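 def post(self):
     """
     Exchange a Facebook signed request for an API auth token.

     Reads ``signed_req`` from the parsed request arguments, verifies its
     signature against ``FB_KEY`` / ``FB_CLIENT``, then fetches or creates
     the matching facebook-type ``User`` and returns a JSON body carrying a
     freshly generated auth token.

     Returns:
         A 200 JSON response ``{"message", "token"}`` on success; a 400 JSON
         response when ``signed_req`` is absent; a 401 JSON response when
         the signed request fails verification.
     """
     args = self.reqparse.parse_args()

     signed_req = args.get('signed_req')
     if not signed_req:
         return make_response(
             jsonify({"message": "Missing signed request."}), 400)

     # Signature verification is the authentication boundary of this
     # endpoint: a forged or tampered payload must come back as a client
     # error instead of an unhandled exception (a 500 for the caller).
     try:
         signed_request_data = SignedRequest(signed_req,
                                             FB_KEY,
                                             application_id=FB_CLIENT)
     except SignedRequest.Error:
         return make_response(
             jsonify({"message": "Invalid signed request."}), 401)

     user, _ = User.get_or_create(user_id=signed_request_data.user.id,
                                  user_type="facebook")
     return make_response(
         jsonify({
             "message": "Login successful!",
             "token": user.generate_auth_token().decode('ascii')
         }), 200)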
    def test_signed_request_renewal(self):
        """
        A signed request whose OAuth token has expired must be answered
        with 401 so the user is sent to renew it.
        """
        expired_request = SignedRequest(TEST_SIGNED_REQUEST,
                                        TEST_APPLICATION_SECRET)
        # Back-date the token by a full day so it is unambiguously expired.
        expired_request.user.oauth_token.expires_at = now() - timedelta(days=1)

        response = Client().get(
            path=reverse('home'),
            data={'signed_request': expired_request.generate()})

        # Django gives no way to learn which view produced the response,
        # so the status code is the only thing that can be checked.
        assert response.status_code == 401
def setup_module(module):
    """
    Create a Facebook test user and publish its signed request.

    Sets the module-level ``TEST_SIGNED_REQUEST`` to a signed request
    generated for the new test user with the application secret.
    """
    global TEST_SIGNED_REQUEST

    app_access_token = '{}|{}'.format(TEST_APPLICATION_ID, TEST_APPLICATION_SECRET)
    graph = GraphAPI(app_access_token)

    # NOTE(review): the single list element carries both permission names
    # separated by a comma; confirm this is the shape the endpoint expects.
    test_user = graph.post('{}/accounts/test-users'.format(TEST_APPLICATION_ID),
                           installed=True,
                           permissions=['publish_stream, read_stream'])

    user_payload = SignedRequest.User(id=test_user['id'],
                                      age=range(0, 100),
                                      locale='en_US',
                                      country='Norway')
    # expires_at=None: the token is created without an expiry.
    token_payload = SignedRequest.OAuthToken(token=test_user['access_token'],
                                             issued_at=datetime.now(),
                                             expires_at=None)

    TEST_SIGNED_REQUEST = SignedRequest(
        user=user_payload,
        oauth_token=token_payload).generate(TEST_APPLICATION_SECRET)
def test_initialize_signed_request():
    """
    Parsing the fixture signed request yields the expected user, token and
    raw payload.
    """
    parsed = SignedRequest(
        signed_request=TEST_SIGNED_REQUEST,
        application_secret_key=TEST_FACEBOOK_APPLICATION_SECRET_KEY)

    expected_payload = {
        'user_id': '499729129',
        'algorithm': 'HMAC-SHA256',
        'expires': 0,
        'oauth_token':
        '181259711925270|1570a553ad6605705d1b7a5f.1-499729129|8XqMRhCWDKtpG-i_zRkHBDSsqqk',
        'user': {
            'locale': 'en_US',
            'country': 'no',
            'age': {
                'min': 21
            }
        },
        'issued_at': 1306179904
    }

    token = parsed.user.oauth_token
    assert parsed.user.id == '499729129'
    assert token.token == TEST_ACCESS_TOKEN
    # 'expires': 0 in the payload is surfaced as no expiry at all.
    assert token.expires_at is None

    assert parsed.raw == expected_payload
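def test_generate_signed_request():
    """
    A parsed signed request can be re-serialized with ``generate()``.

    The original test produced the regenerated value but asserted nothing
    about it; this version parses it again with the same secret and checks
    that it describes the same user.
    """
    signed_request = SignedRequest(
        signed_request=TEST_SIGNED_REQUEST,
        application_secret_key=TEST_FACEBOOK_APPLICATION_SECRET_KEY)

    regenerated = signed_request.generate()
    assert regenerated

    # Round-trip: the output must verify under the same secret and carry
    # the same identity as the input.
    reparsed = SignedRequest(
        signed_request=regenerated,
        application_secret_key=TEST_FACEBOOK_APPLICATION_SECRET_KEY)
    assert reparsed.user.id == signed_request.user.id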
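    def process_request(self, request):
        """
        Authenticate the request from a Facebook signed request.

        Sets ``request.facebook`` to ``False`` when no signed request is
        present or it fails verification, otherwise to a ``Facebook``
        instance holding the parsed ``signed_request`` and, once the user
        has authorized the application with an unexpired token, the
        matching ``User``.

        Returns:
            ``None`` to let the request proceed; the result of
            ``authorization_denied_view`` when Facebook reported
            ``access_denied``; the result of ``authorize_application`` when
            the OAuth token has expired.

        Raises:
            ImproperlyConfigured: if both FANDJANGO_ENABLED_PATHS and
                FANDJANGO_DISABLED_PATHS are set.
        """

        if ENABLED_PATHS and DISABLED_PATHS:
            raise ImproperlyConfigured(
                'You may configure either FANDJANGO_ENABLED_PATHS '
                'or FANDJANGO_DISABLED_PATHS, but not both.')

        if DISABLED_PATHS and is_disabled_path(request.path):
            return

        if ENABLED_PATHS and not is_enabled_path(request.path):
            return

        # An error occured during authorization...
        # ``error`` is an unauthenticated query parameter; it only selects
        # the denied view and grants nothing.
        if 'error' in request.GET:
            error = request.GET['error']

            # The user refused to authorize the application...
            if error == 'access_denied':
                return authorization_denied_view(request)

        # Signed request found in either GET, POST or COOKIES...
        # NOTE(review): request.REQUEST (merged GET/POST) was removed in
        # Django 1.9; this branch depends on an older Django.
        if 'signed_request' in request.REQUEST or 'signed_request' in request.COOKIES:
            request.facebook = Facebook()

            # If the request method is POST and its body only contains the signed request,
            # chances are it's a request from the Facebook platform and we'll override
            # the request method to HTTP GET to rectify their misinterpretation
            # of the HTTP standard.
            #
            # References:
            # "POST for Canvas" migration at http://developers.facebook.com/docs/canvas/post/
            # "Incorrect use of the HTTP protocol" discussion at http://forum.developers.facebook.net/viewtopic.php?id=93554
            if request.method == 'POST' and 'signed_request' in request.POST:
                request.POST = QueryDict('')
                request.method = 'GET'

            # The signature check is the trust boundary: only a payload
            # signed with the application secret gets past this point,
            # whether it arrived in the request body or in a cookie.
            try:
                request.facebook.signed_request = SignedRequest(
                    signed_request=request.REQUEST.get('signed_request')
                    or request.COOKIES.get('signed_request'),
                    application_secret_key=FACEBOOK_APPLICATION_SECRET_KEY)
            except SignedRequest.Error:
                request.facebook = False

            # Valid signed request and user has authorized the application
            if request.facebook and request.facebook.signed_request.user.has_authorized_application:

                # Redirect to Facebook Authorization if the OAuth token has expired
                if request.facebook.signed_request.user.oauth_token.has_expired:
                    return authorize_application(
                        request=request,
                        redirect_uri=get_post_authorization_redirect_url(
                            request))

                # Initialize a User object and its corresponding OAuth token
                try:
                    user = User.objects.get(
                        facebook_id=request.facebook.signed_request.user.id)
                except User.DoesNotExist:
                    oauth_token = OAuthToken.objects.create(
                        token=request.facebook.signed_request.user.oauth_token.
                        token,
                        issued_at=request.facebook.signed_request.user.
                        oauth_token.issued_at,
                        expires_at=request.facebook.signed_request.user.
                        oauth_token.expires_at)

                    user = User.objects.create(
                        facebook_id=request.facebook.signed_request.user.id,
                        oauth_token=oauth_token)

                    user.synchronize()

                # Update the user's details and OAuth token
                else:
                    # NOTE(review): naive local time; confirm the model's
                    # timezone expectations before mixing with aware values.
                    user.last_seen_at = datetime.now()

                    # Only a signed request carried in GET/POST re-marks the
                    # user as authorized and refreshes the stored token; a
                    # cookie-borne one does not.
                    if 'signed_request' in request.REQUEST:
                        user.authorized = True

                        if request.facebook.signed_request.user.oauth_token:
                            user.oauth_token.token = request.facebook.signed_request.user.oauth_token.token
                            user.oauth_token.issued_at = request.facebook.signed_request.user.oauth_token.issued_at
                            user.oauth_token.expires_at = request.facebook.signed_request.user.oauth_token.expires_at
                            user.oauth_token.save()

                    user.save()

                if not user.oauth_token.extended:
                    # Attempt to extend the OAuth token, but ignore exceptions raised by
                    # bug #102727766518358 in the Facebook Platform.
                    #
                    # http://developers.facebook.com/bugs/102727766518358/
                    #
                    # Best effort by design, but a bare ``except`` also
                    # swallowed SystemExit/KeyboardInterrupt; catch
                    # Exception so those still propagate.
                    try:
                        user.oauth_token.extend()
                    except Exception:
                        pass

                request.facebook.user = user

        # ... no signed request found.
        else:
            request.facebook = False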
def test_signed_request_missing_page_data():
    """
    A signed request fixture without page data must parse without raising
    ``KeyError``.
    """
    page_data_missing = False
    try:
        SignedRequest(TEST_SIGNED_REQUEST_MISSING_PAGE_DATA,
                      TEST_FACEBOOK_APPLICATION_SECRET_KEY)
    except KeyError:
        page_data_missing = True

    if page_data_missing:
        raise AssertionError('Missing page data in signed request')
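    def process_request(self, request):
        """
        Authenticate the request from a Facebook signed request.

        Leaves ``request.facebook`` untouched when another middleware has
        already populated it. Otherwise sets it to ``False`` when the path
        is not handled, no signed request is present, or verification
        fails; and to a ``Facebook`` instance holding the parsed
        ``signed_request`` plus, when the signature verifies and the user
        has authorized the application with an unexpired token, the
        matching ``User``.

        Returns:
            ``None`` to let the request proceed, or the result of
            ``authorization_denied_view`` when ``is_access_denied`` says so.
        """

        # User has already been authed by alternate middleware
        if hasattr(request, "facebook") and request.facebook:
            return

        request.facebook = False

        if not self.is_valid_path(request):
            return

        if self.is_access_denied(request):
            return authorization_denied_view(request)

        # No signed request found in either GET, POST nor COOKIES...
        # NOTE(review): request.REQUEST (merged GET/POST) was removed in
        # Django 1.9; this code depends on an older Django.
        if 'signed_request' not in request.REQUEST and 'signed_request' not in request.COOKIES:
            return

        # If the request method is POST and its body only contains the signed request,
        # chances are it's a request from the Facebook platform and we'll override
        # the request method to HTTP GET to rectify their misinterpretation
        # of the HTTP standard.
        #
        # References:
        # "POST for Canvas" migration at http://developers.facebook.com/docs/canvas/post/
        # "Incorrect use of the HTTP protocol" discussion at http://forum.developers.facebook.net/viewtopic.php?id=93554
        if request.method == 'POST' and 'signed_request' in request.POST:
            request.POST = QueryDict('')
            request.method = 'GET'

        request.facebook = Facebook()

        # The signature check is the trust boundary: only a payload signed
        # with the application secret gets past this point, whether it
        # arrived in the request body or in a cookie.
        try:
            request.facebook.signed_request = SignedRequest(
                signed_request=request.REQUEST.get('signed_request')
                or request.COOKIES.get('signed_request'),
                application_secret_key=FACEBOOK_APPLICATION_SECRET_KEY)
        except SignedRequest.Error:
            request.facebook = False

        # Valid signed request and user has authorized the application
        if request.facebook \
            and request.facebook.signed_request.user.has_authorized_application \
            and not request.facebook.signed_request.user.oauth_token.has_expired:

            sr_user = request.facebook.signed_request.user
            sr_token = sr_user.oauth_token

            def localize(moment):
                # A token that never expires is parsed with expires_at=None
                # (the 'expires': 0 case); calling .replace() on it raised
                # AttributeError. Only attach a timezone when there is a
                # timestamp to attach it to.
                if moment is None:
                    return None
                return moment.replace(tzinfo=tzlocal())

            # Initialize a User object and its corresponding OAuth token
            try:
                user = User.objects.get(facebook_id=sr_user.id)
            except User.DoesNotExist:
                oauth_token = OAuthToken.objects.create(
                    token=sr_token.token,
                    issued_at=localize(sr_token.issued_at),
                    expires_at=localize(sr_token.expires_at))

                user = User.objects.create(
                    facebook_id=sr_user.id,
                    oauth_token=oauth_token)

                user.synchronize()

            # Update the user's details and OAuth token
            else:
                user.last_seen_at = now()

                # Only a signed request carried in GET/POST re-marks the user
                # as authorized and refreshes the stored token; a cookie-borne
                # one does not.
                if 'signed_request' in request.REQUEST:
                    user.authorized = True

                    if sr_token:
                        user.oauth_token.token = sr_token.token
                        user.oauth_token.issued_at = localize(sr_token.issued_at)
                        user.oauth_token.expires_at = localize(sr_token.expires_at)
                        user.oauth_token.save()

                user.save()

            if not user.oauth_token.extended:
                # Attempt to extend the OAuth token, but ignore exceptions raised by
                # bug #102727766518358 in the Facebook Platform.
                #
                # http://developers.facebook.com/bugs/102727766518358/
                #
                # Best effort by design, but a bare ``except`` also swallowed
                # SystemExit/KeyboardInterrupt; catch Exception so those
                # still propagate.
                try:
                    user.oauth_token.extend()
                except Exception:
                    pass

            request.facebook.user = user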