double-z
8/27/2011 - 1:07 AM

Facebook iframe Canvas App Authentication in node.js

Facebook iframe Canvas App Authentication in node.js

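var base64ToString = function(str) {
	// Decode a standard (padded) base64 string to text; a missing or empty input
	// decodes to "". Buffer.from replaces the deprecated `new Buffer(...)`
	// constructor (DEP0005) with identical output for string input.
	// NOTE: "ascii" strips the high bit of every byte, so any non-ASCII text in the
	// decoded payload is mangled. Kept for compatibility with existing callers;
	// switch to "utf8" if the payload can carry non-ASCII characters.
	return Buffer.from(str || "", "base64").toString("ascii");
};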

var base64UrlToString = function(str) {
	// Decode a base64url string to text: normalise the URL-safe alphabet and padding
	// to standard base64 first, then hand it to the plain base64 decoder.
	var standardBase64 = base64UrlToBase64(str);
	return base64ToString(standardBase64);
};

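var base64UrlToBase64 = function(str) {
	// Convert a base64url string (RFC 4648 §5: '-' and '_' instead of '+' and '/',
	// padding usually omitted) to standard padded base64.
	// A missing input is treated as "", matching base64ToString.
	var s = str || "";
	// Pad only up to the next multiple of 4. The previous `4 - (len % 4)` formula
	// appended four '=' when the length was already a multiple of 4, producing
	// invalid base64 (e.g. "YWJj====").
	while (s.length % 4 !== 0) {
		s += '=';
	}
	return s.replace(/-/g, '+').replace(/_/g, '/');
};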

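app.get('/fb', function(req, res) {
	// Facebook canvas apps receive `signed_request` = "<base64url signature>.<base64url JSON payload>".
	// Nothing in the payload may be trusted until the HMAC-SHA256 over the raw
	// payload string, keyed with the app secret, matches the signature.
	// `req.param()` is deprecated/removed in newer Express; read body and query directly.
	var signed_request = (req.body && req.body.signed_request) || (req.query && req.query.signed_request);
	if (typeof signed_request !== 'string' || signed_request.indexOf('.') === -1) {
		res.send('Missing or malformed signed_request');
		return;
	}
	var parts = signed_request.split('.');
	if (parts.length !== 2 || !parts[0] || !parts[1]) {
		res.send('Missing or malformed signed_request');
		return;
	}
	var payload = parts[1];

	// Malformed base64/JSON must not crash the handler.
	var data;
	try {
		data = JSON.parse(base64UrlToString(payload));
	} catch (e) {
		res.send('Malformed signed_request payload');
		return;
	}
	if (!data || typeof data !== 'object') {
		res.send('Malformed signed_request payload');
		return;
	}

	// Verify before branching on anything in `data`. Guard `algorithm` so a payload
	// without it does not throw on toUpperCase().
	if (String(data.algorithm || '').toUpperCase() !== 'HMAC-SHA256') {
		res.send('Unknown algorithm. Expected HMAC-SHA256');
		return;
	}
	// TODO: load the app secret from configuration (e.g. an environment variable)
	// instead of source control.
	var secret = 'XXXXXXXXXXXXXXXXXXXX';
	var crypto = require('crypto');
	var hmac = crypto.createHmac('sha256', secret);
	hmac.update(payload);
	var expected_sig = hmac.digest();   // raw 32 bytes
	var received_sig = Buffer.from(base64UrlToBase64(parts[0]), 'base64');
	// Length check first: timingSafeEqual throws on unequal lengths. The constant-time
	// compare keeps the comparison itself from leaking how many leading bytes matched.
	if (received_sig.length !== expected_sig.length || !crypto.timingSafeEqual(received_sig, expected_sig)) {
		// Never echo the expected signature to the client: the original response did,
		// which hands the sender a valid signature for the exact payload they just
		// forged, letting them resubmit it as any user_id.
		console.log('signed_request signature mismatch');
		res.send('Hello, this is my app! you are CHEATING!');
		return;
	}

	if (!data.user_id) {
		// TODO: send over to the authorize (OAuth dialog) URL. Until that is
		// implemented this path never answers the request.
		return;
	}
	res.send('Hello, this is my app! you passed verification and are ' + data.user_id);
});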