api_key = $api_key;
$this->secret = $secret;
$this->generate_session_secret = $generate_session_secret;
$this->api_client = new FacebookRestClient($api_key, $secret, null);
$this->validate_fb_params();
// Set the default user id for methods that allow the caller to
// pass an explicit uid instead of using a session key.
$defaultUser = null;
if ($this->user) {
$defaultUser = $this->user;
} else if ($this->profile_user) {
$defaultUser = $this->profile_user;
} else if ($this->canvas_user) {
$defaultUser = $this->canvas_user;
}
$this->api_client->set_user($defaultUser);
if (isset($this->fb_params['friends'])) {
$this->api_client->friends_list = explode(',', $this->fb_params['friends']);
}
if (isset($this->fb_params['added'])) {
$this->api_client->added = $this->fb_params['added'];
}
if (isset($this->fb_params['canvas_user'])) {
$this->api_client->canvas_user = $this->fb_params['canvas_user'];
}
}
/*
* Validates that the parameters passed in were sent from Facebook. It does so
* by validating that the signature matches one that could only be generated
* by using your application's secret key.
*
* Facebook-provided parameters will come from $_POST, $_GET, or $_COOKIE,
* in that order. $_POST and $_GET are always more up-to-date than cookies,
* so we prefer those if they are available.
*
* For nitty-gritty details of when each of these is used, check out
* http://wiki.developers.facebook.com/index.php/Verifying_The_Signature
*
* @param bool resolve_auth_token convert an auth token into a session
*/
public function validate_fb_params($resolve_auth_token=true) {
$this->fb_params = $this->get_valid_fb_params($_POST, 48 * 3600, 'fb_sig');
// note that with preload FQL, it's possible to receive POST params in
// addition to GET, so use a different prefix to differentiate them
if (!$this->fb_params) {
$fb_params = $this->get_valid_fb_params($_GET, 48 * 3600, 'fb_sig');
$fb_post_params = $this->get_valid_fb_params($_POST, 48 * 3600, 'fb_post_sig');
$this->fb_params = array_merge($fb_params, $fb_post_params);
}
// Okay, something came in via POST or GET
if ($this->fb_params) {
$user = isset($this->fb_params['user']) ?
$this->fb_params['user'] : null;
$this->profile_user = isset($this->fb_params['profile_user']) ?
$this->fb_params['profile_user'] : null;
$this->canvas_user = isset($this->fb_params['canvas_user']) ?
$this->fb_params['canvas_user'] : null;
$this->base_domain = isset($this->fb_params['base_domain']) ?
$this->fb_params['base_domain'] : null;
if (isset($this->fb_params['session_key'])) {
$session_key = $this->fb_params['session_key'];
} else if (isset($this->fb_params['profile_session_key'])) {
$session_key = $this->fb_params['profile_session_key'];
} else {
$session_key = null;
}
$expires = isset($this->fb_params['expires']) ?
$this->fb_params['expires'] : null;
$this->set_user($user,
$session_key,
$expires);
}
// if no Facebook parameters were found in the GET or POST variables,
// then fall back to cookies, which may have cached user information
// Cookies are also used to receive session data via the Javascript API
else if ($cookies =
$this->get_valid_fb_params($_COOKIE, null, $this->api_key)) {
$base_domain_cookie = 'base_domain_' . $this->api_key;
if (isset($_COOKIE[$base_domain_cookie])) {
$this->base_domain = $_COOKIE[$base_domain_cookie];
}
// use $api_key . '_' as a prefix for the cookies in case there are
// multiple facebook clients on the same domain.
$expires = isset($cookies['expires']) ? $cookies['expires'] : null;
$this->set_user($cookies['user'],
$cookies['session_key'],
$expires);
}
// finally, if we received no parameters, but the 'auth_token' GET var
// is present, then we are in the middle of auth handshake,
// so go ahead and create the session
else if ($resolve_auth_token && isset($_GET['auth_token']) &&
$session = $this->do_get_session($_GET['auth_token'])) {
if ($this->generate_session_secret &&
!empty($session['secret'])) {
$session_secret = $session['secret'];
}
if (isset($session['base_domain'])) {
$this->base_domain = $session['base_domain'];
}
$this->set_user($session['uid'],
$session['session_key'],
$session['expires'],
isset($session_secret) ? $session_secret : null);
}
return !empty($this->fb_params);
}
// Store a temporary session secret for the current session
// for use with the JS client library
public function promote_session() {
try {
$session_secret = $this->api_client->auth_promoteSession();
if (!$this->in_fb_canvas()) {
$this->set_cookies($this->user, $this->api_client->session_key, $this->session_expires, $session_secret);
}
return $session_secret;
} catch (FacebookRestClientException $e) {
// API_EC_PARAM means we do not have a logged in user, otherwise who
// knows what it means, so just throw it.
if ($e->getCode() != FacebookAPIErrorCodes::API_EC_PARAM) {
throw $e;
}
}
}
public function do_get_session($auth_token) {
try {
return $this->api_client->auth_getSession($auth_token, $this->generate_session_secret);
} catch (FacebookRestClientException $e) {
// API_EC_PARAM means we do not have a logged in user, otherwise who
// knows what it means, so just throw it.
if ($e->getCode() != FacebookAPIErrorCodes::API_EC_PARAM) {
throw $e;
}
}
}
// Invalidate the session currently being used, and clear any state associated
// with it. Note that the user will still remain logged into Facebook.
public function expire_session() {
if ($this->api_client->auth_expireSession()) {
$this->clear_cookie_state();
return true;
} else {
return false;
}
}
/** Logs the user out of all temporary application sessions as well as their
* Facebook session. Note this will only work if the user has a valid current
* session with the application.
*
* @param string $next URL to redirect to upon logging out
*
*/
public function logout($next) {
$logout_url = $this->get_logout_url($next);
// Clear any stored state
$this->clear_cookie_state();
$this->redirect($logout_url);
}
/**
* Clears any persistent state stored about the user, including
* cookies and information related to the current session in the
* client.
*
*/
public function clear_cookie_state() {
if (!$this->in_fb_canvas() && isset($_COOKIE[$this->api_key . '_user'])) {
$cookies = array('user', 'session_key', 'expires', 'ss');
foreach ($cookies as $name) {
setcookie($this->api_key . '_' . $name, false, time() - 3600);
unset($_COOKIE[$this->api_key . '_' . $name]);
}
setcookie($this->api_key, false, time() - 3600);
unset($_COOKIE[$this->api_key]);
}
// now, clear the rest of the stored state
$this->user = 0;
$this->api_client->session_key = 0;
}
public function redirect($url) {
if ($this->in_fb_canvas()) {
echo '';
} else if (preg_match('/^https?:\/\/([^\/]*\.)?facebook\.com(:\d+)?/i', $url)) {
// make sure facebook.com url's load in the full frame so that we do not
// get a frame within a frame.
echo "";
} else {
header('Location: ' . $url);
}
exit;
}
public function in_frame() {
return isset($this->fb_params['in_canvas'])
|| isset($this->fb_params['in_iframe']);
}
public function in_fb_canvas() {
return isset($this->fb_params['in_canvas']);
}
public function get_loggedin_user() {
return $this->user;
}
public function get_canvas_user() {
return $this->canvas_user;
}
public function get_profile_user() {
return $this->profile_user;
}
public static function current_url() {
return 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
}
// require_add and require_install have been removed.
// see http://developer.facebook.com/news.php?blog=1&story=116 for more details
public function require_login() {
if ($user = $this->get_loggedin_user()) {
return $user;
}
$this->redirect($this->get_login_url(self::current_url(), $this->in_frame()));
}
public function require_frame() {
if (!$this->in_frame()) {
$this->redirect($this->get_login_url(self::current_url(), true));
}
}
public static function get_facebook_url($subdomain='www') {
return 'http://' . $subdomain . '.facebook.com';
}
public function get_install_url($next=null) {
// this was renamed, keeping for compatibility's sake
return $this->get_add_url($next);
}
public function get_add_url($next=null) {
$page = self::get_facebook_url().'/add.php';
$params = array('api_key' => $this->api_key);
if ($next) {
$params['next'] = $next;
}
return $page . '?' . http_build_query($params);
}
public function get_login_url($next, $canvas) {
$page = self::get_facebook_url().'/login.php';
$params = array('api_key' => $this->api_key,
'v' => '1.0');
if ($next) {
$params['next'] = $next;
}
if ($canvas) {
$params['canvas'] = '1';
}
return $page . '?' . http_build_query($params);
}
public function get_logout_url($next) {
$page = self::get_facebook_url().'/logout.php';
$params = array('app_key' => $this->api_key,
'session_key' => $this->api_client->session_key);
if ($next) {
$params['connect_next'] = 1;
$params['next'] = $next;
}
return $page . '?' . http_build_query($params);
}
public function set_user($user, $session_key, $expires=null, $session_secret=null) {
if (!$this->in_fb_canvas() && (!isset($_COOKIE[$this->api_key . '_user'])
|| $_COOKIE[$this->api_key . '_user'] != $user)) {
$this->set_cookies($user, $session_key, $expires, $session_secret);
}
$this->user = $user;
$this->api_client->session_key = $session_key;
$this->session_expires = $expires;
}
public function set_cookies($user, $session_key, $expires=null, $session_secret=null) {
$cookies = array();
$cookies['user'] = $user;
$cookies['session_key'] = $session_key;
if ($expires != null) {
$cookies['expires'] = $expires;
}
if ($session_secret != null) {
$cookies['ss'] = $session_secret;
}
foreach ($cookies as $name => $val) {
setcookie($this->api_key . '_' . $name, $val, (int)$expires, '', $this->base_domain);
$_COOKIE[$this->api_key . '_' . $name] = $val;
}
$sig = self::generate_sig($cookies, $this->secret);
setcookie($this->api_key, $sig, (int)$expires, '', $this->base_domain);
$_COOKIE[$this->api_key] = $sig;
if ($this->base_domain != null) {
$base_domain_cookie = 'base_domain_' . $this->api_key;
setcookie($base_domain_cookie, $this->base_domain, (int)$expires, '', $this->base_domain);
$_COOKIE[$base_domain_cookie] = $this->base_domain;
}
}
/**
* Tries to undo the badness of magic quotes as best we can
* @param string $val Should come directly from $_GET, $_POST, etc.
* @return string val without added slashes
*/
public static function no_magic_quotes($val) {
if (get_magic_quotes_gpc()) {
return stripslashes($val);
} else {
return $val;
}
}
/*
* Get the signed parameters that were sent from Facebook. Validates the set
* of parameters against the included signature.
*
* Since Facebook sends data to your callback URL via unsecured means, the
* signature is the only way to make sure that the data actually came from
* Facebook. So if an app receives a request at the callback URL, it should
* always verify the signature that comes with against your own secret key.
* Otherwise, it's possible for someone to spoof a request by
* pretending to be someone else, i.e.:
* www.your-callback-url.com/?fb_user=10101
*
* This is done automatically by verify_fb_params.
*
* @param assoc $params a full array of external parameters.
* presumed $_GET, $_POST, or $_COOKIE
* @param int $timeout number of seconds that the args are good for.
* Specifically good for forcing cookies to expire.
* @param string $namespace prefix string for the set of parameters we want
* to verify. i.e., fb_sig or fb_post_sig
*
* @return assoc the subset of parameters containing the given prefix,
* and also matching the signature associated with them.
* OR an empty array if the params do not validate
*/
public function get_valid_fb_params($params, $timeout=null, $namespace='fb_sig') {
$prefix = $namespace . '_';
$prefix_len = strlen($prefix);
$fb_params = array();
if (empty($params)) {
return array();
}
foreach ($params as $name => $val) {
// pull out only those parameters that match the prefix
// note that the signature itself ($params[$namespace]) is not in the list
if (strpos($name, $prefix) === 0) {
$fb_params[substr($name, $prefix_len)] = self::no_magic_quotes($val);
}
}
// validate that the request hasn't expired. this is most likely
// for params that come from $_COOKIE
if ($timeout && (!isset($fb_params['time']) || time() - $fb_params['time'] > $timeout)) {
return array();
}
// validate that the params match the signature
$signature = isset($params[$namespace]) ? $params[$namespace] : null;
if (!$signature || (!$this->verify_signature($fb_params, $signature))) {
return array();
}
return $fb_params;
}
/**
* Validates the account that a user was trying to set up an
* independent account through Facebook Connect.
*
* @param user The user attempting to set up an independent account.
* @param hash The hash passed to the reclamation URL used.
* @return bool True if the user is the one that selected the
* reclamation link.
*/
public function verify_account_reclamation($user, $hash) {
return $hash == md5($user . $this->secret);
}
/**
* Validates that a given set of parameters match their signature.
* Parameters all match a given input prefix, such as "fb_sig".
*
* @param $fb_params an array of all Facebook-sent parameters,
* not including the signature itself
* @param $expected_sig the expected result to check against
*/
public function verify_signature($fb_params, $expected_sig) {
return self::generate_sig($fb_params, $this->secret) == $expected_sig;
}
/**
* Validate the given signed public session data structure with
* public key of the app that
* the session proof belongs to.
*
* @param $signed_data the session info that is passed by another app
* @param string $public_key Optional public key of the app. If this
* is not passed, function will make an API call to get it.
* return true if the session proof passed verification.
*/
public function verify_signed_public_session_data($signed_data,
$public_key = null) {
// If public key is not already provided, we need to get it through API
if (!$public_key) {
$public_key = $this->api_client->auth_getAppPublicKey(
$signed_data['api_key']);
}
// Create data to verify
$data_to_serialize = $signed_data;
unset($data_to_serialize['sig']);
$serialized_data = implode('_', $data_to_serialize);
// Decode signature
$signature = base64_decode($signed_data['sig']);
$result = openssl_verify($serialized_data, $signature, $public_key,
OPENSSL_ALGO_SHA1);
return $result == 1;
}
/*
* Generate a signature using the application secret key.
*
* The only two entities that know your secret key are you and Facebook,
* according to the Terms of Service. Since nobody else can generate
* the signature, you can rely on it to verify that the information
* came from Facebook.
*
* @param $params_array an array of all Facebook-sent parameters,
* NOT INCLUDING the signature itself
* @param $secret your app's secret key
*
* @return a hash to be checked against the signature provided by Facebook
*/
public static function generate_sig($params_array, $secret) {
$str = '';
ksort($params_array);
// Note: make sure that the signature parameter is not already included in
// $params_array.
foreach ($params_array as $k=>$v) {
$str .= "$k=$v";
}
$str .= $secret;
return md5($str);
}
public function encode_validationError($summary, $message) {
return json_encode(
array('errorCode' => FACEBOOK_API_VALIDATION_ERROR,
'errorTitle' => $summary,
'errorMessage' => $message));
}
public function encode_multiFeedStory($feed, $next) {
return json_encode(
array('method' => 'multiFeedStory',
'content' =>
array('next' => $next,
'feed' => $feed)));
}
public function encode_feedStory($feed, $next) {
return json_encode(
array('method' => 'feedStory',
'content' =>
array('next' => $next,
'feed' => $feed)));
}
public function create_templatizedFeedStory($title_template, $title_data=array(),
$body_template='', $body_data = array(), $body_general=null,
$image_1=null, $image_1_link=null,
$image_2=null, $image_2_link=null,
$image_3=null, $image_3_link=null,
$image_4=null, $image_4_link=null) {
return array('title_template'=> $title_template,
'title_data' => $title_data,
'body_template'=> $body_template,
'body_data' => $body_data,
'body_general' => $body_general,
'image_1' => $image_1,
'image_1_link' => $image_1_link,
'image_2' => $image_2,
'image_2_link' => $image_2_link,
'image_3' => $image_3,
'image_3_link' => $image_3_link,
'image_4' => $image_4,
'image_4_link' => $image_4_link);
}
}