Skip to content

Pass appsecret_proof as a query string parameter as it maybe be ignored if passed in as a body parameter #1073

New issue
New issue
Open
Open
Pass appsecret_proof as a query string parameter as it maybe be ignored if passed in as a body parameter#1073
@kullfar

Description

@kullfar
kullfar
opened on Sep 29, 2024

Specifically for some POST requests in current implementation we get API calls from the server require an appsecret_proof argument response. Some POST endpoints will send the HTTP body with form encoded data, which would mean the body parameters are ignored.

Tangibly related it may be worth also implementing it following https://developers.facebook.com/docs/facebook-login/security/#proof (using timestamp in proof computation is not enforced but recommended by FB)

  // See https://developers.facebook.com/docs/facebook-login/security/#proof
  var appsecretTime = TimeUnit.MILLISECONDS.toSeconds(System.currentTimeMillis());
  final String appsecretProofPlain = accessToken + "|" + appsecretTime;
  for (byte b : mac.doFinal(appsecretProofPlain.getBytes())) {
    appsecretProof.format("%02x", b);
  }
  request.addQuerystringParameter("appsecret_proof", appsecretProof.toString());
  request.addQuerystringParameter("appsecret_time", String.valueOf(appsecretTime));

image

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions