Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
#Facebooker Post Authorize / Post DeAuthorize Callbacks
#from the FanGamb team - http://www.fangamb.com
class CallbacksController < ApplicationController
skip_before_filter :ensure_app_installed, :except => :post_authorize
skip_before_filter :verify_authenticity_token
def post_authorize
if request.post?
if verify_uninstall_signature
#set user's has_app indicator to 1 to indicate active
end
end
render :nothing => true
end
def post_deauthorize
if request.post?
if verify_uninstall_signature
#set user's has_app indicator to 0 to indicate inactive
end
end
render :nothing => true
end
private
#based on http://wiki.developers.facebook.com/index.php/Post-Remove_URL
def verify_uninstall_signature
signature = ''
keys = params.keys.sort
keys.each do |key|
next if key == 'fb_sig'
next unless key.include?('fb_sig')
key_name = key.gsub('fb_sig_', '')
signature += key_name
signature += '='
signature += params[key]
end
signature += FACEBOOK_YAML['secret_key']
calculated_sig = Digest::MD5.hexdigest(signature)
if calculated_sig != params[:fb_sig]
logger.warn "\nWARNING :: potential spoofing :: expected signatures did not match"
logger.info "\nSignature (fb_sig param from facebook) :: #{params[:fb_sig]}"
logger.info "\nSignature String (pre-hash) :: #{signature}"
logger.info "\nMD5 Hashed Sig :: #{calculated_sig}"
#check to see if ip variables are nil
if not request.env['HTTP_X_FORWARDED_FOR'].nil? and not request.env['HTTP_X_REAL_IP'].nil?
ip = request.env['HTTP_X_FORWARDED_FOR'] || request.env['HTTP_X_REAL_IP']
else
ip = request.remote_ip
end
logger.info "\nRemote IP :: #{ip}"
return false
else
#logger.warn "\n\nSUCCESS!! Signatures matched.\n"
end
return true
end
end
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment