summaryrefslogtreecommitdiff
path: root/plugins/Facebook/facebook/facebook.php
blob: 440706cbc3fdb5543001003e88e2bc9721414192 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
<?php
// Copyright 2004-2009 Facebook. All Rights Reserved.
//
// +---------------------------------------------------------------------------+
// | Facebook Platform PHP5 client                                             |
// +---------------------------------------------------------------------------+
// | Copyright (c) 2007 Facebook, Inc.                                         |
// | All rights reserved.                                                      |
// |                                                                           |
// | Redistribution and use in source and binary forms, with or without        |
// | modification, are permitted provided that the following conditions        |
// | are met:                                                                  |
// |                                                                           |
// | 1. Redistributions of source code must retain the above copyright         |
// |    notice, this list of conditions and the following disclaimer.          |
// | 2. Redistributions in binary form must reproduce the above copyright      |
// |    notice, this list of conditions and the following disclaimer in the    |
// |    documentation and/or other materials provided with the distribution.   |
// |                                                                           |
// | THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR      |
// | IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
// | OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.   |
// | IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,          |
// | INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT  |
// | NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
// | DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY     |
// | THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT       |
// | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF  |
// | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.         |
// +---------------------------------------------------------------------------+
// | For help with this library, contact developers-help@facebook.com          |
// +---------------------------------------------------------------------------+

include_once 'facebookapi_php5_restlib.php';

define('FACEBOOK_API_VALIDATION_ERROR', 1);
class Facebook {
  public $api_client;
  public $api_key;
  public $secret;
  public $generate_session_secret;
  public $session_expires;

  public $fb_params;
  public $user;
  public $profile_user;
  public $canvas_user;
  protected $base_domain;
  /*
   * Create a Facebook client like this:
   *
   * $fb = new Facebook(API_KEY, SECRET);
   *
   * This will automatically pull in any parameters, validate them against the
   * session signature, and chuck them in the public $fb_params member variable.
   *
   * @param api_key                  your Developer API key
   * @param secret                   your Developer API secret
   * @param generate_session_secret  whether to automatically generate a session
   *                                 if the user doesn't have one, but
   *                                 there is an auth token present in the url,
   */
  public function __construct($api_key, $secret, $generate_session_secret=false) {
    $this->api_key                 = $api_key;
    $this->secret                  = $secret;
    $this->generate_session_secret = $generate_session_secret;
    $this->api_client = new FacebookRestClient($api_key, $secret, null);
    $this->validate_fb_params();

    // Set the default user id for methods that allow the caller to
    // pass an explicit uid instead of using a session key.
    $defaultUser = null;
    if ($this->user) {
      $defaultUser = $this->user;
    } else if ($this->profile_user) {
      $defaultUser = $this->profile_user;
    } else if ($this->canvas_user) {
      $defaultUser = $this->canvas_user;
    }

    $this->api_client->set_user($defaultUser);


    if (isset($this->fb_params['friends'])) {
      $this->api_client->friends_list =
        array_filter(explode(',', $this->fb_params['friends']));
    }
    if (isset($this->fb_params['added'])) {
      $this->api_client->added = $this->fb_params['added'];
    }
    if (isset($this->fb_params['canvas_user'])) {
      $this->api_client->canvas_user = $this->fb_params['canvas_user'];
    }
  }

  /*
   * Validates that the parameters passed in were sent from Facebook. It does so
   * by validating that the signature matches one that could only be generated
   * by using your application's secret key.
   *
   * Facebook-provided parameters will come from $_POST, $_GET, or $_COOKIE,
   * in that order. $_POST and $_GET are always more up-to-date than cookies,
   * so we prefer those if they are available.
   *
   * For nitty-gritty details of when each of these is used, check out
   * http://wiki.developers.facebook.com/index.php/Verifying_The_Signature
   *
   * @param bool  resolve_auth_token  convert an auth token into a session
   */
  public function validate_fb_params($resolve_auth_token=true) {
    $this->fb_params = $this->get_valid_fb_params($_POST, 48 * 3600, 'fb_sig');

    // note that with preload FQL, it's possible to receive POST params in
    // addition to GET, so use a different prefix to differentiate them
    if (!$this->fb_params) {
      $fb_params = $this->get_valid_fb_params($_GET, 48 * 3600, 'fb_sig');
      $fb_post_params = $this->get_valid_fb_params($_POST, 48 * 3600, 'fb_post_sig');
      $this->fb_params = array_merge($fb_params, $fb_post_params);
    }

    // Okay, something came in via POST or GET
    if ($this->fb_params) {
      $user               = isset($this->fb_params['user']) ?
                            $this->fb_params['user'] : null;
      $this->profile_user = isset($this->fb_params['profile_user']) ?
                            $this->fb_params['profile_user'] : null;
      $this->canvas_user  = isset($this->fb_params['canvas_user']) ?
                            $this->fb_params['canvas_user'] : null;
      $this->base_domain  = isset($this->fb_params['base_domain']) ?
                            $this->fb_params['base_domain'] : null;

      if (isset($this->fb_params['session_key'])) {
        $session_key =  $this->fb_params['session_key'];
      } else if (isset($this->fb_params['profile_session_key'])) {
        $session_key =  $this->fb_params['profile_session_key'];
      } else {
        $session_key = null;
      }
      $expires     = isset($this->fb_params['expires']) ?
                     $this->fb_params['expires'] : null;
      $this->set_user($user,
                      $session_key,
                      $expires);
    }
    // if no Facebook parameters were found in the GET or POST variables,
    // then fall back to cookies, which may have cached user information
    // Cookies are also used to receive session data via the Javascript API
    else if ($cookies =
             $this->get_valid_fb_params($_COOKIE, null, $this->api_key)) {

      $base_domain_cookie = 'base_domain_' . $this->api_key;
      if (isset($_COOKIE[$base_domain_cookie])) {
        $this->base_domain = $_COOKIE[$base_domain_cookie];
      }

      // use $api_key . '_' as a prefix for the cookies in case there are
      // multiple facebook clients on the same domain.
      $expires = isset($cookies['expires']) ? $cookies['expires'] : null;
      $this->set_user($cookies['user'],
                      $cookies['session_key'],
                      $expires);
    }
    // finally, if we received no parameters, but the 'auth_token' GET var
    // is present, then we are in the middle of auth handshake,
    // so go ahead and create the session
    else if ($resolve_auth_token && isset($_GET['auth_token']) &&
             $session = $this->do_get_session($_GET['auth_token'])) {
      if ($this->generate_session_secret &&
          !empty($session['secret'])) {
        $session_secret = $session['secret'];
      }

      if (isset($session['base_domain'])) {
        $this->base_domain = $session['base_domain'];
      }

      $this->set_user($session['uid'],
                      $session['session_key'],
                      $session['expires'],
                      isset($session_secret) ? $session_secret : null);
    }

    return !empty($this->fb_params);
  }

  // Store a temporary session secret for the current session
  // for use with the JS client library
  public function promote_session() {
    try {
      $session_secret = $this->api_client->auth_promoteSession();
      if (!$this->in_fb_canvas()) {
        $this->set_cookies($this->user, $this->api_client->session_key, $this->session_expires, $session_secret);
      }
      return $session_secret;
    } catch (FacebookRestClientException $e) {
      // API_EC_PARAM means we don't have a logged in user, otherwise who
      // knows what it means, so just throw it.
      if ($e->getCode() != FacebookAPIErrorCodes::API_EC_PARAM) {
        throw $e;
      }
    }
  }

  public function do_get_session($auth_token) {
    try {
      return $this->api_client->auth_getSession($auth_token, $this->generate_session_secret);
    } catch (FacebookRestClientException $e) {
      // API_EC_PARAM means we don't have a logged in user, otherwise who
      // knows what it means, so just throw it.
      if ($e->getCode() != FacebookAPIErrorCodes::API_EC_PARAM) {
        throw $e;
      }
    }
  }

  // Invalidate the session currently being used, and clear any state associated
  // with it. Note that the user will still remain logged into Facebook.
  public function expire_session() {
    try {
      if ($this->api_client->auth_expireSession()) {
        $this->clear_cookie_state();
        return true;
      } else {
        return false;
      }
    } catch (Exception $e) {
      $this->clear_cookie_state();
    }
  }

  /** Logs the user out of all temporary application sessions as well as their
   * Facebook session.  Note this will only work if the user has a valid current
   * session with the application.
   *
   * @param string  $next  URL to redirect to upon logging out
   *
   */
   public function logout($next) {
    $logout_url = $this->get_logout_url($next);

    // Clear any stored state
    $this->clear_cookie_state();

    $this->redirect($logout_url);
  }

  /**
   *  Clears any persistent state stored about the user, including
   *  cookies and information related to the current session in the
   *  client.
   *
   */
  public function clear_cookie_state() {
    if (!$this->in_fb_canvas() && isset($_COOKIE[$this->api_key . '_user'])) {
       $cookies = array('user', 'session_key', 'expires', 'ss');
       foreach ($cookies as $name) {
         setcookie($this->api_key . '_' . $name,
                   false,
                   time() - 3600,
                   '',
                   $this->base_domain);
         unset($_COOKIE[$this->api_key . '_' . $name]);
       }
       setcookie($this->api_key, false, time() - 3600, '', $this->base_domain);
       unset($_COOKIE[$this->api_key]);
     }

     // now, clear the rest of the stored state
     $this->user = 0;
     $this->api_client->session_key = 0;
  }

  public function redirect($url) {
    if ($this->in_fb_canvas()) {
      echo '<fb:redirect url="' . $url . '"/>';
    } else if (preg_match('/^https?:\/\/([^\/]*\.)?facebook\.com(:\d+)?/i', $url)) {
      // make sure facebook.com url's load in the full frame so that we don't
      // get a frame within a frame.
      echo "<script type=\"text/javascript\">\ntop.location.href = \"$url\";\n</script>";
    } else {
      header('Location: ' . $url);
    }
    exit;
  }

  public function in_frame() {
    return isset($this->fb_params['in_canvas'])
        || isset($this->fb_params['in_iframe']);
  }
  public function in_fb_canvas() {
    return isset($this->fb_params['in_canvas']);
  }

  public function get_loggedin_user() {
    return $this->user;
  }

  public function get_canvas_user() {
    return $this->canvas_user;
  }

  public function get_profile_user() {
    return $this->profile_user;
  }

  public static function current_url() {
    return 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
  }

  // require_add and require_install have been removed.
  // see http://developer.facebook.com/news.php?blog=1&story=116 for more details
  public function require_login() {
    if ($user = $this->get_loggedin_user()) {
      return $user;
    }
    $this->redirect($this->get_login_url(self::current_url(), $this->in_frame()));
  }

  public function require_frame() {
    if (!$this->in_frame()) {
      $this->redirect($this->get_login_url(self::current_url(), true));
    }
  }

  public static function get_facebook_url($subdomain='www') {
    return 'http://' . $subdomain . '.facebook.com';
  }

  public function get_install_url($next=null) {
    // this was renamed, keeping for compatibility's sake
    return $this->get_add_url($next);
  }

  public function get_add_url($next=null) {
    $page = self::get_facebook_url().'/add.php';
    $params = array('api_key' => $this->api_key);

    if ($next) {
      $params['next'] = $next;
    }

    return $page . '?' . http_build_query($params);
  }

  public function get_login_url($next, $canvas) {
    $page = self::get_facebook_url().'/login.php';
    $params = array('api_key' => $this->api_key,
                    'v'       => '1.0');

    if ($next) {
      $params['next'] = $next;
    }
    if ($canvas) {
      $params['canvas'] = '1';
    }

    return $page . '?' . http_build_query($params);
  }

  public function get_logout_url($next) {
    $page = self::get_facebook_url().'/logout.php';
    $params = array('app_key'     => $this->api_key,
                    'session_key' => $this->api_client->session_key);

    if ($next) {
      $params['connect_next'] = 1;
      $params['next'] = $next;
    }

    return $page . '?' . http_build_query($params);
  }

  public function set_user($user, $session_key, $expires=null, $session_secret=null) {
    if (!$this->in_fb_canvas() && (!isset($_COOKIE[$this->api_key . '_user'])
                                   || $_COOKIE[$this->api_key . '_user'] != $user)) {
      $this->set_cookies($user, $session_key, $expires, $session_secret);
    }
    $this->user = $user;
    $this->api_client->session_key = $session_key;
    $this->session_expires = $expires;
  }

  public function set_cookies($user, $session_key, $expires=null, $session_secret=null) {
    $cookies = array();
    $cookies['user'] = $user;
    $cookies['session_key'] = $session_key;
    if ($expires != null) {
      $cookies['expires'] = $expires;
    }
    if ($session_secret != null) {
      $cookies['ss'] = $session_secret;
    }

    foreach ($cookies as $name => $val) {
      setcookie($this->api_key . '_' . $name, $val, (int)$expires, '', $this->base_domain);
      $_COOKIE[$this->api_key . '_' . $name] = $val;
    }
    $sig = self::generate_sig($cookies, $this->secret);
    setcookie($this->api_key, $sig, (int)$expires, '', $this->base_domain);
    $_COOKIE[$this->api_key] = $sig;

    if ($this->base_domain != null) {
      $base_domain_cookie = 'base_domain_' . $this->api_key;
      setcookie($base_domain_cookie, $this->base_domain, (int)$expires, '', $this->base_domain);
      $_COOKIE[$base_domain_cookie] = $this->base_domain;
    }
  }

  /**
   * Tries to undo the badness of magic quotes as best we can
   * @param     string   $val   Should come directly from $_GET, $_POST, etc.
   * @return    string   val without added slashes
   */
  public static function no_magic_quotes($val) {
    if (get_magic_quotes_gpc()) {
      return stripslashes($val);
    } else {
      return $val;
    }
  }

  /*
   * Get the signed parameters that were sent from Facebook. Validates the set
   * of parameters against the included signature.
   *
   * Since Facebook sends data to your callback URL via unsecured means, the
   * signature is the only way to make sure that the data actually came from
   * Facebook. So if an app receives a request at the callback URL, it should
   * always verify the signature that comes with against your own secret key.
   * Otherwise, it's possible for someone to spoof a request by
   * pretending to be someone else, i.e.:
   *      www.your-callback-url.com/?fb_user=10101
   *
   * This is done automatically by verify_fb_params.
   *
   * @param  assoc  $params     a full array of external parameters.
   *                            presumed $_GET, $_POST, or $_COOKIE
   * @param  int    $timeout    number of seconds that the args are good for.
   *                            Specifically good for forcing cookies to expire.
   * @param  string $namespace  prefix string for the set of parameters we want
   *                            to verify. i.e., fb_sig or fb_post_sig
   *
   * @return  assoc the subset of parameters containing the given prefix,
   *                and also matching the signature associated with them.
   *          OR    an empty array if the params do not validate
   */
  public function get_valid_fb_params($params, $timeout=null, $namespace='fb_sig') {
    $prefix = $namespace . '_';
    $prefix_len = strlen($prefix);
    $fb_params = array();
    if (empty($params)) {
      return array();
    }

    foreach ($params as $name => $val) {
      // pull out only those parameters that match the prefix
      // note that the signature itself ($params[$namespace]) is not in the list
      if (strpos($name, $prefix) === 0) {
        $fb_params[substr($name, $prefix_len)] = self::no_magic_quotes($val);
      }
    }

    // validate that the request hasn't expired. this is most likely
    // for params that come from $_COOKIE
    if ($timeout && (!isset($fb_params['time']) || time() - $fb_params['time'] > $timeout)) {
      return array();
    }

    // validate that the params match the signature
    $signature = isset($params[$namespace]) ? $params[$namespace] : null;
    if (!$signature || (!$this->verify_signature($fb_params, $signature))) {
      return array();
    }
    return $fb_params;
  }

  /**
   *  Validates the account that a user was trying to set up an
   *  independent account through Facebook Connect.
   *
   *  @param  user The user attempting to set up an independent account.
   *  @param  hash The hash passed to the reclamation URL used.
   *  @return bool True if the user is the one that selected the
   *               reclamation link.
   */
  public function verify_account_reclamation($user, $hash) {
    return $hash == md5($user . $this->secret);
  }

  /**
   * Validates that a given set of parameters match their signature.
   * Parameters all match a given input prefix, such as "fb_sig".
   *
   * @param $fb_params     an array of all Facebook-sent parameters,
   *                       not including the signature itself
   * @param $expected_sig  the expected result to check against
   */
  public function verify_signature($fb_params, $expected_sig) {
    return self::generate_sig($fb_params, $this->secret) == $expected_sig;
  }

  /**
   * Validate the given signed public session data structure with
   * public key of the app that
   * the session proof belongs to.
   *
   * @param $signed_data the session info that is passed by another app
   * @param string $public_key Optional public key of the app. If this
   *               is not passed, function will make an API call to get it.
   * return true if the session proof passed verification.
   */
  public function verify_signed_public_session_data($signed_data,
                                                    $public_key = null) {

    // If public key is not already provided, we need to get it through API
    if (!$public_key) {
      $public_key = $this->api_client->auth_getAppPublicKey(
        $signed_data['api_key']);
    }

    // Create data to verify
    $data_to_serialize = $signed_data;
    unset($data_to_serialize['sig']);
    $serialized_data = implode('_', $data_to_serialize);

    // Decode signature
    $signature = base64_decode($signed_data['sig']);
    $result = openssl_verify($serialized_data, $signature, $public_key,
                             OPENSSL_ALGO_SHA1);
    return $result == 1;
  }

  /*
   * Generate a signature using the application secret key.
   *
   * The only two entities that know your secret key are you and Facebook,
   * according to the Terms of Service. Since nobody else can generate
   * the signature, you can rely on it to verify that the information
   * came from Facebook.
   *
   * @param $params_array   an array of all Facebook-sent parameters,
   *                        NOT INCLUDING the signature itself
   * @param $secret         your app's secret key
   *
   * @return a hash to be checked against the signature provided by Facebook
   */
  public static function generate_sig($params_array, $secret) {
    $str = '';

    ksort($params_array);
    // Note: make sure that the signature parameter is not already included in
    //       $params_array.
    foreach ($params_array as $k=>$v) {
      $str .= "$k=$v";
    }
    $str .= $secret;

    return md5($str);
  }

  public function encode_validationError($summary, $message) {
    return json_encode(
               array('errorCode'    => FACEBOOK_API_VALIDATION_ERROR,
                     'errorTitle'   => $summary,
                     'errorMessage' => $message));
  }

  public function encode_multiFeedStory($feed, $next) {
    return json_encode(
               array('method'   => 'multiFeedStory',
                     'content'  =>
                     array('next' => $next,
                           'feed' => $feed)));
  }

  public function encode_feedStory($feed, $next) {
    return json_encode(
               array('method'   => 'feedStory',
                     'content'  =>
                     array('next' => $next,
                           'feed' => $feed)));
  }

  public function create_templatizedFeedStory($title_template, $title_data=array(),
                                    $body_template='', $body_data = array(), $body_general=null,
                                    $image_1=null, $image_1_link=null,
                                    $image_2=null, $image_2_link=null,
                                    $image_3=null, $image_3_link=null,
                                    $image_4=null, $image_4_link=null) {
    return array('title_template'=> $title_template,
                 'title_data'   => $title_data,
                 'body_template'=> $body_template,
                 'body_data'    => $body_data,
                 'body_general' => $body_general,
                 'image_1'      => $image_1,
                 'image_1_link' => $image_1_link,
                 'image_2'      => $image_2,
                 'image_2_link' => $image_2_link,
                 'image_3'      => $image_3,
                 'image_3_link' => $image_3_link,
                 'image_4'      => $image_4,
                 'image_4_link' => $image_4_link);
  }


}