Before I start, I should address the inevitable “what about OAuth2″ comments. Yes, OAuth2 is the new hotness for Facebook authentication, but the Facebook Connect iPhone SDK isn’t going to get broken (intentionally!) any time soon. (I have that on authority from a friend inside Facebook, BTW.) If you’ve got the time to replicate the functionality of FBConnect for the new world order I salute you, but otherwise this code may come in handy and will continue to function until a full-featured replacement for FBConnect arrives.

With a session proxy (say at http://your-server.example.com/fbproxy), this is how the client establishes a session:

• Phone:
  – GET http://your-server.example.com/fbproxy?auth_token=A_TOKEN&…
• To respond, your server relays the results of this POST:
  – POST: http://api.facebook/com/restserver.php
  – POST body: auth_token=A_TOKEN&sig=A_SIGNATURE&…

A_SIGNATURE is generated using your FB app secret, so Facebook knows the request is legit. Facebook returns a session key & secret that can be used to make Facebook API calls from the phone. If you’re wondering (like I did) how this is any more secure than shipping your app secret directly, you should understand that a session key is much less powerful than an app secret. The app secret is basically the root password for your app, while a session key gets you an unprivileged user account.

With HexaLex I’ve used Google App Engine to host most of the backend service, so I ended up adapting some sample code I found online to do the job. (minifb is particularly readable.) I didn’t want to pull in a bunch of other dependencies, so this code is self-sufficient. I’m using Google’s webapp framework so that’s what’s used in the code, but it should be easy to adapt to whatever framework you favor. Without further ado, here’s the code:

"""
To use this, write in your Facebook API key and secret below and then
add FacebookSessionProxy to your list of url handlers:
    application = webapp.WSGIApplication(
        [('/fbproxy', FacebookSessionProxy),
         ...])
 
Then in your iPhone code use something like
session = [FBSession sessionForApplication:myApiKey 
             getSessionProxy:@"http://yourApp.appspot.com/fbproxy"
             delegate:self];
"""
import hashlib
import httplib
import urllib
from google.appengine.ext import webapp
 
# This lambda prevents the secret from appearing in cgitb backtraces
FB_API_SECRET = lambda:"YOUR_API_SECRET"
FB_API_KEY = "YOUR_API_KEY"
 
FB_API_HOST="api.facebook.com"
FB_API_PATH="/restserver.php"
 
def facebook_signature(paramsDict):
    """Compute the signature of a Facebook request"""
    sorted = paramsDict.items()
    sorted.sort()
 
    trace = ''.join(["%s=%s" % x for x in sorted])
    trace += FB_API_SECRET()
 
    md5 = hashlib.md5()
    md5.update(trace)
    return md5.hexdigest()
 
def get_fb_session(auth_token):
    """Request a Facebook session using the given auth_token"""
    params={
            "api_key":FB_API_KEY,
            "v":"1.0",
            "auth_token":auth_token,
            "generate_session_secret":"1",
            "method":"auth.getSession",
    }
    params["sig"] = facebook_signature(params)
 
    encoded_params = urllib.urlencode(params)
    headers = {
            "Content-type":"application/x-www-form-urlencoded",
    }
 
    conn = httplib.HTTPConnection(FB_API_HOST)
    conn.request("POST", FB_API_PATH, encoded_params, headers)
    return conn.getresponse()
 
class FacebookSessionProxy(webapp.RequestHandler):
    def get(self):
        response = self.response
        auth_token = self.request.get('auth_token')
        if len(auth_token) == 0:
            response.set_status(httplib.BAD_REQUEST)
            response.out.write("Facebook login error: no auth_token given.")
            return
        fbResponse = get_fb_session(auth_token)
        response.out.write(fbResponse.read())
        response.set_status(fbResponse.status, fbResponse.reason)
        response.headers['Content-Type'] = fbResponse.getheader('content-type')
 
# The End

Update: I fixed a bug in the call to get_fb_session. Thanks to Justin Williams for reporting it.

Some of you have probably noticed that I’ve been neglecting some of my other projects and complaining about being busy a lot lately. Well here’s what I’ve been working on. I’m pleased to announce HexaLex, a new angle on crossword games! The first platform for HexaLex is iPhone and iPod Touch, but I’m planning to expand to Facebook in the near future.

HexaLex as it looks in-game

If you want to get a quick overview of the game and a list of features go ahead and visit the HexaLex.com website. If you want to read some great 5-star reviews or buy the game just pop on over to the App Store. Continue reading for a little more detail on the core concept of the game.

HexaLex is an idea I came up with a little over a year ago as a grad student. The core gameplay is a lot like Scrabble, Words With Friends, or Lexulous, so if you’ve played one of those games you’ll get the idea right away. You use tiles to build words on a game board. But HexaLex has a big difference — it’s played with hexagonal tiles. Looks interesting, right?

Playing a crossword game with hexagonal tiles sounds like a simple idea but it actually requires a bit of creative thinking to make it playable and fun. (This is probably why it hasn’t been done a million times already!) You see, when two words cross with square tiles they only interact at one tile — the tile of intersection. With hexagonal tiles, that’s not the case. Hex tiles cause interactions at the tile of intersection and its neighbors! This means that playing one word across another word also forms two new two-letter words. This is sort of hard to describe, but easy to see as a picture (like the one below).

Crossing START with CRAZY forms RT and RZ

Traditionally, in crossword games you have to make every word on the board valid. If you just take the standard rules and try to use them with hexagonal tiles you’ll quickly discover that the game is unplayably hard. It’s just frustrating to have to work out two valid two-letter words for each and every crossing play.

The way I solved this in HexaLex was to introduce the idea of junk words. A junk word is a two-letter word that’s not a valid word. So XR, TQ, and ZA are examples of junk words. (Oops, ZA is actually a valid word, at least in the strange world of crossword games.) In HexaLex you are allowed to play junk words subject to a few restrictions:

The main menu features a sliding word animation

With junk words, a simple play of one word crossing another is always possible provided the two words share a letter. The game is playable once again and balance is restored!

So now you know that when you look at a HexaLex game it’s OK that some of the two-letter words are bogus, but all of the longer words have to be legit.

Junk words aren’t the only break from Scrabble tradition in HexaLex but I’ll leave the rest for another post.

HexaLex is available now in the App Store. Give it a shot! Initial App Store reviews have been overwhelmingly positive, with fourteen unanimous 5-star ratings and reviews so far. If you enjoy HexaLex please let me know! You can also become a HexaLex fan on Facebook and/or follow HexaLexGame on Twitter. Also, please help spread the word by clicking the digg button!