assistance developing plugin for developing Facebook applications in Seaside

Hi there,

I'm interested in building Facebook applications with Seaside.  I'm new to Seaside and would like some advice on how to implement the logic.  There are basically two needs within a Facebook application:  first, receive the Facebook specific variables from the request and provide access to the underlying application, and second, provide a REST-client interface so that you can query Facebook for information about the user and their friends.  The second item is not so challenging as it is not much more than a web client connecting.   The first item is a little challenging to me as Seaside offers to do much of the heavy work for you in processing variables during a request which I could do special processing under different frameworks.

A Facebook application is very simple:  you configure your application to work through the Facebook "proxy".  So, a Facebook app might look like http://apps.facebook.com/myapplication.  When the Facebook appserver sees a request for "myapplication" it makes a request to http://myapplicationserver.com/foobar which is my server.  Facebook makes a POST to this URL with a few extra variables than would normally be expected in the request, variables which are all prefaced with "fb_sig_", like "fb_sig_user".  One of the variables ("fb_sig") is a signed digest of the variables concatenated together.  To validate the request (ensure it comes from Facebook) you need to grab all "fb_sig_*" variables, sort them, and then use a secret key to generate the digest, a secret key which only your application and Facebook are aware of.  If the signature sent in the request and the one you generate match, then you know the data is trusted.  Then your application can trust that among other things the user_id sent is valid and the request did come from a user accessing your application through Facebook.

I'd like to write logic to enable this for my Seaside applications.  Can someone tell me how I go about overriding the proper classes in the request chain to
process these variables and then provide accessors within my base classes to the Facebook data? 

Here is the logic for processing the request in Ruby:

def self.verify_fb_signature( params, sig )
    signature = ""
    keys = params.keys.sort
    keys.each do |key|
      next if key == 'fb_sig'
      next unless key.include?('fb_sig')
      key_name = key.gsub('fb_sig_', '')
      signature += key_name
      signature += '='
      signature += params[key]
    end
    signature += ENV[ 'FACEBOOK_SECRET_KEY' ] # example:  'aabddasasasweasdsdaqewasdasd'
    calculated_sig = Digest::MD5.hexdigest(signature)
    calculated_sig.eql? sig
  end

Thanks,
Chris

_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside

>>>>> "Chris" == Chris Dawson <[hidden email]> writes:

Chris> I'd like to write logic to enable this for my Seaside applications.
Chris> Can someone tell me how I go about overriding the proper classes in the
Chris> request chain to process these variables and then provide accessors
Chris> within my base classes to the Facebook data?

Your top level component should implement #initialRequest:,
which will be passed a WARequest object, on which you can call
things like #at: to get the various params.  See the implementors of
#initialRequest: for examples (only WABrowser in the core Seaside distro).

>From there, you should be able to do the processing as you did in Ruby, and
once validated, you can set up your components and subcomponents to reply
appropriately within the session.

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<[hidden email]> <URL:http://www.stonehenge.com/merlyn/>
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion
_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside

Randal,

I'm finally getting back to writing this code.  If I understand correctly initialRequest is called only when a new session is created.  I think this will give me the proper data so that I can retrieve the information I need from Facebook, but I'd like to implement something that is called on every request and not only when a new session is created.  The reason for this is that if a request comes in that has the proper Facebook proxy parameters, and then some action occurs and the next request looks like a valid Seaside session but the Facebook proxy parameters are not correct, I'd like the app to barf before it does any processing.  It is probably unlikely that communication between the Facebook proxy and my app will be compromised but I doubt Seaside session urls use some kind of cryptographically secure mechanism to prevent spoofing so I'd rather be safe than sorry.  Any idea how I could install a handler in between every request to verify the Facebook proxy parameters?  I suppose I'd also like advice on what is the "Seaside way" to barf when I see a failure.

Chris



_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside

> but I doubt Seaside
> session urls use some kind of cryptographically secure
> mechanism to prevent spoofing so I'd rather be safe than
> sorry.  
> Chris

Quoting Lukas from ...
http://lists.squeakfoundation.org/pipermail/seaside/2007-November/015444.htm
l

"_s and _k are cryptographically secure keys into a particular point of a
session." -- Lukas

Ramon Leon
http://onsmalltalk.com

_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside