Social Login through Gigya API
We recently had to implement “social authentication” for an application with a Ruby on Rails back-end. More precisely, the ability to log in through Facebook, Google, Twitter and so on.
Gigya is a service that provides an API for this, so that developers don’t have to deal with the particulars of each provider’s API. (Facebook’s API has been voted the worst ever)
On the downside, Gigya is very pricey (forget about it if you are a small startup) and the documentation on their site is less than perfect.
In particular, for verifying the signature (front-end to back-end call), there is no Ruby code sample on their site. After figuring out the steps, I thought of posting it here, in the hopes that it will benefit others who come across this issue.
require 'openssl'
require 'base64'

def self.verify_signature(uid, timestamp, signature)
  # Validate that the timestamp (Gigya sends it as UNIX seconds, GMT) is within 3 minutes of the current server time
  if (Time.now.utc - Time.at(timestamp.to_i).utc).abs > 180
    raise GigyaError.new("GIGYA ERROR: Invalid Timestamp")
  end
  # The signed base string is "<timestamp>_<uid>"
  base_string = "#{timestamp}_#{uid}"
  # The secret is Base64-encoded; the HMAC key is its decoded bytes (DIGEST and SECRET are described below)
  hmacsha1 = OpenSSL::HMAC.digest(DIGEST, Base64.decode64(SECRET), base_string)
  # Base64-encode without line breaks so the result matches the signature Gigya sent
  my_sig = Base64.strict_encode64(hmacsha1)
  if (my_sig != signature)
    raise GigyaError.new("GIGYA ERROR: Invalid Signature")
  end
  true
end
where DIGEST = OpenSSL::Digest.new('sha1') and SECRET is the Gigya secret.
The important points are that the SECRET has to be Base64-decoded before it is used as the HMAC key, and that the base string is the timestamp and the UID joined by an underscore. Also, one should use OpenSSL::HMAC, as it is the most efficient way to compute the HMAC-SHA1 digest.
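To show the whole check end to end, here is an added, self-contained Ruby example (not the original post’s code and not Gigya’s own SDK). It builds the same "<timestamp>_<uid>" base string, keys HMAC-SHA1 with the Base64-decoded secret, and then exercises the three cases a login endpoint has to handle: a fresh valid signature, a stale (replayed) timestamp, and a tampered signature. The secret, UID and timestamps are constructed for the demo; the constant-time comparison is an addition not present in the original snippet, since a plain `!=` returns as soon as the first byte differs.

```ruby
require 'openssl'
require 'base64'

# Constructed demo secret; a real deployment loads the Gigya partner secret from configuration.
DEMO_SECRET_B64 = Base64.strict_encode64("demo-secret-bytes-not-a-real-gigya-secret")
MAX_SKEW_SECONDS = 180

class GigyaSignatureError < StandardError; end

# Gigya signature scheme: HMAC-SHA1 over "<timestamp>_<uid>", keyed with the
# Base64-DECODED secret, result Base64-encoded without line breaks.
def expected_signature(uid, timestamp, secret_b64 = DEMO_SECRET_B64)
  key = Base64.decode64(secret_b64)
  base_string = "#{timestamp}_#{uid}"
  Base64.strict_encode64(OpenSSL::HMAC.digest('sha1', key, base_string))
end

# Constant-time comparison: XOR every byte pair and OR the results, so the
# running time does not depend on where the first mismatch occurs.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Verifies a (uid, timestamp, signature) triple as received from the front-end.
# `now` is injectable so the time window can be tested deterministically.
def verify_gigya_signature(uid, timestamp, signature, now: Time.now.utc, secret_b64: DEMO_SECRET_B64)
  # Gigya's signatureTimestamp is UNIX seconds (GMT); reject anything outside +/- 3 minutes
  skew = (now.to_i - timestamp.to_i).abs
  raise GigyaSignatureError, "timestamp outside #{MAX_SKEW_SECONDS}s window" if skew > MAX_SKEW_SECONDS
  expected = expected_signature(uid, timestamp, secret_b64)
  raise GigyaSignatureError, "signature mismatch" unless secure_compare(expected, signature.to_s)
  true
end

# Helper for the demo: returns the error message instead of raising.
def rescue_reason
  yield
rescue GigyaSignatureError => e
  e.message
end

# Changes the first character of a Base64 string so it is guaranteed to differ.
def flip_first_char(sig)
  replacement = sig[0] == 'A' ? 'B' : 'A'
  replacement + sig[1..]
end

# Runs the three cases against a fixed clock (constructed values throughout).
def demo_cases
  now = Time.at(1_700_000_000).utc
  uid = "_guid_demo-user-1234"
  fresh_ts = (now.to_i - 30).to_s    # signed 30 seconds ago: accepted
  stale_ts = (now.to_i - 600).to_s   # signed 10 minutes ago: rejected even though the HMAC is valid
  good_sig = expected_signature(uid, fresh_ts)
  {
    fresh: verify_gigya_signature(uid, fresh_ts, good_sig, now: now),
    stale: rescue_reason { verify_gigya_signature(uid, stale_ts, expected_signature(uid, stale_ts), now: now) },
    tampered: rescue_reason { verify_gigya_signature(uid, fresh_ts, flip_first_char(good_sig), now: now) },
  }
end

puts demo_cases.inspect
```

Running the file prints `{:fresh=>true, :stale=>"timestamp outside 180s window", :tampered=>"signature mismatch"}`. The stale case is the one worth noting: the HMAC itself is valid, and only the freshness window stops a captured login response from being replayed later.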