[Python-modules-commits] [python-social-auth] 120/322: [facebook-oauth2] Verifying Graph API Calls with appsecret_proof
Wolfgang Borgert
debacle at moszumanska.debian.org
Sat Dec 24 15:12:57 UTC 2016
This is an automated email from the git hooks/post-receive script.
debacle pushed a commit to tag v0.2.10
in repository python-social-auth.
commit 94ad25e06a82641130ef18eb37a682bb1285baa0
Author: Eugene Agafonov <e.a.agafonov at gmail.com>
Date: Thu Feb 12 21:42:21 2015 +0300
[facebook-oauth2] Verifying Graph API Calls with appsecret_proof
https://developers.facebook.com/docs/graph-api/securing-requests
Graph API calls from a server can be better secured by adding a
parameter called appsecret_proof.
The app secret proof is a sha256 hash of your access token, using the
app secret as the key.
$appsecret_proof= hash_hmac('sha256', $access_token, $app_secret)
The result must be added as an appsecret_proof parameter to each call
you make from the server.
Securing with appsecret_proof is optional (but enabled by default for
new Facebook apps), so adding the appsecret_proof param is controlled by
SOCIAL_AUTH_FACEBOOK_APPSECRET_PROOF = True|False
Default is True.
---
social/backends/facebook.py | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/social/backends/facebook.py b/social/backends/facebook.py
index f318169..eb7a494 100644
--- a/social/backends/facebook.py
+++ b/social/backends/facebook.py
@@ -13,6 +13,11 @@ from social.backends.oauth import BaseOAuth2
from social.exceptions import AuthException, AuthCanceled, AuthUnknownError, \
AuthMissingParameter
+import hmac
+import hashlib
+
+def hmac_sha256(key, msg):
+ return hmac.new(key, msg, digestmod=hashlib.sha256).hexdigest()
class FacebookOAuth2(BaseOAuth2):
"""Facebook OAuth2 authentication backend"""
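Review bot: the new `hmac_sha256` helper will raise TypeError on Python 3 if `key` or `msg` arrive as str, because `hmac.new` requires bytes-like objects there; encoding both with `.encode('utf-8')` inside the helper (or at the call site) keeps it working on both 2 and 3. Minor: `import hmac` and `import hashlib` are standard-library imports and belong with the module's other stdlib imports at the top rather than after the `social.exceptions` import, and the helper could carry a one-line docstring saying it returns a hex digest.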
@@ -46,6 +51,11 @@ class FacebookOAuth2(BaseOAuth2):
"""Loads user data from service"""
params = self.setting('PROFILE_EXTRA_PARAMS', {})
params['access_token'] = access_token
+
+ if self.setting('APPSECRET_PROOF', True):
+ _, secret = self.get_key_and_secret()
+ params['appsecret_proof'] = hmac_sha256(secret, access_token);
+
return self.get_json(self.USER_DATA_URL, params=params)
def process_error(self, data):
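Review bot: `params['appsecret_proof'] = hmac_sha256(secret, access_token);` has a stray trailing semicolon; drop it. Also, the commit message states the proof must be added to each call made from the server, but this hunk only attaches it to the `user_data` request, so any other Graph API request the backend makes with the access token still goes out without a proof; either cover those call sites too or narrow the commit message to say only the user-data request is secured here. The new `SOCIAL_AUTH_FACEBOOK_APPSECRET_PROOF` setting should also be documented alongside the backend's other settings.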
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/python-modules/packages/python-social-auth.git
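To make the mechanism in the commit message concrete, here is an added, self-contained example (not the project's or the commit author's code) that computes appsecret_proof as HMAC-SHA256 of the access token keyed with the app secret, builds the request parameters under a switch equivalent to SOCIAL_AUTH_FACEBOOK_APPSECRET_PROOF, and shows the server-side check that makes a stolen token useless without the secret; all credential values are constructed placeholders, and `graph_params` / `verify_appsecret_proof` are hypothetical names.

```python
import hmac
import hashlib


def _to_bytes(value):
    """HMAC needs bytes; accept str (how settings are usually stored) or bytes."""
    return value.encode("utf-8") if isinstance(value, str) else value


def appsecret_proof(app_secret, access_token):
    """Client side: hex HMAC-SHA256 of the access token, keyed with the app
    secret, i.e. the hash_hmac('sha256', token, secret) from the commit message."""
    return hmac.new(_to_bytes(app_secret), _to_bytes(access_token),
                    digestmod=hashlib.sha256).hexdigest()


def graph_params(app_secret, access_token, extra=None, appsecret_proof_enabled=True):
    """Build the query parameters for a server-side Graph API call; the flag
    mirrors the SOCIAL_AUTH_FACEBOOK_APPSECRET_PROOF setting (default True)."""
    params = dict(extra or {})
    params["access_token"] = access_token
    if appsecret_proof_enabled:
        params["appsecret_proof"] = appsecret_proof(app_secret, access_token)
    return params


def verify_appsecret_proof(app_secret, access_token, presented_proof):
    """Server side (what the Graph API does): recompute the proof and compare
    in constant time. A caller holding only a leaked access token, but not the
    app secret, cannot produce a matching value."""
    if not isinstance(presented_proof, str) or not presented_proof.isascii():
        return False  # compare_digest only accepts ASCII str; treat as mismatch
    expected = appsecret_proof(app_secret, access_token)
    return hmac.compare_digest(expected, presented_proof)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    SECRET = "app-secret-constructed-example"
    TOKEN = "EAAB-constructed-access-token"
    params = graph_params(SECRET, TOKEN, {"fields": "id,name"})
    print(sorted(params))
    print("valid:", verify_appsecret_proof(SECRET, TOKEN, params["appsecret_proof"]))
    print("wrong secret:", verify_appsecret_proof("other", TOKEN, params["appsecret_proof"]))
```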