From ae04e81d91cd15bc16fd25013172393a8530a58d Mon Sep 17 00:00:00 2001
From: malcm
Date: Fri, 11 Mar 2016 14:11:45 +0100
Subject: [PATCH] Verifying Facebook Graph API Calls Verification with appsecret_proof can be used: See https://developers.facebook.com/docs/graph-api/securing-requests
---
 tornado/auth.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/tornado/auth.py b/tornado/auth.py
index 05ac3d1ee..3062ee366 100644
--- a/tornado/auth.py
+++ b/tornado/auth.py
@@ -996,6 +996,9 @@ class FacebookGraphMixin(OAuth2Mixin):
 callback=functools.partial(
 self._on_get_user_info, future, session, fields),
 access_token=session["access_token"],
+ appsecret_proof=hmac.new(key=client_secret.encode('utf8'),
+ msg=session["access_token"].encode('utf8'),
+ digestmod=hashlib.sha256).hexdigest()
 fields=",".join(fields)
 )

-- 2.47.2
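Review bot: The last added line, `digestmod=hashlib.sha256).hexdigest()`, has no trailing comma, so the following `fields=",".join(fields)` argument makes the call a syntax error and `tornado/auth.py` will not import; it should read `digestmod=hashlib.sha256).hexdigest(),`. The patch touches only these three lines, so `hmac`, `hashlib` and `client_secret` must already be in scope in the enclosing method, which starts outside the hunk; that is worth confirming before merge. A one-line comment above the argument, such as `# appsecret_proof: HMAC-SHA256 of the access token keyed with the app secret (Facebook "Securing Graph API Requests")`, would tell readers why the secret is used here. The proof is attached only to this one request, so applications that enable Facebook's require-proof setting would presumably still have to add it to their own `facebook_request` calls, which the docstring could mention.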