[44] | 1 | <?php
|
---|
| 2 | // Copyright 2004-2009 Facebook. All Rights Reserved.
|
---|
| 3 | //
|
---|
| 4 | // +---------------------------------------------------------------------------+
|
---|
| 5 | // | Facebook Platform PHP5 client |
|
---|
| 6 | // +---------------------------------------------------------------------------+
|
---|
| 7 | // | Copyright (c) 2007 Facebook, Inc. |
|
---|
| 8 | // | All rights reserved. |
|
---|
| 9 | // | |
|
---|
| 10 | // | Redistribution and use in source and binary forms, with or without |
|
---|
| 11 | // | modification, are permitted provided that the following conditions |
|
---|
| 12 | // | are met: |
|
---|
| 13 | // | |
|
---|
| 14 | // | 1. Redistributions of source code must retain the above copyright |
|
---|
| 15 | // | notice, this list of conditions and the following disclaimer. |
|
---|
| 16 | // | 2. Redistributions in binary form must reproduce the above copyright |
|
---|
| 17 | // | notice, this list of conditions and the following disclaimer in the |
|
---|
| 18 | // | documentation and/or other materials provided with the distribution. |
|
---|
| 19 | // | |
|
---|
| 20 | // | THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
|
---|
| 21 | // | IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
|
---|
| 22 | // | OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
|
---|
| 23 | // | IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
|
---|
| 24 | // | INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
|
---|
| 25 | // | NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
|
---|
| 26 | // | DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
|
---|
| 27 | // | THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
|
---|
| 28 | // | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
|
---|
| 29 | // | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
|
---|
| 30 | // +---------------------------------------------------------------------------+
|
---|
| 31 | // | For help with this library, contact developers-help@facebook.com |
|
---|
| 32 | // +---------------------------------------------------------------------------+
|
---|
| 33 |
|
---|
| 34 | include_once 'facebookapi_php5_restlib.php';
|
---|
| 35 |
|
---|
| 36 | define('FACEBOOK_API_VALIDATION_ERROR', 1);
|
---|
| 37 | class Facebook {
|
---|
| 38 | public $api_client;
|
---|
| 39 | public $api_key;
|
---|
| 40 | public $secret;
|
---|
| 41 | public $generate_session_secret;
|
---|
| 42 | public $session_expires;
|
---|
| 43 |
|
---|
| 44 | public $fb_params;
|
---|
| 45 | public $user;
|
---|
| 46 | public $profile_user;
|
---|
| 47 | public $canvas_user;
|
---|
| 48 | protected $base_domain;
|
---|
| 49 | /*
|
---|
| 50 | * Create a Facebook client like this:
|
---|
| 51 | *
|
---|
| 52 | * $fb = new Facebook(API_KEY, SECRET);
|
---|
| 53 | *
|
---|
| 54 | * This will automatically pull in any parameters, validate them against the
|
---|
| 55 | * session signature, and chuck them in the public $fb_params member variable.
|
---|
| 56 | *
|
---|
| 57 | * @param api_key your Developer API key
|
---|
| 58 | * @param secret your Developer API secret
|
---|
| 59 | * @param generate_session_secret whether to automatically generate a session
|
---|
| 60 | * if the user doesn't have one, but
|
---|
| 61 | * there is an auth token present in the url,
|
---|
| 62 | */
|
---|
| 63 | public function __construct($api_key, $secret, $generate_session_secret=false) {
|
---|
| 64 | $this->api_key = $api_key;
|
---|
| 65 | $this->secret = $secret;
|
---|
| 66 | $this->generate_session_secret = $generate_session_secret;
|
---|
| 67 | $this->api_client = new FacebookRestClient($api_key, $secret, null);
|
---|
| 68 | $this->validate_fb_params();
|
---|
| 69 |
|
---|
| 70 | // Set the default user id for methods that allow the caller to
|
---|
| 71 | // pass an explicit uid instead of using a session key.
|
---|
| 72 | $defaultUser = null;
|
---|
| 73 | if ($this->user) {
|
---|
| 74 | $defaultUser = $this->user;
|
---|
| 75 | } else if ($this->profile_user) {
|
---|
| 76 | $defaultUser = $this->profile_user;
|
---|
| 77 | } else if ($this->canvas_user) {
|
---|
| 78 | $defaultUser = $this->canvas_user;
|
---|
| 79 | }
|
---|
| 80 |
|
---|
| 81 | $this->api_client->set_user($defaultUser);
|
---|
| 82 |
|
---|
| 83 |
|
---|
| 84 | if (isset($this->fb_params['friends'])) {
|
---|
| 85 | $this->api_client->friends_list = explode(',', $this->fb_params['friends']);
|
---|
| 86 | }
|
---|
| 87 | if (isset($this->fb_params['added'])) {
|
---|
| 88 | $this->api_client->added = $this->fb_params['added'];
|
---|
| 89 | }
|
---|
| 90 | if (isset($this->fb_params['canvas_user'])) {
|
---|
| 91 | $this->api_client->canvas_user = $this->fb_params['canvas_user'];
|
---|
| 92 | }
|
---|
| 93 | }
|
---|
| 94 |
|
---|
| 95 | /*
|
---|
| 96 | * Validates that the parameters passed in were sent from Facebook. It does so
|
---|
| 97 | * by validating that the signature matches one that could only be generated
|
---|
| 98 | * by using your application's secret key.
|
---|
| 99 | *
|
---|
| 100 | * Facebook-provided parameters will come from $_POST, $_GET, or $_COOKIE,
|
---|
| 101 | * in that order. $_POST and $_GET are always more up-to-date than cookies,
|
---|
| 102 | * so we prefer those if they are available.
|
---|
| 103 | *
|
---|
| 104 | * For nitty-gritty details of when each of these is used, check out
|
---|
| 105 | * http://wiki.developers.facebook.com/index.php/Verifying_The_Signature
|
---|
| 106 | *
|
---|
| 107 | * @param bool resolve_auth_token convert an auth token into a session
|
---|
| 108 | */
|
---|
| 109 | public function validate_fb_params($resolve_auth_token=true) {
|
---|
| 110 | $this->fb_params = $this->get_valid_fb_params($_POST, 48 * 3600, 'fb_sig');
|
---|
| 111 |
|
---|
| 112 | // note that with preload FQL, it's possible to receive POST params in
|
---|
| 113 | // addition to GET, so use a different prefix to differentiate them
|
---|
| 114 | if (!$this->fb_params) {
|
---|
| 115 | $fb_params = $this->get_valid_fb_params($_GET, 48 * 3600, 'fb_sig');
|
---|
| 116 | $fb_post_params = $this->get_valid_fb_params($_POST, 48 * 3600, 'fb_post_sig');
|
---|
| 117 | $this->fb_params = array_merge($fb_params, $fb_post_params);
|
---|
| 118 | }
|
---|
| 119 |
|
---|
| 120 | // Okay, something came in via POST or GET
|
---|
| 121 | if ($this->fb_params) {
|
---|
| 122 | $user = isset($this->fb_params['user']) ?
|
---|
| 123 | $this->fb_params['user'] : null;
|
---|
| 124 | $this->profile_user = isset($this->fb_params['profile_user']) ?
|
---|
| 125 | $this->fb_params['profile_user'] : null;
|
---|
| 126 | $this->canvas_user = isset($this->fb_params['canvas_user']) ?
|
---|
| 127 | $this->fb_params['canvas_user'] : null;
|
---|
| 128 | $this->base_domain = isset($this->fb_params['base_domain']) ?
|
---|
| 129 | $this->fb_params['base_domain'] : null;
|
---|
| 130 |
|
---|
| 131 | if (isset($this->fb_params['session_key'])) {
|
---|
| 132 | $session_key = $this->fb_params['session_key'];
|
---|
| 133 | } else if (isset($this->fb_params['profile_session_key'])) {
|
---|
| 134 | $session_key = $this->fb_params['profile_session_key'];
|
---|
| 135 | } else {
|
---|
| 136 | $session_key = null;
|
---|
| 137 | }
|
---|
| 138 | $expires = isset($this->fb_params['expires']) ?
|
---|
| 139 | $this->fb_params['expires'] : null;
|
---|
| 140 | $this->set_user($user,
|
---|
| 141 | $session_key,
|
---|
| 142 | $expires);
|
---|
| 143 | }
|
---|
| 144 | // if no Facebook parameters were found in the GET or POST variables,
|
---|
| 145 | // then fall back to cookies, which may have cached user information
|
---|
| 146 | // Cookies are also used to receive session data via the Javascript API
|
---|
| 147 | else if ($cookies =
|
---|
| 148 | $this->get_valid_fb_params($_COOKIE, null, $this->api_key)) {
|
---|
| 149 |
|
---|
| 150 | $base_domain_cookie = 'base_domain_' . $this->api_key;
|
---|
| 151 | if (isset($_COOKIE[$base_domain_cookie])) {
|
---|
| 152 | $this->base_domain = $_COOKIE[$base_domain_cookie];
|
---|
| 153 | }
|
---|
| 154 |
|
---|
| 155 | // use $api_key . '_' as a prefix for the cookies in case there are
|
---|
| 156 | // multiple facebook clients on the same domain.
|
---|
| 157 | $expires = isset($cookies['expires']) ? $cookies['expires'] : null;
|
---|
| 158 | $this->set_user($cookies['user'],
|
---|
| 159 | $cookies['session_key'],
|
---|
| 160 | $expires);
|
---|
| 161 | }
|
---|
| 162 | // finally, if we received no parameters, but the 'auth_token' GET var
|
---|
| 163 | // is present, then we are in the middle of auth handshake,
|
---|
| 164 | // so go ahead and create the session
|
---|
| 165 | else if ($resolve_auth_token && isset($_GET['auth_token']) &&
|
---|
| 166 | $session = $this->do_get_session($_GET['auth_token'])) {
|
---|
| 167 | if ($this->generate_session_secret &&
|
---|
| 168 | !empty($session['secret'])) {
|
---|
| 169 | $session_secret = $session['secret'];
|
---|
| 170 | }
|
---|
| 171 |
|
---|
| 172 | if (isset($session['base_domain'])) {
|
---|
| 173 | $this->base_domain = $session['base_domain'];
|
---|
| 174 | }
|
---|
| 175 |
|
---|
| 176 | $this->set_user($session['uid'],
|
---|
| 177 | $session['session_key'],
|
---|
| 178 | $session['expires'],
|
---|
| 179 | isset($session_secret) ? $session_secret : null);
|
---|
| 180 | }
|
---|
| 181 |
|
---|
| 182 | return !empty($this->fb_params);
|
---|
| 183 | }
|
---|
| 184 |
|
---|
| 185 | // Store a temporary session secret for the current session
|
---|
| 186 | // for use with the JS client library
|
---|
| 187 | public function promote_session() {
|
---|
| 188 | try {
|
---|
| 189 | $session_secret = $this->api_client->auth_promoteSession();
|
---|
| 190 | if (!$this->in_fb_canvas()) {
|
---|
| 191 | $this->set_cookies($this->user, $this->api_client->session_key, $this->session_expires, $session_secret);
|
---|
| 192 | }
|
---|
| 193 | return $session_secret;
|
---|
| 194 | } catch (FacebookRestClientException $e) {
|
---|
| 195 | // API_EC_PARAM means we don't have a logged in user, otherwise who
|
---|
| 196 | // knows what it means, so just throw it.
|
---|
| 197 | if ($e->getCode() != FacebookAPIErrorCodes::API_EC_PARAM) {
|
---|
| 198 | throw $e;
|
---|
| 199 | }
|
---|
| 200 | }
|
---|
| 201 | }
|
---|
| 202 |
|
---|
| 203 | public function do_get_session($auth_token) {
|
---|
| 204 | try {
|
---|
| 205 | return $this->api_client->auth_getSession($auth_token, $this->generate_session_secret);
|
---|
| 206 | } catch (FacebookRestClientException $e) {
|
---|
| 207 | // API_EC_PARAM means we don't have a logged in user, otherwise who
|
---|
| 208 | // knows what it means, so just throw it.
|
---|
| 209 | if ($e->getCode() != FacebookAPIErrorCodes::API_EC_PARAM) {
|
---|
| 210 | throw $e;
|
---|
| 211 | }
|
---|
| 212 | }
|
---|
| 213 | }
|
---|
| 214 |
|
---|
| 215 | // Invalidate the session currently being used, and clear any state associated
|
---|
| 216 | // with it. Note that the user will still remain logged into Facebook.
|
---|
| 217 | public function expire_session() {
|
---|
| 218 | if ($this->api_client->auth_expireSession()) {
|
---|
| 219 | $this->clear_cookie_state();
|
---|
| 220 | return true;
|
---|
| 221 | } else {
|
---|
| 222 | return false;
|
---|
| 223 | }
|
---|
| 224 | }
|
---|
| 225 |
|
---|
| 226 | /** Logs the user out of all temporary application sessions as well as their
|
---|
| 227 | * Facebook session. Note this will only work if the user has a valid current
|
---|
| 228 | * session with the application.
|
---|
| 229 | *
|
---|
| 230 | * @param string $next URL to redirect to upon logging out
|
---|
| 231 | *
|
---|
| 232 | */
|
---|
| 233 | public function logout($next) {
|
---|
| 234 | $logout_url = $this->get_logout_url($next);
|
---|
| 235 |
|
---|
| 236 | // Clear any stored state
|
---|
| 237 | $this->clear_cookie_state();
|
---|
| 238 |
|
---|
| 239 | $this->redirect($logout_url);
|
---|
| 240 | }
|
---|
| 241 |
|
---|
| 242 | /**
|
---|
| 243 | * Clears any persistent state stored about the user, including
|
---|
| 244 | * cookies and information related to the current session in the
|
---|
| 245 | * client.
|
---|
| 246 | *
|
---|
| 247 | */
|
---|
| 248 | public function clear_cookie_state() {
|
---|
| 249 | if (!$this->in_fb_canvas() && isset($_COOKIE[$this->api_key . '_user'])) {
|
---|
| 250 | $cookies = array('user', 'session_key', 'expires', 'ss');
|
---|
| 251 | foreach ($cookies as $name) {
|
---|
| 252 | setcookie($this->api_key . '_' . $name, false, time() - 3600);
|
---|
| 253 | unset($_COOKIE[$this->api_key . '_' . $name]);
|
---|
| 254 | }
|
---|
| 255 | setcookie($this->api_key, false, time() - 3600);
|
---|
| 256 | unset($_COOKIE[$this->api_key]);
|
---|
| 257 | }
|
---|
| 258 |
|
---|
| 259 | // now, clear the rest of the stored state
|
---|
| 260 | $this->user = 0;
|
---|
| 261 | $this->api_client->session_key = 0;
|
---|
| 262 | }
|
---|
| 263 |
|
---|
| 264 | public function redirect($url) {
|
---|
| 265 | if ($this->in_fb_canvas()) {
|
---|
| 266 | echo '<fb:redirect url="' . $url . '"/>';
|
---|
| 267 | } else if (preg_match('/^https?:\/\/([^\/]*\.)?facebook\.com(:\d+)?/i', $url)) {
|
---|
| 268 | // make sure facebook.com url's load in the full frame so that we don't
|
---|
| 269 | // get a frame within a frame.
|
---|
| 270 | echo "<script type=\"text/javascript\">\ntop.location.href = \"$url\";\n</script>";
|
---|
| 271 | } else {
|
---|
| 272 | header('Location: ' . $url);
|
---|
| 273 | }
|
---|
| 274 | exit;
|
---|
| 275 | }
|
---|
| 276 |
|
---|
| 277 | public function in_frame() {
|
---|
| 278 | return isset($this->fb_params['in_canvas'])
|
---|
| 279 | || isset($this->fb_params['in_iframe']);
|
---|
| 280 | }
|
---|
| 281 | public function in_fb_canvas() {
|
---|
| 282 | return isset($this->fb_params['in_canvas']);
|
---|
| 283 | }
|
---|
| 284 |
|
---|
| 285 | public function get_loggedin_user() {
|
---|
| 286 | return $this->user;
|
---|
| 287 | }
|
---|
| 288 |
|
---|
| 289 | public function get_canvas_user() {
|
---|
| 290 | return $this->canvas_user;
|
---|
| 291 | }
|
---|
| 292 |
|
---|
| 293 | public function get_profile_user() {
|
---|
| 294 | return $this->profile_user;
|
---|
| 295 | }
|
---|
| 296 |
|
---|
| 297 | public static function current_url() {
|
---|
| 298 | return 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
|
---|
| 299 | }
|
---|
| 300 |
|
---|
| 301 | // require_add and require_install have been removed.
|
---|
| 302 | // see http://developer.facebook.com/news.php?blog=1&story=116 for more details
|
---|
| 303 | public function require_login() {
|
---|
| 304 | if ($user = $this->get_loggedin_user()) {
|
---|
| 305 | return $user;
|
---|
| 306 | }
|
---|
| 307 | $this->redirect($this->get_login_url(self::current_url(), $this->in_frame()));
|
---|
| 308 | }
|
---|
| 309 |
|
---|
| 310 | public function require_frame() {
|
---|
| 311 | if (!$this->in_frame()) {
|
---|
| 312 | $this->redirect($this->get_login_url(self::current_url(), true));
|
---|
| 313 | }
|
---|
| 314 | }
|
---|
| 315 |
|
---|
| 316 | public static function get_facebook_url($subdomain='www') {
|
---|
| 317 | return 'http://' . $subdomain . '.facebook.com';
|
---|
| 318 | }
|
---|
| 319 |
|
---|
| 320 | public function get_install_url($next=null) {
|
---|
| 321 | // this was renamed, keeping for compatibility's sake
|
---|
| 322 | return $this->get_add_url($next);
|
---|
| 323 | }
|
---|
| 324 |
|
---|
| 325 | public function get_add_url($next=null) {
|
---|
| 326 | $page = self::get_facebook_url().'/add.php';
|
---|
| 327 | $params = array('api_key' => $this->api_key);
|
---|
| 328 |
|
---|
| 329 | if ($next) {
|
---|
| 330 | $params['next'] = $next;
|
---|
| 331 | }
|
---|
| 332 |
|
---|
| 333 | return $page . '?' . http_build_query($params);
|
---|
| 334 | }
|
---|
| 335 |
|
---|
| 336 | public function get_login_url($next, $canvas) {
|
---|
| 337 | $page = self::get_facebook_url().'/login.php';
|
---|
| 338 | $params = array('api_key' => $this->api_key,
|
---|
| 339 | 'v' => '1.0');
|
---|
| 340 |
|
---|
| 341 | if ($next) {
|
---|
| 342 | $params['next'] = $next;
|
---|
| 343 | }
|
---|
| 344 | if ($canvas) {
|
---|
| 345 | $params['canvas'] = '1';
|
---|
| 346 | }
|
---|
| 347 |
|
---|
| 348 | return $page . '?' . http_build_query($params);
|
---|
| 349 | }
|
---|
| 350 |
|
---|
| 351 | public function get_logout_url($next) {
|
---|
| 352 | $page = self::get_facebook_url().'/logout.php';
|
---|
| 353 | $params = array('app_key' => $this->api_key,
|
---|
| 354 | 'session_key' => $this->api_client->session_key);
|
---|
| 355 |
|
---|
| 356 | if ($next) {
|
---|
| 357 | $params['connect_next'] = 1;
|
---|
| 358 | $params['next'] = $next;
|
---|
| 359 | }
|
---|
| 360 |
|
---|
| 361 | return $page . '?' . http_build_query($params);
|
---|
| 362 | }
|
---|
| 363 |
|
---|
| 364 | public function set_user($user, $session_key, $expires=null, $session_secret=null) {
|
---|
| 365 | if (!$this->in_fb_canvas() && (!isset($_COOKIE[$this->api_key . '_user'])
|
---|
| 366 | || $_COOKIE[$this->api_key . '_user'] != $user)) {
|
---|
| 367 | $this->set_cookies($user, $session_key, $expires, $session_secret);
|
---|
| 368 | }
|
---|
| 369 | $this->user = $user;
|
---|
| 370 | $this->api_client->session_key = $session_key;
|
---|
| 371 | $this->session_expires = $expires;
|
---|
| 372 | }
|
---|
| 373 |
|
---|
| 374 | public function set_cookies($user, $session_key, $expires=null, $session_secret=null) {
|
---|
| 375 | $cookies = array();
|
---|
| 376 | $cookies['user'] = $user;
|
---|
| 377 | $cookies['session_key'] = $session_key;
|
---|
| 378 | if ($expires != null) {
|
---|
| 379 | $cookies['expires'] = $expires;
|
---|
| 380 | }
|
---|
| 381 | if ($session_secret != null) {
|
---|
| 382 | $cookies['ss'] = $session_secret;
|
---|
| 383 | }
|
---|
| 384 |
|
---|
| 385 | foreach ($cookies as $name => $val) {
|
---|
| 386 | setcookie($this->api_key . '_' . $name, $val, (int)$expires, '', $this->base_domain);
|
---|
| 387 | $_COOKIE[$this->api_key . '_' . $name] = $val;
|
---|
| 388 | }
|
---|
| 389 | $sig = self::generate_sig($cookies, $this->secret);
|
---|
| 390 | setcookie($this->api_key, $sig, (int)$expires, '', $this->base_domain);
|
---|
| 391 | $_COOKIE[$this->api_key] = $sig;
|
---|
| 392 |
|
---|
| 393 | if ($this->base_domain != null) {
|
---|
| 394 | $base_domain_cookie = 'base_domain_' . $this->api_key;
|
---|
| 395 | setcookie($base_domain_cookie, $this->base_domain, (int)$expires, '', $this->base_domain);
|
---|
| 396 | $_COOKIE[$base_domain_cookie] = $this->base_domain;
|
---|
| 397 | }
|
---|
| 398 | }
|
---|
| 399 |
|
---|
| 400 | /**
|
---|
| 401 | * Tries to undo the badness of magic quotes as best we can
|
---|
| 402 | * @param string $val Should come directly from $_GET, $_POST, etc.
|
---|
| 403 | * @return string val without added slashes
|
---|
| 404 | */
|
---|
| 405 | public static function no_magic_quotes($val) {
|
---|
| 406 | if (get_magic_quotes_gpc()) {
|
---|
| 407 | return stripslashes($val);
|
---|
| 408 | } else {
|
---|
| 409 | return $val;
|
---|
| 410 | }
|
---|
| 411 | }
|
---|
| 412 |
|
---|
| 413 | /*
|
---|
| 414 | * Get the signed parameters that were sent from Facebook. Validates the set
|
---|
| 415 | * of parameters against the included signature.
|
---|
| 416 | *
|
---|
| 417 | * Since Facebook sends data to your callback URL via unsecured means, the
|
---|
| 418 | * signature is the only way to make sure that the data actually came from
|
---|
| 419 | * Facebook. So if an app receives a request at the callback URL, it should
|
---|
| 420 | * always verify the signature that comes with against your own secret key.
|
---|
| 421 | * Otherwise, it's possible for someone to spoof a request by
|
---|
| 422 | * pretending to be someone else, i.e.:
|
---|
| 423 | * www.your-callback-url.com/?fb_user=10101
|
---|
| 424 | *
|
---|
| 425 | * This is done automatically by verify_fb_params.
|
---|
| 426 | *
|
---|
| 427 | * @param assoc $params a full array of external parameters.
|
---|
| 428 | * presumed $_GET, $_POST, or $_COOKIE
|
---|
| 429 | * @param int $timeout number of seconds that the args are good for.
|
---|
| 430 | * Specifically good for forcing cookies to expire.
|
---|
| 431 | * @param string $namespace prefix string for the set of parameters we want
|
---|
| 432 | * to verify. i.e., fb_sig or fb_post_sig
|
---|
| 433 | *
|
---|
| 434 | * @return assoc the subset of parameters containing the given prefix,
|
---|
| 435 | * and also matching the signature associated with them.
|
---|
| 436 | * OR an empty array if the params do not validate
|
---|
| 437 | */
|
---|
| 438 | public function get_valid_fb_params($params, $timeout=null, $namespace='fb_sig') {
|
---|
| 439 | $prefix = $namespace . '_';
|
---|
| 440 | $prefix_len = strlen($prefix);
|
---|
| 441 | $fb_params = array();
|
---|
| 442 | if (empty($params)) {
|
---|
| 443 | return array();
|
---|
| 444 | }
|
---|
| 445 |
|
---|
| 446 | foreach ($params as $name => $val) {
|
---|
| 447 | // pull out only those parameters that match the prefix
|
---|
| 448 | // note that the signature itself ($params[$namespace]) is not in the list
|
---|
| 449 | if (strpos($name, $prefix) === 0) {
|
---|
| 450 | $fb_params[substr($name, $prefix_len)] = self::no_magic_quotes($val);
|
---|
| 451 | }
|
---|
| 452 | }
|
---|
| 453 |
|
---|
| 454 | // validate that the request hasn't expired. this is most likely
|
---|
| 455 | // for params that come from $_COOKIE
|
---|
| 456 | if ($timeout && (!isset($fb_params['time']) || time() - $fb_params['time'] > $timeout)) {
|
---|
| 457 | return array();
|
---|
| 458 | }
|
---|
| 459 |
|
---|
| 460 | // validate that the params match the signature
|
---|
| 461 | $signature = isset($params[$namespace]) ? $params[$namespace] : null;
|
---|
| 462 | if (!$signature || (!$this->verify_signature($fb_params, $signature))) {
|
---|
| 463 | return array();
|
---|
| 464 | }
|
---|
| 465 | return $fb_params;
|
---|
| 466 | }
|
---|
| 467 |
|
---|
| 468 | /**
|
---|
| 469 | * Validates the account that a user was trying to set up an
|
---|
| 470 | * independent account through Facebook Connect.
|
---|
| 471 | *
|
---|
| 472 | * @param user The user attempting to set up an independent account.
|
---|
| 473 | * @param hash The hash passed to the reclamation URL used.
|
---|
| 474 | * @return bool True if the user is the one that selected the
|
---|
| 475 | * reclamation link.
|
---|
| 476 | */
|
---|
| 477 | public function verify_account_reclamation($user, $hash) {
|
---|
| 478 | return $hash == md5($user . $this->secret);
|
---|
| 479 | }
|
---|
| 480 |
|
---|
| 481 | /**
|
---|
| 482 | * Validates that a given set of parameters match their signature.
|
---|
| 483 | * Parameters all match a given input prefix, such as "fb_sig".
|
---|
| 484 | *
|
---|
| 485 | * @param $fb_params an array of all Facebook-sent parameters,
|
---|
| 486 | * not including the signature itself
|
---|
| 487 | * @param $expected_sig the expected result to check against
|
---|
| 488 | */
|
---|
| 489 | public function verify_signature($fb_params, $expected_sig) {
|
---|
| 490 | return self::generate_sig($fb_params, $this->secret) == $expected_sig;
|
---|
| 491 | }
|
---|
| 492 |
|
---|
| 493 | /**
|
---|
| 494 | * Validate the given signed public session data structure with
|
---|
| 495 | * public key of the app that
|
---|
| 496 | * the session proof belongs to.
|
---|
| 497 | *
|
---|
| 498 | * @param $signed_data the session info that is passed by another app
|
---|
| 499 | * @param string $public_key Optional public key of the app. If this
|
---|
| 500 | * is not passed, function will make an API call to get it.
|
---|
| 501 | * return true if the session proof passed verification.
|
---|
| 502 | */
|
---|
| 503 | public function verify_signed_public_session_data($signed_data,
|
---|
| 504 | $public_key = null) {
|
---|
| 505 |
|
---|
| 506 | // If public key is not already provided, we need to get it through API
|
---|
| 507 | if (!$public_key) {
|
---|
| 508 | $public_key = $this->api_client->auth_getAppPublicKey(
|
---|
| 509 | $signed_data['api_key']);
|
---|
| 510 | }
|
---|
| 511 |
|
---|
| 512 | // Create data to verify
|
---|
| 513 | $data_to_serialize = $signed_data;
|
---|
| 514 | unset($data_to_serialize['sig']);
|
---|
| 515 | $serialized_data = implode('_', $data_to_serialize);
|
---|
| 516 |
|
---|
| 517 | // Decode signature
|
---|
| 518 | $signature = base64_decode($signed_data['sig']);
|
---|
| 519 | $result = openssl_verify($serialized_data, $signature, $public_key,
|
---|
| 520 | OPENSSL_ALGO_SHA1);
|
---|
| 521 | return $result == 1;
|
---|
| 522 | }
|
---|
| 523 |
|
---|
| 524 | /*
|
---|
| 525 | * Generate a signature using the application secret key.
|
---|
| 526 | *
|
---|
| 527 | * The only two entities that know your secret key are you and Facebook,
|
---|
| 528 | * according to the Terms of Service. Since nobody else can generate
|
---|
| 529 | * the signature, you can rely on it to verify that the information
|
---|
| 530 | * came from Facebook.
|
---|
| 531 | *
|
---|
| 532 | * @param $params_array an array of all Facebook-sent parameters,
|
---|
| 533 | * NOT INCLUDING the signature itself
|
---|
| 534 | * @param $secret your app's secret key
|
---|
| 535 | *
|
---|
| 536 | * @return a hash to be checked against the signature provided by Facebook
|
---|
| 537 | */
|
---|
| 538 | public static function generate_sig($params_array, $secret) {
|
---|
| 539 | $str = '';
|
---|
| 540 |
|
---|
| 541 | ksort($params_array);
|
---|
| 542 | // Note: make sure that the signature parameter is not already included in
|
---|
| 543 | // $params_array.
|
---|
| 544 | foreach ($params_array as $k=>$v) {
|
---|
| 545 | $str .= "$k=$v";
|
---|
| 546 | }
|
---|
| 547 | $str .= $secret;
|
---|
| 548 |
|
---|
| 549 | return md5($str);
|
---|
| 550 | }
|
---|
| 551 |
|
---|
| 552 | public function encode_validationError($summary, $message) {
|
---|
| 553 | return json_encode(
|
---|
| 554 | array('errorCode' => FACEBOOK_API_VALIDATION_ERROR,
|
---|
| 555 | 'errorTitle' => $summary,
|
---|
| 556 | 'errorMessage' => $message));
|
---|
| 557 | }
|
---|
| 558 |
|
---|
| 559 | public function encode_multiFeedStory($feed, $next) {
|
---|
| 560 | return json_encode(
|
---|
| 561 | array('method' => 'multiFeedStory',
|
---|
| 562 | 'content' =>
|
---|
| 563 | array('next' => $next,
|
---|
| 564 | 'feed' => $feed)));
|
---|
| 565 | }
|
---|
| 566 |
|
---|
| 567 | public function encode_feedStory($feed, $next) {
|
---|
| 568 | return json_encode(
|
---|
| 569 | array('method' => 'feedStory',
|
---|
| 570 | 'content' =>
|
---|
| 571 | array('next' => $next,
|
---|
| 572 | 'feed' => $feed)));
|
---|
| 573 | }
|
---|
| 574 |
|
---|
| 575 | public function create_templatizedFeedStory($title_template, $title_data=array(),
|
---|
| 576 | $body_template='', $body_data = array(), $body_general=null,
|
---|
| 577 | $image_1=null, $image_1_link=null,
|
---|
| 578 | $image_2=null, $image_2_link=null,
|
---|
| 579 | $image_3=null, $image_3_link=null,
|
---|
| 580 | $image_4=null, $image_4_link=null) {
|
---|
| 581 | return array('title_template'=> $title_template,
|
---|
| 582 | 'title_data' => $title_data,
|
---|
| 583 | 'body_template'=> $body_template,
|
---|
| 584 | 'body_data' => $body_data,
|
---|
| 585 | 'body_general' => $body_general,
|
---|
| 586 | 'image_1' => $image_1,
|
---|
| 587 | 'image_1_link' => $image_1_link,
|
---|
| 588 | 'image_2' => $image_2,
|
---|
| 589 | 'image_2_link' => $image_2_link,
|
---|
| 590 | 'image_3' => $image_3,
|
---|
| 591 | 'image_3_link' => $image_3_link,
|
---|
| 592 | 'image_4' => $image_4,
|
---|
| 593 | 'image_4_link' => $image_4_link);
|
---|
| 594 | }
|
---|
| 595 |
|
---|
| 596 |
|
---|
| 597 | }
|
---|
| 598 |
|
---|