nov/fb_graph_sample

OAuth IFrame Canvas Apps Issue on Lookup of "authenticate" method in lib/authentication.rb

ephekt opened this issue · 4 comments

Hi Nov,

Been chugging through porting my Rails 2.5 FacebookER app to your Rails 3 Open Graph library & I've come across a pretty subtle but disabling bug in line 13 of authentication.rb:

12: def current_user
13: @current_user ||= Facebook.find_by_id(session[:current_user])
14: rescue ActiveRecord::RecordNotFound
15: nil
16: end

The issue on line 13 is that we're trying to look up by id, but the id coming through from the Facebook controller's user being passed into the function is 1. Thus, every user who attempts to access my application is being looked up by user id 1. I set up the application and thus I was able to access the application because I was the first user, and somehow it always pulled down my information (maybe by a cookie or something). However, a second, third, or fourth user from a different machine would be put into an endless loop trying to authenticate. Changing line 13 to:

12: def current_user
13: @current_user ||= Facebook.find_by_identifier(session[:current_user])
14: rescue ActiveRecord::RecordNotFound
15: nil
16: end

and modifying the controller methods to use the identifier:

def require_authentication
  authenticate Facebook.find_by_identifier(session[:current_user])
rescue Unauthorized => e
  redirect_to root_url and return false
end

def authenticate(user)
  raise Unauthorized unless user
  session[:current_user] = user.identifier
end

solved the issue for me. My hunch is that this app worked for the first user (either JS or OAuth authentication), but was never tested with a second machine that would try to load a user of id 1 with an access token that wouldn't authenticate... I could be wrong. I'm new to Rails 3 and FbGraph, but I'm just hoping this will help someone else if they have a problem like mine.

I can put together a patch, but not too sure on how tests work for this app & if my findings are novel or not. Let me know. Thanks!
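The report above turns on one invariant of session-backed authentication: whatever value `authenticate` writes into `session[:current_user]` must be looked up by the same column in `current_user`. The following is an added example, not code from nov/fb_graph_sample or from the reporter; it models the two helpers with an in-memory table instead of ActiveRecord (the names `FakeFacebookUser`, `FakeUserTable`, `SessionAuth` and the sample users are all constructed for illustration) and shows the two failure modes a store/lookup key mismatch produces: a user whose Facebook identifier does not exist as a primary key gets `nil` back (the redirect loop the report describes), and a user whose identifier happens to equal someone else's primary key is silently logged in as that other account.

```ruby
# Added example (not the project's code): session-backed current_user lookup
# with a configurable store key and lookup key, so the mismatch is visible.

class Unauthorized < StandardError; end

# Stand-in for the Facebook model: primary key `id` plus the Facebook user id
# `identifier` (a string, as returned by the Graph API).
FakeFacebookUser = Struct.new(:id, :identifier, :name)

# In-memory replacement for the ActiveRecord finders used in the issue.
class FakeUserTable
  def initialize(users)
    @users = users
  end

  def find_by_id(id)
    return nil if id.nil?
    @users.find { |u| u.id == id.to_i }
  end

  def find_by_identifier(identifier)
    return nil if identifier.nil?
    @users.find { |u| u.identifier == identifier.to_s }
  end
end

# Constructed sample data. The third user's Facebook identifier deliberately
# collides with the owner's primary key to expose the cross-account case.
USERS = FakeUserTable.new([
  FakeFacebookUser.new(1, "100001", "owner"),
  FakeFacebookUser.new(2, "100002", "second"),
  FakeFacebookUser.new(3, "1",      "third"),
])

# Minimal model of the controller helpers: `store_key` is the column written
# into the session by authenticate, `lookup_key` the finder used by current_user.
class SessionAuth
  attr_reader :session

  def initialize(table, store_key:, lookup_key:)
    @table = table
    @store_key = store_key
    @lookup_key = lookup_key
    @session = {}
    @current_user = nil
  end

  def authenticate(user)
    raise Unauthorized unless user
    @session[:current_user] = user.public_send(@store_key)
  end

  def current_user
    @current_user ||= lookup(@session[:current_user])
  end

  private

  def lookup(value)
    case @lookup_key
    when :id         then @table.find_by_id(value)
    when :identifier then @table.find_by_identifier(value)
    else raise ArgumentError, "unknown lookup key #{@lookup_key.inspect}"
    end
  end
end

# Store and look up by the same column: the logged-in user comes back.
def consistent_login(user)
  auth = SessionAuth.new(USERS, store_key: :identifier, lookup_key: :identifier)
  auth.authenticate(user)
  auth.current_user
end

# Store the identifier but look up by primary key: nil for most users
# (redirect loop), or a different account when the values collide.
def mismatched_login(user)
  auth = SessionAuth.new(USERS, store_key: :identifier, lookup_key: :id)
  auth.authenticate(user)
  auth.current_user
end

if __FILE__ == $PROGRAM_NAME
  puts "consistent, second:  #{consistent_login(USERS.find_by_id(2))&.name.inspect}"
  puts "mismatched, second:  #{mismatched_login(USERS.find_by_id(2))&.name.inspect}"
  puts "mismatched, third:   #{mismatched_login(USERS.find_by_id(3))&.name.inspect}"
end
```

The second failure mode is the one worth a test in a real app: a lookup-by-id against a session value that was stored as a Facebook identifier does not just fail, it can resolve to whichever local account's primary key matches the digits, so the fix is to store and look up by one column and to assert that in a controller test with at least two users.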

nov commented

Umm, I couldn't repeat the issue.
Does it occur only in iframe apps?

ephekt commented

After stepping through the logic more, I am not able to reproduce conceptually the issue I encountered. I'm going to try and build a test for this and see if I can reproduce the issue, but I'm thinking this is a mistake on my end. Closing the issue and calling this "my bad." Hopefully I run into the error again so I can try and solve what may have been the root cause. Thanks for your prompt replies.

nov commented

I see.
Then I close this issue for now.

nov commented

ah, you already closed :p