I'm having some trouble authenticating users for my app. During the authentication process I get the following error:
Refused to display 'https://www.facebook.com/dialog/oauth?response_type=code&client_id=xxxxxxxx…%2Fliketodownload.xx-xxxx.com%2Fauth%2Ffacebook%2Fcallback&scope=email' in a frame because it set 'X-Frame-Options' to 'DENY'.
I think it's to do with the authentication trying to redirected to an invalid target and that's why it's getting blocked. But with Ruby and Sinatra I am unsure of how to overcome this.
Many thanks.
UPDATE
I'm not redirecting to views, of which the auth and add to page dialogs are trigged into new targets via html. Now I'm trying to figure out the logic of which to auth and redirect users appropriately.
Code below:
post '/' do
if current_user
signed_request = FBGraph::Canvas.parse_signed_request(APP_SECRET, params[:signed_request])
if signed_request["page"] != nil
is_admin = signed_request["page"]["admin"]
is_liked = signed_request["page"]["liked"]
if is_admin #if admin, see if existing user is in db, if not create, then send to admin page
puts "user is a page admin" #logging for dev
redirect '/index'
elsif is_liked #if liked send to download end point
puts "user has liked page" #logging for dev purposes
redirect '/main/#/liked'
elsif !is_liked #otherwise make them like the page
puts "user has not liked" #logging for dev purposes
redirect '/main/#/notliked'
end
else
redirect '/addtopage/#/addtopageview'
end
elsif $auth1 && !current_user
puts "post / add to page view reached"
User.first_or_create({:uid => $auth1["uid"]}, {
:uid => $auth1["uid"],
:nickname => $auth1["info"]["nickname"],
:name => $auth1["info"]["name"],
:email_address => $auth1["info"]["email"],
:created_at => Time.now})
redirect '/addtopage/#/addtopageview'
else
# we just redirect to /auth/facebook here which will parse the @signed_request FB sends us, asking for auth if the user has not already granted access, or simply moving straight to the callback where they have already granted access.
puts "post / auth me reached"
redirect '/addtopage/#/authme'
end
end
get '/auth/:provider/callback' do
content_type 'application/json'
response.set_cookie 'test', {:value => "facebook_callback", :path => "/"}
JSON.generate(request.env)
auth = request.env["omniauth.auth"]
$auth1 = auth
#need escape here to allow user to initially authorise app without the full @signed_request?
session['fb_auth'] = auth
session['fb_token'] = cookies[:fb_token] = auth['credentials']['token']
session['fb_error'] = nil
if params[:signed_request] != nil #if the signed request isn't empty
signed_request = FBGraph::Canvas.parse_signed_request(APP_SECRET, params[:signed_request])
if signed_request["page"] != nil #if the signed request contains page data
$page_id = signed_request["page"]["id"]
is_admin = signed_request["page"]["admin"]
is_liked = signed_request["page"]["liked"]
if is_admin #if admin, see if existing user is in db, if not create, then send to admin page
puts "user is a page admin" #logging for dev
User.first_or_create({:uid => auth["uid"]}, {
:uid => auth["uid"],
:nickname => auth["info"]["nickname"],
:name => auth["info"]["name"],
:email_address => auth["info"]["email"],
:created_at => Time.now})
#insert page_id into database?
redirect '/index'
elsif is_liked #if liked send to download end point
puts "user has liked page" #logging for dev purposes
redirect '/main/#/liked'
elsif !is_liked #otherwise make them like the page
puts "user has not liked" #logging for dev purposes
redirect '/main/#/notliked'
end
else #user authed app but needs to add to page
puts "add to page view"
redirect '/addtopage/#/addtopageview'
end
else
#needs to redirect to a page telling them that they must be on facebook or that they must authorise the application
redirect '/index'
end
end
helpers do
def current_user
@current_user ||= User.get(session[:user_id]) if session[:user_id]
end
end
Facebook domains can not be
iframed
except for the socials plugins, Why?for security reasons, for example let's say you're logged into Your Facebook account and I have
http://example.com/xss.html
which has aniframe
ofhttp://facebook.com
in this way I cansteal
orhi-jack
sensitive information from your account likefb_dtsg
token, same thing foroAuth Dialogs
I can set myiframe
source to to it and steal Youraccess_token
:)I hope it's clear enough why Facebook uses