1127 lines
33 KiB
PHP
1127 lines
33 KiB
PHP
<?php
|
|
/**
|
|
* Copyright 2011 Facebook, Inc.
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
* not use this file except in compliance with the License. You may obtain
|
|
* a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
* License for the specific language governing permissions and limitations
|
|
* under the License.
|
|
*/
|
|
|
|
if (!function_exists('curl_init')) {
|
|
throw new Exception('Facebook needs the CURL PHP extension.');
|
|
}
|
|
if (!function_exists('json_decode')) {
|
|
throw new Exception('Facebook needs the JSON PHP extension.');
|
|
}
|
|
|
|
/**
|
|
* Thrown when an API call returns an exception.
|
|
*
|
|
* @author Naitik Shah <naitik@facebook.com>
|
|
*/
|
|
class FacebookApiException extends Exception
|
|
{
|
|
/**
|
|
* The result from the API server that represents the exception information.
|
|
*/
|
|
protected $result;
|
|
|
|
/**
|
|
* Make a new API Exception with the given result.
|
|
*
|
|
* @param array $result The result from the API server
|
|
*/
|
|
public function __construct($result) {
|
|
$this->result = $result;
|
|
|
|
$code = isset($result['error_code']) ? $result['error_code'] : 0;
|
|
|
|
if (isset($result['error_description'])) {
|
|
// OAuth 2.0 Draft 10 style
|
|
$msg = $result['error_description'];
|
|
} else if (isset($result['error']) && is_array($result['error'])) {
|
|
// OAuth 2.0 Draft 00 style
|
|
$msg = $result['error']['message'];
|
|
} else if (isset($result['error_msg'])) {
|
|
// Rest server style
|
|
$msg = $result['error_msg'];
|
|
} else {
|
|
$msg = 'Unknown Error. Check getResult()';
|
|
}
|
|
|
|
parent::__construct($msg, $code);
|
|
}
|
|
|
|
/**
|
|
* Return the associated result object returned by the API server.
|
|
*
|
|
* @return array The result from the API server
|
|
*/
|
|
public function getResult() {
|
|
return $this->result;
|
|
}
|
|
|
|
/**
|
|
* Returns the associated type for the error. This will default to
|
|
* 'Exception' when a type is not available.
|
|
*
|
|
* @return string
|
|
*/
|
|
public function getType() {
|
|
if (isset($this->result['error'])) {
|
|
$error = $this->result['error'];
|
|
if (is_string($error)) {
|
|
// OAuth 2.0 Draft 10 style
|
|
return $error;
|
|
} else if (is_array($error)) {
|
|
// OAuth 2.0 Draft 00 style
|
|
if (isset($error['type'])) {
|
|
return $error['type'];
|
|
}
|
|
}
|
|
}
|
|
|
|
return 'Exception';
|
|
}
|
|
|
|
/**
|
|
* To make debugging easier.
|
|
*
|
|
* @return string The string representation of the error
|
|
*/
|
|
public function __toString() {
|
|
$str = $this->getType() . ': ';
|
|
if ($this->code != 0) {
|
|
$str .= $this->code . ': ';
|
|
}
|
|
return $str . $this->message;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Provides access to the Facebook Platform. This class provides
|
|
* a majority of the functionality needed, but the class is abstract
|
|
* because it is designed to be sub-classed. The subclass must
|
|
* implement the four abstract methods listed at the bottom of
|
|
* the file.
|
|
*
|
|
* @author Naitik Shah <naitik@facebook.com>
|
|
*/
|
|
abstract class BaseFacebook
|
|
{
|
|
/**
|
|
* Version.
|
|
*/
|
|
const VERSION = '3.1.1';
|
|
|
|
/**
|
|
* Default options for curl.
|
|
*/
|
|
public static $CURL_OPTS = array(
|
|
CURLOPT_CONNECTTIMEOUT => 10,
|
|
CURLOPT_RETURNTRANSFER => true,
|
|
CURLOPT_TIMEOUT => 60,
|
|
CURLOPT_USERAGENT => 'facebook-php-3.1',
|
|
);
|
|
|
|
/**
|
|
* List of query parameters that get automatically dropped when rebuilding
|
|
* the current URL.
|
|
*/
|
|
protected static $DROP_QUERY_PARAMS = array(
|
|
'code',
|
|
'state',
|
|
'signed_request',
|
|
);
|
|
|
|
/**
|
|
* Maps aliases to Facebook domains.
|
|
*/
|
|
public static $DOMAIN_MAP = array(
|
|
'api' => 'https://api.facebook.com/',
|
|
'api_video' => 'https://api-video.facebook.com/',
|
|
'api_read' => 'https://api-read.facebook.com/',
|
|
'graph' => 'https://graph.facebook.com/',
|
|
'www' => 'https://www.facebook.com/',
|
|
);
|
|
|
|
/**
|
|
* The Application ID.
|
|
*
|
|
* @var string
|
|
*/
|
|
protected $appId;
|
|
|
|
/**
|
|
* The Application API Secret.
|
|
*
|
|
* @var string
|
|
*/
|
|
protected $apiSecret;
|
|
|
|
/**
|
|
* The ID of the Facebook user, or 0 if the user is logged out.
|
|
*
|
|
* @var integer
|
|
*/
|
|
protected $user;
|
|
|
|
/**
|
|
* The data from the signed_request token.
|
|
*/
|
|
protected $signedRequest;
|
|
|
|
/**
|
|
* A CSRF state variable to assist in the defense against CSRF attacks.
|
|
*/
|
|
protected $state;
|
|
|
|
/**
|
|
* The OAuth access token received in exchange for a valid authorization
|
|
* code. null means the access token has yet to be determined.
|
|
*
|
|
* @var string
|
|
*/
|
|
protected $accessToken = null;
|
|
|
|
/**
|
|
* Indicates if the CURL based @ syntax for file uploads is enabled.
|
|
*
|
|
* @var boolean
|
|
*/
|
|
protected $fileUploadSupport = false;
|
|
|
|
/**
|
|
* Initialize a Facebook Application.
|
|
*
|
|
* The configuration:
|
|
* - appId: the application ID
|
|
* - secret: the application secret
|
|
* - fileUpload: (optional) boolean indicating if file uploads are enabled
|
|
*
|
|
* @param array $config The application configuration
|
|
*/
|
|
public function __construct($config) {
|
|
$this->setAppId($config['appId']);
|
|
$this->setApiSecret($config['secret']);
|
|
if (isset($config['fileUpload'])) {
|
|
$this->setFileUploadSupport($config['fileUpload']);
|
|
}
|
|
|
|
$state = $this->getPersistentData('state');
|
|
if (!empty($state)) {
|
|
$this->state = $this->getPersistentData('state');
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Set the Application ID.
|
|
*
|
|
* @param string $appId The Application ID
|
|
* @return BaseFacebook
|
|
*/
|
|
public function setAppId($appId) {
|
|
$this->appId = $appId;
|
|
return $this;
|
|
}
|
|
|
|
/**
|
|
* Get the Application ID.
|
|
*
|
|
* @return string the Application ID
|
|
*/
|
|
public function getAppId() {
|
|
return $this->appId;
|
|
}
|
|
|
|
/**
|
|
* Set the API Secret.
|
|
*
|
|
* @param string $apiSecret The API Secret
|
|
* @return BaseFacebook
|
|
*/
|
|
public function setApiSecret($apiSecret) {
|
|
$this->apiSecret = $apiSecret;
|
|
return $this;
|
|
}
|
|
|
|
/**
|
|
* Get the API Secret.
|
|
*
|
|
* @return string the API Secret
|
|
*/
|
|
public function getApiSecret() {
|
|
return $this->apiSecret;
|
|
}
|
|
|
|
/**
|
|
* Set the file upload support status.
|
|
*
|
|
* @param boolean $fileUploadSupport The file upload support status.
|
|
* @return BaseFacebook
|
|
*/
|
|
public function setFileUploadSupport($fileUploadSupport) {
|
|
$this->fileUploadSupport = $fileUploadSupport;
|
|
return $this;
|
|
}
|
|
|
|
/**
|
|
* Get the file upload support status.
|
|
*
|
|
* @return boolean true if and only if the server supports file upload.
|
|
*/
|
|
public function useFileUploadSupport() {
|
|
return $this->fileUploadSupport;
|
|
}
|
|
|
|
/**
|
|
* Sets the access token for api calls. Use this if you get
|
|
* your access token by other means and just want the SDK
|
|
* to use it.
|
|
*
|
|
* @param string $access_token an access token.
|
|
* @return BaseFacebook
|
|
*/
|
|
public function setAccessToken($access_token) {
|
|
$this->accessToken = $access_token;
|
|
return $this;
|
|
}
|
|
|
|
/**
|
|
* Determines the access token that should be used for API calls.
|
|
* The first time this is called, $this->accessToken is set equal
|
|
* to either a valid user access token, or it's set to the application
|
|
* access token if a valid user access token wasn't available. Subsequent
|
|
* calls return whatever the first call returned.
|
|
*
|
|
* @return string The access token
|
|
*/
|
|
public function getAccessToken() {
|
|
if ($this->accessToken !== null) {
|
|
// we've done this already and cached it. Just return.
|
|
return $this->accessToken;
|
|
}
|
|
|
|
// first establish access token to be the application
|
|
// access token, in case we navigate to the /oauth/access_token
|
|
// endpoint, where SOME access token is required.
|
|
$this->setAccessToken($this->getApplicationAccessToken());
|
|
if ($user_access_token = $this->getUserAccessToken()) {
|
|
$this->setAccessToken($user_access_token);
|
|
}
|
|
|
|
return $this->accessToken;
|
|
}
|
|
|
|
/**
|
|
* Determines and returns the user access token, first using
|
|
* the signed request if present, and then falling back on
|
|
* the authorization code if present. The intent is to
|
|
* return a valid user access token, or false if one is determined
|
|
* to not be available.
|
|
*
|
|
* @return string A valid user access token, or false if one
|
|
* could not be determined.
|
|
*/
|
|
protected function getUserAccessToken() {
|
|
// first, consider a signed request if it's supplied.
|
|
// if there is a signed request, then it alone determines
|
|
// the access token.
|
|
$signed_request = $this->getSignedRequest();
|
|
if ($signed_request) {
|
|
// apps.facebook.com hands the access_token in the signed_request
|
|
if (array_key_exists('oauth_token', $signed_request)) {
|
|
$access_token = $signed_request['oauth_token'];
|
|
$this->setPersistentData('access_token', $access_token);
|
|
return $access_token;
|
|
}
|
|
|
|
// the JS SDK puts a code in with the redirect_uri of ''
|
|
if (array_key_exists('code', $signed_request)) {
|
|
$code = $signed_request['code'];
|
|
$access_token = $this->getAccessTokenFromCode($code, '');
|
|
if ($access_token) {
|
|
$this->setPersistentData('code', $code);
|
|
$this->setPersistentData('access_token', $access_token);
|
|
return $access_token;
|
|
}
|
|
}
|
|
|
|
// signed request states there's no access token, so anything
|
|
// stored should be cleared.
|
|
$this->clearAllPersistentData();
|
|
return false; // respect the signed request's data, even
|
|
// if there's an authorization code or something else
|
|
}
|
|
|
|
$code = $this->getCode();
|
|
if ($code && $code != $this->getPersistentData('code')) {
|
|
$access_token = $this->getAccessTokenFromCode($code);
|
|
if ($access_token) {
|
|
$this->setPersistentData('code', $code);
|
|
$this->setPersistentData('access_token', $access_token);
|
|
return $access_token;
|
|
}
|
|
|
|
// code was bogus, so everything based on it should be invalidated.
|
|
$this->clearAllPersistentData();
|
|
return false;
|
|
}
|
|
|
|
// as a fallback, just return whatever is in the persistent
|
|
// store, knowing nothing explicit (signed request, authorization
|
|
// code, etc.) was present to shadow it (or we saw a code in $_REQUEST,
|
|
// but it's the same as what's in the persistent store)
|
|
return $this->getPersistentData('access_token');
|
|
}
|
|
|
|
/**
|
|
* Retrieve the signed request, either from a request parameter or,
|
|
* if not present, from a cookie.
|
|
*
|
|
* @return string the signed request, if available, or null otherwise.
|
|
*/
|
|
public function getSignedRequest() {
|
|
if (!$this->signedRequest) {
|
|
if (isset($_REQUEST['signed_request'])) {
|
|
$this->signedRequest = $this->parseSignedRequest(
|
|
$_REQUEST['signed_request']);
|
|
} else if (isset($_COOKIE[$this->getSignedRequestCookieName()])) {
|
|
$this->signedRequest = $this->parseSignedRequest(
|
|
$_COOKIE[$this->getSignedRequestCookieName()]);
|
|
}
|
|
}
|
|
return $this->signedRequest;
|
|
}
|
|
|
|
/**
|
|
* Get the UID of the connected user, or 0
|
|
* if the Facebook user is not connected.
|
|
*
|
|
* @return string the UID if available.
|
|
*/
|
|
public function getUser() {
|
|
if ($this->user !== null) {
|
|
// we've already determined this and cached the value.
|
|
return $this->user;
|
|
}
|
|
|
|
return $this->user = $this->getUserFromAvailableData();
|
|
}
|
|
|
|
/**
|
|
* Determines the connected user by first examining any signed
|
|
* requests, then considering an authorization code, and then
|
|
* falling back to any persistent store storing the user.
|
|
*
|
|
* @return integer The id of the connected Facebook user,
|
|
* or 0 if no such user exists.
|
|
*/
|
|
protected function getUserFromAvailableData() {
|
|
// if a signed request is supplied, then it solely determines
|
|
// who the user is.
|
|
$signed_request = $this->getSignedRequest();
|
|
if ($signed_request) {
|
|
if (array_key_exists('user_id', $signed_request)) {
|
|
$user = $signed_request['user_id'];
|
|
$this->setPersistentData('user_id', $signed_request['user_id']);
|
|
return $user;
|
|
}
|
|
|
|
// if the signed request didn't present a user id, then invalidate
|
|
// all entries in any persistent store.
|
|
$this->clearAllPersistentData();
|
|
return 0;
|
|
}
|
|
|
|
$user = $this->getPersistentData('user_id', $default = 0);
|
|
$persisted_access_token = $this->getPersistentData('access_token');
|
|
|
|
// use access_token to fetch user id if we have a user access_token, or if
|
|
// the cached access token has changed.
|
|
$access_token = $this->getAccessToken();
|
|
if ($access_token &&
|
|
$access_token != $this->getApplicationAccessToken() &&
|
|
!($user && $persisted_access_token == $access_token)) {
|
|
$user = $this->getUserFromAccessToken();
|
|
if ($user) {
|
|
$this->setPersistentData('user_id', $user);
|
|
} else {
|
|
$this->clearAllPersistentData();
|
|
}
|
|
}
|
|
|
|
return $user;
|
|
}
|
|
|
|
/**
|
|
* Get a Login URL for use with redirects. By default, full page redirect is
|
|
* assumed. If you are using the generated URL with a window.open() call in
|
|
* JavaScript, you can pass in display=popup as part of the $params.
|
|
*
|
|
* The parameters:
|
|
* - redirect_uri: the url to go to after a successful login
|
|
* - scope: comma separated list of requested extended perms
|
|
*
|
|
* @param array $params Provide custom parameters
|
|
* @return string The URL for the login flow
|
|
*/
|
|
public function getLoginUrl($params=array()) {
|
|
$this->establishCSRFTokenState();
|
|
$currentUrl = $this->getCurrentUrl();
|
|
|
|
// if 'scope' is passed as an array, convert to comma separated list
|
|
$scopeParams = isset($params['scope']) ? $params['scope'] : null;
|
|
if ($scopeParams && is_array($scopeParams)) {
|
|
$params['scope'] = implode(',', $scopeParams);
|
|
}
|
|
|
|
return $this->getUrl(
|
|
'www',
|
|
'dialog/oauth',
|
|
array_merge(array(
|
|
'client_id' => $this->getAppId(),
|
|
'redirect_uri' => $currentUrl, // possibly overwritten
|
|
'state' => $this->state),
|
|
$params));
|
|
}
|
|
|
|
/**
|
|
* Get a Logout URL suitable for use with redirects.
|
|
*
|
|
* The parameters:
|
|
* - next: the url to go to after a successful logout
|
|
*
|
|
* @param array $params Provide custom parameters
|
|
* @return string The URL for the logout flow
|
|
*/
|
|
public function getLogoutUrl($params=array()) {
|
|
return $this->getUrl(
|
|
'www',
|
|
'logout.php',
|
|
array_merge(array(
|
|
'next' => $this->getCurrentUrl(),
|
|
'access_token' => $this->getAccessToken(),
|
|
), $params)
|
|
);
|
|
}
|
|
|
|
/**
|
|
* Get a login status URL to fetch the status from Facebook.
|
|
*
|
|
* The parameters:
|
|
* - ok_session: the URL to go to if a session is found
|
|
* - no_session: the URL to go to if the user is not connected
|
|
* - no_user: the URL to go to if the user is not signed into facebook
|
|
*
|
|
* @param array $params Provide custom parameters
|
|
* @return string The URL for the logout flow
|
|
*/
|
|
public function getLoginStatusUrl($params=array()) {
|
|
return $this->getUrl(
|
|
'www',
|
|
'extern/login_status.php',
|
|
array_merge(array(
|
|
'api_key' => $this->getAppId(),
|
|
'no_session' => $this->getCurrentUrl(),
|
|
'no_user' => $this->getCurrentUrl(),
|
|
'ok_session' => $this->getCurrentUrl(),
|
|
'session_version' => 3,
|
|
), $params)
|
|
);
|
|
}
|
|
|
|
/**
|
|
* Make an API call.
|
|
*
|
|
* @return mixed The decoded response
|
|
*/
|
|
public function api(/* polymorphic */) {
|
|
$args = func_get_args();
|
|
if (is_array($args[0])) {
|
|
return $this->_restserver($args[0]);
|
|
} else {
|
|
return call_user_func_array(array($this, '_graph'), $args);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Constructs and returns the name of the cookie that
|
|
* potentially houses the signed request for the app user.
|
|
* The cookie is not set by the BaseFacebook class, but
|
|
* it may be set by the JavaScript SDK.
|
|
*
|
|
* @return string the name of the cookie that would house
|
|
* the signed request value.
|
|
*/
|
|
protected function getSignedRequestCookieName() {
|
|
return 'fbsr_'.$this->getAppId();
|
|
}
|
|
|
|
/**
|
|
* Get the authorization code from the query parameters, if it exists,
|
|
* and otherwise return false to signal no authorization code was
|
|
* discoverable.
|
|
*
|
|
* @return mixed The authorization code, or false if the authorization
|
|
* code could not be determined.
|
|
*/
|
|
protected function getCode() {
|
|
if (isset($_REQUEST['code'])) {
|
|
if ($this->state !== null &&
|
|
isset($_REQUEST['state']) &&
|
|
$this->state === $_REQUEST['state']) {
|
|
|
|
// CSRF state has done its job, so clear it
|
|
$this->state = null;
|
|
$this->clearPersistentData('state');
|
|
return $_REQUEST['code'];
|
|
} else {
|
|
self::errorLog('CSRF state token does not match one provided.');
|
|
return false;
|
|
}
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* Retrieves the UID with the understanding that
|
|
* $this->accessToken has already been set and is
|
|
* seemingly legitimate. It relies on Facebook's Graph API
|
|
* to retrieve user information and then extract
|
|
* the user ID.
|
|
*
|
|
* @return integer Returns the UID of the Facebook user, or 0
|
|
* if the Facebook user could not be determined.
|
|
*/
|
|
protected function getUserFromAccessToken() {
|
|
try {
|
|
$user_info = $this->api('/me');
|
|
return $user_info['id'];
|
|
} catch (FacebookApiException $e) {
|
|
return 0;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Returns the access token that should be used for logged out
|
|
* users when no authorization code is available.
|
|
*
|
|
* @return string The application access token, useful for gathering
|
|
* public information about users and applications.
|
|
*/
|
|
protected function getApplicationAccessToken() {
|
|
return $this->appId.'|'.$this->apiSecret;
|
|
}
|
|
|
|
/**
|
|
* Lays down a CSRF state token for this process.
|
|
*
|
|
* @return void
|
|
*/
|
|
protected function establishCSRFTokenState() {
|
|
if ($this->state === null) {
|
|
$this->state = md5(uniqid(mt_rand(), true));
|
|
$this->setPersistentData('state', $this->state);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Retrieves an access token for the given authorization code
|
|
* (previously generated from www.facebook.com on behalf of
|
|
* a specific user). The authorization code is sent to graph.facebook.com
|
|
* and a legitimate access token is generated provided the access token
|
|
* and the user for which it was generated all match, and the user is
|
|
* either logged in to Facebook or has granted an offline access permission.
|
|
*
|
|
* @param string $code An authorization code.
|
|
* @return mixed An access token exchanged for the authorization code, or
|
|
* false if an access token could not be generated.
|
|
*/
|
|
protected function getAccessTokenFromCode($code, $redirect_uri = null) {
|
|
if (empty($code)) {
|
|
return false;
|
|
}
|
|
|
|
if ($redirect_uri === null) {
|
|
$redirect_uri = $this->getCurrentUrl();
|
|
}
|
|
|
|
try {
|
|
// need to circumvent json_decode by calling _oauthRequest
|
|
// directly, since response isn't JSON format.
|
|
$access_token_response =
|
|
$this->_oauthRequest(
|
|
$this->getUrl('graph', '/oauth/access_token'),
|
|
$params = array('client_id' => $this->getAppId(),
|
|
'client_secret' => $this->getApiSecret(),
|
|
'redirect_uri' => $redirect_uri,
|
|
'code' => $code));
|
|
} catch (FacebookApiException $e) {
|
|
// most likely that user very recently revoked authorization.
|
|
// In any event, we don't have an access token, so say so.
|
|
return false;
|
|
}
|
|
|
|
if (empty($access_token_response)) {
|
|
return false;
|
|
}
|
|
|
|
$response_params = array();
|
|
parse_str($access_token_response, $response_params);
|
|
if (!isset($response_params['access_token'])) {
|
|
return false;
|
|
}
|
|
|
|
return $response_params['access_token'];
|
|
}
|
|
|
|
/**
|
|
* Invoke the old restserver.php endpoint.
|
|
*
|
|
* @param array $params Method call object
|
|
*
|
|
* @return mixed The decoded response object
|
|
* @throws FacebookApiException
|
|
*/
|
|
protected function _restserver($params) {
|
|
// generic application level parameters
|
|
$params['api_key'] = $this->getAppId();
|
|
$params['format'] = 'json-strings';
|
|
|
|
$result = json_decode($this->_oauthRequest(
|
|
$this->getApiUrl($params['method']),
|
|
$params
|
|
), true);
|
|
|
|
// results are returned, errors are thrown
|
|
if (is_array($result) && isset($result['error_code'])) {
|
|
throw new FacebookApiException($result);
|
|
}
|
|
|
|
return $result;
|
|
}
|
|
|
|
/**
|
|
* Invoke the Graph API.
|
|
*
|
|
* @param string $path The path (required)
|
|
* @param string $method The http method (default 'GET')
|
|
* @param array $params The query/post data
|
|
*
|
|
* @return mixed The decoded response object
|
|
* @throws FacebookApiException
|
|
*/
|
|
protected function _graph($path, $method = 'GET', $params = array()) {
|
|
if (is_array($method) && empty($params)) {
|
|
$params = $method;
|
|
$method = 'GET';
|
|
}
|
|
$params['method'] = $method; // method override as we always do a POST
|
|
|
|
$result = json_decode($this->_oauthRequest(
|
|
$this->getUrl('graph', $path),
|
|
$params
|
|
), true);
|
|
|
|
// results are returned, errors are thrown
|
|
if (is_array($result) && isset($result['error'])) {
|
|
$this->throwAPIException($result);
|
|
}
|
|
|
|
return $result;
|
|
}
|
|
|
|
/**
|
|
* Make a OAuth Request.
|
|
*
|
|
* @param string $url The path (required)
|
|
* @param array $params The query/post data
|
|
*
|
|
* @return string The decoded response object
|
|
* @throws FacebookApiException
|
|
*/
|
|
protected function _oauthRequest($url, $params) {
|
|
if (!isset($params['access_token'])) {
|
|
$params['access_token'] = $this->getAccessToken();
|
|
}
|
|
|
|
// json_encode all params values that are not strings
|
|
foreach ($params as $key => $value) {
|
|
if (!is_string($value)) {
|
|
$params[$key] = json_encode($value);
|
|
}
|
|
}
|
|
|
|
return $this->makeRequest($url, $params);
|
|
}
|
|
|
|
/**
|
|
* Makes an HTTP request. This method can be overridden by subclasses if
|
|
* developers want to do fancier things or use something other than curl to
|
|
* make the request.
|
|
*
|
|
* @param string $url The URL to make the request to
|
|
* @param array $params The parameters to use for the POST body
|
|
* @param CurlHandler $ch Initialized curl handle
|
|
*
|
|
* @return string The response text
|
|
*/
|
|
protected function makeRequest($url, $params, $ch=null) {
|
|
if (!$ch) {
|
|
$ch = curl_init();
|
|
}
|
|
|
|
$opts = self::$CURL_OPTS;
|
|
if ($this->useFileUploadSupport()) {
|
|
$opts[CURLOPT_POSTFIELDS] = $params;
|
|
} else {
|
|
$opts[CURLOPT_POSTFIELDS] = http_build_query($params, null, '&');
|
|
}
|
|
$opts[CURLOPT_URL] = $url;
|
|
|
|
// disable the 'Expect: 100-continue' behaviour. This causes CURL to wait
|
|
// for 2 seconds if the server does not support this header.
|
|
if (isset($opts[CURLOPT_HTTPHEADER])) {
|
|
$existing_headers = $opts[CURLOPT_HTTPHEADER];
|
|
$existing_headers[] = 'Expect:';
|
|
$opts[CURLOPT_HTTPHEADER] = $existing_headers;
|
|
} else {
|
|
$opts[CURLOPT_HTTPHEADER] = array('Expect:');
|
|
}
|
|
|
|
curl_setopt_array($ch, $opts);
|
|
$result = curl_exec($ch);
|
|
|
|
if (curl_errno($ch) == 60) { // CURLE_SSL_CACERT
|
|
self::errorLog('Invalid or no certificate authority found, '.
|
|
'using bundled information');
|
|
curl_setopt($ch, CURLOPT_CAINFO,
|
|
dirname(__FILE__) . '/fb_ca_chain_bundle.crt');
|
|
$result = curl_exec($ch);
|
|
}
|
|
|
|
if ($result === false) {
|
|
$e = new FacebookApiException(array(
|
|
'error_code' => curl_errno($ch),
|
|
'error' => array(
|
|
'message' => curl_error($ch),
|
|
'type' => 'CurlException',
|
|
),
|
|
));
|
|
curl_close($ch);
|
|
throw $e;
|
|
}
|
|
curl_close($ch);
|
|
return $result;
|
|
}
|
|
|
|
/**
|
|
* Parses a signed_request and validates the signature.
|
|
*
|
|
* @param string $signed_request A signed token
|
|
* @return array The payload inside it or null if the sig is wrong
|
|
*/
|
|
protected function parseSignedRequest($signed_request) {
|
|
list($encoded_sig, $payload) = explode('.', $signed_request, 2);
|
|
|
|
// decode the data
|
|
$sig = self::base64UrlDecode($encoded_sig);
|
|
$data = json_decode(self::base64UrlDecode($payload), true);
|
|
|
|
if (strtoupper($data['algorithm']) !== 'HMAC-SHA256') {
|
|
self::errorLog('Unknown algorithm. Expected HMAC-SHA256');
|
|
return null;
|
|
}
|
|
|
|
// check sig
|
|
$expected_sig = hash_hmac('sha256', $payload,
|
|
$this->getApiSecret(), $raw = true);
|
|
if ($sig !== $expected_sig) {
|
|
self::errorLog('Bad Signed JSON signature!');
|
|
return null;
|
|
}
|
|
|
|
return $data;
|
|
}
|
|
|
|
/**
|
|
* Build the URL for api given parameters.
|
|
*
|
|
* @param $method String the method name.
|
|
* @return string The URL for the given parameters
|
|
*/
|
|
protected function getApiUrl($method) {
|
|
static $READ_ONLY_CALLS =
|
|
array('admin.getallocation' => 1,
|
|
'admin.getappproperties' => 1,
|
|
'admin.getbannedusers' => 1,
|
|
'admin.getlivestreamvialink' => 1,
|
|
'admin.getmetrics' => 1,
|
|
'admin.getrestrictioninfo' => 1,
|
|
'application.getpublicinfo' => 1,
|
|
'auth.getapppublickey' => 1,
|
|
'auth.getsession' => 1,
|
|
'auth.getsignedpublicsessiondata' => 1,
|
|
'comments.get' => 1,
|
|
'connect.getunconnectedfriendscount' => 1,
|
|
'dashboard.getactivity' => 1,
|
|
'dashboard.getcount' => 1,
|
|
'dashboard.getglobalnews' => 1,
|
|
'dashboard.getnews' => 1,
|
|
'dashboard.multigetcount' => 1,
|
|
'dashboard.multigetnews' => 1,
|
|
'data.getcookies' => 1,
|
|
'events.get' => 1,
|
|
'events.getmembers' => 1,
|
|
'fbml.getcustomtags' => 1,
|
|
'feed.getappfriendstories' => 1,
|
|
'feed.getregisteredtemplatebundlebyid' => 1,
|
|
'feed.getregisteredtemplatebundles' => 1,
|
|
'fql.multiquery' => 1,
|
|
'fql.query' => 1,
|
|
'friends.arefriends' => 1,
|
|
'friends.get' => 1,
|
|
'friends.getappusers' => 1,
|
|
'friends.getlists' => 1,
|
|
'friends.getmutualfriends' => 1,
|
|
'gifts.get' => 1,
|
|
'groups.get' => 1,
|
|
'groups.getmembers' => 1,
|
|
'intl.gettranslations' => 1,
|
|
'links.get' => 1,
|
|
'notes.get' => 1,
|
|
'notifications.get' => 1,
|
|
'pages.getinfo' => 1,
|
|
'pages.isadmin' => 1,
|
|
'pages.isappadded' => 1,
|
|
'pages.isfan' => 1,
|
|
'permissions.checkavailableapiaccess' => 1,
|
|
'permissions.checkgrantedapiaccess' => 1,
|
|
'photos.get' => 1,
|
|
'photos.getalbums' => 1,
|
|
'photos.gettags' => 1,
|
|
'profile.getinfo' => 1,
|
|
'profile.getinfooptions' => 1,
|
|
'stream.get' => 1,
|
|
'stream.getcomments' => 1,
|
|
'stream.getfilters' => 1,
|
|
'users.getinfo' => 1,
|
|
'users.getloggedinuser' => 1,
|
|
'users.getstandardinfo' => 1,
|
|
'users.hasapppermission' => 1,
|
|
'users.isappuser' => 1,
|
|
'users.isverified' => 1,
|
|
'video.getuploadlimits' => 1);
|
|
$name = 'api';
|
|
if (isset($READ_ONLY_CALLS[strtolower($method)])) {
|
|
$name = 'api_read';
|
|
} else if (strtolower($method) == 'video.upload') {
|
|
$name = 'api_video';
|
|
}
|
|
return self::getUrl($name, 'restserver.php');
|
|
}
|
|
|
|
/**
|
|
* Build the URL for given domain alias, path and parameters.
|
|
*
|
|
* @param $name string The name of the domain
|
|
* @param $path string Optional path (without a leading slash)
|
|
* @param $params array Optional query parameters
|
|
*
|
|
* @return string The URL for the given parameters
|
|
*/
|
|
protected function getUrl($name, $path='', $params=array()) {
|
|
$url = self::$DOMAIN_MAP[$name];
|
|
if ($path) {
|
|
if ($path[0] === '/') {
|
|
$path = substr($path, 1);
|
|
}
|
|
$url .= $path;
|
|
}
|
|
if ($params) {
|
|
$url .= '?' . http_build_query($params, null, '&');
|
|
}
|
|
|
|
return $url;
|
|
}
|
|
|
|
/**
|
|
* Returns the Current URL, stripping it of known FB parameters that should
|
|
* not persist.
|
|
*
|
|
* @return string The current URL
|
|
*/
|
|
protected function getCurrentUrl() {
|
|
if (isset($_SERVER['HTTPS']) && ($_SERVER['HTTPS'] == 'on' || $_SERVER['HTTPS'] == 1)
|
|
|| isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https'
|
|
) {
|
|
$protocol = 'https://';
|
|
}
|
|
else {
|
|
$protocol = 'http://';
|
|
}
|
|
$currentUrl = $protocol . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
|
|
$parts = parse_url($currentUrl);
|
|
|
|
$query = '';
|
|
if (!empty($parts['query'])) {
|
|
// drop known fb params
|
|
$params = explode('&', $parts['query']);
|
|
$retained_params = array();
|
|
foreach ($params as $param) {
|
|
if ($this->shouldRetainParam($param)) {
|
|
$retained_params[] = $param;
|
|
}
|
|
}
|
|
|
|
if (!empty($retained_params)) {
|
|
$query = '?'.implode($retained_params, '&');
|
|
}
|
|
}
|
|
|
|
// use port if non default
|
|
$port =
|
|
isset($parts['port']) &&
|
|
(($protocol === 'http://' && $parts['port'] !== 80) ||
|
|
($protocol === 'https://' && $parts['port'] !== 443))
|
|
? ':' . $parts['port'] : '';
|
|
|
|
// rebuild
|
|
return $protocol . $parts['host'] . $port . $parts['path'] . $query;
|
|
}
|
|
|
|
/**
|
|
* Returns true if and only if the key or key/value pair should
|
|
* be retained as part of the query string. This amounts to
|
|
* a brute-force search of the very small list of Facebook-specific
|
|
* params that should be stripped out.
|
|
*
|
|
* @param string $param A key or key/value pair within a URL's query (e.g.
|
|
* 'foo=a', 'foo=', or 'foo'.
|
|
*
|
|
* @return boolean
|
|
*/
|
|
protected function shouldRetainParam($param) {
|
|
foreach (self::$DROP_QUERY_PARAMS as $drop_query_param) {
|
|
if (strpos($param, $drop_query_param.'=') === 0) {
|
|
return false;
|
|
}
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
/**
|
|
* Analyzes the supplied result to see if it was thrown
|
|
* because the access token is no longer valid. If that is
|
|
* the case, then the persistent store is cleared.
|
|
*
|
|
* @param $result array A record storing the error message returned
|
|
* by a failed API call.
|
|
*/
|
|
protected function throwAPIException($result) {
|
|
$e = new FacebookApiException($result);
|
|
switch ($e->getType()) {
|
|
// OAuth 2.0 Draft 00 style
|
|
case 'OAuthException':
|
|
// OAuth 2.0 Draft 10 style
|
|
case 'invalid_token':
|
|
$message = $e->getMessage();
|
|
if ((strpos($message, 'Error validating access token') !== false) ||
|
|
(strpos($message, 'Invalid OAuth access token') !== false)) {
|
|
$this->setAccessToken(null);
|
|
$this->user = 0;
|
|
$this->clearAllPersistentData();
|
|
}
|
|
}
|
|
|
|
throw $e;
|
|
}
|
|
|
|
|
|
/**
|
|
* Prints to the error log if you aren't in command line mode.
|
|
*
|
|
* @param string $msg Log message
|
|
*/
|
|
protected static function errorLog($msg) {
|
|
// disable error log if we are running in a CLI environment
|
|
// @codeCoverageIgnoreStart
|
|
if (php_sapi_name() != 'cli') {
|
|
error_log($msg);
|
|
}
|
|
// uncomment this if you want to see the errors on the page
|
|
// print 'error_log: '.$msg."\n";
|
|
// @codeCoverageIgnoreEnd
|
|
}
|
|
|
|
/**
|
|
* Base64 encoding that doesn't need to be urlencode()ed.
|
|
* Exactly the same as base64_encode except it uses
|
|
* - instead of +
|
|
* _ instead of /
|
|
*
|
|
* @param string $input base64UrlEncoded string
|
|
* @return string
|
|
*/
|
|
protected static function base64UrlDecode($input) {
|
|
return base64_decode(strtr($input, '-_', '+/'));
|
|
}
|
|
|
|
/**
|
|
* Each of the following four methods should be overridden in
|
|
* a concrete subclass, as they are in the provided Facebook class.
|
|
* The Facebook class uses PHP sessions to provide a primitive
|
|
* persistent store, but another subclass--one that you implement--
|
|
* might use a database, memcache, or an in-memory cache.
|
|
*
|
|
* @see Facebook
|
|
*/
|
|
|
|
/**
|
|
* Stores the given ($key, $value) pair, so that future calls to
|
|
* getPersistentData($key) return $value. This call may be in another request.
|
|
*
|
|
* @param string $key
|
|
* @param array $value
|
|
*
|
|
* @return void
|
|
*/
|
|
abstract protected function setPersistentData($key, $value);
|
|
|
|
/**
|
|
* Get the data for $key, persisted by BaseFacebook::setPersistentData()
|
|
*
|
|
* @param string $key The key of the data to retrieve
|
|
* @param boolean $default The default value to return if $key is not found
|
|
*
|
|
* @return mixed
|
|
*/
|
|
abstract protected function getPersistentData($key, $default = false);
|
|
|
|
/**
|
|
* Clear the data with $key from the persistent storage
|
|
*
|
|
* @param string $key
|
|
* @return void
|
|
*/
|
|
abstract protected function clearPersistentData($key);
|
|
|
|
/**
|
|
* Clear all data from the persistent storage
|
|
*
|
|
* @return void
|
|
*/
|
|
abstract protected function clearAllPersistentData();
|
|
}
|