.github/workflows/ci.yml

@@ -0,0 +1,25 @@
+name: Ruby
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby:
+          - "3.0"
+          - "3.1"
+          - "3.2"
+          - "3.3"
+          - head
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+        bundler-cache: true # 'bundle install' and cache
+    - name: Run tests
+      run: bundle exec rake

.github/workflows/stale.yml

@@ -17,7 +17,7 @@ jobs:
         stale-pr-message: 'This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.'
         stale-issue-label: 'no-issue-activity'
         stale-pr-label: 'no-pr-activity'
-        days-before-stale: 30
-        days-before-close: 5
+        days-before-stale: 90
+        days-before-close: 60
         exempt-pr-label: 'pinned'
         exempt-issue-label: 'pinned'

CHANGELOG.md

@@ -1,3 +1,15 @@
+## 10.0.0 (2024-05-23)
+
+Changes:
+
+  - bumped version of FB Graph API to v19.0
+
+## 9.0.0 (2021-10-25)
+
+Changes:
+
+  - bumped version of FB Graph API to v5.0
+
 ## 8.0.0 (2020-10-20)
 
 Changes:

Gemfile

@@ -2,8 +2,4 @@ source 'https://rubygems.org'
 
 gemspec
 
-gem 'rack', RUBY_VERSION < '2.2.2' ? '~> 1.6' : '>= 2.0'
-
-platforms :rbx do
-  gem 'rubysl', '~> 2.0'
-end
+gem 'rack', '>= 2.0'

README.md

@@ -39,12 +39,14 @@ You can configure several options, which you pass in to the `provider` method vi
 Option name | Default | Explanation
 --- | --- | ---
 `scope` | `email` | A comma-separated list of permissions you want to request from the user. See the Facebook docs for a full list of available permissions: https://developers.facebook.com/docs/reference/login/
-`display` | `page` | The display context to show the authentication page. Options are: `page`, `popup` and `touch`. Read the Facebook docs for more details: https://developers.facebook.com/docs/reference/dialogs/oauth/
+`display` | `page` | The display context to show the authentication page. Options are: `page`, `popup` and 
+`config_id` |  | The configuration ID to use for a System User access token with Facebook Login for Business. Read the Facebook docs for more details: https://developers.facebook.com/docs/facebook-login/facebook-login-for-business#invoke-a--login-dialog
+`touch`. Read the Facebook docs for more details: https://developers.facebook.com/docs/reference/dialogs/oauth/
 `image_size` | `square` | Set the size for the returned image url in the auth hash. Valid options include `square` (50x50), `small` (50 pixels wide, variable height), `normal` (100 pixels wide, variable height), or `large` (about 200 pixels wide, variable height). Additionally, you can request a picture of a specific size by setting this option to a hash with `:width` and `:height` as keys. This will return an available profile picture closest to the requested size and requested aspect ratio. If only `:width` or `:height` is specified, we will return a picture whose width or height is closest to the requested size, respectively.
 `info_fields` | `name,email` | Specify exactly which fields should be returned when getting the user's info. Value should be a comma-separated string as per https://developers.facebook.com/docs/graph-api/reference/user/ (only `/me` endpoint).
 `locale` |  | Specify locale which should be used when getting the user's info. Value should be locale string as per https://developers.facebook.com/docs/reference/api/locale/.
 `auth_type` | | Optionally specifies the requested authentication features as a comma-separated list, as per https://developers.facebook.com/docs/facebook-login/reauthentication/. Valid values are `https` (checks for the presence of the secure cookie and asks for re-authentication if it is not present), and `reauthenticate` (asks the user to re-authenticate unconditionally). Use 'rerequest' when you want to request premissions. Default is `nil`.
-`secure_image_url` | `false` | Set to `true` to use https for the avatar image url returned in the auth hash.
+`secure_image_url` | `true` | Set to `true` to use https for the avatar image url returned in the auth hash. SSL is mandatory as per https://developers.facebook.com/docs/facebook-login/security#surfacearea.
 `callback_url` / `callback_path` | | Specify a custom callback URL used during the server-side flow. Note this must be allowed by your app configuration on Facebook (see 'Valid OAuth redirect URIs' under the 'Advanced' settings section in the configuration for your Facebook app for more details).
 
 For example, to request `email`, `user_birthday` and `read_stream` permissions and display the authentication page in a popup window:
@@ -58,21 +60,21 @@ end
 
 ### API Version
 
-OmniAuth Facebook uses versioned API endpoints by default (current v4.0). You can configure a different version via `client_options` hash passed to `provider`, specifically you should change the version in the `site` and `authorize_url` parameters. For example, to change to v7.0 (assuming that exists):
+OmniAuth Facebook uses versioned API endpoints by default (current v19.0). You can configure a different version via `client_options` hash passed to `provider`, specifically you should change the version in the `site` and `authorize_url` parameters. For example, to change to v20.0 (assuming that exists):
 
 ```ruby
 use OmniAuth::Builder do
   provider :facebook, ENV['FACEBOOK_APP_ID'], ENV['FACEBOOK_APP_SECRET'],
     client_options: {
-      site: 'https://graph.facebook.com/v7.0',
-      authorize_url: "https://www.facebook.com/v7.0/dialog/oauth"
+      site: 'https://graph.facebook.com/v20.0',
+      authorize_url: "https://www.facebook.com/v20.0/dialog/oauth"
     }
 end
 ```
 
 ### Per-Request Options
 
-If you want to set the `display` format, `auth_type`, or `scope` on a per-request basis, you can just pass it to the OmniAuth request phase URL, for example: `/auth/facebook?display=popup` or `/auth/facebook?scope=email`.
+If you want to set the `display` format, `auth_type`, `scope` or `config_id` on a per-request basis, you can just pass it to the OmniAuth request phase URL, for example: `/auth/facebook?display=popup`, `/auth/facebook?scope=email` or `/auth/facebook?config_id=001`.
 
 ## Auth Hash
 
@@ -152,7 +154,7 @@ If you use the server-side flow, Facebook will give you back a longer lived acce
 
 ## Supported Rubies
 
-- Ruby MRI (2.3, 2.4, 2.5, 2.6)
+- Ruby MRI (3.0, 3.1, 3.2 and 3.3)
 
 ## License
 

example/Gemfile.lock

@@ -1,53 +1,74 @@
 PATH
   remote: ..
   specs:
-    omniauth-facebook (6.0.0)
-      omniauth-oauth2 (~> 1.2)
+    omniauth-facebook (10.0.0)
+      bigdecimal
+      omniauth-oauth2 (>= 1.2, < 3)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    backports (3.15.0)
-    faraday (1.0.0)
-      multipart-post (>= 1.2, < 3)
-    hashie (3.6.0)
-    jwt (2.2.1)
-    multi_json (1.14.1)
-    multi_xml (0.6.0)
-    multipart-post (2.1.1)
-    mustermann (1.1.1)
+    base64 (0.2.0)
+    bigdecimal (3.1.8)
+    faraday (2.12.0)
+      faraday-net_http (>= 2.0, < 3.4)
+      json
+      logger
+    faraday-net_http (3.3.0)
+      net-http
+    hashie (5.0.0)
+    json (2.7.2)
+    jwt (2.9.3)
+      base64
+    logger (1.6.1)
+    multi_json (1.15.0)
+    multi_xml (0.7.1)
+      bigdecimal (~> 3.1)
+    mustermann (3.0.3)
       ruby2_keywords (~> 0.0.1)
-    oauth2 (1.4.2)
-      faraday (>= 0.8, < 2.0)
+    net-http (0.4.1)
+      uri
+    oauth2 (2.0.9)
+      faraday (>= 0.17.3, < 3.0)
       jwt (>= 1.0, < 3.0)
-      multi_json (~> 1.3)
       multi_xml (~> 0.5)
-      rack (>= 1.2, < 3)
-    omniauth (1.9.0)
-      hashie (>= 3.4.6, < 3.7.0)
-      rack (>= 1.6.2, < 3)
-    omniauth-oauth2 (1.6.0)
-      oauth2 (~> 1.1)
-      omniauth (~> 1.9)
-    rack (2.1.1)
-    rack-protection (2.0.8.1)
-      rack
-    ruby2_keywords (0.0.2)
-    sinatra (2.0.8.1)
-      mustermann (~> 1.0)
-      rack (~> 2.0)
-      rack-protection (= 2.0.8.1)
+      rack (>= 1.2, < 4)
+      snaky_hash (~> 2.0)
+      version_gem (~> 1.1)
+    omniauth (2.1.2)
+      hashie (>= 3.4.6)
+      rack (>= 2.2.3)
+      rack-protection
+    omniauth-oauth2 (1.8.0)
+      oauth2 (>= 1.4, < 3)
+      omniauth (~> 2.0)
+    rack (3.1.8)
+    rack-protection (4.0.0)
+      base64 (>= 0.1.0)
+      rack (>= 3.0.0, < 4)
+    rack-session (2.0.0)
+      rack (>= 3.0.0)
+    ruby2_keywords (0.0.5)
+    sinatra (4.0.0)
+      mustermann (~> 3.0)
+      rack (>= 3.0.0, < 4)
+      rack-protection (= 4.0.0)
+      rack-session (>= 2.0.0, < 3)
       tilt (~> 2.0)
-    sinatra-contrib (2.0.8.1)
-      backports (>= 2.8.2)
-      multi_json
-      mustermann (~> 1.0)
-      rack-protection (= 2.0.8.1)
-      sinatra (= 2.0.8.1)
+    sinatra-contrib (4.0.0)
+      multi_json (>= 0.0.2)
+      mustermann (~> 3.0)
+      rack-protection (= 4.0.0)
+      sinatra (= 4.0.0)
       tilt (~> 2.0)
     sinatra-reloader (1.0)
       sinatra-contrib
-    tilt (2.0.10)
+    snaky_hash (2.0.1)
+      hashie
+      version_gem (~> 1.1, >= 1.1.1)
+    tilt (2.4.0)
+    uri (0.13.1)
+    version_gem (1.1.4)
 
 PLATFORMS
   ruby
@@ -59,4 +80,4 @@ DEPENDENCIES
   sinatra-reloader
 
 BUNDLED WITH
-   1.17.2
+   2.5.14

example/config.ru

@@ -2,7 +2,7 @@ require 'bundler/setup'
 require 'omniauth-facebook'
 require './app.rb'
 
-use Rack::Session::Cookie, secret: 'abc123'
+use Rack::Session::Cookie, secret: 'rqt2iy17g0vpkouu995r598671cihpae9mritav0yctevwqhprpr71oumzlv5c3z'
 
 use OmniAuth::Builder do
   provider :facebook, ENV['FACEBOOK_APP_ID'], ENV['FACEBOOK_APP_SECRET']

lib/omniauth/facebook/signed_request.rb

@@ -28,7 +28,7 @@ def parse_signed_request
         return if signature.nil?
 
         decoded_hex_signature = base64_decode_url(signature)
-        decoded_payload = MultiJson.decode(base64_decode_url(encoded_payload))
+        decoded_payload = JSON.parse(base64_decode_url(encoded_payload))
 
         unless decoded_payload['algorithm'] == SUPPORTED_ALGORITHM
           raise UnknownSignatureAlgorithmError, "unknown algorithm: #{decoded_payload['algorithm']}"

lib/omniauth/facebook/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module Facebook
-    VERSION = '8.0.0'
+    VERSION = '10.0.0'
   end
 end

lib/omniauth/strategies/facebook.rb

@@ -10,10 +10,11 @@ class Facebook < OmniAuth::Strategies::OAuth2
       class NoAuthorizationCodeError < StandardError; end
 
       DEFAULT_SCOPE = 'email'
+      DEFAULT_FACEBOOK_API_VERSION = 'v19.0'.freeze
 
       option :client_options, {
-        site: 'https://graph.facebook.com/v4.0',
-        authorize_url: "https://www.facebook.com/v4.0/dialog/oauth",
+        site: "https://graph.facebook.com/#{DEFAULT_FACEBOOK_API_VERSION}",
+        authorize_url: "https://www.facebook.com/#{DEFAULT_FACEBOOK_API_VERSION}/dialog/oauth",
         token_url: 'oauth/access_token'
       }
 
@@ -24,7 +25,9 @@ class NoAuthorizationCodeError < StandardError; end
 
       option :authorization_code_from_signed_request_in_cookie, nil
 
-      option :authorize_options, [:scope, :display, :auth_type]
+      option :authorize_options, [:scope, :display, :auth_type, :config_id]
+
+      option :secure_image_url, true
 
       uid { raw_info['id'] }
 
@@ -82,21 +85,21 @@ def callback_url
           ''
         else
           # Fixes regression in omniauth-oauth2 v1.4.0 by https://github.com/intridea/omniauth-oauth2/commit/85fdbe117c2a4400d001a6368cc359d88f40abc7
-          options[:callback_url] || (full_host + script_name + callback_path)
+          options[:callback_url] || (full_host + callback_path)
         end
       end
 
       def access_token_options
         options.access_token_options.inject({}) { |h,(k,v)| h[k.to_sym] = v; h }
       end
 
-      # You can pass +display+, +scope+, or +auth_type+ params to the auth request, if you need to set them dynamically.
+      # You can pass +display+, +scope+, +auth_type+ or +config_id+ params to the auth request, if you need to set them dynamically.
       # You can also set these options in the OmniAuth config :authorize_params option.
       #
       # For example: /auth/facebook?display=popup
       def authorize_params
         super.tap do |params|
-          %w[display scope auth_type].each do |v|
+          %w[display scope auth_type config_id].each do |v|
             if request.params[v]
               params[v.to_sym] = request.params[v]
             end
@@ -161,15 +164,13 @@ def image_url(uid, options)
         uri_class = options[:secure_image_url] ? URI::HTTPS : URI::HTTP
         site_uri = URI.parse(client.site)
         url = uri_class.build({host: site_uri.host, path: "#{site_uri.path}/#{uid}/picture"})
-        query = { access_token: access_token.token }
 
-        if options[:image_size].is_a?(String) || options[:image_size].is_a?(Symbol)
-          query[:type] = options[:image_size]
+        query = if options[:image_size].is_a?(String) || options[:image_size].is_a?(Symbol)
+          { type: options[:image_size] }
         elsif options[:image_size].is_a?(Hash)
-          query.merge!(options[:image_size])
+          options[:image_size]
         end
-
-        url.query = Rack::Utils.build_query(query)
+        url.query = Rack::Utils.build_query(query) if query
 
         url.to_s
       end

omniauth-facebook.gemspec

@@ -11,12 +11,13 @@ Gem::Specification.new do |s|
   s.homepage = 'https://github.com/simi/omniauth-facebook'
   s.license  = 'MIT'
 
-  s.files         = `git ls-files`.split("\n")
+  s.files         = `git ls-files`.split("\n").reject { |path| path.start_with? "example/" }
   s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
   s.executables   = `git ls-files -- bin/*`.split("\n").map { |f| File.basename(f) }
   s.require_paths = ['lib']
 
-  s.add_runtime_dependency 'omniauth-oauth2', '~> 1.2'
+  s.add_runtime_dependency 'omniauth-oauth2', '>= 1.2', '< 3'
+  s.add_runtime_dependency 'bigdecimal'
 
   s.add_development_dependency 'minitest'
   s.add_development_dependency 'mocha'

test/helper.rb

@@ -1,6 +1,6 @@
 require 'bundler/setup'
 require 'minitest/autorun'
-require 'mocha/setup'
+require 'mocha/minitest'
 require 'omniauth/strategies/facebook'
 
 OmniAuth.config.test_mode = true
@@ -42,6 +42,8 @@ def setup
     @client_id = '123'
     @client_secret = '53cr3tz'
     @options = {}
+
+    @facebook_api_version = OmniAuth::Strategies::Facebook::DEFAULT_FACEBOOK_API_VERSION
   end
 
   def strategy

test/signed_request_test.rb

@@ -5,7 +5,7 @@ class SignedRequestTest < Minitest::Test
   def setup
     @value = fixture('signed_request.txt').strip
     @secret = "897z956a2z7zzzzz5783z458zz3z7556"
-    @expected_payload = MultiJson.decode(fixture('payload.json'))
+    @expected_payload = JSON.parse(fixture('payload.json'))
   end
 
   def test_signed_request_payload