Last active
April 21, 2021 12:16
-
-
Save flyingdogz/4bf1e9a599322aae35fcd6389443ad79 to your computer and use it in GitHub Desktop.
Example implementation of Facebook Data Deletion Callback in Python
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import base64 | |
import hashlib | |
import hmac | |
import json | |
from flask import Flask, jsonify, request | |
app = Flask(__name__) | |
def parse_fb_signed_request(signed_request): | |
encoded_sig, payload = signed_request.split('.', 2) | |
secret = '<your_fb_app_secret>' | |
encoded_sig = encoded_sig.encode('ascii') | |
payload = payload.encode('ascii') | |
encoded_sig += "=" * ((4 - len(encoded_sig) % 4) % 4) | |
payload += "=" * ((4 - len(payload) % 4) % 4) | |
sig = base64.urlsafe_b64decode(encoded_sig) | |
data = json.loads(base64.urlsafe_b64decode(payload)) | |
# check the signature | |
expected_sig = hmac.new(secret, payload, hashlib.sha256).digest() | |
if not hmac.compare_digest(expected_sig,sig): | |
return None | |
else: | |
return data | |
@app.route('/') | |
def hello_world(): | |
return 'Hello World!' | |
# https://developers.facebook.com/docs/apps/delete-data | |
@app.route('/fb/ddc', methods= ['POST']) | |
def data_deletion_callback(): | |
signed_request = request.form.get('signed_request') | |
data = parse_fb_signed_request(signed_request) | |
# do data deletion stuff here using the data above | |
# return tracking url and code to FB | |
return jsonify({ | |
'url': 'https://example.com/1234', | |
'confirmation_code': '1234' | |
}) | |
if __name__ == '__main__': | |
app.run() |
I also had issues, but this worked:
def parse_signed_request(signed_request: str, secret: str):
encoded_sig, payload = signed_request.split(".", 2)
original_payload = payload
encoded_sig += "=" * ((4 - len(encoded_sig) % 4) % 4)
payload += "=" * ((4 - len(payload) % 4) % 4)
sig = base64.urlsafe_b64decode(encoded_sig)
data = json.loads(base64.urlsafe_b64decode(payload))
# check the signature
expected_sig = hmac.new(
secret.encode("ascii"), original_payload.encode("ascii"), hashlib.sha256
).digest()
if not hmac.compare_digest(expected_sig, sig):
raise Exception(
"Unauthenticated attempt to delete facebook data: Invalid signature"
)
else:
return data
what would be the request here?
what is signed_request?
what would be the response?
Please explain the code
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
check the signature something wrong for me.