Class: Facebook::SignedRequestVerifier

Inherits:
Object
  • Object
show all
Defined in:
app/services/facebook/signed_request_verifier.rb

Overview

Service object: signed-request verifier.

Defined Under Namespace

Classes: Result

Constant Summary collapse

SUPPORTED_ALGORITHM = 
'HMAC-SHA256'

Class Method Summary collapse

Class Method Details

.call(signed_request:, app_secret:) ⇒ Result

Parameters:

  • signed_request (String)

    the raw signed_request form param Meta posted

  • app_secret (String)

    the FB app's secret (omniauth.facebook_secret)

Returns:



43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
 
# File 'app/services/facebook/signed_request_verifier.rb', line 43

def self.call(signed_request:, app_secret:)
  return Result.new(valid?: false, payload: nil, error: 'missing_signed_request') if signed_request.blank?
  return Result.new(valid?: false, payload: nil, error: 'missing_app_secret')     if app_secret.blank?

  encoded_sig, encoded_payload = signed_request.split('.', 2)
  return Result.new(valid?: false, payload: nil, error: 'malformed') if encoded_sig.blank? || encoded_payload.blank?

  payload = JSON.parse(base64_url_decode(encoded_payload))

  unless payload['algorithm'] == SUPPORTED_ALGORITHM
    return Result.new(valid?: false, payload: nil, error: "unsupported_algorithm:#{payload['algorithm']}")
  end

  expected_sig = OpenSSL::HMAC.digest('SHA256', app_secret, encoded_payload)
  provided_sig = base64_url_decode(encoded_sig)

  unless ActiveSupport::SecurityUtils.secure_compare(expected_sig, provided_sig)
    return Result.new(valid?: false, payload: nil, error: 'bad_signature')
  end

  Result.new(valid?: true, payload: payload, error: nil)
rescue JSON::ParserError => e
  Result.new(valid?: false, payload: nil, error: "json_parse:#{e.message}")
rescue ArgumentError => e
  Result.new(valid?: false, payload: nil, error: "base64_decode:#{e.message}")
end