Merge pull request #88 from facebook/gFosco.appsecret

Fosco Marotto · Fosco Marotto · commit 14bdf3355303 · 2014-05-20T22:26:30.000-07:00
Added appsecret_proof handling to FacebookRequest.
diff --git a/src/Facebook/FacebookRequest.php b/src/Facebook/FacebookRequest.php
@@ -184,6 +184,12 @@ public function __construct(
       && !isset($params["access_token"])) {
       $params["access_token"] = $session->getToken();
     }
+    if (FacebookSession::useAppSecretProof()
+      && !isset($params["appsecret_proof"])) {
+      $params["appsecret_proof"] = $this->getAppSecretProof(
+        $params["access_token"]
+      );
+    }
     $this->params = $params;
   }
 
@@ -251,6 +257,19 @@ public function execute() {
     return new FacebookResponse($this, $decodedResult, $result, $etagHit, $etagReceived);
   }
 
+
+  /**
+   * Generate and return the appsecret_proof value for an access_token
+   *
+   * @param string $token
+   *
+   * @return string
+   */
+  public function getAppSecretProof($token)
+  {
+    return hash_hmac('sha256', $token, FacebookSession::_getTargetAppSecret());
+  }
+
   /**
    * appendParamsToUrl - Gracefully appends params to the URL.
    *
diff --git a/src/Facebook/FacebookSession.php b/src/Facebook/FacebookSession.php
@@ -52,6 +52,11 @@ class FacebookSession
    */
   private $signedRequestData;
 
+  /**
+   * @var bool
+   */
+  private static $useAppSecretProof = false;
+
   /**
    * When creating a Session from an access_token, use:
    *   var $session = new FacebookSession($accessToken);
@@ -443,4 +448,24 @@ public static function _base64UrlDecode($input) {
     return base64_decode(strtr($input, '-_', '+/'));
   }
 
+  /**
+   * Enable or disable sending the appsecret_proof with requests.
+   *
+   * @param bool $on
+   */
+  public static function enableAppSecretProof($on = true)
+  {
+    static::$useAppSecretProof = ($on ? true : false);
+  }
+
+  /**
+   * Get whether or not appsecret_proof should be sent with requests.
+   *
+   * @return bool
+   */
+  public static function useAppSecretProof()
+  {
+    return static::$useAppSecretProof;
+  }
+
 }
diff --git a/tests/FacebookRequestTest.php b/tests/FacebookRequestTest.php
@@ -118,4 +118,24 @@ public function testGracefullyHandlesUrlAppending()
     $this->assertEquals('https://www.foo.com/?access_token=bar&foo=bar', $processed_url);
   }
 
+  public function testAppSecretProof()
+  {
+    FacebookSession::enableAppSecretProof(true);
+    $request = new FacebookRequest(
+      FacebookTestHelper::$testSession,
+      'GET',
+      '/me'
+    );
+    $this->assertTrue(isset($request->getParameters()['appsecret_proof']));
+
+
+    FacebookSession::enableAppSecretProof(false);
+    $request = new FacebookRequest(
+      FacebookTestHelper::$testSession,
+      'GET',
+      '/me'
+    );
+    $this->assertTrue(!isset($request->getParameters()['appsecret_proof']));
+  }
+
 }
