api_key = $api_key;
$this->secret = $secret;
$this->api_client = new FacebookRestClient($api_key, $secret);
$this->validate_fb_params();
if (isset($this->fb_params['friends'])) {
$this->api_client->friends_list = explode(',', $this->fb_params['friends']);
}
if (isset($this->fb_params['added'])) {
$this->api_client->added = $this->fb_params['added'];
}
}
/**
 * Locates signed Facebook parameters for this request and sets the current user.
 *
 * Sources are tried in order: signed POST params, then signed GET params (both
 * rejected when older than 48 hours), then signed cookies under the api_key
 * prefix (no age limit is applied there; only the signature is checked), and
 * finally an auth_token from the query string exchanged for a session.
 *
 * @return bool true when valid signed fb_sig params were found on the request
 */
public function validate_fb_params() {
    $max_age = 48 * 3600;
    $this->fb_params = $this->get_valid_fb_params($_POST, $max_age, 'fb_sig');
    if (!$this->fb_params) {
        $this->fb_params = $this->get_valid_fb_params($_GET, $max_age, 'fb_sig');
    }

    if ($this->fb_params) {
        // Signed params are authoritative. They either carry a user/session_key
        // (trusted as-is) or omit them, in which case the user has no valid
        // session and set_user() with nulls clears it. Cookies are deliberately
        // ignored here because they may refer to a different user.
        $user = isset($this->fb_params['user']) ? $this->fb_params['user'] : null;
        $session_key = isset($this->fb_params['session_key']) ? $this->fb_params['session_key'] : null;
        $expires = isset($this->fb_params['expires']) ? $this->fb_params['expires'] : null;
        $this->set_user($user, $session_key, $expires);
    } else {
        // Cookies are prefixed with "<api_key>_" so several Facebook clients can
        // coexist on one domain. The null timeout means no freshness check is
        // applied to the cookie set beyond the cookies' own expiry.
        $cookies = empty($_COOKIE)
            ? array()
            : $this->get_valid_fb_params($_COOKIE, null, $this->api_key);
        if ($cookies) {
            $this->set_user($cookies['user'], $cookies['session_key']);
        } elseif (isset($_GET['auth_token'])) {
            $session = $this->do_get_session($_GET['auth_token']);
            if ($session) {
                $this->set_user($session['uid'], $session['session_key'], $session['expires']);
            }
        }
    }

    return !empty($this->fb_params);
}
/**
 * Exchanges an auth_token for a session via auth.getSession.
 *
 * @param string $auth_token token handed back by the Facebook login flow
 * @return array|null the session array from the API, or null when the API
 *   answers API_EC_PARAM (no logged-in user behind this token)
 * @throws FacebookRestClientException for any other API error code
 */
public function do_get_session($auth_token) {
    try {
        return $this->api_client->auth_getSession($auth_token);
    } catch (FacebookRestClientException $e) {
        // API_EC_PARAM only tells us there is no logged-in user for this token.
        // Anything else is unexpected, so let it propagate to the caller.
        if ($e->getCode() == FacebookAPIErrorCodes::API_EC_PARAM) {
            return null;
        }
        throw $e;
    }
}
/**
 * Sends the browser to $url and terminates the request.
 *
 * Inside the Facebook canvas the redirect is emitted as page output; for a
 * facebook.com URL outside the canvas it is emitted as output too, so the
 * page loads in the full frame instead of a frame within a frame; any other
 * URL gets a Location header.
 *
 * NOTE(review): both echoed bodies are empty strings in this copy of the file;
 * the markup they originally carried appears to be missing — confirm upstream.
 * The Location branch performs no validation of $url; the callers in this
 * class only pass URLs they built themselves, which should stay that way.
 *
 * @param string $url destination URL
 * @return void never returns; the script exits
 */
public function redirect($url) {
    $facebook_url_pattern = '/^https?:\/\/([^\/]*\.)?facebook\.com(:\d+)?/i';

    if ($this->in_fb_canvas()) {
        echo '';
    } elseif (preg_match($facebook_url_pattern, $url)) {
        echo "";
    } else {
        header('Location: ' . $url);
    }

    exit;
}
/**
 * Whether the signed params say this request is rendered inside Facebook,
 * either as a canvas page or as an iframe.
 *
 * @return bool
 */
public function in_frame() {
    $in_canvas = isset($this->fb_params['in_canvas']);
    $in_iframe = isset($this->fb_params['in_iframe']);
    return $in_canvas || $in_iframe;
}
/**
 * Whether the signed params flag this request as a Facebook canvas page.
 *
 * @return bool
 */
public function in_fb_canvas() {
    $params = $this->fb_params;
    return isset($params['in_canvas']);
}
/**
 * Returns the user id recorded by set_user() for this request.
 *
 * @return mixed the current user id, or null when no user was established
 */
public function get_loggedin_user() {
    $current_user = $this->user;
    return $current_user;
}
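/**
 * Reconstructs the absolute URL of the current request from the server environment.
 *
 * The scheme is https when the server reports an active TLS connection
 * ($_SERVER['HTTPS'] set, non-empty and not 'off'), otherwise http; the
 * original always produced http, which breaks the login "next" round-trip
 * on TLS deployments. HTTP_HOST comes from the client's Host header, so the
 * result is only as trustworthy as the web server's virtual-host setup.
 *
 * @return string absolute URL of the current request
 */
public static function current_url() {
    $is_https = isset($_SERVER['HTTPS'])
        && $_SERVER['HTTPS'] !== ''
        && strtolower($_SERVER['HTTPS']) !== 'off';
    // Missing keys (e.g. CLI) yield empty components rather than notices.
    $host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
    $request_uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
    return ($is_https ? 'https' : 'http') . '://' . $host . $request_uri;
}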
/**
 * Returns the logged-in user id, or redirects to the Facebook login page
 * (and exits) when there is none.
 *
 * @return mixed the current user id when one exists
 */
public function require_login() {
    $user = $this->get_loggedin_user();
    if ($user) {
        return $user;
    }
    // No session: bounce through login.php and come back to this URL.
    $login_url = $this->get_login_url(self::current_url(), $this->in_frame());
    $this->redirect($login_url);
}
/**
 * Backwards-compatible alias for require_add().
 *
 * @deprecated use require_add()
 * @return mixed see require_add()
 */
public function require_install() {
    $result = $this->require_add();
    return $result;
}
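/**
 * Returns the user id when the user is logged in and has added the
 * application; otherwise redirects to the add page (and exits).
 *
 * @return mixed the current user id when logged in with the app added
 */
public function require_add() {
    $user = $this->get_loggedin_user();
    // A user established from cookies or an auth_token may have no fb_params
    // at all, so test 'added' with !empty instead of indexing blindly; the
    // outcome (redirect) is the same, minus the undefined-index notice.
    if ($user && !empty($this->fb_params['added'])) {
        return $user;
    }
    $this->redirect($this->get_add_url(self::current_url()));
}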
/**
 * Forces the page to be viewed inside Facebook: when the request is not
 * framed, redirects to the login page with the canvas flag set (and exits).
 *
 * @return void
 */
public function require_frame() {
    if ($this->in_frame()) {
        return;
    }
    $this->redirect($this->get_login_url(self::current_url(), true));
}
/**
 * Builds the base URL for a facebook.com subdomain (plain http, as this
 * client was written; the scheme is not configurable here).
 *
 * @param string $subdomain host label in front of facebook.com
 * @return string e.g. http://www.facebook.com
 */
public static function get_facebook_url($subdomain='www') {
    $host = $subdomain . '.facebook.com';
    return 'http://' . $host;
}
/**
 * Backwards-compatible alias for get_add_url().
 *
 * @deprecated use get_add_url()
 * @param string|null $next URL to return to after adding
 * @return string
 */
public function get_install_url($next=null) {
    $add_url = $this->get_add_url($next);
    return $add_url;
}
/**
 * Builds the URL of the "add application" page for this api_key.
 *
 * The api_key is inserted without urlencode(); only $next is encoded.
 *
 * @param string|null $next URL to return to afterwards (omitted when falsy)
 * @return string
 */
public function get_add_url($next=null) {
    $url = self::get_facebook_url() . '/add.php?api_key=' . $this->api_key;
    if ($next) {
        $url .= '&next=' . urlencode($next);
    }
    return $url;
}
/**
 * Builds the URL of the Facebook login page for this api_key.
 *
 * The api_key is inserted without urlencode(); only $next is encoded.
 *
 * @param string|null $next URL to return to after login (omitted when falsy)
 * @param bool $canvas append the bare "canvas" flag when truthy
 * @return string
 */
public function get_login_url($next, $canvas) {
    $url = self::get_facebook_url() . '/login.php?v=1.0&api_key=' . $this->api_key;
    if ($next) {
        $url .= '&next=' . urlencode($next);
    }
    if ($canvas) {
        $url .= '&canvas';
    }
    return $url;
}
/**
 * Computes the request signature used by this signing scheme: the params
 * sorted by key, concatenated as "key=value" with no separators, followed by
 * the secret, then md5-hexed.
 *
 * The signature parameter itself must not be present in $params_array.
 * ksort() runs on the by-value copy, so the caller's array is untouched.
 *
 * @param array $params_array name => value pairs to sign
 * @param string $secret application secret appended before hashing
 * @return string 32-char lowercase hex digest
 */
public static function generate_sig($params_array, $secret) {
    ksort($params_array);
    $pieces = array();
    foreach ($params_array as $key => $value) {
        $pieces[] = $key . '=' . $value;
    }
    return md5(implode('', $pieces) . $secret);
}
/**
 * Records the current user and session on this client and, outside the
 * canvas, mirrors them into signed cookies.
 *
 * Cookies are (re)written only when the "<api_key>_user" cookie is absent
 * or names a different user (loose != comparison, as in the original).
 * Three cookies are set: "<api_key>_user", "<api_key>_session_key" and
 * "<api_key>" holding the signature over the first two. $_COOKIE is updated
 * in step so later reads within this request see the new values.
 *
 * NOTE(review): setcookie() is called with only an expiry — no path, domain,
 * secure or httponly flags — so the session_key cookie is readable by script
 * and sent over plain http; confirm whether any client-side code needs it
 * before tightening.
 *
 * @param mixed $user user id, or null to clear
 * @param mixed $session_key session key, or null to clear
 * @param mixed $expires cookie expiry timestamp; cast to int (0 = session cookie)
 * @return void
 */
public function set_user($user, $session_key, $expires=null) {
    $user_cookie_name = $this->api_key . '_user';
    $cookie_is_stale = !isset($_COOKIE[$user_cookie_name])
        || $_COOKIE[$user_cookie_name] != $user;

    if (!$this->in_fb_canvas() && $cookie_is_stale) {
        $values = array(
            'user' => $user,
            'session_key' => $session_key,
        );
        $sig = self::generate_sig($values, $this->secret);
        $lifetime = (int)$expires;

        foreach ($values as $suffix => $value) {
            $cookie_name = $this->api_key . '_' . $suffix;
            setcookie($cookie_name, $value, $lifetime);
            $_COOKIE[$cookie_name] = $value;
        }
        setcookie($this->api_key, $sig, $lifetime);
        $_COOKIE[$this->api_key] = $sig;
    }

    $this->user = $user;
    $this->api_client->session_key = $session_key;
}
/**
 * Tries to undo the badness of magic quotes as best we can.
 *
 * Only strips when magic_quotes_gpc is on; otherwise the value is returned
 * untouched. (get_magic_quotes_gpc() only exists on PHP versions that still
 * have the feature.)
 *
 * @param string $val Should come directly from $_GET, $_POST, etc.
 * @return string val without added slashes
 */
public static function no_magic_quotes($val) {
    return get_magic_quotes_gpc() ? stripslashes($val) : $val;
}
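/**
 * Extracts the "<namespace>_*" entries from $params and returns them (with the
 * prefix stripped) only if they are fresh and correctly signed.
 *
 * Freshness: when $timeout is truthy, the 'time' entry must be present,
 * numeric, and no more than $timeout seconds in the past. Only staleness is
 * checked; a timestamp in the future passes. Authenticity: $params[$namespace]
 * must equal the signature generate_sig() produces over the extracted entries.
 *
 * @param array $params raw input such as $_POST, $_GET or $_COOKIE
 * @param int|null $timeout max age in seconds, or null/0 to skip the age check
 * @param string $namespace key prefix; also the key holding the signature
 * @return array the validated params, or an empty array on any failure
 */
public function get_valid_fb_params($params, $timeout=null, $namespace='fb_sig') {
    $prefix = $namespace . '_';
    $prefix_len = strlen($prefix);
    $fb_params = array();
    foreach ($params as $name => $val) {
        if (strpos($name, $prefix) === 0) {
            $fb_params[substr($name, $prefix_len)] = self::no_magic_quotes($val);
        }
    }
    if ($timeout) {
        // 'time' is still unverified input here (the signature is checked below),
        // so require a numeric value before doing arithmetic on it: a non-numeric
        // string or an array would otherwise produce a warning/fatal instead of
        // a clean rejection.
        if (!isset($fb_params['time'])
            || !is_numeric($fb_params['time'])
            || time() - $fb_params['time'] > $timeout) {
            return array();
        }
    }
    if (!isset($params[$namespace]) || !$this->verify_signature($fb_params, $params[$namespace])) {
        return array();
    }
    return $fb_params;
}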
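/**
 * Checks that $expected_sig is the signature of $fb_params under this
 * client's secret.
 *
 * The original compared with ==, which on two numeric-looking hex digests
 * (e.g. both of the form "0e…") treats them as equal numbers rather than
 * equal strings. This compares the digests as strings, in constant time
 * where hash_equals() is available, and rejects non-string input outright
 * (the signature comes straight from the request and could be an array).
 *
 * @param array $fb_params validated-prefix params, signature excluded
 * @param mixed $expected_sig signature supplied with the request
 * @return bool
 */
public function verify_signature($fb_params, $expected_sig) {
    if (!is_string($expected_sig)) {
        return false;
    }
    $computed = self::generate_sig($fb_params, $this->secret);
    if (function_exists('hash_equals')) {
        return hash_equals($computed, $expected_sig);
    }
    return $computed === $expected_sig;
}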
}
?>