fail! if there is no 'code' parameter or 'fbsr_' cookie in the callback.

Includes tests for #signed_request.
2022-11-09 12:32:45 -05:00 · 2013-06-11 03:08:00 -07:00 · 2013-06-11 03:08:00 -07:00 · 867ff3680c
commit 867ff3680c
parent 9e7b85564f
2 changed files with 34 additions and 7 deletions
--- a/lib/omniauth/strategies/facebook.rb
+++ b/lib/omniauth/strategies/facebook.rb
@ -81,6 +81,18 @@ module OmniAuth
        end
      end

+      def callback_phase
+        super
+      rescue NoAuthorizationCodeError => e
+        fail!(:no_authz_code, e)
+      rescue NotImplementedError => e
+        if e.message =~ /unknown algorithm/i
+          fail!(:algo_not_impl, e)
+        else
+          raise e
+        end
+      end
+
      def request_phase
        if signed_request_contains_access_token?
          # if we already have an access token, we can just hit the
@ -205,7 +217,7 @@ module OmniAuth
        decoded_payload = MultiJson.decode(base64_decode_url(encoded_payload))

        unless decoded_payload['algorithm'] == 'HMAC-SHA256'
-          raise NotImplementedError, "unkown algorithm: #{decoded_payload['algorithm']}"
+          raise NotImplementedError, "unknown algorithm: #{decoded_payload['algorithm']}"
        end

        if valid_signature?(client.secret, decoded_hex_signature, encoded_payload)
--- a/test/test.rb
+++ b/test/test.rb
@ -379,13 +379,18 @@ module SignedRequestTests
    test 'is nil' do
      assert_nil strategy.send(:signed_request)
    end
+
+    test 'throws an error on calling build_access_token' do
+      assert_equal 'must pass either a `code` parameter or a signed request (via `signed_request` parameter or a `fbsr_XXX` cookie)',
+                   assert_raises(OmniAuth::Strategies::Facebook::NoAuthorizationCodeError) { strategy.send(:build_access_token) }.message
+    end
  end

  class CookiePresentTest < TestCase
-    def setup
-      super
+    def setup(algo = nil)
+      super()
      @payload = {
-        'algorithm' => 'HMAC-SHA256',
+        'algorithm' => algo || 'HMAC-SHA256',
        'code' => 'm4c0d3z',
        'issued_at' => Time.now.to_i,
        'user_id' => '123456'
@ -397,13 +402,18 @@ module SignedRequestTests
    test 'parses the access code out from the cookie' do
      assert_equal @payload, strategy.send(:signed_request)
    end
+
+    test 'throws an error if the algorithm is unknown' do
+      setup('UNKNOWN-ALGO')
+      assert_equal "unknown algorithm: UNKNOWN-ALGO", assert_raises(NotImplementedError) { strategy.send(:signed_request) }.message
+    end
  end

  class ParamPresentTest < TestCase
-    def setup
-      super
+    def setup(algo = nil)
+      super()
      @payload = {
-        'algorithm' => 'HMAC-SHA256',
+        'algorithm' => algo || 'HMAC-SHA256',
        'oauth_token' => 'XXX',
        'issued_at' => Time.now.to_i,
        'user_id' => '123456'
@ -415,6 +425,11 @@ module SignedRequestTests
    test 'parses the access code out from the param' do
      assert_equal @payload, strategy.send(:signed_request)
    end
+
+    test 'throws an error if the algorithm is unknown' do
+      setup('UNKNOWN-ALGO')
+      assert_equal "unknown algorithm: UNKNOWN-ALGO", assert_raises(NotImplementedError) { strategy.send(:signed_request) }.message
+    end
  end

  class CookieAndParamPresentTest < TestCase