simonkberg · November 16, 2012 13:47
diff --git a/gistfile1.php b/gistfile1.php
 <?php
 // Access with ?dev=true for debugging
 $signed_request = isset($_POST['signed_request']) ? $_POST['signed_request'] : false;
 $debug = isset($_GET['dev']);
 $secret = 'APP_SECRET';

 if(!$signed_request && !$debug) {

 	die('No direct access.');
 	
 } else if ($signed_request) {
 	
 	list($encoded_sig, $payload) = explode('.', $signed_request, 2);
 	$sig = base64_url_decode($encoded_sig);
 	$data = json_decode(base64_url_decode($payload), true);
 	$expected_sig = hash_hmac('sha256' , $payload, $secret, $raw = true);
 	
 	if (strtoupper($data['algorithm']) !== 'HMAC-SHA256' || $sig !== $expected_sig) {
 		die('Invalid request.');
 	}
 	
 }

 function base64_url_decode($input) {
  return base64_decode(strtr($input, '-_', '+/'));
 }
 ?>
	<?php
	// Access with ?dev=true for debugging
	$signed_request = isset($_POST['signed_request']) ? $_POST['signed_request'] : false;
	$debug = isset($_GET['dev']);
	$secret = 'APP_SECRET';

	if(!$signed_request && !$debug) {

	die('No direct access.');

	} else if ($signed_request) {

	list($encoded_sig, $payload) = explode('.', $signed_request, 2);
	$sig = base64_url_decode($encoded_sig);
	$data = json_decode(base64_url_decode($payload), true);
	$expected_sig = hash_hmac('sha256' , $payload, $secret, $raw = true);

	if (strtoupper($data['algorithm']) !== 'HMAC-SHA256' \|\| $sig !== $expected_sig) {
	die('Invalid request.');
	}

	}

	function base64_url_decode($input) {
	return base64_decode(strtr($input, '-_', '+/'));
	}
	?>