ianlee-dev / facebook-java-api

Automatically exported from code.google.com/p/facebook-java-api
0 stars 0 forks source link

Desktop session secret will not always end with double-underscore #211

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
In the ExtensibleClient there is the following logic:
if ( secret.endsWith( "__" ) ) {
  _isDesktop = true;
}

This is not durable test: It is possible to get a session secret that does 
NOT end with double-underscore.

To reproduce:
Create a new desktop mode Facebook app
Generate an authentication URL using the app's API key
Authorize that application for a user
Request offline_access extended permission
Run auth_promote and get back the session key and session secret, notice 
the session secret doesn't end with double-underscore

Example (these have been modified to avoid giving out secret key):
DESKTOP_APIKEY=0ba346696372c2b673ad32ce-11002633
DESKTOP_SECRET=3263335400f70c9f1872e1a314cccf33

Original issue reported on code.google.com by abdinoor on 28 May 2009 at 11:57

GoogleCodeExporter commented 8 years ago

Original comment by david.j....@googlemail.com on 29 May 2009 at 7:17

GoogleCodeExporter commented 8 years ago

Original comment by david.j....@googlemail.com on 31 May 2009 at 7:49

GoogleCodeExporter commented 8 years ago
I've noticed this too..

I think the api users will have to tell us explicitly when they hand us a
sessionSecret instead of a normal appSecret.  I have added a constructor for 
this,
but haven't publicized the requirement yet...

Original comment by fern...@gmail.com on 21 Nov 2009 at 9:06