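/**
 * Build the fb_sig_* parameter set, plus its signature, that is handed to an
 * application so it can verify the request originated from the platform.
 *
 * Every entry of $others is emitted as fb_sig_<name>. 'time' and 'api_key'
 * are always added; when a user is known, 'added' is added, and when a
 * session exists 'user', 'session_key', 'expires' and $logged_in_others
 * are added as well. The unprefixed set is signed with the application
 * secret, or with the session secret for desktop applications.
 *
 * @param mixed $user             user id, or an array carrying a 'user' entry
 * @param mixed $app_id           application id
 * @param array $others           extra parameters to emit and sign
 * @param array $logged_in_others parameters added only when a session exists;
 *                                keys already present in $others are kept (array union)
 * @param mixed $require_login    when truthy, emit fb_sig_user even with no session
 * @return array fb_sig_<name> => value, plus 'fb_sig' => signature
 */
function get_fb_validation_vars($user, $app_id, $others = [], $logged_in_others = [], $require_login = null) {
    global $DEMO_SESSION_KEY;

    $app_info = application_get_short_info($app_id);
    $secret = $app_info['secret'];
    // microtime(true) is a float; the stringified value is what gets signed.
    $others['time'] = (string) microtime(true);

    if (is_array($user)) {
        $user = $user['user'];
    }

    if ($user) {
        $others['added'] = (int) is_platform_app_installed($app_id, $user);
        $session_key = $DEMO_SESSION_KEY; // FBOPEN:NOTE - stub: assume user session exists
        if ($session_key) {
            $others['user'] = $user;
            $others['session_key'] = $session_key;
            $session_info = api_session_get_info($session_key, $app_id);
            if ($app_info['desktop']) {
                // Desktop apps are signed with the per-session secret, not the app secret.
                $secret = $session_info['session_secret'];
            }
            // A zero timeout is reported as a non-expiring session.
            if ($session_info['session_timeout'] == 0) {
                $others['expires'] = 0;
            } else {
                $others['expires'] = $session_info['key_create_time'] + $session_info['session_timeout'];
            }
            // Array union: entries already present in $others take precedence.
            $others += $logged_in_others;
        } elseif ($require_login) {
            $others['user'] = $user;
        }
    }

    $others['api_key'] = $app_info['apikey'];

    $vars = [];
    foreach ($others as $n => $v) {
        $vars['fb_sig_' . $n] = $v;
    }
    // The signature covers the unprefixed parameter set.
    $vars['fb_sig'] = api_generate_sig($others, $secret);
    return $vars;
}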
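/**
 * Checks if a session is still valid (ie has not timed out).
 *
 * @param string $session_key session key exactly as supplied by the caller (untrusted)
 * @param mixed  $app_id      application the session belongs to
 * @return int API_EC_SUCCESS on success or another API_EC_* on error
 */
function api_session_check_valid($session_key, $app_id) {
    // Make sure we are passed a well-formed session key before trying it.
    // Attempts to match v0.9 and v1 session keys. The D modifier makes '$'
    // anchor at the very end of the string, so a key carrying a trailing
    // newline is rejected here instead of being passed on to the lookup.
    if (!preg_match('/^[0-9a-f]+-[.\\w-]+$/D', $session_key)) {
        return API_EC_PARAM_SESSION_KEY;
    }

    $info = api_session_get_info($session_key, $app_id);
    if (!$info) {
        return API_EC_PARAM_SESSION_KEY;
    }

    $app_info = application_get_info($app_id);
    if (!$app_info) {
        error_log('api_session_check_valid: invalid app id?');
        return API_EC_UNKNOWN;
    }

    if (api_is_session_timed_out($session_key, $app_id)) {
        return API_EC_PARAM_SESSION_KEY;
    }

    if ($app_info['desktop']) {
        // desktop apps have a timeout based on the time since the last
        // request instead of time since session created.
        // NOTE: this only refreshes the local copy of $info; nothing in this
        // function writes it back, so the stored create time is unchanged.
        $info['key_create_time'] = time();
        // FBOPEN: NOTE - Here, you may wish to set this new session in
        // memcache or some more temporary storage, as these turn over
        // quite a bit.
    }
    return API_EC_SUCCESS;
}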
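/**
 * auth.getSession: exchange an auth_token for the session it was bound to.
 *
 * throw_code() is relied upon not to return (the original code also
 * dereferences $info right after a throw_code() on !$info).
 *
 * @param string $auth_token token handed to the application at login (untrusted)
 * @return api10_session_info session key, uid, expiry and, for desktop apps only, the session secret
 */
public function auth_getSession($auth_token) {
    if (!$auth_token) {
        $this->throw_code(api10_FacebookApiErrorCode::API_EC_PARAM);
    }

    $info = api_authtoken_get_info($this->app_id, $auth_token);
    if (!$info || !$info['session_key']) {
        // if the auth_token is invalid or hasn't been bound to a session key
        $this->throw_code(api10_FacebookApiErrorCode::API_EC_PARAM);
    }

    $session_key = $info['session_key'];
    $session_info = api_session_get_info($session_key, $this->app_id);
    if (!$session_info) {
        // There might be multiple valid auth_token <-> session_key
        // mappings, but only one of the session_key values is actually
        // valid.
        $this->throw_code(api10_FacebookApiErrorCode::API_EC_PARAM);
    }

    // Resolve the application before reading its fields; previously a
    // false return value was indexed directly.
    $app_info = application_get_info($this->app_id);
    if (!$app_info) {
        // Same code api_session_check_valid() returns for an unresolvable app id.
        // Assumes the global API_EC_* constants carry the values throw_code() expects - TODO confirm.
        $this->throw_code(API_EC_UNKNOWN);
    }

    $session = new api10_session_info();
    $session->session_key = $session_key;
    $session->uid = api_session_extract_uid($session_key, $this->app_id);
    // A zero timeout is reported as a non-expiring session.
    if ($session_info['session_timeout'] == 0) {
        $session->expires = 0;
    } else {
        $session->expires = $session_info['key_create_time'] + $session_info['session_timeout'];
    }
    if ($app_info['desktop']) {
        // Only desktop apps are handed the per-session secret.
        $session->secret = $session_info['session_secret'];
    }
    return $session;
}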
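/**
 * Validate an API request from a vendor - check that it has a valid api_key, the correct
 * signature, and that it has an active session. Retrieve the application_id
 * and user_id associated with the request.
 *
 * The signature is checked last, after the session has been resolved, because
 * desktop applications (and callers passing $use_session_secret) sign with the
 * session secret rather than the application secret.
 *
 * @param array $request The array of arguments (name=>values) passed to us (e.g. $_REQUEST).
 *        To successfully validate it must contain 'api_key', 'method' and 'sig', plus
 *        'session_key' when the method requires a session or $use_session_secret is set.
 * @param mixed $app_id gets filled in with the appropriate application id as soon as the
 *        api_key resolves (so it may be set even when a later check fails).
 * @param mixed $uid gets filled in with the user id associated with the session on success.
 * @param bool $throttle when true, enforce the per-application call limit.
 * @param bool $use_session_secret when true, require a session_key and verify the signature
 *        with the session secret even for non-desktop applications.
 * @return int API_EC_SUCCESS on success, or another API_EC_* if the request failed validation.
 */
function api_validate_api_request($request, &$app_id, &$uid, $throttle = true, $use_session_secret = false) {
    $api_key = $request['api_key'] ?? null;
    if (!$api_key || !($app_info = application_get_info_from_key($api_key))) {
        return API_EC_PARAM_API_KEY;
    }
    $app_id = $app_info['application_id'];

    // If application is disabled, their api_key is no longer valid,
    // though we may store it for future request tracking.
    if ($app_info['approved'] == -1) {
        return API_EC_PARAM_API_KEY;
    }
    // Similarly, if the app is deleted, the api_key is no good. If
    // we've done everything else right, deleted apps shouldn't be
    // returned by the application_get_info_* functions, but better safe
    // than sorry.
    if ($app_info['deleted']) {
        return API_EC_PARAM_API_KEY;
    }

    $session_key = $request['session_key'] ?? null;

    if ($app_info['desktop']) {
        if ($throttle && ($ec = api_desktop_check_call_limit($app_id, $session_key)) !== API_EC_SUCCESS) {
            return $ec;
        }
    } else {
        // Server-side apps may restrict the source addresses they call from.
        if ($app_info['ip_list'] && !iplist_contains_ip($app_info['ip_list'], $_SERVER['REMOTE_ADDR'])) {
            return API_EC_BAD_IP;
        }
        if ($throttle && ($ec = api_server_check_call_limit($app_id)) !== API_EC_SUCCESS) {
            return $ec;
        }
    }

    // If $use_session_secret is true, then session_key must be provided
    if ($use_session_secret && !$session_key) {
        return API_EC_PARAM_SESSION_KEY;
    }

    $secret = $app_info['secret']; // will sig check after checking the session, since some apps have a session secret

    $method = $request['method'] ?? null;
    if (!$method) {
        return API_EC_METHOD;
    }

    $method_requires_session = api_method_requires_session($method);
    // Some methods don't require a session key but still work with session key.
    // Even if the method doesn't require a session key and the session key is passed in, the session key
    // should be respected, it's up to the individual method to figure out the tangled mess for itself...
    if ($method_requires_session || $session_key) {
        // If the method requires a session and one isn't provided, FAIL fast...
        if ($method_requires_session && !$session_key) {
            return API_EC_PARAM_SESSION_KEY;
        }
        // From here on $session_key is non-empty.

        if ($app_info['desktop'] || $use_session_secret) {
            $session_info = api_session_get_info($session_key, $app_id);
            if (!$session_info) {
                // Unknown session: refuse here rather than carrying on with an
                // empty secret and relying on the later checks to reject it.
                return API_EC_PARAM_SESSION_KEY;
            }
            $secret = $session_info['session_secret'];
        }

        // If the developer provides a session key even if it's not required, fail if it's not valid...
        if (!($uid = api_session_extract_uid($session_key, $app_id))) {
            return API_EC_PARAM_SESSION_KEY;
        }
        if (($ec = api_session_check_valid($session_key, $app_id)) !== API_EC_SUCCESS) {
            return $ec;
        }

        /* The request has now been validated! */
        $GLOBALS['user'] = $uid; // a bunch of utility functions expect a global $user to be set
    }

    $sig = $request['sig'] ?? null;
    if (!api_request_is_properly_signed($request, $secret, $sig)) {
        return API_EC_PARAM_SIGNATURE;
    }
    return API_EC_SUCCESS;
}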