if respond_to?(:require_relative, true) require_relative 'common' else require File.dirname(__FILE__) + '/common' end describe RestGraph do it 'would return nil if parse error, but not when call data directly' do rg = RestGraph.new rg.parse_cookies!({}).should == nil rg.data .should == {} end it 'would extract correct access_token or fail checking sig' do access_token = '1|2-5|f.' app_id = '1829' secret = app_id.reverse sig = '398262caea8442bd8801e8fba7c55c8a' fbs = "access_token=#{CGI.escape(access_token)}&expires=0&" \ "secret=abc&session_key=def-456&sig=#{sig}&uid=3" check = lambda{ |token, fbs| http_cookie = "__utma=123; __utmz=456.utmcsr=(d)|utmccn=(d)|utmcmd=(n); " \ "fbs_#{app_id}=#{fbs}" rg = RestGraph.new(:app_id => app_id, :secret => secret) rg.parse_rack_env!('HTTP_COOKIE' => http_cookie). should.kind_of?(token ? Hash : NilClass) rg.access_token.should == token rg.parse_rack_env!('HTTP_COOKIE' => nil).should == nil rg.data.should == {} rg.parse_cookies!({"fbs_#{app_id}" => fbs}). should.kind_of?(token ? Hash : NilClass) rg.access_token.should == token rg.parse_fbs!(fbs). should.kind_of?(token ? Hash : NilClass) rg.access_token.should == token } check.call(access_token, fbs) check.call(access_token, "\"#{fbs}\"") fbs << '&inject=evil"' check.call(nil, fbs) check.call(nil, "\"#{fbs}\"") end it 'would not pass if there is no secret, prevent from forgery' do rg = RestGraph.new rg.parse_fbs!('"feed=me&sig=bddd192cf27f22c05f61c8bea24fa4b7"'). should == nil end it 'would parse json correctly' do rg = RestGraph.new rg.parse_json!('bad json').should == nil rg.parse_json!('{"no":"sig"}').should == nil rg.parse_json!('{"feed":"me","sig":"bddd192cf27f22c05f61c8bea24fa4b7"}'). should == nil rg = RestGraph.new(:secret => 'bread') rg.parse_json!('{"feed":"me","sig":"20393e7823730308938a86ecf1c88b14"}'). should == {'feed' => 'me', 'sig' => "20393e7823730308938a86ecf1c88b14"} end it 'would parse signed_request' do secret = 'aloha' json = {'ooh' => 'dir', 'moo' => 'bar'}.to_json encode = lambda{ |str| [str].pack('m').tr("\n=", '').tr('+/', '-_') } json_encoded = encode[json] sig = OpenSSL::HMAC.digest('sha256', secret, json_encoded) signed_request = "#{encode[sig]}.#{json_encoded}" rg = RestGraph.new(:secret => secret) rg.parse_signed_request!(signed_request) rg.data['ooh'].should == 'dir' rg.data['moo'].should == 'bar' signed_request = "#{encode[sig[0..-4]+'bad']}.#{json_encoded}" rg.parse_signed_request!(signed_request).should == nil end end