Beispiel #1
 public function auth_getSession($auth_token)
 {
     // Exchange an auth_token for the session it has been bound to and
     // return an api10_session_info describing that session. Every failure
     // path raises API_EC_PARAM through throw_code(); the comments below
     // are the only place the distinct causes are spelled out.
     if (!$auth_token) {
         $this->throw_code(api10_FacebookApiErrorCode::API_EC_PARAM);
     }
     $token_info = api_authtoken_get_info($this->app_id, $auth_token);
     if (!$token_info || !$token_info['session_key']) {
         // token is unknown, or has never been bound to a session key
         $this->throw_code(api10_FacebookApiErrorCode::API_EC_PARAM);
     }
     $bound_key = $token_info['session_key'];
     $stored = api_session_get_info($bound_key, $this->app_id);
     if (!$stored) {
         // Several auth_token <-> session_key mappings may exist at once,
         // but only one of those session keys is actually live.
         $this->throw_code(api10_FacebookApiErrorCode::API_EC_PARAM);
     }
     $session = new api10_session_info();
     $session->session_key = $bound_key;
     $session->uid = api_session_extract_uid($bound_key, $this->app_id);
     // A session_timeout of 0 is reported as expires = 0 (no expiry);
     // the loose comparison is deliberate so "0" and null count as zero.
     $session->expires = $stored['session_timeout'] == 0
         ? 0
         : $stored['key_create_time'] + $stored['session_timeout'];
     // The session secret is only handed back to desktop applications;
     // server applications never see it in this response.
     $owner_app = application_get_info($this->app_id);
     if ($owner_app['desktop']) {
         $session->secret = $stored['session_secret'];
     }
     return $session;
 }
Beispiel #2
function api_session_get_info($session_key, $app_id)
{
    global $data_conn;
    // Look up the stored session row for a session key.
    // Returns null for a malformed key, false when there is no database
    // connection or the query fails, and otherwise whatever
    // mysql_fetch_assoc() gives back (the row, or false when nothing matched).
    // NOTE(review): $app_id is accepted but never used here - neither the
    // uid extraction nor the query is scoped to the application, so confirm
    // whether the lookup should be restricted by app as well.
    $owner_uid = api_session_extract_uid($session_key);
    if (!$owner_uid) {
        // apps do send malformed session keys now and then
        return null;
    }
    if (!$data_conn) {
        return false;
    }
    // NOTE(review): queryf() is relied on to quote/escape the %s argument;
    // $session_key is caller-supplied, so verify that it does.
    $query = 'SELECT * FROM session WHERE uid=%d and session_key=%s';
    $result = queryf($data_conn, $query, $owner_uid, $session_key);
    if (!$result) {
        return false;
    }
    return mysql_fetch_assoc($result);
}
Beispiel #3
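/**
 * Validate an API request from a vendor - check that it has a valid api_key, the correct
 * signature, and that it has an active session.  Retrieve the application_id
 * and user_id associated with the request.
 *
 * Checks run in this order: api_key -> application state -> IP list /
 * throttling -> session -> signature. The signature is checked last because
 * the signing secret depends on the session for desktop apps and for
 * session-secret requests.
 *
 * @param array $request The array of arguments (name=>values) passed to us (e.g. $_REQUEST).
 *   To successfully validate it must contain 'api_key', 'method' and 'sig', plus
 *   'session_key' when the method (or $use_session_secret) requires a session.
 * @param int $app_id gets filled in with the appropriate application id on success.
 * @param int $uid gets filled in with the user id associated with the session on success;
 *   left untouched when the request carries no session key.
 * @param bool $throttle when false, the per-application call-limit checks are skipped.
 * @param bool $use_session_secret when true, a session_key is mandatory and the signature
 *   is verified against the session secret instead of the application secret.
 * @return int API_EC_SUCCESS on success, or another API_EC_* if the request failed validation.
 */
function api_validate_api_request($request, &$app_id, &$uid, $throttle = true, $use_session_secret = false)
{
    $api_key = isset($request['api_key']) ? $request['api_key'] : null;
    if (!$api_key || !($app_info = application_get_info_from_key($api_key))) {
        return API_EC_PARAM_API_KEY;
    }
    $app_id = $app_info['application_id'];
    // If application is disabled, their api_key is no longer valid,
    // though we may store it for future request tracking.
    if ($app_info['approved'] == -1) {
        return API_EC_PARAM_API_KEY;
    }
    // Similarly, if the app is deleted, the api_key is no good.  If
    // we've done everything else right, deleted apps shouldn't be
    // returned by the application_get_info_* functions, but better safe
    // than sorry.
    if ($app_info['deleted']) {
        return API_EC_PARAM_API_KEY;
    }
    $session_key = isset($request['session_key']) ? $request['session_key'] : null;
    if ($app_info['desktop']) {
        // Desktop apps are rate-limited per session key rather than per app.
        if ($throttle && ($ec = api_desktop_check_call_limit($app_id, $session_key)) !== API_EC_SUCCESS) {
            return $ec;
        }
    } else {
        // Server apps may pin an allow-list of caller addresses.
        if ($app_info['ip_list'] && !iplist_contains_ip($app_info['ip_list'], $_SERVER['REMOTE_ADDR'])) {
            return API_EC_BAD_IP;
        }
        if ($throttle && ($ec = api_server_check_call_limit($app_id)) !== API_EC_SUCCESS) {
            return $ec;
        }
    }
    // If $use_session_secret is true, then session_key must be provided
    if ($use_session_secret && !$session_key) {
        return API_EC_PARAM_SESSION_KEY;
    }
    // The application secret is the default signing secret; it is replaced by
    // the session secret below where applicable, which is why the signature
    // check has to wait until the session has been examined.
    $secret = $app_info['secret'];
    $method = isset($request['method']) ? $request['method'] : null;
    if (!$method) {
        return API_EC_METHOD;
    }
    $method_requires_session = api_method_requires_session($method);
    // Some methods don't require a session key but still work with session key.
    // Even if the method doesn't require a session key and the session key is passed in, the session key
    // should be respected, it's up to the individual method to figure out the tangled mess for itself...
    if ($method_requires_session || $session_key) {
        // If the method requires a session and one isn't provided, FAIL fast...
        if ($method_requires_session && !$session_key) {
            return API_EC_PARAM_SESSION_KEY;
        }
        if ($app_info['desktop'] || $use_session_secret) {
            $session_info = api_session_get_info($session_key, $app_id);
            // Fail closed: api_session_get_info() returns null/false when the
            // session is unknown or the lookup fails, and without this guard the
            // signature below would be verified against a null secret.
            if (!$session_info || !isset($session_info['session_secret'])
                || $session_info['session_secret'] === '') {
                return API_EC_PARAM_SESSION_KEY;
            }
            $secret = $session_info['session_secret'];
        }
        // If the developer provides a session key even if it's not required, fail if it's not valid...
        if ($session_key && !($uid = api_session_extract_uid($session_key, $app_id))) {
            return API_EC_PARAM_SESSION_KEY;
        }
        if ($session_key && ($ec = api_session_check_valid($session_key, $app_id)) !== API_EC_SUCCESS) {
            return $ec;
        }
        /* The request has now been validated! */
        $GLOBALS['user'] = $uid;
        // a bunch of utility functions expect a global $user to be set
    }
    $sig = isset($request['sig']) ? $request['sig'] : null;
    if (!api_request_is_properly_signed($request, $secret, $sig)) {
        return API_EC_PARAM_SIGNATURE;
    }
    return API_EC_SUCCESS;
}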