Exemplo n.º 1
0
 public function auth_getSession($auth_token)
 {
     if (!$auth_token) {
         $this->throw_code(api10_FacebookApiErrorCode::API_EC_PARAM);
     }
     $info = api_authtoken_get_info($this->app_id, $auth_token);
     if (!$info || !$info['session_key']) {
         // if the auth_token is invalid or hasn't been bound to a session key
         $this->throw_code(api10_FacebookApiErrorCode::API_EC_PARAM);
     }
     $session_info = api_session_get_info($info['session_key'], $this->app_id);
     if (!$session_info) {
         // There might be multiple valid auth_token <-> session_key
         // mappings, but only one of the session_key values is actually
         // valid.
         $this->throw_code(api10_FacebookApiErrorCode::API_EC_PARAM);
     }
     $session = new api10_session_info();
     $session->session_key = $info['session_key'];
     $session->uid = api_session_extract_uid($info['session_key'], $this->app_id);
     if ($session_info['session_timeout'] == 0) {
         $session->expires = 0;
     } else {
         $session->expires = $session_info['key_create_time'] + $session_info['session_timeout'];
     }
     $app_info = application_get_info($this->app_id);
     if ($app_info['desktop']) {
         $session->secret = $session_info['session_secret'];
     }
     return $session;
 }
Exemplo n.º 2
0
function api_session_get_info($session_key, $app_id)
{
    global $data_conn;
    $uid = api_session_extract_uid($session_key);
    if (!$uid) {
        // we got passed a bad session key - apps do that sometimes
        return null;
    }
    if ($data_conn) {
        $sql = 'SELECT * FROM session WHERE uid=%d and session_key=%s';
        if ($ret = queryf($data_conn, $sql, $uid, $session_key)) {
            $row = mysql_fetch_assoc($ret);
            return $row;
        }
    }
    return false;
}
Exemplo n.º 3
0
/**
 * Validate an API request from a vendor - check that it has a valid api_key, the correct
 * signature, and that it has an active session.  Retrieve the application_id
 * and user_id associated with the request.
 *
 * @param $request The array of arguments (name=>values) passed to us (e.g. $_REQUEST).
 * To successfully validate, $message it must contain 'api_key', 'session_key', 'method', and 'sig'.
 * @param $app_id gets filled in with the appropriate application id on success.
 * @param $uid gets filled in with the user id associated with the session on success.
 * @param $config optional array of flags to disable various checks
 * @return API_EC_SUCCESS on success, or another API_EC_* if the request failed validation.
 */
function api_validate_api_request($request, &$app_id, &$uid, $throttle = true, $use_session_secret = false)
{
    $api_key = isset($request['api_key']) ? $request['api_key'] : null;
    if (!$api_key || !($app_info = application_get_info_from_key($api_key))) {
        return API_EC_PARAM_API_KEY;
    }
    $app_id = $app_info['application_id'];
    // If application is disabled, their api_key is no longer valid,
    // though we may store it for future request tracking.
    if ($app_info['approved'] == -1) {
        return API_EC_PARAM_API_KEY;
    }
    // Similarly, if the app is deleted, the api_key is no good.  If
    // we've done everything else right, deleted apps shouldn't be
    // returned by the application_get_info_* functions, but better safe
    // than sorry.
    if ($app_info['deleted']) {
        return API_EC_PARAM_API_KEY;
    }
    $session_key = isset($request['session_key']) ? $request['session_key'] : null;
    if ($app_info['desktop']) {
        if ($throttle && ($ec = api_desktop_check_call_limit($app_id, $session_key)) !== API_EC_SUCCESS) {
            return $ec;
        }
    } else {
        if ($app_info['ip_list'] && !iplist_contains_ip($app_info['ip_list'], $_SERVER['REMOTE_ADDR'])) {
            return API_EC_BAD_IP;
        }
        if ($throttle && ($ec = api_server_check_call_limit($app_id)) !== API_EC_SUCCESS) {
            return $ec;
        }
    }
    //If $use_session_secret is true, then session_key must be provided
    if ($use_session_secret && !$session_key) {
        return API_EC_PARAM_SESSION_KEY;
    }
    $secret = $app_info['secret'];
    // will sig check after checking the session, since some apps have a session secret
    $method = isset($request['method']) ? $request['method'] : null;
    if (!$method) {
        return API_EC_METHOD;
    }
    $method_requires_session = api_method_requires_session($method);
    // Some methods don't require a session key but still work with session key.
    // Even if the method doesn't require a session key and the session key is passed in, the session key
    // should be respected, it's up to the individual method to figure out the tangled mess for itself...
    if ($method_requires_session || $session_key) {
        // If the method requires a session and one isn't provided, FAIL fast...
        if ($method_requires_session && !$session_key) {
            return API_EC_PARAM_SESSION_KEY;
        }
        if ($app_info['desktop'] || $use_session_secret) {
            $session_info = api_session_get_info($session_key, $app_id);
            $secret = $session_info['session_secret'];
        }
        // If the developer provides a session key even if it's not required, fail if it's not valid...
        if ($session_key && false == ($uid = api_session_extract_uid($session_key, $app_id))) {
            return API_EC_PARAM_SESSION_KEY;
        }
        if ($session_key && ($ec = api_session_check_valid($session_key, $app_id)) !== API_EC_SUCCESS) {
            return $ec;
        }
        /* The request has now been validated! */
        $GLOBALS['user'] = $uid;
        // a bunch of utility functions expect a global $user to be set
    }
    $sig = isset($request['sig']) ? $request['sig'] : null;
    if (!api_request_is_properly_signed($request, $secret, $sig)) {
        return API_EC_PARAM_SIGNATURE;
    }
    return API_EC_SUCCESS;
}