*/ class FacebookApiException extends Exception { /** * The result from the API server that represents the exception information. */ protected $result; /** * Make a new API Exception with the given result. * * @param Array $result the result from the API server */ public function __construct($result) { $this->result = $result; $code = isset($result['error_code']) ? $result['error_code'] : 0; if (isset($result['error_description'])) { // OAuth 2.0 Draft 10 style $msg = $result['error_description']; } else if (isset($result['error']) && is_array($result['error'])) { // OAuth 2.0 Draft 00 style $msg = $result['error']['message']; } else if (isset($result['error_msg'])) { // Rest server style $msg = $result['error_msg']; } else { $msg = 'Unknown Error. Check getResult()'; } parent::__construct($msg, $code); } /** * Return the associated result object returned by the API server. * * @returns Array the result from the API server */ public function getResult() { return $this->result; } /** * Returns the associated type for the error. This will default to * 'Exception' when a type is not available. * * @return String */ public function getType() { if (isset($this->result['error'])) { $error = $this->result['error']; if (is_string($error)) { // OAuth 2.0 Draft 10 style return $error; } else if (is_array($error)) { // OAuth 2.0 Draft 00 style if (isset($error['type'])) { return $error['type']; } } } return 'Exception'; } /** * To make debugging easier. * * @returns String the string representation of the error */ public function __toString() { $str = $this->getType() . ': '; if ($this->code != 0) { $str .= $this->code . ': '; } return $str . $this->message; } } /** * Provides access to the Facebook Platform. This class provides * a majority of the functionality needed, but the class is abstract * because it is designed to be subclassed. The subclass must * implement the three abstract methods listed at the bottom of * the file. * * @author Naitik Shah */ abstract class BaseFacebook { /** * Version. */ const VERSION = '3.0.0'; /** * Default options for curl. */ public static $CURL_OPTS = array( CURLOPT_CONNECTTIMEOUT => 10, CURLOPT_RETURNTRANSFER => true, CURLOPT_TIMEOUT => 60, CURLOPT_USERAGENT => 'facebook-php-3.0', ); /** * List of query parameters that get automatically dropped when rebuilding * the current URL. */ protected static $DROP_QUERY_PARAMS = array( 'code', 'state', 'signed_request', ); /** * Maps aliases to Facebook domains. */ public static $DOMAIN_MAP = array( 'api' => 'https://api.facebook.com/', 'api_video' => 'https://api-video.facebook.com/', 'api_read' => 'https://api-read.facebook.com/', 'graph' => 'https://graph.facebook.com/', 'www' => 'https://www.facebook.com/', ); /** * The Application ID. */ protected $appId; /** * The Application API Secret. */ protected $apiSecret; /** * The ID of the Facebook user, or 0 if the user is logged out. */ protected $user; /** * The data from the signed_request token. */ protected $signedRequest; /** * A CSRF state variable to assist in the defense against * CSRF attacks. */ protected $state; /** * The OAuth access token received in exchange for a valid authorization * code. null means the access token has yet to be determined. */ protected $accessToken = null; /** * Indicates if the CURL based @ syntax for file uploads is enabled. */ protected $fileUploadSupport = false; /** * Initialize a Facebook Application. * * The configuration: * - appId: the application ID * - secret: the application secret * - fileUpload: (optional) boolean indicating if file uploads are enabled * * @param Array $config the application configuration */ public function __construct($config) { $this->setAppId($config['appId']); $this->setApiSecret($config['secret']); if (isset($config['fileUpload'])) { $this->setFileUploadSupport($config['fileUpload']); } if (isset($_COOKIE[$this->getCSRFTokenCookieName()])) { $this->state = $_COOKIE[$this->getCSRFTokenCookieName()]; } } /** * Set the Application ID. * * @param String $appId the Application ID */ public function setAppId($appId) { $this->appId = $appId; return $this; } /** * Get the Application ID. * * @return String the Application ID */ public function getAppId() { return $this->appId; } /** * Set the API Secret. * * @param String $appId the API Secret */ public function setApiSecret($apiSecret) { $this->apiSecret = $apiSecret; return $this; } /** * Get the API Secret. * * @return String the API Secret */ public function getApiSecret() { return $this->apiSecret; } /** * Set the file upload support status. * * @param Boolean the file upload support status. */ public function setFileUploadSupport($fileUploadSupport) { $this->fileUploadSupport = $fileUploadSupport; return $this; } /** * Get the file upload support status. * * @return Boolean true if and only if the server supports * file upload. */ public function useFileUploadSupport() { return $this->fileUploadSupport; } /** * Sets the access token for api calls. Use this if you get * your access token by other means and just want the SDK * to use it. * * @param String $access_token an access token. */ public function setAccessToken($access_token) { $this->accessToken = $access_token; return $this; } /** * Determines the access token that should be used for API calls. * The first time this is called, $this->accessToken is set equal * to either a valid user access token, or it's set to the application * access token if a valid user access token wasn't available. Subsequent * calls return whatever the first call returned. * * @return String the access token */ public function getAccessToken() { if ($this->accessToken !== null) { // we've done this already and cached it. Just return. return $this->accessToken; } // first establish access token to be the application // access token, in case we navigate to the /oauth/access_token // endpoint, where SOME access token is required. $this->setAccessToken($this->getApplicationAccessToken()); if ($user_access_token = $this->getUserAccessToken()) { $this->setAccessToken($user_access_token); } return $this->accessToken; } /** * Determines and returns the user access token, first using * the signed request if present, and then falling back on * the authorization code if present. The intent is to * return a valid user access token, or false if one is determined * to not be available. * * @return String a valid user access token, or false if one * could not be determined. */ protected function getUserAccessToken() { // first, consider a signed request if it's supplied. // if there is a signed request, then it alone determines // the access token. $signed_request = $this->getSignedRequest(); if ($signed_request) { if (array_key_exists('oauth_token', $signed_request)) { $access_token = $signed_request['oauth_token']; $this->setPersistentData('access_token', $access_token); return $access_token; } // signed request states there's no access token, so anything // stored should be cleared. $this->clearAllPersistentData(); return false; // respect the signed request's data, even // if there's an authorization code or something else } $code = $this->getCode(); if ($code && $code != $this->getPersistentData('code')) { $access_token = $this->getAccessTokenFromCode($code); if ($access_token) { $this->setPersistentData('code', $code); $this->setPersistentData('access_token', $access_token); return $access_token; } // code was bogus, so everything based on it should be invalidated. $this->clearAllPersistentData(); return false; } // as a fallback, just return whatever is in the persistent // store, knowing nothing explicit (signed request, authorization // code, etc.) was present to shadow it (or we saw a code in $_REQUEST, // but it's the same as what's in the persistent store) return $this->getPersistentData('access_token'); } /** * Get the data from a signed_request token. * * @return String the base domain */ public function getSignedRequest() { if (!$this->signedRequest) { if (isset($_REQUEST['signed_request'])) { $this->signedRequest = $this->parseSignedRequest( $_REQUEST['signed_request']); } } return $this->signedRequest; } /** * Get the UID of the connected user, or 0 * if the Facebook user is not connected. * * @return String the UID if available. */ public function getUser() { if ($this->user !== null) { // we've already determined this and cached the value. return $this->user; } return $this->user = $this->getUserFromAvailableData(); } /** * Determines the connected user by first examining any signed * requests, then considering an authorization code, and then * falling back to any persistent store storing the user. * * @return Integer the id of the connected Facebook user, or 0 * if no such user exists. */ protected function getUserFromAvailableData() { // if a signed request is supplied, then it solely determines // who the user is. $signed_request = $this->getSignedRequest(); if ($signed_request) { if (array_key_exists('user_id', $signed_request)) { $user = $signed_request['user_id']; $this->setPersistentData('user_id', $signed_request['user_id']); return $user; } // if the signed request didn't present a user id, then invalidate // all entries in any persistent store. $this->clearAllPersistentData(); return 0; } $user = $this->getPersistentData('user_id', $default = 0); $persisted_access_token = $this->getPersistentData('access_token'); // use access_token to fetch user id if we have a user access_token, or if // the cached access token has changed. $access_token = $this->getAccessToken(); if ($access_token && $access_token != $this->getApplicationAccessToken() && !($user && $persisted_access_token == $access_token)) { $user = $this->getUserFromAccessToken(); if ($user) { $this->setPersistentData('user_id', $user); } else { $this->clearAllPersistentData(); } } return $user; } /** * Get a Login URL for use with redirects. By default, full page redirect is * assumed. If you are using the generated URL with a window.open() call in * JavaScript, you can pass in display=popup as part of the $params. * * The parameters: * - redirect_uri: the url to go to after a successful login * - scope: comma separated list of requested extended perms * * @param Array $params provide custom parameters * @return String the URL for the login flow */ public function getLoginUrl($params=array()) { $this->establishCSRFTokenState(); $currentUrl = $this->getCurrentUrl(); return $this->getUrl( 'www', 'dialog/oauth', array_merge(array( 'client_id' => $this->getAppId(), 'redirect_uri' => $currentUrl, // possibly overwritten 'state' => $this->state), $params)); } /** * Get a Logout URL suitable for use with redirects. * * The parameters: * - next: the url to go to after a successful logout * * @param Array $params provide custom parameters * @return String the URL for the logout flow */ public function getLogoutUrl($params=array()) { return $this->getUrl( 'www', 'logout.php', array_merge(array( 'next' => $this->getCurrentUrl(), 'access_token' => $this->getAccessToken(), ), $params) ); } /** * Get a login status URL to fetch the status from Facebook. * * The parameters: * - ok_session: the URL to go to if a session is found * - no_session: the URL to go to if the user is not connected * - no_user: the URL to go to if the user is not signed into facebook * * @param Array $params provide custom parameters * @return String the URL for the logout flow */ public function getLoginStatusUrl($params=array()) { return $this->getUrl( 'www', 'extern/login_status.php', array_merge(array( 'api_key' => $this->getAppId(), 'no_session' => $this->getCurrentUrl(), 'no_user' => $this->getCurrentUrl(), 'ok_session' => $this->getCurrentUrl(), 'session_version' => 3, ), $params) ); } /** * Make an API call. * * @param Array $params the API call parameters * @return the decoded response */ public function api(/* polymorphic */) { $args = func_get_args(); if (is_array($args[0])) { return $this->_restserver($args[0]); } else { return call_user_func_array(array($this, '_graph'), $args); } } /** * Get the authorization code from the query parameters, if it exists, * and otherwise return false to signal no authorization code was * discoverable. * * @return mixed the authorization code, or false if the authorization * code could not be determined. */ protected function getCode() { if (isset($_REQUEST['code'])) { if ($this->state !== null && isset($_REQUEST['state']) && $this->state === $_REQUEST['state']) { // CSRF state has done its job, so clear it $this->state = null; unset($_COOKIE[$this->getCSRFTokenCookieName()]); return $_REQUEST['code']; } else { self::errorLog('CSRF state token does not match one provided.'); return false; } } return false; } /** * Retrieves the UID with the understanding that * $this->accessToken has already been set and is * seemingly legitimate. It relies on Facebook's Graph API * to retreive user information and then extract * the user ID. * * @return Integer returns the UID of the Facebook user, or * 0 if the Facebook user could not be determined. */ protected function getUserFromAccessToken() { try { $user_info = $this->api('/me'); return $user_info['id']; } catch (FacebookApiException $e) { return 0; } } /** * Returns the access token that should be used for logged out * users when no authorization code is available. * * @return String the application access token, useful for * gathering public information about users and applications. */ protected function getApplicationAccessToken() { return $this->appId.'|'.$this->apiSecret; } /** * Lays down a CSRF state token for this process. We * only generate a new CSRF token if one isn't currently * circulating in the domain's cookie jar. * * @return void */ protected function establishCSRFTokenState() { if ($this->state === null) { $this->state = md5(uniqid(mt_rand(), true)); setcookie($name = $this->getCSRFTokenCookieName(), $value = $this->state, $expires = time() + 3600); // sticks for an hour } } /** * Retreives an access token for the given authorization code * (previously generated from www.facebook.com on behalf of * a specific user). The authorization code is sent to graph.facebook.com * and a legitimate access token is generated provided the access token * and the user for which it was generated all match, and the user is * either logged in to Facebook or has granted an offline access permission. * * @param String $code an authorization code. * @return mixed an access token exchanged for the authorization code, or * false if an access token could not be generated. */ protected function getAccessTokenFromCode($code) { if (empty($code)) { return false; } try { // need to circumvent json_decode by calling _oauthRequest // directly, since response isn't JSON format. $access_token_response = $this->_oauthRequest( $this->getUrl('graph', '/oauth/access_token'), $params = array('client_id' => $this->getAppId(), 'client_secret' => $this->getApiSecret(), 'redirect_uri' => $this->getCurrentUrl(), 'code' => $code)); } catch (FacebookApiException $e) { // most likely that user very recently revoked authorization. // In any event, we don't have an access token, so say so. return false; } if (empty($access_token_response)) { return false; } $response_params = array(); parse_str($access_token_response, $response_params); if (!isset($response_params['access_token'])) { return false; } return $response_params['access_token']; } /** * Invoke the old restserver.php endpoint. * * @param Array $params method call object * @return the decoded response object * @throws FacebookApiException */ protected function _restserver($params) { // generic application level parameters $params['api_key'] = $this->getAppId(); $params['format'] = 'json-strings'; $result = json_decode($this->_oauthRequest( $this->getApiUrl($params['method']), $params ), true); // results are returned, errors are thrown if (is_array($result) && isset($result['error_code'])) { throw new FacebookApiException($result); } return $result; } /** * Invoke the Graph API. * * @param String $path the path (required) * @param String $method the http method (default 'GET') * @param Array $params the query/post data * @return the decoded response object * @throws FacebookApiException */ protected function _graph($path, $method = 'GET', $params = array()) { if (is_array($method) && empty($params)) { $params = $method; $method = 'GET'; } $params['method'] = $method; // method override as we always do a POST $result = json_decode($this->_oauthRequest( $this->getUrl('graph', $path), $params ), true); // results are returned, errors are thrown if (is_array($result) && isset($result['error'])) { $this->throwAPIException($result); } return $result; } /** * Make a OAuth Request. * * @param String $path the path (required) * @param Array $params the query/post data * @return the decoded response object * @throws FacebookApiException */ protected function _oauthRequest($url, $params) { if (!isset($params['access_token'])) { $params['access_token'] = $this->getAccessToken(); } // json_encode all params values that are not strings foreach ($params as $key => $value) { if (!is_string($value)) { $params[$key] = json_encode($value); } } return $this->makeRequest($url, $params); } /** * Makes an HTTP request. This method can be overriden by subclasses if * developers want to do fancier things or use something other than curl to * make the request. * * @param String $url the URL to make the request to * @param Array $params the parameters to use for the POST body * @param CurlHandler $ch optional initialized curl handle * @return String the response text */ protected function makeRequest($url, $params, $ch=null) { if (!$ch) { $ch = curl_init(); } $opts = self::$CURL_OPTS; if ($this->useFileUploadSupport()) { $opts[CURLOPT_POSTFIELDS] = $params; } else { $opts[CURLOPT_POSTFIELDS] = http_build_query($params, null, '&'); } $opts[CURLOPT_URL] = $url; // disable the 'Expect: 100-continue' behaviour. This causes CURL to wait // for 2 seconds if the server does not support this header. if (isset($opts[CURLOPT_HTTPHEADER])) { $existing_headers = $opts[CURLOPT_HTTPHEADER]; $existing_headers[] = 'Expect:'; $opts[CURLOPT_HTTPHEADER] = $existing_headers; } else { $opts[CURLOPT_HTTPHEADER] = array('Expect:'); } curl_setopt_array($ch, $opts); $result = curl_exec($ch); if (curl_errno($ch) == 60) { // CURLE_SSL_CACERT self::errorLog('Invalid or no certificate authority found, '. 'using bundled information'); curl_setopt($ch, CURLOPT_CAINFO, dirname(__FILE__) . '/fb_ca_chain_bundle.crt'); $result = curl_exec($ch); } if ($result === false) { $e = new FacebookApiException(array( 'error_code' => curl_errno($ch), 'error' => array( 'message' => curl_error($ch), 'type' => 'CurlException', ), )); curl_close($ch); throw $e; } curl_close($ch); return $result; } /** * The name of the cookie housing the CSRF protection value. * * @return String the cookie name */ protected function getCSRFTokenCookieName() { return 'fbcsrf_'.$this->getAppId(); } /** * Parses a signed_request and validates the signature. * * @param String A signed token * @return Array the payload inside it or null if the sig is wrong */ protected function parseSignedRequest($signed_request) { list($encoded_sig, $payload) = explode('.', $signed_request, 2); // decode the data $sig = self::base64UrlDecode($encoded_sig); $data = json_decode(self::base64UrlDecode($payload), true); if (strtoupper($data['algorithm']) !== 'HMAC-SHA256') { self::errorLog('Unknown algorithm. Expected HMAC-SHA256'); return null; } // check sig $expected_sig = hash_hmac('sha256', $payload, $this->getApiSecret(), $raw = true); if ($sig !== $expected_sig) { self::errorLog('Bad Signed JSON signature!'); return null; } return $data; } /** * Build the URL for api given parameters. * * @param $method String the method name. * @return String the URL for the given parameters */ protected function getApiUrl($method) { static $READ_ONLY_CALLS = array('admin.getallocation' => 1, 'admin.getappproperties' => 1, 'admin.getbannedusers' => 1, 'admin.getlivestreamvialink' => 1, 'admin.getmetrics' => 1, 'admin.getrestrictioninfo' => 1, 'application.getpublicinfo' => 1, 'auth.getapppublickey' => 1, 'auth.getsession' => 1, 'auth.getsignedpublicsessiondata' => 1, 'comments.get' => 1, 'connect.getunconnectedfriendscount' => 1, 'dashboard.getactivity' => 1, 'dashboard.getcount' => 1, 'dashboard.getglobalnews' => 1, 'dashboard.getnews' => 1, 'dashboard.multigetcount' => 1, 'dashboard.multigetnews' => 1, 'data.getcookies' => 1, 'events.get' => 1, 'events.getmembers' => 1, 'fbml.getcustomtags' => 1, 'feed.getappfriendstories' => 1, 'feed.getregisteredtemplatebundlebyid' => 1, 'feed.getregisteredtemplatebundles' => 1, 'fql.multiquery' => 1, 'fql.query' => 1, 'friends.arefriends' => 1, 'friends.get' => 1, 'friends.getappusers' => 1, 'friends.getlists' => 1, 'friends.getmutualfriends' => 1, 'gifts.get' => 1, 'groups.get' => 1, 'groups.getmembers' => 1, 'intl.gettranslations' => 1, 'links.get' => 1, 'notes.get' => 1, 'notifications.get' => 1, 'pages.getinfo' => 1, 'pages.isadmin' => 1, 'pages.isappadded' => 1, 'pages.isfan' => 1, 'permissions.checkavailableapiaccess' => 1, 'permissions.checkgrantedapiaccess' => 1, 'photos.get' => 1, 'photos.getalbums' => 1, 'photos.gettags' => 1, 'profile.getinfo' => 1, 'profile.getinfooptions' => 1, 'stream.get' => 1, 'stream.getcomments' => 1, 'stream.getfilters' => 1, 'users.getinfo' => 1, 'users.getloggedinuser' => 1, 'users.getstandardinfo' => 1, 'users.hasapppermission' => 1, 'users.isappuser' => 1, 'users.isverified' => 1, 'video.getuploadlimits' => 1); $name = 'api'; if (isset($READ_ONLY_CALLS[strtolower($method)])) { $name = 'api_read'; } else if (strtolower($method) == 'video.upload') { $name = 'api_video'; } return self::getUrl($name, 'restserver.php'); } /** * Build the URL for given domain alias, path and parameters. * * @param $name String the name of the domain * @param $path String optional path (without a leading slash) * @param $params Array optional query parameters * @return String the URL for the given parameters */ protected function getUrl($name, $path='', $params=array()) { $url = self::$DOMAIN_MAP[$name]; if ($path) { if ($path[0] === '/') { $path = substr($path, 1); } $url .= $path; } if ($params) { $url .= '?' . http_build_query($params, null, '&'); } return $url; } /** * Returns the Current URL, stripping it of known FB parameters that should * not persist. * * @return String the current URL */ protected function getCurrentUrl() { $protocol = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on' ? 'https://' : 'http://'; $currentUrl = $protocol . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; $parts = parse_url($currentUrl); // drop known fb params $query = ''; if (!empty($parts['query'])) { $params = array(); parse_str($parts['query'], $params); foreach(self::$DROP_QUERY_PARAMS as $key) { unset($params[$key]); } if (!empty($params)) { $query = '?' . http_build_query($params, null, '&'); } } // use port if non default $port = isset($parts['port']) && (($protocol === 'http://' && $parts['port'] !== 80) || ($protocol === 'https://' && $parts['port'] !== 443)) ? ':' . $parts['port'] : ''; // rebuild return $protocol . $parts['host'] . $port . $parts['path'] . $query; } /** * Analyzes the supplied result to see if it was thrown * because the access token is no longer valid. If that is * the case, then the persistent store is cleared. * * @param $result a record storing the error message returned * by a failed API call. */ protected function throwAPIException($result) { $e = new FacebookApiException($result); switch ($e->getType()) { // OAuth 2.0 Draft 00 style case 'OAuthException': // OAuth 2.0 Draft 10 style case 'invalid_token': $message = $e->getMessage(); if ((strpos($message, 'Error validating access token') !== false) || (strpos($message, 'Invalid OAuth access token') !== false)) { $this->setAccessToken(null); $this->user = 0; $this->clearAllPersistentData(); } } throw $e; } /** * Prints to the error log if you aren't in command line mode. * * @param String log message */ protected static function errorLog($msg) { // disable error log if we are running in a CLI environment // @codeCoverageIgnoreStart if (php_sapi_name() != 'cli') { error_log($msg); } // uncomment this if you want to see the errors on the page // print 'error_log: '.$msg."\n"; // @codeCoverageIgnoreEnd } /** * Base64 encoding that doesn't need to be urlencode()ed. * Exactly the same as base64_encode except it uses * - instead of + * _ instead of / * * @param String base64UrlEncodeded string */ protected static function base64UrlDecode($input) { return base64_decode(strtr($input, '-_', '+/')); } /** * Each of the following three methods should be overridden in * a concrete subclass, as they are in the provided Facebook class. * The Facebook class uses PHP sessions to provide a primitive * persistent store, but another subclass--one that you implement-- * might use a database, memcache, or an in-memory cache. * * @see Facebook */ abstract protected function setPersistentData($key, $value); abstract protected function getPersistentData($key, $default = false); abstract protected function clearAllPersistentData(); }