예제 #1
/**
 * Build the fb_sig_* parameter set (and the fb_sig signature over it) that
 * is handed to an application for a given user.
 *
 * @param mixed  $user              user id, or an array carrying the id under 'user'
 * @param int    $app_id            application the parameters are generated for
 * @param array  $others            extra name => value pairs to include and sign
 * @param array  $logged_in_others  extra pairs added only when a session key is present
 * @param mixed  $require_login     when truthy and no session key exists, still expose 'user'
 * @return array name => value map with every key prefixed 'fb_sig_', plus 'fb_sig'
 */
function get_fb_validation_vars($user, $app_id, $others = array(), $logged_in_others = array(), $require_login = null)
{
    global $DEMO_SESSION_KEY;

    // The application record supplies both the api_key and the signing secret.
    $app_info = application_get_short_info($app_id);
    $secret = $app_info['secret'];

    // The timestamp is always part of the signed payload.
    $others['time'] = (string) microtime(true);

    // Accept either a bare user id or an array carrying one under 'user'.
    $uid = is_array($user) ? $user['user'] : $user;

    if ($uid) {
        $others['added'] = (int) is_platform_app_installed($app_id, $uid);

        // FBOPEN:NOTE - stub: assume user session exists
        $session_key = $DEMO_SESSION_KEY;
        if ($session_key) {
            $others['user'] = $uid;
            $others['session_key'] = $session_key;

            $session_info = api_session_get_info($session_key, $app_id);
            if ($app_info['desktop']) {
                // desktop apps are signed with the per-session secret, not the app secret
                $secret = $session_info['session_secret'];
            }

            // A zero timeout is passed through as expires = 0 instead of being
            // added to the key creation time.
            $timeout = $session_info['session_timeout'];
            $others['expires'] = ($timeout == 0)
                ? 0
                : $session_info['key_create_time'] + $timeout;

            // '+' keeps keys already present: the logged-in extras never
            // overwrite the values computed above.
            $others += $logged_in_others;
        } elseif ($require_login) {
            $others['user'] = $uid;
        }
    }

    $others['api_key'] = $app_info['apikey'];

    // Expose every parameter under the fb_sig_ prefix, then sign the
    // unprefixed set with whichever secret applies.
    $vars = array();
    foreach ($others as $name => $value) {
        $vars['fb_sig_' . $name] = $value;
    }
    $vars['fb_sig'] = api_generate_sig($others, $secret);

    return $vars;
}
예제 #2
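/**
 * Checks if a session is still valid (ie has not timed out).
 *
 * The key is checked for shape before any lookup so that malformed input
 * never reaches the session store; the pattern accepts both the v0.9 and
 * v1 session-key formats.
 *
 * @param string $session_key  session key supplied by the caller (untrusted input)
 * @param int    $app_id       application the session is expected to belong to
 * @return API_EC_SUCCESS on success or another API_EC_* on error
 */
function api_session_check_valid($session_key, $app_id)
{
    // make sure we are passed a well-formed session key before trying
    // it.  attempts to match v0.9 and v1 session keys.  Anchored with \z
    // rather than $, so a key carrying a trailing newline is rejected here
    // instead of being passed on to the lookups below.
    if (!preg_match('/^[0-9a-f]+-[.\\w-]+\\z/', $session_key)) {
        return API_EC_PARAM_SESSION_KEY;
    }

    $info = api_session_get_info($session_key, $app_id);
    if (!$info) {
        return API_EC_PARAM_SESSION_KEY;
    }

    $app_info = application_get_info($app_id);
    if (!$app_info) {
        error_log('api_session_check_valid: invalid app id?');
        return API_EC_UNKNOWN;
    }

    if (api_is_session_timed_out($session_key, $app_id)) {
        return API_EC_PARAM_SESSION_KEY;
    }

    if ($app_info['desktop']) {
        // desktop apps have a timeout based on the time since the last
        // request instead of time since session created.
        $info['key_create_time'] = time();
        // FBOPEN: NOTE - Here, you may wish to set this new session in
        // memcache or some more temporary storage, as these turn over
        // quite a bit.  As written, the refreshed value is local to this
        // function and is not persisted anywhere.
    }
    return API_EC_SUCCESS;
}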
예제 #3
 /**
  * Resolve an auth_token to the session it has been bound to.
  *
  * Raises API_EC_PARAM (via throw_code) when the token is missing, unknown,
  * not yet bound to a session key, or bound to a key that no longer resolves.
  *
  * @param string $auth_token the auth token to resolve
  * @return api10_session_info session key, uid, expiry and - for desktop apps only - the session secret
  */
 public function auth_getSession($auth_token)
 {
     if (!$auth_token) {
         $this->throw_code(api10_FacebookApiErrorCode::API_EC_PARAM);
     }

     $token_info = api_authtoken_get_info($this->app_id, $auth_token);
     $session_key = $token_info ? $token_info['session_key'] : null;
     if (!$session_key) {
         // if the auth_token is invalid or hasn't been bound to a session key
         $this->throw_code(api10_FacebookApiErrorCode::API_EC_PARAM);
     }

     $session_info = api_session_get_info($session_key, $this->app_id);
     if (!$session_info) {
         // There might be multiple valid auth_token <-> session_key
         // mappings, but only one of the session_key values is actually
         // valid.
         $this->throw_code(api10_FacebookApiErrorCode::API_EC_PARAM);
     }

     // A zero timeout is reported as expires = 0 rather than added to the
     // key creation time.
     $timeout = $session_info['session_timeout'];
     $expires = ($timeout == 0)
         ? 0
         : $session_info['key_create_time'] + $timeout;

     $session = new api10_session_info();
     $session->session_key = $session_key;
     $session->uid = api_session_extract_uid($session_key, $this->app_id);
     $session->expires = $expires;

     // only desktop apps are handed the per-session secret
     $app_info = application_get_info($this->app_id);
     if ($app_info['desktop']) {
         $session->secret = $session_info['session_secret'];
     }

     return $session;
 }
예제 #4
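/**
 * Validate an API request from a vendor - check that it has a valid api_key, the correct
 * signature, and that it has an active session.  Retrieve the application_id
 * and user_id associated with the request.
 *
 * Check order matters: api_key and application state first, then IP
 * restriction / call limits, then the session (which may swap in the
 * session secret), and the signature last, because the secret to verify
 * against is only known once the session has been resolved.
 *
 * @param $request The array of arguments (name=>values) passed to us (e.g. $_REQUEST).
 * To successfully validate, it must contain 'api_key', 'session_key', 'method', and 'sig'.
 * @param $app_id gets filled in with the appropriate application id on success.
 * @param $uid gets filled in with the user id associated with the session on success.
 * @param $throttle when false, the desktop/server call-limit checks are skipped.
 * @param $use_session_secret when true, a session_key is mandatory and the
 *        session secret (not the application secret) is used to verify the signature.
 * @return API_EC_SUCCESS on success, or another API_EC_* if the request failed validation.
 */
function api_validate_api_request($request, &$app_id, &$uid, $throttle = true, $use_session_secret = false)
{
    $api_key = isset($request['api_key']) ? $request['api_key'] : null;
    if (!$api_key || !($app_info = application_get_info_from_key($api_key))) {
        return API_EC_PARAM_API_KEY;
    }
    $app_id = $app_info['application_id'];

    // If application is disabled, their api_key is no longer valid,
    // though we may store it for future request tracking.
    if ($app_info['approved'] == -1) {
        return API_EC_PARAM_API_KEY;
    }
    // Similarly, if the app is deleted, the api_key is no good.  If
    // we've done everything else right, deleted apps shouldn't be
    // returned by the application_get_info_* functions, but better safe
    // than sorry.
    if ($app_info['deleted']) {
        return API_EC_PARAM_API_KEY;
    }

    $session_key = isset($request['session_key']) ? $request['session_key'] : null;
    if ($app_info['desktop']) {
        if ($throttle && ($ec = api_desktop_check_call_limit($app_id, $session_key)) !== API_EC_SUCCESS) {
            return $ec;
        }
    } else {
        // Server apps may be restricted to an IP list; a request from a
        // source outside it is rejected before any further work is done.
        $remote_addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : null;
        if ($app_info['ip_list'] && !iplist_contains_ip($app_info['ip_list'], $remote_addr)) {
            return API_EC_BAD_IP;
        }
        if ($throttle && ($ec = api_server_check_call_limit($app_id)) !== API_EC_SUCCESS) {
            return $ec;
        }
    }

    // If $use_session_secret is true, then session_key must be provided
    if ($use_session_secret && !$session_key) {
        return API_EC_PARAM_SESSION_KEY;
    }

    $secret = $app_info['secret'];
    // will sig check after checking the session, since some apps have a session secret
    $method = isset($request['method']) ? $request['method'] : null;
    if (!$method) {
        return API_EC_METHOD;
    }

    $method_requires_session = api_method_requires_session($method);
    // Some methods don't require a session key but still work with session key.
    // Even if the method doesn't require a session key and the session key is passed in, the session key
    // should be respected, it's up to the individual method to figure out the tangled mess for itself...
    if ($method_requires_session || $session_key) {
        // If the method requires a session and one isn't provided, FAIL fast...
        if ($method_requires_session && !$session_key) {
            return API_EC_PARAM_SESSION_KEY;
        }
        if ($app_info['desktop'] || $use_session_secret) {
            $session_info = api_session_get_info($session_key, $app_id);
            // An unknown session must not fall through with a null secret:
            // the signature check below would then verify against nothing.
            if (!$session_info) {
                return API_EC_PARAM_SESSION_KEY;
            }
            $secret = $session_info['session_secret'];
        }
        // If the developer provides a session key even if it's not required, fail if it's not valid...
        if ($session_key && !($uid = api_session_extract_uid($session_key, $app_id))) {
            return API_EC_PARAM_SESSION_KEY;
        }
        if ($session_key && ($ec = api_session_check_valid($session_key, $app_id)) !== API_EC_SUCCESS) {
            return $ec;
        }
    }

    $sig = isset($request['sig']) ? $request['sig'] : null;
    if (!api_request_is_properly_signed($request, $secret, $sig)) {
        return API_EC_PARAM_SIGNATURE;
    }

    /* The request has now been validated! */
    if ($session_key) {
        // a bunch of utility functions expect a global $user to be set.
        // It is published only after the signature has checked out, so a
        // request with a bad signature never leaves a user id behind.
        $GLOBALS['user'] = $uid;
    }
    return API_EC_SUCCESS;
}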