
ronald martinez committed 95a5269

ok


Files changed (1)

controllers/user.py

 facebook = Facebook()
 
 
-class Authorize(BaseHandler):
+class Authorize2(BaseHandler):
 
     def check_xsrf_cookie(self):
         pass
             settings.FACEBOOK_API_SECRET
         )
 
-        oauth_state = self.get_cookie('oauth_state')
-
-        state = self.get_argument('state', None)
-        code = self.get_argument('code', None)
-
-        if not code:
-            state = hashlib.md5(str(random.random())).hexdigest()
-            self.set_cookie('oauth_state', state)
-            self.finish(facebook.authorize_permission(redirect, state))
-        else:
-            if oauth_state != state:
-                logging.error('atack ccrf')
-            else:
-                access_token = facebook.get_access_token_code(code, redirect)
-                logging.info('access_token: %s' % access_token)
-        return
-
         if not 'user_id' in user_data_facebook:
             self.finish(facebook.authorize_permission(redirect))
         else:
 
             self.redirect(self.reverse_url(redirect))
 
+
+class Authorize(BaseHandler):
+
+    def check_xsrf_cookie(self):
+        pass
+
+    def post(self, redirect):
+
+        user_data_facebook = facebook.parse_signed_request(
+            self.get_argument('signed_request', None),
+            settings.FACEBOOK_API_SECRET
+        )
+
+        oauth_state = self.get_cookie('oauth_state')
+        state = self.get_argument('state', None)
+        code = self.get_argument('code', None)
+
+        if not 'user_id' in user_data_facebook or not code:
+        #if not code:
+            state = hashlib.md5(str(random.random())).hexdigest()
+            self.set_cookie('oauth_state', state)
+            self.finish(facebook.authorize_permission(redirect, state))
+        else:
+            if oauth_state != state:
+                logging.error('attack')
+            else:
+                access_token = facebook.get_access_token_code(code, redirect)
+                logging.info('access_token: %s' % access_token)
+
+                user_data = {
+                    'user_id': user_data_facebook['user_id'],
+                    'access_token': access_token,
+                }
+
+                data = cPickle.dumps(user_data, -1)
+                self.set_secure_cookie('user', data)
+
+                user = Session.query(User).filter_by(
+                    fbid=user_data_facebook.get('user_id'))
+
+                if not user.first():
+                    self.add_user(user_data)
+                else:
+
+                    user.update({'access_token': access_token})
+                    logging.info('update user')
+
+                self.redirect(self.reverse_url(redirect))
+
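Review bot: The state check at `if oauth_state != state:` passes when both values are absent, because `get_cookie` and `get_argument(..., None)` both yield None, so a request that carries only `code` skips the anti-CSRF comparison entirely, and the mismatch branch only logs — it never ends the request, so `post` falls through without sending a response. Make the check `if not oauth_state or oauth_state != state: raise HTTPError(403)` (HTTPError is already used in this file) and clear the `oauth_state` cookie once it has been consumed so each state value is single-use. `hashlib.md5(str(random.random())).hexdigest()` is not a suitable source for an anti-CSRF token; `binascii.hexlify(os.urandom(16))` gives an unpredictable value (imports go at the top of the file), and the cookie should be set with `httponly=True` and, behind TLS, `secure=True`. `logging.info('access_token: %s' % access_token)` writes a live bearer token into the log; log only that a token was obtained. Storing `cPickle.dumps(user_data, -1)` in the 'user' secure cookie means whatever reads it back must unpickle client-supplied bytes, relying on the cookie signature alone — the reader is outside this hunk, but a JSON payload would remove that dependency.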
     def add_user(self, session):
 
         data = facebook.get_info(
 
         if 'error' in data:
             if data.get('error').get('type') == 'OAuthException':
-                if data.get('error').get('error_subcode') == 463:
-                    # https://developers.facebook.com/
-                    # docs/reference/api/errors/
-                    self.finish(
-                        facebook.window_authorize_location('list_friends'))
+                #if data.get('error').get('error_subcode') == 463:
+                # https://developers.facebook.com/
+                # docs/reference/api/errors/
+                self.finish(
+                    facebook.window_authorize_location('list_friends'))
             else:
                 raise HTTPError(500)
         else: