[Python-modules-commits] [python-social-auth] 120/322: [facebook-oauth2] Verifying Graph API Calls with appsecret_proof

Wolfgang Borgert debacle at moszumanska.debian.org
Sat Dec 24 15:12:57 UTC 2016


This is an automated email from the git hooks/post-receive script.

debacle pushed a commit to tag v0.2.10
in repository python-social-auth.

commit 94ad25e06a82641130ef18eb37a682bb1285baa0
Author: Eugene Agafonov <e.a.agafonov at gmail.com>
Date:   Thu Feb 12 21:42:21 2015 +0300

    [facebook-oauth2] Verifying Graph API Calls with appsecret_proof
    
    https://developers.facebook.com/docs/graph-api/securing-requests
    
    Graph API calls from a server can be better secured by adding a
    parameter called appsecret_proof.
    
    The app secret proof is a sha256 hash of your access token, using the
    app secret as the key.
    
    $appsecret_proof= hash_hmac('sha256', $access_token, $app_secret)
    
    The result must be added as an appsecret_proof parameter to each call
    you make from the server.
    
    Securing with appsecret_proof is optional (but enabled by default for
    new Facebook apps), so adding the appsecret_proof param is controlled by
    SOCIAL_AUTH_FACEBOOK_APPSECRET_PROOF = True|False
    
    Default is True
---
 social/backends/facebook.py | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/social/backends/facebook.py b/social/backends/facebook.py
index f318169..eb7a494 100644
--- a/social/backends/facebook.py
+++ b/social/backends/facebook.py
@@ -13,6 +13,11 @@ from social.backends.oauth import BaseOAuth2
 from social.exceptions import AuthException, AuthCanceled, AuthUnknownError, \
                               AuthMissingParameter
 
+import hmac
+import hashlib
+
+def hmac_sha256(key, msg):
+    return hmac.new(key, msg, digestmod=hashlib.sha256).hexdigest()
 
 class FacebookOAuth2(BaseOAuth2):
     """Facebook OAuth2 authentication backend"""
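Review bot: `hmac_sha256` passes `key` and `msg` straight to `hmac.new`, which on Python 3 accepts only bytes-like objects; `secret` and `access_token` are `str` here, so the call raises `TypeError` and `user_data()` breaks whenever the (default-on) proof is enabled. Encode both before hashing, e.g. `hmac.new(key.encode('utf-8'), msg.encode('utf-8'), digestmod=hashlib.sha256).hexdigest()`, or accept either type and convert. Style: the two `import` lines belong with the other imports at the top of the module rather than after the `from ... import` block, and a top-level `def` should be separated by two blank lines.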
@@ -46,6 +51,11 @@ class FacebookOAuth2(BaseOAuth2):
         """Loads user data from service"""
         params = self.setting('PROFILE_EXTRA_PARAMS', {})
         params['access_token'] = access_token
+
+        if self.setting('APPSECRET_PROOF', True):
+            _, secret = self.get_key_and_secret()
+            params['appsecret_proof'] = hmac_sha256(secret, access_token);
+
         return self.get_json(self.USER_DATA_URL, params=params)
 
     def process_error(self, data):
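Review bot: the proof is only attached in `user_data()`, while the commit message states it "must be added to each call you make from the server"; if this backend issues any other Graph API request with the access token, that request will be rejected once the Facebook app enforces the proof, so the parameter should be added in one shared place rather than per call. Minor: drop the trailing semicolon on `params['appsecret_proof'] = hmac_sha256(secret, access_token);`, and a short comment or docstring pointing at the `APPSECRET_PROOF` setting (resolved as `SOCIAL_AUTH_FACEBOOK_APPSECRET_PROOF`) would help readers find the switch.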

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/python-modules/packages/python-social-auth.git
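As an added example (not part of this commit or of python-social-auth), the appsecret_proof computation described in the commit message, with the str/bytes handling that Python 3's hmac module requires; `graph_api_params` and its `enabled`/`extra` arguments are assumed stand-ins for the backend's setting lookup and PROFILE_EXTRA_PARAMS:

```python
import hmac
import hashlib


def _to_bytes(value):
    """hmac.new() on Python 3 only accepts bytes; encode str inputs as UTF-8."""
    return value if isinstance(value, bytes) else value.encode("utf-8")


def appsecret_proof(app_secret, access_token):
    """hex(HMAC-SHA256(key=app_secret, msg=access_token)), the value Facebook
    expects in the appsecret_proof query parameter. Accepts str or bytes."""
    return hmac.new(_to_bytes(app_secret), _to_bytes(access_token),
                    digestmod=hashlib.sha256).hexdigest()


def graph_api_params(access_token, app_secret, enabled=True, extra=None):
    """Build the query parameters for a server-side Graph API call the way the
    backend's user_data() does: the proof is attached only when the
    APPSECRET_PROOF setting is on. `extra` stands in for PROFILE_EXTRA_PARAMS
    and is copied rather than mutated so a shared settings dict stays clean."""
    params = dict(extra or {})
    params["access_token"] = access_token
    if enabled:
        params["appsecret_proof"] = appsecret_proof(app_secret, access_token)
    return params
```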