Scenario

Facebook app which resides on User A's profile (in a tab called Welcome). User A can fill out a Welcome message and update the message.

User B comes to User A's profile, clicks on the Welcome tab and views the Welcome message written by User A.

I understand how to complete the majority of my application and imagine that I will produce the response based on a DB lookup of a field associated with User A's Facebook ID.

What I don't understand is how to grab the User ID value of the user who installed that instance of the APP (User A) or how to grab the User ID of the profile that User B is currently on (Which also happens to be User A).

Any ideas on how best to attack this?

A: 

Found the answer. When your application is installed as a tab then the profile of the user along with other parameters are passed in an encoded string. Here is an example of how I pulled the profile_id.

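function getProfileID($post){
  global $FB_secret;
  // signed_request is only present when the page is loaded through the tab
  if (!isset($post['signed_request'])) {
    return null;
  }
  $PSR = parse_signed_request($post['signed_request'], $FB_secret);
  // parse_signed_request() returns null when verification fails
  return ($PSR !== null && isset($PSR['profile_id'])) ? $PSR['profile_id'] : null;
}

function parse_signed_request($signed_request, $secret) {
  // the value must have the form "<signature>.<payload>"
  if (!is_string($signed_request) || strpos($signed_request, '.') === false) {
    error_log('Malformed signed_request');
    return null;
  }
  list($encoded_sig, $payload) = explode('.', $signed_request, 2);

  // decode the data
  $sig = base64_url_decode($encoded_sig);
  $data = json_decode(base64_url_decode($payload), true);

  if (!is_array($data) || !isset($data['algorithm'])
      || strtoupper($data['algorithm']) !== 'HMAC-SHA256') {
    error_log('Unknown algorithm. Expected HMAC-SHA256');
    return null;
  }

  // check sig; hash_equals() compares in constant time
  $expected_sig = hash_hmac('sha256', $payload, $secret, true);
  if (!hash_equals($expected_sig, $sig)) {
    error_log('Bad Signed JSON signature!');
    return null;
  }

  return $data;
}

function base64_url_decode($input) {
  // base64url uses '-' and '_' in place of '+' and '/'
  return base64_decode(strtr($input, '-_', '+/'));
}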

Add those functions then add the following command somewhere:

$profile_user = getProfileID($_POST);

Please note that the script assumes that you will assign the secret key value to $FB_secret to work properly.

Joseph U.
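
The signature check that parse_signed_request relies on, exercised on constructed input as an added example (not the answer's or Facebook's code): it builds a signed_request with a made-up secret, then confirms that a payload swapped under the old signature, a wrong secret, a malformed value and a missing value are all rejected. The helper names, secret and profile IDs are assumptions.

```php
<?php
// Added example; the secret, IDs and helper names are constructed.
function b64url_encode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}
function b64url_decode(string $txt) {
    $txt = strtr($txt, '-_', '+/');
    $txt .= str_repeat('=', (4 - strlen($txt) % 4) % 4); // restore padding
    return base64_decode($txt, true); // strict: false on invalid characters
}
// Build a value in the "<signature>.<payload>" layout the answer parses.
function make_signed_request(array $data, string $secret): string {
    $payload = b64url_encode(json_encode($data));
    return b64url_encode(hash_hmac('sha256', $payload, $secret, true)) . '.' . $payload;
}
// Returns the decoded payload, or null when any check fails.
function verify_signed_request($sr, string $secret): ?array {
    if (!is_string($sr) || substr_count($sr, '.') !== 1) {
        return null; // missing or malformed
    }
    [$encoded_sig, $payload] = explode('.', $sr);
    $sig = b64url_decode($encoded_sig);
    $expected = hash_hmac('sha256', $payload, $secret, true);
    // Check the MAC in constant time before trusting anything in the payload.
    if ($sig === false || !hash_equals($expected, $sig)) {
        return null;
    }
    $json = b64url_decode($payload);
    $data = ($json === false) ? null : json_decode($json, true);
    $alg = is_array($data) ? ($data['algorithm'] ?? null) : null;
    if (!is_string($alg) || strtoupper($alg) !== 'HMAC-SHA256') {
        return null;
    }
    return $data;
}
$secret = 'constructed-app-secret';
$good = make_signed_request(['algorithm' => 'HMAC-SHA256', 'profile_id' => '1001'], $secret);
// Same signature, payload swapped to name another profile.
$swapped = explode('.', $good)[0] . '.'
    . b64url_encode(json_encode(['algorithm' => 'HMAC-SHA256', 'profile_id' => '2002']));
$checks = [
    'valid request accepted' => (verify_signed_request($good, $secret)['profile_id'] ?? null) === '1001',
    'swapped payload rejected' => verify_signed_request($swapped, $secret) === null,
    'wrong secret rejected' => verify_signed_request($good, 'other-secret') === null,
    'no separator rejected' => verify_signed_request('not-a-signed-request', $secret) === null,
    'missing value rejected' => verify_signed_request(null, $secret) === null,
];
foreach ($checks as $name => $ok) {
    echo ($ok ? 'ok   ' : 'FAIL ') . $name . PHP_EOL;
}
```

Because profile_id decides which user's record is read from the database, it should only be used after this verification returns a non-null payload.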