appsecret_proof support

stickfigure / batchfb-migrated

Some migrated content from google code; ignore this repository

MIT License

0 stars 0 forks source link

appsecret_proof support #20

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago

What steps will reproduce the problem?
1. In facebook, go to Application, Settings, Advanced, Client Token, toggle Yes 
on "App Secret Proof for Server API calls"
2. In the code, try to get a photo using "photo/{id}" as the resource
3. The exception "com.googlecode.batchfb.err.PermissionException: API calls 
from the server require an appsecret_proof argument" will be thrown

What is the expected output? What do you see instead?
The response for the picture.  What I get instead is the aforementioned 
exception.

What version of the product are you using? On what operating system?
2.1.5

Original issue reported on code.google.com by je...@mimedia.com on 3 Feb 2015 at 8:14

GoogleCodeExporter commented 9 years ago

Ah, a new facebook feature. Will add this asap.

Original comment by lhori...@gmail.com on 3 Feb 2015 at 11:49

Changed state: Accepted
Added labels: Type-Enhancement, Priority-Critical
Removed labels: Type-Defect, Priority-Medium

GoogleCodeExporter commented 9 years ago

Grab the latest code from master and let me know if it works the way you like. 
If so, I'll push a new release to maven.

Original comment by lhori...@gmail.com on 4 Feb 2015 at 12:28

GoogleCodeExporter commented 9 years ago

The temporary workaround I have found to work (I think) is;

final Later<T> future = batcher.graph(endpoint, new TypeReference<T>() {}, new 
Param("appsecret_proof", encode(FACEBOOK_APP_SECRET, accessToken)));

private static String encode(String key, String data) {
        final SecretKeySpec secret_key = new SecretKeySpec(key.getBytes(), "HmacSHA256");
        final Mac sha256_HMAC;
        try {
            sha256_HMAC = Mac.getInstance("HmacSHA256");
            sha256_HMAC.init(secret_key);
            return Hex.encodeHexString(sha256_HMAC.doFinal(data.getBytes()));
        } catch (NoSuchAlgorithmException | InvalidKeyException e) {
            throw new RuntimeException("Cannot generate facebook appsecret_proof", e);
        }
    }

Maybe you can batcher, or graph(...) receive the app_secret key so that I can 
do its hashing for the appsecret_proof ?

Thanks!

Original comment by je...@mimedia.com on 4 Feb 2015 at 3:05

GoogleCodeExporter commented 9 years ago

Have you tried the latest code in master? It adds a parameter to the 
FacebookBatcher constructor (the raw app secret).

I'm just waiting on confirmation that this works and that you're happy with the 
API before cutting a release.

Original comment by lhori...@gmail.com on 4 Feb 2015 at 6:44

GoogleCodeExporter commented 9 years ago

Crap - so sorry.  I completely put this behind me, for the time being.  I 
cannot test it currently, as I am busy with something else.

Thanks for the super-quick reply, and my apologies for being MIA, and for being 
useless in the immediate future.

Original comment by je...@mimedia.com on 11 Mar 2015 at 7:34