def wrapper(request, *args, **kwargs):
# Let Facebook's scraper pass
# Using HTTP_USER_AGENT string which is kind of weak
# Only allowing GET to pass through
if request.method == 'GET' and request.META.get('HTTP_USER_AGENT', '').startswith('facebookexternalhit'):
return function(request, *args, **kwargs)
# The user has already authorized the application, but the given view requires
# permissions besides the defaults listed in ``FACEBOOK_APPLICATION_DEFAULT_PERMISSIONS``.
#
# Derive a list of outstanding permissions and prompt the user to grant them.
if request.facebook and request.facebook.user and permissions:
outstanding_permissions = [p for p in permissions if p not in request.facebook.user.permissions]
if outstanding_permissions:
return authorize_application(
request = request,
redirect_uri = redirect_uri or get_post_authorization_redirect_url(request),
permissions = outstanding_permissions
)
# The user has not authorized the application yet.
#
# Concatenate the default permissions with permissions required for this particular view.
if not request.facebook or not request.facebook.user:
return authorize_application(
request = request,
redirect_uri = redirect_uri or get_post_authorization_redirect_url(request),
permissions = (FACEBOOK_APPLICATION_INITIAL_PERMISSIONS or []) + (permissions or [])
)
return function(request, *args, **kwargs)
def wrapper(request, *args, **kwargs):
# We know the user has been authenticated via a canvas page if a signed request is set.
canvas = request.facebook is not False and hasattr(request.facebook, "signed_request")
# The user has already authorized the application, but the given view requires
# permissions besides the defaults listed in ``FACEBOOK_APPLICATION_DEFAULT_PERMISSIONS``.
#
# Derive a list of outstanding permissions and prompt the user to grant them.
if request.facebook and request.facebook.user and permissions:
outstanding_permissions = [p for p in permissions if p not in request.facebook.user.permissions]
if outstanding_permissions:
return authorize_application(
request = request,
redirect_uri = redirect_uri or get_post_authorization_redirect_url(request, canvas=canvas),
permissions = outstanding_permissions
)
# The user has not authorized the application yet.
#
# Concatenate the default permissions with permissions required for this particular view.
if not request.facebook or not request.facebook.user:
return authorize_application(
request = request,
redirect_uri = redirect_uri or get_post_authorization_redirect_url(request, canvas=canvas),
permissions = (FACEBOOK_APPLICATION_INITIAL_PERMISSIONS or []) + (permissions or [])
)
return function(request, *args, **kwargs)
def wrapper(request, *args, **kwargs):
# The user has already authorized the application, but the given view requires
# permissions besides the defaults listed in ``FACEBOOK_APPLICATION_DEFAULT_PERMISSIONS``.
#
# Derive a list of outstanding permissions and prompt the user to grant them.
if request.facebook and request.facebook.user and permissions:
outstanding_permissions = [
p for p in permissions
if p not in request.facebook.user.permissions
]
if outstanding_permissions:
return authorize_application(
request=request,
redirect_uri=redirect_uri
or get_post_authorization_redirect_url(request),
permissions=outstanding_permissions)
# The user has not authorized the application yet.
#
# Concatenate the default permissions with permissions required for this particular view.
if not request.facebook or not request.facebook.user:
return authorize_application(
request=request,
redirect_uri=redirect_uri
or get_post_authorization_redirect_url(request),
permissions=(FACEBOOK_APPLICATION_INITIAL_PERMISSIONS
or []) + (permissions or []))
return function(request, *args, **kwargs)
def test_get_post_authorization_redirect_url():
"""
Verify that Fandjango redirects the user correctly upon authorizing the application.
"""
request = request_factory.get('/foo/bar/baz')
redirect_url = get_post_authorization_redirect_url(request)
assert redirect_url == 'http://apps.facebook.com/fandjango-test/bar/baz'
def test_get_post_authorization_redirect_url(self):
"""
Verify that Fandjango redirects the user correctly upon authorizing the application.
"""
request = request_factory.get('/foo/bar/baz')
redirect_url = get_post_authorization_redirect_url(request, canvas = False)
# RequestFactory has the hostname "testserver"
assert redirect_url == 'http://testserver/foo/bar/baz'
def test_get_post_authorization_redirect_url(self):
"""
Verify that Fandjango redirects the user correctly upon authorizing the application.
"""
request = request_factory.get('/foo/bar/baz')
redirect_url = get_post_authorization_redirect_url(request)
assert redirect_url == 'https://apps.facebook.com/fandjango-test/bar/baz'
def test_get_post_authorization_redirect_url(self):
"""
Verify that Fandjango redirects the user correctly upon authorizing the application.
"""
request = request_factory.get('/foo/bar/baz')
redirect_url = get_post_authorization_redirect_url(request, canvas = False)
assert redirect_url == 'http://example.org/foo/bar/baz'
def test_get_post_authorization_redirect_url(self):
"""
Verify that Fandjango redirects the user correctly upon authorizing the application.
"""
request = request_factory.get('/foo/bar/baz')
redirect_url = get_post_authorization_redirect_url(request,
canvas=False)
# RequestFactory has the hostname "testserver"
assert redirect_url == 'http://testserver/foo/bar/baz'
def wrapper(request, *args, **kwargs):
if not request.facebook or not request.facebook.user:
return authorize_application(
request = request,
redirect_uri = get_post_authorization_redirect_url(request)
)
return function(request, *args, **kwargs)
def process_request(self, request):
"""Process the signed request."""
if ENABLED_PATHS and DISABLED_PATHS:
raise ImproperlyConfigured('You may configure either FANDJANGO_ENABLED_PATHS or FANDJANGO_DISABLED_PATHS, but not both.')
if DISABLED_PATHS and is_disabled_path(request.path):
return
if ENABLED_PATHS and not is_enabled_path(request.path):
return
# An error occured during authorization...
if 'error' in request.GET:
error = request.GET['error']
# The user refused to authorize the application...
if error == 'access_denied':
return authorization_denied_view(request)
# Signed request found in either GET, POST or COOKIES...
if 'signed_request' in request.REQUEST or 'signed_request' in request.COOKIES:
request.facebook = Facebook()
# If the request method is POST and its body only contains the signed request,
# chances are it's a request from the Facebook platform and we'll override
# the request method to HTTP GET to rectify their misinterpretation
# of the HTTP standard.
#
# References:
# "POST for Canvas" migration at http://developers.facebook.com/docs/canvas/post/
# "Incorrect use of the HTTP protocol" discussion at http://forum.developers.facebook.net/viewtopic.php?id=93554
if request.method == 'POST' and 'signed_request' in request.POST:
request.POST = QueryDict('')
request.method = 'GET'
request.facebook.signed_request = SignedRequest.parse(
signed_request = request.REQUEST.get('signed_request') or request.COOKIES.get('signed_request'),
application_secret_key = FACEBOOK_APPLICATION_SECRET_KEY
)
# User has authorized the application...
if request.facebook.signed_request.user.has_authorized_application:
# Redirect to Facebook Authorization if the OAuth token has expired
if request.facebook.signed_request.oauth_token.has_expired:
return authorize_application(
request = request,
redirect_uri = get_post_authorization_redirect_url(request)
)
# Initialize a User object and its corresponding OAuth token
try:
user = User.objects.get(facebook_id=request.facebook.signed_request.user.id)
except User.DoesNotExist:
oauth_token = OAuthToken.objects.create(
token = request.facebook.signed_request.oauth_token.token,
issued_at = request.facebook.signed_request.oauth_token.issued_at,
expires_at = request.facebook.signed_request.oauth_token.expires_at
)
user = User.objects.create(
facebook_id = request.facebook.signed_request.user.id,
oauth_token = oauth_token
)
user.synchronize()
# Update the user's details and OAuth token
else:
user.last_seen_at = datetime.now()
user.authorized = True
if request.facebook.signed_request.oauth_token:
user.oauth_token.token = request.facebook.signed_request.oauth_token.token
user.oauth_token.issued_at = request.facebook.signed_request.oauth_token.issued_at
user.oauth_token.expires_at = request.facebook.signed_request.oauth_token.expires_at
user.oauth_token.save()
user.save()
# Attempt to extend the OAuth token, but ignore exceptions raised by
# bug #102727766518358 in the Facebook Platform.
#
# http://developers.facebook.com/bugs/102727766518358/
try:
user.oauth_token.extend()
except:
pass
request.facebook.user = user
# ... no signed request found.
else:
request.facebook = False
def process_request(self, request):
"""Process the web-based auth request."""
# User has already been authed by alternate middleware
if hasattr(request, "facebook") and request.facebook:
return
request.facebook = False
if not self.is_valid_path(request):
return
if self.is_access_denied(request):
return authorization_denied_view(request)
request.facebook = Facebook()
oauth_token = False
# Is there a token cookie already present?
if 'oauth_token' in request.COOKIES:
try:
# Check if the current token is already in DB
oauth_token = OAuthToken.objects.get(token=request.COOKIES['oauth_token'])
except OAuthToken.DoesNotExist:
request.facebook = False
return
# Is there a code in the GET request?
elif 'code' in request.GET:
try:
graph = GraphAPI()
# Exchange code for an access_token
response = graph.get('oauth/access_token',
client_id = FACEBOOK_APPLICATION_ID,
redirect_uri = get_post_authorization_redirect_url(request, canvas=False),
client_secret = FACEBOOK_APPLICATION_SECRET_KEY,
code = request.GET['code'],
)
components = parse_qs(response)
# Save new OAuth-token in DB
oauth_token, new_oauth_token = OAuthToken.objects.get_or_create(
token = components['access_token'][0],
issued_at = now(),
expires_at = now() + timedelta(seconds = int(components['expires'][0]))
)
except GraphAPI.OAuthError:
pass
# There isn't a valid access_token
if not oauth_token or oauth_token.expired:
request.facebook = False
return
# Is there a user already connected to the current token?
try:
user = oauth_token.user
if not user.authorized:
request.facebook = False
return
user.last_seen_at = now()
user.save()
except User.DoesNotExist:
graph = GraphAPI(oauth_token.token)
profile = graph.get('me')
# Either the user already exists and its just a new token, or user and token both are new
try:
user = User.objects.get(facebook_id = profile.get('id'))
if not user.authorized:
if new_oauth_token:
user.last_seen_at = now()
user.authorized = True
else:
request.facebook = False
return
except User.DoesNotExist:
# Create a new user to go with token
user = User.objects.create(
facebook_id = profile.get('id'),
oauth_token = oauth_token
)
user.synchronize(profile)
# Delete old access token if there is any and only if the new one is different
old_oauth_token = None
if user.oauth_token != oauth_token:
old_oauth_token = user.oauth_token
user.oauth_token = oauth_token
user.save()
if old_oauth_token:
old_oauth_token.delete()
if not user.oauth_token.extended:
# Attempt to extend the OAuth token, but ignore exceptions raised by
# bug #102727766518358 in the Facebook Platform.
#
# http://developers.facebook.com/bugs/102727766518358/
try:
user.oauth_token.extend()
except:
pass
request.facebook.user = user
request.facebook.oauth_token = oauth_token
def process_request(self, request):
"""Process the signed request."""
if ENABLED_PATHS and DISABLED_PATHS:
raise ImproperlyConfigured(
'You may configure either FANDJANGO_ENABLED_PATHS '
'or FANDJANGO_DISABLED_PATHS, but not both.')
if DISABLED_PATHS and is_disabled_path(request.path):
return
if ENABLED_PATHS and not is_enabled_path(request.path):
return
# An error occured during authorization...
if 'error' in request.GET:
error = request.GET['error']
# The user refused to authorize the application...
if error == 'access_denied':
return authorization_denied_view(request)
# Signed request found in either GET, POST or COOKIES...
if 'signed_request' in request.REQUEST or 'signed_request' in request.COOKIES:
request.facebook = Facebook()
# If the request method is POST and its body only contains the signed request,
# chances are it's a request from the Facebook platform and we'll override
# the request method to HTTP GET to rectify their misinterpretation
# of the HTTP standard.
#
# References:
# "POST for Canvas" migration at http://developers.facebook.com/docs/canvas/post/
# "Incorrect use of the HTTP protocol" discussion at http://forum.developers.facebook.net/viewtopic.php?id=93554
if request.method == 'POST' and 'signed_request' in request.POST:
request.POST = QueryDict('')
request.method = 'GET'
try:
request.facebook.signed_request = SignedRequest(
signed_request=request.REQUEST.get('signed_request')
or request.COOKIES.get('signed_request'),
application_secret_key=FACEBOOK_APPLICATION_SECRET_KEY)
except SignedRequest.Error:
request.facebook = False
# Valid signed request and user has authorized the application
if request.facebook and request.facebook.signed_request.user.has_authorized_application:
# Redirect to Facebook Authorization if the OAuth token has expired
if request.facebook.signed_request.user.oauth_token.has_expired:
return authorize_application(
request=request,
redirect_uri=get_post_authorization_redirect_url(
request))
# Initialize a User object and its corresponding OAuth token
try:
user = User.objects.get(
facebook_id=request.facebook.signed_request.user.id)
except User.DoesNotExist:
oauth_token = OAuthToken.objects.create(
token=request.facebook.signed_request.user.oauth_token.
token,
issued_at=request.facebook.signed_request.user.
oauth_token.issued_at,
expires_at=request.facebook.signed_request.user.
oauth_token.expires_at)
user = User.objects.create(
facebook_id=request.facebook.signed_request.user.id,
oauth_token=oauth_token)
user.synchronize()
# Update the user's details and OAuth token
else:
user.last_seen_at = datetime.now()
if 'signed_request' in request.REQUEST:
user.authorized = True
if request.facebook.signed_request.user.oauth_token:
user.oauth_token.token = request.facebook.signed_request.user.oauth_token.token
user.oauth_token.issued_at = request.facebook.signed_request.user.oauth_token.issued_at
user.oauth_token.expires_at = request.facebook.signed_request.user.oauth_token.expires_at
user.oauth_token.save()
user.save()
if not user.oauth_token.extended:
# Attempt to extend the OAuth token, but ignore exceptions raised by
# bug #102727766518358 in the Facebook Platform.
#
# http://developers.facebook.com/bugs/102727766518358/
try:
user.oauth_token.extend()
except:
pass
request.facebook.user = user
# ... no signed request found.
else:
request.facebook = False
def process_request(self, request):
"""Process the web-based auth request."""
# User has already been authed by alternate middleware
if hasattr(request, "facebook") and request.facebook:
return
request.facebook = False
if not self.is_valid_path(request):
return
if self.is_access_denied(request):
return authorization_denied_view(request)
request.facebook = Facebook()
oauth_token = False
# Is there a token cookie already present?
if 'oauth_token' in request.COOKIES:
try:
# Check if the current token is already in DB
oauth_token = OAuthToken.objects.get(
token=request.COOKIES['oauth_token'])
except OAuthToken.DoesNotExist:
request.facebook = False
return
# Is there a code in the GET request?
elif 'code' in request.GET:
try:
graph = GraphAPI()
# Exchange code for an access_token
response = graph.get(
'oauth/access_token',
client_id=FACEBOOK_APPLICATION_ID,
redirect_uri=get_post_authorization_redirect_url(
request, canvas=False),
client_secret=FACEBOOK_APPLICATION_SECRET_KEY,
code=request.GET['code'],
)
components = parse_qs(response)
# Save new OAuth-token in DB
oauth_token, new_oauth_token = OAuthToken.objects.get_or_create(
token=components['access_token'][0],
issued_at=now(),
expires_at=now() +
timedelta(seconds=int(components['expires'][0])))
except GraphAPI.OAuthError:
pass
# There isn't a valid access_token
if not oauth_token or oauth_token.expired:
request.facebook = False
return
# Is there a user already connected to the current token?
try:
user = oauth_token.user
if not user.authorized:
request.facebook = False
return
user.last_seen_at = now()
user.save()
except User.DoesNotExist:
graph = GraphAPI(oauth_token.token)
profile = graph.get('me')
# Either the user already exists and its just a new token, or user and token both are new
try:
user = User.objects.get(facebook_id=profile.get('id'))
if not user.authorized:
if new_oauth_token:
user.last_seen_at = now()
user.authorized = True
else:
request.facebook = False
return
except User.DoesNotExist:
# Create a new user to go with token
user = User.objects.create(facebook_id=profile.get('id'),
oauth_token=oauth_token)
user.synchronize(profile)
# Delete old access token if there is any and only if the new one is different
old_oauth_token = None
if user.oauth_token != oauth_token:
old_oauth_token = user.oauth_token
user.oauth_token = oauth_token
user.save()
if old_oauth_token:
old_oauth_token.delete()
if not user.oauth_token.extended:
# Attempt to extend the OAuth token, but ignore exceptions raised by
# bug #102727766518358 in the Facebook Platform.
#
# http://developers.facebook.com/bugs/102727766518358/
try:
user.oauth_token.extend()
except:
pass
request.facebook.user = user
request.facebook.oauth_token = oauth_token
