simple memo, initializer run

Class Rails::Initializer
<br />#The Initializer is responsible for processing the Rails configuration, such as setting the $LOAD_PATH, requiring the right frameworks, initializing logging, and more. It can be run either as a single command that‘ll just use the default configuration, like this:<br /><br /> Rails::Initializer.run<br /><br />#But normally it‘s more interesting to pass in a custom configuration through the block running:<br /><br /> Rails::Initializer.run do |config|<br /> config.frameworks -= [ :action_mailer ]<br /> end<br /><br />

Symmetric Encryption vs Asymmetric Encryption

http://support.oss.org.tw/wiki/index.php/

Symmetric Encryption – 對稱式加密簡介
其特色在於加解密所使用的金鑰(key)是相同的!
●兩方要進行秘密訊息的傳送之前，必須協議出一個共同的，用來加解密的金鑰(key)以及所使用的演算法；如此訊息一來一往之間，才可以被正確的加解密。
●當然這樣的方式會衍生出一些問題，因此才會有 Asymmetric Encryption(非對稱式加密) 的產生，來改善一些 Symmetric Encryption 的缺點；然而 Symmetric Encryption 在實際的應用上有其實用性，因此目前還是持續不斷的被使用當中

在加解密運作的機制中，有兩大重要部分，除了金鑰(key)之外，另外一個即為加解密所使用的演算法(algorithm)。
在實際應用上，金鑰(key)是一個檔案，內容為一群無意義的英文與數字的集合，長度範圍有可能介於 64~1024 bits (甚至更大) 之間，妥善由通訊雙方秘密保管好。
而演算法(algorithm)則是透明公開的，隨時可以從網路或是其他地方取得演算法的相關使用方法與規則。

---

Asymmetric Encryption (非對稱式加密) 即是為了改良 Symmetric Encryption(對稱式加密) 的缺點而產生的。
在對稱式加密中，通訊雙方往來的訊息是由同一把金鑰進行加密；假設 A 與 B 通訊，兩個人必須有一把相同的金鑰；而若是 A 也要與 C 通訊，則 A 與 C 則必須擁有另外一把不同的金鑰；否則若是都使用相同金鑰，C 就可以解密出 A 要給 B 的訊息，相對的，B 也可以解密出 A 要給 C 的訊息，如此一來資訊在傳送就不再安全!
除此之外，還要防範金鑰被竊取的問題，只要通訊雙方任一方把金鑰洩露出去，就破壞了原本建立的安全機制了。
因此，Asymmetric Encryption(非對稱式加密) 使用了一對金鑰(key pair)的方式解決了這個問題

在 Asymmetric Encryption 的架構中，要通訊的雙方都各持有一對金鑰，分別是私鑰(private key)以及公鑰(public key)。
private key 是要妥善且由自己秘密保管的，而 public key 則是可以公開出去。
假設使用者 A 有一對金鑰，若是 B 要與 A 進行通訊，則 B 必須使用 A 所提供的 public key 進行加密，再將加密的內容傳送給 A，接著 A 可以用自己的 private key 進行解密。同樣的，A 要是要傳訊息給 B，則是要使用 B 所提供的 public key 進行加密，而 B 則可以用自己的 private key 進行解密。
有趣的是，雖然訊息是由 public key 所加密，但是卻無法利用 public key 將原本的訊息還原回來，這就是非對稱式加密的精華所在，也是目前非常受到歡迎的原因。而這一來一往之間，所使用的演算法，即為 RSA 演算法。

如此看來，其實 RSA 的加解密過程是很簡單的，因此重點就是在於金鑰的產生，目前已經被證明長度 1024 bits 不夠安全，因此建議使用長度為 2048 bits 的金鑰作為加解密之用，來提升重要資訊傳輸的安全性。
最後，雖然非對稱式加密解決了金鑰交換的問題，但是卻衍生出加解密效率不彰的問題，因為相較於 DES，RSA 的速度只有其百分之一不到

---

Asymmetric + Symmetric

真的沒有更好的 solution 嗎? 當然是有的...只要巧妙的結合兩者的優點即可啦!! 其中的原理很簡單，假設 A 要傳訊息給 B，就會發生大概類似以下流程：
(1) A 透過對稱式演算法，產生出一把對稱式加密用的金鑰
(注意：這把金鑰只用在這一次的傳輸)
(2) 接著 A 使用 B 所提供的 public key，將這把金鑰加密，
並將加密後的內容傳給 B
(3) B 接收到後，使用自己的 private key 解密，取得這把
一次性金鑰
(4) 之後雙方訊息的往來，都使用對稱式加密
如此一來，就不僅解決了金鑰交換的問題，也解決了非對稱式加解密效率不彰的問題。
當然，這樣的 solution 其實還不算最安全，因此才會有 Digital Signature(數位簽章) 的誕生

facebook 發post ( story ) 到 wall

http://wiki.developers.facebook.com/index.php/Feed_forms
http://wiki.developers.facebook.com/index.php/FB.Connect.streamPublish
http://wiki.developers.facebook.com/index.php/Attachment_%28Streams%29
http://wiki.developers.facebook.com/index.php/Stream.publish

http://wiki.developers.facebook.com/index.php/XFBML
http://blog.yangtheman.com/2009/08/23/how-to-integrate-facebook-connect-with-a-rails-app/

這邊用的是iframe canvas下的 push 方式, 基本上是跟 facebook connect 相同的
<br /> function trigger_publish(){<br /> var attachment = {<br />'media':[{'type':'image','src':'http://bit.ly/AJTnf','href':'http://bit.ly/hifZk'}],<br />'description' : 'kerkerlala',<br /> 'caption' : 'caption kerker',<br /> 'properties' : {'category' : {'text' : 'pets', 'href' : 'http://www.youtube.com/browse?s=mp&t=t&c=15'}, 'ratings' : '5 stars' }};<br /> var actionLinks = [{ "text": "Watch Video", "href": "http://www.myvideosite/videopage.html"}];<br /> FB.Connect.streamPublish('lala', attachment, actionLinks, null, 'kerker');<br />}<br /><br /><a href='#' onclick='trigger_publish();' >publish</a><br />
需要include XFBML 和 facebook connect 的 js

Authorizing Applications, share button

Authorizing_Applications
share button

Once a user has authorized your application, you can utilize the following URLs, which you specify in your application's settings in the Developer application:

* Post-Authorize Callback URL: Facebook pings this URL when a user authorizes your application for the first time. You can also call users.isAppUser to determine if the user has authorized your application.
* Post-Authorize Redirect URL: You can redirect a user to this URL after the user authorizes your application for the first time. You can use this URL only if the user authorizes your application through login.php and not the login dialog.
* Post-Remove Callback URL: Facebook pings the URL when a user removes your application.


For FBML canvas page applications, the parameters are sent as POST parameter. For iframe applications, the parameters are sent as GET parameters, unless you are preloading FQL using the fb_iframe_post option, in which case the parameters are sent as POST parameters.

Choosing between an FBML or IFrame Application(2)

Now, with XFBML, in addition to being able to embed things like fb:name and fb:profile-pic directly into your HTML, you can render any FBML tag by using server-side FBML. If you wrap your FBML inside fb:serverfbml tags, as in:


...then this opens an IFrame to Facebook on the page being served from your domain, and Facebook will render the FBML in there.

However, a fair amount of overhead is involved in opening the IFrame, and your CSS won't propagate into the FBML IFrame, so you won't want to put too many blocks of server-side FBML on a page. But if you need one or two snippets of FBML to make your application richer, or you want a large chunk of your page to use FBML, this makes that possible and pretty easy.

---

Preload FQL


Preload FQL lets you do these sorts of queries on both FBML and IFrame canvas pages, though it works differently for each. In general, you specify a few regular expressions that map to lists of FQL queries. If the page being requested matches any of the regular expressions, the corresponding FQL queries will be executed by Facebook when the user's browser sends the request to Facebook.

For FBML applications, the results get sent along to your application's servers when Facebook requests the FBML from you. Most of the time, this makes calls to the Facebook API unnecessary, even when you need fairly complicated data from Facebook to generate the page.

This is what the flow would look like for an FBML canvas page using preload FQL

FBML Canvas Page Using Preload FQL



Preloading FQL works differently with IFrames. In order for Facebook to send data to your server along with the request for the IFrame, it has to encode the data in the URL being requested. Instead of sending the FQL result set to your server, the Facebook server sends the FQL result data down to the user's browser, attached to the outer frame that contains the Facebook chrome on the canvas. You can choose whether you want to have a lightweight redirect occur, which encodes the FQL results in the request made for your IFrame page. Or, if you only want to access that data on the client side, you can use the PreloadFQL_get method from the JavaScript client library and rewrite parts of the page on the fly using the data after it's initially rendered.


IFrame Canvas Page using Preload FQL


Note that the preload FQL will only work on the first page that loads in your IFrame. If you point your links to apps.facebook.com URLs using target="_top" instead of just linking to different pages within the frame, you could use preload FQL on every page, but this would make all your pages load slowly

Choosing between an FBML or IFrame Application(1)

Choosing between an FBML or IFrame Application


Traditional IFrame Canvas Page


FBML Canvas Page



XFBML as part of Facebook Connect as a way to quickly get social content onto any Web page, and since IFrames are just Web pages, XFBML can speed those up as well.

Before XFBML, IFrame applications always had to make API calls to render social content like user names and profile pictures, and those API calls required another round trip communication between your server and Facebook before sending back content to the user's browser

with XFBML, you can embed various FBML tags like fb:name and fb:profile-pic directly into the HTML that your application sends to the user's browser. Then you simply include some Facebook-specific JavaScript, and that code gets executed and scans the DOM for those tags. The JavaScript then determines all the data needed to render that content and batches it up into one API call from the user's browser to Facebook

The rest of the page that isn't social content can render to the user before the API call completes. And in XFBML, we cache data on the browser so that in many cases, it isn't even necessary to make any API call to Facebook at all.

IFrame Canvas Page Using XFBML - First Page Load by a User


IFrame Canvas Page Using XFBML - Subsequent Page Loads by a User

找該加index 的地方

rails_indexes

<br />script/plugin install git://github.com/eladmeidar/rails_indexes.git<br /><br />#用association 來找 缺少的 index<br />rake db:show_me_a_migration<br /><br />#用 AR::Base#find calls (including: find, find_by, find_all_by, find_by_x_and_y, find_all_by_x_and_y): 來找缺少的index<br />rake db:show_me_ar_find_indexes<br />

check index exist

add_index 之前檢查一下
<br />class AddMissingIndexes < ActiveRecord::Migration<br /> def self.up<br /> check_add_index :groups, :id<br /> check_add_index :about_states, :confirm_email_code<br /> check_add_index :messages, :id<br /> end<br /><br /> def self.down<br /> check_remove_index :groups, :id<br /> check_remove_index :about_states, :confirm_email_code<br /> check_remove_index :messages, :id<br /> end<br /><br /> def self.check_add_index(table, column)<br /> add_index table, column unless check_index_exist(table, column)<br /> end<br /><br /> def self.check_remove_index(table, column)<br /> remove_index table, column if check_index_exist(table, column)<br /> end<br /><br /> # indexes 可以找出talbe 的 indexes<br /> # index_name 可以產生該生成的 index name<br /> def self.check_index_exist(table, columns)<br /> ActiveRecord::Base.connection.indexes(table).map(&:name).include?(ActiveRecord::Base.connection.index_name(table, columns))<br /> end<br /><br />end<br />

mustache 把view logic 的部份再拆出來

就是要讓view 更乾淨把logic 的部份再拆出來
mustache

Ruby on Rails Code Quality Checklist

Ruby on Rails Code Quality Checklist

1. Each controller action only calls one model method other than an initial find or new.
(Make custom .new or .update methods in the model with all necessary). ...
就是盡量把邏輯擺到model 裡, 唯一的例外就是在決定要render view or redirect的時候


2. Only one or two instance variables are shared between each controller and view. ...
保持一兩個instance variable 在controller 和 view 就好
這樣可以讓所有相關連的只有在需要的時候在被call 到, 而且還可以做instance-variable cache in one place
例如不要在controller 裡用到 @post and @related_posts 兩個instance variable, 而是create a method 給 @post, 這樣你就可以在 view 裡面直接用 @post.related_posts


3. All model and variable names are both immediately obvious (to a new developer) and as short as possible without using abbreviations. ...
取個好名字


4. All custom "finds" accessed from more than one place in the code use named_scope instead of a custom method. ...
有關find 什麼東西的, 都用named_scope 來做


5. A .find or .find_by_ is never called in a view or view helper. ...
別直接在view , find or find_by anything, 至少用一下namde_scope or custom methods to do that


6. There is zero custom code that duplicates functionality of a built-in function in rails. ...
7. Code has been aggressively DRYed during development. ...
8. All functionality used in two or more models has been turned into a library/module. ...
9. All logic duplicated between two or more apps has been turned into a gemified plugin. ...

10. STI is not used anywhere ...
別用STI, 用module 來代替, 如果你用STI 你會需要至少bind 兩個model, 這樣你很難回頭
data migration 你會死
但是polymorphic association 是鼓勵的


11. Every design choice should yield the most simplistic design possible for the need of users at the current time.
No guesses for future functionality were designed into the application. ...
對於現在的情況做最簡單的設計, 不要猜測未來的情況, 你可能會猜錯


12. Close to full test coverage exists at the highest level of the application: on and between controller actions. Coverage is highest for code used by the most number of end users. ...

先從user 最常用的開始測起
13. All tests pass before code is merged into a shared repository. ...

merge 前要測過
14. Every fixed defect on a deployed product has tests added to prevent regression. ...
替解掉的defeat 加上測試

15. Every plugin installed has been code reviewed. ...
檢查一下你的plugin code

Install any HTML theme/template into your Rails app

Install any HTML theme/template into your Rails app
install_theme
open source web design

幫你用來快速套template 的
<br /># lowerright:text 的部份就是指定content的部份<br /># partial 就是指定哪邊會變partial, 最基本的就是menu<br /># 指定path 有不同的指定方式XPath or CSS path 都可以<br /># install_theme . path/to/theme/folder ".lowerright:text" --partial "menu:.nav:text"<br /><br /><br />$ gem install install_theme<br />$ rails my_app<br />$ cd my_app<br />$ install_theme . path/to/theme/folder ".lowerright:text" --partial "menu://div[@class='nav']/text()"<br /> create app/app/helpers/template_helper.rb<br /> create app/controllers/original_template_controller.rb<br /> create app/helpers/template_helper.rb<br /> create app/views/layouts/_menu.html.erb<br /> create app/views/layouts/application.html.erb<br /> create app/views/original_template/index.html.erb<br /> create public/images/footer.png<br /> ...<br /> create public/stylesheets/style.css<br /><br />Your theme has been installed into your app.<br />
<br />#可以用這樣來做menu 的選擇<br /><br />module TemplateHelper<br /> def render_or_default(partial, default = partial)<br /> render :partial => partial<br /> rescue ActionView::MissingTemplate<br /> begin<br /> render :partial => "layouts/#{default}"<br /> rescue ActionView::MissingTemplate<br /> nil<br /> end<br /> end<br />end<br />

[Scale] Scale Frontend 應該注意的五件事

[Scale] Scale Frontend 應該注意的五件事
Rails in the Wild: 5 Client-Side Performance Observations

1. It’s easy to forget to compress your JavaScript and CSS

要記得 :cache => true
要記得壓 js 和 css

2. Watch out for slow third party services

都是慢在第三方
google ads, analytics 也會托慢, 請用 postload_google_ads


3. Using multiple image hosts doesn’t always mean higher performance

拆那麼多台未必會比較快

4. S3 is NOT a Webserver!

S3 是 storage ，不是 web server。所以不要一股腦的把東西往上丟，要注意有沒有敏感資訊，而且 s3p 是沒有幫忙做 gzip 的。

5. Most performance variability is NOT attributable to page factors

速度慢通常是慢在後端..

clearance 的 generator

clearance
Class Rails::Generator::Commands::Create


<br />#這邊是需要的library <br />require File.expand_path(File.dirname(__FILE__) + "/lib/insert_commands.rb") <br />require File.expand_path(File.dirname(__FILE__) + "/lib/rake_commands.rb") <br />require 'factory_girl' <br /> <br />class ClearanceGenerator < Rails::Generator::Base <br /> <br /> def manifest <br /> record do |m| <br /> # 原來可以這樣insert GOOD <br /> m.insert_into "app/controllers/application_controller.rb", <br /> "include Clearance::Authentication" <br /> <br /> user_model = "app/models/user.rb" <br /> if File.exists?(user_model) <br /> m.insert_into user_model, "include Clearance::User" <br /> else <br /> #原來也可以生目錄 <br /> m.directory File.join("app", "models") <br /> m.file "user.rb", user_model <br /> end <br /> <br /> m.directory File.join("test", "factories") <br /> m.file "factories.rb", "test/factories/clearance.rb" <br /> <br /> #還可以選擇用哪個file migrate, 叫啥名字 <br /> m.migration_template "migrations/#{migration_name}.rb", <br /> 'db/migrate', <br /> :migration_file_name => "clearance_#{migration_name}" <br /> <br /> m.readme "README" <br /> end <br /> private <br /> <br /> def migration_name <br /> #可以check table 在不在 <br /> if ActiveRecord::Base.connection.table_exists?(:users) <br /> 'update_users' <br /> else <br /> 'create_users' <br /> end <br /> end <br /> <br />end <br /> <br />#-------------------------------------------------- <br />Rails::Generator::Commands::Create.class_eval do <br /> def insert_into(file, line) <br /> logger.insert "#{line} into #{file}" <br /> unless options[:pretend] || file_contains?(file, line) <br /> gsub_file file, /^(class|module) .+$/ do |match| <br /> "#{match}\n #{line}" <br /> end <br /> end <br /> end <br />end <br /><br />#/clearance/templates/migrations/create_users.rb <br />class ClearanceCreateUsers < ActiveRecord::Migration <br /> def self.up <br /> create_table(:users) do |t| <br /> t.string :email <br /> t.string :encrypted_password, :limit => 128 <br /> t.string :salt, :limit => 128 <br /> t.string :confirmation_token, :limit => 128 <br /> t.string :remember_token, :limit => 128 <br /> t.boolean :email_confirmed, :default => false, :null => false <br /> t.timestamps <br /> end <br /> <br /> add_index :users, [:id, :confirmation_token] <br /> add_index :users, :email <br /> add_index :users, :remember_token <br /> end <br /> <br /> def self.down <br /> drop_table :users <br /> end <br />end <br /> <br /> <br />#------------------------------------- <br />#/clearance/templates/migrations/update_users.rb <br />class ClearanceUpdateUsers < ActiveRecord::Migration <br /> def self.up <br /><% <br /> # ActiveRecord::Base.connection.columns(:users).collect { |each| each.name } = User.columns.map { |each| each.name } <br /> existing_columns = ActiveRecord::Base.connection.columns(:users).collect { |each| each.name } <br /> columns = [ <br /> [:email, 't.string :email'], <br /> [:encrypted_password, 't.string :encrypted_password, :limit => 128'], <br /> [:salt, 't.string :salt, :limit => 128'], <br /> [:confirmation_token, 't.string :confirmation_token, :limit => 128'], <br /> [:remember_token, 't.string :remember_token, :limit => 128'], <br /> [:email_confirmed, 't.boolean :email_confirmed, :default => false, :null => false'] <br /> ].delete_if {|c| existing_columns.include?(c.first.to_s)} <br />-%> <br /> change_table(:users) do |t| <br /><% columns.each do |c| -%> <br /> <%= c.last %> <br /><% end -%> <br /> end <br /> <br /><% <br /> #連有哪些index 也可以看 <br /> existing_indexes = ActiveRecord::Base.connection.indexes(:users) <br /> index_names = existing_indexes.collect { |each| each.name } <br /> new_indexes = [ <br /> [:index_users_on_id_and_confirmation_token, 'add_index :users, [:id, :confirmation_token]'], <br /> [:index_users_on_email, 'add_index :users, :email'], <br /> [:index_users_on_remember_token, 'add_index :users, :remember_token'] <br /> ].delete_if { |each| index_names.include?(each.first.to_s) } <br />-%> <br /><% new_indexes.each do |each| -%> <br /> <%= each.last %> <br /><% end -%> <br /> end <br /> <br /> def self.down <br /> change_table(:users) do |t| <br /><% unless columns.empty? -%> <br /> t.remove <%= columns.collect { |each| ":#{each.first}" }.join(',') %> <br /><% end -%> <br /> end <br /> end <br />end <br />

JavaScript 中的 document.createDocumentFragment

JavaScript 中的 document.createDocumentFragment
<br />var fragment = document.createDocumentFragment();<br />for (var i in some_array) {<br /> var node = document.createElement('option');<br /> node.innerHTML = '....';<br /> fragment.appendChild(node);<br />}<br />targetNode.appendChild(fragment);<br />
在這段程式碼中，使用了 document.createDocumentFragment() 這個函式產生一個 document fragment，你可以把它想作是一個處理 DOM element 的 buffer，把欲生成的 DOM element 先加入到這個 fragment 中，最後再一次加到頁面的 DOM 結構中，這樣的作法比起在迴圈中一直 appendChild 來得快上許多，當然更重要的是，問題也被解決了 :)

ruby binary code

有時候想要return 一些binary code 東西要怎樣帶勒
<br />#注意外面要雙引號喔<br />return :text => "aaaa\r\nbbbb"<br />#或<br />return :text => "aaaa\x0a\x0dbbbb"<br />

console tips

Hirb - Irb On The Good Stuff
可以看到sql 結果的
<br /> gem install cldwalker-hirb —source http://gems.github.com<br /> # Load hirb and enable view framework<br /> irb>> require 'hirb'<br /> => true<br /> irb>> Hirb::View.enable<br /> => nil<br />

可以看到sql 指令的
<br /># ~/.irbrc file <br />script_console_running = ENV.include?('RAILS_ENV') && IRB.conf[:LOAD_MODULES] && IRB.conf[:LOAD_MODULES].include?('console_with_helpers')<br />rails_running = ENV.include?('RAILS_ENV') && !(IRB.conf[:LOAD_MODULES] && IRB.conf[:LOAD_MODULES].include?('console_with_helpers'))<br />irb_standalone_running = !script_console_running && !rails_running<br /><br />if script_console_running<br /> require 'logger'<br /> Object.const_set(:RAILS_DEFAULT_LOGGER, Logger.new(STDOUT))<br />end<br />

has_many , time now, assocation

Do you know when your code runs?
有時候你時候你會發現你在你下的conditions 有關於時間的, 跑起來有點怪怪的

在development 沒問題, 在production 卻不正常

仔細看會發現時間統統都是static 的了, 因為production 並不會每次都去reload class
<br />class Person < ActiveRecord::Base<br /> has_many :posts<br /> has_many :recent_posts, :class_name => 'Post', :conditions => ["created_at > ?", 1.week.ago]<br /> validates_inclusion_of :birth_date, :in => (20.years.ago..13.years.ago), <br /> :message => "You must be a teenager to signup", :on => :create<br />end<br /><br />class Post < ActiveRecord::Base<br /> named_scope :recent, :conditions => ["created_at > ?", 1.week.ago]<br />end<br />
這時候只要換個寫法<br />#make one with no arguments, just to ensure that the time condition is evaluated whenever the scope is accessed. <br />class Post<br /> named_scope :recent, lambda { {:conditions => 1.week.ago}}<br />end<br /><br />#Active Record will perform that interpolation again at the point where sql is generated<br />class Person < ActiveRecord::Base<br /> has_many :recent_posts, :class_name => 'Post', <br /> :conditions => "created_at > #{1.week.ago.to_s(:db)}"<br />end<br /><br />#Validations can't play any of the clever little games that the other 2 examples can. You'll just have to something like<br />class Person < ActiveRecord::Base<br /> validate_on_create :is_a_teenager<br /><br /> def is_a_teenager<br /> unless birth_date < 13.years.ago && birth_date > 20.years.ago<br /> ...<br /> end<br /> end<br />end<br />

跨browser 播音樂

http://www.htmlcodetutorial.com/embeddedobjects/_EMBED.html
<br /><[embed src="symphony.mid" autostart="false" width="0" height="0" id="music"]><br /><br />var music = $("#music")[0];<br />music.Stop();<br /><br />music.Play();<br />

Facebook app memo

Facebook development: choosing FBML or iframe as your application type
http://apps.new.facebook.com/facebooker_tutorial/

1. Set up New application
http://www.facebook.com/developers/

2. remember your api key and serect key

3. Canvas/畫布 setting

---

api key, serect key

they let our application verify that requests are coming from Facebook.

---

Facebook sends us the ID of the current user and their whole list of friends on
every request. That makes our life quite a bit easier. It also can cause
some security problems.

---

All requests come from Facebook. To make sure this is the case, we can
verify the signature that is sent by Facebook on every request. A digital
signature is a way to use cryptography to verify that something actually
came from the person who it appears to be from.4 Facebook sends a
number of parameters that start with fb_sig. All these parameters are
used in the signature validation.

When Facebook sends our applications a request, it builds a string
that includes all the fb_sig parameters in alphabetical order. It then
adds our secret key to the end of that string and calculates the MD5 sum.

When Facebooker receives a request, it goes through the
same steps to recalculate the signature. If the value that Facebooker
calculates matches the one in our request, it proves that the request
came from somebody who knows our secret key.

---

Rails included a feature to stop cross-site forgery
attacks. Unfortunately, this feature doesn’t play well with Facebook.
We’ll need to disable it by editing environment.rb and setting allow_forgery_
protection to false,

---

---

---

---