def post(self): args = self.reqparse.parse_args() signed_request_data = SignedRequest(args['signed_req'], FB_KEY, application_id=FB_CLIENT) # print(signed_request_data.user.id) user, _ = User.get_or_create(user_id=signed_request_data.user.id, user_type="facebook") return make_response( jsonify({ "message": "Login successful!", "token": user.generate_auth_token().decode('ascii') }), 200)
def test_signed_request_renewal(self): """ Verify that users are redirected to renew their signed requests once they expire. """ client = Client() signed_request = SignedRequest(TEST_SIGNED_REQUEST, TEST_APPLICATION_SECRET) signed_request.user.oauth_token.expires_at = now() - timedelta(days=1) response = client.get( path=reverse('home'), data={'signed_request': signed_request.generate()}) # There's no way to derive the view the response originated from in Django, # so verifying its status code will have to suffice. assert response.status_code == 401
def setup_module(module): """ Create a Facebook test user. """ global TEST_SIGNED_REQUEST graph = GraphAPI('%s|%s' % (TEST_APPLICATION_ID, TEST_APPLICATION_SECRET)) user = graph.post('%s/accounts/test-users' % TEST_APPLICATION_ID, installed=True, permissions=['publish_stream, read_stream']) TEST_SIGNED_REQUEST = SignedRequest( user=SignedRequest.User(id=user['id'], age=range(0, 100), locale='en_US', country='Norway'), oauth_token=SignedRequest.OAuthToken( token=user['access_token'], issued_at=datetime.now(), expires_at=None)).generate(TEST_APPLICATION_SECRET)
def test_initialize_signed_request(): signed_request = SignedRequest( signed_request=TEST_SIGNED_REQUEST, application_secret_key=TEST_FACEBOOK_APPLICATION_SECRET_KEY) assert signed_request.user.id == '499729129' assert signed_request.user.oauth_token.token == TEST_ACCESS_TOKEN assert signed_request.user.oauth_token.expires_at is None assert signed_request.raw == { 'user_id': '499729129', 'algorithm': 'HMAC-SHA256', 'expires': 0, 'oauth_token': '181259711925270|1570a553ad6605705d1b7a5f.1-499729129|8XqMRhCWDKtpG-i_zRkHBDSsqqk', 'user': { 'locale': 'en_US', 'country': 'no', 'age': { 'min': 21 } }, 'issued_at': 1306179904 }
def test_generate_signed_request(): signed_request = SignedRequest( signed_request=TEST_SIGNED_REQUEST, application_secret_key=TEST_FACEBOOK_APPLICATION_SECRET_KEY) signed_request = signed_request.generate()
def process_request(self, request): """Process the signed request.""" if ENABLED_PATHS and DISABLED_PATHS: raise ImproperlyConfigured( 'You may configure either FANDJANGO_ENABLED_PATHS ' 'or FANDJANGO_DISABLED_PATHS, but not both.') if DISABLED_PATHS and is_disabled_path(request.path): return if ENABLED_PATHS and not is_enabled_path(request.path): return # An error occured during authorization... if 'error' in request.GET: error = request.GET['error'] # The user refused to authorize the application... if error == 'access_denied': return authorization_denied_view(request) # Signed request found in either GET, POST or COOKIES... if 'signed_request' in request.REQUEST or 'signed_request' in request.COOKIES: request.facebook = Facebook() # If the request method is POST and its body only contains the signed request, # chances are it's a request from the Facebook platform and we'll override # the request method to HTTP GET to rectify their misinterpretation # of the HTTP standard. # # References: # "POST for Canvas" migration at http://developers.facebook.com/docs/canvas/post/ # "Incorrect use of the HTTP protocol" discussion at http://forum.developers.facebook.net/viewtopic.php?id=93554 if request.method == 'POST' and 'signed_request' in request.POST: request.POST = QueryDict('') request.method = 'GET' try: request.facebook.signed_request = SignedRequest( signed_request=request.REQUEST.get('signed_request') or request.COOKIES.get('signed_request'), application_secret_key=FACEBOOK_APPLICATION_SECRET_KEY) except SignedRequest.Error: request.facebook = False # Valid signed request and user has authorized the application if request.facebook and request.facebook.signed_request.user.has_authorized_application: # Redirect to Facebook Authorization if the OAuth token has expired if request.facebook.signed_request.user.oauth_token.has_expired: return authorize_application( request=request, redirect_uri=get_post_authorization_redirect_url( request)) # Initialize a User object and its corresponding OAuth token try: user = User.objects.get( facebook_id=request.facebook.signed_request.user.id) except User.DoesNotExist: oauth_token = OAuthToken.objects.create( token=request.facebook.signed_request.user.oauth_token. token, issued_at=request.facebook.signed_request.user. oauth_token.issued_at, expires_at=request.facebook.signed_request.user. oauth_token.expires_at) user = User.objects.create( facebook_id=request.facebook.signed_request.user.id, oauth_token=oauth_token) user.synchronize() # Update the user's details and OAuth token else: user.last_seen_at = datetime.now() if 'signed_request' in request.REQUEST: user.authorized = True if request.facebook.signed_request.user.oauth_token: user.oauth_token.token = request.facebook.signed_request.user.oauth_token.token user.oauth_token.issued_at = request.facebook.signed_request.user.oauth_token.issued_at user.oauth_token.expires_at = request.facebook.signed_request.user.oauth_token.expires_at user.oauth_token.save() user.save() if not user.oauth_token.extended: # Attempt to extend the OAuth token, but ignore exceptions raised by # bug #102727766518358 in the Facebook Platform. # # http://developers.facebook.com/bugs/102727766518358/ try: user.oauth_token.extend() except: pass request.facebook.user = user # ... no signed request found. else: request.facebook = False
def test_signed_request_missing_page_data(): try: SignedRequest(TEST_SIGNED_REQUEST_MISSING_PAGE_DATA, TEST_FACEBOOK_APPLICATION_SECRET_KEY) except KeyError: raise AssertionError('Missing page data in signed request')
def process_request(self, request): """Process the signed request.""" # User has already been authed by alternate middleware if hasattr(request, "facebook") and request.facebook: return request.facebook = False if not self.is_valid_path(request): return if self.is_access_denied(request): return authorization_denied_view(request) # No signed request found in either GET, POST nor COOKIES... if 'signed_request' not in request.REQUEST and 'signed_request' not in request.COOKIES: return # If the request method is POST and its body only contains the signed request, # chances are it's a request from the Facebook platform and we'll override # the request method to HTTP GET to rectify their misinterpretation # of the HTTP standard. # # References: # "POST for Canvas" migration at http://developers.facebook.com/docs/canvas/post/ # "Incorrect use of the HTTP protocol" discussion at http://forum.developers.facebook.net/viewtopic.php?id=93554 if request.method == 'POST' and 'signed_request' in request.POST: request.POST = QueryDict('') request.method = 'GET' request.facebook = Facebook() try: request.facebook.signed_request = SignedRequest( signed_request=request.REQUEST.get('signed_request') or request.COOKIES.get('signed_request'), application_secret_key=FACEBOOK_APPLICATION_SECRET_KEY) except SignedRequest.Error: request.facebook = False # Valid signed request and user has authorized the application if request.facebook \ and request.facebook.signed_request.user.has_authorized_application \ and not request.facebook.signed_request.user.oauth_token.has_expired: # Initialize a User object and its corresponding OAuth token try: user = User.objects.get( facebook_id=request.facebook.signed_request.user.id) except User.DoesNotExist: oauth_token = OAuthToken.objects.create( token=request.facebook.signed_request.user.oauth_token. token, issued_at=request.facebook.signed_request.user.oauth_token. issued_at.replace(tzinfo=tzlocal()), expires_at=request.facebook.signed_request.user. oauth_token.expires_at.replace(tzinfo=tzlocal())) user = User.objects.create( facebook_id=request.facebook.signed_request.user.id, oauth_token=oauth_token) user.synchronize() # Update the user's details and OAuth token else: user.last_seen_at = now() if 'signed_request' in request.REQUEST: user.authorized = True if request.facebook.signed_request.user.oauth_token: user.oauth_token.token = request.facebook.signed_request.user.oauth_token.token user.oauth_token.issued_at = request.facebook.signed_request.user.oauth_token.issued_at.replace( tzinfo=tzlocal()) user.oauth_token.expires_at = request.facebook.signed_request.user.oauth_token.expires_at.replace( tzinfo=tzlocal()) user.oauth_token.save() user.save() if not user.oauth_token.extended: # Attempt to extend the OAuth token, but ignore exceptions raised by # bug #102727766518358 in the Facebook Platform. # # http://developers.facebook.com/bugs/102727766518358/ try: user.oauth_token.extend() except: pass request.facebook.user = user