Exemplo n.º 1
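 /**
  * Verify the Facebook-style signed_request posted to this page and, when it
  * is authentic, store its decoded payload in the session.
  *
  * The value has the form "<base64url signature>.<base64url JSON payload>".
  * The signature is an HMAC-SHA256 of the still-encoded payload, keyed with the
  * application secret ('fb_secret').
  *
  * Everything in $_POST['signed_request'] is attacker-controlled until the
  * HMAC check has passed, so the payload is only parsed after verification.
  *
  * @return array|null Decoded payload on success; null when the request is
  *                    missing, malformed, wrongly signed, or declares an
  *                    algorithm other than HMAC-SHA256.
  */
 function saveSignedRequest()
 {
     // Reject absent or non-string input (e.g. signed_request[]=x arrives as an array).
     if (!isset($_POST['signed_request']) || !is_string($_POST['signed_request'])) {
         error_log('Missing or malformed signed_request');
         return null;
     }
     $signed_request = $_POST['signed_request'];

     // Without a separator explode() yields one element and list() would
     // leave $payload undefined.
     if (strpos($signed_request, '.') === false) {
         error_log('Missing or malformed signed_request');
         return null;
     }
     list($encoded_sig, $payload) = explode('.', $signed_request, 2);

     $secret = Config::get_mandatory('fb_secret');

     // Check the signature first, over the encoded payload exactly as received.
     $sig = Fb::base64_url_decode($encoded_sig);
     $expected_sig = hash_hmac('sha256', $payload, $secret, true);

     // hash_equals() compares in constant time; a plain !== can leak, through
     // timing, how many leading bytes of a forged signature were correct.
     if (!is_string($sig) || !hash_equals($expected_sig, $sig)) {
         error_log('Bad Signed JSON signature!');
         return null;
     }

     // The payload is authentic from here on; decode it.
     $data = json_decode(Fb::base64_url_decode($payload), true);
     if (!is_array($data)
         || !isset($data['algorithm'])
         || !is_string($data['algorithm'])
         || strtoupper($data['algorithm']) !== 'HMAC-SHA256'
     ) {
         error_log('Unknown algorithm. Expected HMAC-SHA256');
         return null;
     }

     // save to session, so we have it throughout app
     $_SESSION['signed_request'] = $data;
     return $data;
 }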