2 // Copyright 2004-2009 Facebook. All Rights Reserved.
4 // +---------------------------------------------------------------------------+
5 // | Facebook Platform PHP5 client |
6 // +---------------------------------------------------------------------------+
7 // | Copyright (c) 2007 Facebook, Inc. |
8 // | All rights reserved. |
10 // | Redistribution and use in source and binary forms, with or without |
11 // | modification, are permitted provided that the following conditions |
14 // | 1. Redistributions of source code must retain the above copyright |
15 // | notice, this list of conditions and the following disclaimer. |
16 // | 2. Redistributions in binary form must reproduce the above copyright |
17 // | notice, this list of conditions and the following disclaimer in the |
18 // | documentation and/or other materials provided with the distribution. |
20 // | THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
21 // | IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
22 // | OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
23 // | IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
24 // | INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
25 // | NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
26 // | DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
27 // | THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
28 // | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
29 // | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
30 // +---------------------------------------------------------------------------+
31 // | For help with this library, contact developers-help@facebook.com |
32 // +---------------------------------------------------------------------------+
34 include_once 'facebookapi_php5_restlib.php';
36 define('FACEBOOK_API_VALIDATION_ERROR', 1);
41 public $generate_session_secret;
42 public $session_expires;
48 public $ext_perms = array();
49 protected $base_domain;
52 * Create a Facebook client like this:
54 * $fb = new Facebook(API_KEY, SECRET);
56 * This will automatically pull in any parameters, validate them against the
57 * session signature, and chuck them in the public $fb_params member variable.
59 * @param api_key your Developer API key
60 * @param secret your Developer API secret
61 * @param generate_session_secret whether to automatically generate a session
62 * if the user doesn't have one, but
63 * there is an auth token present in the url,
65 public function __construct($api_key, $secret, $generate_session_secret=false) {
66 $this->api_key = $api_key;
67 $this->secret = $secret;
68 $this->generate_session_secret = $generate_session_secret;
69 $this->api_client = new FacebookRestClient($api_key, $secret, null);
70 $this->validate_fb_params();
72 // Set the default user id for methods that allow the caller to
73 // pass an explicit uid instead of using a session key.
76 $defaultUser = $this->user;
77 } else if ($this->profile_user) {
78 $defaultUser = $this->profile_user;
79 } else if ($this->canvas_user) {
80 $defaultUser = $this->canvas_user;
83 $this->api_client->set_user($defaultUser);
86 if (isset($this->fb_params['friends'])) {
87 $this->api_client->friends_list =
88 array_filter(explode(',', $this->fb_params['friends']));
90 if (isset($this->fb_params['added'])) {
91 $this->api_client->added = $this->fb_params['added'];
93 if (isset($this->fb_params['canvas_user'])) {
94 $this->api_client->canvas_user = $this->fb_params['canvas_user'];
99 * Validates that the parameters passed in were sent from Facebook. It does so
100 * by validating that the signature matches one that could only be generated
101 * by using your application's secret key.
103 * Facebook-provided parameters will come from $_POST, $_GET, or $_COOKIE,
104 * in that order. $_POST and $_GET are always more up-to-date than cookies,
105 * so we prefer those if they are available.
107 * For nitty-gritty details of when each of these is used, check out
108 * http://wiki.developers.facebook.com/index.php/Verifying_The_Signature
110 public function validate_fb_params() {
111 $this->fb_params = $this->get_valid_fb_params($_POST, 48 * 3600, 'fb_sig');
113 // note that with preload FQL, it's possible to receive POST params in
114 // addition to GET, so use a different prefix to differentiate them
115 if (!$this->fb_params) {
116 $fb_params = $this->get_valid_fb_params($_GET, 48 * 3600, 'fb_sig');
117 $fb_post_params = $this->get_valid_fb_params($_POST,
118 48 * 3600, // 48 hours
120 $this->fb_params = array_merge($fb_params, $fb_post_params);
123 // Okay, something came in via POST or GET
124 if ($this->fb_params) {
125 $user = isset($this->fb_params['user']) ?
126 $this->fb_params['user'] : null;
127 $this->profile_user = isset($this->fb_params['profile_user']) ?
128 $this->fb_params['profile_user'] : null;
129 $this->canvas_user = isset($this->fb_params['canvas_user']) ?
130 $this->fb_params['canvas_user'] : null;
131 $this->base_domain = isset($this->fb_params['base_domain']) ?
132 $this->fb_params['base_domain'] : null;
133 $this->ext_perms = isset($this->fb_params['ext_perms']) ?
134 explode(',', $this->fb_params['ext_perms'])
137 if (isset($this->fb_params['session_key'])) {
138 $session_key = $this->fb_params['session_key'];
139 } else if (isset($this->fb_params['profile_session_key'])) {
140 $session_key = $this->fb_params['profile_session_key'];
144 $expires = isset($this->fb_params['expires']) ?
145 $this->fb_params['expires'] : null;
146 $this->set_user($user,
149 } else if ($cookies =
150 $this->get_valid_fb_params($_COOKIE, null, $this->api_key)) {
151 // if no Facebook parameters were found in the GET or POST variables,
152 // then fall back to cookies, which may have cached user information
153 // Cookies are also used to receive session data via the Javascript API
154 $base_domain_cookie = 'base_domain_' . $this->api_key;
155 if (isset($_COOKIE[$base_domain_cookie])) {
156 $this->base_domain = $_COOKIE[$base_domain_cookie];
159 // use $api_key . '_' as a prefix for the cookies in case there are
160 // multiple facebook clients on the same domain.
161 $expires = isset($cookies['expires']) ? $cookies['expires'] : null;
162 $this->set_user($cookies['user'],
163 $cookies['session_key'],
167 return !empty($this->fb_params);
170 // Store a temporary session secret for the current session
171 // for use with the JS client library
172 public function promote_session() {
174 $session_secret = $this->api_client->auth_promoteSession();
175 if (!$this->in_fb_canvas()) {
176 $this->set_cookies($this->user, $this->api_client->session_key, $this->session_expires, $session_secret);
178 return $session_secret;
179 } catch (FacebookRestClientException $e) {
180 // API_EC_PARAM means we don't have a logged in user, otherwise who
181 // knows what it means, so just throw it.
182 if ($e->getCode() != FacebookAPIErrorCodes::API_EC_PARAM) {
188 public function do_get_session($auth_token) {
190 return $this->api_client->auth_getSession($auth_token, $this->generate_session_secret);
191 } catch (FacebookRestClientException $e) {
192 // API_EC_PARAM means we don't have a logged in user, otherwise who
193 // knows what it means, so just throw it.
194 if ($e->getCode() != FacebookAPIErrorCodes::API_EC_PARAM) {
200 // Invalidate the session currently being used, and clear any state associated
201 // with it. Note that the user will still remain logged into Facebook.
202 public function expire_session() {
204 if ($this->api_client->auth_expireSession()) {
205 $this->clear_cookie_state();
210 } catch (Exception $e) {
211 $this->clear_cookie_state();
215 /** Logs the user out of all temporary application sessions as well as their
216 * Facebook session. Note this will only work if the user has a valid current
217 * session with the application.
219 * @param string $next URL to redirect to upon logging out
222 public function logout($next) {
223 $logout_url = $this->get_logout_url($next);
225 // Clear any stored state
226 $this->clear_cookie_state();
228 $this->redirect($logout_url);
232 * Clears any persistent state stored about the user, including
233 * cookies and information related to the current session in the
237 public function clear_cookie_state() {
238 if (!$this->in_fb_canvas() && isset($_COOKIE[$this->api_key . '_user'])) {
239 $cookies = array('user', 'session_key', 'expires', 'ss');
240 foreach ($cookies as $name) {
241 setcookie($this->api_key . '_' . $name,
246 unset($_COOKIE[$this->api_key . '_' . $name]);
248 setcookie($this->api_key, false, time() - 3600, '', $this->base_domain);
249 unset($_COOKIE[$this->api_key]);
252 // now, clear the rest of the stored state
254 $this->api_client->session_key = 0;
257 public function redirect($url) {
258 if ($this->in_fb_canvas()) {
259 echo '<fb:redirect url="' . $url . '"/>';
260 } else if (preg_match('/^https?:\/\/([^\/]*\.)?facebook\.com(:\d+)?/i', $url)) {
261 // make sure facebook.com url's load in the full frame so that we don't
262 // get a frame within a frame.
263 echo "<script type=\"text/javascript\">\ntop.location.href = \"$url\";\n</script>";
265 header('Location: ' . $url);
270 public function in_frame() {
271 return isset($this->fb_params['in_canvas'])
272 || isset($this->fb_params['in_iframe']);
274 public function in_fb_canvas() {
275 return isset($this->fb_params['in_canvas']);
278 public function get_loggedin_user() {
282 public function get_canvas_user() {
283 return $this->canvas_user;
286 public function get_profile_user() {
287 return $this->profile_user;
290 public static function current_url() {
291 return 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
294 // require_add and require_install have been removed.
295 // see http://developer.facebook.com/news.php?blog=1&story=116 for more details
296 public function require_login($required_permissions = '') {
297 $user = $this->get_loggedin_user();
298 $has_permissions = true;
300 if ($required_permissions) {
301 $this->require_frame();
302 $permissions = array_map('trim', explode(',', $required_permissions));
303 foreach ($permissions as $permission) {
304 if (!in_array($permission, $this->ext_perms)) {
305 $has_permissions = false;
311 if ($user && $has_permissions) {
316 $this->get_login_url(self::current_url(), $this->in_frame(),
317 $required_permissions));
320 public function require_frame() {
321 if (!$this->in_frame()) {
322 $this->redirect($this->get_login_url(self::current_url(), true));
326 public static function get_facebook_url($subdomain='www') {
327 return 'http://' . $subdomain . '.facebook.com';
330 public function get_install_url($next=null) {
331 // this was renamed, keeping for compatibility's sake
332 return $this->get_add_url($next);
335 public function get_add_url($next=null) {
336 $page = self::get_facebook_url().'/add.php';
337 $params = array('api_key' => $this->api_key);
340 $params['next'] = $next;
343 return $page . '?' . http_build_query($params);
346 public function get_login_url($next, $canvas, $req_perms = '') {
347 $page = self::get_facebook_url().'/login.php';
348 $params = array('api_key' => $this->api_key,
350 'req_perms' => $req_perms);
353 $params['next'] = $next;
356 $params['canvas'] = '1';
359 return $page . '?' . http_build_query($params);
362 public function get_logout_url($next) {
363 $page = self::get_facebook_url().'/logout.php';
364 $params = array('app_key' => $this->api_key,
365 'session_key' => $this->api_client->session_key);
368 $params['connect_next'] = 1;
369 $params['next'] = $next;
372 return $page . '?' . http_build_query($params);
375 public function set_user($user, $session_key, $expires=null, $session_secret=null) {
376 if (!$this->in_fb_canvas() && (!isset($_COOKIE[$this->api_key . '_user'])
377 || $_COOKIE[$this->api_key . '_user'] != $user)) {
378 $this->set_cookies($user, $session_key, $expires, $session_secret);
381 $this->api_client->session_key = $session_key;
382 $this->session_expires = $expires;
385 public function set_cookies($user, $session_key, $expires=null, $session_secret=null) {
387 $cookies['user'] = $user;
388 $cookies['session_key'] = $session_key;
389 if ($expires != null) {
390 $cookies['expires'] = $expires;
392 if ($session_secret != null) {
393 $cookies['ss'] = $session_secret;
396 foreach ($cookies as $name => $val) {
397 setcookie($this->api_key . '_' . $name, $val, (int)$expires, '', $this->base_domain);
398 $_COOKIE[$this->api_key . '_' . $name] = $val;
400 $sig = self::generate_sig($cookies, $this->secret);
401 setcookie($this->api_key, $sig, (int)$expires, '', $this->base_domain);
402 $_COOKIE[$this->api_key] = $sig;
404 if ($this->base_domain != null) {
405 $base_domain_cookie = 'base_domain_' . $this->api_key;
406 setcookie($base_domain_cookie, $this->base_domain, (int)$expires, '', $this->base_domain);
407 $_COOKIE[$base_domain_cookie] = $this->base_domain;
412 * Tries to undo the badness of magic quotes as best we can
413 * @param string $val Should come directly from $_GET, $_POST, etc.
414 * @return string val without added slashes
416 public static function no_magic_quotes($val) {
417 if (get_magic_quotes_gpc()) {
418 return stripslashes($val);
425 * Get the signed parameters that were sent from Facebook. Validates the set
426 * of parameters against the included signature.
428 * Since Facebook sends data to your callback URL via unsecured means, the
429 * signature is the only way to make sure that the data actually came from
430 * Facebook. So if an app receives a request at the callback URL, it should
431 * always verify the signature that comes with against your own secret key.
432 * Otherwise, it's possible for someone to spoof a request by
433 * pretending to be someone else, i.e.:
434 * www.your-callback-url.com/?fb_user=10101
436 * This is done automatically by verify_fb_params.
438 * @param assoc $params a full array of external parameters.
439 * presumed $_GET, $_POST, or $_COOKIE
440 * @param int $timeout number of seconds that the args are good for.
441 * Specifically good for forcing cookies to expire.
442 * @param string $namespace prefix string for the set of parameters we want
443 * to verify. i.e., fb_sig or fb_post_sig
445 * @return assoc the subset of parameters containing the given prefix,
446 * and also matching the signature associated with them.
447 * OR an empty array if the params do not validate
449 public function get_valid_fb_params($params, $timeout=null, $namespace='fb_sig') {
450 $prefix = $namespace . '_';
451 $prefix_len = strlen($prefix);
452 $fb_params = array();
453 if (empty($params)) {
457 foreach ($params as $name => $val) {
458 // pull out only those parameters that match the prefix
459 // note that the signature itself ($params[$namespace]) is not in the list
460 if (strpos($name, $prefix) === 0) {
461 $fb_params[substr($name, $prefix_len)] = self::no_magic_quotes($val);
465 // validate that the request hasn't expired. this is most likely
466 // for params that come from $_COOKIE
467 if ($timeout && (!isset($fb_params['time']) || time() - $fb_params['time'] > $timeout)) {
471 // validate that the params match the signature
472 $signature = isset($params[$namespace]) ? $params[$namespace] : null;
473 if (!$signature || (!$this->verify_signature($fb_params, $signature))) {
480 * Validates the account that a user was trying to set up an
481 * independent account through Facebook Connect.
483 * @param user The user attempting to set up an independent account.
484 * @param hash The hash passed to the reclamation URL used.
485 * @return bool True if the user is the one that selected the
488 public function verify_account_reclamation($user, $hash) {
489 return $hash == md5($user . $this->secret);
493 * Validates that a given set of parameters match their signature.
494 * Parameters all match a given input prefix, such as "fb_sig".
496 * @param $fb_params an array of all Facebook-sent parameters,
497 * not including the signature itself
498 * @param $expected_sig the expected result to check against
500 public function verify_signature($fb_params, $expected_sig) {
501 return self::generate_sig($fb_params, $this->secret) == $expected_sig;
505 * Validate the given signed public session data structure with
506 * public key of the app that
507 * the session proof belongs to.
509 * @param $signed_data the session info that is passed by another app
510 * @param string $public_key Optional public key of the app. If this
511 * is not passed, function will make an API call to get it.
512 * return true if the session proof passed verification.
514 public function verify_signed_public_session_data($signed_data,
515 $public_key = null) {
517 // If public key is not already provided, we need to get it through API
519 $public_key = $this->api_client->auth_getAppPublicKey(
520 $signed_data['api_key']);
523 // Create data to verify
524 $data_to_serialize = $signed_data;
525 unset($data_to_serialize['sig']);
526 $serialized_data = implode('_', $data_to_serialize);
529 $signature = base64_decode($signed_data['sig']);
530 $result = openssl_verify($serialized_data, $signature, $public_key,
536 * Generate a signature using the application secret key.
538 * The only two entities that know your secret key are you and Facebook,
539 * according to the Terms of Service. Since nobody else can generate
540 * the signature, you can rely on it to verify that the information
541 * came from Facebook.
543 * @param $params_array an array of all Facebook-sent parameters,
544 * NOT INCLUDING the signature itself
545 * @param $secret your app's secret key
547 * @return a hash to be checked against the signature provided by Facebook
549 public static function generate_sig($params_array, $secret) {
552 ksort($params_array);
553 // Note: make sure that the signature parameter is not already included in
555 foreach ($params_array as $k=>$v) {
563 public function encode_validationError($summary, $message) {
565 array('errorCode' => FACEBOOK_API_VALIDATION_ERROR,
566 'errorTitle' => $summary,
567 'errorMessage' => $message));
570 public function encode_multiFeedStory($feed, $next) {
572 array('method' => 'multiFeedStory',
574 array('next' => $next,
578 public function encode_feedStory($feed, $next) {
580 array('method' => 'feedStory',
582 array('next' => $next,
586 public function create_templatizedFeedStory($title_template, $title_data=array(),
587 $body_template='', $body_data = array(), $body_general=null,
588 $image_1=null, $image_1_link=null,
589 $image_2=null, $image_2_link=null,
590 $image_3=null, $image_3_link=null,
591 $image_4=null, $image_4_link=null) {
592 return array('title_template'=> $title_template,
593 'title_data' => $title_data,
594 'body_template'=> $body_template,
595 'body_data' => $body_data,
596 'body_general' => $body_general,
597 'image_1' => $image_1,
598 'image_1_link' => $image_1_link,
599 'image_2' => $image_2,
600 'image_2_link' => $image_2_link,
601 'image_3' => $image_3,
602 'image_3_link' => $image_3_link,
603 'image_4' => $image_4,
604 'image_4_link' => $image_4_link);