From faf4a12adc31c1c93a7f50ef5713ecb161775b75 Mon Sep 17 00:00:00 2001
From: Stian Prestholdt
Date: Tue, 21 Oct 2014 13:52:39 +0200
Subject: [PATCH] Add Python 3 support for FacebookAuthorization.parse_signed_data

`json.loads` was expecting a string, but in python 3 `base64decode()` return bytes and that is why it bugged. We fix this by making sure the decoded payload data is in string and that `hmac.new()` is provided with arguments in bytes. `open_facebook.utils.smart_str` will do that job correctly in python 2 and 3. We also use `hmac.compare_digest()` which is the preferred way to compare those kinds of data to prevent timing analysis. If not `hmac.compare_digest` is available (python 2.7.7+) then we just compare logically. Fixes #491.
---
 open_facebook/api.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/open_facebook/api.py b/open_facebook/api.py
index 8dd07090..57f9c95b 100644
--- a/open_facebook/api.py
+++ b/open_facebook/api.py
@@ -484,7 +484,9 @@ def parse_signed_data(cls, signed_request,
         expected_sig = hmac.new(smart_str(secret), msg=smart_str(payload), digestmod=hashlib.sha256).digest()
-        if not sig == expected_sig:
+        if (hasattr(hmac, 'compare_digest') and
+            not hmac.compare_digest(sig, expected_sig) or
+            sig != expected_sig):
             error_format = 'Signature %s didnt match the expected signature %s'
             error_message = error_format % (sig, expected_sig)
             send_warning(error_message)
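Review bot: The new `if` mixes `and` and `or` without parentheses, so it only reads correctly once you know `and` binds tighter, and the plain `sig != expected_sig` fallback is still evaluated after `compare_digest` reports a match rather than being used only when `compare_digest` is absent; the outcome is right, but the intent is obscured. Selecting the comparison once makes the fallback explicit: `compare = getattr(hmac, 'compare_digest', None)` / `matched = compare(sig, expected_sig) if compare else sig == expected_sig` / `if not matched:`. A one-line comment above it, `# constant-time compare where available; plain equality only on Python < 2.7.7`, would record why two paths exist. On Python 3 `hmac.compare_digest` raises TypeError when one operand is str and the other bytes, so `sig` must already be decoded to bytes to match the bytes returned by `.digest()`; that decoding is outside the hunk and worth confirming. parse_signed_data starts before the hunk and, judging by the hunk line counts, continues past it.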