From ae04e81d91cd15bc16fd25013172393a8530a58d Mon Sep 17 00:00:00 2001
From: malcm
Date: Fri, 11 Mar 2016 14:11:45 +0100
Subject: [PATCH 1/2] Verifying Facebook Graph API Calls Verification with appsecret_proof can be used: See https://developers.facebook.com/docs/graph-api/securing-requests
---
 tornado/auth.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/tornado/auth.py b/tornado/auth.py
index 05ac3d1e..3062ee36 100644
--- a/tornado/auth.py
+++ b/tornado/auth.py
@@ -996,6 +996,9 @@ class FacebookGraphMixin(OAuth2Mixin):
 callback=functools.partial(
 self._on_get_user_info, future, session, fields),
 access_token=session["access_token"],
+ appsecret_proof=hmac.new(key=client_secret.encode('utf8'),
+ msg=session["access_token"].encode('utf8'),
+ digestmod=hashlib.sha256).hexdigest()
 fields=",".join(fields)
 )
From 4063e8e5d51916af1f36af31db425cd1594d83d8 Mon Sep 17 00:00:00 2001
From: Martin Malchow
Date: Fri, 11 Mar 2016 14:29:51 +0100
Subject: [PATCH 2/2] fix missing comma
---
 tornado/auth.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tornado/auth.py b/tornado/auth.py
index 3062ee36..edc3e5eb 100644
--- a/tornado/auth.py
+++ b/tornado/auth.py
@@ -998,7 +998,7 @@ class FacebookGraphMixin(OAuth2Mixin):
 access_token=session["access_token"],
 appsecret_proof=hmac.new(key=client_secret.encode('utf8'),
 msg=session["access_token"].encode('utf8'),
- digestmod=hashlib.sha256).hexdigest()
+ digestmod=hashlib.sha256).hexdigest(),
 fields=",".join(fields)
 )
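Review bot: The `.encode('utf8')` calls in the new `appsecret_proof` argument (first hunk) assume that `client_secret` and `session["access_token"]` are both text strings; if an application passes its secret as bytes, this raises on Python 3 before the request is made. Normalising through the project's helper would accept either type, e.g. `key=escape.utf8(client_secret)` and `msg=escape.utf8(session["access_token"])`, assuming `escape` is imported in this module. The argument also deserves a short comment, such as `# appsecret_proof: HMAC-SHA256 of the access token keyed with the app secret; lets Facebook reject a stolen token used outside this server`. The enclosing method starts and ends outside the hunk, so it cannot be confirmed from here that `client_secret`, `hmac` and `hashlib` are in scope. Only this user-info call gains the proof, so other Graph calls made through the mixin would presumably still fail if the app enforces proof on the Facebook side, which is worth stating in the docs.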