source: trunk/www.guidonia.net/wp/wp-content/plugins/fbconnect/facebook-client/facebook.php@ 44

Last change on this file since 44 was 44, checked in by luciano, 15 years ago
File size: 19.6 KB
RevLine 
[44]1<?php
2// Copyright 2004-2009 Facebook. All Rights Reserved.
3//
4// +---------------------------------------------------------------------------+
5// | Facebook Platform PHP5 client |
6// +---------------------------------------------------------------------------+
7// | Copyright (c) 2007 Facebook, Inc. |
8// | All rights reserved. |
9// | |
10// | Redistribution and use in source and binary forms, with or without |
11// | modification, are permitted provided that the following conditions |
12// | are met: |
13// | |
14// | 1. Redistributions of source code must retain the above copyright |
15// | notice, this list of conditions and the following disclaimer. |
16// | 2. Redistributions in binary form must reproduce the above copyright |
17// | notice, this list of conditions and the following disclaimer in the |
18// | documentation and/or other materials provided with the distribution. |
19// | |
20// | THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
21// | IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
22// | OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
23// | IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
24// | INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
25// | NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
26// | DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
27// | THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
28// | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
29// | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
30// +---------------------------------------------------------------------------+
31// | For help with this library, contact developers-help@facebook.com |
32// +---------------------------------------------------------------------------+
33
34include_once 'facebookapi_php5_restlib.php';
35
36define('FACEBOOK_API_VALIDATION_ERROR', 1);
37class Facebook {
38 public $api_client;
39 public $api_key;
40 public $secret;
41 public $generate_session_secret;
42 public $session_expires;
43
44 public $fb_params;
45 public $user;
46 public $profile_user;
47 public $canvas_user;
48 protected $base_domain;
49 /*
50 * Create a Facebook client like this:
51 *
52 * $fb = new Facebook(API_KEY, SECRET);
53 *
54 * This will automatically pull in any parameters, validate them against the
55 * session signature, and chuck them in the public $fb_params member variable.
56 *
57 * @param api_key your Developer API key
58 * @param secret your Developer API secret
59 * @param generate_session_secret whether to automatically generate a session
60 * if the user doesn't have one, but
61 * there is an auth token present in the url,
62 */
63 public function __construct($api_key, $secret, $generate_session_secret=false) {
64 $this->api_key = $api_key;
65 $this->secret = $secret;
66 $this->generate_session_secret = $generate_session_secret;
67 $this->api_client = new FacebookRestClient($api_key, $secret, null);
68 $this->validate_fb_params();
69
70 // Set the default user id for methods that allow the caller to
71 // pass an explicit uid instead of using a session key.
72 $defaultUser = null;
73 if ($this->user) {
74 $defaultUser = $this->user;
75 } else if ($this->profile_user) {
76 $defaultUser = $this->profile_user;
77 } else if ($this->canvas_user) {
78 $defaultUser = $this->canvas_user;
79 }
80
81 $this->api_client->set_user($defaultUser);
82
83
84 if (isset($this->fb_params['friends'])) {
85 $this->api_client->friends_list = explode(',', $this->fb_params['friends']);
86 }
87 if (isset($this->fb_params['added'])) {
88 $this->api_client->added = $this->fb_params['added'];
89 }
90 if (isset($this->fb_params['canvas_user'])) {
91 $this->api_client->canvas_user = $this->fb_params['canvas_user'];
92 }
93 }
94
95 /*
96 * Validates that the parameters passed in were sent from Facebook. It does so
97 * by validating that the signature matches one that could only be generated
98 * by using your application's secret key.
99 *
100 * Facebook-provided parameters will come from $_POST, $_GET, or $_COOKIE,
101 * in that order. $_POST and $_GET are always more up-to-date than cookies,
102 * so we prefer those if they are available.
103 *
104 * For nitty-gritty details of when each of these is used, check out
105 * http://wiki.developers.facebook.com/index.php/Verifying_The_Signature
106 *
107 * @param bool resolve_auth_token convert an auth token into a session
108 */
109 public function validate_fb_params($resolve_auth_token=true) {
110 $this->fb_params = $this->get_valid_fb_params($_POST, 48*3600, 'fb_sig');
111
112 // note that with preload FQL, it's possible to receive POST params in
113 // addition to GET, so use a different prefix to differentiate them
114 if (!$this->fb_params) {
115 $fb_params = $this->get_valid_fb_params($_GET, 48*3600, 'fb_sig');
116 $fb_post_params = $this->get_valid_fb_params($_POST, 48*3600, 'fb_post_sig');
117 $this->fb_params = array_merge($fb_params, $fb_post_params);
118 }
119
120 // Okay, something came in via POST or GET
121 if ($this->fb_params) {
122 $user = isset($this->fb_params['user']) ?
123 $this->fb_params['user'] : null;
124 $this->profile_user = isset($this->fb_params['profile_user']) ?
125 $this->fb_params['profile_user'] : null;
126 $this->canvas_user = isset($this->fb_params['canvas_user']) ?
127 $this->fb_params['canvas_user'] : null;
128 $this->base_domain = isset($this->fb_params['base_domain']) ?
129 $this->fb_params['base_domain'] : null;
130
131 if (isset($this->fb_params['session_key'])) {
132 $session_key = $this->fb_params['session_key'];
133 } else if (isset($this->fb_params['profile_session_key'])) {
134 $session_key = $this->fb_params['profile_session_key'];
135 } else {
136 $session_key = null;
137 }
138 $expires = isset($this->fb_params['expires']) ?
139 $this->fb_params['expires'] : null;
140 $this->set_user($user,
141 $session_key,
142 $expires);
143 }
144 // if no Facebook parameters were found in the GET or POST variables,
145 // then fall back to cookies, which may have cached user information
146 // Cookies are also used to receive session data via the Javascript API
147 else if ($cookies =
148 $this->get_valid_fb_params($_COOKIE, null, $this->api_key)) {
149
150 $base_domain_cookie = 'base_domain_' . $this->api_key;
151 if (isset($_COOKIE[$base_domain_cookie])) {
152 $this->base_domain = $_COOKIE[$base_domain_cookie];
153 }
154
155 // use $api_key . '_' as a prefix for the cookies in case there are
156 // multiple facebook clients on the same domain.
157 $expires = isset($cookies['expires']) ? $cookies['expires'] : null;
158 $this->set_user($cookies['user'],
159 $cookies['session_key'],
160 $expires);
161 }
162 // finally, if we received no parameters, but the 'auth_token' GET var
163 // is present, then we are in the middle of auth handshake,
164 // so go ahead and create the session
165 else if ($resolve_auth_token && isset($_GET['auth_token']) &&
166 $session = $this->do_get_session($_GET['auth_token'])) {
167 if ($this->generate_session_secret &&
168 !empty($session['secret'])) {
169 $session_secret = $session['secret'];
170 }
171
172 if (isset($session['base_domain'])) {
173 $this->base_domain = $session['base_domain'];
174 }
175
176 $this->set_user($session['uid'],
177 $session['session_key'],
178 $session['expires'],
179 isset($session_secret) ? $session_secret : null);
180 }
181
182 return !empty($this->fb_params);
183 }
184
185 // Store a temporary session secret for the current session
186 // for use with the JS client library
187 public function promote_session() {
188 try {
189 $session_secret = $this->api_client->auth_promoteSession();
190 if (!$this->in_fb_canvas()) {
191 $this->set_cookies($this->user, $this->api_client->session_key, $this->session_expires, $session_secret);
192 }
193 return $session_secret;
194 } catch (FacebookRestClientException $e) {
195 // API_EC_PARAM means we don't have a logged in user, otherwise who
196 // knows what it means, so just throw it.
197 if ($e->getCode() != FacebookAPIErrorCodes::API_EC_PARAM) {
198 throw $e;
199 }
200 }
201 }
202
203 public function do_get_session($auth_token) {
204 try {
205 return $this->api_client->auth_getSession($auth_token, $this->generate_session_secret);
206 } catch (FacebookRestClientException $e) {
207 // API_EC_PARAM means we don't have a logged in user, otherwise who
208 // knows what it means, so just throw it.
209 if ($e->getCode() != FacebookAPIErrorCodes::API_EC_PARAM) {
210 throw $e;
211 }
212 }
213 }
214
215 // Invalidate the session currently being used, and clear any state associated with it
216 public function expire_session() {
217 if ($this->api_client->auth_expireSession()) {
218 if (!$this->in_fb_canvas() && isset($_COOKIE[$this->api_key . '_user'])) {
219 $cookies = array('user', 'session_key', 'expires', 'ss');
220 foreach ($cookies as $name) {
221 setcookie($this->api_key . '_' . $name, false, time() - 3600);
222 unset($_COOKIE[$this->api_key . '_' . $name]);
223 }
224 setcookie($this->api_key, false, time() - 3600);
225 unset($_COOKIE[$this->api_key]);
226 }
227
228 // now, clear the rest of the stored state
229 $this->user = 0;
230 $this->api_client->session_key = 0;
231 return true;
232 } else {
233 return false;
234 }
235 }
236
237 public function redirect($url) {
238 if ($this->in_fb_canvas()) {
239 echo '<fb:redirect url="' . $url . '"/>';
240 } else if (preg_match('/^https?:\/\/([^\/]*\.)?facebook\.com(:\d+)?/i', $url)) {
241 // make sure facebook.com url's load in the full frame so that we don't
242 // get a frame within a frame.
243 echo "<script type=\"text/javascript\">\ntop.location.href = \"$url\";\n</script>";
244 } else {
245 header('Location: ' . $url);
246 }
247 exit;
248 }
249
250 public function in_frame() {
251 return isset($this->fb_params['in_canvas']) || isset($this->fb_params['in_iframe']);
252 }
253 public function in_fb_canvas() {
254 return isset($this->fb_params['in_canvas']);
255 }
256
257 public function get_loggedin_user() {
258 return $this->user;
259 }
260
261 public function get_canvas_user() {
262 return $this->canvas_user;
263 }
264
265 public function get_profile_user() {
266 return $this->profile_user;
267 }
268
269 public static function current_url() {
270 return 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
271 }
272
273 // require_add and require_install have been removed.
274 // see http://developer.facebook.com/news.php?blog=1&story=116 for more details
275 public function require_login() {
276 if ($user = $this->get_loggedin_user()) {
277 return $user;
278 }
279 $this->redirect($this->get_login_url(self::current_url(), $this->in_frame()));
280 }
281
282 public function require_frame() {
283 if (!$this->in_frame()) {
284 $this->redirect($this->get_login_url(self::current_url(), true));
285 }
286 }
287
288 public static function get_facebook_url($subdomain='www') {
289 return 'http://' . $subdomain . '.facebook.com';
290 }
291
292 public function get_install_url($next=null) {
293 // this was renamed, keeping for compatibility's sake
294 return $this->get_add_url($next);
295 }
296
297 public function get_add_url($next=null) {
298 return self::get_facebook_url().'/add.php?api_key='.$this->api_key .
299 ($next ? '&next=' . urlencode($next) : '');
300 }
301
302 public function get_login_url($next, $canvas) {
303 return self::get_facebook_url().'/login.php?v=1.0&api_key=' . $this->api_key .
304 ($next ? '&next=' . urlencode($next) : '') .
305 ($canvas ? '&canvas' : '');
306 }
307
308 public function set_user($user, $session_key, $expires=null, $session_secret=null) {
309 if (!$this->in_fb_canvas() && (!isset($_COOKIE[$this->api_key . '_user'])
310 || $_COOKIE[$this->api_key . '_user'] != $user)) {
311 $this->set_cookies($user, $session_key, $expires, $session_secret);
312 }
313 $this->user = $user;
314 $this->api_client->session_key = $session_key;
315 $this->session_expires = $expires;
316 }
317
318 public function set_cookies($user, $session_key, $expires=null, $session_secret=null) {
319 $cookies = array();
320 $cookies['user'] = $user;
321 $cookies['session_key'] = $session_key;
322 if ($expires != null) {
323 $cookies['expires'] = $expires;
324 }
325 if ($session_secret != null) {
326 $cookies['ss'] = $session_secret;
327 }
328
329 foreach ($cookies as $name => $val) {
330 setcookie($this->api_key . '_' . $name, $val, (int)$expires, '', $this->base_domain);
331 $_COOKIE[$this->api_key . '_' . $name] = $val;
332 }
333 $sig = self::generate_sig($cookies, $this->secret);
334 setcookie($this->api_key, $sig, (int)$expires, '', $this->base_domain);
335 $_COOKIE[$this->api_key] = $sig;
336
337 if ($this->base_domain != null) {
338 $base_domain_cookie = 'base_domain_' . $this->api_key;
339 setcookie($base_domain_cookie, $this->base_domain, (int)$expires, '', $this->base_domain);
340 $_COOKIE[$base_domain_cookie] = $this->base_domain;
341 }
342 }
343
344 /**
345 * Tries to undo the badness of magic quotes as best we can
346 * @param string $val Should come directly from $_GET, $_POST, etc.
347 * @return string val without added slashes
348 */
349 public static function no_magic_quotes($val) {
350 if (get_magic_quotes_gpc()) {
351 return stripslashes($val);
352 } else {
353 return $val;
354 }
355 }
356
357 /*
358 * Get the signed parameters that were sent from Facebook. Validates the set
359 * of parameters against the included signature.
360 *
361 * Since Facebook sends data to your callback URL via unsecured means, the
362 * signature is the only way to make sure that the data actually came from
363 * Facebook. So if an app receives a request at the callback URL, it should
364 * always verify the signature that comes with against your own secret key.
365 * Otherwise, it's possible for someone to spoof a request by
366 * pretending to be someone else, i.e.:
367 * www.your-callback-url.com/?fb_user=10101
368 *
369 * This is done automatically by verify_fb_params.
370 *
371 * @param assoc $params a full array of external parameters.
372 * presumed $_GET, $_POST, or $_COOKIE
373 * @param int $timeout number of seconds that the args are good for.
374 * Specifically good for forcing cookies to expire.
375 * @param string $namespace prefix string for the set of parameters we want
376 * to verify. i.e., fb_sig or fb_post_sig
377 *
378 * @return assoc the subset of parameters containing the given prefix,
379 * and also matching the signature associated with them.
380 * OR an empty array if the params do not validate
381 */
382 public function get_valid_fb_params($params, $timeout=null, $namespace='fb_sig') {
383 $prefix = $namespace . '_';
384 $prefix_len = strlen($prefix);
385 $fb_params = array();
386 if (empty($params)) {
387 return array();
388 }
389
390 foreach ($params as $name => $val) {
391 // pull out only those parameters that match the prefix
392 // note that the signature itself ($params[$namespace]) is not in the list
393 if (strpos($name, $prefix) === 0) {
394 $fb_params[substr($name, $prefix_len)] = self::no_magic_quotes($val);
395 }
396 }
397
398 // validate that the request hasn't expired. this is most likely
399 // for params that come from $_COOKIE
400 if ($timeout && (!isset($fb_params['time']) || time() - $fb_params['time'] > $timeout)) {
401 return array();
402 }
403
404 // validate that the params match the signature
405 $signature = isset($params[$namespace]) ? $params[$namespace] : null;
406 if (!$signature || (!$this->verify_signature($fb_params, $signature))) {
407 return array();
408 }
409 return $fb_params;
410 }
411
412 /*
413 * Validates that a given set of parameters match their signature.
414 * Parameters all match a given input prefix, such as "fb_sig".
415 *
416 * @param $fb_params an array of all Facebook-sent parameters,
417 * not including the signature itself
418 * @param $expected_sig the expected result to check against
419 */
420 public function verify_signature($fb_params, $expected_sig) {
421 return self::generate_sig($fb_params, $this->secret) == $expected_sig;
422 }
423
424 /*
425 * Generate a signature using the application secret key.
426 *
427 * The only two entities that know your secret key are you and Facebook,
428 * according to the Terms of Service. Since nobody else can generate
429 * the signature, you can rely on it to verify that the information
430 * came from Facebook.
431 *
432 * @param $params_array an array of all Facebook-sent parameters,
433 * NOT INCLUDING the signature itself
434 * @param $secret your app's secret key
435 *
436 * @return a hash to be checked against the signature provided by Facebook
437 */
438 public static function generate_sig($params_array, $secret) {
439 $str = '';
440
441 ksort($params_array);
442 // Note: make sure that the signature parameter is not already included in
443 // $params_array.
444 foreach ($params_array as $k=>$v) {
445 $str .= "$k=$v";
446 }
447 $str .= $secret;
448
449 return md5($str);
450 }
451
452 public function encode_validationError($summary, $message) {
453 return json_encode(
454 array('errorCode' => FACEBOOK_API_VALIDATION_ERROR,
455 'errorTitle' => $summary,
456 'errorMessage' => $message));
457 }
458
459 public function encode_multiFeedStory($feed, $next) {
460 return json_encode(
461 array('method' => 'multiFeedStory',
462 'content' =>
463 array('next' => $next,
464 'feed' => $feed)));
465 }
466
467 public function encode_feedStory($feed, $next) {
468 return json_encode(
469 array('method' => 'feedStory',
470 'content' =>
471 array('next' => $next,
472 'feed' => $feed)));
473 }
474
475 public function create_templatizedFeedStory($title_template, $title_data=array(),
476 $body_template='', $body_data = array(), $body_general=null,
477 $image_1=null, $image_1_link=null,
478 $image_2=null, $image_2_link=null,
479 $image_3=null, $image_3_link=null,
480 $image_4=null, $image_4_link=null) {
481 return array('title_template'=> $title_template,
482 'title_data' => $title_data,
483 'body_template'=> $body_template,
484 'body_data' => $body_data,
485 'body_general' => $body_general,
486 'image_1' => $image_1,
487 'image_1_link' => $image_1_link,
488 'image_2' => $image_2,
489 'image_2_link' => $image_2_link,
490 'image_3' => $image_3,
491 'image_3_link' => $image_3_link,
492 'image_4' => $image_4,
493 'image_4_link' => $image_4_link);
494 }
495
496
497}
498
Note: See TracBrowser for help on using the repository browser.