From c754f8f454b5909ce0987bd4a5b725db48c8f8ce Mon Sep 17 00:00:00 2001 From: Dominic Morgan Date: Thu, 9 Feb 2012 11:43:44 +0000 Subject: [PATCH 01/52] Make getApplicationAccessToken public For posting apprequests, we need to use the application access token not the user one. It is easy to specify this in the parameters to api call except that the method to retrieve it is protected. I can see no obvious reason why. --- src/base_facebook.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/base_facebook.php b/src/base_facebook.php index 772cc97e..cacd5ed4 100644 --- a/src/base_facebook.php +++ b/src/base_facebook.php @@ -665,7 +665,7 @@ protected function getUserFromAccessToken() { * @return string The application access token, useful for gathering * public information about users and applications. */ - protected function getApplicationAccessToken() { + public function getApplicationAccessToken() { return $this->appId.'|'.$this->appSecret; } From fb6733f80f6125570af42db0bedfca3acc856899 Mon Sep 17 00:00:00 2001 From: David Harkness Date: Fri, 24 Feb 2012 13:55:56 -0800 Subject: [PATCH 02/52] Marked deprecated methods with @deprecated. Constructor reuses $state local variable pulled from persistent storage. --- src/base_facebook.php | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/src/base_facebook.php b/src/base_facebook.php index 772cc97e..f6d404b1 100644 --- a/src/base_facebook.php +++ b/src/base_facebook.php @@ -219,7 +219,7 @@ public function __construct($config) { $state = $this->getPersistentData('state'); if (!empty($state)) { - $this->state = $this->getPersistentData('state'); + $this->state = $state; } } @@ -248,7 +248,7 @@ public function getAppId() { * * @param string $apiSecret The App Secret * @return BaseFacebook - * @deprecated + * @deprecated Use setAppSecret instead. */ public function setApiSecret($apiSecret) { $this->setAppSecret($apiSecret); 
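Review bot: Widening `getApplicationAccessToken()` to public (PATCH 01, `@@ -665,7` hunk) gives every caller a string that embeds the app secret, because the body returns `$this->appId.'|'.$this->appSecret`, and the docblock does not warn about that. The docblock should say the value is a server-side credential, for example `* NOTE: the returned token contains the app secret; never log it or send it to a browser or other client.` If application-level calls are the only need, a narrower public helper that makes the call itself would keep the secret inside the class; that is a design suggestion, not something the hunk shows a need for.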
@@ -270,7 +270,7 @@ public function setAppSecret($appSecret) { * Get the App Secret. * * @return string the App Secret - * @deprecated + * @deprecated Use getAppSecret instead. */ public function getApiSecret() { return $this->getAppSecret(); @@ -306,11 +306,10 @@ public function getFileUploadSupport() { } /** - * DEPRECATED! Please use getFileUploadSupport instead. - * * Get the file upload support status. * * @return boolean true if and only if the server supports file upload. + * @deprecated Use getFileUploadSupport instead. */ public function useFileUploadSupport() { return $this->getFileUploadSupport(); From 716657efef9ed6c944bde7b35946ad510ae571b3 Mon Sep 17 00:00:00 2001 From: Doru Moisa Date: Fri, 17 Aug 2012 00:19:45 +0300 Subject: [PATCH 03/52] added proxy support; fixed multiple chained proxies present in HTTP_X_FORWARDED_HOST which cause getHttpHost() to break api calls --- src/base_facebook.php | 81 +++++++++++++++++++++++++++++++++++++++---- 1 file changed, 75 insertions(+), 6 deletions(-) diff --git a/src/base_facebook.php b/src/base_facebook.php index ac48a468..cf9e63cb 100644 --- a/src/base_facebook.php +++ b/src/base_facebook.php @@ -212,6 +212,13 @@ abstract class BaseFacebook */ protected $trustForwarded = false; + /** + * The proxy used for making requests. + * + * @var string + */ + protected $proxy = null; + /** * Initialize a Facebook Application. * @@ -219,6 +226,7 @@ abstract class BaseFacebook * - appId: the application ID * - secret: the application secret * - fileUpload: (optional) boolean indicating if file uploads are enabled + * - proxy: (optional) http proxy (ex: http://my.proxy.host:8080) * * @param array $config The application configuration */ 
@@ -231,6 +239,9 @@ public function __construct($config) { if (isset($config['trustForwarded']) && $config['trustForwarded']) { $this->trustForwarded = true; } + if (isset($config['proxy']) && $config['proxy']) { + $this->setProxy($config['proxy']); + } $state = $this->getPersistentData('state'); if (!empty($state)) { $this->state = $state; @@ -319,6 +330,47 @@ public function getFileUploadSupport() { return $this->fileUploadSupport; } + /** + * Sets the proxy to be used when doing http requests to the rmote servers + * + * @param string $proxyUrl The procy URL string, including scheme, username, + * password or port + * @return BaseFacebook + */ + public function setProxy($proxyUrl) { + if(!preg_match('#^(http|socks)://#', $proxyUrl)) { + $proxyUrl = 'http://'.$proxyUrl; + } + $parts = parse_url(http://github.com/$proxyUrl); + $this->proxy = array( + 'host' => $parts['host'], + 'port' => isset($parts['port']) ? $parts['port'] : 80, + 'user' => isset($parts['user']) ? $parts['user'] : NULL, + 'pass' => isset($parts['pass']) ? $parts['pass'] : NULL, + 'type' => (isset($parts['scheme']) && $parts['scheme'] == 'socks') ? + CURLPROXY_SOCKS5 : CURLPROXY_HTTP, + ); + return $this; + } + + public function getProxy() { + if(!$this->proxy) { + return null; + } + $scheme = $this->proxy['type'] == CURLPROXY_SOCKS5 ? 'socks://' : 'http://'; + $userpw = ''; + if($this->proxy['user']) { + $userpw = $this->proxy['user']; + if($this->proxy['pass']) { + $userpw .= ':'.$this->proxy['pass']; + } + $userpw .= '@'; + } + $host = $this->proxy['host']; + $port = $this->proxy['port'] != 80 ? '' : (':'.$this->proxy['port']); + return $scheme.$userpw.$host.$port; + } + /** * DEPRECATED! Please use getFileUploadSupport instead. * 
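Review bot: `getProxy()` in the `@@ -319,6` hunk (PATCH 03) has its port test inverted: `$this->proxy['port'] != 80 ? '' : (':'.$this->proxy['port'])` drops every non-default port and appends `:80` only when it is redundant, so it should read `$this->proxy['port'] == 80 ? '' : (':'.$this->proxy['port'])`. `setProxy()` also indexes `$parts['host']` without checking the `parse_url` result, which is `false` for a malformed URL and can lack a `host` key, so a guard such as `if ($parts === false || empty($parts['host'])) { throw new InvalidArgumentException('Invalid proxy URL'); }` belongs before the array is built. `getProxy()` has no docblock; one should note that the returned URL includes the proxy username and password and so should not be logged. The `parse_url(...)` argument as printed on this page looks mangled by extraction; this note assumes the real argument is `$proxyUrl`.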
@@ -367,20 +419,20 @@ public function setExtendedAccessToken() { // In any event, we don't have an access token, so say so. return false; } - + if (empty($access_token_response)) { return false; } - + $response_params = array(); parse_str($access_token_response, $response_params); - + if (!isset($response_params['access_token'])) { return false; } - + $this->destroySession(); - + $this->setPersistentData( 'access_token', $response_params['access_token'] ); @@ -933,6 +985,22 @@ protected function makeRequest($url, $params, $ch=null) { $opts[CURLOPT_HTTPHEADER] = array('Expect:'); } + // set proxy, if needed + if($this->proxy) { + $opts[CURLOPT_HTTPPROXYTUNNEL] = true; + $opts[CURLOPT_PROXY] = $this->proxy['host']; + if($this->proxy['user']) { + $userpwd = $this->proxy['user']; + if($this->proxy['pass']) { + $userpwd .= ':'.$this->proxy['pass']; + } + $opts[CURLOPT_PROXYUSERPWD] = $userpwd; + $opts[CURLOPT_PROXYAUTH] = CURLAUTH_BASIC | CURLAUTH_NTLM; + } + $opts[CURLOPT_PROXYPORT] = $this->proxy['port']; + $opts[CURLOPT_PROXYTYPE] = $this->proxy['type']; + } + curl_setopt_array($ch, $opts); $result = curl_exec($ch); @@ -1131,7 +1199,8 @@ protected function getUrl($name, $path='', $params=array()) { protected function getHttpHost() { if ($this->trustForwarded && isset($_SERVER['HTTP_X_FORWARDED_HOST'])) { - return $_SERVER['HTTP_X_FORWARDED_HOST']; + $hostsStack = explode(', ', $_SERVER['HTTP_X_FORWARDED_HOST']); + return trim(array_pop($hostsStack)); } return $_SERVER['HTTP_HOST']; } From 1d083d88d9bfe13fcb881711e6af6083cd11c370 Mon Sep 17 00:00:00 2001 From: Doru Moisa Date: Wed, 19 Sep 2012 15:33:57 +0300 Subject: [PATCH 04/52] fixed typos --- src/base_facebook.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/base_facebook.php b/src/base_facebook.php index cf9e63cb..1253bc73 100644 --- a/src/base_facebook.php +++ b/src/base_facebook.php 
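Review bot: The proxy block added to `makeRequest()` (`@@ -933,6` hunk) always offers `CURLAUTH_BASIC`, which sends the proxy username and password base64-encoded but unencrypted on the hop to an `http://` proxy, and neither the code nor the `proxy` config documentation says so. A comment above the `CURLOPT_PROXYAUTH` line such as `// Basic proxy auth travels in the clear to the proxy; use only on a trusted network segment` would make the trade-off visible. `CURLOPT_HTTPPROXYTUNNEL` is also set when the type is `CURLPROXY_SOCKS5`, where it looks unnecessary; worth confirming. The function body continues outside the hunk.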
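Review bot: `getHttpHost()` (`@@ -1131,7` hunk) returns a value taken from the client-influenced `X-Forwarded-Host` header without checking that it is a host the application actually serves, and that value presumably feeds the URLs the SDK builds (the callers are outside the hunk). Splitting on the literal `', '` leaves a combined value intact when a proxy omits the space; `$hostsStack = array_map('trim', explode(',', $_SERVER['HTTP_X_FORWARDED_HOST']));` is more tolerant. `array_pop` picks the last entry, whereas the later PATCH 24 hunk (`@@ -1156,7`) picks the first with `strtok`, so the two versions disagree on which hop is authoritative. With `trustForwarded` enabled, the chosen host should be compared against a configured list of expected hostnames before use, falling back to `$_SERVER['HTTP_HOST']` otherwise; the same applies to the PATCH 24 version.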
@@ -331,9 +331,9 @@ public function getFileUploadSupport() { } /** - * Sets the proxy to be used when doing http requests to the rmote servers + * Sets the proxy to be used when doing http requests to the remote servers * - * @param string $proxyUrl The procy URL string, including scheme, username, + * @param string $proxyUrl The proxy URL string, including scheme, username, * password or port * @return BaseFacebook */ From ecca054c40d0442738bb07d74acf0d7c88199c11 Mon Sep 17 00:00:00 2001 From: dosercz Date: Fri, 30 Nov 2012 01:44:03 +0100 Subject: [PATCH 05/52] fix curl ssl cacert invalid file --- src/base_facebook.php | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/base_facebook.php b/src/base_facebook.php index b5ac87be..993b678e 100644 --- a/src/base_facebook.php +++ b/src/base_facebook.php @@ -935,8 +935,10 @@ protected function makeRequest($url, $params, $ch=null) { curl_setopt_array($ch, $opts); $result = curl_exec($ch); - - if (curl_errno($ch) == 60) { // CURLE_SSL_CACERT + + $errno = curl_errno($ch); + // CURLE_SSL_CACERT || CURLE_SSL_CACERT_BADFILE + if ($errno == 60 || $errno == 77) { self::errorLog('Invalid or no certificate authority found, '. 'using bundled information'); curl_setopt($ch, CURLOPT_CAINFO, From 2a5a03fbe2bc4fd4f20cd262a10cde25de985dbe Mon Sep 17 00:00:00 2001 
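Review bot: The retry in `makeRequest()` (PATCH 05, `@@ -935,8` hunk) identifies the two conditions by the bare numbers `60` and `77` with loose `==` and never records which one occurred, although an unreadable CA file (77) is a deployment fault while 60 can also mean the peer certificate genuinely failed verification. Putting the code in the log line, e.g. `self::errorLog('CA verification failed (curl errno '.$errno.'), retrying with bundled CA file');`, would let operators tell the cases apart. A short comment saying that the retry only swaps the trust store and leaves peer verification on would also help, assuming `CURLOPT_SSL_VERIFYPEER` is not changed elsewhere in the function, which the hunk does not show.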
From: John Goodwin Date: Mon, 28 Jan 2013 15:29:35 -0500 Subject: [PATCH 06/52] Fix bug in CSRF state persistence when using shared sessions. BaseFacebook loads the stored state in its constructor. However, at that point, the shared session ID has not yet been initialized, so getPersistentData() will return data from the non-shared-session cookie. Since initSharedSession() depends upon state initialized in BaseFacebook::__construct, just re-initialized the stored state in the shared session situation. Added appropriate tests to check CSRF state persistence with and without shared sessions. --- src/facebook.php | 10 ++++++++++ tests/tests.php | 43 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 53 insertions(+) diff --git a/src/facebook.php b/src/facebook.php index a2238ef6..3a991561 100644 --- a/src/facebook.php +++ b/src/facebook.php @@ -51,6 +51,16 @@ public function __construct($config) { parent::__construct($config); if (!empty($config['sharedSession'])) { $this->initSharedSession(); + + // re-load the persisted state, since parent + // attempted to read out of non-shared cookie + $state = $this->getPersistentData('state'); + if (!empty($state)) { + $this->state = $state; + } else { + $this->state = null; + } + } } diff --git a/tests/tests.php b/tests/tests.php index d261cce1..ac4892b4 100644 --- a/tests/tests.php +++ b/tests/tests.php 
@@ -325,6 +325,45 @@ public function testGetCodeWithMissingCSRFState() { 'Expect getCode to fail, CSRF state not sent back.'); } + public function testPersistentCSRFState() + { + $facebook = new FBCode(array( + 'appId' => self::APP_ID, + 'secret' => self::SECRET, + )); + $facebook->setCSRFStateToken(); + $code = $facebook->getCSRFStateToken(); + + $facebook = new FBCode(array( + 'appId' => self::APP_ID, + 'secret' => self::SECRET, + )); + + $this->assertEquals($code, $facebook->publicGetState(), + 'Persisted CSRF state token not loaded correctly'); + } + + public function testPersistentCSRFStateWithSharedSession() + { + $_SERVER['HTTP_HOST'] = 'fbrell.com'; + $facebook = new FBCode(array( + 'appId' => self::APP_ID, + 'secret' => self::SECRET, + 'sharedSession' => true, + )); + $facebook->setCSRFStateToken(); + $code = $facebook->getCSRFStateToken(); + + $facebook = new FBCode(array( + 'appId' => self::APP_ID, + 'secret' => self::SECRET, + 'sharedSession' => true, + )); + + $this->assertEquals($code, $facebook->publicGetState(), + 'Persisted CSRF state token not loaded correctly with shared session'); + } + public function testGetUserFromSignedRequest() { $facebook = new TransientFacebook(array( 'appId' => self::APP_ID, @@ -1959,6 +1998,10 @@ public function publicGetCode() { return $this->getCode(); } + public function publicGetState() { + return $this->state; + } + public function setCSRFStateToken() { $this->establishCSRFTokenState(); } From f6079f17b8a2b91510b39db57c15c5cb2e5a4844 Mon Sep 17 00:00:00 2001 From: Gary Rafferty Date: Tue, 5 Feb 2013 10:29:39 +0000 Subject: [PATCH 07/52] Add phpunit as a composer dependency, and ignore vendored files --- .gitignore | 3 +++ composer.json | 3 ++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 7053dc17..9ac749b0 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,4 @@ /coverage/ +vendor/ +composer.lock +composer.phar 
diff --git a/composer.json b/composer.json index 6ec7c917..b85f7559 100644 --- a/composer.json +++ b/composer.json @@ -14,7 +14,8 @@ "require": { "php": ">=5.2.0", "ext-curl": "*", - "ext-json": "*" + "ext-json": "*", + "phpunit/phpunit": "3.7.*" }, "autoload": { "classmap": ["src"] From 73278f798b62a397ac3cba12d2ceea9626229892 Mon Sep 17 00:00:00 2001 From: Hoke Date: Mon, 11 Feb 2013 11:11:46 -0800 Subject: [PATCH 08/52] Ensure signature comparison always takes the same amount of time to avoid Remote Timing Attacks. --- src/base_facebook.php | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/src/base_facebook.php b/src/base_facebook.php index 2ea0fb43..a2f4012d 100644 --- a/src/base_facebook.php +++ b/src/base_facebook.php @@ -1010,12 +1010,23 @@ protected function parseSignedRequest($signed_request) { // check sig $expected_sig = hash_hmac('sha256', $payload, $this->getAppSecret(), $raw = true); - if ($sig !== $expected_sig) { + + if (strlen($expected_sig) !== strlen($sig)) { self::errorLog('Bad Signed JSON signature!'); return null; } - return $data; + $result = 0; + for ($i = 0; $i < strlen($expected_sig); $i++) { + $result |= ord($expected_sig[$i]) ^ ord($sig[$i]); + } + + if($result == 0) { + return $data; + } else { + self::errorLog('Bad Signed JSON signature!'); + return null; + } } /** From bf594364c979abf929f9f9973feb79a7ee9065d6 Mon Sep 17 00:00:00 2001 From: Gary Rafferty Date: Tue, 2 Apr 2013 18:24:54 +0100 Subject: [PATCH 09/52] Only require phpunit in development environment --- composer.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/composer.json b/composer.json index b85f7559..38cba016 100644 --- a/composer.json +++ b/composer.json @@ -14,7 +14,9 @@ "require": { "php": ">=5.2.0", "ext-curl": "*", - "ext-json": "*", + "ext-json": "*" + }, + "require-dev": { "phpunit/phpunit": "3.7.*" }, "autoload": { From 0b0d711498fb4a283ce84802c34e49a491134a1f Mon Sep 17 00:00:00 2001 
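Review bot: The hand-rolled constant-time comparison in `parseSignedRequest()` (PATCH 08, `@@ -1010,12` hunk) runs even on runtimes that provide `hash_equals()`, and it duplicates the 'Bad Signed JSON signature!' failure path. The composer.json on this page allows PHP >= 5.2.0, so the loop has to stay as a fallback, but preferring the built-in when `function_exists('hash_equals')` lowers the risk of a later edit turning the loop into an early exit. Moving the comparison into one private helper leaves a single log-and-return-null branch, as sketched below. The function starts outside the hunk.

```php
    // … unchanged: $expected_sig = hash_hmac('sha256', $payload, …) …
    if (!self::constantTimeEquals($expected_sig, $sig)) {
      self::errorLog('Bad Signed JSON signature!');
      return null;
    }

    return $data;
  }

  /**
   * Compares two byte strings without stopping at the first difference.
   *
   * @param string $known The value computed locally
   * @param string $given The value received with the request
   * @return boolean true only when both are strings with identical bytes
   */
  private static function constantTimeEquals($known, $given) {
    if (!is_string($known) || !is_string($given)) {
      return false;
    }
    if (function_exists('hash_equals')) {
      return hash_equals($known, $given);
    }
    $length = strlen($known);
    if ($length !== strlen($given)) {
      return false;
    }
    $diff = 0;
    for ($i = 0; $i < $length; $i++) {
      $diff |= ord($known[$i]) ^ ord($given[$i]);
    }
    return $diff === 0;
  }
```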
From: AnanthaKancherla Date: Thu, 11 Apr 2013 11:38:16 -0700 Subject: [PATCH 10/52] Added the extra param: appsecret_proof to the oauth api calls --- src/base_facebook.php | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/src/base_facebook.php b/src/base_facebook.php index 2ea0fb43..995c5d50 100644 --- a/src/base_facebook.php +++ b/src/base_facebook.php @@ -899,6 +899,10 @@ protected function _oauthRequest($url, $params) { $params['access_token'] = $this->getAccessToken(); } + if (isset($params['access_token'])) { + $params['appsecret_proof'] = $this->getAppSecretProof($params['access_token']); + } + // json_encode all params values that are not strings foreach ($params as $key => $value) { if (!is_string($value)) { @@ -909,6 +913,19 @@ protected function _oauthRequest($url, $params) { return $this->makeRequest($url, $params); } + /** + * Generate a proof of App Secret + * This is required for all API calls originating from a server + * It is a sha256 hash of the access_token made using the app secret + * + * @param string $access_token The access_token to be hashed (required) + * + * @return string The sha256 hash of the access_token + */ + protected function getAppSecretProof($access_token) { + return hash_hmac('sha256', $access_token, $this->getAppSecret()); + } + /** * Makes an HTTP request. This method can be overridden by subclasses if * developers want to do fancier things or use something other than curl to From e4ee2b572dd3af82b241a30c05134587e6f24d56 Mon Sep 17 00:00:00 2001 From: Steve Woodson Date: Tue, 30 Apr 2013 12:24:49 -0500 Subject: [PATCH 11/52] Removed duplicate multiline comment start --- src/base_facebook.php | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/base_facebook.php b/src/base_facebook.php index 2ea0fb43..8137ca9f 100644 --- a/src/base_facebook.php +++ b/src/base_facebook.php 
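Review bot: The docblock added for `getAppSecretProof()` (PATCH 10, `@@ -909,6` hunk) calls the value "a sha256 hash of the access_token", but the body computes `hash_hmac('sha256', $access_token, $this->getAppSecret())`, a keyed HMAC, and the difference matters to anyone re-implementing or verifying the proof. Suggested wording: `* It is the hex-encoded HMAC-SHA256 of the access_token, keyed with the app secret` and `* @return string The HMAC-SHA256 proof for the access_token`.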
@@ -1180,8 +1180,6 @@ protected function getBaseDomain() { return $this->getHttpHost(); } - /** - /** * Returns the Current URL, stripping it of known FB parameters that should * not persist. From 49c322b719f77db35658ddebafda9d55abfbc489 Mon Sep 17 00:00:00 2001 From: alixandru Date: Thu, 23 May 2013 10:18:38 +0300 Subject: [PATCH 12/52] Use OS-specific directory separator instead of hard-coded forward slash Fix issue with cURL on Windows machines when the local CA cert file is used. For some reason cURL refuses to use the CA cert bundle if forward-slashes are present in its path name. --- src/base_facebook.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/base_facebook.php b/src/base_facebook.php index 995c5d50..fad13769 100644 --- a/src/base_facebook.php +++ b/src/base_facebook.php @@ -967,7 +967,7 @@ protected function makeRequest($url, $params, $ch=null) { self::errorLog('Invalid or no certificate authority found, '. 'using bundled information'); curl_setopt($ch, CURLOPT_CAINFO, - dirname(__FILE__) . '/fb_ca_chain_bundle.crt'); + dirname(__FILE__) . DIRECTORY_SEPARATOR . 'fb_ca_chain_bundle.crt'); $result = curl_exec($ch); } From 0e795a411ef7d2ce96cdafba7262f490770d0ad2 Mon Sep 17 00:00:00 2001 From: liuggio Date: Wed, 10 Jul 2013 15:27:52 +0200 Subject: [PATCH 13/52] added relative link to the example --- readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/readme.md b/readme.md index ebbe667e..0250474e 100644 --- a/readme.md +++ b/readme.md @@ -45,7 +45,7 @@ Login or logout url will be needed depending on current user state. $loginUrl = $facebook->getLoginUrl(); } -[examples]: http://github.com/facebook/facebook-php-sdk/blob/master/examples/example.php +[examples]: /examples/example.php [API]: http://developers.facebook.com/docs/api From 2c445494af75de46ecf8c3aafdafefd8af28fb0e Mon Sep 17 00:00:00 2001 
From: liuggio Date: Wed, 10 Jul 2013 15:29:30 +0200 Subject: [PATCH 14/52] added color to the snippets --- readme.md | 52 +++++++++++++++++++++++++++------------------------- 1 file changed, 27 insertions(+), 25 deletions(-) diff --git a/readme.md b/readme.md index 0250474e..c97948dc 100644 --- a/readme.md +++ b/readme.md @@ -14,40 +14,42 @@ Usage The [examples][examples] are a good place to start. The minimal you'll need to have is: +```php +require 'facebook-php-sdk/src/facebook.php'; - require 'facebook-php-sdk/src/facebook.php'; +$facebook = new Facebook(array( + 'appId' => 'YOUR_APP_ID', + 'secret' => 'YOUR_APP_SECRET', +)); - $facebook = new Facebook(array( - 'appId' => 'YOUR_APP_ID', - 'secret' => 'YOUR_APP_SECRET', - )); - - // Get User ID - $user = $facebook->getUser(); +// Get User ID +$user = $facebook->getUser(); +``` To make [API][API] calls: - - if ($user) { - try { - // Proceed knowing you have a logged in user who's authenticated. - $user_profile = $facebook->api('/me'); - } catch (FacebookApiException $e) { - error_log($e); - $user = null; - } - } +```php +if ($user) { + try { + // Proceed knowing you have a logged in user who's authenticated. + $user_profile = $facebook->api('/me'); + } catch (FacebookApiException $e) { + error_log($e); + $user = null; + } +} +``` Login or logout url will be needed depending on current user state. - - if ($user) { - $logoutUrl = $facebook->getLogoutUrl(); - } else { - $loginUrl = $facebook->getLoginUrl(); - } +```php +if ($user) { + $logoutUrl = $facebook->getLogoutUrl(); +} else { + $loginUrl = $facebook->getLoginUrl(); +} [examples]: /examples/example.php [API]: http://developers.facebook.com/docs/api - +``` Tests ----- From db98cc5c1a62de90d3133ce5c5b1e0a1bc7eae08 Mon Sep 17 00:00:00 2001 From: liuggio Date: Wed, 10 Jul 2013 15:32:32 +0200 Subject: [PATCH 15/52] added composer usage example --- readme.md | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) 
diff --git a/readme.md b/readme.md index c97948dc..6b609be7 100644 --- a/readme.md +++ b/readme.md @@ -46,10 +46,30 @@ if ($user) { } else { $loginUrl = $facebook->getLoginUrl(); } +``` + +With Composer: + +- Add the `"facebook/php-sdk": "@stable"` into the `require` section of your `composer.json`. +- Run `composer install`. +- The example will look like + +```php +if (($loader = require_once __DIR__ . '/vendor/autoload.php') == null) { + die('Vendor directory not found, Please run composer install.'); +} + +$facebook = new Facebook(array( + 'appId' => 'YOUR_APP_ID', + 'secret' => 'YOUR_APP_SECRET', +)); + +// Get User ID +$user = $facebook->getUser(); +``` [examples]: /examples/example.php [API]: http://developers.facebook.com/docs/api -``` Tests ----- From 9d48501b5b9b215a61a8700cd5ccb2ef73d0c919 Mon Sep 17 00:00:00 2001 From: Matt Garmur Date: Fri, 30 Aug 2013 13:10:48 -0700 Subject: [PATCH 16/52] If appsecret_proof param is sent in code, do not override in sdk --- src/base_facebook.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/base_facebook.php b/src/base_facebook.php index 995c5d50..360877d2 100644 --- a/src/base_facebook.php +++ b/src/base_facebook.php @@ -899,7 +899,7 @@ protected function _oauthRequest($url, $params) { $params['access_token'] = $this->getAccessToken(); } - if (isset($params['access_token'])) { + if (isset($params['access_token']) && !isset($params['appsecret_proof'])) { $params['appsecret_proof'] = $this->getAppSecretProof($params['access_token']); } From 88ffc930171edcfaf8ae4ec842402e5db6d60a7e Mon Sep 17 00:00:00 2001 
From: Sean Kinsey Date: Tue, 27 Aug 2013 09:45:45 -0700 Subject: [PATCH 17/52] Make getLoginStatusUrl use /dialog/oauth To make this a drop in replacement for the old endpoint, we also need support from the /dialog/oauth endpoint. Specifically, the current endpoint, when using display=none, always return the response as part of the fragment, while the PHP SDK needs the signed_request as a query string argument. --- examples/example.php | 5 +++++ src/base_facebook.php | 30 ++++++++++++------------------ 2 files changed, 17 insertions(+), 18 deletions(-) diff --git a/examples/example.php b/examples/example.php index cd0b378c..4c22fa96 100644 --- a/examples/example.php +++ b/examples/example.php @@ -46,6 +46,7 @@ if ($user) { $logoutUrl = $facebook->getLogoutUrl(); } else { + $statusUrl = $facebook->getLoginStatusUrl(); $loginUrl = $facebook->getLoginUrl(); } @@ -76,6 +77,10 @@ Logout +
+ Check the login status using OAuth 2.0 handled by the PHP SDK: + Check the login status +
Login using OAuth 2.0 handled by the PHP SDK: Login with Facebook diff --git a/src/base_facebook.php b/src/base_facebook.php index 995c5d50..0415ce25 100644 --- a/src/base_facebook.php +++ b/src/base_facebook.php @@ -589,11 +589,15 @@ public function getLoginUrl($params=array()) { return $this->getUrl( 'www', 'dialog/oauth', - array_merge(array( - 'client_id' => $this->getAppId(), - 'redirect_uri' => $currentUrl, // possibly overwritten - 'state' => $this->state), - $params)); + array_merge( + array( + 'client_id' => $this->getAppId(), + 'redirect_uri' => $currentUrl, // possibly overwritten + 'state' => $this->state, + 'sdk' => 'php-sdk-'.self::VERSION + ), + $params + )); } /** @@ -619,24 +623,14 @@ public function getLogoutUrl($params=array()) { /** * Get a login status URL to fetch the status from Facebook. * - * The parameters: - * - ok_session: the URL to go to if a session is found - * - no_session: the URL to go to if the user is not connected - * - no_user: the URL to go to if the user is not signed into facebook - * * @param array $params Provide custom parameters * @return string The URL for the logout flow */ public function getLoginStatusUrl($params=array()) { - return $this->getUrl( - 'www', - 'extern/login_status.php', + return $this->getLoginUrl( array_merge(array( - 'api_key' => $this->getAppId(), - 'no_session' => $this->getCurrentUrl(), - 'no_user' => $this->getCurrentUrl(), - 'ok_session' => $this->getCurrentUrl(), - 'session_version' => 3, + 'response_type' => 'code', + 'display' => 'none', ), $params) ); } From 98984b7f4e3b696e1226f4251d02300abb17a0a7 Mon Sep 17 00:00:00 2001 From: Fosco Marotto Date: Tue, 15 Oct 2013 09:16:28 -0700 Subject: [PATCH 18/52] Check isset before unset --- src/facebook.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/facebook.php b/src/facebook.php index a2238ef6..3d389b7c 100644 --- a/src/facebook.php +++ b/src/facebook.php 
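Review bot: The docblock kept above `getLoginStatusUrl()` (PATCH 17, `@@ -619,24` hunk) still ends with `@return string The URL for the logout flow`, and after this change it no longer describes any parameters even though the method now sets `response_type=code` and `display=none`. Suggested text: `* Builds a /dialog/oauth URL with response_type=code and display=none; entries in $params override these defaults.` and `* @return string The URL for the login status check`. Because `$params` is merged last, both here and in `getLoginUrl()`, a caller-supplied `state` or `redirect_uri` replaces the SDK's value; if `$params` can ever carry request data, that deserves a line in the docblock as well.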
@@ -127,7 +127,9 @@ protected function clearPersistentData($key) { } $session_var_name = $this->constructSessionVariableName($key); - unset($_SESSION[$session_var_name]); + if (isset($_SESSION[$session_var_name])) { + unset($_SESSION[$session_var_name]); + } } protected function clearAllPersistentData() { From 4a85a99158a934c60c0d8c8e4038fdc865dbf643 Mon Sep 17 00:00:00 2001 From: Fosco Marotto Date: Fri, 18 Oct 2013 22:45:39 -0700 Subject: [PATCH 19/52] Improved validation in parseSignedRequest. --- src/base_facebook.php | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/src/base_facebook.php b/src/base_facebook.php index 27ba964a..d21fcbe1 100644 --- a/src/base_facebook.php +++ b/src/base_facebook.php @@ -1007,13 +1007,21 @@ protected function makeRequest($url, $params, $ch=null) { * @return array The payload inside it or null if the sig is wrong */ protected function parseSignedRequest($signed_request) { + + if (!$signed_request || strpos($signed_request, '.') === false) { + self::errorLog('Signed request was invalid!'); + return null; + } + list($encoded_sig, $payload) = explode('.', $signed_request, 2); // decode the data $sig = self::base64UrlDecode($encoded_sig); $data = json_decode(self::base64UrlDecode($payload), true); - if (strtoupper($data['algorithm']) !== self::SIGNED_REQUEST_ALGORITHM) { + if (!isset($data['algorithm']) + || strtoupper($data['algorithm']) !== self::SIGNED_REQUEST_ALGORITHM + ) { self::errorLog( 'Unknown algorithm. Expected ' . self::SIGNED_REQUEST_ALGORITHM); return null; From 9c69b9cdf0bfd0ce74d4e92c661ecb8fb71197b8 Mon Sep 17 00:00:00 2001 From: Fosco Marotto Date: Fri, 18 Oct 2013 23:40:26 -0700 Subject: [PATCH 20/52] Added validation and test for non-int error_code defaulting to 0. --- src/base_facebook.php | 5 ++++- tests/tests.php | 5 +++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/src/base_facebook.php b/src/base_facebook.php index 27ba964a..62025041 100644 
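Review bot: The new guard in `parseSignedRequest()` (PATCH 19, `@@ -1007,13` hunk) calls `strpos()` on `$signed_request` without confirming it is a string, so a non-empty array value (PHP builds one from bracketed request parameters) would pass `!$signed_request` and reach `strpos()` with the wrong type; where the value comes from is outside the hunk. `if (!is_string($signed_request) || strpos($signed_request, '.') === false) {` covers both that and the empty-string case. The same concern applies to `strtoupper($data['algorithm'])`: adding `|| !is_string($data['algorithm'])` after the `isset` test keeps a non-string algorithm from reaching it. The function body continues outside the hunk.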
--- a/src/base_facebook.php +++ b/src/base_facebook.php @@ -42,7 +42,10 @@ class FacebookApiException extends Exception public function __construct($result) { $this->result = $result; - $code = isset($result['error_code']) ? $result['error_code'] : 0; + $code = 0; + if (isset($result['error_code']) && is_int($result['error_code'])) { + $code = $result['error_code']; + } if (isset($result['error_description'])) { // OAuth 2.0 Draft 10 style diff --git a/tests/tests.php b/tests/tests.php index ac4892b4..20ab4a07 100644 --- a/tests/tests.php +++ b/tests/tests.php @@ -1350,6 +1350,11 @@ public function testExceptionConstructorWithErrorCode() { $this->assertEquals($code, $e->getCode()); } + public function testExceptionConstructorWithInvalidErrorCode() { + $e = new FacebookApiException(array('error_code' => 'not an int')); + $this->assertEquals(0, $e->getCode()); + } + // this happens often despite the fact that it is useless public function testExceptionTypeFalse() { $e = new FacebookApiException(false); From 9619cf4baf9477886f453b4dc056f4a98c90465c Mon Sep 17 00:00:00 2001 From: Phil Sturgeon Date: Thu, 17 Oct 2013 07:00:43 -0400 Subject: [PATCH 21/52] Update .travis.yml --- .travis.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.travis.yml b/.travis.yml index 2790134e..9c49978d 100644 --- a/.travis.yml +++ b/.travis.yml @@ -2,4 +2,5 @@ language: php php: - 5.3 - 5.4 + - 5.5 script: phpunit --stderr --bootstrap tests/bootstrap.php tests/tests.php From 77cee5b09504b936a0a498916449dfce409a2fb1 Mon Sep 17 00:00:00 2001 
From: Phil Sturgeon Date: Thu, 29 Aug 2013 14:34:20 -0400 Subject: [PATCH 22/52] Don't convert CURLFile params to JSON PHP 5.5 will throw deprecation warnings if users are uploading files with the previously documented `'source' => '@/foo/bar.jpg',` syntax. The new approach is to use `'source' => new CurlFile('/foo/bar.jpg', 'image/jpeg'),`, which obviously avoids accidental uploads (or upload attempts) from user-provided content which starts with a `"@"` character. --- src/base_facebook.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/base_facebook.php b/src/base_facebook.php index 27ba964a..813b7af7 100644 --- a/src/base_facebook.php +++ b/src/base_facebook.php @@ -898,7 +898,7 @@ protected function _oauthRequest($url, $params) { // json_encode all params values that are not strings foreach ($params as $key => $value) { - if (!is_string($value)) { + if (!is_string($value) and !($value instanceof CURLFile)) { $params[$key] = json_encode($value); } } From d236be642e43ea5984c641e4a67cec8492bd22a3 Mon Sep 17 00:00:00 2001 From: Phil Sturgeon Date: Fri, 1 Nov 2013 10:41:32 -0400 Subject: [PATCH 23/52] and -> && --- src/base_facebook.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/base_facebook.php b/src/base_facebook.php index 813b7af7..a2a0cfd0 100644 --- a/src/base_facebook.php +++ b/src/base_facebook.php @@ -898,7 +898,7 @@ protected function _oauthRequest($url, $params) { // json_encode all params values that are not strings foreach ($params as $key => $value) { - if (!is_string($value) and !($value instanceof CURLFile)) { + if (!is_string($value) && !($value instanceof CURLFile)) { $params[$key] = json_encode($value); } } From 77343f3bae4ba0f45a36188b87e0d21cc416effd Mon Sep 17 00:00:00 2001 
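Review bot: Exempting `CURLFile` from JSON encoding in `_oauthRequest()` (PATCH 22, `@@ -898,7` hunk) does not by itself stop the legacy behaviour the description mentions: a string parameter beginning with `@` is still passed through unchanged, and on PHP 5.5 curl treats it as a file path unless `CURLOPT_SAFE_UPLOAD` is enabled. If `makeRequest()` (not in this hunk) does not already set that option, adding `if (defined('CURLOPT_SAFE_UPLOAD')) { $opts[CURLOPT_SAFE_UPLOAD] = true; }` there would close that path for callers who have moved to `CURLFile`, at the cost of breaking the old `'@/path'` syntax. A comment on the changed condition such as `// CURLFile objects must reach curl untouched so it can stream the file` would explain the exemption.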
From: Doru Moisa Date: Sat, 2 Nov 2013 00:52:38 +0200 Subject: [PATCH 24/52] Added support for multiple chained proxies that append a comma and their hostnames to the previous X-Forwarded-Host header. If we have Client <---> Fwd Proxy1 (first.proxy) <---> Fwd Proxy2 (second.proxy )<---> Application (third.server), then we will have these values for a script executed on third.server:: $_SERVER['HTTP_X_FORWARDED_HOST'] = 'first.proxy, second.proxy'; $_SERVER['HTTP_HOST'] = 'third.server'; If we use the raw value from $_SERVER['HTTP_X_FORWARDED_HOST'] for composing return URLs, we will generate invalid return URLs, in our case 'http://first.proxy, second.proxy/fb_oauth.php', and get a 'Oauth exception 191' or some other error message. If we properly process the X-Forwarded-Host value by taking the leftmost host, we will not get errors. --- src/base_facebook.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/base_facebook.php b/src/base_facebook.php index f6ed47a4..434f4959 100644 --- a/src/base_facebook.php +++ b/src/base_facebook.php @@ -1156,7 +1156,7 @@ protected function getUrl($name, $path='', $params=array()) { protected function getHttpHost() { if ($this->trustForwarded && isset($_SERVER['HTTP_X_FORWARDED_HOST'])) { - return $_SERVER['HTTP_X_FORWARDED_HOST']; + return strtok($_SERVER['HTTP_X_FORWARDED_HOST'], ','); } return $_SERVER['HTTP_HOST']; } From 2e8d65a97f2f1a341ef65b5b864f5ce513b1a00c Mon Sep 17 00:00:00 2001 From: Matthew Hokanson Date: Sat, 2 Nov 2013 11:20:06 -0700 Subject: [PATCH 25/52] Add space to if statement. --- src/base_facebook.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/base_facebook.php b/src/base_facebook.php index a2f4012d..7cb30ebd 100644 --- a/src/base_facebook.php +++ b/src/base_facebook.php 
@@ -1021,7 +1021,7 @@ protected function parseSignedRequest($signed_request) { $result |= ord($expected_sig[$i]) ^ ord($sig[$i]); } - if($result == 0) { + if ($result == 0) { return $data; } else { self::errorLog('Bad Signed JSON signature!'); From 3a7afe2d4645c259866f4aaff8b92aac79fa61bf Mon Sep 17 00:00:00 2001 From: Andrea Giuliano Date: Wed, 16 Oct 2013 11:13:12 +0200 Subject: [PATCH 26/52] Add http method and parameters description --- readme.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/readme.md b/readme.md index 6b609be7..f94f252c 100644 --- a/readme.md +++ b/readme.md @@ -39,6 +39,13 @@ if ($user) { } ``` +You can make api calls by choosing the `HTTP method` and setting optional `parameters`: +```php +$facebook->api('/me/feed/', 'post', array( + 'message' => 'I want to display this message on my wall' +)); +``` + Login or logout url will be needed depending on current user state. ```php if ($user) { From 9c3992b382daf6097c4fe08b28d07e422283640c Mon Sep 17 00:00:00 2001 From: Andrea Giuliano Date: Wed, 16 Oct 2013 11:13:42 +0200 Subject: [PATCH 27/52] add fql query description with api method --- readme.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/readme.md b/readme.md index f94f252c..12a9a6e1 100644 --- a/readme.md +++ b/readme.md @@ -46,6 +46,15 @@ $facebook->api('/me/feed/', 'post', array( )); ``` +To run an FQL query you have to pass directly the parameters in as an array, setting the `method` property to `fql.query`: + +```php +$facebook->api(array( + 'method' => 'fql.query', + 'query' => 'SELECT ...' +)); +``` + Login or logout url will be needed depending on current user state. ```php if ($user) { From a0a31b5a5e581ff525cf893885b2b11244db10ae Mon Sep 17 00:00:00 2001 From: Andrea Giuliano Date: Mon, 4 Nov 2013 11:19:44 +0100 Subject: [PATCH 28/52] Remove not recommended FQL --- readme.md | 8 -------- 1 file changed, 8 deletions(-) diff --git a/readme.md b/readme.md index 12a9a6e1..e9b58445 100644 --- a/readme.md 
+++ b/readme.md @@ -46,14 +46,6 @@ $facebook->api('/me/feed/', 'post', array( )); ``` -To run an FQL query you have to pass directly the parameters in as an array, setting the `method` property to `fql.query`: - -```php -$facebook->api(array( - 'method' => 'fql.query', - 'query' => 'SELECT ...' -)); -``` Login or logout url will be needed depending on current user state. ```php From b1c72d126d2e7b6595117d482e6230bb4ed58d0b Mon Sep 17 00:00:00 2001 From: Matt Garmur Date: Tue, 5 Nov 2013 10:54:55 -0800 Subject: [PATCH 29/52] Added test cases --- tests/tests.php | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/tests/tests.php b/tests/tests.php index d261cce1..82471df4 100644 --- a/tests/tests.php +++ b/tests/tests.php @@ -1305,6 +1305,31 @@ public function testMissingAccessTokenInCodeExchangeIsIgnored() { $this->assertFalse($stub->publicGetAccessTokenFromCode('c', '')); } + public function testAppsecretProofNoParams() { + $fb = new FBRecordMakeRequest(array( + 'appId' => self::APP_ID, + 'secret' => self::SECRET, + )); + $token = $fb->getAccessToken(); + $proof = $fb->publicGetAppSecretProof($token); + $params = array(); + $fb->api('/mattynoce', $params); + $requests = $fb->publicGetRequests(); + $this->assertEquals($proof, $requests[0]['params']['appsecret_proof']); + } + + public function testAppsecretProofWithParams() { + $fb = new FBRecordMakeRequest(array( + 'appId' => self::APP_ID, + 'secret' => self::SECRET, + )); + $proof = 'foo'; + $params = array('appsecret_proof' => $proof); + $fb->api('/mattynoce', $params); + $requests = $fb->publicGetRequests(); + $this->assertEquals($proof, $requests[0]['params']['appsecret_proof']); + } + public function testExceptionConstructorWithErrorCode() { $code = 404; $e = new FacebookApiException(array('error_code' => $code)); 
@@ -1891,6 +1916,10 @@ protected function makeRequest($url, $params, $ch=null) { public function publicGetRequests() { return $this->requests; } + + public function publicGetAppSecretProof($access_token) { + return $this->getAppSecretProof($access_token); + } } class FBPublic extends TransientFacebook { From d70830499eee351550c3d505b9bbfac4fc26a8ba Mon Sep 17 00:00:00 2001 From: Davies Liu Date: Wed, 13 Nov 2013 11:24:26 -0800 Subject: [PATCH 30/52] fix #111: shouldRetainParam() should handle 'code' shouldRetainParam function doesn't work as advertised in a comment, return false if given 'code', 'code=', or 'code=a' --- src/base_facebook.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/base_facebook.php b/src/base_facebook.php index d6a063fd..bb924741 100644 --- a/src/base_facebook.php +++ b/src/base_facebook.php @@ -1258,7 +1258,8 @@ protected function getCurrentUrl() { */ protected function shouldRetainParam($param) { foreach (self::$DROP_QUERY_PARAMS as $drop_query_param) { - if (strpos($param, $drop_query_param.'=') === 0) { + if ($param === $drop_query_param || + strpos($param, $drop_query_param.'=') === 0) { return false; } } From 34f51d97d505e08c83ff11d0257c1631b60918eb Mon Sep 17 00:00:00 2001 From: Doru Moisa Date: Fri, 15 Nov 2013 10:17:00 +0200 Subject: [PATCH 31/52] switched from strtok() to explode() --- src/base_facebook.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/base_facebook.php b/src/base_facebook.php index 434f4959..acc6224f 100644 --- a/src/base_facebook.php +++ b/src/base_facebook.php 
@@ -1156,7 +1156,9 @@ protected function getUrl($name, $path='', $params=array()) { protected function getHttpHost() { if ($this->trustForwarded && isset($_SERVER['HTTP_X_FORWARDED_HOST'])) { - return strtok($_SERVER['HTTP_X_FORWARDED_HOST'], ','); + $forwardProxies = explode(',', $_SERVER['HTTP_X_FORWARDED_HOST']); + $forwardProxies = array_filter($forwarders); + return current($forwardProxies); } return $_SERVER['HTTP_HOST']; } From 54928ba29d7aae26e7bca4fb652f08d99723fee5 Mon Sep 17 00:00:00 2001 From: Doru Moisa Date: Fri, 15 Nov 2013 10:53:22 +0200 Subject: [PATCH 32/52] fixed typo --- src/base_facebook.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/base_facebook.php b/src/base_facebook.php index acc6224f..cc7b4f21 100644 --- a/src/base_facebook.php +++ b/src/base_facebook.php @@ -1157,7 +1157,7 @@ protected function getUrl($name, $path='', $params=array()) { protected function getHttpHost() { if ($this->trustForwarded && isset($_SERVER['HTTP_X_FORWARDED_HOST'])) { $forwardProxies = explode(',', $_SERVER['HTTP_X_FORWARDED_HOST']); - $forwardProxies = array_filter($forwarders); + $forwardProxies = array_filter($forwardProxies); return current($forwardProxies); } return $_SERVER['HTTP_HOST']; From deca1bd0517f995ef9d5bb20ee2c29eafa8c6750 Mon Sep 17 00:00:00 2001 From: Fosco Marotto Date: Tue, 19 Nov 2013 15:10:45 -0800 Subject: [PATCH 33/52] Added .DS_Store and .idea to .gitignore --- .gitignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitignore b/.gitignore index 9ac749b0..c2a70fcc 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,5 @@ vendor/ composer.lock composer.phar +.DS_Store +.idea/ From 6714042fa2f5979d4c64c7d11fb4bcab16bdf6cb Mon Sep 17 00:00:00 2001 
From: Fosco Marotto Date: Tue, 19 Nov 2013 15:11:14 -0800 Subject: [PATCH 34/52] Added ability to disable the signed_request parameter for non-canvas apps. --- src/base_facebook.php | 21 ++++++++++++++++++--- tests/tests.php | 15 ++++++++++++++- 2 files changed, 32 insertions(+), 4 deletions(-) diff --git a/src/base_facebook.php b/src/base_facebook.php index bb924741..8cf25042 100644 --- a/src/base_facebook.php +++ b/src/base_facebook.php @@ -123,7 +123,7 @@ abstract class BaseFacebook /** * Version. */ - const VERSION = '3.2.2'; + const VERSION = '3.2.3'; /** * Signed Request Algorithm. @@ -215,6 +215,13 @@ abstract class BaseFacebook */ protected $trustForwarded = false; + /** + * Indicates if signed_request is allowed in query parameters. + * + * @var boolean + */ + protected $allowSignedRequest = true; + /** * Initialize a Facebook Application. * @@ -222,6 +229,9 @@ abstract class BaseFacebook * - appId: the application ID * - secret: the application secret * - fileUpload: (optional) boolean indicating if file uploads are enabled + * - allowSignedRequest: (optional) boolean indicating if signed_request is + * allowed in query parameters or POST body. Should be + * false for non-canvas apps. Defaults to true. * * @param array $config The application configuration */ @@ -234,6 +244,10 @@ public function __construct($config) { if (isset($config['trustForwarded']) && $config['trustForwarded']) { $this->trustForwarded = true; } + if (isset($config['allowSignedRequest']) + && !$config['allowSignedRequest']) { + $this->allowSignedRequest = false; + } $state = $this->getPersistentData('state'); if (!empty($state)) { $this->state = $state; 
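Review bot: `$allowSignedRequest` defaults to `true` in the property hunk (`@@ -215,6 +215,13 @@`), so an app that does not run on canvas keeps accepting `signed_request` from `$_REQUEST` until its configuration is changed. The two comments added here also disagree: the property comment mentions only query parameters, while the constructor docblock says query parameters or POST body. I would align them, e.g. `Indicates if signed_request is read from $_REQUEST (query string or POST body). Set to false for non-canvas apps.`, and state in the readme that the stricter setting is opt-in. The class body continues outside these hunks.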
@@ -490,9 +504,10 @@ protected function getUserAccessToken() { */ public function getSignedRequest() { if (!$this->signedRequest) { - if (!empty($_REQUEST['signed_request'])) { + if ($this->allowSignedRequest && !empty($_REQUEST['signed_request'])) { $this->signedRequest = $this->parseSignedRequest( - $_REQUEST['signed_request']); + $_REQUEST['signed_request'] + ); } else if (!empty($_COOKIE[$this->getSignedRequestCookieName()])) { $this->signedRequest = $this->parseSignedRequest( $_COOKIE[$this->getSignedRequestCookieName()]); diff --git a/tests/tests.php b/tests/tests.php index 20ab4a07..845885f7 100644 --- a/tests/tests.php +++ b/tests/tests.php @@ -375,7 +375,20 @@ public function testGetUserFromSignedRequest() { 'Failed to get user ID from a valid signed request.'); } - public function testSignedRequestRewrite(){ + public function testDisallowSignedRequest() { + $facebook = new TransientFacebook(array( + 'appId' => self::APP_ID, + 'secret' => self::SECRET, + 'allowSignedRequest' => false + )); + + $_REQUEST['signed_request'] = self::kValidSignedRequest(); + $this->assertEquals(0, $facebook->getUser(), + 'Should not have received valid user from signed_request.'); + } + + + public function testSignedRequestRewrite(){ $facebook = new FBRewrite(array( 'appId' => self::APP_ID, 'secret' => self::SECRET, From d0735d0f87445293cf836712ea6306ecd65e2ca3 Mon Sep 17 00:00:00 2001 From: Doru Moisa Date: Wed, 20 Nov 2013 10:21:27 +0200 Subject: [PATCH 35/52] removed stateful functions; allow for fallback when the forwardProxies array is empty (via gfosco) --- src/base_facebook.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/base_facebook.php b/src/base_facebook.php index e76958a1..bf676e18 100644 --- a/src/base_facebook.php +++ b/src/base_facebook.php 
@@ -1183,8 +1183,9 @@ protected function getUrl($name, $path='', $params=array()) { protected function getHttpHost() { if ($this->trustForwarded && isset($_SERVER['HTTP_X_FORWARDED_HOST'])) { $forwardProxies = explode(',', $_SERVER['HTTP_X_FORWARDED_HOST']); - $forwardProxies = array_filter($forwardProxies); - return current($forwardProxies); + if (!empty($forwardProxies)) { + return $forwardProxies[0]; + } } return $_SERVER['HTTP_HOST']; } From ab2798fa0772ebd1290d982a78f3fd8b1acc8778 Mon Sep 17 00:00:00 2001 From: Fosco Marotto Date: Wed, 20 Nov 2013 09:21:57 -0800 Subject: [PATCH 36/52] Updated version number in readme.md --- readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/readme.md b/readme.md index e9b58445..ecbfffe3 100644 --- a/readme.md +++ b/readme.md @@ -1,4 +1,4 @@ -Facebook PHP SDK (v.3.2.2) +Facebook PHP SDK (v.3.2.3) The [Facebook Platform](http://developers.facebook.com/) is a set of APIs that make your app more social. From 3660cb5170cf81e26a11f5b91c2fd74668c236da Mon Sep 17 00:00:00 2001 From: "Syed I.R" Date: Thu, 21 Nov 2013 04:05:06 +0530 Subject: [PATCH 37/52] Updated/Added/Fixed PHPDoc Blocks. - Fixed typo(s) - Fixed blocks having wrong format - Fixed comment blocks - Added missing types - Added missing doc blocks (with explaination) - Added missing @params - Added reference to other methods (Referenced using @see wherever required) - Formated doc blocks (grouping, line breaks, missing vars) - Removed additional space(s) --- src/base_facebook.php | 85 +++++++++++++++++++++++++++++++++++-------- src/facebook.php | 71 ++++++++++++++++++++++++++++++++---- 2 files changed, 133 insertions(+), 23 deletions(-) diff --git a/src/base_facebook.php b/src/base_facebook.php index 8cf25042..c94649a1 100644 --- a/src/base_facebook.php +++ b/src/base_facebook.php 
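Review bot: The `!empty($forwardProxies)` guard added in the PATCH 35 `getHttpHost()` hunk can never be false, because `explode()` returns at least one element even for an empty string, so the intended fallback to `HTTP_HOST` is never taken. With `array_filter()` removed, an empty or comma-leading header now yields `''` as the host, and the entry is not trimmed. Testing the first element instead restores the fallback: `$host = trim($forwardProxies[0]); if ($host !== '') { return $host; }`.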
@@ -31,6 +31,8 @@ class FacebookApiException extends Exception { /** * The result from the API server that represents the exception information. + * + * @var mixed */ protected $result; @@ -132,6 +134,8 @@ abstract class BaseFacebook /** * Default options for curl. + * + * @var array */ public static $CURL_OPTS = array( CURLOPT_CONNECTTIMEOUT => 10, @@ -143,6 +147,8 @@ abstract class BaseFacebook /** * List of query parameters that get automatically dropped when rebuilding * the current URL. + * + * @var array */ protected static $DROP_QUERY_PARAMS = array( 'code', @@ -152,6 +158,8 @@ abstract class BaseFacebook /** * Maps aliases to Facebook domains. + * + * @var array */ public static $DOMAIN_MAP = array( 'api' => 'https://api.facebook.com/', @@ -185,11 +193,15 @@ abstract class BaseFacebook /** * The data from the signed_request token. + * + * @var string */ protected $signedRequest; /** * A CSRF state variable to assist in the defense against CSRF attacks. + * + * @var string */ protected $state; @@ -258,6 +270,7 @@ public function __construct($config) { * Set the Application ID. * * @param string $appId The Application ID + * * @return BaseFacebook */ public function setAppId($appId) { @@ -278,8 +291,10 @@ public function getAppId() { * Set the App Secret. * * @param string $apiSecret The App Secret + * * @return BaseFacebook * @deprecated Use setAppSecret instead. + * @see setAppSecret() */ public function setApiSecret($apiSecret) { $this->setAppSecret($apiSecret); @@ -290,6 +305,7 @@ public function setApiSecret($apiSecret) { * Set the App Secret. * * @param string $appSecret The App Secret + * * @return BaseFacebook */ public function setAppSecret($appSecret) { @@ -301,7 +317,9 @@ public function setAppSecret($appSecret) { * Get the App Secret. * * @return string the App Secret + * * @deprecated Use getAppSecret instead. + * @see getAppSecret() */ public function getApiSecret() { return $this->getAppSecret(); 
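Review bot: The `@var string` added for `$signedRequest` (hunk `@@ -185,11 +193,15 @@`) does not match what the property holds. `getSignedRequest()` assigns it the result of `parseSignedRequest()`, whose docblock in this same patch reads `@return array The payload inside it or null if the sig is wrong`. `@var array|null` would be accurate, and the description could become `The parsed payload of a signed_request whose signature was validated, or null.` so that readers do not take the property for the raw token.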
@@ -320,6 +338,7 @@ public function getAppSecret() { * Set the file upload support status. * * @param boolean $fileUploadSupport The file upload support status. + * * @return BaseFacebook */ public function setFileUploadSupport($fileUploadSupport) { @@ -340,7 +359,9 @@ public function getFileUploadSupport() { * Get the file upload support status. * * @return boolean true if and only if the server supports file upload. + * * @deprecated Use getFileUploadSupport instead. + * @see getFileUploadSupport() */ public function useFileUploadSupport() { return $this->getFileUploadSupport(); @@ -352,6 +373,7 @@ public function useFileUploadSupport() { * to use it. * * @param string $access_token an access token. + * * @return BaseFacebook */ public function setAccessToken($access_token) { @@ -680,7 +702,7 @@ protected function getSignedRequestCookieName() { } /** - * Constructs and returns the name of the coookie that potentially contain + * Constructs and returns the name of the cookie that potentially contain * metadata. The cookie is not set by the BaseFacebook class, but it may be * set by the JavaScript SDK. * @@ -768,6 +790,7 @@ protected function establishCSRFTokenState() { * either logged in to Facebook or has granted an offline access permission. * * @param string $code An authorization code. + * @param string $redirect_uri Optional redirect URI. Default null * @return mixed An access token exchanged for the authorization code, or * false if an access token could not be generated. */ @@ -973,7 +996,7 @@ protected function makeRequest($url, $params, $ch=null) { curl_setopt_array($ch, $opts); $result = curl_exec($ch); - + $errno = curl_errno($ch); // CURLE_SSL_CACERT || CURLE_SSL_CACERT_BADFILE if ($errno == 60 || $errno == 77) { 
@@ -1022,6 +1045,7 @@ protected function makeRequest($url, $params, $ch=null) { * Parses a signed_request and validates the signature. * * @param string $signed_request A signed token + * * @return array The payload inside it or null if the sig is wrong */ protected function parseSignedRequest($signed_request) { @@ -1062,7 +1086,8 @@ protected function parseSignedRequest($signed_request) { /** * Makes a signed_request blob using the given data. * - * @param array The data array. + * @param array $data The data array. + * * @return string The signed request. */ protected function makeSignedRequest($data) { @@ -1082,7 +1107,8 @@ protected function makeSignedRequest($data) { /** * Build the URL for api given parameters. * - * @param $method String the method name. + * @param string $method The method name. + * * @return string The URL for the given parameters */ protected function getApiUrl($method) { @@ -1159,9 +1185,9 @@ protected function getApiUrl($method) { /** * Build the URL for given domain alias, path and parameters. * - * @param $name string The name of the domain - * @param $path string Optional path (without a leading slash) - * @param $params array Optional query parameters + * @param string $name The name of the domain + * @param string $path Optional path (without a leading slash) + * @param array $params Optional query parameters * * @return string The URL for the given parameters */ @@ -1180,6 +1206,11 @@ protected function getUrl($name, $path='', $params=array()) { return $url; } + /** + * Returns the HTTP Host + * + * @return string The HTTP Host + */ protected function getHttpHost() { if ($this->trustForwarded && isset($_SERVER['HTTP_X_FORWARDED_HOST'])) { return $_SERVER['HTTP_X_FORWARDED_HOST']; 
@@ -1187,6 +1218,11 @@ protected function getHttpHost() { return $_SERVER['HTTP_HOST']; } + /** + * Returns the HTTP Protocol + * + * @return string The HTTP Protocol + */ protected function getHttpProtocol() { if ($this->trustForwarded && isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) { if ($_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') { @@ -1208,7 +1244,9 @@ protected function getHttpProtocol() { } /** - * Get the base domain used for the cookie. + * Returns the base domain used for the cookie. + * + * @return string The base domain */ protected function getBaseDomain() { // The base domain is stored in the metadata cookie if not we fallback @@ -1267,7 +1305,7 @@ protected function getCurrentUrl() { * params that should be stripped out. * * @param string $param A key or key/value pair within a URL's query (e.g. - * 'foo=a', 'foo=', or 'foo'. + * 'foo=a', 'foo=', or 'foo'. * * @return boolean */ @@ -1287,7 +1325,7 @@ protected function shouldRetainParam($param) { * because the access token is no longer valid. If that is * the case, then we destroy the session. * - * @param $result array A record storing the error message returned + * @param array $result A record storing the error message returned * by a failed API call. */ protected function throwAPIException($result) { @@ -1336,8 +1374,8 @@ protected static function errorLog($msg) { * _ instead of / * No padded = * - * @param string $input base64UrlEncoded string - * @return string + * @param string $input base64UrlEncoded input + * @return string The decoded string */ protected static function base64UrlDecode($input) { return base64_decode(strtr($input, '-_', '+/')); 
@@ -1349,8 +1387,8 @@ protected static function base64UrlDecode($input) { * - instead of + * _ instead of / * - * @param string $input string - * @return string base64Url encoded string + * @param string $input The input to encode + * @return string The base64Url encoded input, as a string. */ protected static function base64UrlEncode($input) { $str = strtr(base64_encode($input), '+/', '-_'); @@ -1390,7 +1428,7 @@ public function destroySession() { /** * Parses the metadata cookie that our Javascript API set * - * @return an array mapping key to value + * @return array an array mapping key to value */ protected function getMetadataCookie() { $cookie_name = $this->getMetadataCookieName(); @@ -1418,6 +1456,14 @@ protected function getMetadataCookie() { return $metadata; } + /** + * Finds whether the given domain is allowed or not + * + * @param string $big The value to be checked against $small + * @param string $small The input string + * + * @return boolean Returns TRUE if $big matches $small + */ protected static function isAllowedDomain($big, $small) { if ($big === $small) { return true; @@ -1425,6 +1471,14 @@ protected static function isAllowedDomain($big, $small) { return self::endsWith($big, '.'.$small); } + /** + * Checks if $big string ends with $small string + * + * @param string $big The value to be checked against $small + * @param string $small The input string + * + * @return boolean TRUE if $big ends with $small + */ protected static function endsWith($big, $small) { $len = strlen($small); if ($len === 0) { @@ -1468,6 +1522,7 @@ abstract protected function getPersistentData($key, $default = false); * Clear the data with $key from the persistent storage * * @param string $key + * * @return void */ abstract protected function clearPersistentData($key); diff --git a/src/facebook.php b/src/facebook.php index 743906c8..51de333b 100644 --- a/src/facebook.php +++ b/src/facebook.php 
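Review bot: The docblock added for `isAllowedDomain()` (hunk `@@ -1418,6 +1456,14 @@`) says it returns TRUE if `$big` "matches" `$small`, which hides the rule the code applies: `$big === $small`, or `$big` ends with `'.'.$small`. Because this is a domain check, I would state it exactly, e.g. `@return boolean TRUE if $big equals $small or is a subdomain of it (ends with '.' . $small)`, with the parameters described as `$big The domain to test` and `$small The allowed base domain`. The prepended dot is what keeps a host that merely shares trailing characters with `$small` from passing, and a one-line comment on the `endsWith()` call would stop that from being simplified away later.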
@@ -23,13 +23,22 @@ */ class Facebook extends BaseFacebook { + /** + * Cookie prefix + */ const FBSS_COOKIE_NAME = 'fbss'; - // We can set this to a high number because the main session - // expiration will trump this. + /** + * We can set this to a high number because the main session + * expiration will trump this. + */ const FBSS_COOKIE_EXPIRE = 31556926; // 1 year - // Stores the shared session ID if one is set. + /** + * Stores the shared session ID if one is set. + * + * @var string + */ protected $sharedSessionID; /** @@ -38,11 +47,12 @@ class Facebook extends BaseFacebook * access token if during the course of execution * we discover them. * - * @param Array $config the application configuration. Additionally + * @param array $config the application configuration. Additionally * accepts "sharedSession" as a boolean to turn on a secondary * cookie for environments with a shared session (that is, your app * shares the domain with other apps). - * @see BaseFacebook::__construct in facebook.php + * + * @see BaseFacebook::__construct */ public function __construct($config) { if (!session_id()) { @@ -53,20 +63,28 @@ public function __construct($config) { $this->initSharedSession(); // re-load the persisted state, since parent - // attempted to read out of non-shared cookie + // attempted to read out of non-shared cookie $state = $this->getPersistentData('state'); if (!empty($state)) { $this->state = $state; } else { $this->state = null; } - + } } + /** + * Supported keys for persistent data + * + * @var array + */ protected static $kSupportedKeys = array('state', 'code', 'access_token', 'user_id'); + /** + * Initiates Shared Session + */ protected function initSharedSession() { $cookie_name = $this->getSharedSessionCookieName(); if (isset($_COOKIE[$cookie_name])) { 
@@ -105,10 +123,16 @@ protected function initSharedSession() { /** * Provides the implementations of the inherited abstract - * methods. The implementation uses PHP sessions to maintain + * methods. The implementation uses PHP sessions to maintain * a store for authorization codes, user ids, CSRF states, and * access tokens. */ + + /** + * {@inheritdoc} + * + * @see BaseFacebook::setPersistentData() + */ protected function setPersistentData($key, $value) { if (!in_array($key, self::$kSupportedKeys)) { self::errorLog('Unsupported key passed to setPersistentData.'); @@ -119,6 +143,11 @@ protected function setPersistentData($key, $value) { $_SESSION[$session_var_name] = $value; } + /** + * {@inheritdoc} + * + * @see BaseFacebook::getPersistentData() + */ protected function getPersistentData($key, $default = false) { if (!in_array($key, self::$kSupportedKeys)) { self::errorLog('Unsupported key passed to getPersistentData.'); @@ -130,6 +159,11 @@ protected function getPersistentData($key, $default = false) { $_SESSION[$session_var_name] : $default; } + /** + * {@inheritdoc} + * + * @see BaseFacebook::clearPersistentData() + */ protected function clearPersistentData($key) { if (!in_array($key, self::$kSupportedKeys)) { self::errorLog('Unsupported key passed to clearPersistentData.'); @@ -142,6 +176,11 @@ protected function clearPersistentData($key) { } } + /** + * {@inheritdoc} + * + * @see BaseFacebook::clearAllPersistentData() + */ protected function clearAllPersistentData() { foreach (self::$kSupportedKeys as $key) { $this->clearPersistentData($key); @@ -151,6 +190,9 @@ protected function clearAllPersistentData() { } } + /** + * Deletes Shared session cookie + */ protected function deleteSharedSessionCookie() { $cookie_name = $this->getSharedSessionCookieName(); unset($_COOKIE[$cookie_name]); 
@@ -158,10 +200,23 @@ protected function deleteSharedSessionCookie() { setcookie($cookie_name, '', 1, '/', '.'.$base_domain); } + /** + * Returns the Shared session cookie name + * + * @return string The Shared session cookie name + */ protected function getSharedSessionCookieName() { return self::FBSS_COOKIE_NAME . '_' . $this->getAppId(); } + /** + * Constructs and returns the name of the session key. + * + * @see setPersistentData() + * @param string $key The key for which the session variable name to construct. + * + * @return string The name of the session key. + */ protected function constructSessionVariableName($key) { $parts = array('fb', $this->getAppId(), $key); if ($this->sharedSessionID) { From dc3f9e706be3c41731f78769e3f2a79568d04ef7 Mon Sep 17 00:00:00 2001 From: "Syed I.R" Date: Fri, 22 Nov 2013 00:21:26 +0530 Subject: [PATCH 38/52] Aded line breaks and aligned comments Updated as per request. --- src/base_facebook.php | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/src/base_facebook.php b/src/base_facebook.php index c94649a1..93d6e6b8 100644 --- a/src/base_facebook.php +++ b/src/base_facebook.php @@ -791,6 +791,7 @@ protected function establishCSRFTokenState() { * * @param string $code An authorization code. * @param string $redirect_uri Optional redirect URI. Default null + * * @return mixed An access token exchanged for the authorization code, or * false if an access token could not be generated. */ @@ -1185,9 +1186,9 @@ protected function getApiUrl($method) { /** * Build the URL for given domain alias, path and parameters. * - * @param string $name The name of the domain - * @param string $path Optional path (without a leading slash) - * @param array $params Optional query parameters + * @param string $name The name of the domain + * @param string $path Optional path (without a leading slash) + * @param array $params Optional query parameters * * @return string The URL for the given parameters */ 
@@ -1375,6 +1376,7 @@ protected static function errorLog($msg) { * No padded = * * @param string $input base64UrlEncoded input + * * @return string The decoded string */ protected static function base64UrlDecode($input) { @@ -1459,7 +1461,7 @@ protected function getMetadataCookie() { /** * Finds whether the given domain is allowed or not * - * @param string $big The value to be checked against $small + * @param string $big The value to be checked against $small * @param string $small The input string * * @return boolean Returns TRUE if $big matches $small @@ -1474,7 +1476,7 @@ protected static function isAllowedDomain($big, $small) { /** * Checks if $big string ends with $small string * - * @param string $big The value to be checked against $small + * @param string $big The value to be checked against $small * @param string $small The input string * * @return boolean TRUE if $big ends with $small From 04cbf7fbf4a945ce8fec26d248eac463bdbb1233 Mon Sep 17 00:00:00 2001 From: ptarjan Date: Thu, 21 Nov 2013 19:31:53 -0800 Subject: [PATCH 39/52] use the same signedRequest in the test --- src/base_facebook.php | 2 +- tests/tests.php | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/src/base_facebook.php b/src/base_facebook.php index f6ed47a4..df496e34 100644 --- a/src/base_facebook.php +++ b/src/base_facebook.php @@ -958,7 +958,7 @@ protected function makeRequest($url, $params, $ch=null) { curl_setopt_array($ch, $opts); $result = curl_exec($ch); - + $errno = curl_errno($ch); // CURLE_SSL_CACERT || CURLE_SSL_CACERT_BADFILE if ($errno == 60 || $errno == 77) { diff --git a/tests/tests.php b/tests/tests.php index 20ab4a07..ca050741 100644 --- a/tests/tests.php +++ b/tests/tests.php 
@@ -829,10 +829,11 @@ public function testSignedToken() { 'appId' => self::APP_ID, 'secret' => self::SECRET )); - $payload = $facebook->publicParseSignedRequest(self::kValidSignedRequest()); + $sr = self::kValidSignedRequest(); + $payload = $facebook->publicParseSignedRequest($sr); $this->assertNotNull($payload, 'Expected token to parse'); $this->assertEquals($facebook->getSignedRequest(), null); - $_REQUEST['signed_request'] = self::kValidSignedRequest(); + $_REQUEST['signed_request'] = $sr; $this->assertEquals($facebook->getSignedRequest(), $payload); } From f14afbf0ab5a4080c2966b090b172b8197d308c3 Mon Sep 17 00:00:00 2001 From: Dimitrios Kanellopoulos Date: Sun, 24 Nov 2013 15:49:25 +0100 Subject: [PATCH 40/52] Don't check against CSRF if there was no state (code) generated. If in a signle handler you call the getCode twice, the function logs that there was a Token mismatch at ERROR level. This is not valid because the functions resets the state but forgets to check against it --- src/base_facebook.php | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/src/base_facebook.php b/src/base_facebook.php index bf676e18..06da8d49 100644 --- a/src/base_facebook.php +++ b/src/base_facebook.php @@ -699,10 +699,8 @@ protected function getMetadataCookieName() { * code could not be determined. */ protected function getCode() { - if (isset($_REQUEST['code'])) { - if ($this->state !== null && - isset($_REQUEST['state']) && - $this->state === $_REQUEST['state']) { + if (isset($_REQUEST['code']) && $this->state !== null) { + if ($this->state === $_REQUEST['state']) { // CSRF state has done its job, so clear it $this->state = null; From 8031796e65cdf8fc601042988cce4ab55ed28dd7 Mon Sep 17 00:00:00 2001 From: Dimitrios Kanellopoulos Date: Sun, 24 Nov 2013 15:52:10 +0100 Subject: [PATCH 41/52] Remove excessive identation and check if state is set before comparing --- src/base_facebook.php | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) 
diff --git a/src/base_facebook.php b/src/base_facebook.php index 06da8d49..166ce0c9 100644 --- a/src/base_facebook.php +++ b/src/base_facebook.php @@ -699,19 +699,16 @@ protected function getMetadataCookieName() { * code could not be determined. */ protected function getCode() { - if (isset($_REQUEST['code']) && $this->state !== null) { - if ($this->state === $_REQUEST['state']) { - + if (!isset($_REQUEST['code']) || $this->state === null) { + return false; + } + if (isset($_REQUEST['state']) && $this->state === $_REQUEST['state']) { // CSRF state has done its job, so clear it $this->state = null; $this->clearPersistentData('state'); return $_REQUEST['code']; - } else { - self::errorLog('CSRF state token does not match one provided.'); - return false; - } } - + self::errorLog('CSRF state token does not match one provided.'); return false; } From fa4aeaf5b8447074356e9bd174d44ceb9e84048c Mon Sep 17 00:00:00 2001 From: Dimitrios Kanellopoulos Date: Wed, 27 Nov 2013 14:12:48 +0100 Subject: [PATCH 42/52] Add linebreak for code standarts --- src/base_facebook.php | 1 + 1 file changed, 1 insertion(+) diff --git a/src/base_facebook.php b/src/base_facebook.php index 166ce0c9..7eff1c73 100644 --- a/src/base_facebook.php +++ b/src/base_facebook.php @@ -709,6 +709,7 @@ protected function getCode() { return $_REQUEST['code']; } self::errorLog('CSRF state token does not match one provided.'); + return false; } From 1c28899c89e96172b8bde010fa9e0649bd8699b2 Mon Sep 17 00:00:00 2001 From: Dimitrios Kanellopoulos Date: Sat, 30 Nov 2013 17:18:49 +0100 Subject: [PATCH 43/52] Cleaner condition --- src/base_facebook.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/base_facebook.php b/src/base_facebook.php index 7eff1c73..3adb26fb 100644 --- a/src/base_facebook.php +++ b/src/base_facebook.php 
@@ -699,10 +699,10 @@ protected function getMetadataCookieName() {
 * code could not be determined.
 */
 protected function getCode() {
- if (!isset($_REQUEST['code']) || $this->state === null) {
+ if (!isset($_REQUEST['code']) || !isset($_REQUEST['state']) || $this->state === null) {
 return false;
 }
- if (isset($_REQUEST['state']) && $this->state === $_REQUEST['state']) {
+ if ($this->state === $_REQUEST['state']) {
 // CSRF state has done its job, so clear it
 $this->state = null;
 $this->clearPersistentData('state');

From d54b3c4be5e8c47911f6ebfc3b2f642260be5f20 Mon Sep 17 00:00:00 2001
From: Dimitrios Kanellopoulos
Date: Tue, 10 Dec 2013 17:24:28 +0100
Subject: [PATCH 44/52] Remove check of $this->state if is null since it's not needed
---
 src/base_facebook.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/base_facebook.php b/src/base_facebook.php
index 3adb26fb..4ad8d5e9 100644
--- a/src/base_facebook.php
+++ b/src/base_facebook.php
@@ -699,7 +699,7 @@ protected function getMetadataCookieName() {
 * code could not be determined.
 */
 protected function getCode() {
- if (!isset($_REQUEST['code']) || !isset($_REQUEST['state']) || $this->state === null) {
+ if (!isset($_REQUEST['code']) || !isset($_REQUEST['state'])) {
 return false;
 }
 if ($this->state === $_REQUEST['state']) {

From fdfa88667de91d49a803684f8a532bcc3fda76fb Mon Sep 17 00:00:00 2001
From: Mathieu Boillat
Date: Wed, 29 Jan 2014 23:51:40 +0100
Subject: [PATCH 45/52] Check if session is really active If you started and stopped a PHP session then session_id won't be empty (but session is closed). If you use session_status you can get the real state of a PHP session.
---
 src/facebook.php | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/facebook.php b/src/facebook.php
index 51de333b..7907c6af 100644
--- a/src/facebook.php
+++ b/src/facebook.php
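Review bot: In the getCode() hunk of PATCH 43/52, a callback that carries `code` but no `state` now leaves through the silent early guard, where the previous version still reached the `errorLog` call for that case whenever a stored state was pending. The request is still rejected, but a code-bearing callback without a state parameter is the shape of a forged or replayed OAuth redirect, so dropping the log line loses the only trace of it. I would keep the quiet return for a missing `code` only and log the missing token separately, e.g. `if (!isset($_REQUEST['state'])) { self::errorLog('CSRF state token missing from request.'); return false; }`. getCode() continues past the end of the hunk.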
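Review bot: Removing `$this->state === null` from the guard in PATCH 44/52 leaves the rejection of an already-consumed state resting entirely on the strict comparison in `if ($this->state === $_REQUEST['state'])`: `isset()` guarantees a non-null request value, so a null stored state can never be identical to it. That holds, but nothing at the comparison says so, and a loose `==` there would let an empty `state` parameter match a null stored state; a comment on that line such as `// must stay ===: a null (consumed) state may never match` documents the invariant. The change also undoes what PATCH 40/52 was written for, since a second getCode() call in the same request now falls through to the 'CSRF state token does not match one provided.' errorLog again. getCode() continues past the end of the hunk.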
@@ -55,8 +55,14 @@ class Facebook extends BaseFacebook
 * @see BaseFacebook::__construct
 */
 public function __construct($config) {
- if (!session_id()) {
- session_start();
+ if (function_exists('session_status')) {
+ if (session_status() !== PHP_SESSION_ACTIVE) {
+ session_start();
+ }
+ } else {
+ if (!session_id()) {
+ session_start();
+ }
 }
 parent::__construct($config);
 if (!empty($config['sharedSession'])) {

From ae71cdee05256c691f7507259eac1cd4a4fa4257 Mon Sep 17 00:00:00 2001
From: Mathieu Boillat
Date: Fri, 21 Feb 2014 11:19:09 +0100
Subject: [PATCH 46/52] Update facebook.php
---
 src/facebook.php | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/src/facebook.php b/src/facebook.php
index 7907c6af..b6b827dc 100644
--- a/src/facebook.php
+++ b/src/facebook.php
@@ -55,14 +55,9 @@ class Facebook extends BaseFacebook
 * @see BaseFacebook::__construct
 */
 public function __construct($config) {
- if (function_exists('session_status')) {
- if (session_status() !== PHP_SESSION_ACTIVE) {
- session_start();
- }
- } else {
- if (!session_id()) {
- session_start();
- }
+ if ((function_exists('session_status')
+ && session_status() !== PHP_SESSION_ACTIVE) || !session_id()) {
+ session_start();
 }
 parent::__construct($config);
 if (!empty($config['sharedSession'])) {

From e553dc576d2a34d416e74628a27dd5b9af745fbc Mon Sep 17 00:00:00 2001
From: Fosco Marotto
Date: Tue, 11 Mar 2014 11:11:51 -0700
Subject: [PATCH 47/52] Removed deprecated getLoginStatusUrl
---
 src/base_facebook.php | 15 ---------------
 1 file changed, 15 deletions(-)

diff --git a/src/base_facebook.php b/src/base_facebook.php
index b9d403ef..95e18fb1 100644
--- a/src/base_facebook.php
+++ b/src/base_facebook.php
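Review bot: In the constructor hunk of PATCH 45/52, `session_status() !== PHP_SESSION_ACTIVE` is also true for `PHP_SESSION_DISABLED`, so `session_start()` is attempted even when sessions are turned off; testing for the one state that needs a start, `session_status() === PHP_SESSION_NONE`, is tighter. PATCH 46/52 keeps the same comparison and folds both probes into `(function_exists('session_status') && session_status() !== PHP_SESSION_ACTIVE) || !session_id()`, which matches the nested version only as long as an active session always has a non-empty id. That assumption should be stated in a comment above the condition, or the two branches kept apart as in the earlier hunk. The constructor continues past the end of both hunks.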
@@ -659,21 +659,6 @@ public function getLogoutUrl($params=array()) {
 );
 }

- /**
- * Get a login status URL to fetch the status from Facebook.
- *
- * @param array $params Provide custom parameters
- * @return string The URL for the logout flow
- */
- public function getLoginStatusUrl($params=array()) {
- return $this->getLoginUrl(
- array_merge(array(
- 'response_type' => 'code',
- 'display' => 'none',
- ), $params)
- );
- }
-
 /**
 * Make an API call.
 *

From 8a992afce97122556c4e42b0f1c1d60b9d49276d Mon Sep 17 00:00:00 2001
From: Fosco Marotto
Date: Thu, 3 Apr 2014 19:27:38 -0700
Subject: [PATCH 48/52] Removed getLoginStatusUrl tests:
---
 tests/tests.php | 31 -------------------------------
 1 file changed, 31 deletions(-)

diff --git a/tests/tests.php b/tests/tests.php
index b28a3f18..fa1d83a7 100644
--- a/tests/tests.php
+++ b/tests/tests.php
@@ -761,37 +761,6 @@ public function testLogoutURLDefaults() {
 $this->assertFalse(strpos($facebook->getLogoutUrl(), self::SECRET));
 }

- public function testLoginStatusURLDefaults() {
- $_SERVER['HTTP_HOST'] = 'fbrell.com';
- $_SERVER['REQUEST_URI'] = '/examples';
- $facebook = new TransientFacebook(array(
- 'appId' => self::APP_ID,
- 'secret' => self::SECRET,
- ));
- $encodedUrl = rawurlencode('http://fbrell.com/examples');
- $this->assertNotNull(strpos($facebook->getLoginStatusUrl(), $encodedUrl),
- 'Expect the current url to exist.');
- }
-
- public function testLoginStatusURLCustom() {
- $_SERVER['HTTP_HOST'] = 'fbrell.com';
- $_SERVER['REQUEST_URI'] = '/examples';
- $facebook = new TransientFacebook(array(
- 'appId' => self::APP_ID,
- 'secret' => self::SECRET,
- ));
- $encodedUrl1 = rawurlencode('http://fbrell.com/examples');
- $okUrl = 'http://fbrell.com/here1';
- $encodedUrl2 = rawurlencode($okUrl);
- $loginStatusUrl = $facebook->getLoginStatusUrl(array(
- 'ok_session' => $okUrl,
- ));
- $this->assertNotNull(strpos($loginStatusUrl, $encodedUrl1),
- 'Expect the current url to exist.');
- $this->assertNotNull(strpos($loginStatusUrl, $encodedUrl2),
- 'Expect the custom url to exist.');
- }
-
 public function testNonDefaultPort() {
 $_SERVER['HTTP_HOST'] = 'fbrell.com:8080';
 $_SERVER['REQUEST_URI'] = '/examples';

From 52394114509e627bdb79faab9069c9a553784e98 Mon Sep 17 00:00:00 2001
From: Fosco Marotto
Date: Wed, 30 Apr 2014 07:56:06 -0700
Subject: [PATCH 49/52] Updated readme to point to new repository.
---
 readme.md | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/readme.md b/readme.md
index ecbfffe3..22f4cc59 100644
--- a/readme.md
+++ b/readme.md
@@ -1,3 +1,14 @@ +### New SDK Released + +We've released version 4 of the Facebook SDK for PHP here: [https://github +.com/facebook/facebook-php-sdk-v4](https://github +.com/facebook/facebook-php-sdk-v4) +Please use the new repository for new projects and contributions. +See the [Facebook Developers](https://developers.facebook.com/docs/php/) site + for documentation. + +----- + Facebook PHP SDK (v.3.2.3) The [Facebook Platform](http://developers.facebook.com/) is From b31c5a7911773a0684e89c7d1d84b0ca575e6cc8 Mon Sep 17 00:00:00 2001 From: Naitik Shah Date: Wed, 30 Apr 2014 21:58:13 -0700 Subject: [PATCH 50/52] fix link to new sdk repo --- readme.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/readme.md b/readme.md index 22f4cc59..e85bee89 100644 --- a/readme.md +++ b/readme.md @@ -1,8 +1,6 @@ ### New SDK Released -We've released version 4 of the Facebook SDK for PHP here: [https://github -.com/facebook/facebook-php-sdk-v4](https://github -.com/facebook/facebook-php-sdk-v4) +We've released version 4 of the Facebook SDK for PHP here: [https://github.com/facebook/facebook-php-sdk-v4](https://github.com/facebook/facebook-php-sdk-v4) Please use the new repository for new projects and contributions. See the [Facebook Developers](https://developers.facebook.com/docs/php/) site for documentation. From 4821853f6ea4681e8acacfa1eee54f19e76fdb3e Mon Sep 17 00:00:00 2001 From: Stanislav Chistenko Date: Wed, 7 May 2014 13:55:10 +0700 Subject: [PATCH 51/52] Update example.php: remove getLoginStatusUrl usage --- examples/example.php | 5 ----- 1 file changed, 5 deletions(-) diff --git a/examples/example.php b/examples/example.php index 4c22fa96..cd0b378c 100644 --- a/examples/example.php +++ b/examples/example.php @@ -46,7 +46,6 @@ if ($user) { $logoutUrl = $facebook->getLogoutUrl(); } else { - $statusUrl = $facebook->getLoginStatusUrl(); $loginUrl = $facebook->getLoginUrl(); } @@ -77,10 +76,6 @@ Logout -
- Check the login status using OAuth 2.0 handled by the PHP SDK: - Check the login status -
Login using OAuth 2.0 handled by the PHP SDK: Login with Facebook From 8e7e7951e99d86b68ce1135537d559663d759af0 Mon Sep 17 00:00:00 2001 From: Fosco Marotto Date: Tue, 13 Jan 2015 11:27:37 -0800 Subject: [PATCH 52/52] This SDK is deprecated. Use v4, see readme for link. --- examples/example.php | 5 +++++ readme.md | 8 +++++++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/examples/example.php b/examples/example.php index cd0b378c..645adf2b 100644 --- a/examples/example.php +++ b/examples/example.php @@ -1,4 +1,9 @@