Tornado with Facebook Registration Plugin
Question
Facebook released a registration plugin here http://developers.facebook.com/docs/user_registration a few weeks ago.
I was wondering how can we implement this with Tornado?
I kept receiving an error: 403 POST /auth/fbform (127.0.0.1): '_xsrf' argument missing from POST
The redirect_url is http://localhost:8888/auth/fbform. The code is as follows:
    import base64
    import hashlib
    import hmac
    import json

    import tornado.web

    # BaseHandler is the asker's own base class (not shown in the question).
    class FBFormLoginHandler(BaseHandler, tornado.web.RequestHandler):
        def get(self):
            print "i'm in GET"
            print self.request
            # parse and check data
            data = _parse_signed_request(self.request['_xsrf'], "XXXXX")
            return

        def post(self):
            print "i'm in POST"
            print self.request
            # parse and check data
            data = _parse_signed_request(self.request['_xsrf'], "XXXXX")
            return

    def _parse_signed_request(signed_request, app_secret):
        print "hello in parse_signed_request"
        try:
            # format: <base64url signature>.<base64url JSON payload>
            l = signed_request.split('.', 2)
            encoded_sig = str(l[0])
            payload = str(l[1])
        except IndexError:
            raise ValueError("'signed_request' malformed")

        # restore the stripped base64 padding before decoding
        sig = base64.urlsafe_b64decode(encoded_sig + "=" * ((4 - len(encoded_sig) % 4) % 4))
        data = base64.urlsafe_b64decode(payload + "=" * ((4 - len(payload) % 4) % 4))
        data = json.loads(data)

        if data.get('algorithm').upper() != 'HMAC-SHA256':
            raise ValueError("'signed_request' is using an unknown algorithm")
        else:
            # HMAC is computed over the still-encoded payload
            expected_sig = hmac.new(app_secret, msg=payload, digestmod=hashlib.sha256).digest()

        if sig != expected_sig:
            raise ValueError("'signed_request' signature mismatch")
        else:
            return data

I do not understand which POST the error message is talking about, so I tried to use the _parse_signed_request from the get and post functions.
Please enlighten me. I'm currently working from my local computer by the way.
Best Regards.
Solution
You have to disable CSRF checking on that endpoint, since the request is coming from Facebook and not your own site.
http://www.tornadoweb.org/documentation#cross-site-request-forgery-protection
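
One way to apply this answer, as an added example that is not part of the original post or Tornado's own code: the handler skips the XSRF check for this endpoint only and relies on the HMAC over signed_request, compared in constant time, to authenticate the POST. It is written for Python 3 and assumes the value arrives in a form field named signed_request; `sign_sample`, `Base` and the response body are illustrative names, and `sign_sample` only builds constructed test input.

```python
import base64, hashlib, hmac, json

try:
    import tornado.web
    Base = tornado.web.RequestHandler
except ImportError:  # keeps the verifier below usable without Tornado
    Base = object

APP_SECRET = b"XXXXX"  # placeholder, as in the question

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def parse_signed_request(signed_request, app_secret):
    """Return the payload dict; raise ValueError if it is not authentic."""
    try:
        encoded_sig, payload = signed_request.split(".", 1)
        sig = b64url_decode(encoded_sig)
        data = json.loads(b64url_decode(payload))
    except ValueError:  # bad split, base64, UTF-8 or JSON
        raise ValueError("'signed_request' malformed")
    if not isinstance(data, dict) or str(data.get("algorithm")).upper() != "HMAC-SHA256":
        raise ValueError("'signed_request' is using an unknown algorithm")
    expected = hmac.new(app_secret, payload.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("'signed_request' signature mismatch")
    return data

def sign_sample(data, app_secret):
    """Build a constructed signed_request so the check can be exercised offline."""
    payload = base64.urlsafe_b64encode(json.dumps(data).encode()).rstrip(b"=")
    sig = hmac.new(app_secret, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(sig).rstrip(b"=") + b"." + payload).decode()

class FBFormLoginHandler(Base):
    def check_xsrf_cookie(self):
        # Facebook cannot send this site's _xsrf token, so skip the check on
        # this handler only; the HMAC on signed_request authenticates the POST.
        pass

    def post(self):
        try:
            data = parse_signed_request(self.get_argument("signed_request"), APP_SECRET)
        except ValueError:
            raise tornado.web.HTTPError(400)
        self.write({"algorithm": data["algorithm"]})
```

Every other handler in the application keeps Tornado's default XSRF check, because the override lives on this one class.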