/**
 * Parses and verifies a signed request.
 *
 * The input has the form "<base64url signature>.<base64url payload>". The
 * payload is decoded as JSON and returned only if it declares the
 * HMAC-SHA256 algorithm and its signature matches an HMAC of the still
 * encoded payload computed with the app secret.
 *
 * @param string $signedRequest The signed request string to verify.
 *
 * @return array The decoded payload.
 *
 * @throws FacebookSDKException 606 when no '.' separator is present,
 *                              605 when the payload does not declare HMAC-SHA256,
 *                              602 when the signature does not match.
 */
private function parseSignedRequest($signedRequest)
{
    if (strpos($signedRequest, '.') === false) {
        throw new FacebookSDKException('Malformed signed request.', 606);
    }

    $parts = explode('.', $signedRequest, 2);
    $encodedSig = $parts[0];
    $encodedData = $parts[1];

    $givenSig = FacebookSession::_base64UrlDecode($encodedSig);
    $payload = json_decode(FacebookSession::_base64UrlDecode($encodedData), true);

    // Anything that does not explicitly declare HMAC-SHA256 is rejected; this
    // also covers a payload that failed to decode, since isset() is false on null.
    if (!isset($payload['algorithm']) || $payload['algorithm'] !== 'HMAC-SHA256') {
        throw new FacebookSDKException('Invalid signed request, using wrong algorithm.', 605);
    }

    // The MAC covers the encoded payload and is produced as raw bytes so it can
    // be compared byte-for-byte with the decoded signature.
    $expectedSig = hash_hmac('sha256', $encodedData, FacebookSession::_getTargetAppSecret(), true);

    // A length mismatch can never be a valid signature; rejecting it here also
    // keeps the byte loop below within bounds of both strings.
    $sigLength = strlen($expectedSig);
    if (strlen($givenSig) !== $sigLength) {
        throw new FacebookSDKException('Invalid signature on signed request.', 602);
    }

    // Constant-time comparison: XOR every byte pair and OR the results together,
    // so the loop never exits early on the first differing byte. hash_equals()
    // provides the same guarantee on PHP >= 5.6.
    $mismatch = 0;
    for ($offset = 0; $offset < $sigLength; $offset++) {
        $mismatch |= ord($expectedSig[$offset]) ^ ord($givenSig[$offset]);
    }
    if ($mismatch !== 0) {
        throw new FacebookSDKException('Invalid signature on signed request.', 602);
    }

    return $payload;
}