Module: Facebook

Defined in:
app/services/facebook/api_client.rb,
app/services/facebook/advertiser_api_client.rb,
app/services/facebook/signed_request_verifier.rb

Overview

Verifies and parses Meta's "signed_request" payload, used by both
Login (cookie-based flow) and the Data Deletion Callback webhook.

Meta's format is <base64url(signature)>.<base64url(json_payload)> where
the signature is HMAC-SHA256(encoded_payload, app_secret) — note the
HMAC is computed over the encoded payload string, not the decoded JSON.

Reference:
https://developers.facebook.com/docs/facebook-login/guides/advanced/oidc-token#signedrequest
https://developers.facebook.com/docs/development/create-an-app/app-dashboard/data-deletion-callback/

We can't reuse the parser bundled with omniauth-facebook
(OmniAuth::Facebook::SignedRequest.parse) directly because it raises on
failure — for a webhook controller we want a Result object we can branch
on without rescuing. The HMAC logic is otherwise identical.

Examples:

Happy path

result = Facebook::SignedRequestVerifier.call(
  signed_request: params[:signed_request],
  app_secret:     Heatwave::Configuration.fetch(:omniauth, :facebook_secret)
)
if result.valid?
  user_id = result.payload.fetch('user_id')
  # ...
end
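
Rejection paths, as an added sketch that is not the project's own code or omniauth-facebook's: it checks the HMAC over the encoded payload before decoding it and returns a Result instead of raising. The module name SignedRequestSketch, the error symbols and the sign helper (which builds a constructed test token) are assumptions made for illustration.

```ruby
require 'base64'
require 'json'
require 'openssl'

# Hypothetical stand-in for the verifier; names here are not the project's.
module SignedRequestSketch
  Result = Struct.new(:payload, :error, keyword_init: true) do
    def valid?
      error.nil?
    end
  end

  def self.call(signed_request:, app_secret:)
    encoded_sig, encoded_payload = signed_request.to_s.split('.', 2)
    return failure(:malformed) if encoded_sig.to_s.empty? || encoded_payload.to_s.empty?

    # HMAC over the *encoded* payload string, exactly as received.
    expected = OpenSSL::HMAC.digest('SHA256', app_secret, encoded_payload)
    supplied = Base64.urlsafe_decode64(encoded_sig)
    return failure(:bad_signature) unless secure_equal?(expected, supplied)

    # Decode and parse only after the signature has been checked.
    payload = JSON.parse(Base64.urlsafe_decode64(encoded_payload))
    payload.is_a?(Hash) ? Result.new(payload: payload) : failure(:malformed)
  rescue ArgumentError, JSON::ParserError
    failure(:malformed) # invalid base64url or invalid JSON
  end

  def self.failure(reason)
    Result.new(error: reason)
  end

  # Constant-time comparison; a length mismatch is rejected up front.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize

    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Builds a constructed sample token so the checks can be exercised offline.
  def self.sign(payload, app_secret)
    body = Base64.urlsafe_encode64(JSON.generate(payload), padding: false)
    sig  = OpenSSL::HMAC.digest('SHA256', app_secret, body)
    "#{Base64.urlsafe_encode64(sig, padding: false)}.#{body}"
  end
end
```

A token signed with a different secret, or one whose payload segment was swapped after signing, comes back with error set to :bad_signature and a nil payload, so a webhook controller can branch on result.valid? without a rescue.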

Defined Under Namespace

Classes: AdvertiserApiClient, ApiClient, ConversionReporter, SignedRequestVerifier