Checking if we are authenticated - lsproc/Graph-API-test GitHub Wiki
Facebook uses 'installed' as a synonym for authenticated as far as applications are concerned. If an app is not 'installed', it is not authenticated for that user and therefore cannot access the Facebook Graph API. We also do not have a user object, as we will not have permission for it (this is why an app gains access to the user's basic data when it is installed). It therefore becomes necessary to check whether we have been authenticated, or 'installed'.
Ensuring we are on Facebook
This whole problem is irrelevant if we are not being loaded through Facebook. To check this, we can simply inspect whether we have the session data that Facebook provides to all apps when they are loaded through its canvas.
This matters because, if we are authenticated, we need to set the access token that is supplied in this session data. Without it, calls to the API will fail (with the exception of getUser, which can find the user from the session data alone). Inspecting the session data is therefore a good opportunity to set the access token.
If the API's built-in call for getting the session data is used, it performs its own checks to ensure the data hasn't been affected by XSS flaws; if it has, null is returned. In the code below, this gives the same response as saying we are not on Facebook.
```php
// $facebook is an instance of the PHP SDK's Facebook class, created with the app ID and secret.
// getSignedRequest() is the SDK's built-in call for the session data; it returns null if the
// data is missing or fails its checks.
$request_data = $facebook->getSignedRequest();

if (is_array($request_data) && array_key_exists('oauth_token', $request_data)) {
    // We have session data and an access token; set it in the API.
    $facebook->setAccessToken($request_data['oauth_token']);
} elseif (!is_array($request_data)) {
    // Not an array, so we don't have the session data we would have if we came from Facebook.
    die('Not on Facebook');
}
// If we are here, then we are on Facebook but we don't have an access token. This means we are unauthenticated.
```
Seeing if we are authenticated
If you are using the JS API, this is easy as there is a call to see if we are authenticated. In the PHP API, which this sample code uses, it is not possible to do this directly. The nearest call in the PHP API, getLoginStatusUrl, generates a URL which, when accessed, redirects you either to a specified URL or back to where you are, with parameters depending on the login status. This is less useful than the JS API, as we cannot simply check whether we are logged in.
Luckily there is an alternative method. Because we do not have a user object when not installed, checking the value returned by getUser tells us whether we are logged in or not.
```php
$user = $facebook->getUser();
if ($user == 0) {
    // We are not authenticated.
    // Facebook API calls will throw an exception if called.
} else {
    // We are authenticated. The value of $user is the user's Facebook ID, which can be used if wanted.
    // We can also now use the Facebook Graph API, i.e. do $facebook->api('/me'), to get details for
    // the current user.
}
```
An alternative option would be to rely on there being session data but no access token. This is functionally equivalent to the above: according to the Facebook documentation, the user_id parameter is only set when authenticated (at the same time that oauth_token is set), so the existence of one implies the existence of the other. Since we need the access token to be set anyway, it is a better choice to test on that instead; this is the method used in this example code.
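The following is an added example, not code from this wiki or from the Facebook PHP SDK. It shows what the SDK's getSignedRequest() check amounts to (the signed_request is a base64url-encoded HMAC-SHA256 signature over a base64url-encoded JSON payload, keyed with the app secret) and then applies the 'on Facebook' and 'installed' checks from the two sections above, including the user_id alternative from the last paragraph. The app secret, user ID, token and other payload values are constructed for the demo, and the function names are this example's own.

```php
<?php
// Added example: verify a Facebook signed_request and classify the request.
// APP_SECRET is a constructed placeholder, not a real secret.
const APP_SECRET = 'constructed-example-secret';

function base64_url_decode($input)
{
    // signed_request uses the URL-safe alphabet and omits '=' padding.
    return base64_decode(strtr($input, '-_', '+/'));
}

function base64_url_encode(string $input): string
{
    return rtrim(strtr(base64_encode($input), '+/', '-_'), '=');
}

// Returns the payload array, or null when the format is wrong, the algorithm
// is not the expected one, or the signature does not match (what the SDK does).
function parse_signed_request(string $signed_request, string $secret): ?array
{
    $parts = explode('.', $signed_request, 2);
    if (count($parts) !== 2) {
        return null;
    }
    list($encoded_sig, $payload) = $parts;
    $sig = base64_url_decode($encoded_sig);
    $json = base64_url_decode($payload);
    if ($sig === false || $json === false) {
        return null;
    }
    $data = json_decode($json, true);
    if (!is_array($data) || strtoupper($data['algorithm'] ?? '') !== 'HMAC-SHA256') {
        return null;
    }
    // The MAC is computed over the still-encoded payload, with the raw (binary) digest.
    $expected_sig = hash_hmac('sha256', $payload, $secret, true);
    // Constant-time comparison so the check does not leak how much of the MAC matched.
    if (!hash_equals($expected_sig, $sig)) {
        return null;
    }
    return $data;
}

// Mirrors the wiki's two checks: no valid session data means we are not on
// Facebook; session data with oauth_token (set together with user_id) means installed.
function classify_request(?array $request_data): string
{
    if (!is_array($request_data)) {
        return 'not_on_facebook';
    }
    if (array_key_exists('oauth_token', $request_data)) {
        return 'installed';
    }
    return 'not_installed';
}

// Demo-only helper: builds a signed_request the way Facebook's canvas would.
function make_signed_request(array $payload, string $secret): string
{
    $encoded = base64_url_encode(json_encode($payload));
    $sig = hash_hmac('sha256', $encoded, $secret, true);
    return base64_url_encode($sig) . '.' . $encoded;
}

// Constructed sample requests.
$basic = array('algorithm' => 'HMAC-SHA256', 'issued_at' => 1300000000,
               'user' => array('country' => 'gb', 'locale' => 'en_GB'));
$installed = make_signed_request($basic + array(
    'user_id' => '100000000000001', 'oauth_token' => 'EXAMPLE_TOKEN'), APP_SECRET);
$not_installed = make_signed_request($basic, APP_SECRET);
// Tampered: payload replaced after signing, so verification must fail.
$tampered = explode('.', $installed, 2)[0] . '.' . base64_url_encode(json_encode(
    $basic + array('user_id' => '1', 'oauth_token' => 'FORGED')));

foreach (array('installed' => $installed, 'not installed' => $not_installed,
               'tampered' => $tampered) as $label => $sr) {
    echo $label, ': ', classify_request(parse_signed_request($sr, APP_SECRET)), PHP_EOL;
}
```

Run with `php example.php`: the first request classifies as installed, the second as not installed, and the tampered one as not on Facebook, because a failed signature check yields null, exactly the case the wiki's first snippet treats as 'Not on Facebook'. A forged oauth_token therefore never reaches setAccessToken.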