PK l?V\Sl l .travis.ymlnu W+A language: php
php:
- 5.3
- 5.4
script: phpunit --stderr --bootstrap tests/bootstrap.php tests/tests.php
PK l?Vy+
composer.jsonnu W+A {
"name": "facebook/php-sdk",
"description": "Facebook PHP SDK",
"keywords": ["facebook", "sdk"],
"type": "library",
"homepage": "https://github.com/facebook/facebook-php-sdk",
"license": "Apache2",
"authors": [
{
"name": "Facebook",
"homepage": "https://github.com/facebook/facebook-php-sdk/contributors"
}
],
"require": {
"php": ">=5.2.0",
"ext-curl": "*",
"ext-json": "*"
},
"autoload": {
"classmap": ["src"]
}
}
PK l?V2 readme.mdnu W+A Facebook PHP SDK (v.3.2.0)
==========================
The [Facebook Platform](http://developers.facebook.com/) is
a set of APIs that make your app more social.
This repository contains the open source PHP SDK that allows you to
access Facebook Platform from your PHP app. Except as otherwise noted,
the Facebook PHP SDK is licensed under the Apache Licence, Version 2.0
(http://www.apache.org/licenses/LICENSE-2.0.html).
Usage
-----
The [examples][examples] are a good place to start. The minimal you'll need to
have is:
require 'facebook-php-sdk/src/facebook.php';
$facebook = new Facebook(array(
'appId' => 'YOUR_APP_ID',
'secret' => 'YOUR_APP_SECRET',
));
// Get User ID
$user = $facebook->getUser();
To make [API][API] calls:
if ($user) {
try {
// Proceed knowing you have a logged in user who's authenticated.
$user_profile = $facebook->api('/me');
} catch (FacebookApiException $e) {
error_log($e);
$user = null;
}
}
Login or logout url will be needed depending on current user state.
if ($user) {
$logoutUrl = $facebook->getLogoutUrl();
} else {
$loginUrl = $facebook->getLoginUrl();
}
[examples]: http://github.com/facebook/facebook-php-sdk/blob/master/examples/example.php
[API]: http://developers.facebook.com/docs/api
Tests
-----
In order to keep us nimble and allow us to bring you new functionality, without
compromising on stability, we have ensured full test coverage of the SDK.
We are including this in the open source repository to assure you of our
commitment to quality, but also with the hopes that you will contribute back to
help keep it stable. The easiest way to do so is to file bugs and include a
test case.
The tests can be executed by using this command from the base directory:
phpunit --stderr --bootstrap tests/bootstrap.php tests/tests.php
Contributing
===========
For us to accept contributions you will have to first have signed the
[Contributor License Agreement](https://developers.facebook.com/opensource/cla).
When commiting, keep all lines to less than 80 characters, and try to
follow the existing style.
Before creating a pull request, squash your commits into a single commit.
Add the comments where needed, and provide ample explanation in the
commit message.
Report Issues/Bugs
===============
[Bugs](https://developers.facebook.com/bugs)
[Questions](http://facebook.stackoverflow.com)
PK l?VZ@ examples/with_js_sdk.phpnu W+A '344617158898614',
'secret' => '6dc8ac871858b34798bc2488200e503d',
));
// See if there is a user from a cookie
$user = $facebook->getUser();
if ($user) {
try {
// Proceed knowing you have a logged in user who's authenticated.
$user_profile = $facebook->api('/me');
} catch (FacebookApiException $e) {
echo '
'.htmlspecialchars(print_r($e, true)).'
';
$user = null;
}
}
?>
Your user profile is
PK l?Vxz examples/example.phpnu W+A '344617158898614',
'secret' => '6dc8ac871858b34798bc2488200e503d',
));
// Get User ID
$user = $facebook->getUser();
// We may or may not have this data based on whether the user is logged in.
//
// If we have a $user id here, it means we know the user is logged into
// Facebook, but we don't know if the access token is valid. An access
// token is invalid if the user logged out of Facebook.
if ($user) {
try {
// Proceed knowing you have a logged in user who's authenticated.
$user_profile = $facebook->api('/me');
} catch (FacebookApiException $e) {
error_log($e);
$user = null;
}
}
// Login or logout url will be needed depending on current user state.
if ($user) {
$logoutUrl = $facebook->getLogoutUrl();
} else {
$loginUrl = $facebook->getLoginUrl();
}
// This call will always work since we are fetching public data.
$naitik = $facebook->api('/naitik');
?>
php-sdk
php-sdk
Logout
PHP Session
You
Your User Object (/me)
You are not Connected.
Public profile of Naitik
PK l?VB_ tests/tests.phpnu W+A self::APP_ID,
'secret' => self::SECRET,
));
$this->assertEquals($facebook->getAppId(), self::APP_ID,
'Expect the App ID to be set.');
$this->assertEquals($facebook->getAppSecret(), self::SECRET,
'Expect the API secret to be set.');
}
public function testConstructorWithFileUpload() {
$facebook = new TransientFacebook(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
'fileUpload' => true,
));
$this->assertEquals($facebook->getAppId(), self::APP_ID,
'Expect the App ID to be set.');
$this->assertEquals($facebook->getAppSecret(), self::SECRET,
'Expect the API secret to be set.');
$this->assertTrue($facebook->getFileUploadSupport(),
'Expect file upload support to be on.');
// alias (depricated) for getFileUploadSupport -- test until removed
$this->assertTrue($facebook->useFileUploadSupport(),
'Expect file upload support to be on.');
}
public function testSetAppId() {
$facebook = new TransientFacebook(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$facebook->setAppId('dummy');
$this->assertEquals($facebook->getAppId(), 'dummy',
'Expect the App ID to be dummy.');
}
public function testSetAPISecret() {
$facebook = new TransientFacebook(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$facebook->setApiSecret('dummy');
$this->assertEquals($facebook->getApiSecret(), 'dummy',
'Expect the API secret to be dummy.');
}
public function testSetAPPSecret() {
$facebook = new TransientFacebook(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$facebook->setAppSecret('dummy');
$this->assertEquals($facebook->getAppSecret(), 'dummy',
'Expect the API secret to be dummy.');
}
public function testSetAccessToken() {
$facebook = new TransientFacebook(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$facebook->setAccessToken('saltydog');
$this->assertEquals($facebook->getAccessToken(), 'saltydog',
'Expect installed access token to remain \'saltydog\'');
}
public function testSetFileUploadSupport() {
$facebook = new TransientFacebook(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$this->assertFalse($facebook->getFileUploadSupport(),
'Expect file upload support to be off.');
// alias for getFileUploadSupport (depricated), testing until removed
$this->assertFalse($facebook->useFileUploadSupport(),
'Expect file upload support to be off.');
$facebook->setFileUploadSupport(true);
$this->assertTrue($facebook->getFileUploadSupport(),
'Expect file upload support to be on.');
// alias for getFileUploadSupport (depricated), testing until removed
$this->assertTrue($facebook->useFileUploadSupport(),
'Expect file upload support to be on.');
}
public function testGetCurrentURL() {
$facebook = new FBGetCurrentURLFacebook(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
// fake the HPHP $_SERVER globals
$_SERVER['HTTP_HOST'] = 'www.test.com';
$_SERVER['REQUEST_URI'] = '/unit-tests.php?one=one&two=two&three=three';
$current_url = $facebook->publicGetCurrentUrl();
$this->assertEquals(
'http://www.test.com/unit-tests.php?one=one&two=two&three=three',
$current_url,
'getCurrentUrl function is changing the current URL');
// ensure structure of valueless GET params is retained (sometimes
// an = sign was present, and sometimes it was not)
// first test when equal signs are present
$_SERVER['HTTP_HOST'] = 'www.test.com';
$_SERVER['REQUEST_URI'] = '/unit-tests.php?one=&two=&three=';
$current_url = $facebook->publicGetCurrentUrl();
$this->assertEquals(
'http://www.test.com/unit-tests.php?one=&two=&three=',
$current_url,
'getCurrentUrl function is changing the current URL');
// now confirm that
$_SERVER['HTTP_HOST'] = 'www.test.com';
$_SERVER['REQUEST_URI'] = '/unit-tests.php?one&two&three';
$current_url = $facebook->publicGetCurrentUrl();
$this->assertEquals(
'http://www.test.com/unit-tests.php?one&two&three',
$current_url,
'getCurrentUrl function is changing the current URL');
}
public function testGetLoginURL() {
$facebook = new Facebook(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
// fake the HPHP $_SERVER globals
$_SERVER['HTTP_HOST'] = 'www.test.com';
$_SERVER['REQUEST_URI'] = '/unit-tests.php';
$login_url = parse_url($facebook->getLoginUrl());
$this->assertEquals($login_url['scheme'], 'https');
$this->assertEquals($login_url['host'], 'www.facebook.com');
$this->assertEquals($login_url['path'], '/dialog/oauth');
$expected_login_params =
array('client_id' => self::APP_ID,
'redirect_uri' => 'http://www.test.com/unit-tests.php');
$query_map = array();
parse_str($login_url['query'], $query_map);
$this->assertIsSubset($expected_login_params, $query_map);
// we don't know what the state is, but we know it's an md5 and should
// be 32 characters long.
$this->assertEquals(strlen($query_map['state']), $num_characters = 32);
}
public function testGetLoginURLWithExtraParams() {
$facebook = new Facebook(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
// fake the HPHP $_SERVER globals
$_SERVER['HTTP_HOST'] = 'www.test.com';
$_SERVER['REQUEST_URI'] = '/unit-tests.php';
$extra_params = array('scope' => 'email, sms',
'nonsense' => 'nonsense');
$login_url = parse_url($facebook->getLoginUrl($extra_params));
$this->assertEquals($login_url['scheme'], 'https');
$this->assertEquals($login_url['host'], 'www.facebook.com');
$this->assertEquals($login_url['path'], '/dialog/oauth');
$expected_login_params =
array_merge(
array('client_id' => self::APP_ID,
'redirect_uri' => 'http://www.test.com/unit-tests.php'),
$extra_params);
$query_map = array();
parse_str($login_url['query'], $query_map);
$this->assertIsSubset($expected_login_params, $query_map);
// we don't know what the state is, but we know it's an md5 and should
// be 32 characters long.
$this->assertEquals(strlen($query_map['state']), $num_characters = 32);
}
public function testGetLoginURLWithScopeParamsAsArray() {
$facebook = new Facebook(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
// fake the HPHP $_SERVER globals
$_SERVER['HTTP_HOST'] = 'www.test.com';
$_SERVER['REQUEST_URI'] = '/unit-tests.php';
$scope_params_as_array = array('email','sms','read_stream');
$extra_params = array('scope' => $scope_params_as_array,
'nonsense' => 'nonsense');
$login_url = parse_url($facebook->getLoginUrl($extra_params));
$this->assertEquals($login_url['scheme'], 'https');
$this->assertEquals($login_url['host'], 'www.facebook.com');
$this->assertEquals($login_url['path'], '/dialog/oauth');
// expect api to flatten array params to comma separated list
// should do the same here before asserting to make sure API is behaving
// correctly;
$extra_params['scope'] = implode(',', $scope_params_as_array);
$expected_login_params =
array_merge(
array('client_id' => self::APP_ID,
'redirect_uri' => 'http://www.test.com/unit-tests.php'),
$extra_params);
$query_map = array();
parse_str($login_url['query'], $query_map);
$this->assertIsSubset($expected_login_params, $query_map);
// we don't know what the state is, but we know it's an md5 and should
// be 32 characters long.
$this->assertEquals(strlen($query_map['state']), $num_characters = 32);
}
public function testGetCodeWithValidCSRFState() {
$facebook = new FBCode(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$facebook->setCSRFStateToken();
$code = $_REQUEST['code'] = $this->generateMD5HashOfRandomValue();
$_REQUEST['state'] = $facebook->getCSRFStateToken();
$this->assertEquals($code,
$facebook->publicGetCode(),
'Expect code to be pulled from $_REQUEST[\'code\']');
}
public function testGetCodeWithInvalidCSRFState() {
$facebook = new FBCode(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$facebook->setCSRFStateToken();
$code = $_REQUEST['code'] = $this->generateMD5HashOfRandomValue();
$_REQUEST['state'] = $facebook->getCSRFStateToken().'forgery!!!';
$this->assertFalse($facebook->publicGetCode(),
'Expect getCode to fail, CSRF state should not match.');
}
public function testGetCodeWithMissingCSRFState() {
$facebook = new FBCode(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$code = $_REQUEST['code'] = $this->generateMD5HashOfRandomValue();
// intentionally don't set CSRF token at all
$this->assertFalse($facebook->publicGetCode(),
'Expect getCode to fail, CSRF state not sent back.');
}
public function testGetUserFromSignedRequest() {
$facebook = new TransientFacebook(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$_REQUEST['signed_request'] = self::$kValidSignedRequest;
$this->assertEquals('1677846385', $facebook->getUser(),
'Failed to get user ID from a valid signed request.');
}
public function testGetSignedRequestFromCookie() {
$facebook = new FBPublicCookie(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$_COOKIE[$facebook->publicGetSignedRequestCookieName()] =
self::$kValidSignedRequest;
$this->assertNotNull($facebook->publicGetSignedRequest());
$this->assertEquals('1677846385', $facebook->getUser(),
'Failed to get user ID from a valid signed request.');
}
public function testGetSignedRequestWithIncorrectSignature() {
$facebook = new FBPublicCookie(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$_COOKIE[$facebook->publicGetSignedRequestCookieName()] =
self::$kSignedRequestWithBogusSignature;
$this->assertNull($facebook->publicGetSignedRequest());
}
public function testNonUserAccessToken() {
$facebook = new FBAccessToken(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
// no cookies, and no request params, so no user or code,
// so no user access token (even with cookie support)
$this->assertEquals($facebook->publicGetApplicationAccessToken(),
$facebook->getAccessToken(),
'Access token should be that for logged out users.');
}
public function testMissingMetadataCookie() {
$fb = new FBPublicCookie(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$this->assertEmpty($fb->publicGetMetadataCookie());
}
public function testEmptyMetadataCookie() {
$fb = new FBPublicCookie(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$_COOKIE[$fb->publicGetMetadataCookieName()] = '';
$this->assertEmpty($fb->publicGetMetadataCookie());
}
public function testMetadataCookie() {
$fb = new FBPublicCookie(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$key = 'foo';
$val = '42';
$_COOKIE[$fb->publicGetMetadataCookieName()] = "$key=$val";
$this->assertEquals(array($key => $val), $fb->publicGetMetadataCookie());
}
public function testQuotedMetadataCookie() {
$fb = new FBPublicCookie(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$key = 'foo';
$val = '42';
$_COOKIE[$fb->publicGetMetadataCookieName()] = "\"$key=$val\"";
$this->assertEquals(array($key => $val), $fb->publicGetMetadataCookie());
}
public function testAPIForLoggedOutUsers() {
$facebook = new TransientFacebook(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$response = $facebook->api(array(
'method' => 'fql.query',
'query' => 'SELECT name FROM user WHERE uid=4',
));
$this->assertEquals(count($response), 1,
'Expect one row back.');
$this->assertEquals($response[0]['name'], 'Mark Zuckerberg',
'Expect the name back.');
}
public function testAPIWithBogusAccessToken() {
$facebook = new TransientFacebook(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$facebook->setAccessToken('this-is-not-really-an-access-token');
// if we don't set an access token and there's no way to
// get one, then the FQL query below works beautifully, handing
// over Zuck's public data. But if you specify a bogus access
// token as I have right here, then the FQL query should fail.
// We could return just Zuck's public data, but that wouldn't
// advertise the issue that the access token is at worst broken
// and at best expired.
try {
$response = $facebook->api(array(
'method' => 'fql.query',
'query' => 'SELECT name FROM profile WHERE id=4',
));
$this->fail('Should not get here.');
} catch(FacebookApiException $e) {
$result = $e->getResult();
$this->assertTrue(is_array($result), 'expect a result object');
$this->assertEquals('190', $result['error_code'], 'expect code');
}
}
public function testAPIGraphPublicData() {
$facebook = new TransientFacebook(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$response = $facebook->api('/jerry');
$this->assertEquals(
$response['id'], '214707', 'should get expected id.');
}
public function testGraphAPIWithBogusAccessToken() {
$facebook = new TransientFacebook(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$facebook->setAccessToken('this-is-not-really-an-access-token');
try {
$response = $facebook->api('/me');
$this->fail('Should not get here.');
} catch(FacebookApiException $e) {
// means the server got the access token and didn't like it
$msg = 'OAuthException: Invalid OAuth access token.';
$this->assertEquals($msg, (string) $e,
'Expect the invalid OAuth token message.');
}
}
public function testGraphAPIWithExpiredAccessToken() {
$facebook = new TransientFacebook(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$facebook->setAccessToken(self::$kExpiredAccessToken);
try {
$response = $facebook->api('/me');
$this->fail('Should not get here.');
} catch(FacebookApiException $e) {
// means the server got the access token and didn't like it
$error_msg_start = 'OAuthException: Error validating access token:';
$this->assertTrue(strpos((string) $e, $error_msg_start) === 0,
'Expect the token validation error message.');
}
}
public function testGraphAPIMethod() {
$facebook = new TransientFacebook(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
try {
// naitik being bold about deleting his entire record....
// let's hope this never actually passes.
$response = $facebook->api('/naitik', $method = 'DELETE');
$this->fail('Should not get here.');
} catch(FacebookApiException $e) {
// ProfileDelete means the server understood the DELETE
$msg =
'OAuthException: (#200) User cannot access this application';
$this->assertEquals($msg, (string) $e,
'Expect the invalid session message.');
}
}
public function testGraphAPIOAuthSpecError() {
$facebook = new TransientFacebook(array(
'appId' => self::MIGRATED_APP_ID,
'secret' => self::MIGRATED_SECRET,
));
try {
$response = $facebook->api('/me', array(
'client_id' => self::MIGRATED_APP_ID));
$this->fail('Should not get here.');
} catch(FacebookApiException $e) {
// means the server got the access token
$msg = 'invalid_request: An active access token must be used '.
'to query information about the current user.';
$this->assertEquals($msg, (string) $e,
'Expect the invalid session message.');
}
}
public function testGraphAPIMethodOAuthSpecError() {
$facebook = new TransientFacebook(array(
'appId' => self::MIGRATED_APP_ID,
'secret' => self::MIGRATED_SECRET,
));
try {
$response = $facebook->api('/daaku.shah', 'DELETE', array(
'client_id' => self::MIGRATED_APP_ID));
$this->fail('Should not get here.');
} catch(FacebookApiException $e) {
$this->assertEquals(strpos($e, 'invalid_request'), 0);
}
}
public function testCurlFailure() {
$facebook = new TransientFacebook(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
if (!defined('CURLOPT_TIMEOUT_MS')) {
// can't test it if we don't have millisecond timeouts
return;
}
$exception = null;
try {
// we dont expect facebook will ever return in 1ms
Facebook::$CURL_OPTS[CURLOPT_TIMEOUT_MS] = 50;
$facebook->api('/naitik');
} catch(FacebookApiException $e) {
$exception = $e;
}
unset(Facebook::$CURL_OPTS[CURLOPT_TIMEOUT_MS]);
if (!$exception) {
$this->fail('no exception was thrown on timeout.');
}
$code = $exception->getCode();
if ($code != CURLE_OPERATION_TIMEOUTED && $code != CURLE_COULDNT_CONNECT) {
$this->fail("Expected curl error code 7 or 28 but got: $code");
}
$this->assertEquals('CurlException', $exception->getType(), 'expect type');
}
public function testGraphAPIWithOnlyParams() {
$facebook = new TransientFacebook(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$response = $facebook->api('/jerry');
$this->assertTrue(isset($response['id']),
'User ID should be public.');
$this->assertTrue(isset($response['name']),
'User\'s name should be public.');
$this->assertTrue(isset($response['first_name']),
'User\'s first name should be public.');
$this->assertTrue(isset($response['last_name']),
'User\'s last name should be public.');
$this->assertFalse(isset($response['work']),
'User\'s work history should only be available with '.
'a valid access token.');
$this->assertFalse(isset($response['education']),
'User\'s education history should only be '.
'available with a valid access token.');
$this->assertFalse(isset($response['verified']),
'User\'s verification status should only be '.
'available with a valid access token.');
}
public function testLoginURLDefaults() {
$_SERVER['HTTP_HOST'] = 'fbrell.com';
$_SERVER['REQUEST_URI'] = '/examples';
$facebook = new TransientFacebook(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$encodedUrl = rawurlencode('http://fbrell.com/examples');
$this->assertNotNull(strpos($facebook->getLoginUrl(), $encodedUrl),
'Expect the current url to exist.');
}
public function testLoginURLDefaultsDropStateQueryParam() {
$_SERVER['HTTP_HOST'] = 'fbrell.com';
$_SERVER['REQUEST_URI'] = '/examples?state=xx42xx';
$facebook = new TransientFacebook(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$expectEncodedUrl = rawurlencode('http://fbrell.com/examples');
$this->assertTrue(strpos($facebook->getLoginUrl(), $expectEncodedUrl) > -1,
'Expect the current url to exist.');
$this->assertFalse(strpos($facebook->getLoginUrl(), 'xx42xx'),
'Expect the session param to be dropped.');
}
public function testLoginURLDefaultsDropCodeQueryParam() {
$_SERVER['HTTP_HOST'] = 'fbrell.com';
$_SERVER['REQUEST_URI'] = '/examples?code=xx42xx';
$facebook = new TransientFacebook(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$expectEncodedUrl = rawurlencode('http://fbrell.com/examples');
$this->assertTrue(strpos($facebook->getLoginUrl(), $expectEncodedUrl) > -1,
'Expect the current url to exist.');
$this->assertFalse(strpos($facebook->getLoginUrl(), 'xx42xx'),
'Expect the session param to be dropped.');
}
public function testLoginURLDefaultsDropSignedRequestParamButNotOthers() {
$_SERVER['HTTP_HOST'] = 'fbrell.com';
$_SERVER['REQUEST_URI'] =
'/examples?signed_request=xx42xx&do_not_drop=xx43xx';
$facebook = new TransientFacebook(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$expectEncodedUrl = rawurlencode('http://fbrell.com/examples');
$this->assertFalse(strpos($facebook->getLoginUrl(), 'xx42xx'),
'Expect the session param to be dropped.');
$this->assertTrue(strpos($facebook->getLoginUrl(), 'xx43xx') > -1,
'Expect the do_not_drop param to exist.');
}
public function testLoginURLCustomNext() {
$_SERVER['HTTP_HOST'] = 'fbrell.com';
$_SERVER['REQUEST_URI'] = '/examples';
$facebook = new TransientFacebook(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$next = 'http://fbrell.com/custom';
$loginUrl = $facebook->getLoginUrl(array(
'redirect_uri' => $next,
'cancel_url' => $next
));
$currentEncodedUrl = rawurlencode('http://fbrell.com/examples');
$expectedEncodedUrl = rawurlencode($next);
$this->assertNotNull(strpos($loginUrl, $expectedEncodedUrl),
'Expect the custom url to exist.');
$this->assertFalse(strpos($loginUrl, $currentEncodedUrl),
'Expect the current url to not exist.');
}
public function testLogoutURLDefaults() {
$_SERVER['HTTP_HOST'] = 'fbrell.com';
$_SERVER['REQUEST_URI'] = '/examples';
$facebook = new TransientFacebook(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$encodedUrl = rawurlencode('http://fbrell.com/examples');
$this->assertNotNull(strpos($facebook->getLogoutUrl(), $encodedUrl),
'Expect the current url to exist.');
$this->assertFalse(strpos($facebook->getLogoutUrl(), self::SECRET));
}
public function testLoginStatusURLDefaults() {
$_SERVER['HTTP_HOST'] = 'fbrell.com';
$_SERVER['REQUEST_URI'] = '/examples';
$facebook = new TransientFacebook(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$encodedUrl = rawurlencode('http://fbrell.com/examples');
$this->assertNotNull(strpos($facebook->getLoginStatusUrl(), $encodedUrl),
'Expect the current url to exist.');
}
public function testLoginStatusURLCustom() {
$_SERVER['HTTP_HOST'] = 'fbrell.com';
$_SERVER['REQUEST_URI'] = '/examples';
$facebook = new TransientFacebook(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$encodedUrl1 = rawurlencode('http://fbrell.com/examples');
$okUrl = 'http://fbrell.com/here1';
$encodedUrl2 = rawurlencode($okUrl);
$loginStatusUrl = $facebook->getLoginStatusUrl(array(
'ok_session' => $okUrl,
));
$this->assertNotNull(strpos($loginStatusUrl, $encodedUrl1),
'Expect the current url to exist.');
$this->assertNotNull(strpos($loginStatusUrl, $encodedUrl2),
'Expect the custom url to exist.');
}
public function testNonDefaultPort() {
$_SERVER['HTTP_HOST'] = 'fbrell.com:8080';
$_SERVER['REQUEST_URI'] = '/examples';
$facebook = new TransientFacebook(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$encodedUrl = rawurlencode('http://fbrell.com:8080/examples');
$this->assertNotNull(strpos($facebook->getLoginUrl(), $encodedUrl),
'Expect the current url to exist.');
}
public function testSecureCurrentUrl() {
$_SERVER['HTTP_HOST'] = 'fbrell.com';
$_SERVER['REQUEST_URI'] = '/examples';
$_SERVER['HTTPS'] = 'on';
$facebook = new TransientFacebook(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$encodedUrl = rawurlencode('https://fbrell.com/examples');
$this->assertNotNull(strpos($facebook->getLoginUrl(), $encodedUrl),
'Expect the current url to exist.');
}
public function testSecureCurrentUrlWithNonDefaultPort() {
$_SERVER['HTTP_HOST'] = 'fbrell.com:8080';
$_SERVER['REQUEST_URI'] = '/examples';
$_SERVER['HTTPS'] = 'on';
$facebook = new TransientFacebook(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$encodedUrl = rawurlencode('https://fbrell.com:8080/examples');
$this->assertNotNull(strpos($facebook->getLoginUrl(), $encodedUrl),
'Expect the current url to exist.');
}
public function testAppSecretCall() {
$facebook = new TransientFacebook(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
try {
$response = $facebook->api('/' . self::APP_ID . '/insights');
$this->fail('Desktop applications need a user token for insights.');
} catch (FacebookApiException $e) {
// this test is failing as the graph call is returning the wrong
// error message
$this->assertEquals($e->getMessage(),
'An access token is required to request this resource.');
} catch (Exception $e) {
$this->fail('Incorrect exception type thrown when trying to gain ' .
'insights for desktop app without a user access token.');
}
}
public function testBase64UrlEncode() {
$input = 'Facebook rocks';
$output = 'RmFjZWJvb2sgcm9ja3M';
$this->assertEquals(FBPublic::publicBase64UrlDecode($output), $input);
}
public function testSignedToken() {
$facebook = new FBPublic(array(
'appId' => self::APP_ID,
'secret' => self::SECRET
));
$payload = $facebook->publicParseSignedRequest(self::$kValidSignedRequest);
$this->assertNotNull($payload, 'Expected token to parse');
$this->assertEquals($facebook->getSignedRequest(), null);
$_REQUEST['signed_request'] = self::$kValidSignedRequest;
$this->assertEquals($facebook->getSignedRequest(), $payload);
}
public function testNonTossedSignedtoken() {
$facebook = new FBPublic(array(
'appId' => self::APP_ID,
'secret' => self::SECRET
));
$payload = $facebook->publicParseSignedRequest(
self::$kNonTosedSignedRequest);
$this->assertNotNull($payload, 'Expected token to parse');
$this->assertNull($facebook->getSignedRequest());
$_REQUEST['signed_request'] = self::$kNonTosedSignedRequest;
$this->assertEquals($facebook->getSignedRequest(),
array('algorithm' => 'HMAC-SHA256'));
}
public function testSignedRequestWithWrongAlgo() {
$fb = new FBPublic(array(
'appId' => self::APP_ID,
'secret' => self::SECRET
));
$payload = $fb->publicParseSignedRequest(
self::$kSignedRequestWithWrongAlgo);
$this->assertNull($payload, 'Expected nothing back.');
}
public function testMakeAndParse() {
$fb = new FBPublic(array(
'appId' => self::APP_ID,
'secret' => self::SECRET
));
$data = array('foo' => 42);
$sr = $fb->publicMakeSignedRequest($data);
$decoded = $fb->publicParseSignedRequest($sr);
$this->assertEquals($data['foo'], $decoded['foo']);
}
/**
* @expectedException InvalidArgumentException
*/
public function testMakeSignedRequestExpectsArray() {
$fb = new FBPublic(array(
'appId' => self::APP_ID,
'secret' => self::SECRET
));
$sr = $fb->publicMakeSignedRequest('');
}
public function testBundledCACert() {
$facebook = new TransientFacebook(array(
'appId' => self::APP_ID,
'secret' => self::SECRET
));
// use the bundled cert from the start
Facebook::$CURL_OPTS[CURLOPT_CAINFO] =
dirname(__FILE__) . '/../src/fb_ca_chain_bundle.crt';
$response = $facebook->api('/naitik');
unset(Facebook::$CURL_OPTS[CURLOPT_CAINFO]);
$this->assertEquals(
$response['id'], '5526183', 'should get expected id.');
}
public function testVideoUpload() {
$facebook = new FBRecordURL(array(
'appId' => self::APP_ID,
'secret' => self::SECRET
));
$facebook->api(array('method' => 'video.upload'));
$this->assertContains('//api-video.', $facebook->getRequestedURL(),
'video.upload should go against api-video');
}
public function testVideoUploadGraph() {
$facebook = new FBRecordURL(array(
'appId' => self::APP_ID,
'secret' => self::SECRET
));
$facebook->api('/me/videos', 'POST');
$this->assertContains('//graph-video.', $facebook->getRequestedURL(),
'/me/videos should go against graph-video');
}
public function testGetUserAndAccessTokenFromSession() {
$facebook = new PersistentFBPublic(array(
'appId' => self::APP_ID,
'secret' => self::SECRET
));
$facebook->publicSetPersistentData('access_token',
self::$kExpiredAccessToken);
$facebook->publicSetPersistentData('user_id', 12345);
$this->assertEquals(self::$kExpiredAccessToken,
$facebook->getAccessToken(),
'Get access token from persistent store.');
$this->assertEquals('12345',
$facebook->getUser(),
'Get user id from persistent store.');
}
public function testGetUserAndAccessTokenFromSignedRequestNotSession() {
$facebook = new PersistentFBPublic(array(
'appId' => self::APP_ID,
'secret' => self::SECRET
));
$_REQUEST['signed_request'] = self::$kValidSignedRequest;
$facebook->publicSetPersistentData('user_id', 41572);
$facebook->publicSetPersistentData('access_token',
self::$kExpiredAccessToken);
$this->assertNotEquals('41572', $facebook->getUser(),
'Got user from session instead of signed request.');
$this->assertEquals('1677846385', $facebook->getUser(),
'Failed to get correct user ID from signed request.');
$this->assertNotEquals(
self::$kExpiredAccessToken,
$facebook->getAccessToken(),
'Got access token from session instead of signed request.');
$this->assertNotEmpty(
$facebook->getAccessToken(),
'Failed to extract an access token from the signed request.');
}
public function testGetUserWithoutCodeOrSignedRequestOrSession() {
$facebook = new PersistentFBPublic(array(
'appId' => self::APP_ID,
'secret' => self::SECRET
));
// deliberately leave $_REQUEST and _$SESSION empty
$this->assertEmpty($_REQUEST,
'GET, POST, and COOKIE params exist even though '.
'they should. Test cannot succeed unless all of '.
'$_REQUEST is empty.');
$this->assertEmpty($_SESSION,
'Session is carrying state and should not be.');
$this->assertEmpty($facebook->getUser(),
'Got a user id, even without a signed request, '.
'access token, or session variable.');
$this->assertEmpty($_SESSION,
'Session superglobal incorrectly populated by getUser.');
}
public function testGetAccessTokenUsingCodeInJsSdkCookie() {
$code = 'code1';
$access_token = 'at1';
$methods_to_stub = array('getSignedRequest', 'getAccessTokenFromCode');
$constructor_args = array(array(
'appId' => self::APP_ID,
'secret' => self::SECRET
));
$stub = $this->getMock(
'TransientFacebook', $methods_to_stub, $constructor_args);
$stub
->expects($this->once())
->method('getSignedRequest')
->will($this->returnValue(array('code' => $code)));
$stub
->expects($this->once())
->method('getAccessTokenFromCode')
->will($this->returnValueMap(array(array($code, '', $access_token))));
$this->assertEquals($stub->getAccessToken(), $access_token);
}
public function testSignedRequestWithoutAuthClearsData() {
$methods_to_stub = array('getSignedRequest', 'clearAllPersistentData');
$constructor_args = array(array(
'appId' => self::APP_ID,
'secret' => self::SECRET
));
$stub = $this->getMock(
'TransientFacebook', $methods_to_stub, $constructor_args);
$stub
->expects($this->once())
->method('getSignedRequest')
->will($this->returnValue(array('foo' => 1)));
$stub
->expects($this->once())
->method('clearAllPersistentData');
$this->assertEquals(self::APP_ID.'|'.self::SECRET, $stub->getAccessToken());
}
public function testInvalidCodeInSignedRequestWillClearData() {
$code = 'code1';
$methods_to_stub = array(
'getSignedRequest',
'getAccessTokenFromCode',
'clearAllPersistentData',
);
$constructor_args = array(array(
'appId' => self::APP_ID,
'secret' => self::SECRET
));
$stub = $this->getMock(
'TransientFacebook', $methods_to_stub, $constructor_args);
$stub
->expects($this->once())
->method('getSignedRequest')
->will($this->returnValue(array('code' => $code)));
$stub
->expects($this->once())
->method('getAccessTokenFromCode')
->will($this->returnValue(null));
$stub
->expects($this->once())
->method('clearAllPersistentData');
$this->assertEquals(self::APP_ID.'|'.self::SECRET, $stub->getAccessToken());
}
public function testInvalidCodeWillClearData() {
$code = 'code1';
$methods_to_stub = array(
'getCode',
'getAccessTokenFromCode',
'clearAllPersistentData',
);
$constructor_args = array(array(
'appId' => self::APP_ID,
'secret' => self::SECRET
));
$stub = $this->getMock(
'TransientFacebook', $methods_to_stub, $constructor_args);
$stub
->expects($this->once())
->method('getCode')
->will($this->returnValue($code));
$stub
->expects($this->once())
->method('getAccessTokenFromCode')
->will($this->returnValue(null));
$stub
->expects($this->once())
->method('clearAllPersistentData');
$this->assertEquals(self::APP_ID.'|'.self::SECRET, $stub->getAccessToken());
}
public function testValidCodeToToken() {
$code = 'code1';
$access_token = 'at1';
$methods_to_stub = array(
'getSignedRequest',
'getCode',
'getAccessTokenFromCode',
);
$constructor_args = array(array(
'appId' => self::APP_ID,
'secret' => self::SECRET
));
$stub = $this->getMock(
'TransientFacebook', $methods_to_stub, $constructor_args);
$stub
->expects($this->once())
->method('getCode')
->will($this->returnValue($code));
$stub
->expects($this->once())
->method('getAccessTokenFromCode')
->will($this->returnValueMap(array(array($code, null, $access_token))));
$this->assertEquals($stub->getAccessToken(), $access_token);
}
public function testSignedRequestWithoutAuthClearsDataInAvailData() {
$methods_to_stub = array('getSignedRequest', 'clearAllPersistentData');
$constructor_args = array(array(
'appId' => self::APP_ID,
'secret' => self::SECRET
));
$stub = $this->getMock(
'TransientFacebook', $methods_to_stub, $constructor_args);
$stub
->expects($this->once())
->method('getSignedRequest')
->will($this->returnValue(array('foo' => 1)));
$stub
->expects($this->once())
->method('clearAllPersistentData');
$this->assertEquals(0, $stub->getUser());
}
public function testFailedToGetUserFromAccessTokenClearsData() {
$methods_to_stub = array(
'getAccessToken',
'getUserFromAccessToken',
'clearAllPersistentData',
);
$constructor_args = array(array(
'appId' => self::APP_ID,
'secret' => self::SECRET
));
$stub = $this->getMock(
'TransientFacebook', $methods_to_stub, $constructor_args);
$stub
->expects($this->once())
->method('getAccessToken')
->will($this->returnValue('at1'));
$stub
->expects($this->once())
->method('getUserFromAccessToken');
$stub
->expects($this->once())
->method('clearAllPersistentData');
$this->assertEquals(0, $stub->getUser());
}
public function testUserFromAccessTokenIsStored() {
$methods_to_stub = array(
'getAccessToken',
'getUserFromAccessToken',
'setPersistentData',
);
$constructor_args = array(array(
'appId' => self::APP_ID,
'secret' => self::SECRET
));
$user = 42;
$stub = $this->getMock(
'TransientFacebook', $methods_to_stub, $constructor_args);
$stub
->expects($this->once())
->method('getAccessToken')
->will($this->returnValue('at1'));
$stub
->expects($this->once())
->method('getUserFromAccessToken')
->will($this->returnValue($user));
$stub
->expects($this->once())
->method('setPersistentData');
$this->assertEquals($user, $stub->getUser());
}
public function testUserFromAccessTokenPullsID() {
$methods_to_stub = array(
'getAccessToken',
'api',
);
$constructor_args = array(array(
'appId' => self::APP_ID,
'secret' => self::SECRET
));
$user = 42;
$stub = $this->getMock(
'TransientFacebook', $methods_to_stub, $constructor_args);
$stub
->expects($this->once())
->method('getAccessToken')
->will($this->returnValue('at1'));
$stub
->expects($this->once())
->method('api')
->will($this->returnValue(array('id' => $user)));
$this->assertEquals($user, $stub->getUser());
}
public function testUserFromAccessTokenResetsOnApiException() {
$methods_to_stub = array(
'getAccessToken',
'clearAllPersistentData',
'api',
);
$constructor_args = array(array(
'appId' => self::APP_ID,
'secret' => self::SECRET
));
$stub = $this->getMock(
'TransientFacebook', $methods_to_stub, $constructor_args);
$stub
->expects($this->once())
->method('getAccessToken')
->will($this->returnValue('at1'));
$stub
->expects($this->once())
->method('api')
->will($this->throwException(new FacebookApiException(false)));
$stub
->expects($this->once())
->method('clearAllPersistentData');
$this->assertEquals(0, $stub->getUser());
}
public function testEmptyCodeReturnsFalse() {
$fb = new FBPublicGetAccessTokenFromCode(array(
'appId' => self::APP_ID,
'secret' => self::SECRET
));
$this->assertFalse($fb->publicGetAccessTokenFromCode(''));
$this->assertFalse($fb->publicGetAccessTokenFromCode(null));
$this->assertFalse($fb->publicGetAccessTokenFromCode(false));
}
public function testNullRedirectURIUsesCurrentURL() {
$methods_to_stub = array(
'_oauthRequest',
'getCurrentUrl',
);
$constructor_args = array(array(
'appId' => self::APP_ID,
'secret' => self::SECRET
));
$access_token = 'at1';
$stub = $this->getMock(
'FBPublicGetAccessTokenFromCode', $methods_to_stub, $constructor_args);
$stub
->expects($this->once())
->method('_oauthRequest')
->will($this->returnValue("access_token=$access_token"));
$stub
->expects($this->once())
->method('getCurrentUrl');
$this->assertEquals(
$access_token, $stub->publicGetAccessTokenFromCode('c'));
}
public function testNullRedirectURIAllowsEmptyStringForCookie() {
$methods_to_stub = array(
'_oauthRequest',
'getCurrentUrl',
);
$constructor_args = array(array(
'appId' => self::APP_ID,
'secret' => self::SECRET
));
$access_token = 'at1';
$stub = $this->getMock(
'FBPublicGetAccessTokenFromCode', $methods_to_stub, $constructor_args);
$stub
->expects($this->once())
->method('_oauthRequest')
->will($this->returnValue("access_token=$access_token"));
$stub
->expects($this->never())
->method('getCurrentUrl');
$this->assertEquals(
$access_token, $stub->publicGetAccessTokenFromCode('c', ''));
}
public function testAPIExceptionDuringCodeExchangeIsIgnored() {
$methods_to_stub = array(
'_oauthRequest',
);
$constructor_args = array(array(
'appId' => self::APP_ID,
'secret' => self::SECRET
));
$stub = $this->getMock(
'FBPublicGetAccessTokenFromCode', $methods_to_stub, $constructor_args);
$stub
->expects($this->once())
->method('_oauthRequest')
->will($this->throwException(new FacebookApiException(false)));
$this->assertFalse($stub->publicGetAccessTokenFromCode('c', ''));
}
public function testEmptyResponseInCodeExchangeIsIgnored() {
$methods_to_stub = array(
'_oauthRequest',
);
$constructor_args = array(array(
'appId' => self::APP_ID,
'secret' => self::SECRET
));
$stub = $this->getMock(
'FBPublicGetAccessTokenFromCode', $methods_to_stub, $constructor_args);
$stub
->expects($this->once())
->method('_oauthRequest')
->will($this->returnValue(''));
$this->assertFalse($stub->publicGetAccessTokenFromCode('c', ''));
}
public function testExistingStateRestoredInConstructor() {
$fb = new FBPublicState(array(
'appId' => self::APP_ID,
'secret' => self::SECRET
));
$this->assertEquals(FBPublicState::STATE, $fb->publicGetState());
}
public function testMissingAccessTokenInCodeExchangeIsIgnored() {
$methods_to_stub = array(
'_oauthRequest',
);
$constructor_args = array(array(
'appId' => self::APP_ID,
'secret' => self::SECRET
));
$stub = $this->getMock(
'FBPublicGetAccessTokenFromCode', $methods_to_stub, $constructor_args);
$stub
->expects($this->once())
->method('_oauthRequest')
->will($this->returnValue('foo=1'));
$this->assertFalse($stub->publicGetAccessTokenFromCode('c', ''));
}
public function testExceptionConstructorWithErrorCode() {
$code = 404;
$e = new FacebookApiException(array('error_code' => $code));
$this->assertEquals($code, $e->getCode());
}
// this happens often despite the fact that it is useless
public function testExceptionTypeFalse() {
$e = new FacebookApiException(false);
$this->assertEquals('Exception', $e->getType());
}
public function testExceptionTypeMixedDraft00() {
$e = new FacebookApiException(array('error' => array('message' => 'foo')));
$this->assertEquals('Exception', $e->getType());
}
public function testExceptionTypeDraft00() {
$error = 'foo';
$e = new FacebookApiException(
array('error' => array('type' => $error, 'message' => 'hello world')));
$this->assertEquals($error, $e->getType());
}
public function testExceptionTypeDraft10() {
$error = 'foo';
$e = new FacebookApiException(array('error' => $error));
$this->assertEquals($error, $e->getType());
}
public function testExceptionTypeDefault() {
$e = new FacebookApiException(array('error' => false));
$this->assertEquals('Exception', $e->getType());
}
public function testExceptionToString() {
$e = new FacebookApiException(array(
'error_code' => 1,
'error_description' => 'foo',
));
$this->assertEquals('Exception: 1: foo', (string) $e);
}
public function testDestroyClearsCookie() {
$fb = new FBPublicCookie(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$_COOKIE[$fb->publicGetSignedRequestCookieName()] = 'foo';
$_COOKIE[$fb->publicGetMetadataCookieName()] = 'base_domain=fbrell.com';
$_SERVER['HTTP_HOST'] = 'fbrell.com';
$fb->destroySession();
$this->assertFalse(
array_key_exists($fb->publicGetSignedRequestCookieName(), $_COOKIE));
}
public function testAuthExpireSessionDestroysSession() {
$methods_to_stub = array(
'_oauthRequest',
'destroySession',
);
$constructor_args = array(array(
'appId' => self::APP_ID,
'secret' => self::SECRET
));
$key = 'foo';
$val = 42;
$stub = $this->getMock(
'TransientFacebook', $methods_to_stub, $constructor_args);
$stub
->expects($this->once())
->method('_oauthRequest')
->will($this->returnValue("{\"$key\":$val}"));
$stub
->expects($this->once())
->method('destroySession');
$this->assertEquals(
array($key => $val),
$stub->api(array('method' => 'auth.expireSession'))
);
}
public function testLowercaseAuthRevokeAuthDestroysSession() {
$methods_to_stub = array(
'_oauthRequest',
'destroySession',
);
$constructor_args = array(array(
'appId' => self::APP_ID,
'secret' => self::SECRET
));
$key = 'foo';
$val = 42;
$stub = $this->getMock(
'TransientFacebook', $methods_to_stub, $constructor_args);
$stub
->expects($this->once())
->method('_oauthRequest')
->will($this->returnValue("{\"$key\":$val}"));
$stub
->expects($this->once())
->method('destroySession');
$this->assertEquals(
array($key => $val),
$stub->api(array('method' => 'auth.revokeauthorization'))
);
}
/**
* @expectedException FacebookAPIException
*/
public function testErrorCodeFromRestAPIThrowsException() {
$methods_to_stub = array(
'_oauthRequest',
);
$constructor_args = array(array(
'appId' => self::APP_ID,
'secret' => self::SECRET
));
$stub = $this->getMock(
'TransientFacebook', $methods_to_stub, $constructor_args);
$stub
->expects($this->once())
->method('_oauthRequest')
->will($this->returnValue('{"error_code": 500}'));
$stub->api(array('method' => 'foo'));
}
public function testJsonEncodeOfNonStringParams() {
$foo = array(1, 2);
$params = array(
'method' => 'get',
'foo' => $foo,
);
$fb = new FBRecordMakeRequest(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$fb->api('/naitik', $params);
$requests = $fb->publicGetRequests();
$this->assertEquals(json_encode($foo), $requests[0]['params']['foo']);
}
public function testSessionBackedFacebook() {
$fb = new PersistentFBPublic(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$key = 'state';
$val = 'foo';
$fb->publicSetPersistentData($key, $val);
$this->assertEquals(
$val,
$_SESSION[sprintf('fb_%s_%s', self::APP_ID, $key)]
);
$this->assertEquals(
$val,
$fb->publicGetPersistentData($key)
);
}
public function testSessionBackedFacebookIgnoresUnsupportedKey() {
$fb = new PersistentFBPublic(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$key = '--invalid--';
$val = 'foo';
$fb->publicSetPersistentData($key, $val);
$this->assertFalse(
array_key_exists(
sprintf('fb_%s_%s', self::APP_ID, $key),
$_SESSION
)
);
$this->assertFalse($fb->publicGetPersistentData($key));
}
public function testClearSessionBackedFacebook() {
$fb = new PersistentFBPublic(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$key = 'state';
$val = 'foo';
$fb->publicSetPersistentData($key, $val);
$this->assertEquals(
$val,
$_SESSION[sprintf('fb_%s_%s', self::APP_ID, $key)]
);
$this->assertEquals(
$val,
$fb->publicGetPersistentData($key)
);
$fb->publicClearPersistentData($key);
$this->assertFalse(
array_key_exists(
sprintf('fb_%s_%s', self::APP_ID, $key),
$_SESSION
)
);
$this->assertFalse($fb->publicGetPersistentData($key));
}
public function testSessionBackedFacebookIgnoresUnsupportedKeyInClear() {
$fb = new PersistentFBPublic(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$key = '--invalid--';
$val = 'foo';
$session_var_name = sprintf('fb_%s_%s', self::APP_ID, $key);
$_SESSION[$session_var_name] = $val;
$fb->publicClearPersistentData($key);
$this->assertTrue(array_key_exists($session_var_name, $_SESSION));
$this->assertFalse($fb->publicGetPersistentData($key));
}
public function testClearAllSessionBackedFacebook() {
$fb = new PersistentFBPublic(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$key = 'state';
$val = 'foo';
$session_var_name = sprintf('fb_%s_%s', self::APP_ID, $key);
$fb->publicSetPersistentData($key, $val);
$this->assertEquals($val, $_SESSION[$session_var_name]);
$this->assertEquals($val, $fb->publicGetPersistentData($key));
$fb->publicClearAllPersistentData();
$this->assertFalse(array_key_exists($session_var_name, $_SESSION));
$this->assertFalse($fb->publicGetPersistentData($key));
}
public function testSharedSessionBackedFacebook() {
$_SERVER['HTTP_HOST'] = 'fbrell.com';
$fb = new PersistentFBPublic(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
'sharedSession' => true,
));
$key = 'state';
$val = 'foo';
$session_var_name = sprintf(
'%s_fb_%s_%s',
$fb->publicGetSharedSessionID(),
self::APP_ID,
$key
);
$fb->publicSetPersistentData($key, $val);
$this->assertEquals($val, $_SESSION[$session_var_name]);
$this->assertEquals($val, $fb->publicGetPersistentData($key));
}
public function testSharedSessionBackedFacebookIgnoresUnsupportedKey() {
$_SERVER['HTTP_HOST'] = 'fbrell.com';
$fb = new PersistentFBPublic(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
'sharedSession' => true,
));
$key = '--invalid--';
$val = 'foo';
$session_var_name = sprintf(
'%s_fb_%s_%s',
$fb->publicGetSharedSessionID(),
self::APP_ID,
$key
);
$fb->publicSetPersistentData($key, $val);
$this->assertFalse(array_key_exists($session_var_name, $_SESSION));
$this->assertFalse($fb->publicGetPersistentData($key));
}
public function testSharedClearSessionBackedFacebook() {
$_SERVER['HTTP_HOST'] = 'fbrell.com';
$fb = new PersistentFBPublic(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
'sharedSession' => true,
));
$key = 'state';
$val = 'foo';
$session_var_name = sprintf(
'%s_fb_%s_%s',
$fb->publicGetSharedSessionID(),
self::APP_ID,
$key
);
$fb->publicSetPersistentData($key, $val);
$this->assertEquals($val, $_SESSION[$session_var_name]);
$this->assertEquals($val, $fb->publicGetPersistentData($key));
$fb->publicClearPersistentData($key);
$this->assertFalse(array_key_exists($session_var_name, $_SESSION));
$this->assertFalse($fb->publicGetPersistentData($key));
}
public function testSharedSessionBackedFacebookIgnoresUnsupportedKeyInClear() {
$_SERVER['HTTP_HOST'] = 'fbrell.com';
$fb = new PersistentFBPublic(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
'sharedSession' => true,
));
$key = '--invalid--';
$val = 'foo';
$session_var_name = sprintf(
'%s_fb_%s_%s',
$fb->publicGetSharedSessionID(),
self::APP_ID,
$key
);
$_SESSION[$session_var_name] = $val;
$fb->publicClearPersistentData($key);
$this->assertTrue(array_key_exists($session_var_name, $_SESSION));
$this->assertFalse($fb->publicGetPersistentData($key));
}
public function testSharedClearAllSessionBackedFacebook() {
$_SERVER['HTTP_HOST'] = 'fbrell.com';
$fb = new PersistentFBPublic(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
'sharedSession' => true,
));
$key = 'state';
$val = 'foo';
$session_var_name = sprintf(
'%s_fb_%s_%s',
$fb->publicGetSharedSessionID(),
self::APP_ID,
$key
);
$fb->publicSetPersistentData($key, $val);
$this->assertEquals($val, $_SESSION[$session_var_name]);
$this->assertEquals($val, $fb->publicGetPersistentData($key));
$fb->publicClearAllPersistentData();
$this->assertFalse(array_key_exists($session_var_name, $_SESSION));
$this->assertFalse($fb->publicGetPersistentData($key));
}
public function testSharedSessionBackedFacebookIsRestored() {
$_SERVER['HTTP_HOST'] = 'fbrell.com';
$fb = new PersistentFBPublic(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
'sharedSession' => true,
));
$key = 'state';
$val = 'foo';
$shared_session_id = $fb->publicGetSharedSessionID();
$session_var_name = sprintf(
'%s_fb_%s_%s',
$shared_session_id,
self::APP_ID,
$key
);
$fb->publicSetPersistentData($key, $val);
$this->assertEquals($val, $_SESSION[$session_var_name]);
$this->assertEquals($val, $fb->publicGetPersistentData($key));
// check the new instance has the same data
$fb = new PersistentFBPublic(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
'sharedSession' => true,
));
$this->assertEquals(
$shared_session_id,
$fb->publicGetSharedSessionID()
);
$this->assertEquals($val, $fb->publicGetPersistentData($key));
}
public function testSharedSessionBackedFacebookIsNotRestoredWhenCorrupt() {
$_SERVER['HTTP_HOST'] = 'fbrell.com';
$fb = new PersistentFBPublic(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
'sharedSession' => true,
));
$key = 'state';
$val = 'foo';
$shared_session_id = $fb->publicGetSharedSessionID();
$session_var_name = sprintf(
'%s_fb_%s_%s',
$shared_session_id,
self::APP_ID,
$key
);
$fb->publicSetPersistentData($key, $val);
$this->assertEquals($val, $_SESSION[$session_var_name]);
$this->assertEquals($val, $fb->publicGetPersistentData($key));
// break the cookie
$cookie_name = $fb->publicGetSharedSessionCookieName();
$_COOKIE[$cookie_name] = substr($_COOKIE[$cookie_name], 1);
// check the new instance does not have the data
$fb = new PersistentFBPublic(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
'sharedSession' => true,
));
$this->assertFalse($fb->publicGetPersistentData($key));
$this->assertNotEquals(
$shared_session_id,
$fb->publicGetSharedSessionID()
);
}
public function testHttpHost() {
$real = 'foo.com';
$_SERVER['HTTP_HOST'] = $real;
$_SERVER['HTTP_X_FORWARDED_HOST'] = 'evil.com';
$fb = new PersistentFBPublic(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$this->assertEquals($real, $fb->publicGetHttpHost());
}
public function testHttpProtocol() {
$_SERVER['HTTPS'] = 'on';
$_SERVER['HTTP_X_FORWARDED_PROTO'] = 'http';
$fb = new PersistentFBPublic(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
));
$this->assertEquals('https', $fb->publicGetHttpProtocol());
}
public function testHttpHostForwarded() {
$real = 'foo.com';
$_SERVER['HTTP_HOST'] = 'localhost';
$_SERVER['HTTP_X_FORWARDED_HOST'] = $real;
$fb = new PersistentFBPublic(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
'trustForwarded' => true,
));
$this->assertEquals($real, $fb->publicGetHttpHost());
}
public function testHttpProtocolForwarded() {
$_SERVER['HTTPS'] = 'on';
$_SERVER['HTTP_X_FORWARDED_PROTO'] = 'http';
$fb = new PersistentFBPublic(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
'trustForwarded' => true,
));
$this->assertEquals('http', $fb->publicGetHttpProtocol());
}
public function testHttpProtocolForwardedSecure() {
$_SERVER['HTTPS'] = 'on';
$_SERVER['HTTP_X_FORWARDED_PROTO'] = 'https';
$fb = new PersistentFBPublic(array(
'appId' => self::APP_ID,
'secret' => self::SECRET,
'trustForwarded' => true,
));
$this->assertEquals('https', $fb->publicGetHttpProtocol());
}
/**
* @dataProvider provideEndsWith
*/
public function testEndsWith($big, $small, $result) {
$this->assertEquals(
$result,
PersistentFBPublic::publicEndsWith($big, $small)
);
}
public function provideEndsWith() {
return array(
array('', '', true),
array('', 'a', false),
array('a', '', true),
array('a', 'b', false),
array('a', 'a', true),
array('aa', 'a', true),
array('ab', 'a', false),
array('ba', 'a', true),
);
}
/**
* @dataProvider provideIsAllowedDomain
*/
public function testIsAllowedDomain($big, $small, $result) {
$this->assertEquals(
$result,
PersistentFBPublic::publicIsAllowedDomain($big, $small)
);
}
public function provideIsAllowedDomain() {
return array(
array('fbrell.com', 'fbrell.com', true),
array('foo.fbrell.com', 'fbrell.com', true),
array('foofbrell.com', 'fbrell.com', false),
array('evil.com', 'fbrell.com', false),
array('foo.fbrell.com', 'bar.fbrell.com', false),
);
}
protected function generateMD5HashOfRandomValue() {
return md5(uniqid(mt_rand(), true));
}
protected function setUp() {
parent::setUp();
}
protected function tearDown() {
$this->clearSuperGlobals();
parent::tearDown();
}
protected function clearSuperGlobals() {
unset($_SERVER['HTTPS']);
unset($_SERVER['HTTP_HOST']);
unset($_SERVER['REQUEST_URI']);
$_SESSION = array();
$_COOKIE = array();
$_REQUEST = array();
$_POST = array();
$_GET = array();
if (session_id()) {
session_destroy();
}
}
/**
* Checks that the correct args are a subset of the returned obj
* @param array $correct The correct array values
* @param array $actual The values in practice
* @param string $message to be shown on failure
*/
protected function assertIsSubset($correct, $actual, $msg='') {
foreach ($correct as $key => $value) {
$actual_value = $actual[$key];
$newMsg = (strlen($msg) ? ($msg.' ') : '').'Key: '.$key;
$this->assertEquals($value, $actual_value, $newMsg);
}
}
}
class TransientFacebook extends BaseFacebook {
protected function setPersistentData($key, $value) {}
protected function getPersistentData($key, $default = false) {
return $default;
}
protected function clearPersistentData($key) {}
protected function clearAllPersistentData() {}
}
class FBRecordURL extends TransientFacebook {
private $url;
protected function _oauthRequest($url, $params) {
$this->url = $url;
}
public function getRequestedURL() {
return $this->url;
}
}
class FBRecordMakeRequest extends TransientFacebook {
private $requests = array();
protected function makeRequest($url, $params, $ch=null) {
$this->requests[] = array(
'url' => $url,
'params' => $params,
);
return parent::makeRequest($url, $params, $ch);
}
public function publicGetRequests() {
return $this->requests;
}
}
class FBPublic extends TransientFacebook {
public static function publicBase64UrlDecode($input) {
return self::base64UrlDecode($input);
}
public function publicParseSignedRequest($input) {
return $this->parseSignedRequest($input);
}
public function publicMakeSignedRequest($data) {
return $this->makeSignedRequest($data);
}
}
class PersistentFBPublic extends Facebook {
public function publicParseSignedRequest($input) {
return $this->parseSignedRequest($input);
}
public function publicSetPersistentData($key, $value) {
$this->setPersistentData($key, $value);
}
public function publicGetPersistentData($key, $default = false) {
return $this->getPersistentData($key, $default);
}
public function publicClearPersistentData($key) {
return $this->clearPersistentData($key);
}
public function publicClearAllPersistentData() {
return $this->clearAllPersistentData();
}
public function publicGetSharedSessionID() {
return $this->sharedSessionID;
}
public static function publicIsAllowedDomain($big, $small) {
return self::isAllowedDomain($big, $small);
}
public static function publicEndsWith($big, $small) {
return self::endsWith($big, $small);
}
public function publicGetSharedSessionCookieName() {
return $this->getSharedSessionCookieName();
}
public function publicGetHttpHost() {
return $this->getHttpHost();
}
public function publicGetHttpProtocol() {
return $this->getHttpProtocol();
}
}
class FBCode extends Facebook {
public function publicGetCode() {
return $this->getCode();
}
public function setCSRFStateToken() {
$this->establishCSRFTokenState();
}
public function getCSRFStateToken() {
return $this->getPersistentData('state');
}
}
class FBAccessToken extends TransientFacebook {
public function publicGetApplicationAccessToken() {
return $this->getApplicationAccessToken();
}
}
class FBGetCurrentURLFacebook extends TransientFacebook {
public function publicGetCurrentUrl() {
return $this->getCurrentUrl();
}
}
class FBPublicCookie extends TransientFacebook {
public function publicGetSignedRequest() {
return $this->getSignedRequest();
}
public function publicGetSignedRequestCookieName() {
return $this->getSignedRequestCookieName();
}
public function publicGetMetadataCookie() {
return $this->getMetadataCookie();
}
public function publicGetMetadataCookieName() {
return $this->getMetadataCookieName();
}
}
class FBPublicGetAccessTokenFromCode extends TransientFacebook {
public function publicGetAccessTokenFromCode($code, $redirect_uri = null) {
return $this->getAccessTokenFromCode($code, $redirect_uri);
}
}
class FBPublicState extends TransientFacebook {
const STATE = 'foo';
protected function getPersistentData($key, $default = false) {
if ($key === 'state') {
return self::STATE;
}
return parent::getPersistentData($key, $default);
}
public function publicGetState() {
return $this->state;
}
}
PK l?Vx} } tests/bootstrap.phpnu W+A ( ( changelog.mdnu W+A Facebook PHP SDK (v.3.0.0)
==========================
The new PHP SDK (v3.0.0) is a major upgrade to the older one (v2.2.x):
- Uses OAuth authentication flows instead of our legacy authentication flow
- Consists of two classes. The first (class BaseFacebook) maintains the core of the upgrade, and the second one (class Facebook) is a small subclass that uses PHP sessions to store the user id and access token.
If you’re currently using the PHP SDK (v2.2.x) for authentication, you will recall that the login code looked like this:
$facebook = new Facebook(…);
$session = $facebook->getSession();
if ($session) {
// proceed knowing you have a valid user session
} else {
// proceed knowing you require user login and/or authentication
}
The login code is now:
$facebook = new Facebook(…);
$user = $facebook->getUser();
if ($user) {
// proceed knowing you have a logged in user who's authenticated
} else {
// proceed knowing you require user login and/or authentication
}
PK l?Vrk)a a src/facebook.phpnu W+A initSharedSession();
}
}
protected static $kSupportedKeys =
array('state', 'code', 'access_token', 'user_id');
protected function initSharedSession() {
$cookie_name = $this->getSharedSessionCookieName();
if (isset($_COOKIE[$cookie_name])) {
$data = $this->parseSignedRequest($_COOKIE[$cookie_name]);
if ($data && !empty($data['domain']) &&
self::isAllowedDomain($this->getHttpHost(), $data['domain'])) {
// good case
$this->sharedSessionID = $data['id'];
return;
}
// ignoring potentially unreachable data
}
// evil/corrupt/missing case
$base_domain = $this->getBaseDomain();
$this->sharedSessionID = md5(uniqid(mt_rand(), true));
$cookie_value = $this->makeSignedRequest(
array(
'domain' => $base_domain,
'id' => $this->sharedSessionID,
)
);
$_COOKIE[$cookie_name] = $cookie_value;
if (!headers_sent()) {
$expire = time() + self::FBSS_COOKIE_EXPIRE;
setcookie($cookie_name, $cookie_value, $expire, '/', '.'.$base_domain);
} else {
// @codeCoverageIgnoreStart
self::errorLog(
'Shared session ID cookie could not be set! You must ensure you '.
'create the Facebook instance before headers have been sent. This '.
'will cause authentication issues after the first request.'
);
// @codeCoverageIgnoreEnd
}
}
/**
* Provides the implementations of the inherited abstract
* methods. The implementation uses PHP sessions to maintain
* a store for authorization codes, user ids, CSRF states, and
* access tokens.
*/
protected function setPersistentData($key, $value) {
if (!in_array($key, self::$kSupportedKeys)) {
self::errorLog('Unsupported key passed to setPersistentData.');
return;
}
$session_var_name = $this->constructSessionVariableName($key);
$_SESSION[$session_var_name] = $value;
}
protected function getPersistentData($key, $default = false) {
if (!in_array($key, self::$kSupportedKeys)) {
self::errorLog('Unsupported key passed to getPersistentData.');
return $default;
}
$session_var_name = $this->constructSessionVariableName($key);
return isset($_SESSION[$session_var_name]) ?
$_SESSION[$session_var_name] : $default;
}
protected function clearPersistentData($key) {
if (!in_array($key, self::$kSupportedKeys)) {
self::errorLog('Unsupported key passed to clearPersistentData.');
return;
}
$session_var_name = $this->constructSessionVariableName($key);
unset($_SESSION[$session_var_name]);
}
protected function clearAllPersistentData() {
foreach (self::$kSupportedKeys as $key) {
$this->clearPersistentData($key);
}
if ($this->sharedSessionID) {
$this->deleteSharedSessionCookie();
}
}
protected function deleteSharedSessionCookie() {
$cookie_name = $this->getSharedSessionCookieName();
unset($_COOKIE[$cookie_name]);
$base_domain = $this->getBaseDomain();
setcookie($cookie_name, '', 1, '/', '.'.$base_domain);
}
protected function getSharedSessionCookieName() {
return self::FBSS_COOKIE_NAME . '_' . $this->getAppId();
}
protected function constructSessionVariableName($key) {
$parts = array('fb', $this->getAppId(), $key);
if ($this->sharedSessionID) {
array_unshift($parts, $this->sharedSessionID);
}
return implode('_', $parts);
}
}
PK l?V.^! ! src/base_facebook.phpnu W+A
*/
class FacebookApiException extends Exception
{
/**
* The result from the API server that represents the exception information.
*/
protected $result;
/**
* Make a new API Exception with the given result.
*
* @param array $result The result from the API server
*/
public function __construct($result) {
$this->result = $result;
$code = isset($result['error_code']) ? $result['error_code'] : 0;
if (isset($result['error_description'])) {
// OAuth 2.0 Draft 10 style
$msg = $result['error_description'];
} else if (isset($result['error']) && is_array($result['error'])) {
// OAuth 2.0 Draft 00 style
$msg = $result['error']['message'];
} else if (isset($result['error_msg'])) {
// Rest server style
$msg = $result['error_msg'];
} else {
$msg = 'Unknown Error. Check getResult()';
}
parent::__construct($msg, $code);
}
/**
* Return the associated result object returned by the API server.
*
* @return array The result from the API server
*/
public function getResult() {
return $this->result;
}
/**
* Returns the associated type for the error. This will default to
* 'Exception' when a type is not available.
*
* @return string
*/
public function getType() {
if (isset($this->result['error'])) {
$error = $this->result['error'];
if (is_string($error)) {
// OAuth 2.0 Draft 10 style
return $error;
} else if (is_array($error)) {
// OAuth 2.0 Draft 00 style
if (isset($error['type'])) {
return $error['type'];
}
}
}
return 'Exception';
}
/**
* To make debugging easier.
*
* @return string The string representation of the error
*/
public function __toString() {
$str = $this->getType() . ': ';
if ($this->code != 0) {
$str .= $this->code . ': ';
}
return $str . $this->message;
}
}
/**
* Provides access to the Facebook Platform. This class provides
* a majority of the functionality needed, but the class is abstract
* because it is designed to be sub-classed. The subclass must
* implement the four abstract methods listed at the bottom of
* the file.
*
* @author Naitik Shah
*/
abstract class BaseFacebook
{
/**
* Version.
*/
const VERSION = '3.2.0';
/**
* Signed Request Algorithm.
*/
const SIGNED_REQUEST_ALGORITHM = 'HMAC-SHA256';
/**
* Default options for curl.
*/
public static $CURL_OPTS = array(
CURLOPT_CONNECTTIMEOUT => 10,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_TIMEOUT => 60,
CURLOPT_USERAGENT => 'facebook-php-3.2',
);
/**
* List of query parameters that get automatically dropped when rebuilding
* the current URL.
*/
protected static $DROP_QUERY_PARAMS = array(
'code',
'state',
'signed_request',
);
/**
* Maps aliases to Facebook domains.
*/
public static $DOMAIN_MAP = array(
'api' => 'https://api.facebook.com/',
'api_video' => 'https://api-video.facebook.com/',
'api_read' => 'https://api-read.facebook.com/',
'graph' => 'https://graph.facebook.com/',
'graph_video' => 'https://graph-video.facebook.com/',
'www' => 'https://www.facebook.com/',
);
/**
* The Application ID.
*
* @var string
*/
protected $appId;
/**
* The Application App Secret.
*
* @var string
*/
protected $appSecret;
/**
* The ID of the Facebook user, or 0 if the user is logged out.
*
* @var integer
*/
protected $user;
/**
* The data from the signed_request token.
*/
protected $signedRequest;
/**
* A CSRF state variable to assist in the defense against CSRF attacks.
*/
protected $state;
/**
* The OAuth access token received in exchange for a valid authorization
* code. null means the access token has yet to be determined.
*
* @var string
*/
protected $accessToken = null;
/**
* Indicates if the CURL based @ syntax for file uploads is enabled.
*
* @var boolean
*/
protected $fileUploadSupport = false;
/**
* Indicates if we trust HTTP_X_FORWARDED_* headers.
*
* @var boolean
*/
protected $trustForwarded = false;
/**
* Initialize a Facebook Application.
*
* The configuration:
* - appId: the application ID
* - secret: the application secret
* - fileUpload: (optional) boolean indicating if file uploads are enabled
*
* @param array $config The application configuration
*/
public function __construct($config) {
$this->setAppId($config['appId']);
$this->setAppSecret($config['secret']);
if (isset($config['fileUpload'])) {
$this->setFileUploadSupport($config['fileUpload']);
}
if (isset($config['trustForwarded']) && $config['trustForwarded']) {
$this->trustForwarded = true;
}
$state = $this->getPersistentData('state');
if (!empty($state)) {
$this->state = $state;
}
}
/**
* Set the Application ID.
*
* @param string $appId The Application ID
* @return BaseFacebook
*/
public function setAppId($appId) {
$this->appId = $appId;
return $this;
}
/**
* Get the Application ID.
*
* @return string the Application ID
*/
public function getAppId() {
return $this->appId;
}
/**
* Set the App Secret.
*
* @param string $apiSecret The App Secret
* @return BaseFacebook
* @deprecated
*/
public function setApiSecret($apiSecret) {
$this->setAppSecret($apiSecret);
return $this;
}
/**
* Set the App Secret.
*
* @param string $appSecret The App Secret
* @return BaseFacebook
*/
public function setAppSecret($appSecret) {
$this->appSecret = $appSecret;
return $this;
}
/**
* Get the App Secret.
*
* @return string the App Secret
* @deprecated
*/
public function getApiSecret() {
return $this->getAppSecret();
}
/**
* Get the App Secret.
*
* @return string the App Secret
*/
public function getAppSecret() {
return $this->appSecret;
}
/**
* Set the file upload support status.
*
* @param boolean $fileUploadSupport The file upload support status.
* @return BaseFacebook
*/
public function setFileUploadSupport($fileUploadSupport) {
$this->fileUploadSupport = $fileUploadSupport;
return $this;
}
/**
* Get the file upload support status.
*
* @return boolean true if and only if the server supports file upload.
*/
public function getFileUploadSupport() {
return $this->fileUploadSupport;
}
/**
* DEPRECATED! Please use getFileUploadSupport instead.
*
* Get the file upload support status.
*
* @return boolean true if and only if the server supports file upload.
*/
public function useFileUploadSupport() {
return $this->getFileUploadSupport();
}
/**
* Sets the access token for api calls. Use this if you get
* your access token by other means and just want the SDK
* to use it.
*
* @param string $access_token an access token.
* @return BaseFacebook
*/
public function setAccessToken($access_token) {
$this->accessToken = $access_token;
return $this;
}
/**
* Extend an access token, while removing the short-lived token that might
* have been generated via client-side flow. Thanks to http://bit.ly/b0Pt0H
* for the workaround.
*/
public function setExtendedAccessToken() {
try {
// need to circumvent json_decode by calling _oauthRequest
// directly, since response isn't JSON format.
$access_token_response = $this->_oauthRequest(
$this->getUrl('graph', '/oauth/access_token'),
$params = array(
'client_id' => $this->getAppId(),
'client_secret' => $this->getAppSecret(),
'grant_type' => 'fb_exchange_token',
'fb_exchange_token' => $this->getAccessToken(),
)
);
}
catch (FacebookApiException $e) {
// most likely that user very recently revoked authorization.
// In any event, we don't have an access token, so say so.
return false;
}
if (empty($access_token_response)) {
return false;
}
$response_params = array();
parse_str($access_token_response, $response_params);
if (!isset($response_params['access_token'])) {
return false;
}
$this->destroySession();
$this->setPersistentData(
'access_token', $response_params['access_token']
);
}
/**
* Determines the access token that should be used for API calls.
* The first time this is called, $this->accessToken is set equal
* to either a valid user access token, or it's set to the application
* access token if a valid user access token wasn't available. Subsequent
* calls return whatever the first call returned.
*
* @return string The access token
*/
public function getAccessToken() {
if ($this->accessToken !== null) {
// we've done this already and cached it. Just return.
return $this->accessToken;
}
// first establish access token to be the application
// access token, in case we navigate to the /oauth/access_token
// endpoint, where SOME access token is required.
$this->setAccessToken($this->getApplicationAccessToken());
$user_access_token = $this->getUserAccessToken();
if ($user_access_token) {
$this->setAccessToken($user_access_token);
}
return $this->accessToken;
}
/**
* Determines and returns the user access token, first using
* the signed request if present, and then falling back on
* the authorization code if present. The intent is to
* return a valid user access token, or false if one is determined
* to not be available.
*
* @return string A valid user access token, or false if one
* could not be determined.
*/
protected function getUserAccessToken() {
// first, consider a signed request if it's supplied.
// if there is a signed request, then it alone determines
// the access token.
$signed_request = $this->getSignedRequest();
if ($signed_request) {
// apps.facebook.com hands the access_token in the signed_request
if (array_key_exists('oauth_token', $signed_request)) {
$access_token = $signed_request['oauth_token'];
$this->setPersistentData('access_token', $access_token);
return $access_token;
}
// the JS SDK puts a code in with the redirect_uri of ''
if (array_key_exists('code', $signed_request)) {
$code = $signed_request['code'];
$access_token = $this->getAccessTokenFromCode($code, '');
if ($access_token) {
$this->setPersistentData('code', $code);
$this->setPersistentData('access_token', $access_token);
return $access_token;
}
}
// signed request states there's no access token, so anything
// stored should be cleared.
$this->clearAllPersistentData();
return false; // respect the signed request's data, even
// if there's an authorization code or something else
}
$code = $this->getCode();
if ($code && $code != $this->getPersistentData('code')) {
$access_token = $this->getAccessTokenFromCode($code);
if ($access_token) {
$this->setPersistentData('code', $code);
$this->setPersistentData('access_token', $access_token);
return $access_token;
}
// code was bogus, so everything based on it should be invalidated.
$this->clearAllPersistentData();
return false;
}
// as a fallback, just return whatever is in the persistent
// store, knowing nothing explicit (signed request, authorization
// code, etc.) was present to shadow it (or we saw a code in $_REQUEST,
// but it's the same as what's in the persistent store)
return $this->getPersistentData('access_token');
}
/**
* Retrieve the signed request, either from a request parameter or,
* if not present, from a cookie.
*
* @return string the signed request, if available, or null otherwise.
*/
public function getSignedRequest() {
if (!$this->signedRequest) {
if (isset($_REQUEST['signed_request'])) {
$this->signedRequest = $this->parseSignedRequest(
$_REQUEST['signed_request']);
} else if (isset($_COOKIE[$this->getSignedRequestCookieName()])) {
$this->signedRequest = $this->parseSignedRequest(
$_COOKIE[$this->getSignedRequestCookieName()]);
}
}
return $this->signedRequest;
}
/**
* Get the UID of the connected user, or 0
* if the Facebook user is not connected.
*
* @return string the UID if available.
*/
public function getUser() {
if ($this->user !== null) {
// we've already determined this and cached the value.
return $this->user;
}
return $this->user = $this->getUserFromAvailableData();
}
/**
* Determines the connected user by first examining any signed
* requests, then considering an authorization code, and then
* falling back to any persistent store storing the user.
*
* @return integer The id of the connected Facebook user,
* or 0 if no such user exists.
*/
protected function getUserFromAvailableData() {
// if a signed request is supplied, then it solely determines
// who the user is.
$signed_request = $this->getSignedRequest();
if ($signed_request) {
if (array_key_exists('user_id', $signed_request)) {
$user = $signed_request['user_id'];
$this->setPersistentData('user_id', $signed_request['user_id']);
return $user;
}
// if the signed request didn't present a user id, then invalidate
// all entries in any persistent store.
$this->clearAllPersistentData();
return 0;
}
$user = $this->getPersistentData('user_id', $default = 0);
$persisted_access_token = $this->getPersistentData('access_token');
// use access_token to fetch user id if we have a user access_token, or if
// the cached access token has changed.
$access_token = $this->getAccessToken();
if ($access_token &&
$access_token != $this->getApplicationAccessToken() &&
!($user && $persisted_access_token == $access_token)) {
$user = $this->getUserFromAccessToken();
if ($user) {
$this->setPersistentData('user_id', $user);
} else {
$this->clearAllPersistentData();
}
}
return $user;
}
/**
* Get a Login URL for use with redirects. By default, full page redirect is
* assumed. If you are using the generated URL with a window.open() call in
* JavaScript, you can pass in display=popup as part of the $params.
*
* The parameters:
* - redirect_uri: the url to go to after a successful login
* - scope: comma separated list of requested extended perms
*
* @param array $params Provide custom parameters
* @return string The URL for the login flow
*/
public function getLoginUrl($params=array()) {
$this->establishCSRFTokenState();
$currentUrl = $this->getCurrentUrl();
// if 'scope' is passed as an array, convert to comma separated list
$scopeParams = isset($params['scope']) ? $params['scope'] : null;
if ($scopeParams && is_array($scopeParams)) {
$params['scope'] = implode(',', $scopeParams);
}
return $this->getUrl(
'www',
'dialog/oauth',
array_merge(array(
'client_id' => $this->getAppId(),
'redirect_uri' => $currentUrl, // possibly overwritten
'state' => $this->state),
$params));
}
/**
* Get a Logout URL suitable for use with redirects.
*
* The parameters:
* - next: the url to go to after a successful logout
*
* @param array $params Provide custom parameters
* @return string The URL for the logout flow
*/
public function getLogoutUrl($params=array()) {
return $this->getUrl(
'www',
'logout.php',
array_merge(array(
'next' => $this->getCurrentUrl(),
'access_token' => $this->getUserAccessToken(),
), $params)
);
}
/**
* Get a login status URL to fetch the status from Facebook.
*
* The parameters:
* - ok_session: the URL to go to if a session is found
* - no_session: the URL to go to if the user is not connected
* - no_user: the URL to go to if the user is not signed into facebook
*
* @param array $params Provide custom parameters
* @return string The URL for the logout flow
*/
public function getLoginStatusUrl($params=array()) {
return $this->getUrl(
'www',
'extern/login_status.php',
array_merge(array(
'api_key' => $this->getAppId(),
'no_session' => $this->getCurrentUrl(),
'no_user' => $this->getCurrentUrl(),
'ok_session' => $this->getCurrentUrl(),
'session_version' => 3,
), $params)
);
}
/**
* Make an API call.
*
* @return mixed The decoded response
*/
public function api(/* polymorphic */) {
$args = func_get_args();
if (is_array($args[0])) {
return $this->_restserver($args[0]);
} else {
return call_user_func_array(array($this, '_graph'), $args);
}
}
/**
* Constructs and returns the name of the cookie that
* potentially houses the signed request for the app user.
* The cookie is not set by the BaseFacebook class, but
* it may be set by the JavaScript SDK.
*
* @return string the name of the cookie that would house
* the signed request value.
*/
protected function getSignedRequestCookieName() {
return 'fbsr_'.$this->getAppId();
}
/**
* Constructs and returns the name of the coookie that potentially contain
* metadata. The cookie is not set by the BaseFacebook class, but it may be
* set by the JavaScript SDK.
*
* @return string the name of the cookie that would house metadata.
*/
protected function getMetadataCookieName() {
return 'fbm_'.$this->getAppId();
}
/**
* Get the authorization code from the query parameters, if it exists,
* and otherwise return false to signal no authorization code was
* discoverable.
*
* @return mixed The authorization code, or false if the authorization
* code could not be determined.
*/
protected function getCode() {
if (isset($_REQUEST['code'])) {
if ($this->state !== null &&
isset($_REQUEST['state']) &&
$this->state === $_REQUEST['state']) {
// CSRF state has done its job, so clear it
$this->state = null;
$this->clearPersistentData('state');
return $_REQUEST['code'];
} else {
self::errorLog('CSRF state token does not match one provided.');
return false;
}
}
return false;
}
/**
* Retrieves the UID with the understanding that
* $this->accessToken has already been set and is
* seemingly legitimate. It relies on Facebook's Graph API
* to retrieve user information and then extract
* the user ID.
*
* @return integer Returns the UID of the Facebook user, or 0
* if the Facebook user could not be determined.
*/
protected function getUserFromAccessToken() {
try {
$user_info = $this->api('/me');
return $user_info['id'];
} catch (FacebookApiException $e) {
return 0;
}
}
/**
* Returns the access token that should be used for logged out
* users when no authorization code is available.
*
* @return string The application access token, useful for gathering
* public information about users and applications.
*/
protected function getApplicationAccessToken() {
return $this->appId.'|'.$this->appSecret;
}
/**
* Lays down a CSRF state token for this process.
*
* @return void
*/
protected function establishCSRFTokenState() {
if ($this->state === null) {
$this->state = md5(uniqid(mt_rand(), true));
$this->setPersistentData('state', $this->state);
}
}
/**
* Retrieves an access token for the given authorization code
* (previously generated from www.facebook.com on behalf of
* a specific user). The authorization code is sent to graph.facebook.com
* and a legitimate access token is generated provided the access token
* and the user for which it was generated all match, and the user is
* either logged in to Facebook or has granted an offline access permission.
*
* @param string $code An authorization code.
* @return mixed An access token exchanged for the authorization code, or
* false if an access token could not be generated.
*/
protected function getAccessTokenFromCode($code, $redirect_uri = null) {
if (empty($code)) {
return false;
}
if ($redirect_uri === null) {
$redirect_uri = $this->getCurrentUrl();
}
try {
// need to circumvent json_decode by calling _oauthRequest
// directly, since response isn't JSON format.
$access_token_response =
$this->_oauthRequest(
$this->getUrl('graph', '/oauth/access_token'),
$params = array('client_id' => $this->getAppId(),
'client_secret' => $this->getAppSecret(),
'redirect_uri' => $redirect_uri,
'code' => $code));
} catch (FacebookApiException $e) {
// most likely that user very recently revoked authorization.
// In any event, we don't have an access token, so say so.
return false;
}
if (empty($access_token_response)) {
return false;
}
$response_params = array();
parse_str($access_token_response, $response_params);
if (!isset($response_params['access_token'])) {
return false;
}
return $response_params['access_token'];
}
/**
* Invoke the old restserver.php endpoint.
*
* @param array $params Method call object
*
* @return mixed The decoded response object
* @throws FacebookApiException
*/
protected function _restserver($params) {
// generic application level parameters
$params['api_key'] = $this->getAppId();
$params['format'] = 'json-strings';
$result = json_decode($this->_oauthRequest(
$this->getApiUrl($params['method']),
$params
), true);
// results are returned, errors are thrown
if (is_array($result) && isset($result['error_code'])) {
$this->throwAPIException($result);
// @codeCoverageIgnoreStart
}
// @codeCoverageIgnoreEnd
$method = strtolower($params['method']);
if ($method === 'auth.expiresession' ||
$method === 'auth.revokeauthorization') {
$this->destroySession();
}
return $result;
}
/**
* Return true if this is video post.
*
* @param string $path The path
* @param string $method The http method (default 'GET')
*
* @return boolean true if this is video post
*/
protected function isVideoPost($path, $method = 'GET') {
if ($method == 'POST' && preg_match("/^(\/)(.+)(\/)(videos)$/", $path)) {
return true;
}
return false;
}
/**
* Invoke the Graph API.
*
* @param string $path The path (required)
* @param string $method The http method (default 'GET')
* @param array $params The query/post data
*
* @return mixed The decoded response object
* @throws FacebookApiException
*/
protected function _graph($path, $method = 'GET', $params = array()) {
if (is_array($method) && empty($params)) {
$params = $method;
$method = 'GET';
}
$params['method'] = $method; // method override as we always do a POST
if ($this->isVideoPost($path, $method)) {
$domainKey = 'graph_video';
} else {
$domainKey = 'graph';
}
$result = json_decode($this->_oauthRequest(
$this->getUrl($domainKey, $path),
$params
), true);
// results are returned, errors are thrown
if (is_array($result) && isset($result['error'])) {
$this->throwAPIException($result);
// @codeCoverageIgnoreStart
}
// @codeCoverageIgnoreEnd
return $result;
}
/**
* Make a OAuth Request.
*
* @param string $url The path (required)
* @param array $params The query/post data
*
* @return string The decoded response object
* @throws FacebookApiException
*/
protected function _oauthRequest($url, $params) {
if (!isset($params['access_token'])) {
$params['access_token'] = $this->getAccessToken();
}
// json_encode all params values that are not strings
foreach ($params as $key => $value) {
if (!is_string($value)) {
$params[$key] = json_encode($value);
}
}
return $this->makeRequest($url, $params);
}
/**
* Makes an HTTP request. This method can be overridden by subclasses if
* developers want to do fancier things or use something other than curl to
* make the request.
*
* @param string $url The URL to make the request to
* @param array $params The parameters to use for the POST body
* @param CurlHandler $ch Initialized curl handle
*
* @return string The response text
*/
protected function makeRequest($url, $params, $ch=null) {
if (!$ch) {
$ch = curl_init();
}
$opts = self::$CURL_OPTS;
if ($this->getFileUploadSupport()) {
$opts[CURLOPT_POSTFIELDS] = $params;
} else {
$opts[CURLOPT_POSTFIELDS] = http_build_query($params, null, '&');
}
$opts[CURLOPT_URL] = $url;
// disable the 'Expect: 100-continue' behaviour. This causes CURL to wait
// for 2 seconds if the server does not support this header.
if (isset($opts[CURLOPT_HTTPHEADER])) {
$existing_headers = $opts[CURLOPT_HTTPHEADER];
$existing_headers[] = 'Expect:';
$opts[CURLOPT_HTTPHEADER] = $existing_headers;
} else {
$opts[CURLOPT_HTTPHEADER] = array('Expect:');
}
curl_setopt_array($ch, $opts);
$result = curl_exec($ch);
if (curl_errno($ch) == 60) { // CURLE_SSL_CACERT
self::errorLog('Invalid or no certificate authority found, '.
'using bundled information');
curl_setopt($ch, CURLOPT_CAINFO,
dirname(__FILE__) . '/fb_ca_chain_bundle.crt');
$result = curl_exec($ch);
}
// With dual stacked DNS responses, it's possible for a server to
// have IPv6 enabled but not have IPv6 connectivity. If this is
// the case, curl will try IPv4 first and if that fails, then it will
// fall back to IPv6 and the error EHOSTUNREACH is returned by the
// operating system.
if ($result === false && empty($opts[CURLOPT_IPRESOLVE])) {
$matches = array();
$regex = '/Failed to connect to ([^:].*): Network is unreachable/';
if (preg_match($regex, curl_error($ch), $matches)) {
if (strlen(@inet_pton($matches[1])) === 16) {
self::errorLog('Invalid IPv6 configuration on server, '.
'Please disable or get native IPv6 on your server.');
self::$CURL_OPTS[CURLOPT_IPRESOLVE] = CURL_IPRESOLVE_V4;
curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
$result = curl_exec($ch);
}
}
}
if ($result === false) {
$e = new FacebookApiException(array(
'error_code' => curl_errno($ch),
'error' => array(
'message' => curl_error($ch),
'type' => 'CurlException',
),
));
curl_close($ch);
throw $e;
}
curl_close($ch);
return $result;
}
/**
* Parses a signed_request and validates the signature.
*
* @param string $signed_request A signed token
* @return array The payload inside it or null if the sig is wrong
*/
protected function parseSignedRequest($signed_request) {
list($encoded_sig, $payload) = explode('.', $signed_request, 2);
// decode the data
$sig = self::base64UrlDecode($encoded_sig);
$data = json_decode(self::base64UrlDecode($payload), true);
if (strtoupper($data['algorithm']) !== self::SIGNED_REQUEST_ALGORITHM) {
self::errorLog(
'Unknown algorithm. Expected ' . self::SIGNED_REQUEST_ALGORITHM);
return null;
}
// check sig
$expected_sig = hash_hmac('sha256', $payload,
$this->getAppSecret(), $raw = true);
if ($sig !== $expected_sig) {
self::errorLog('Bad Signed JSON signature!');
return null;
}
return $data;
}
/**
* Makes a signed_request blob using the given data.
*
* @param array The data array.
* @return string The signed request.
*/
protected function makeSignedRequest($data) {
if (!is_array($data)) {
throw new InvalidArgumentException(
'makeSignedRequest expects an array. Got: ' . print_r($data, true));
}
$data['algorithm'] = self::SIGNED_REQUEST_ALGORITHM;
$data['issued_at'] = time();
$json = json_encode($data);
$b64 = self::base64UrlEncode($json);
$raw_sig = hash_hmac('sha256', $b64, $this->getAppSecret(), $raw = true);
$sig = self::base64UrlEncode($raw_sig);
return $sig.'.'.$b64;
}
/**
* Build the URL for api given parameters.
*
* @param $method String the method name.
* @return string The URL for the given parameters
*/
protected function getApiUrl($method) {
static $READ_ONLY_CALLS =
array('admin.getallocation' => 1,
'admin.getappproperties' => 1,
'admin.getbannedusers' => 1,
'admin.getlivestreamvialink' => 1,
'admin.getmetrics' => 1,
'admin.getrestrictioninfo' => 1,
'application.getpublicinfo' => 1,
'auth.getapppublickey' => 1,
'auth.getsession' => 1,
'auth.getsignedpublicsessiondata' => 1,
'comments.get' => 1,
'connect.getunconnectedfriendscount' => 1,
'dashboard.getactivity' => 1,
'dashboard.getcount' => 1,
'dashboard.getglobalnews' => 1,
'dashboard.getnews' => 1,
'dashboard.multigetcount' => 1,
'dashboard.multigetnews' => 1,
'data.getcookies' => 1,
'events.get' => 1,
'events.getmembers' => 1,
'fbml.getcustomtags' => 1,
'feed.getappfriendstories' => 1,
'feed.getregisteredtemplatebundlebyid' => 1,
'feed.getregisteredtemplatebundles' => 1,
'fql.multiquery' => 1,
'fql.query' => 1,
'friends.arefriends' => 1,
'friends.get' => 1,
'friends.getappusers' => 1,
'friends.getlists' => 1,
'friends.getmutualfriends' => 1,
'gifts.get' => 1,
'groups.get' => 1,
'groups.getmembers' => 1,
'intl.gettranslations' => 1,
'links.get' => 1,
'notes.get' => 1,
'notifications.get' => 1,
'pages.getinfo' => 1,
'pages.isadmin' => 1,
'pages.isappadded' => 1,
'pages.isfan' => 1,
'permissions.checkavailableapiaccess' => 1,
'permissions.checkgrantedapiaccess' => 1,
'photos.get' => 1,
'photos.getalbums' => 1,
'photos.gettags' => 1,
'profile.getinfo' => 1,
'profile.getinfooptions' => 1,
'stream.get' => 1,
'stream.getcomments' => 1,
'stream.getfilters' => 1,
'users.getinfo' => 1,
'users.getloggedinuser' => 1,
'users.getstandardinfo' => 1,
'users.hasapppermission' => 1,
'users.isappuser' => 1,
'users.isverified' => 1,
'video.getuploadlimits' => 1);
$name = 'api';
if (isset($READ_ONLY_CALLS[strtolower($method)])) {
$name = 'api_read';
} else if (strtolower($method) == 'video.upload') {
$name = 'api_video';
}
return self::getUrl($name, 'restserver.php');
}
/**
* Build the URL for given domain alias, path and parameters.
*
* @param $name string The name of the domain
* @param $path string Optional path (without a leading slash)
* @param $params array Optional query parameters
*
* @return string The URL for the given parameters
*/
protected function getUrl($name, $path='', $params=array()) {
$url = self::$DOMAIN_MAP[$name];
if ($path) {
if ($path[0] === '/') {
$path = substr($path, 1);
}
$url .= $path;
}
if ($params) {
$url .= '?' . http_build_query($params, null, '&');
}
return $url;
}
protected function getHttpHost() {
if ($this->trustForwarded && isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {
return $_SERVER['HTTP_X_FORWARDED_HOST'];
}
return $_SERVER['HTTP_HOST'];
}
protected function getHttpProtocol() {
if ($this->trustForwarded && isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
if ($_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
return 'https';
}
return 'http';
}
if (isset($_SERVER['HTTPS']) &&
($_SERVER['HTTPS'] === 'on' || $_SERVER['HTTPS'] == 1)) {
return 'https';
}
return 'http';
}
/**
* Get the base domain used for the cookie.
*/
protected function getBaseDomain() {
// The base domain is stored in the metadata cookie if not we fallback
// to the current hostname
$metadata = $this->getMetadataCookie();
if (array_key_exists('base_domain', $metadata) &&
!empty($metadata['base_domain'])) {
return trim($metadata['base_domain'], '.');
}
return $this->getHttpHost();
}
/**
/**
* Returns the Current URL, stripping it of known FB parameters that should
* not persist.
*
* @return string The current URL
*/
protected function getCurrentUrl() {
$protocol = $this->getHttpProtocol() . '://';
$host = $this->getHttpHost();
$currentUrl = $protocol.$host.$_SERVER['REQUEST_URI'];
$parts = parse_url($currentUrl);
$query = '';
if (!empty($parts['query'])) {
// drop known fb params
$params = explode('&', $parts['query']);
$retained_params = array();
foreach ($params as $param) {
if ($this->shouldRetainParam($param)) {
$retained_params[] = $param;
}
}
if (!empty($retained_params)) {
$query = '?'.implode($retained_params, '&');
}
}
// use port if non default
$port =
isset($parts['port']) &&
(($protocol === 'http://' && $parts['port'] !== 80) ||
($protocol === 'https://' && $parts['port'] !== 443))
? ':' . $parts['port'] : '';
// rebuild
return $protocol . $parts['host'] . $port . $parts['path'] . $query;
}
/**
* Returns true if and only if the key or key/value pair should
* be retained as part of the query string. This amounts to
* a brute-force search of the very small list of Facebook-specific
* params that should be stripped out.
*
* @param string $param A key or key/value pair within a URL's query (e.g.
* 'foo=a', 'foo=', or 'foo'.
*
* @return boolean
*/
protected function shouldRetainParam($param) {
foreach (self::$DROP_QUERY_PARAMS as $drop_query_param) {
if (strpos($param, $drop_query_param.'=') === 0) {
return false;
}
}
return true;
}
/**
* Analyzes the supplied result to see if it was thrown
* because the access token is no longer valid. If that is
* the case, then we destroy the session.
*
* @param $result array A record storing the error message returned
* by a failed API call.
*/
protected function throwAPIException($result) {
$e = new FacebookApiException($result);
switch ($e->getType()) {
// OAuth 2.0 Draft 00 style
case 'OAuthException':
// OAuth 2.0 Draft 10 style
case 'invalid_token':
// REST server errors are just Exceptions
case 'Exception':
$message = $e->getMessage();
if ((strpos($message, 'Error validating access token') !== false) ||
(strpos($message, 'Invalid OAuth access token') !== false) ||
(strpos($message, 'An active access token must be used') !== false)
) {
$this->destroySession();
}
break;
}
throw $e;
}
/**
* Prints to the error log if you aren't in command line mode.
*
* @param string $msg Log message
*/
protected static function errorLog($msg) {
// disable error log if we are running in a CLI environment
// @codeCoverageIgnoreStart
if (php_sapi_name() != 'cli') {
error_log($msg);
}
// uncomment this if you want to see the errors on the page
// print 'error_log: '.$msg."\n";
// @codeCoverageIgnoreEnd
}
/**
* Base64 encoding that doesn't need to be urlencode()ed.
* Exactly the same as base64_encode except it uses
* - instead of +
* _ instead of /
* No padded =
*
* @param string $input base64UrlEncoded string
* @return string
*/
protected static function base64UrlDecode($input) {
return base64_decode(strtr($input, '-_', '+/'));
}
/**
* Base64 encoding that doesn't need to be urlencode()ed.
* Exactly the same as base64_encode except it uses
* - instead of +
* _ instead of /
*
* @param string $input string
* @return string base64Url encoded string
*/
protected static function base64UrlEncode($input) {
$str = strtr(base64_encode($input), '+/', '-_');
$str = str_replace('=', '', $str);
return $str;
}
/**
* Destroy the current session
*/
public function destroySession() {
$this->accessToken = null;
$this->signedRequest = null;
$this->user = null;
$this->clearAllPersistentData();
// Javascript sets a cookie that will be used in getSignedRequest that we
// need to clear if we can
$cookie_name = $this->getSignedRequestCookieName();
if (array_key_exists($cookie_name, $_COOKIE)) {
unset($_COOKIE[$cookie_name]);
if (!headers_sent()) {
$base_domain = $this->getBaseDomain();
setcookie($cookie_name, '', 1, '/', '.'.$base_domain);
} else {
// @codeCoverageIgnoreStart
self::errorLog(
'There exists a cookie that we wanted to clear that we couldn\'t '.
'clear because headers was already sent. Make sure to do the first '.
'API call before outputing anything.'
);
// @codeCoverageIgnoreEnd
}
}
}
/**
* Parses the metadata cookie that our Javascript API set
*
* @return an array mapping key to value
*/
protected function getMetadataCookie() {
$cookie_name = $this->getMetadataCookieName();
if (!array_key_exists($cookie_name, $_COOKIE)) {
return array();
}
// The cookie value can be wrapped in "-characters so remove them
$cookie_value = trim($_COOKIE[$cookie_name], '"');
if (empty($cookie_value)) {
return array();
}
$parts = explode('&', $cookie_value);
$metadata = array();
foreach ($parts as $part) {
$pair = explode('=', $part, 2);
if (!empty($pair[0])) {
$metadata[urldecode($pair[0])] =
(count($pair) > 1) ? urldecode($pair[1]) : '';
}
}
return $metadata;
}
protected static function isAllowedDomain($big, $small) {
if ($big === $small) {
return true;
}
return self::endsWith($big, '.'.$small);
}
protected static function endsWith($big, $small) {
$len = strlen($small);
if ($len === 0) {
return true;
}
return substr($big, -$len) === $small;
}
/**
* Each of the following four methods should be overridden in
* a concrete subclass, as they are in the provided Facebook class.
* The Facebook class uses PHP sessions to provide a primitive
* persistent store, but another subclass--one that you implement--
* might use a database, memcache, or an in-memory cache.
*
* @see Facebook
*/
/**
* Stores the given ($key, $value) pair, so that future calls to
* getPersistentData($key) return $value. This call may be in another request.
*
* @param string $key
* @param array $value
*
* @return void
*/
abstract protected function setPersistentData($key, $value);
/**
* Get the data for $key, persisted by BaseFacebook::setPersistentData()
*
* @param string $key The key of the data to retrieve
* @param boolean $default The default value to return if $key is not found
*
* @return mixed
*/
abstract protected function getPersistentData($key, $default = false);
/**
* Clear the data with $key from the persistent storage
*
* @param string $key
* @return void
*/
abstract protected function clearPersistentData($key);
/**
* Clear all data from the persistent storage
*
* @return void
*/
abstract protected function clearAllPersistentData();
}
PK l?VzQ Q src/fb_ca_chain_bundle.crtnu W+A -----BEGIN CERTIFICATE-----
MIIFgjCCBGqgAwIBAgIQDKKbZcnESGaLDuEaVk6fQjANBgkqhkiG9w0BAQUFADBm
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSUwIwYDVQQDExxEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
ZSBDQS0zMB4XDTEwMDExMzAwMDAwMFoXDTEzMDQxMTIzNTk1OVowaDELMAkGA1UE
BhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcTCVBhbG8gQWx0bzEX
MBUGA1UEChMORmFjZWJvb2ssIEluYy4xFzAVBgNVBAMUDiouZmFjZWJvb2suY29t
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9rzj7QIuLM3sdHu1HcI1VcR3g
b5FExKNV646agxSle1aQ/sJev1mh/u91ynwqd2BQmM0brZ1Hc3QrfYyAaiGGgEkp
xbhezyfeYhAyO0TKAYxPnm2cTjB5HICzk6xEIwFbA7SBJ2fSyW1CFhYZyo3tIBjj
19VjKyBfpRaPkzLmRwIDAQABo4ICrDCCAqgwHwYDVR0jBBgwFoAUUOpzidsp+xCP
nuUBINTeeZlIg/cwHQYDVR0OBBYEFPp+tsFBozkjrHlEnZ9J4cFj2eM0MA4GA1Ud
DwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMF8GA1UdHwRYMFYwKaAnoCWGI2h0dHA6
Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9jYTMtZmIuY3JsMCmgJ6AlhiNodHRwOi8vY3Js
NC5kaWdpY2VydC5jb20vY2EzLWZiLmNybDCCAcYGA1UdIASCAb0wggG5MIIBtQYL
YIZIAYb9bAEDAAEwggGkMDoGCCsGAQUFBwIBFi5odHRwOi8vd3d3LmRpZ2ljZXJ0
LmNvbS9zc2wtY3BzLXJlcG9zaXRvcnkuaHRtMIIBZAYIKwYBBQUHAgIwggFWHoIB
UgBBAG4AeQAgAHUAcwBlACAAbwBmACAAdABoAGkAcwAgAEMAZQByAHQAaQBmAGkA
YwBhAHQAZQAgAGMAbwBuAHMAdABpAHQAdQB0AGUAcwAgAGEAYwBjAGUAcAB0AGEA
bgBjAGUAIABvAGYAIAB0AGgAZQAgAEQAaQBnAGkAQwBlAHIAdAAgAEMAUAAvAEMA
UABTACAAYQBuAGQAIAB0AGgAZQAgAFIAZQBsAHkAaQBuAGcAIABQAGEAcgB0AHkA
IABBAGcAcgBlAGUAbQBlAG4AdAAgAHcAaABpAGMAaAAgAGwAaQBtAGkAdAAgAGwA
aQBhAGIAaQBsAGkAdAB5ACAAYQBuAGQAIABhAHIAZQAgAGkAbgBjAG8AcgBwAG8A
cgBhAHQAZQBkACAAaABlAHIAZQBpAG4AIABiAHkAIAByAGUAZgBlAHIAZQBuAGMA
ZQAuMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQUF
AAOCAQEACOkTIdxMy11+CKrbGNLBSg5xHaTvu/v1wbyn3dO/mf68pPfJnX6ShPYy
4XM4Vk0x4uaFaU4wAGke+nCKGi5dyg0Esg7nemLNKEJaFAJZ9enxZm334lSCeARy
wlDtxULGOFRyGIZZPmbV2eNq5xdU/g3IuBEhL722mTpAye9FU/J8Wsnw54/gANyO
Gzkewigua8ip8Lbs9Cht399yAfbfhUP1DrAm/xEcnHrzPr3cdCtOyJaM6SRPpRqH
ITK5Nc06tat9lXVosSinT3KqydzxBYua9gCFFiR3x3DgZfvXkC6KDdUlDrNcJUub
a1BHnLLP4mxTHL6faAXYd05IxNn/IA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGVTCCBT2gAwIBAgIQCFH5WYFBRcq94CTiEsnCDjANBgkqhkiG9w0BAQUFADBs
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
ZSBFViBSb290IENBMB4XDTA3MDQwMzAwMDAwMFoXDTIyMDQwMzAwMDAwMFowZjEL
MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
LmRpZ2ljZXJ0LmNvbTElMCMGA1UEAxMcRGlnaUNlcnQgSGlnaCBBc3N1cmFuY2Ug
Q0EtMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL9hCikQH17+NDdR
CPge+yLtYb4LDXBMUGMmdRW5QYiXtvCgFbsIYOBC6AUpEIc2iihlqO8xB3RtNpcv
KEZmBMcqeSZ6mdWOw21PoF6tvD2Rwll7XjZswFPPAAgyPhBkWBATaccM7pxCUQD5
BUTuJM56H+2MEb0SqPMV9Bx6MWkBG6fmXcCabH4JnudSREoQOiPkm7YDr6ictFuf
1EutkozOtREqqjcYjbTCuNhcBoz4/yO9NV7UfD5+gw6RlgWYw7If48hl66l7XaAs
zPw82W3tzPpLQ4zJ1LilYRyyQLYoEt+5+F/+07LJ7z20Hkt8HEyZNp496+ynaF4d
32duXvsCAwEAAaOCAvcwggLzMA4GA1UdDwEB/wQEAwIBhjCCAcYGA1UdIASCAb0w
ggG5MIIBtQYLYIZIAYb9bAEDAAIwggGkMDoGCCsGAQUFBwIBFi5odHRwOi8vd3d3
LmRpZ2ljZXJ0LmNvbS9zc2wtY3BzLXJlcG9zaXRvcnkuaHRtMIIBZAYIKwYBBQUH
AgIwggFWHoIBUgBBAG4AeQAgAHUAcwBlACAAbwBmACAAdABoAGkAcwAgAEMAZQBy
AHQAaQBmAGkAYwBhAHQAZQAgAGMAbwBuAHMAdABpAHQAdQB0AGUAcwAgAGEAYwBj
AGUAcAB0AGEAbgBjAGUAIABvAGYAIAB0AGgAZQAgAEQAaQBnAGkAQwBlAHIAdAAg
AEMAUAAvAEMAUABTACAAYQBuAGQAIAB0AGgAZQAgAFIAZQBsAHkAaQBuAGcAIABQ
AGEAcgB0AHkAIABBAGcAcgBlAGUAbQBlAG4AdAAgAHcAaABpAGMAaAAgAGwAaQBt
AGkAdAAgAGwAaQBhAGIAaQBsAGkAdAB5ACAAYQBuAGQAIABhAHIAZQAgAGkAbgBj
AG8AcgBwAG8AcgBhAHQAZQBkACAAaABlAHIAZQBpAG4AIABiAHkAIAByAGUAZgBl
AHIAZQBuAGMAZQAuMA8GA1UdEwEB/wQFMAMBAf8wNAYIKwYBBQUHAQEEKDAmMCQG
CCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wgY8GA1UdHwSBhzCB
hDBAoD6gPIY6aHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0SGlnaEFz
c3VyYW5jZUVWUm9vdENBLmNybDBAoD6gPIY6aHR0cDovL2NybDQuZGlnaWNlcnQu
Y29tL0RpZ2lDZXJ0SGlnaEFzc3VyYW5jZUVWUm9vdENBLmNybDAfBgNVHSMEGDAW
gBSxPsNpA/i/RwHUmCYaCALvY2QrwzAdBgNVHQ4EFgQUUOpzidsp+xCPnuUBINTe
eZlIg/cwDQYJKoZIhvcNAQEFBQADggEBAF1PhPGoiNOjsrycbeUpSXfh59bcqdg1
rslx3OXb3J0kIZCmz7cBHJvUV5eR13UWpRLXuT0uiT05aYrWNTf58SHEW0CtWakv
XzoAKUMncQPkvTAyVab+hA4LmzgZLEN8rEO/dTHlIxxFVbdpCJG1z9fVsV7un5Tk
1nq5GMO41lJjHBC6iy9tXcwFOPRWBW3vnuzoYTYMFEuFFFoMg08iXFnLjIpx2vrF
EIRYzwfu45DC9fkpx1ojcflZtGQriLCnNseaIGHr+k61rmsb5OPs4tk8QUmoIKRU
9ZKNu8BVIASm2LAXFszj0Mi0PeXZhMbT9m5teMl5Q+h6N/9cNUm/ocU=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEQjCCA6ugAwIBAgIEQoclDjANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMC
VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnVzdC5u
ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMc
KGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDE6MDgGA1UEAxMxRW50cnVzdC5u
ZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNjEy
MjIxNTI3MjdaFw0xNDA3MjIxNTU3MjdaMGwxCzAJBgNVBAYTAlVTMRUwEwYDVQQK
EwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xKzApBgNV
BAMTIkRpZ2lDZXJ0IEhpZ2ggQXNzdXJhbmNlIEVWIFJvb3QgQ0EwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDGzOVz5vvUu+UtLTKm3+WBP8nNJUm2cSrD
1ZQ0Z6IKHLBfaaZAscS3so/QmKSpQVk609yU1jzbdDikSsxNJYL3SqVTEjju80lt
cZF+Y7arpl/DpIT4T2JRvvjF7Ns4kuMG5QiRDMQoQVX7y1qJFX5x6DW/TXIJPb46
OFBbdzEbjbPHJEWap6xtABRaBLe6E+tRCphBQSJOZWGHgUFQpnlcid4ZSlfVLuZd
HFMsfpjNGgYWpGhz0DQEE1yhcdNafFXbXmThN4cwVgTlEbQpgBLxeTmIogIRfCdm
t4i3ePLKCqg4qwpkwr9mXZWEwaElHoddGlALIBLMQbtuC1E4uEvLAgMBAAGjggET
MIIBDzASBgNVHRMBAf8ECDAGAQH/AgEBMCcGA1UdJQQgMB4GCCsGAQUFBwMBBggr
BgEFBQcDAgYIKwYBBQUHAwQwMwYIKwYBBQUHAQEEJzAlMCMGCCsGAQUFBzABhhdo
dHRwOi8vb2NzcC5lbnRydXN0Lm5ldDAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8v
Y3JsLmVudHJ1c3QubmV0L3NlcnZlcjEuY3JsMB0GA1UdDgQWBBSxPsNpA/i/RwHU
mCYaCALvY2QrwzALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAU8BdiE1U9s/8KAGv7
UISX8+1i0BowGQYJKoZIhvZ9B0EABAwwChsEVjcuMQMCAIEwDQYJKoZIhvcNAQEF
BQADgYEAUuVY7HCc/9EvhaYzC1rAIo348LtGIiMduEl5Xa24G8tmJnDioD2GU06r
1kjLX/ktCdpdBgXadbjtdrZXTP59uN0AXlsdaTiFufsqVLPvkp5yMnqnuI3E2o6p
NpAkoQSbB6kUCNnXcW26valgOjDLZFOnr241QiwdBAJAAE/rRa8=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIE2DCCBEGgAwIBAgIEN0rSQzANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMC
VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnVzdC5u
ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMc
KGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDE6MDgGA1UEAxMxRW50cnVzdC5u
ZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05OTA1
MjUxNjA5NDBaFw0xOTA1MjUxNjM5NDBaMIHDMQswCQYDVQQGEwJVUzEUMBIGA1UE
ChMLRW50cnVzdC5uZXQxOzA5BgNVBAsTMnd3dy5lbnRydXN0Lm5ldC9DUFMgaW5j
b3JwLiBieSByZWYuIChsaW1pdHMgbGlhYi4pMSUwIwYDVQQLExwoYykgMTk5OSBF
bnRydXN0Lm5ldCBMaW1pdGVkMTowOAYDVQQDEzFFbnRydXN0Lm5ldCBTZWN1cmUg
U2VydmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGdMA0GCSqGSIb3DQEBAQUA
A4GLADCBhwKBgQDNKIM0VBuJ8w+vN5Ex/68xYMmo6LIQaO2f55M28Qpku0f1BBc/
I0dNxScZgSYMVHINiC3ZH5oSn7yzcdOAGT9HZnuMNSjSuQrfJNqc1lB5gXpa0zf3
wkrYKZImZNHkmGw6AIr1NJtl+O3jEP/9uElY3KDegjlrgbEWGWG5VLbmQwIBA6OC
AdcwggHTMBEGCWCGSAGG+EIBAQQEAwIABzCCARkGA1UdHwSCARAwggEMMIHeoIHb
oIHYpIHVMIHSMQswCQYDVQQGEwJVUzEUMBIGA1UEChMLRW50cnVzdC5uZXQxOzA5
BgNVBAsTMnd3dy5lbnRydXN0Lm5ldC9DUFMgaW5jb3JwLiBieSByZWYuIChsaW1p
dHMgbGlhYi4pMSUwIwYDVQQLExwoYykgMTk5OSBFbnRydXN0Lm5ldCBMaW1pdGVk
MTowOAYDVQQDEzFFbnRydXN0Lm5ldCBTZWN1cmUgU2VydmVyIENlcnRpZmljYXRp
b24gQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMCmgJ6AlhiNodHRwOi8vd3d3LmVu
dHJ1c3QubmV0L0NSTC9uZXQxLmNybDArBgNVHRAEJDAigA8xOTk5MDUyNTE2MDk0
MFqBDzIwMTkwNTI1MTYwOTQwWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAU8Bdi
E1U9s/8KAGv7UISX8+1i0BowHQYDVR0OBBYEFPAXYhNVPbP/CgBr+1CEl/PtYtAa
MAwGA1UdEwQFMAMBAf8wGQYJKoZIhvZ9B0EABAwwChsEVjQuMAMCBJAwDQYJKoZI
hvcNAQEFBQADgYEAkNwwAvpkdMKnCqV8IY00F6j7Rw7/JXyNEwr75Ji174z4xRAN
95K+8cPV1ZVqBLssziY2ZcgxxufuP+NXdYR6Ee9GTxj005i7qIcyunL2POI9n9cd
2cNgQ4xYDiKWL2KjLB+6rQXvqzJ4h6BUcxm1XAX5Uj5tLUUL9wqT6u0G+bI=
-----END CERTIFICATE-----
PK l?V\Sl l .travis.ymlnu W+A PK l?Vy+
composer.jsonnu W+A PK l?V2 readme.mdnu W+A PK l?VZ@ examples/with_js_sdk.phpnu W+A PK l?Vxz 4 examples/example.phpnu W+A PK l?VB_ tests/tests.phpnu W+A PK l?Vx} } tests/bootstrap.phpnu W+A PK l?V%Č
v! .gitignorenu W+A PK l?V%>( ( ! changelog.mdnu W+A PK l?Vrk)a a & src/facebook.phpnu W+A PK l?V.^! ! : src/base_facebook.phpnu W+A PK l?VzQ Q & src/fb_ca_chain_bundle.crtnu W+A PK