/**
 * Splits the request into its GET and POST halves and signs them.
 *
 * The standard fields are added first, array-valued POST fields are
 * converted to JSON, and the signature is computed over the union of both
 * halves so the server can recompute the same digest.
 *
 * @param string $method API method name.
 * @param array  $params Caller-supplied request fields.
 * @return array Two-element array: [GET fields, POST fields incl. 'sig'].
 */
protected function finalize_params($method, $params)
 {
     $halves = $this->add_standard_params($method, $params);
     $get = $halves[0];
     $post = $halves[1];
     // JSON conversion has to precede signing: the digest must cover the bytes sent.
     $this->convert_array_values_to_json($post);
     $signed_fields = array_merge($get, $post);
     $post['sig'] = Facebook::generate_sig($signed_fields, $this->secret);
     return array($get, $post);
 }
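 /**
  * Builds the URL-encoded POST body for an API call, including its signature.
  *
  * Adds the standard method/session_key/api_key/call_id/v fields, flattens
  * array values to comma-separated strings, and appends 'sig' computed over
  * the final field set.
  *
  * @param string $method API method name.
  * @param array  $params Caller-supplied request fields.
  * @return string application/x-www-form-urlencoded body.
  */
 private function create_post_string($method, $params)
 {
     $params['method'] = $method;
     $params['session_key'] = $this->session_key;
     $params['api_key'] = $this->api_key;
     // call_id must increase per session; nudge it forward if the clock did not.
     $params['call_id'] = microtime(true);
     if ($params['call_id'] <= $this->last_call_id) {
         $params['call_id'] = $this->last_call_id + 0.001;
     }
     $this->last_call_id = $params['call_id'];
     if (!isset($params['v'])) {
         $params['v'] = '1.0';
     }
     $post_params = array();
     // By reference so the flattened string is what gets signed below.
     foreach ($params as $key => &$val) {
         if (is_array($val)) {
             $val = implode(',', $val);
         }
         $post_params[] = $key . '=' . urlencode($val);
     }
     // Break the loop reference: otherwise $val keeps aliasing the last element of $params.
     unset($val);
     $secret = $this->secret;
     $post_params[] = 'sig=' . Facebook::generate_sig($params, $secret);
     return implode('&', $post_params);
 }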
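 /**
  * Posts a multipart/form-data request (the photo-upload transport) to the API server.
  *
  * Adds the standard method/session_key/api_key/call_id/v fields, signs them, and
  * encodes each field as a form-data part. When $params['filename'] is set, the
  * named local file is appended as an image part whose subtype is taken from the
  * file extension.
  *
  * @param string $method API method name.
  * @param array  $params Request fields; array values are joined with commas.
  * @return string|null The first "<...>" span of the response body, or null when no
  *                     markup was received.
  */
 public function post_request($method, $params)
 {
     $params['method'] = $method;
     $params['session_key'] = $this->session_key;
     $params['api_key'] = $this->api_key;
     // call_id must increase per session; nudge it forward if the clock did not.
     $params['call_id'] = microtime(true);
     if ($params['call_id'] <= $this->last_call_id) {
         $params['call_id'] = $this->last_call_id + 0.001;
     }
     $this->last_call_id = $params['call_id'];
     if (!isset($params['v'])) {
         $params['v'] = '1.0';
     }
     // Flatten arrays before signing so the digest covers the bytes actually sent.
     foreach ($params as $key => $val) {
         if (is_array($val)) {
             $params[$key] = implode(',', $val);
         }
     }
     $secret = $this->secret;
     $params['sig'] = Facebook::generate_sig($params, $secret);
     $boundary = md5(time());
     $content = array();
     $content[] = '--' . $boundary;
     foreach ($params as $key => $val) {
         $content[] = 'Content-Disposition: form-data; name="' . $key . '"' . "\r\n\r\n" . $val . "\r\n--" . $boundary;
     }
     // isset() guard: text-only requests carry no 'filename' and used to raise an undefined-index notice here.
     if (isset($params['filename']) && $params['filename']) {
         $filename = $params['filename'];
         // NOTE(review): $filename is opened from the local filesystem and spliced into the
         // part header without escaping; it must be a trusted path free of '"' and CR/LF.
         preg_match('/.*?\\.([a-zA-Z]+)/', $filename, $match);
         // The regex restricts the extension to letters, so it is safe inside Content-Type.
         $type = isset($match[1]) ? strtolower($match[1]) : '';
         if ($type == 'jpg') {
             $type = 'jpeg';
         }
         $content[] = 'Content-Disposition: form-data; filename="' . $filename . '"' . "\r\n" . 'Content-Type: image/' . $type . "\r\n\r\n" . file_get_contents($filename) . "\r\n--" . $boundary;
     }
     // Turn the trailing part delimiter into the closing delimiter.
     $content[] = array_pop($content) . '--';
     $content = implode("\r\n", $content);
     $result = '';
     if (function_exists('curl_init')) {
         $header = array('User-Agent: Facebook Photo API PHP5 Client 1.0 ' . phpversion(), 'Content-Type: multipart/form-data; boundary=' . $boundary, 'MIME-version: 1.0', 'Content-Length: ' . strlen($content));
         $ch = curl_init();
         curl_setopt($ch, CURLOPT_URL, $this->server_addr);
         curl_setopt($ch, CURLOPT_POST, 1);
         curl_setopt($ch, CURLOPT_POSTFIELDS, $content);
         curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
         curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
         $result = curl_exec($ch);
         curl_close($ch);
     } else {
         $header = 'User-Agent: Facebook Photo API PHP5 Client 1.0 ' . phpversion() . "\r\n" . 'Content-Type: multipart/form-data; boundary=' . $boundary . "\r\n" . 'MIME-version: 1.0' . "\r\n" . 'Content-length: ' . strlen($content) . "\r\n" . 'Keep-Alive: 300' . "\r\n" . 'Connection: keep-alive';
         $sock = false;
         if (function_exists('fsockopen')) {
             $url = parse_url($this->server_addr);
             // Plain HTTP on port 80: the scheme and port in server_addr are not honoured on this path.
             $sock = @fsockopen($url['host'], 80, $errno, $errstr, 5);
             $header = 'POST ' . $url['path'] . ' HTTP/1.1' . "\r\n" . 'Host: ' . $url['host'] . "\r\n" . $header;
             // A failed connect yields false; fwrite() on it is a fatal TypeError on PHP 8.
             if ($sock) {
                 fwrite($sock, $header . "\r\n\r\n" . $content);
             }
         } else {
             $context = array('http' => array('method' => 'POST', 'header' => $header, 'content' => $content));
             $contextid = stream_context_create($context);
             $sock = fopen($this->server_addr, 'r', false, $contextid);
         }
         if ($sock) {
             $result = '';
             while (!feof($sock)) {
                 $temp = fgets($sock, 4096);
                 $result .= $temp;
                 // The server keeps the connection open, so a short or failed read ends the response.
                 if (!$temp) {
                     break;
                 }
             }
             fclose($sock);
         }
     }
     // Keep only the markup; the raw-socket path leaves the HTTP headers in front of the body.
     preg_match('/<.*>/s', (string) $result, $match);
     return isset($match[0]) ? $match[0] : null;
 }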
 /**
  * Completes $params in place for an API call: adds the standard fields,
  * JSON-encodes array values, then signs the result.
  *
  * @param string $method API method name.
  * @param array  $params Request fields, modified by reference ('sig' is added).
  */
 private function finalize_params($method, &$params)
 {
     $this->add_standard_params($method, $params);
     // Arrays must already be in their JSON form when the digest is computed,
     // otherwise the server cannot reproduce the signature.
     $this->convert_array_values_to_json($params);
     $secret = $this->secret;
     $sig = Facebook::generate_sig($params, $secret);
     $params['sig'] = $sig;
 }
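 /**
  * Sends a signed application/x-www-form-urlencoded POST to the API server.
  *
  * Uses cURL when available (with a per-session cookie jar and an optional proxy
  * taken from $GLOBALS['facebook_config']), otherwise a stream-context fopen().
  *
  * @param string $method API method name.
  * @param array  $params Caller-supplied request fields; array values are joined with commas.
  * @return string|null Raw response body; null when the non-cURL path could not connect.
  * @throws FacebookRestClientException when the cURL transfer fails or returns an empty body.
  */
 public function post_request($method, $params)
 {
     $params['method'] = $method;
     $params['session_key'] = $this->session_key;
     $params['api_key'] = $this->api_key;
     // Unlike the other client variants, call_id is not forced to be monotonic here:
     // two calls within the same microtime() tick reuse a call_id.
     $params['call_id'] = microtime(true);
     $this->last_call_id = $params['call_id'];
     if (!isset($params['v'])) {
         $params['v'] = '1.0';
     }
     $post_params = array();
     // By reference so the flattened string is what gets signed below.
     foreach ($params as $key => &$val) {
         if (is_array($val)) {
             $val = implode(',', $val);
         }
         $post_params[] = $key . '=' . urlencode($val);
     }
     // Break the loop reference: otherwise $val keeps aliasing the last element of $params.
     unset($val);
     $secret = $this->secret;
     if (isset($GLOBALS['facebook_config']) && isset($GLOBALS['facebook_config']['server_debug'])) {
         // Debug aid only: this writes every request field, session_key included, to the error log.
         error_log(var_export($params, true));
     }
     $post_params[] = 'sig=' . Facebook::generate_sig($params, $secret);
     $post_string = implode('&', $post_params);
     $result = null;
     if (function_exists('curl_init')) {
         // Use CURL if installed...
         $ch = curl_init();
         curl_setopt($ch, CURLOPT_URL, $this->server_addr);
         curl_setopt($ch, CURLOPT_POSTFIELDS, $post_string);
         curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
         curl_setopt($ch, CURLOPT_USERAGENT, 'Facebook API PHP5 Client 1.1 (curl) ' . phpversion());
         // One cookie jar per session, or per application while there is no session yet.
         // NOTE(review): the file name embeds session_key/api_key verbatim; if either value can
         // originate from a request, restrict it to a safe character set before building the path.
         $cookie_id = $this->session_key ? $this->session_key : $this->api_key;
         $cookie_file = dirname(__FILE__) . "/../cookie_" . $cookie_id . ".txt";
         curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file);
         curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file);
         $http_proxy = "";
         if (isset($GLOBALS['facebook_config']) && isset($GLOBALS['facebook_config']['http_proxy'])) {
             $http_host = parse_url($this->server_addr, PHP_URL_HOST);
             // Never proxy to localhost
             $is_remote = !($http_host === 'localhost' || $http_host === '127.0.0.1');
             if (isset($GLOBALS['facebook_config']['non_proxy_hosts']) && is_array($GLOBALS['facebook_config']['non_proxy_hosts'])) {
                 // The host stays remote iff it is not listed as a non-proxy host. The original
                 // wrote `!$http_host === $non_proxy_host`, which compares a bool with a string and
                 // so switched the proxy off for every host as soon as the list was configured.
                 $is_remote = $is_remote && !in_array($http_host, $GLOBALS['facebook_config']['non_proxy_hosts'], true);
             }
             if ($is_remote) {
                 $http_proxy = $GLOBALS['facebook_config']['http_proxy'];
                 curl_setopt($ch, CURLOPT_PROXY, $http_proxy);
                 curl_setopt($ch, CURLOPT_HTTPPROXYTUNNEL, 1);
                 curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
             } else {
                 error_log("Skipping proxy because of local URL");
             }
         }
         $result = curl_exec($ch);
         // Capture the error text before closing so the handle is released even when we throw.
         $ce = curl_error($ch);
         curl_close($ch);
         if (!$result) {
             // Throw an exception if there is a communication failure (false) or an empty body.
             throw new FacebookRestClientException("Exception during communication: {$ce} ({$this->server_addr})" . ($http_proxy ? " (via {$http_proxy})" : ""), FacebookAPIErrorCodes::API_EC_UNKNOWN);
         }
     } else {
         // Non-CURL based version...
         $context = array('http' => array('method' => 'POST', 'header' => 'Content-type: application/x-www-form-urlencoded' . "\r\n" . 'User-Agent: Facebook API PHP5 Client 1.1 (non-curl) ' . phpversion() . "\r\n" . 'Content-length: ' . strlen($post_string), 'content' => $post_string));
         $contextid = stream_context_create($context);
         $sock = fopen($this->server_addr, 'r', false, $contextid);
         if ($sock) {
             $result = '';
             while (!feof($sock)) {
                 $result .= fgets($sock, 4096);
             }
             fclose($sock);
         }
     }
     return $result;
 }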
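 /**
  * Sends a signed application/x-www-form-urlencoded POST to the API server.
  *
  * @param string $method API method name.
  * @param array  $params Caller-supplied request fields; array values are joined with commas.
  * @return string|false|null Raw response body; false if the cURL transfer failed,
  *                           null if the non-cURL path could not open the connection.
  */
 public function post_request($method, $params)
 {
     $params['method'] = $method;
     $params['session_key'] = $this->session_key;
     $params['api_key'] = $this->api_key;
     // call_id must increase per session; nudge it forward if the clock did not.
     $params['call_id'] = microtime(true);
     if ($params['call_id'] <= $this->last_call_id) {
         $params['call_id'] = $this->last_call_id + 0.001;
     }
     $this->last_call_id = $params['call_id'];
     if (!isset($params['v'])) {
         $params['v'] = '1.0';
     }
     $post_params = array();
     // By reference so the flattened string is what gets signed below.
     foreach ($params as $key => &$val) {
         if (is_array($val)) {
             $val = implode(',', $val);
         }
         $post_params[] = $key . '=' . urlencode($val);
     }
     // Break the loop reference: otherwise $val keeps aliasing the last element of $params.
     unset($val);
     $secret = $this->secret;
     $post_params[] = 'sig=' . Facebook::generate_sig($params, $secret);
     $post_string = implode('&', $post_params);
     $result = null;
     if (function_exists('curl_init')) {
         // Use CURL if installed...
         $ch = curl_init();
         curl_setopt($ch, CURLOPT_URL, $this->server_addr);
         curl_setopt($ch, CURLOPT_POSTFIELDS, $post_string);
         curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
         curl_setopt($ch, CURLOPT_USERAGENT, 'Facebook API PHP5 Client 1.1 (curl) ' . phpversion());
         // Transfer errors are not inspected here: a false from curl_exec() is returned as-is.
         $result = curl_exec($ch);
         curl_close($ch);
     } else {
         // Non-CURL based version...
         $context = array('http' => array('method' => 'POST', 'header' => 'Content-type: application/x-www-form-urlencoded' . "\r\n" . 'User-Agent: Facebook API PHP5 Client 1.1 (non-curl) ' . phpversion() . "\r\n" . 'Content-length: ' . strlen($post_string), 'content' => $post_string));
         $contextid = stream_context_create($context);
         $sock = fopen($this->server_addr, 'r', false, $contextid);
         if ($sock) {
             $result = '';
             while (!feof($sock)) {
                 $result .= fgets($sock, 4096);
             }
             fclose($sock);
         }
     }
     return $result;
 }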
 /**
  * The network signer must produce exactly the digest the reference
  * Facebook::generate_sig() produces for the same params and secret.
  *
  * @dataProvider provideForSigning
  */
 public function testSigning($params, $secret, $msg)
 {
     $expected = Facebook::generate_sig($params, $secret);
     $signer = new NetworkFacebookSigner();
     $actual = $signer->sign($params, $secret);
     $this->assertEquals($expected, $actual, $msg . ' test case');
 }
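// Site Connect callback: verify that the request carrying social_session_key was
// signed with the network's secret, then hand the session to the site via a
// signed redirect.
if (isset($_REQUEST['social_session_key'])) {
    $client = RingsideSocialUtils::getAdminClient();
    $domain_info = $client->admin_getDomainProperties(array('secret_key'), null, $_REQUEST['network_key']);
    // Log which properties came back, not their values: secret_key is a signing secret.
    error_log("For network " . $_REQUEST['network_key'] . ", the properties returned are: " . implode(',', array_keys((array) $domain_info)));
    $secret = $domain_info['secret_key'];
    // The signed fields are read from $_GET although presence was tested on $_REQUEST.
    $params = array('social_session_key' => $_GET['social_session_key'], 'next' => $_GET['next']);
    error_log("Verifying signature with params: " . var_export($params, true));
    $check_sig = Facebook::generate_sig($params, $secret);
    $given_sig = (isset($_REQUEST['sig']) && is_string($_REQUEST['sig'])) ? $_REQUEST['sig'] : '';
    // Constant-time, strict comparison. The original used ==, which compares
    // numeric-looking strings as numbers (two "0e..." hex digests compare equal).
    if (hash_equals((string) $check_sig, $given_sig)) {
        $social_session_key = $_GET['social_session_key'];
        error_log("Site connect signature verified. Setting cookie.");
        // httponly keeps the session id out of reach of page scripts; the other cookie attributes are unchanged.
        setcookie('PHPSESSID', $social_session_key, 0, '', '', false, true);
        $next = $_REQUEST['next'];
        // TODO: Think about restricting this redirect to the registered site's domain, like app login redirection
        if (strpos($next, '?') !== false) {
            $next .= "&";
        } else {
            $next .= "?";
        }
        // Sign with the secret_key fetched above; the original read $domain_info['secret'],
        // a property that was never requested from admin_getDomainProperties().
        $params = array('sc_social_session_key' => $social_session_key, 'sc_sig' => Facebook::generate_sig(array('social_session_key' => $social_session_key), $secret));
        $next .= http_build_query($params);
        header('Location: ' . $next, true, 302);
        exit;
    } else {
        error_log("WARNING: Site Connect signature verification failed ({$check_sig} expected, " . $given_sig . " found)");
    }
} else {
    error_log("Invalid Site Connect session request");
}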
?>
Invalid request
 /**
  * A signed canvas request with no network session must make the client
  * redirect to the social server's map endpoint.
  */
 public function testNetworkRedirect()
 {
     $_SERVER['HTTP_HOST'] = 'localhost';
     $_SERVER['REQUEST_URI'] = '/web/url';
     $raw = array('soc_session_key' => '', 'session_key' => 'session-key', 'user' => '10000', 'in_iframe' => 0, 'in_canvas' => 1, 'time' => time(), 'added' => 1, 'api_key' => 'api-key');
     // Sign the unprefixed fields, then present them as fb_sig_* canvas parameters.
     $signed = array('fb_sig' => Facebook::generate_sig($raw, 'secret'));
     foreach ($raw as $name => $value) {
         $signed['fb_sig_' . $name] = $value;
     }
     $_GET = $signed;
     $client = new RedirectingClient('api-key', 'secret', 'http://localhost/web/url', 'http://localhost/server/url', 'http://localhost/social/url');
     $this->assertEquals('10000', $client->get_loggedin_user());
     $this->assertNull($client->get_network_id());
     $this->assertNull($client->get_network_user());
     $client->require_network_login();
     // Only the redirect target matters here, not what PHP believes the current URL is.
     $expected = 'http://localhost/social/url/map.php?v=1.0&method=map&api_key=api-key&snid=&sid=10000&social_session_key=&session_key=session-key&next=' . urlencode(Facebook::current_url()) . '&canvas';
     $this->assertEquals($expected, $client->redirect);
 }
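 /**
  * Test-double constructor. When the request does not already carry a signed
  * fb_sig_session_key, fakes a signed platform request by writing the given
  * parameters (prefixed and signed with sig_secret) into $_POST, then builds
  * the Facebook handler from them.
  *
  * @param array|null $platform_params Unprefixed platform parameters to fake; null means none.
  */
 public function __construct($platform_params = null)
 {
     parent::__construct();
     if (!isset($_POST['fb_sig_session_key'])) {
         $facebook_params = array();
         // Guard: with the default null the original reached foreach() and raised a warning.
         if ($platform_params !== null) {
             foreach ($platform_params as $name => $value) {
                 $facebook_params[self::$prefix . $name] = $value;
             }
         }
         $facebook_params[self::$prefix . 'sig'] = Facebook::generate_sig($facebook_params, $this->sig_secret);
         foreach ($facebook_params as $name => $value) {
             $_POST[$name] = $value;
         }
     }
     $this->platform_handler = new Facebook($this->sig_api_key, $this->sig_secret);
     $this->sig_user = $this->platform_handler->user;
 }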
include_once '../lib/client/facebook.php';
include_once '../lib/AppConfig.class.php';

// Client for this application, configured from AppConfig.
$facebook = new Facebook(AppConfig::$api_key, AppConfig::$secret);

// This page is only meaningful inside the canvas frame (http://app.facebook.com/appname/)
// with a logged-in user. require_login() alone does not imply the user has added the
// application, hence the separate require_add().
$facebook->require_frame();
$user = $facebook->require_login();
$facebook->require_add();

// Accept fb_sig_* parameters that are at most 48 hours old, re-sign them with the
// application secret and check that signature. Note this is a demonstration: the
// signature being verified is the one computed here, not one taken from the request.
$max_param_age = 48 * 3600;
$app_params = $facebook->get_valid_fb_params($_POST, $max_param_age, 'fb_sig');
$request_sig = $facebook->generate_sig($app_params, AppConfig::$secret);
$sig_match = $facebook->verify_signature($app_params, $request_sig);
?>
<div style="padding: 10px;">
  <h2>Hello <fb:name firstnameonly="true" uid="<?php 
echo $user;
?>
" useyou="false"/>!</h2>
<?php 
if ($sig_match) {
    ?>
  <p>The signature "<?php 
    echo $request_sig;
    ?>
" does match the request parameters.</p>
<?php