Verifying Facebook Graph API Calls

Verification with appsecret_proof can be used: See https://developers.facebook.com/docs/graph-api/securing-requests

diff --git a/tornado/auth.py b/tornado/auth.py
index 05ac3d1ee7de5330e85e435cf2da783636345285..3062ee366f09a841817f9002d9ef3f87a5d14318 100644 (file)
--- a/tornado/auth.py
+++ b/tornado/auth.py
@@ -996,6 +996,9 @@ class FacebookGraphMixin(OAuth2Mixin):
             callback=functools.partial(
                 self._on_get_user_info, future, session, fields),
             access_token=session["access_token"],
+            appsecret_proof=hmac.new(key=client_secret.encode('utf8'),
+                msg=session["access_token"].encode('utf8'),
+                digestmod=hashlib.sha256).hexdigest()
             fields=",".join(fields)
         )