Question

Facebook released a registration plugin here http://developers.facebook.com/docs/user_registration a few weeks ago.

I was wondering how can we implement this with Tornado?

I kept receiving an error: 403 POST /auth/fbform (127.0.0.1): '_xsrf' argument missing from POST

The redirect_url is http://localhost:8888/auth/fbform and the code is as follows:

class FBFormLoginHandler(BaseHandler, tornado.web.RequestHandler):
    def get(self):
        print "i'm in GET"
        print self.request
        # parse and check data
        data = _parse_signed_request(self.request['_xsrf'], "XXXXX")
        return
    def post(self):
        print "i'm in POST"
        print self.request
        # parse and check data
        data = _parse_signed_request(self.request['_xsrf'], "XXXXX")
        return

    def _parse_signed_request(signed_request, app_secret):
        print "hello in parse_signed_request"
        try:
          l = signed_request.split('.', 2)
          encoded_sig = str(l[0])
          payload = str(l[1])
        except IndexError:
          raise ValueError("'signed_request' malformed")

        sig = base64.urlsafe_b64decode(encoded_sig + "=" * ((4 - len(encoded_sig) % 4) % 4))
        data = base64.urlsafe_b64decode(payload + "=" * ((4 - len(payload) % 4) % 4))

        data = json.loads(data)

        if data.get('algorithm').upper() != 'HMAC-SHA256':
          raise ValueError("'signed_request' is using an unknown algorithm")
        else:
          expected_sig = hmac.new(app_secret, msg=payload, digestmod=hashlib.sha256).digest()

        if sig != expected_sig:
          raise ValueError("'signed_request' signature mismatch")
        else:
          return data

I do not understand which POST the error message is talking about, so I tried to use the _parse_signed_request from the get and post function.

Please enlighten me. I'm currently working from my local computer by the way.

Best Regards.


Solution

You have to disable CSRF checking on that endpoint, since the request is coming from Facebook and not your own site.

http://www.tornadoweb.org/documentation#cross-site-request-forgery-protection
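
The answer's advice as an added example (not code from the original post or from Tornado's documentation): the handler skips the XSRF check for this one endpoint and authenticates the POST with the signed_request HMAC instead, using a constant-time comparison. It is written for Python 3; the names make_app, parse_signed_request and _b64url_decode, and the assumption that Facebook posts the value in a form field called signed_request, belong to this example.

```python
import base64
import hashlib
import hmac
import json


def _b64url_decode(text):
    # The base64url segments arrive without padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_signed_request(signed_request, app_secret):
    """Return the payload dict if its HMAC-SHA256 signature verifies, else raise ValueError."""
    try:
        encoded_sig, payload = signed_request.split(".", 1)
        sig = _b64url_decode(encoded_sig)
        data = json.loads(_b64url_decode(payload))
    except ValueError as exc:  # no ".", bad base64, bad UTF-8 or bad JSON
        raise ValueError("'signed_request' malformed") from exc
    algorithm = data.get("algorithm") if isinstance(data, dict) else None
    if str(algorithm).upper() != "HMAC-SHA256":
        raise ValueError("'signed_request' is using an unknown algorithm")
    expected = hmac.new(app_secret.encode(), payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("'signed_request' signature mismatch")
    return data


def make_app(app_secret):
    import tornado.web  # imported here so the verifier above is usable without Tornado

    class FBFormLoginHandler(tornado.web.RequestHandler):
        def check_xsrf_cookie(self):
            # Facebook cannot send our _xsrf token, so skip Tornado's check on
            # this endpoint only; the signed_request HMAC authenticates the POST.
            pass

        def post(self):
            try:
                data = parse_signed_request(self.get_argument("signed_request"), app_secret)
            except ValueError:
                raise tornado.web.HTTPError(400)
            self.write({"verified_fields": sorted(data)})

    # XSRF protection stays enabled for every other handler in the application.
    return tornado.web.Application([(r"/auth/fbform", FBFormLoginHandler)],
                                   xsrf_cookies=True)
```

Every other handler keeps the `_xsrf` check; only this endpoint relies on the signature, so the app secret must never reach the client.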

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow