Skipping CSRF validation upon valid signed request

[rshk]

I just added a middleware class that prevents CSRF validation (by setting it as already checked) in case a valid signed request was found.
All the code is committed in my own django-facebook fork: https://github.com/rshk/django-facebook (I just changed the middleware module and README.md).

Now, I'm not sure what the exact procedure should be in order to integrate with mainstream (if you would like to), since
I'm quite new to the whole git/github thing; should I submit a pull request? How do I do that?

Anyways, the changes I made consist just in an extra middleware class, so you could just copy-paste that.

[martey]

See http://help.github.com/send-pull-requests/.

Since the signed request is already processed in FacebookMiddleware, could this be accomplished by a one line addition there (and updating the documentation that it should be placed before CsrfViewMiddleware)?

[rshk]

Unluckily, no. This is due to Middleware dependencies: FacebookCSRFMiddleware must be executed before CsrfViewMiddleware, while FacebookMiddleware checks for an authenticated user, and thus it must go after AuthenticationMiddleware. And I'm not sure it would be a good idea to move AuthenticationMiddleware before CsrfViewMiddleware...
Anyways, I'm thinking on a nicer way to avoid the duplicated signature checking; probably the best way would be to make FacebookCSRFMiddleware store information on the signature validation somewhere inside request, and make FacebookMiddleware skip signed request validation if result from FacebookCSRFMiddleware was found..

[martey]

That seems fine to me. It might make sense to call the CSRF middleware something like FacebookCanvasMiddleware or otherwise note that it should be used with Canvas applications, and would not be useful for Facebook Connect websites.

[rshk]

I renamed FacebookCSRFMiddleware into FacebookCanvasMiddleware as you suggested, also because I am adding some other stuff in that (I also added an option to directly login user there, if requested to do so).

Also, at the moment I'm doing a bunch of other changes, in order to try speeding things up a bit (in an application I'm developing, I'm experiencing pageloads of ~10s after adding django_facebook).

Briefly:

• I added support for caching Graph API requests (only GETs..), since I need user data on each page, and friends data quite often.
• I'm making some changes to try using "channel file", as suggested in the official doc, to speed up cross-domain communication -- plus ETags in order to force caching on the browser-side.
• I changed middleware.DjangoFacebook into using "lazy" cached properties to access stuff, instead of rawly loading that in the constructor.
• I'm planning to add further integration with user profiles, storing in the local database user data taken from Facebook (and then, maybe, update that data once in a while / asynchronously / ..)

I committed and pushed everything, so you can see the latest code.

Oh, and I added some sphinx-based documentation (now I have to clean up docstrings a bit..).