Post-Remove URL

From Facebook Developer Wiki

Jump to: navigation, search

Contents

[edit] Overview

The Post-Remove URL is briefly described here. This URL is pinged when a person removes your application from their applications on their "My Applications" page. Facebook's servers will POST several fields back to this URL along with a signature.

[edit] POST Parameters of Ping

The following fields are sent to your Post-Remove URL in the form of a POST request. The user removing your application will not be redirected to this URL. Facebook's servers send this request in the background.

Type Name Description
int fb_sig_uninstall Set to 1 to indicate the user is removing your application
string fb_sig_time A UNIX timestamp indicating when the removal occurred (e.g. 1187756160.7131)
int fb_sig_user The uid of the person who is removing your application (e.g. 609143784)
string fb_sig_app_id The application ID of your application that is being removed.
string fb_sig_api_key The api_key of your application that is being removed.
int fb_sig_added This parameter is returned with a value of 0, indicating that the application has been removed.
string fb_sig_linked_account_ids JSON-encoded array of linked account ids that were set with Connect.registerUsers. If you have previously registered a user's email address, and that user then de-authorizes your Connect application, then your ping will include the corresponding set of linked ids for that user.
string fb_sig This is the signature of the POST. Facebook uses the same signing process that your application uses to make requests to Facebook. With the exception that it truncates fb_sig_ from variable names when creating the signature.

[edit] PHP Example of Verification

The PHP client does all the work for you automatically as soon as you instantiate a Facebook object:

$facebook = new Facebook($apikey, $secret); $user = $facebook->get_loggedin_user(); if ($user != NULL && $facebook->fb_params['uninstall'] == 1) { //The user has removed your app }
  • Facebook sends the arguments via a POST.
  • Facebook does not include the fb_sig prefix when calculating the signature of the request.
  • Your calculated signature and the signature they POST to your script should match up.
  • You can use the fb_sig_user, fb_sig_session_key and fb_sig_api_key to look up which user is removing your application.


If you don't want to use the PHP client, you can do it yourself as follows:

<?php $secret = 'YOURAPPSSECRETHERE'; $sig = ''; ksort($_POST); foreach ($_POST as $key => $val) { if (substr($key, 0, 7) == 'fb_sig_') { $sig .= substr($key, 7) . '=' . $val; } } $sig .= $secret; $verify = md5($sig); if ($verify == $_POST['fb_sig']) { // Update your database to note that fb_sig_user has removed your application } else { // Log the IP and request for future reference } ?>

[edit] Pseudocode Example of Verification

See notes in PHP Example of Verification for information about the POST variables.

variable secretkey = 'APPLICATION SECRET KEY' variable signature = '' sort_by_key (POST ARRAY) for every element in POST ARRAY where key is the keyname and value is the contents { if key starts with 'fb_sig_' then append to signature (keyname after and including character 7) append to signature '=' append to signature value end if } append to signature secretkey var verify = md5 hash of signature if (verify is equal to the fb_sig submitted by POST) then // Update your database to note that fb_sig_user has removed your application else // Log the IP and request for future reference end if


[edit] Rails Example of Verification

  • As of this writing (2/20/08), the rfacebook plugin does not seem to provide a way to handle removals (easily). Please update this section if I am mistaken.

In this example, to handle removals in your rails app we will use the post-remove URL of 'foo.yourapp.com/uninstalled'.

In your application.rb, you probably have something like:

before_filter :require_facebook_install before_filter :require_facebook_login


First, add "require 'digest/md5'" to your environment.rb or the top of application.rb.

Next change your application.rb to something like:

before_filter :require_facebook_install, :except => [:uninstalled] before_filter :require_facebook_login, :except => [:uninstalled] # Before Filter on *only* the 'uninstalled' method before_filter :verify_uninstall_signature, :only => [:uninstalled] # Note: it's important this method is *above* the 'protected' definition, since it needs to be called directly def uninstalled @fb_uid = params[:fb_sig_user] # From here on it will be app specific -- given the facebook uid, destroy the user, like... @user = User.find_by_fb_uid(@fb_uid) @user.destroy if @user render :nothing => true; return end protected ...


Next, in your 'protected' section, add the following method which roughly corresponds to the PHP / pseudocode above:

def verify_uninstall_signature signature = '' keys = params.keys.sort keys.each do |key| next if key == 'fb_sig' next unless key.include?('fb_sig') key_name = key.gsub('fb_sig_', '') signature += key_name signature += '=' signature += params[key] end signature += FACEBOOK['secret'] calculated_sig = Digest::MD5.hexdigest(signature) #logger.info "\nUNINSTALL :: Signature (fb_sig param from facebook) :: #{params[:fb_sig]}" #logger.info "\nUNINSTALL :: Signature String (pre-hash) :: #{signature}" #logger.info "\nUNINSTALL :: MD5 Hashed Sig :: #{calculated_sig}" if calculated_sig != params[:fb_sig] #logger.warn "\n\nUNINSTALL :: WARNING :: expected signatures did not match\n\n" return false else #logger.warn "\n\nUNINSTALL :: SUCCESS!! Signatures matched.\n" end return true end


I'm going to forward this snippet on to the rfacebook maintainers in case it would be of any help having it in the plugin. -SB

Also, you might have to add this entry to your config/routes.rb file:

map.connect 'uninstalled', :controller => 'application', :action => 'uninstalled'


[edit] See Also

Retrieved from "http://wiki.developers.facebook.com/index.php/Post-Remove_URL"
reference