From: malcm Date: Fri, 11 Mar 2016 13:11:45 +0000 (+0100) Subject: Verifying Facebook Graph API Calls X-Git-Tag: v4.4.0b1~43^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1661%2Fhead;p=thirdparty%2Ftornado.git Verifying Facebook Graph API Calls Verification with appsecret_proof can be used: See https://developers.facebook.com/docs/graph-api/securing-requests
---
diff --git a/tornado/auth.py b/tornado/auth.py
index 05ac3d1ee..3062ee366 100644
--- a/tornado/auth.py
+++ b/tornado/auth.py
@@ -996,6 +996,9 @@ class FacebookGraphMixin(OAuth2Mixin):
 callback=functools.partial(
 self._on_get_user_info, future, session, fields),
 access_token=session["access_token"],
+ appsecret_proof=hmac.new(key=client_secret.encode('utf8'),
+ msg=session["access_token"].encode('utf8'),
+ digestmod=hashlib.sha256).hexdigest()
 fields=",".join(fields)
 )
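Review bot: The last added line, `digestmod=hashlib.sha256).hexdigest()`, has no trailing comma, so the context line `fields=",".join(fields)` that follows makes the call a syntax error and `tornado/auth.py` would fail to import; it should read `digestmod=hashlib.sha256).hexdigest(),`. The proof is an HMAC-SHA256 of the access token keyed with the app secret, which is what the linked Facebook page describes, but it is attached only to this one `/me` request. Calls the application makes itself through `facebook_request` would presumably still go out without it, so a short docstring note saying that callers must add `appsecret_proof` themselves when the app requires it would help. `hmac`, `hashlib` and `client_secret` are not defined inside the hunk; the enclosing method and the module imports start outside it and should be checked.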