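/**
  * Parses a signed request and verifies its HMAC-SHA256 signature.
  *
  * @param string $signedRequest The raw signed request, in the form "signature.payload".
  *
  * @return array The decoded payload, returned only after the signature has been verified.
  *
  * @throws FacebookSDKException If the request is malformed, declares an algorithm other
  *                              than HMAC-SHA256, or carries an invalid signature.
  */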
 private function parseSignedRequest($signedRequest)
 {
     // A signed request is "<signature>.<payload>", both base64url encoded.
     // Without the separator there is nothing to verify.
     if (strpos($signedRequest, '.') === false) {
         throw new FacebookSDKException('Malformed signed request.', 606);
     }

     $parts = explode('.', $signedRequest, 2);
     $encodedSig = $parts[0];
     $encodedData = $parts[1];

     $receivedMac = FacebookSession::_base64UrlDecode($encodedSig);
     // The payload is decoded before its signature is checked, so nothing read
     // from it (including 'algorithm') is trustworthy until the comparison
     // below has succeeded.
     $payload = json_decode(FacebookSession::_base64UrlDecode($encodedData), true);

     // Only HMAC-SHA256 is accepted; a missing or different algorithm is rejected
     // rather than negotiated.
     if (!isset($payload['algorithm']) || $payload['algorithm'] !== 'HMAC-SHA256') {
         throw new FacebookSDKException('Invalid signed request, using wrong algorithm.', 605);
     }

     // The MAC is computed over the still-encoded payload, keyed with the app secret.
     // NOTE(review): assumes _getTargetAppSecret() never yields an empty secret;
     // confirm, since the MAC is only as strong as that key.
     $computedMac = hash_hmac('sha256', $encodedData, FacebookSession::_getTargetAppSecret(), true);

     // The length of an HMAC-SHA256 digest is public, so rejecting early on a
     // length mismatch reveals nothing about the secret.
     $receivedLength = strlen($receivedMac);
     if ($receivedLength !== strlen($computedMac)) {
         throw new FacebookSDKException('Invalid signature on signed request.', 602);
     }

     // Accumulate the XOR of every byte pair instead of returning at the first
     // difference, so the time taken does not depend on where the signatures diverge.
     // NOTE(review): hash_equals() (PHP >= 5.6) performs the same timing-safe
     // comparison; prefer it if the minimum supported PHP version allows.
     $difference = 0;
     for ($pos = 0; $pos < $receivedLength; ++$pos) {
         $difference |= ord($computedMac[$pos]) ^ ord($receivedMac[$pos]);
     }
     if ($difference !== 0) {
         throw new FacebookSDKException('Invalid signature on signed request.', 602);
     }

     return $payload;
 }