fix calback_uri when using code from signed request in cookie

lib/omniauth/strategies/facebook.rb

@@ -1,4 +1,6 @@
 require 'omniauth/strategies/oauth2'
+require 'base64'
+require 'openssl'
 
 module OmniAuth
   module Strategies
@@ -66,12 +68,18 @@ module OmniAuth
       end
 
       def build_access_token
-        with_code(request.params['code'] || signed_request && signed_request['code']) do
+        with_authorization_code { super }.tap do |token|
-          super.tap do |token|
+          token.options.merge!(access_token_options)
-            token.options.merge!(access_token_options)
-          end
         end
       end
+      
+      # NOTE if we're using code from the signed request cookie
+      # then FB sets the redirect_uri to '' during the authorize
+      # phase + it must match during the access_token phase:
+      # https://github.com/facebook/php-sdk/blob/master/src/base_facebook.php#L348
+      def callback_url
+        @authorization_code_from_cookie ? '' : super
+      end
 
       def access_token_options
         options.access_token_options.inject({}) { |h,(k,v)| h[k.to_sym] = v; h }
@@ -93,13 +101,21 @@ module OmniAuth
       
       private
       
-      def with_code(code)
+      # picks the authorization code in order, from:
-        original_code = request.params['code']
+      # 1. the request param
-        begin
+      # 2. a signed cookie
-          request.params['code'] = code
+      def with_authorization_code
+        if request.params.key?('code')
           yield
-        ensure
+        else code_from_cookie = signed_request && signed_request['code']
-          request.params['code'] = original_code
+          request.params['code'] = code_from_cookie
+          @authorization_code_from_cookie = true
+          begin
+            yield
+          ensure
+            request.params.delete('code')
+            @authorization_code_from_cookie = false
+          end
         end
       end