php-sdk changes to support signed_request

Author: ptarjan

src/facebook.php

@@ -97,6 +97,7 @@ class Facebook
    */
   protected static $DROP_QUERY_PARAMS = array(
     'session',
+    'signed_request',
   );
 
   /**
@@ -124,6 +125,11 @@ class Facebook
    */
   protected $session;
 
+  /**
+   * The data from the signed_request token.
+   */
+  protected $signedRequest;
+
   /**
    * Indicates that we already loaded the session as best as we could.
    */
@@ -237,6 +243,21 @@ public function getBaseDomain() {
     return $this->baseDomain;
   }
 
+  /**
+   * Get the data from a signed_request token
+   *
+   * @return String the base domain
+   */
+  public function getSignedRequest() {
+    if (!$this->signedRequest) {
+      if (isset($_REQUEST['signed_request'])) {
+        $this->signedRequest = $this->parseSignedRequest(
+          $_REQUEST['signed_request']);
+      }
+    }
+    return $this->signedRequest;
+  }
+
   /**
    * Set the Session.
    *
@@ -256,7 +277,7 @@ public function setSession($session=null, $write_cookie=true) {
 
   /**
    * Get the session object. This will automatically look for a signed session
-   * sent via the Cookie or Query Parameters if needed.
+   * sent via the signed_request, Cookie or Query Parameters if needed.
    *
    * @return Array the session
    */
@@ -265,8 +286,15 @@ public function getSession() {
       $session = null;
       $write_cookie = true;
 
+      // try loading session from signed_request in $_REQUEST
+      $signedRequest = $this->getSignedRequest();
+      if ($signedRequest) {
+        // sig is good, use the signedRequest
+        $session = $this->createSessionFromSignedRequest($signedRequest);
+      }
+
       // try loading session from $_REQUEST
-      if (isset($_REQUEST['session'])) {
+      if (!$session && isset($_REQUEST['session'])) {
         $session = json_decode(
           get_magic_quotes_gpc()
             ? stripslashes($_REQUEST['session'])
@@ -309,6 +337,21 @@ public function getUser() {
     return $session ? $session['uid'] : null;
   }
 
+  /**
+   * Gets a OAuth access token.
+   *
+   * @return String the access token
+   */
+  public function getAccessToken() {
+    $session = $this->getSession();
+    // either user session signed, or app signed
+    if ($session) {
+      return $session['access_token'];
+    } else {
+      return $this->getAppId() .'|'. $this->getApiSecret();
+    }
+  }
+
   /**
    * Get a Login URL for use with redirects. By default, full page redirect is
    * assumed. If you are using the generated URL with a window.open() call in
@@ -351,14 +394,12 @@ public function getLoginUrl($params=array()) {
    * @return String the URL for the logout flow
    */
   public function getLogoutUrl($params=array()) {
-    $session = $this->getSession();
     return $this->getUrl(
       'www',
       'logout.php',
       array_merge(array(
-        'api_key'     => $this->getAppId(),
-        'next'        => $this->getCurrentUrl(),
-        'session_key' => $session['session_key'],
+        'next'         => $this->getCurrentUrl(),
+        'access_token' => $this->getAccessToken(),
       ), $params)
     );
   }
@@ -469,13 +510,7 @@ protected function _graph($path, $method='GET', $params=array()) {
    */
   protected function _oauthRequest($url, $params) {
     if (!isset($params['access_token'])) {
-      $session = $this->getSession();
-      // either user session signed, or app signed
-      if ($session) {
-        $params['access_token'] = $session['access_token'];
-      } else {
-        $params['access_token'] = $this->getAppId() .'|'. $this->getApiSecret();
-      }
+      $params['access_token'] = $this->getAccessToken();
     }
 
     // json_encode all params values that are not strings
@@ -576,7 +611,7 @@ protected function setCookieFromSession($session=null) {
     }
 
     if (headers_sent()) {
-      self::error_log('Could not set cookie. Headers already sent.');
+      self::errorLog('Could not set cookie. Headers already sent.');
 
     // ignore for code coverage as we will never be able to setcookie in a CLI
     // environment
@@ -597,8 +632,6 @@ protected function validateSessionObject($session) {
     // make sure some essential fields exist
     if (is_array($session) &&
         isset($session['uid']) &&
-        isset($session['session_key']) &&
-        isset($session['secret']) &&
         isset($session['access_token']) &&
         isset($session['sig'])) {
       // validate the signature
@@ -609,7 +642,7 @@ protected function validateSessionObject($session) {
         $this->getApiSecret()
       );
       if ($session['sig'] != $expected_sig) {
-        self::error_log('Got invalid session signature in cookie.');
+        self::errorLog('Got invalid session signature in cookie.');
         $session = null;
       }
       // check expiry time
@@ -619,6 +652,67 @@ protected function validateSessionObject($session) {
     return $session;
   }
 
+  /**
+   * Returns something that looks like our JS session object from the
+   * signed token's data
+   *
+   * TODO: Nuke this once the login flow uses OAuth2
+   *
+   * @param Array the output of getSignedRequest
+   * @return Array Something that will work as a session
+   */
+  protected function createSessionFromSignedRequest($data) {
+    if (!isset($data['oauth_token'])) {
+      return null;
+    }
+
+    $session = array(
+      'uid'          => $data['user_id'],
+      'access_token' => $data['oauth_token'],
+      'expires'      => $data['expires'],
+    );
+
+    // put a real sig, so that validateSignature works
+    $session['sig'] = self::generateSignature(
+      $session,
+      $this->getApiSecret()
+    );
+
+    return $session;
+  }
+
+  /**
+   * Parses a signed_request and validates the signature.
+   * Then saves it in $this->signed_data
+   *
+   * @param String A signed token
+   * @param Boolean Should we remove the parts of the payload that
+   *                are used by the algorithm?
+   * @return Array the payload inside it or null if the sig is wrong
+   */
+  protected function parseSignedRequest($signed_request) {
+    list($encoded_sig, $payload) = explode('.', $signed_request, 2);
+
+    // decode the data
+    $sig = self::base64UrlDecode($encoded_sig);
+    $data = json_decode(self::base64UrlDecode($payload), true);
+
+    if (strtoupper($data['algorithm']) !== 'HMAC-SHA256') {
+      self::errorLog('Unknown algorithm. Expected HMAC-SHA256');
+      return null;
+    }
+
+    // check sig
+    $expected_sig = hash_hmac('sha256', $payload,
+                              $this->getApiSecret(), $raw = true);
+    if ($sig !== $expected_sig) {
+      self::errorLog('Bad Signed JSON signature!');
+      return null;
+    }
+
+    return $data;
+  }
+
   /**
    * Build the URL for api given parameters.
    *
@@ -775,11 +869,11 @@ protected static function generateSignature($params, $secret) {
   }
 
   /**
-   * Prints to the error log if you aren't in command line mode. 
+   * Prints to the error log if you aren't in command line mode.
    *
    * @param String log message
    */
-  protected static function error_log($msg) {
+  protected static function errorLog($msg) {
     // disable error log if we are running in a CLI environment
     // @codeCoverageIgnoreStart
     if (php_sapi_name() != 'cli') {
@@ -789,4 +883,16 @@ protected static function error_log($msg) {
     // print 'error_log: '.$msg."\n";
     // @codeCoverageIgnoreEnd
   }
+
+  /**
+   * Base64 encoding that doesn't need to be urlencode()ed.
+   * Exactly the same as base64_encode except it uses
+   *   - instead of +
+   *   _ instead of /
+   *
+   * @param String base64UrlEncodeded string
+   */
+  protected static function base64UrlDecode($input) {
+    return base64_decode(strtr($input, '-_', '+/'));
+  }
 }

tests/tests.php

@@ -19,6 +19,9 @@ class FacebookTest extends PHPUnit_Framework_TestCase
     'uid'          => '1677846385',
   );
 
+  private static $VALID_SIGNED_REQUEST = 'ZcZocIFknCpcTLhwsRwwH5nL6oq7OmKWJx41xRTi59E.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImV4cGlyZXMiOiIxMjczMzU5NjAwIiwib2F1dGhfdG9rZW4iOiIyNTQ3NTIwNzMxNTJ8Mi5JX2VURmtjVEtTelg1bm8zakk0cjFRX18uMzYwMC4xMjczMzU5NjAwLTE2Nzc4NDYzODV8dUk3R3dybUJVZWQ4c2VaWjA1SmJkekdGVXBrLiIsInNlc3Npb25fa2V5IjoiMi5JX2VURmtjVEtTelg1bm8zakk0cjFRX18uMzYwMC4xMjczMzU5NjAwLTE2Nzc4NDYzODUiLCJ1c2VyX2lkIjoiMTY3Nzg0NjM4NSJ9';
+  private static $NON_TOSSED_SIGNED_REQUEST = 'laEjO-az9kzgFOUldy1G7EyaP6tMQEsbFIDrB1RUamE.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiJ9';
+
   public function testConstructor() {
     $facebook = new Facebook(array(
       'appId'  => self::APP_ID,
@@ -111,15 +114,30 @@ public function testSetNullSession() {
                       'Expect null session back.');
   }
 
+  public function testNonUserAccessToken() {
+    $facebook = new Facebook(array(
+      'appId'  => self::APP_ID,
+      'secret' => self::SECRET,
+      'cookie' => true,
+    ));
+    $this->assertTrue($facebook->getAccessToken() ==
+                      self::APP_ID.'|'.self::SECRET,
+                      'Expect appId|secret.');
+  }
+
   public function testSetSession() {
     $facebook = new Facebook(array(
       'appId'  => self::APP_ID,
       'secret' => self::SECRET,
       'cookie' => true,
     ));
     $facebook->setSession(self::$VALID_EXPIRED_SESSION);
-    $this->assertTrue($facebook->getUser() == '1677846385',
+    $this->assertTrue($facebook->getUser() ==
+                      self::$VALID_EXPIRED_SESSION['uid'],
                       'Expect uid back.');
+    $this->assertTrue($facebook->getAccessToken() ==
+                      self::$VALID_EXPIRED_SESSION['access_token'],
+                      'Expect access token back.');
   }
 
   public function testGetSessionFromCookie() {
@@ -166,7 +184,8 @@ public function testSessionFromQueryString() {
       'secret' => self::SECRET,
     ));
 
-    $this->assertEquals($facebook->getUser(), '1677846385',
+    $this->assertEquals($facebook->getUser(),
+                        self::$VALID_EXPIRED_SESSION['uid'],
                         'Expect uid back.');
     unset($_REQUEST['session']);
   }
@@ -466,7 +485,8 @@ public function testMagicQuotesQueryString() {
       'secret' => self::SECRET,
     ));
 
-    $this->assertEquals($facebook->getUser(), '1677846385',
+    $this->assertEquals($facebook->getUser(),
+                        self::$VALID_EXPIRED_SESSION['uid'],
                         'Expect uid back.');
     unset($_REQUEST['session']);
   }
@@ -577,4 +597,57 @@ public function testAppSecretCall() {
     $this->assertTrue(count($response['data']) > 0,
                       'Expect some data back.');
   }
+
+  public function testBase64UrlEncode() {
+    $input = 'Facebook rocks';
+    $output = 'RmFjZWJvb2sgcm9ja3M';
+
+    $this->assertEquals(FBPublic::publicBase64UrlDecode($output), $input);
+  }
+
+  public function testSignedToken() {
+    $facebook = new FBPublic(array(
+      'appId'  => self::APP_ID,
+      'secret' => self::SECRET,
+    ));
+    $payload = $facebook->publicParseSignedRequest(self::$VALID_SIGNED_REQUEST);
+    $this->assertNotNull($payload, 'Expected token to parse');
+    $session = $facebook->publicCreateSessionFromSignedRequest($payload);
+    foreach (array('uid', 'access_token') as $key) {
+      $this->assertEquals($session[$key], self::$VALID_EXPIRED_SESSION[$key]);
+    }
+    $this->assertEquals($facebook->getSignedRequest(), null);
+    $_REQUEST['signed_request'] = self::$VALID_SIGNED_REQUEST;
+    $this->assertEquals($facebook->getSignedRequest(), $payload);
+    unset($_REQUEST['signed_request']);
+  }
+
+  public function testNonTossedSignedtoken() {
+    $facebook = new FBPublic(array(
+      'appId'  => self::APP_ID,
+      'secret' => self::SECRET,
+    ));
+    $payload = $facebook->publicParseSignedRequest(
+      self::$NON_TOSSED_SIGNED_REQUEST);
+    $this->assertNotNull($payload, 'Expected token to parse');
+    $session = $facebook->publicCreateSessionFromSignedRequest($payload);
+    $this->assertNull($session);
+    $this->assertNull($facebook->getSignedRequest());
+    $_REQUEST['signed_request'] = self::$NON_TOSSED_SIGNED_REQUEST;
+    $this->assertEquals($facebook->getSignedRequest(),
+      array('algorithm' => 'HMAC-SHA256'));
+    unset($_REQUEST['signed_request']);
+  }
+}
+
+class FBPublic extends Facebook {
+  public static function publicBase64UrlDecode($input) {
+    return self::base64UrlDecode($input);
+  }
+  public function publicParseSignedRequest($intput) {
+    return $this->parseSignedRequest($intput);
+  }
+  public function publicCreateSessionFromSignedRequest($payload) {
+    return $this->createSessionFromSignedRequest($payload);
+  }
 }