
Unknown algorithm. Expected HMAC-SHA256 spam in logs

I'm using Facebook PHP SDK 3.1.1 and the current version of the Facebook JS SDK. Our users are not reporting errors, but I'm seeing a ton of error log messages like this:

Unknown algorithm. Expected HMAC-SHA256

I see from the source that the error is triggered when reading a signed request with the wrong encoding algorithm, but I'm not sure why that would be, as all signed requests should be generated by the Facebook JS code.

Anyone seen this behavior? Any idea how bad a thing this is, or whether it's really indicative of errors? I have been unable to replicate it on demand.

mike asked Aug 31 '11 18:08


1 Answer

Try logging some of the signed_request parameters to inspect them manually. For instance, you could change the log line in Base_Facebook::parseSignedRequest to this:

  self::errorLog('Unknown algorithm. Expected HMAC-SHA256, request='.$signed_request);

Once you have a few of these logged, decode them manually or paste them at the end of this URL:

https://developers.facebook.com/tools/echo?signed_request=

Check what algorithm is specified in the payload or whether the data is malformed in some way. If you share the results here, make sure to omit private data like the access token value.

You might also want to check your web server access logs. For starters, look for GET requests with a signed_request query parameter that occurred around the same time as those entries in your error logs.

PCheese answered Sep 21 '22 13:09
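The manual decoding step suggested in the answer above, as an added example that is not part of the original answer or of the Facebook SDK: it splits a logged signed_request, reports the algorithm the payload declares, redacts credentials, and only then checks the HMAC-SHA256 signature. `APP_SECRET`, the function names and the sample values are constructed for illustration; the layout assumed is `base64url(signature).base64url(JSON payload)`.

```php
<?php
// Added example: offline triage of signed_request values copied from the logs.
// APP_SECRET, the function names and the samples are constructed placeholders.
const APP_SECRET = 'constructed-app-secret';

function b64url_encode($bin) {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}
function b64url_decode($s) {
    // URL-safe alphabet, padding stripped: restore both before strict decoding.
    $s = strtr($s, '-_', '+/');
    return base64_decode($s . str_repeat('=', (4 - strlen($s) % 4) % 4), true);
}

function inspect_signed_request($raw, $secret) {
    $parts = explode('.', $raw, 2);
    if (count($parts) !== 2) {
        return array('status' => 'malformed: no "." separator');
    }
    list($encodedSig, $encodedPayload) = $parts;
    $sig  = b64url_decode($encodedSig);
    $json = b64url_decode($encodedPayload);
    $data = ($json === false) ? null : json_decode($json, true);
    if ($sig === false || !is_array($data)) {
        return array('status' => 'malformed: not base64url-encoded JSON');
    }
    // Redact credentials before anything is printed or written to a log.
    foreach (array('oauth_token', 'code') as $key) {
        if (isset($data[$key])) { $data[$key] = '[redacted]'; }
    }
    $alg = isset($data['algorithm']) ? $data['algorithm'] : null;
    if (!is_string($alg) || strtoupper($alg) !== 'HMAC-SHA256') {
        return array('status' => 'unexpected algorithm', 'algorithm' => $alg, 'payload' => $data);
    }
    // The signature covers the still-encoded payload; compare in constant time.
    $expected = hash_hmac('sha256', $encodedPayload, $secret, true);
    $status = hash_equals($expected, $sig) ? 'valid' : 'bad signature';
    return array('status' => $status, 'algorithm' => $alg, 'payload' => $data);
}

function make_sample($payload, $secret) {   // builds constructed test input
    $p = b64url_encode(json_encode($payload));
    return b64url_encode(hash_hmac('sha256', $p, $secret, true)) . '.' . $p;
}
$samples = array(
    make_sample(array('algorithm' => 'HMAC-SHA256', 'oauth_token' => 'constructed'), APP_SECRET),
    make_sample(array('algorithm' => 'OTHER-ALG', 'user_id' => '1000'), APP_SECRET),
    make_sample(array('algorithm' => 'HMAC-SHA256', 'user_id' => '1000'), 'different-secret'),
    'not-a-signed-request',
);
foreach ($samples as $raw) { echo json_encode(inspect_signed_request($raw, APP_SECRET)), "\n"; }
```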