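/// <summary>
/// Verifies and decodes a Facebook <c>signed_request</c> value: a signature and a JSON
/// payload, each base64-encoded (via the <c>FromBase64String</c> helper) and joined by
/// <c>s_separator</c>. The signature is checked against an HMAC-SHA256 of the still-encoded
/// payload, keyed with <c>AppSecretBytes</c>, before the payload is parsed, so only
/// authenticated input reaches the JSON parser.
/// </summary>
/// <param name="signedRequest">The raw <c>signed_request</c> string as received from Facebook.</param>
/// <returns>The decoded payload as a <see cref="JsonObject"/>.</returns>
/// <exception cref="FacebookApiException">
/// Thrown with category "Config" when the app secret is not configured, and with category
/// "Canvas" when the request is malformed, fails base64 decoding, carries a signature that
/// does not match, or declares an algorithm other than HMAC-SHA256.
/// </exception>
JsonObject ParseSignedRequest(string signedRequest)
{
    if (String.IsNullOrEmpty(_bindings.AppSecret))
        throw new FacebookApiException("Config", "AppSecret should be set");

    // A null input would otherwise surface as a NullReferenceException from Split;
    // report it the same way as any other malformed request.
    if (String.IsNullOrEmpty(signedRequest))
        throw new FacebookApiException("Canvas", "Incorrect signature format");

    string[] parts = signedRequest.Split(s_separator, 2, StringSplitOptions.RemoveEmptyEntries);
    if (parts.Length != 2)
        throw new FacebookApiException("Canvas", "Incorrect signature format");

    string encodedSignature = parts[0];
    string encodedPayload = parts[1];

    byte[] signature;
    byte[] payloadBytes;
    try
    {
        signature = FromBase64String(encodedSignature);
        payloadBytes = FromBase64String(encodedPayload);
    }
    catch (FormatException ex)
    {
        throw new FacebookApiException("Canvas", "Incorrect signature", ex);
    }

    // The HMAC is computed over the encoded payload text, which is plain ASCII.
    byte[] expectedSignature;
    using (KeyedHashAlgorithm hmac = new HMACSHA256(AppSecretBytes))
        expectedSignature = hmac.ComputeHash(Encoding.ASCII.GetBytes(encodedPayload));

    // Compare every byte regardless of where the first mismatch is, so the time taken
    // does not reveal how much of a forged signature was correct. A length mismatch is
    // folded into the same accumulator instead of being an early exit.
    int difference = expectedSignature.Length ^ signature.Length;
    int commonLength = Math.Min(expectedSignature.Length, signature.Length);
    for (int i = 0; i < commonLength; i++)
        difference |= expectedSignature[i] ^ signature[i];
    if (difference != 0)
        throw new FacebookApiException("Canvas", "Unexpected signature");

    // Only now that the payload is authenticated is it handed to the JSON parser.
    // The payload is JSON text, which is UTF-8; decoding it as ASCII would replace
    // every non-ASCII character (e.g. in user names) with '?'.
    string payload = Encoding.UTF8.GetString(payloadBytes);
    var data = JsonObject.CreateFromString(payload, Culture);

    // The payload announces its own algorithm; anything other than HMAC-SHA256 is rejected.
    // String.Equals tolerates a null on the left, so a value that does not read back as a
    // string is rejected here instead of throwing a NullReferenceException.
    // NOTE(review): a payload that is not a JSON object skips this check, as before.
    if (data.IsDictionary)
    {
        string algorithm = data.Dictionary["algorithm"].String;
        if (!String.Equals(algorithm, "HMAC-SHA256", StringComparison.OrdinalIgnoreCase))
            throw new FacebookApiException("Canvas", "Unexpected hash algorithm");
    }

    return data;
}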