Post-Remove Callback URL

From Facebook Developer Wiki


Overview

The Post-Remove URL is briefly described in Creating a Platform Application. Facebook pings this URL when a user removes your application from his or her "My Applications" page. Facebook's servers POST several fields back to this URL along with a signature.

This URL cannot be your application's canvas page or a Facebook-framed page, since removing an application means the user is no longer using it within Facebook. The user does not see any content you display in this page.

POST Parameters of Ping

The following fields are sent to your Post-Remove URL in the form of a POST request. The user removing your application will not be redirected to this URL. Facebook's servers send this request in the background.

| Type | Name | Description |
|---|---|---|
| int | fb_sig_uninstall | Set to 1 to indicate the user is removing your application. |
| string | fb_sig_time | A UNIX timestamp indicating when the removal occurred (e.g. 1187756160.7131). |
| int | fb_sig_user | The uid of the person who is removing your application (e.g. 609143784). |
| string | fb_sig_app_id | The application ID of your application that is being removed. |
| string | fb_sig_api_key | The api_key of your application that is being removed. |
| int | fb_sig_added | This parameter is returned with a value of 0, indicating that the application has been removed. |
| string | fb_sig_linked_account_ids | JSON-encoded array of linked account ids that were set with Connect.registerUsers. If you have previously registered a user's email address, and that user then de-authorizes your Connect application, your ping will include the corresponding set of linked ids for that user. |
| string | fb_sig | The signature of the POST. Facebook uses the same signing process that your application uses to make requests to Facebook, except that it strips the fb_sig_ prefix from variable names when creating the signature. |

PHP Example of Verification

The PHP client does all the work for you automatically as soon as you instantiate a Facebook object:

    $facebook = new Facebook($apikey, $secret);
    $user = $facebook->get_loggedin_user();
    if ($user != NULL && $facebook->fb_params['uninstall'] == 1) {
        // The user has removed your app
    }

  • Facebook sends the arguments via a POST.
  • Facebook does not include the fb_sig prefix when calculating the signature of the request.
  • Your calculated signature and the signature they POST to your script should match up.
  • You can use the fb_sig_user, fb_sig_session_key and fb_sig_api_key to look up which user is removing your application.


If you don't want to use the PHP client, you can do it yourself as follows:

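    <?php
    $secret = 'YOURAPPSSECRETHERE';
    $sig = '';

    // Sort by parameter name so the fields are concatenated in the order Facebook signed them
    ksort($_POST);
    foreach ($_POST as $key => $val) {
        // Only fb_sig_* fields are signed, and the prefix is stripped from each name
        if (substr($key, 0, 7) == 'fb_sig_') {
            $sig .= substr($key, 7) . '=' . $val;
        }
    }
    $sig .= $secret;
    $verify = md5($sig);

    // Compare as strings in constant time (hash_equals needs PHP 5.6+); a loose ==
    // treats two different digests of the form "0e<digits>" as equal numbers
    if (isset($_POST['fb_sig']) && is_string($_POST['fb_sig'])
            && hash_equals($verify, $_POST['fb_sig'])) {
        // Update your database to note that fb_sig_user has removed your application
    } else {
        // Log the IP and request for future reference
    }
    ?>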

Pseudocode Example of Verification

See notes in PHP Example of Verification for information about the POST variables.

    variable secretkey = 'APPLICATION SECRET KEY'
    variable signature = ''

    sort_by_key (POST ARRAY)
    for every element in POST ARRAY where key is the keyname and value is the contents {
        if key starts with 'fb_sig_' then
            append to signature (keyname after and including character 7)
            append to signature '='
            append to signature value
        end if
    }
    append to signature secretkey
    var verify = md5 hash of signature

    if (verify is equal to the fb_sig submitted by POST) then
        // Update your database to note that fb_sig_user has removed your application
    else
        // Log the IP and request for future reference
    end if
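
The signing scheme above, worked through from both sides in plain Ruby as an added example (not code from this wiki, the PHP client or rfacebook): it signs a constructed ping the way the page describes and then verifies it, rejecting a missing or tampered signature. The method names, the placeholder secret and api_key, and the 300-second freshness window on fb_sig_time are assumptions made for the example.

```ruby
require 'digest/md5'

MAX_AGE = 300 # seconds; assumed replay window, not a value from the page

# Base string: every fb_sig_* field, prefix stripped, sorted by name,
# joined as name=value with no separator, then the application secret.
def ping_signature(params, secret)
  signed = params.select { |k, _| k.to_s.start_with?('fb_sig_') }
  base = signed.map { |k, v| [k.to_s[7..-1], v.to_s] }.sort
               .map { |name, value| "#{name}=#{value}" }.join
  Digest::MD5.hexdigest(base + secret)
end

# Constant-time comparison so response timing does not reveal how many
# leading characters of a guessed signature were correct.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns :ok, or the reason the ping was rejected.
def check_ping(params, secret, api_key, now = Time.now.to_f)
  sent = params['fb_sig']
  return :missing_signature unless sent.is_a?(String)
  return :bad_signature unless secure_equal?(ping_signature(params, secret), sent)
  # Checks below only run on authenticated fields.
  return :wrong_app unless params['fb_sig_api_key'] == api_key
  return :not_uninstall unless params['fb_sig_uninstall'].to_s == '1'
  return :stale unless (now - params['fb_sig_time'].to_f).abs <= MAX_AGE
  :ok
end

# Constructed sample ping; secret and api_key are placeholders.
SECRET = 'example-secret'
API_KEY = 'example-api-key'
PING = {
  'fb_sig_uninstall' => '1', 'fb_sig_time' => '1187756160.7131',
  'fb_sig_user' => '609143784', 'fb_sig_api_key' => API_KEY,
  'fb_sig_added' => '0'
}
PING['fb_sig'] = ping_signature(PING, SECRET)
```

Only act on fb_sig_user after check_ping returns :ok; a request that fails is the one to log, as the PHP example does.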


Rails Example of Verification

  • As of this writing (2/20/08), the rfacebook plugin does not seem to provide a way to handle removals (easily). Please update this section if I am mistaken.

In this example, to handle removals in your rails app we will use the post-remove URL of 'foo.yourapp.com/uninstalled'.

In your application.rb, you probably have something like:

    before_filter :require_facebook_install
    before_filter :require_facebook_login


First, add "require 'digest/md5'" to your environment.rb or the top of application.rb.

Next change your application.rb to something like:

    before_filter :require_facebook_install, :except => [:uninstalled]
    before_filter :require_facebook_login, :except => [:uninstalled]

    # Before Filter on *only* the 'uninstalled' method
    before_filter :verify_uninstall_signature, :only => [:uninstalled]

    # Note: it's important this method is *above* the 'protected' definition, since it needs to be called directly
    def uninstalled
      @fb_uid = params[:fb_sig_user]

      # From here on it will be app specific -- given the facebook uid, destroy the user, like...
      @user = User.find_by_fb_uid(@fb_uid)
      @user.destroy if @user

      render :nothing => true; return
    end

    protected
    ...


Next, in your 'protected' section, add the following method which roughly corresponds to the PHP / pseudocode above:

    def verify_uninstall_signature
      signature = ''
      keys = params.keys.sort
      keys.each do |key|
        next if key == 'fb_sig'
        # Only parameters whose names start with 'fb_sig_' are part of the signature
        next unless key[0, 7] == 'fb_sig_'
        # Strip the leading 'fb_sig_' prefix only
        key_name = key[7..-1]
        signature += key_name
        signature += '='
        signature += params[key].to_s
      end
      signature += FACEBOOK['secret']
      calculated_sig = Digest::MD5.hexdigest(signature)

      #logger.info "\nUNINSTALL :: Signature (fb_sig param from facebook) :: #{params[:fb_sig]}"
      # The pre-hash string ends with the application secret; keep the next line disabled outside local debugging
      #logger.info "\nUNINSTALL :: Signature String (pre-hash) :: #{signature}"
      #logger.info "\nUNINSTALL :: MD5 Hashed Sig :: #{calculated_sig}"

      if calculated_sig != params[:fb_sig]
        #logger.warn "\n\nUNINSTALL :: WARNING :: expected signatures did not match\n\n"
        return false
      else
        #logger.warn "\n\nUNINSTALL :: SUCCESS!! Signatures matched.\n"
      end
      return true
    end


I'm going to forward this snippet on to the rfacebook maintainers in case it would be of any help having it in the plugin. -SB

Also, you might have to add this entry to your config/routes.rb file:

map.connect 'uninstalled', :controller => 'application', :action => 'uninstalled'

