oklahomer / p5-Facebook-OpenGraph

https://metacpan.org/release/Facebook-OpenGraph

Should it take care of fbsr_{app_id} cookie value? #1

Closed oklahomer closed 10 years ago

oklahomer commented 10 years ago

When combined w/ JS SDK, it would be better if this module took care of the cookie value that is set by JS SDK, since it can skip the process to acquire code parameter by redirecting user to login dialog. Cookie name seems to be in the form of fbsr_{app_id} and the value can be parsed w/ parse_signed_request().

oklahomer commented 10 years ago

To keep its implementation simple, I’m thinking of adding a method that just returns the cookie name. This way I don’t have to take care of what modules the developer is using to handle request headers and cookies. Developers should be able to access the cookie value and parse it with some code like below:

if (my $cookie = $c->req->cookie( $fb->js_cookie_name )) {
    # The cookie set by the JS SDK carries a signed request.
    my $val = $fb->parse_signed_request($cookie);
    # Exchange the code from the signed request for a user token.
    my $token_ref = $fb->get_user_token_by_code($val->{code});
}
else {
    return $c->redirect( $fb->auth_uri );
}

oklahomer commented 10 years ago

It appears that this cookie is set when the following conditions are met:

As long as these are satisfied, the cookie is set/updated on every FB.init() call.

Parsing signed request should be as easy as my previous comment. Parsed content should be something like below:

{
    "algorithm": "HMAC-SHA256",
    "issued_at": 1398180151,
    "code": "SOME_OPAQUE_STRING",
    "user_id": 44007581
}

The next step, get_user_token_by_code(), has a problem; this method requires $fb->redirect_uri to be set. With the code extracted from the signed_request, redirect_uri must be an empty string. When some string is given, Facebook returns the error below:

100:- OAuthException:Error validating verification code. Please make sure your redirect_uri is identical to the one you used in the OAuth dialog request

When redirect_uri is totally missing it says:

191:- OAuthException:Missing redirect_uri parameter.

So you must set an empty string as the redirect_uri value to get the correct response:

{
    "access_token" : "new_token_string_qwerty",
    "expires" : 5752
}

I must do something about get_user_token_by_code()'s implementation.
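
The fbsr_{app_id} cookie is client-controlled, so the code and user_id shown above are only usable once the signature has been checked. The following is an added example, not this module's parse_signed_request() and not code from the thread: it verifies a signed request of the form `<signature>.<payload>` (both base64url) with HMAC-SHA256. The function name `verify_signed_request`, the `$max_age` freshness check, the app secret and the sample cookie are assumptions constructed for illustration.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256);
use MIME::Base64 qw(decode_base64url encode_base64url);
use JSON::PP qw(decode_json encode_json);

# Verify and decode a signed request ("<sig>.<payload>", both base64url).
# Returns the payload hashref, or nothing if the value must not be trusted.
sub verify_signed_request {
    my ($raw, $app_secret, $max_age) = @_;
    my ($sig_b64, $payload_b64) = split /\./, ($raw // ''), 2;
    return unless defined($payload_b64) && length($sig_b64) && length($payload_b64);

    # The MAC covers the encoded payload string, not the decoded JSON.
    my $expected = hmac_sha256($payload_b64, $app_secret);
    my $given    = decode_base64url($sig_b64);
    return unless length($given) == length($expected);

    # Compare without an early exit so timing does not leak matching bytes.
    my $diff = 0;
    $diff |= ord(substr($given, $_, 1)) ^ ord(substr($expected, $_, 1))
        for 0 .. length($expected) - 1;
    return if $diff;

    my $data = eval { decode_json(decode_base64url($payload_b64)) };
    return unless ref $data eq 'HASH';
    return unless uc($data->{algorithm} // '') eq 'HMAC-SHA256';
    return if defined $max_age && time - ($data->{issued_at} // 0) > $max_age;
    return $data;
}

# Constructed sample: a cookie value signed with a made-up app secret.
my $secret  = 'constructed-app-secret';
my $payload = encode_base64url(encode_json({
    algorithm => 'HMAC-SHA256', issued_at => time,
    code => 'SOME_OPAQUE_STRING', user_id => 44007581,
}));
my $cookie = encode_base64url(hmac_sha256($payload, $secret)) . ".$payload";

my $ok = verify_signed_request($cookie, $secret, 3600);
print "valid: code=$ok->{code} user_id=$ok->{user_id}\n" if $ok;

# A payload altered by the client no longer matches the signature.
(my $tampered = $cookie) =~ s/\.(.)/'.' . ($1 eq 'A' ? 'B' : 'A')/e;
print "tampered cookie rejected\n" unless verify_signed_request($tampered, $secret, 3600);
```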