developing Facebook application in Aida

developing Facebook application in Aida

Chris Dawson
Hi there,

I originally made this request on the Seaside list, and now would like to know how to do this in Aida.  I'm interested in building Facebook applications with Aida.  There are basically two needs within a Facebook application:  first, receive the Facebook specific variables from the request and provide access to the underlying application, and second, provide a REST-client interface so that you can query Facebook for information about the user and their friends.  The second item is not so challenging as it is not much more than a web client connecting.  

A Facebook application is very simple:  you configure your application to work through the Facebook "proxy".  So, a Facebook app might look like http://apps.facebook.com/myapplication.  When the Facebook appserver sees a request for "myapplication" it makes a request to http://myapplicationserver.com/foobar which is my server.  Facebook makes a POST to this URL with a few extra variables than would normally be expected in the request, variables which are all prefaced with "fb_sig_", like "fb_sig_user".  One of the variables ("fb_sig") is a signed digest of the variables concatenated together.  To validate the request (ensure it comes from Facebook) you need to grab all "fb_sig_*" variables, sort them, and then use a secret key to generate the digest, a secret key which only your application and Facebook are aware of.  If the signature sent in the request and the one you generate match, then you know the data is trusted.  Then your application can trust that among other things the user_id sent is valid and the request did come from a user accessing your application through Facebook.

I'd like to write logic to enable this for my Aida applications.  Can someone tell me how I go about overriding the proper classes in the request chain to process these variables and then provide accessors within my base app classes to the Facebook data?

Here is the logic for processing the request in Ruby:

require 'digest/md5'

def self.verify_fb_signature( params, sig )
    signature = ""
    keys = params.keys.sort
    keys.each do |key|
      next if key == 'fb_sig'
      # only parameters that start with "fb_sig_" are part of the signed data
      next unless key.start_with?('fb_sig_')
      key_name = key.sub('fb_sig_', '')
      signature += key_name
      signature += '='
      signature += params[key]
    end
    # append the shared secret, then take the MD5 hex digest of the whole string
    signature += ENV[ 'FACEBOOK_SECRET_KEY' ] # example:  'aabddasasasweasdsdaqewasdasd'
    calculated_sig = Digest::MD5.hexdigest(signature)
    calculated_sig.eql? sig
end

Thanks,
Chris


_______________________________________________
Aida mailing list
[hidden email]
http://lists.aidaweb.si/mailman/listinfo/aida
Re: developing Facebook application in Aida

Janko Mivšek
Hi Chris,

Interesting project you are doing, and I think it is broadly interesting
for the Aida community too. So my first question would be: would you share
your work with us? This could be a nice contribution and also a good
extension of Aida for Facebook apps.

From your explanations it seems that a Facebook app is like every other
Aida app, with the addition of the credentials verification protocol. You
make this verification at the start of your viewMain method and if
successful, continue; if not, return an error element. Something like:

viewMain
   | e |
   "refuse to build the page unless the Facebook signature verifies"
   self signatureOK ifFalse:
        [^WebElement new addText: 'signature incorrect!'; yourself].
   e := WebElement new.
   ...
   ^e

So, the first task is therefore to implement the signatureOK method. You can
simply look at the current web request for Facebook parameters (see also
Swazoo-Messages):

signatureOK
    | req fbSig |
    req := self session lastRequest.
    fbSig := req postDataAt: 'fb_sig'.
    ..

something like that.

I hope this will help you start.

Best regards
Janko

--
Janko Mivšek
AIDA/Web
Smalltalk Web Application Server
http://www.aidaweb.si
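
Added example, not part of either message and not Aida or Facebook code: a stricter Ruby version of the check discussed in this thread, which hands the application the Facebook fields only after the signature has verified and compares digests in constant time. The names `secure_equal?` and `verified_fb_params`, the secret and the sample request values are constructed for illustration.

```ruby
require 'digest/md5'

FB_PREFIX = 'fb_sig_'

# Constant-time string comparison, so a forged signature cannot be
# guessed character by character from response timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Returns the Facebook fields (prefix stripped) when fb_sig verifies,
# nil otherwise. Only keys that START with "fb_sig_" count as signed;
# everything else in the request stays untrusted and is not returned.
def verified_fb_params(params, secret)
  sent = params['fb_sig']
  return nil unless sent.is_a?(String) && !secret.to_s.empty?

  signed = params.select { |k, v| k.start_with?(FB_PREFIX) && v.is_a?(String) }
  fields = signed.map { |k, v| [k.delete_prefix(FB_PREFIX), v] }.sort.to_h
  base = fields.map { |k, v| "#{k}=#{v}" }.join + secret
  secure_equal?(Digest::MD5.hexdigest(base), sent) ? fields : nil
end

# Constructed sample request: secret and values are made up.
SECRET = 'example-secret-not-a-real-key'
SAMPLE = {
  'fb_sig_user' => '1234',
  'fb_sig_time' => '1200000000.5',
  'page'        => 'home'            # ordinary, unsigned parameter
}
# Signature as the sender would compute it: sorted name=value pairs + secret.
SAMPLE['fb_sig'] = Digest::MD5.hexdigest('time=1200000000.5user=1234' + SECRET)

if __FILE__ == $PROGRAM_NAME
  p verified_fb_params(SAMPLE, SECRET)
  p verified_fb_params(SAMPLE.merge('fb_sig_user' => '9999'), SECRET)
end
```

An application would read the user id from the returned hash rather than from the raw request, so an unverified `fb_sig_user` can never reach application code.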