Context Navigation

← Previous Revision
Latest Revision
Next Revision →
Blame
Revision Log

source: trunk/www.guidonia.net/wp/wp-content/plugins/fbconnect/facebook-client/facebook.php@ 44

Last change on this file since 44 was 44, checked in by luciano, 14 years ago

File size: 19.6 KB

Line
1	<?php
2	// Copyright 2004-2009 Facebook. All Rights Reserved.
3	//
4	// +---------------------------------------------------------------------------+
5	// \| Facebook Platform PHP5 client \|
6	// +---------------------------------------------------------------------------+
7	// \| Copyright (c) 2007 Facebook, Inc. \|
8	// \| All rights reserved. \|
9	// \| \|
10	// \| Redistribution and use in source and binary forms, with or without \|
11	// \| modification, are permitted provided that the following conditions \|
12	// \| are met: \|
13	// \| \|
14	// \| 1. Redistributions of source code must retain the above copyright \|
15	// \| notice, this list of conditions and the following disclaimer. \|
16	// \| 2. Redistributions in binary form must reproduce the above copyright \|
17	// \| notice, this list of conditions and the following disclaimer in the \|
18	// \| documentation and/or other materials provided with the distribution. \|
19	// \| \|
20	// \| THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR \|
21	// \| IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES \|
22	// \| OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. \|
23	// \| IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, \|
24	// \| INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT \|
25	// \| NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, \|
26	// \| DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY \|
27	// \| THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT \|
28	// \| (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF \|
29	// \| THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. \|
30	// +---------------------------------------------------------------------------+
31	// \| For help with this library, contact developers-help@facebook.com \|
32	// +---------------------------------------------------------------------------+
33
34	include_once 'facebookapi_php5_restlib.php';
35
36	define('FACEBOOK_API_VALIDATION_ERROR', 1);
37	class Facebook {
38	public $api_client;
39	public $api_key;
40	public $secret;
41	public $generate_session_secret;
42	public $session_expires;
43
44	public $fb_params;
45	public $user;
46	public $profile_user;
47	public $canvas_user;
48	protected $base_domain;
49	/*
50	* Create a Facebook client like this:
51	*
52	* $fb = new Facebook(API_KEY, SECRET);
53	*
54	* This will automatically pull in any parameters, validate them against the
55	* session signature, and chuck them in the public $fb_params member variable.
56	*
57	* @param api_key your Developer API key
58	* @param secret your Developer API secret
59	* @param generate_session_secret whether to automatically generate a session
60	* if the user doesn't have one, but
61	* there is an auth token present in the url,
62	*/
63	public function __construct($api_key, $secret, $generate_session_secret=false) {
64	$this->api_key = $api_key;
65	$this->secret = $secret;
66	$this->generate_session_secret = $generate_session_secret;
67	$this->api_client = new FacebookRestClient($api_key, $secret, null);
68	$this->validate_fb_params();
69
70	// Set the default user id for methods that allow the caller to
71	// pass an explicit uid instead of using a session key.
72	$defaultUser = null;
73	if ($this->user) {
74	$defaultUser = $this->user;
75	} else if ($this->profile_user) {
76	$defaultUser = $this->profile_user;
77	} else if ($this->canvas_user) {
78	$defaultUser = $this->canvas_user;
79	}
80
81	$this->api_client->set_user($defaultUser);
82
83
84	if (isset($this->fb_params['friends'])) {
85	$this->api_client->friends_list = explode(',', $this->fb_params['friends']);
86	}
87	if (isset($this->fb_params['added'])) {
88	$this->api_client->added = $this->fb_params['added'];
89	}
90	if (isset($this->fb_params['canvas_user'])) {
91	$this->api_client->canvas_user = $this->fb_params['canvas_user'];
92	}
93	}
94
95	/*
96	* Validates that the parameters passed in were sent from Facebook. It does so
97	* by validating that the signature matches one that could only be generated
98	* by using your application's secret key.
99	*
100	* Facebook-provided parameters will come from $_POST, $_GET, or $_COOKIE,
101	* in that order. $_POST and $_GET are always more up-to-date than cookies,
102	* so we prefer those if they are available.
103	*
104	* For nitty-gritty details of when each of these is used, check out
105	* http://wiki.developers.facebook.com/index.php/Verifying_The_Signature
106	*
107	* @param bool resolve_auth_token convert an auth token into a session
108	*/
109	public function validate_fb_params($resolve_auth_token=true) {
110	$this->fb_params = $this->get_valid_fb_params($_POST, 48*3600, 'fb_sig');
111
112	// note that with preload FQL, it's possible to receive POST params in
113	// addition to GET, so use a different prefix to differentiate them
114	if (!$this->fb_params) {
115	$fb_params = $this->get_valid_fb_params($_GET, 48*3600, 'fb_sig');
116	$fb_post_params = $this->get_valid_fb_params($_POST, 48*3600, 'fb_post_sig');
117	$this->fb_params = array_merge($fb_params, $fb_post_params);
118	}
119
120	// Okay, something came in via POST or GET
121	if ($this->fb_params) {
122	$user = isset($this->fb_params['user']) ?
123	$this->fb_params['user'] : null;
124	$this->profile_user = isset($this->fb_params['profile_user']) ?
125	$this->fb_params['profile_user'] : null;
126	$this->canvas_user = isset($this->fb_params['canvas_user']) ?
127	$this->fb_params['canvas_user'] : null;
128	$this->base_domain = isset($this->fb_params['base_domain']) ?
129	$this->fb_params['base_domain'] : null;
130
131	if (isset($this->fb_params['session_key'])) {
132	$session_key = $this->fb_params['session_key'];
133	} else if (isset($this->fb_params['profile_session_key'])) {
134	$session_key = $this->fb_params['profile_session_key'];
135	} else {
136	$session_key = null;
137	}
138	$expires = isset($this->fb_params['expires']) ?
139	$this->fb_params['expires'] : null;
140	$this->set_user($user,
141	$session_key,
142	$expires);
143	}
144	// if no Facebook parameters were found in the GET or POST variables,
145	// then fall back to cookies, which may have cached user information
146	// Cookies are also used to receive session data via the Javascript API
147	else if ($cookies =
148	$this->get_valid_fb_params($_COOKIE, null, $this->api_key)) {
149
150	$base_domain_cookie = 'base_domain_' . $this->api_key;
151	if (isset($_COOKIE[$base_domain_cookie])) {
152	$this->base_domain = $_COOKIE[$base_domain_cookie];
153	}
154
155	// use $api_key . '_' as a prefix for the cookies in case there are
156	// multiple facebook clients on the same domain.
157	$expires = isset($cookies['expires']) ? $cookies['expires'] : null;
158	$this->set_user($cookies['user'],
159	$cookies['session_key'],
160	$expires);
161	}
162	// finally, if we received no parameters, but the 'auth_token' GET var
163	// is present, then we are in the middle of auth handshake,
164	// so go ahead and create the session
165	else if ($resolve_auth_token && isset($_GET['auth_token']) &&
166	$session = $this->do_get_session($_GET['auth_token'])) {
167	if ($this->generate_session_secret &&
168	!empty($session['secret'])) {
169	$session_secret = $session['secret'];
170	}
171
172	if (isset($session['base_domain'])) {
173	$this->base_domain = $session['base_domain'];
174	}
175
176	$this->set_user($session['uid'],
177	$session['session_key'],
178	$session['expires'],
179	isset($session_secret) ? $session_secret : null);
180	}
181
182	return !empty($this->fb_params);
183	}
184
185	// Store a temporary session secret for the current session
186	// for use with the JS client library
187	public function promote_session() {
188	try {
189	$session_secret = $this->api_client->auth_promoteSession();
190	if (!$this->in_fb_canvas()) {
191	$this->set_cookies($this->user, $this->api_client->session_key, $this->session_expires, $session_secret);
192	}
193	return $session_secret;
194	} catch (FacebookRestClientException $e) {
195	// API_EC_PARAM means we don't have a logged in user, otherwise who
196	// knows what it means, so just throw it.
197	if ($e->getCode() != FacebookAPIErrorCodes::API_EC_PARAM) {
198	throw $e;
199	}
200	}
201	}
202
203	public function do_get_session($auth_token) {
204	try {
205	return $this->api_client->auth_getSession($auth_token, $this->generate_session_secret);
206	} catch (FacebookRestClientException $e) {
207	// API_EC_PARAM means we don't have a logged in user, otherwise who
208	// knows what it means, so just throw it.
209	if ($e->getCode() != FacebookAPIErrorCodes::API_EC_PARAM) {
210	throw $e;
211	}
212	}
213	}
214
215	// Invalidate the session currently being used, and clear any state associated with it
216	public function expire_session() {
217	if ($this->api_client->auth_expireSession()) {
218	if (!$this->in_fb_canvas() && isset($_COOKIE[$this->api_key . '_user'])) {
219	$cookies = array('user', 'session_key', 'expires', 'ss');
220	foreach ($cookies as $name) {
221	setcookie($this->api_key . '_' . $name, false, time() - 3600);
222	unset($_COOKIE[$this->api_key . '_' . $name]);
223	}
224	setcookie($this->api_key, false, time() - 3600);
225	unset($_COOKIE[$this->api_key]);
226	}
227
228	// now, clear the rest of the stored state
229	$this->user = 0;
230	$this->api_client->session_key = 0;
231	return true;
232	} else {
233	return false;
234	}
235	}
236
237	public function redirect($url) {
238	if ($this->in_fb_canvas()) {
239	echo '<fb:redirect url="' . $url . '"/>';
240	} else if (preg_match('/^https?:\/\/([^\/]*\.)?facebook\.com(:\d+)?/i', $url)) {
241	// make sure facebook.com url's load in the full frame so that we don't
242	// get a frame within a frame.
243	echo "<script type=\"text/javascript\">\ntop.location.href = \"$url\";\n</script>";
244	} else {
245	header('Location: ' . $url);
246	}
247	exit;
248	}
249
250	public function in_frame() {
251	return isset($this->fb_params['in_canvas']) \|\| isset($this->fb_params['in_iframe']);
252	}
253	public function in_fb_canvas() {
254	return isset($this->fb_params['in_canvas']);
255	}
256
257	public function get_loggedin_user() {
258	return $this->user;
259	}
260
261	public function get_canvas_user() {
262	return $this->canvas_user;
263	}
264
265	public function get_profile_user() {
266	return $this->profile_user;
267	}
268
269	public static function current_url() {
270	return 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
271	}
272
273	// require_add and require_install have been removed.
274	// see http://developer.facebook.com/news.php?blog=1&story=116 for more details
275	public function require_login() {
276	if ($user = $this->get_loggedin_user()) {
277	return $user;
278	}
279	$this->redirect($this->get_login_url(self::current_url(), $this->in_frame()));
280	}
281
282	public function require_frame() {
283	if (!$this->in_frame()) {
284	$this->redirect($this->get_login_url(self::current_url(), true));
285	}
286	}
287
288	public static function get_facebook_url($subdomain='www') {
289	return 'http://' . $subdomain . '.facebook.com';
290	}
291
292	public function get_install_url($next=null) {
293	// this was renamed, keeping for compatibility's sake
294	return $this->get_add_url($next);
295	}
296
297	public function get_add_url($next=null) {
298	return self::get_facebook_url().'/add.php?api_key='.$this->api_key .
299	($next ? '&next=' . urlencode($next) : '');
300	}
301
302	public function get_login_url($next, $canvas) {
303	return self::get_facebook_url().'/login.php?v=1.0&api_key=' . $this->api_key .
304	($next ? '&next=' . urlencode($next) : '') .
305	($canvas ? '&canvas' : '');
306	}
307
308	public function set_user($user, $session_key, $expires=null, $session_secret=null) {
309	if (!$this->in_fb_canvas() && (!isset($_COOKIE[$this->api_key . '_user'])
310	\|\| $_COOKIE[$this->api_key . '_user'] != $user)) {
311	$this->set_cookies($user, $session_key, $expires, $session_secret);
312	}
313	$this->user = $user;
314	$this->api_client->session_key = $session_key;
315	$this->session_expires = $expires;
316	}
317
318	public function set_cookies($user, $session_key, $expires=null, $session_secret=null) {
319	$cookies = array();
320	$cookies['user'] = $user;
321	$cookies['session_key'] = $session_key;
322	if ($expires != null) {
323	$cookies['expires'] = $expires;
324	}
325	if ($session_secret != null) {
326	$cookies['ss'] = $session_secret;
327	}
328
329	foreach ($cookies as $name => $val) {
330	setcookie($this->api_key . '_' . $name, $val, (int)$expires, '', $this->base_domain);
331	$_COOKIE[$this->api_key . '_' . $name] = $val;
332	}
333	$sig = self::generate_sig($cookies, $this->secret);
334	setcookie($this->api_key, $sig, (int)$expires, '', $this->base_domain);
335	$_COOKIE[$this->api_key] = $sig;
336
337	if ($this->base_domain != null) {
338	$base_domain_cookie = 'base_domain_' . $this->api_key;
339	setcookie($base_domain_cookie, $this->base_domain, (int)$expires, '', $this->base_domain);
340	$_COOKIE[$base_domain_cookie] = $this->base_domain;
341	}
342	}
343
344	/**
345	* Tries to undo the badness of magic quotes as best we can
346	* @param string $val Should come directly from $_GET, $_POST, etc.
347	* @return string val without added slashes
348	*/
349	public static function no_magic_quotes($val) {
350	if (get_magic_quotes_gpc()) {
351	return stripslashes($val);
352	} else {
353	return $val;
354	}
355	}
356
357	/*
358	* Get the signed parameters that were sent from Facebook. Validates the set
359	* of parameters against the included signature.
360	*
361	* Since Facebook sends data to your callback URL via unsecured means, the
362	* signature is the only way to make sure that the data actually came from
363	* Facebook. So if an app receives a request at the callback URL, it should
364	* always verify the signature that comes with against your own secret key.
365	* Otherwise, it's possible for someone to spoof a request by
366	* pretending to be someone else, i.e.:
367	* www.your-callback-url.com/?fb_user=10101
368	*
369	* This is done automatically by verify_fb_params.
370	*
371	* @param assoc $params a full array of external parameters.
372	* presumed $_GET, $_POST, or $_COOKIE
373	* @param int $timeout number of seconds that the args are good for.
374	* Specifically good for forcing cookies to expire.
375	* @param string $namespace prefix string for the set of parameters we want
376	* to verify. i.e., fb_sig or fb_post_sig
377	*
378	* @return assoc the subset of parameters containing the given prefix,
379	* and also matching the signature associated with them.
380	* OR an empty array if the params do not validate
381	*/
382	public function get_valid_fb_params($params, $timeout=null, $namespace='fb_sig') {
383	$prefix = $namespace . '_';
384	$prefix_len = strlen($prefix);
385	$fb_params = array();
386	if (empty($params)) {
387	return array();
388	}
389
390	foreach ($params as $name => $val) {
391	// pull out only those parameters that match the prefix
392	// note that the signature itself ($params[$namespace]) is not in the list
393	if (strpos($name, $prefix) === 0) {
394	$fb_params[substr($name, $prefix_len)] = self::no_magic_quotes($val);
395	}
396	}
397
398	// validate that the request hasn't expired. this is most likely
399	// for params that come from $_COOKIE
400	if ($timeout && (!isset($fb_params['time']) \|\| time() - $fb_params['time'] > $timeout)) {
401	return array();
402	}
403
404	// validate that the params match the signature
405	$signature = isset($params[$namespace]) ? $params[$namespace] : null;
406	if (!$signature \|\| (!$this->verify_signature($fb_params, $signature))) {
407	return array();
408	}
409	return $fb_params;
410	}
411
412	/*
413	* Validates that a given set of parameters match their signature.
414	* Parameters all match a given input prefix, such as "fb_sig".
415	*
416	* @param $fb_params an array of all Facebook-sent parameters,
417	* not including the signature itself
418	* @param $expected_sig the expected result to check against
419	*/
420	public function verify_signature($fb_params, $expected_sig) {
421	return self::generate_sig($fb_params, $this->secret) == $expected_sig;
422	}
423
424	/*
425	* Generate a signature using the application secret key.
426	*
427	* The only two entities that know your secret key are you and Facebook,
428	* according to the Terms of Service. Since nobody else can generate
429	* the signature, you can rely on it to verify that the information
430	* came from Facebook.
431	*
432	* @param $params_array an array of all Facebook-sent parameters,
433	* NOT INCLUDING the signature itself
434	* @param $secret your app's secret key
435	*
436	* @return a hash to be checked against the signature provided by Facebook
437	*/
438	public static function generate_sig($params_array, $secret) {
439	$str = '';
440
441	ksort($params_array);
442	// Note: make sure that the signature parameter is not already included in
443	// $params_array.
444	foreach ($params_array as $k=>$v) {
445	$str .= "$k=$v";
446	}
447	$str .= $secret;
448
449	return md5($str);
450	}
451
452	public function encode_validationError($summary, $message) {
453	return json_encode(
454	array('errorCode' => FACEBOOK_API_VALIDATION_ERROR,
455	'errorTitle' => $summary,
456	'errorMessage' => $message));
457	}
458
459	public function encode_multiFeedStory($feed, $next) {
460	return json_encode(
461	array('method' => 'multiFeedStory',
462	'content' =>
463	array('next' => $next,
464	'feed' => $feed)));
465	}
466
467	public function encode_feedStory($feed, $next) {
468	return json_encode(
469	array('method' => 'feedStory',
470	'content' =>
471	array('next' => $next,
472	'feed' => $feed)));
473	}
474
475	public function create_templatizedFeedStory($title_template, $title_data=array(),
476	$body_template='', $body_data = array(), $body_general=null,
477	$image_1=null, $image_1_link=null,
478	$image_2=null, $image_2_link=null,
479	$image_3=null, $image_3_link=null,
480	$image_4=null, $image_4_link=null) {
481	return array('title_template'=> $title_template,
482	'title_data' => $title_data,
483	'body_template'=> $body_template,
484	'body_data' => $body_data,
485	'body_general' => $body_general,
486	'image_1' => $image_1,
487	'image_1_link' => $image_1_link,
488	'image_2' => $image_2,
489	'image_2_link' => $image_2_link,
490	'image_3' => $image_3,
491	'image_3_link' => $image_3_link,
492	'image_4' => $image_4,
493	'image_4_link' => $image_4_link);
494	}
495
496
497	}
498

Note: See TracBrowser for help on using the repository browser.

Download in other formats: