def wrapper(request, *args, **kwargs):
    """Run ``function`` only once the caller holds a Facebook authorization.

    ``function``, ``permissions`` and ``redirect_uri`` are closed over from the
    enclosing decorator. The view runs when ``request.facebook.user`` is set and
    already carries every entry of ``permissions``; in every other case the
    caller is sent through ``authorize_application`` and its response is
    returned instead of the view's.
    """
    facebook = request.facebook
    # Facebook only hands us a signed request when we were loaded inside a
    # canvas page; the redirect target is built differently in that case.
    canvas = facebook is not False and hasattr(facebook, "signed_request")
    user = facebook.user if facebook else None

    if user and permissions:
        # Already authorized, but this view wants permissions the user has not
        # granted yet: ask only for the ones still outstanding.
        missing = [p for p in permissions if p not in user.permissions]
        if missing:
            return authorize_application(
                request=request,
                redirect_uri=redirect_uri or get_post_authorization_redirect_url(request, canvas=canvas),
                permissions=missing,
            )

    if not user:
        # Not authorized at all: request the configured initial permissions
        # together with whatever this view additionally needs.
        return authorize_application(
            request=request,
            redirect_uri=redirect_uri or get_post_authorization_redirect_url(request, canvas=canvas),
            permissions=(FACEBOOK_APPLICATION_INITIAL_PERMISSIONS or []) + (permissions or []),
        )

    return function(request, *args, **kwargs)
def wrapper(request, *args, **kwargs):
    """Run ``function`` behind Facebook authorization, letting Facebook's link scraper through.

    ``function``, ``permissions`` and ``redirect_uri`` are closed over from the
    enclosing decorator. Returns the view's response, or the response of
    ``authorize_application`` when authorization (or a permission) is missing.
    """
    # The scraper exemption keys solely on the client-supplied User-Agent
    # header, which nothing here verifies, so for GET this view is effectively
    # reachable without any Facebook session. Whatever it renders should be
    # safe to serve unauthenticated (no per-user data), or the exemption should
    # rest on something the client cannot choose.
    user_agent = request.META.get('HTTP_USER_AGENT', '')
    if request.method == 'GET' and user_agent.startswith('facebookexternalhit'):
        return function(request, *args, **kwargs)

    facebook = request.facebook
    user = facebook.user if facebook else None

    if user and permissions:
        # Authorized, but this view needs permissions not yet granted: ask only
        # for the outstanding ones.
        missing = [p for p in permissions if p not in user.permissions]
        if missing:
            return authorize_application(
                request=request,
                redirect_uri=redirect_uri or get_post_authorization_redirect_url(request),
                permissions=missing,
            )

    if not user:
        # Not authorized yet: initial permissions plus this view's own.
        return authorize_application(
            request=request,
            redirect_uri=redirect_uri or get_post_authorization_redirect_url(request),
            permissions=(FACEBOOK_APPLICATION_INITIAL_PERMISSIONS or []) + (permissions or []),
        )

    return function(request, *args, **kwargs)
def wrapper(request, *args, **kwargs):
    """Run ``function`` only for callers with a Facebook authorization covering ``permissions``.

    ``function``, ``permissions`` and ``redirect_uri`` are closed over from the
    enclosing decorator. Otherwise returns the ``authorize_application``
    response that prompts for the missing authorization.
    """
    facebook = request.facebook
    user = facebook.user if facebook else None

    if user and permissions:
        # Authorized, but some of this view's permissions are still ungranted.
        missing = [p for p in permissions if p not in user.permissions]
        if missing:
            return authorize_application(
                request=request,
                redirect_uri=redirect_uri or get_post_authorization_redirect_url(request),
                permissions=missing,
            )

    if not user:
        # No authorization at all: initial permissions plus this view's own.
        return authorize_application(
            request=request,
            redirect_uri=redirect_uri or get_post_authorization_redirect_url(request),
            permissions=(FACEBOOK_APPLICATION_INITIAL_PERMISSIONS or []) + (permissions or []),
        )

    return function(request, *args, **kwargs)
def wrapper(request, *args, **kwargs):
    """Run ``function`` only when ``request.facebook.user`` is set.

    ``function`` is closed over from the enclosing decorator. Without an
    authorized user the ``authorize_application`` response is returned instead.
    """
    facebook = request.facebook
    if facebook and facebook.user:
        return function(request, *args, **kwargs)

    return authorize_application(
        request=request,
        redirect_uri=get_post_authorization_redirect_url(request),
    )
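def test_authorization_redirect_only_triggers_on_fandjango_authorization_redirect(self):
    """The middleware rewrites only Fandjango's authorization redirect, not ordinary views.

    Uses ``assertEqual``/``assertNotEqual``; the ``assertEquals`` aliases are
    deprecated and removed in newer Python versions.
    """
    # An authorization redirect must be altered by the middleware...
    response = authorize_application(None, redirect_uri="http://apps.facebook.com/django-facetools/canvas/test_url/")
    before_content = response.content
    response = FandjangoIntegrationMiddleware().process_response(None, response)
    after_content = response.content
    self.assertNotEqual(before_content, after_content)

    # ... while a plain view response passes through untouched.
    response = test_url(None)
    before_content = response.content
    response = FandjangoIntegrationMiddleware().process_response(None, response)
    after_content = response.content
    self.assertEqual(before_content, after_content)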
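def test_authorization_redirect_fix(self):
    """The middleware rewrites both redirect URLs in the authorization page.

    Checks the JavaScript ``window.parent.location`` assignment and the
    fallback ``<a href>`` before and after ``process_response``, and that the
    status code stays 200. Uses ``assertEqual`` rather than the deprecated
    ``assertEquals`` alias.
    """
    unaltered_redirect_uri = 'http://apps.facebook.com/django-facetools/canvas/test_url/'
    altered_redirect_uri = 'https://apps.facebook.com/django-facetools/test_url/'

    # Make sure our assumptions about the URL's location are correct
    response = authorize_application(None, redirect_uri=unaltered_redirect_uri)
    unaltered_js_url = self.get_redirect_uri(response, "window.parent.location =", ';')
    unaltered_href_url = self.get_redirect_uri(response, 'You must <a href="', '"')
    self.assertEqual(unaltered_redirect_uri, unaltered_js_url)
    self.assertEqual(unaltered_redirect_uri, unaltered_href_url)

    # Make sure the URL gets changed to the proper URL
    middleware = FandjangoIntegrationMiddleware()
    response = middleware.process_response(None, response)
    altered_js_url = self.get_redirect_uri(response, "window.parent.location =", ';')
    altered_href_url = self.get_redirect_uri(response, 'You must <a href="', '"')
    self.assertEqual(altered_redirect_uri, altered_js_url)
    self.assertEqual(altered_redirect_uri, altered_href_url)
    self.assertEqual(200, response.status_code)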
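def process_request(self, request):
    """Process the signed request.

    Sets ``request.facebook`` to a ``Facebook`` instance when a signed request
    is present in ``request.REQUEST`` or ``request.COOKIES``, and to ``False``
    otherwise. When the signed request says the user has authorized the
    application, ``request.facebook.user`` is set to the matching ``User``
    (created, together with its ``OAuthToken``, on first sight).

    Returns a response when the request cannot proceed — the
    ``authorization_denied_view`` response on ``error=access_denied``, or the
    ``authorize_application`` redirect when the OAuth token has expired — and
    ``None`` otherwise so Django continues the middleware chain.

    Raises ``ImproperlyConfigured`` when both path lists are configured.
    """
    if ENABLED_PATHS and DISABLED_PATHS:
        raise ImproperlyConfigured('You may configure either FANDJANGO_ENABLED_PATHS or FANDJANGO_DISABLED_PATHS, but not both.')

    if DISABLED_PATHS and is_disabled_path(request.path):
        return

    if ENABLED_PATHS and not is_enabled_path(request.path):
        return

    # An error occured during authorization...
    if 'error' in request.GET:
        error = request.GET['error']

        # The user refused to authorize the application...
        if error == 'access_denied':
            return authorization_denied_view(request)

    # Signed request found in either GET, POST or COOKIES...
    if 'signed_request' in request.REQUEST or 'signed_request' in request.COOKIES:
        request.facebook = Facebook()

        # If the request method is POST and its body only contains the signed request,
        # chances are it's a request from the Facebook platform and we'll override
        # the request method to HTTP GET to rectify their misinterpretation
        # of the HTTP standard.
        #
        # References:
        # "POST for Canvas" migration at http://developers.facebook.com/docs/canvas/post/
        # "Incorrect use of the HTTP protocol" discussion at http://forum.developers.facebook.net/viewtopic.php?id=93554
        #
        # NOTE(review): anything later in the chain (CSRF checks included) now
        # sees this POST as a GET. That is only sound because the signed
        # request is verified against the application secret just below;
        # confirm SignedRequest.parse rejects a bad signature rather than
        # returning a partial object. Also note request.REQUEST was already
        # consulted above, so it presumably still reflects the original POST
        # after request.POST is replaced — verify against the Django version
        # in use.
        if request.method == 'POST' and 'signed_request' in request.POST:
            request.POST = QueryDict('')
            request.method = 'GET'

        request.facebook.signed_request = SignedRequest.parse(
            signed_request = request.REQUEST.get('signed_request') or request.COOKIES.get('signed_request'),
            application_secret_key = FACEBOOK_APPLICATION_SECRET_KEY
        )

        # User has authorized the application...
        if request.facebook.signed_request.user.has_authorized_application:

            # Redirect to Facebook Authorization if the OAuth token has expired
            if request.facebook.signed_request.oauth_token.has_expired:
                return authorize_application(
                    request = request,
                    redirect_uri = get_post_authorization_redirect_url(request)
                )

            # Initialize a User object and its corresponding OAuth token
            try:
                user = User.objects.get(facebook_id=request.facebook.signed_request.user.id)
            except User.DoesNotExist:
                oauth_token = OAuthToken.objects.create(
                    token = request.facebook.signed_request.oauth_token.token,
                    issued_at = request.facebook.signed_request.oauth_token.issued_at,
                    expires_at = request.facebook.signed_request.oauth_token.expires_at
                )

                user = User.objects.create(
                    facebook_id = request.facebook.signed_request.user.id,
                    oauth_token = oauth_token
                )

                user.synchronize()

            # Update the user's details and OAuth token
            else:
                user.last_seen_at = datetime.now()
                user.authorized = True

                if request.facebook.signed_request.oauth_token:
                    user.oauth_token.token = request.facebook.signed_request.oauth_token.token
                    user.oauth_token.issued_at = request.facebook.signed_request.oauth_token.issued_at
                    user.oauth_token.expires_at = request.facebook.signed_request.oauth_token.expires_at
                    user.oauth_token.save()

                user.save()

            # Attempt to extend the OAuth token, but ignore exceptions raised by
            # bug #102727766518358 in the Facebook Platform.
            #
            # http://developers.facebook.com/bugs/102727766518358/
            #
            # Catching Exception rather than using a bare except keeps
            # SystemExit/KeyboardInterrupt from being swallowed here while
            # preserving the best-effort behaviour for platform errors.
            try:
                user.oauth_token.extend()
            except Exception:
                pass

            request.facebook.user = user

    # ... no signed request found.
    else:
        request.facebook = False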
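def process_request(self, request):
    """Process the signed request.

    Sets ``request.facebook`` to a ``Facebook`` instance when a signed request
    is present in ``request.REQUEST`` or ``request.COOKIES`` and parses as
    valid; to ``False`` when there is none or ``SignedRequest`` raises
    ``SignedRequest.Error``. When the signed request says the user has
    authorized the application, ``request.facebook.user`` is set to the
    matching ``User`` (created, together with its ``OAuthToken``, on first
    sight). ``user.authorized`` is only re-asserted for a signed request that
    arrived in the request itself, not one read back from the cookie.

    Returns a response when the request cannot proceed — the
    ``authorization_denied_view`` response on ``error=access_denied``, or the
    ``authorize_application`` redirect when the OAuth token has expired — and
    ``None`` otherwise so Django continues the middleware chain.

    Raises ``ImproperlyConfigured`` when both path lists are configured.
    """
    if ENABLED_PATHS and DISABLED_PATHS:
        raise ImproperlyConfigured(
            'You may configure either FANDJANGO_ENABLED_PATHS '
            'or FANDJANGO_DISABLED_PATHS, but not both.')

    if DISABLED_PATHS and is_disabled_path(request.path):
        return

    if ENABLED_PATHS and not is_enabled_path(request.path):
        return

    # An error occured during authorization...
    if 'error' in request.GET:
        error = request.GET['error']

        # The user refused to authorize the application...
        if error == 'access_denied':
            return authorization_denied_view(request)

    # Signed request found in either GET, POST or COOKIES...
    if 'signed_request' in request.REQUEST or 'signed_request' in request.COOKIES:
        request.facebook = Facebook()

        # If the request method is POST and its body only contains the signed request,
        # chances are it's a request from the Facebook platform and we'll override
        # the request method to HTTP GET to rectify their misinterpretation
        # of the HTTP standard.
        #
        # References:
        # "POST for Canvas" migration at http://developers.facebook.com/docs/canvas/post/
        # "Incorrect use of the HTTP protocol" discussion at http://forum.developers.facebook.net/viewtopic.php?id=93554
        #
        # NOTE(review): anything later in the chain (CSRF checks included) now
        # sees this POST as a GET. That is only sound because the signed
        # request is verified against the application secret just below and a
        # failed verification leaves request.facebook as False. request.REQUEST
        # was already consulted above, so it presumably still reflects the
        # original POST after request.POST is replaced — verify against the
        # Django version in use.
        if request.method == 'POST' and 'signed_request' in request.POST:
            request.POST = QueryDict('')
            request.method = 'GET'

        # A signed request that fails to parse (including a bad signature,
        # presumably) is treated exactly like no signed request at all.
        try:
            request.facebook.signed_request = SignedRequest(
                signed_request=request.REQUEST.get('signed_request') or request.COOKIES.get('signed_request'),
                application_secret_key=FACEBOOK_APPLICATION_SECRET_KEY)
        except SignedRequest.Error:
            request.facebook = False

        # Valid signed request and user has authorized the application
        if request.facebook and request.facebook.signed_request.user.has_authorized_application:

            # Redirect to Facebook Authorization if the OAuth token has expired
            if request.facebook.signed_request.user.oauth_token.has_expired:
                return authorize_application(
                    request=request,
                    redirect_uri=get_post_authorization_redirect_url(
                        request))

            # Initialize a User object and its corresponding OAuth token
            try:
                user = User.objects.get(
                    facebook_id=request.facebook.signed_request.user.id)
            except User.DoesNotExist:
                oauth_token = OAuthToken.objects.create(
                    token=request.facebook.signed_request.user.oauth_token.token,
                    issued_at=request.facebook.signed_request.user.oauth_token.issued_at,
                    expires_at=request.facebook.signed_request.user.oauth_token.expires_at)

                user = User.objects.create(
                    facebook_id=request.facebook.signed_request.user.id,
                    oauth_token=oauth_token)

                user.synchronize()

            # Update the user's details and OAuth token
            else:
                user.last_seen_at = datetime.now()

                # Only a signed request carried by the request itself (not the
                # cookie copy) re-asserts authorization.
                if 'signed_request' in request.REQUEST:
                    user.authorized = True

                if request.facebook.signed_request.user.oauth_token:
                    user.oauth_token.token = request.facebook.signed_request.user.oauth_token.token
                    user.oauth_token.issued_at = request.facebook.signed_request.user.oauth_token.issued_at
                    user.oauth_token.expires_at = request.facebook.signed_request.user.oauth_token.expires_at
                    user.oauth_token.save()

                user.save()

            if not user.oauth_token.extended:
                # Attempt to extend the OAuth token, but ignore exceptions raised by
                # bug #102727766518358 in the Facebook Platform.
                #
                # http://developers.facebook.com/bugs/102727766518358/
                #
                # Catching Exception rather than using a bare except keeps
                # SystemExit/KeyboardInterrupt from being swallowed here while
                # preserving the best-effort behaviour for platform errors.
                try:
                    user.oauth_token.extend()
                except Exception:
                    pass

            request.facebook.user = user

    # ... no signed request found.
    else:
        request.facebook = False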