\Facebook

Extends the BaseFacebook class with the intent of using PHP sessions to store user ids and access tokens.

Summary

Public methods: __construct(), setAppId(), getAppId(), setApiSecret(), setAppSecret(), getApiSecret(), getAppSecret(), setFileUploadSupport(), getFileUploadSupport(), useFileUploadSupport(), setAccessToken(), setExtendedAccessToken(), getAccessToken(), getSignedRequest(), getUser(), getLoginUrl(), getLogoutUrl(), api(), getApplicationAccessToken(), destroySession()

Public properties: $CURL_OPTS, $DOMAIN_MAP

Constants: VERSION, SIGNED_REQUEST_ALGORITHM, FBSS_COOKIE_NAME, FBSS_COOKIE_EXPIRE

Protected methods: getUserAccessToken(), getUserFromAvailableData(), getSignedRequestCookieName(), getMetadataCookieName(), getCode(), getUserFromAccessToken(), establishCSRFTokenState(), getAccessTokenFromCode(), _restserver(), isVideoPost(), _graph(), _oauthRequest(), getAppSecretProof(), makeRequest(), parseSignedRequest(), makeSignedRequest(), getApiUrl(), getUrl(), getHttpHost(), getHttpProtocol(), getBaseDomain(), getCurrentUrl(), shouldRetainParam(), throwAPIException(), errorLog(), base64UrlDecode(), base64UrlEncode(), getMetadataCookie(), isAllowedDomain(), endsWith(), setPersistentData(), getPersistentData(), clearPersistentData(), clearAllPersistentData(), initSharedSession(), deleteSharedSessionCookie(), getSharedSessionCookieName(), constructSessionVariableName()

Protected properties: $DROP_QUERY_PARAMS, $appId, $appSecret, $user, $signedRequest, $state, $accessToken, $fileUploadSupport, $trustForwarded, $allowSignedRequest, $sharedSessionID, $kSupportedKeys

Private methods: none

Private properties: none

Constants

VERSION

VERSION

Version.

SIGNED_REQUEST_ALGORITHM

SIGNED_REQUEST_ALGORITHM

Signed Request Algorithm.

Properties

$CURL_OPTS

$CURL_OPTS : array

Default options for curl.

Type

array

$DOMAIN_MAP

$DOMAIN_MAP : array

Maps aliases to Facebook domains.

Type

array

$DROP_QUERY_PARAMS

$DROP_QUERY_PARAMS : array

List of query parameters that get automatically dropped when rebuilding the current URL.

Type

array

$appId

$appId : string

The Application ID.

Type

string

$appSecret

$appSecret : string

The Application App Secret.

Type

string

$user

$user : integer

The ID of the Facebook user, or 0 if the user is logged out.

Type

integer

$signedRequest

$signedRequest : string

The data from the signed_request token.

Type

string

$state

$state : string

A CSRF state variable to assist in the defense against CSRF attacks.

Type

string

$accessToken

$accessToken : string

The OAuth access token received in exchange for a valid authorization code. null means the access token has yet to be determined.

Type

string

$fileUploadSupport

$fileUploadSupport : boolean

Indicates if the CURL based @ syntax for file uploads is enabled.

Type

boolean

$trustForwarded

$trustForwarded : boolean

Indicates if we trust HTTP_X_FORWARDED_* headers.

Type

boolean

$allowSignedRequest

$allowSignedRequest : boolean

Indicates if signed_request is allowed in query parameters.

Type

boolean

$sharedSessionID

$sharedSessionID : string

Stores the shared session ID if one is set.

Type

string

$kSupportedKeys

$kSupportedKeys : array

Supported keys for persistent data

Type

array

Methods

__construct()

__construct(array $config)

Identical to the parent constructor, except that we start a PHP session to store the user ID and access token if during the course of execution we discover them.

The configuration:

  • appId: the application ID
  • secret: the application secret
  • fileUpload: (optional) boolean indicating if file uploads are enabled
  • allowSignedRequest: (optional) boolean indicating if signed_request is allowed in query parameters or POST body. Should be false for non-canvas apps. Defaults to true.

Parameters

array $config

the application configuration. Additionally accepts "sharedSession" as a boolean to turn on a secondary cookie for environments with a shared session (that is, your app shares the domain with other apps).

setAppId()

setAppId(string $appId) : \BaseFacebook

Set the Application ID.

Parameters

string $appId

The Application ID

Returns

\BaseFacebook

getAppId()

getAppId() : string

Get the Application ID.

Returns

string —

the Application ID

setApiSecret()

setApiSecret(string $apiSecret) : \BaseFacebook

Set the App Secret.

Parameters

string $apiSecret

The App Secret

Returns

\BaseFacebook

setAppSecret()

setAppSecret(string $appSecret) : \BaseFacebook

Set the App Secret.

Parameters

string $appSecret

The App Secret

Returns

\BaseFacebook

getApiSecret()

getApiSecret() : string

Get the App Secret.

Returns

string —

the App Secret

getAppSecret()

getAppSecret() : string

Get the App Secret.

Returns

string —

the App Secret

setFileUploadSupport()

setFileUploadSupport(boolean $fileUploadSupport) : \BaseFacebook

Set the file upload support status.

Parameters

boolean $fileUploadSupport

The file upload support status.

Returns

\BaseFacebook

getFileUploadSupport()

getFileUploadSupport() : boolean

Get the file upload support status.

Returns

boolean —

true if and only if the server supports file upload.

useFileUploadSupport()

useFileUploadSupport() : boolean

Get the file upload support status.

Returns

boolean —

true if and only if the server supports file upload.

setAccessToken()

setAccessToken(string $access_token) : \BaseFacebook

Sets the access token for api calls. Use this if you get your access token by other means and just want the SDK to use it.

Parameters

string $access_token

an access token.

Returns

\BaseFacebook

setExtendedAccessToken()

setExtendedAccessToken()

Extend an access token, while removing the short-lived token that might have been generated via client-side flow. Thanks to http://bit.ly/b0Pt0H for the workaround.

getAccessToken()

getAccessToken() : string

Determines the access token that should be used for API calls.

The first time this is called, $this->accessToken is set equal to either a valid user access token, or it's set to the application access token if a valid user access token wasn't available. Subsequent calls return whatever the first call returned.

Returns

string —

The access token

getSignedRequest()

getSignedRequest() : string

Retrieve the signed request, either from a request parameter or, if not present, from a cookie.

Returns

string —

the signed request, if available, or null otherwise.

getUser()

getUser() : string

Get the UID of the connected user, or 0 if the Facebook user is not connected.

Returns

string —

the UID if available.

getLoginUrl()

getLoginUrl(array $params) : string

Get a Login URL for use with redirects. By default, full page redirect is assumed. If you are using the generated URL with a window.open() call in JavaScript, you can pass in display=popup as part of the $params.

The parameters:

  • redirect_uri: the url to go to after a successful login
  • scope: comma separated list of requested extended perms

Parameters

array $params

Provide custom parameters

Returns

string —

The URL for the login flow

getLogoutUrl()

getLogoutUrl(array $params) : string

Get a Logout URL suitable for use with redirects.

The parameters:

  • next: the url to go to after a successful logout

Parameters

array $params

Provide custom parameters

Returns

string —

The URL for the logout flow

api()

api() : mixed

Make an API call.

Returns

mixed —

The decoded response

getApplicationAccessToken()

getApplicationAccessToken() : string

Returns the access token that should be used for logged out users when no authorization code is available.

Returns

string —

The application access token, useful for gathering public information about users and applications.

destroySession()

destroySession()

Destroy the current session

getUserAccessToken()

getUserAccessToken() : string

Determines and returns the user access token, first using the signed request if present, and then falling back on the authorization code if present. The intent is to return a valid user access token, or false if one is determined to not be available.

Returns

string —

A valid user access token, or false if one could not be determined.

getUserFromAvailableData()

getUserFromAvailableData() : integer

Determines the connected user by first examining any signed requests, then considering an authorization code, and then falling back to any persistent store storing the user.

Returns

integer —

The id of the connected Facebook user, or 0 if no such user exists.

getSignedRequestCookieName()

getSignedRequestCookieName() : string

Constructs and returns the name of the cookie that potentially houses the signed request for the app user.

The cookie is not set by the BaseFacebook class, but it may be set by the JavaScript SDK.

Returns

string —

the name of the cookie that would house the signed request value.

getMetadataCookieName()

getMetadataCookieName() : string

Constructs and returns the name of the cookie that potentially contains metadata. The cookie is not set by the BaseFacebook class, but it may be set by the JavaScript SDK.

Returns

string —

the name of the cookie that would house metadata.

getCode()

getCode() : mixed

Get the authorization code from the query parameters, if it exists, and otherwise return false to signal no authorization code was discoverable.

Returns

mixed —

The authorization code, or false if the authorization code could not be determined.

getUserFromAccessToken()

getUserFromAccessToken() : integer

Retrieves the UID with the understanding that $this->accessToken has already been set and is seemingly legitimate. It relies on Facebook's Graph API to retrieve user information and then extract the user ID.

Returns

integer —

Returns the UID of the Facebook user, or 0 if the Facebook user could not be determined.

establishCSRFTokenState()

establishCSRFTokenState() : void

Lays down a CSRF state token for this process.

getAccessTokenFromCode()

getAccessTokenFromCode(string $code, string $redirect_uri) : mixed

Retrieves an access token for the given authorization code (previously generated from www.facebook.com on behalf of a specific user). The authorization code is sent to graph.facebook.com and a legitimate access token is generated provided the access token and the user for which it was generated all match, and the user is either logged in to Facebook or has granted an offline access permission.

Parameters

string $code

An authorization code.

string $redirect_uri

Optional redirect URI. Default null

Returns

mixed —

An access token exchanged for the authorization code, or false if an access token could not be generated.

_restserver()

_restserver(array $params) : mixed

Invoke the old restserver.php endpoint.

Parameters

array $params

Method call object

Throws

\FacebookApiException

Returns

mixed —

The decoded response object

isVideoPost()

isVideoPost(string $path, string $method) : boolean

Return true if this is a video post.

Parameters

string $path

The path

string $method

The http method (default 'GET')

Returns

boolean —

true if this is a video post

_graph()

_graph(string $path, string $method, array $params) : mixed

Invoke the Graph API.

Parameters

string $path

The path (required)

string $method

The http method (default 'GET')

array $params

The query/post data

Throws

\FacebookApiException

Returns

mixed —

The decoded response object

_oauthRequest()

_oauthRequest(string $url, array $params) : string

Make an OAuth request.

Parameters

string $url

The path (required)

array $params

The query/post data

Throws

\FacebookApiException

Returns

string —

The decoded response object

getAppSecretProof()

getAppSecretProof(string $access_token) : string

Generate a proof of App Secret. This is required for all API calls originating from a server. It is a sha256 hash of the access_token made using the app secret.

Parameters

string $access_token

The access_token to be hashed (required)

Returns

string —

The sha256 hash of the access_token
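
Added example (not part of the SDK source or this reference): "a sha256 hash of the access_token made using the app secret" is a keyed hash, computed here with PHP's hash_hmac() and checked with hash_equals(). The function names, the token and the secret are constructed for illustration; appsecret_proof is the Graph API parameter that carries the value.

```php
<?php
// Added example, not SDK source. Token and secret values are constructed.

/** appsecret_proof: HMAC-SHA256 of the access token, keyed with the app secret (hex). */
function app_secret_proof(string $accessToken, string $appSecret): string
{
    return hash_hmac('sha256', $accessToken, $appSecret);
}

/** Receiving-side check: recompute the proof and compare in constant time. */
function proof_matches(string $accessToken, string $appSecret, string $proof): bool
{
    return hash_equals(app_secret_proof($accessToken, $appSecret), $proof);
}

$appSecret   = 'EXAMPLE_APP_SECRET';         // constructed placeholder
$accessToken = 'EXAMPLE_USER_ACCESS_TOKEN';  // constructed placeholder

// Parameters a server-side Graph API call would carry.
$params = [
    'access_token'    => $accessToken,
    'appsecret_proof' => app_secret_proof($accessToken, $appSecret),
];
echo http_build_query($params), PHP_EOL;

// The proof is bound to both the token and the secret.
var_dump(proof_matches($accessToken, $appSecret, $params['appsecret_proof']));
var_dump(proof_matches('TOKEN_ISSUED_TO_ANOTHER_APP', $appSecret, $params['appsecret_proof']));

// A plain digest of token and secret concatenated is a different construction.
var_dump(proof_matches($accessToken, $appSecret, hash('sha256', $accessToken . $appSecret)));
```

Because the proof requires the app secret, an access token lifted from a client cannot be replayed from another server when the app is configured to require the proof.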

makeRequest()

makeRequest(string $url, array $params, \CurlHandler $ch) : string

Makes an HTTP request. This method can be overridden by subclasses if developers want to do fancier things or use something other than curl to make the request.

Parameters

string $url

The URL to make the request to

array $params

The parameters to use for the POST body

\CurlHandler $ch

Initialized curl handle

Returns

string —

The response text

parseSignedRequest()

parseSignedRequest(string $signed_request) : array

Parses a signed_request and validates the signature.

Parameters

string $signed_request

A signed token

Returns

array —

The payload inside it, or null if the signature is wrong

makeSignedRequest()

makeSignedRequest(array $data) : string

Makes a signed_request blob using the given data.

Parameters

array $data

The data array.

Returns

string —

The signed request.

getApiUrl()

getApiUrl(string $method) : string

Build the URL for the API given the parameters.

Parameters

string $method

The method name.

Returns

string —

The URL for the given parameters

getUrl()

getUrl(string $name, string $path, array $params) : string

Build the URL for given domain alias, path and parameters.

Parameters

string $name

The name of the domain

string $path

Optional path (without a leading slash)

array $params

Optional query parameters

Returns

string —

The URL for the given parameters

getHttpHost()

getHttpHost() : string

Returns the HTTP Host

Returns

string —

The HTTP Host

getHttpProtocol()

getHttpProtocol() : string

Returns the HTTP Protocol

Returns

string —

The HTTP Protocol

getBaseDomain()

getBaseDomain() : string

Returns the base domain used for the cookie.

Returns

string —

The base domain

getCurrentUrl()

getCurrentUrl() : string

Returns the Current URL, stripping it of known FB parameters that should not persist.

Returns

string —

The current URL

shouldRetainParam()

shouldRetainParam(string $param) : boolean

Returns true if and only if the key or key/value pair should be retained as part of the query string. This amounts to a brute-force search of the very small list of Facebook-specific params that should be stripped out.

Parameters

string $param

A key or key/value pair within a URL's query (e.g. 'foo=a', 'foo=', or 'foo').

Returns

boolean

throwAPIException()

throwAPIException(array $result)

Analyzes the supplied result to see if it was thrown because the access token is no longer valid. If that is the case, then we destroy the session.

Parameters

array $result

A record storing the error message returned by a failed API call.

errorLog()

errorLog(string $msg)

Prints to the error log if you aren't in command line mode.

Parameters

string $msg

Log message

base64UrlDecode()

base64UrlDecode(string $input) : string

Base64 encoding that doesn't need to be urlencode()ed.

Exactly the same as base64_encode except it uses:

  • - instead of +
  • _ instead of /
  • No padded =

Parameters

string $input

base64UrlEncoded input

Returns

string —

The decoded string

base64UrlEncode()

base64UrlEncode(string $input) : string

Base64 encoding that doesn't need to be urlencode()ed.

Exactly the same as base64_encode except it uses:

  • - instead of +
  • _ instead of /

Parameters

string $input

The input to encode

Returns

string —

The base64Url encoded input, as a string.
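
Added example (not the SDK's code) covering parseSignedRequest(), makeSignedRequest() and the two base64Url helpers above: a standalone signed_request round trip that checks the signature before trusting any field of the payload. It assumes the signed_request layout of base64url(signature), a dot, then base64url(JSON payload), signed with HMAC-SHA256 under the app secret; the function names, secret and payload are constructed.

```php
<?php
// Added example, not SDK source. Secret and payload are constructed sample values.

function b64url_encode(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function b64url_decode(string $in): ?string
{
    // Accept only the URL-safe alphabet, restore padding, decode strictly.
    if (!preg_match('/^[A-Za-z0-9_-]*$/', $in)) {
        return null;
    }
    $padded = $in . str_repeat('=', (4 - strlen($in) % 4) % 4);
    $out = base64_decode(strtr($padded, '-_', '+/'), true);
    return $out === false ? null : $out;
}

function make_signed_request(array $data, string $secret): string
{
    $data['algorithm'] = 'HMAC-SHA256';
    $data['issued_at'] = $data['issued_at'] ?? time();
    $payload = b64url_encode(json_encode($data));
    return b64url_encode(hash_hmac('sha256', $payload, $secret, true)) . '.' . $payload;
}

function parse_signed_request(string $token, string $secret): ?array
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$sigPart, $payload] = $parts;
    $sig = b64url_decode($sigPart);
    // Verify first, over the encoded payload, with a pinned algorithm and constant-time compare.
    if ($sig === null || !hash_equals(hash_hmac('sha256', $payload, $secret, true), $sig)) {
        return null;
    }
    $data = json_decode((string) b64url_decode($payload), true);
    // The algorithm field is checked, never used to choose how to verify.
    return is_array($data) && ($data['algorithm'] ?? '') === 'HMAC-SHA256' ? $data : null;
}

$secret = 'EXAMPLE_APP_SECRET';
$token  = make_signed_request(['user_id' => '1234567890'], $secret);
var_dump(parse_signed_request($token, $secret));            // untouched token

// Payload swapped for another user while keeping the original signature.
[$sigPart] = explode('.', $token);
$forged = $sigPart . '.' . b64url_encode(json_encode(['algorithm' => 'HMAC-SHA256', 'user_id' => '42']));
var_dump(parse_signed_request($forged, $secret));
var_dump(parse_signed_request($token, 'SOME_OTHER_SECRET')); // wrong key
var_dump(parse_signed_request('not-a-token', $secret));      // malformed input
```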

getMetadataCookie()

getMetadataCookie() : array

Parses the metadata cookie that our JavaScript API set.

Returns

array —

an array mapping key to value

isAllowedDomain()

isAllowedDomain(string $big, string $small) : boolean

Finds whether the given domain is allowed or not

Parameters

string $big

The value to be checked against $small

string $small

The input string

Returns

boolean —

Returns TRUE if $big matches $small

endsWith()

endsWith(string $big, string $small) : boolean

Checks if $big string ends with $small string

Parameters

string $big

The value to be checked against $small

string $small

The input string

Returns

boolean —

TRUE if $big ends with $small

setPersistentData()

setPersistentData( $key,  $value) : void

Stores the given ($key, $value) pair, so that future calls to getPersistentData($key) return $value. This call may be in another request.

Parameters

$key
$value

getPersistentData()

getPersistentData( $key,  $default) : mixed

Get the data for $key, persisted by BaseFacebook::setPersistentData()

Parameters

$key
$default

Returns

mixed

clearPersistentData()

clearPersistentData( $key) : void

Clear the data with $key from the persistent storage

Parameters

$key

clearAllPersistentData()

clearAllPersistentData() : void

Clear all data from the persistent storage

initSharedSession()

initSharedSession()

Initiates Shared Session

deleteSharedSessionCookie()

deleteSharedSessionCookie()

Deletes Shared session cookie

getSharedSessionCookieName()

getSharedSessionCookieName() : string

Returns the Shared session cookie name

Returns

string —

The Shared session cookie name

constructSessionVariableName()

constructSessionVariableName(string $key) : string

Constructs and returns the name of the session key.

Parameters

string $key

The key for which to construct the session variable name.

Returns

string —

The name of the session key.