php - 检查用户是否喜欢页面的无缝方式

Question

因此，我在我的选项卡上使用了一个 iFrame，并且我正在执行其中一个“像路障”，用户需要喜欢该页面才能查看 secret 内容。有没有更好、更无缝的方式来做到这一点，然后必须征求许可？

我知道对于使用 FBML 构建的选项卡，它们不会请求许可，但我猜这是因为它不是 iframe。

谢谢!

Answer 1

当然可以!如 documentation 中所述，Facebook 将在 signed_request 中向您发送一些额外的详细信息:

When a user navigates to the Facebook Page, they will see your Page Tab added in the next available tab position. Broadly, a Page Tab is loaded in exactly the same way as a Canvas Page. When a user selects your Page Tab, you will received the signed_request parameter with one additional parameter, page. This parameter contains a JSON object with an id (the page id of the current page), admin (if the user is a admin of the page), and liked (if the user has liked the page). As with a Canvas Page, you will not receive all the user information accessible to your app in the signed_request until the user authorizes your app.

代码取 self 的 tutorial应该是这样的:

<?php
if(empty($_REQUEST["signed_request"])) {
    // no signed request where found which means
    // 1- this page was not accessed through a Facebook page tab
    // 2- a redirection was made, so the request is lost
    echo "signed_request was not found!";
} else {
    $app_secret = "APP_SECRET";
    $data = parse_signed_request($_REQUEST["signed_request"], $app_secret);
    if (empty($data["page"]["liked"])) {
        echo "You are not a fan!";
    } else {
        echo "Welcome back fan!";
    }
}

function parse_signed_request($signed_request, $secret) {
    list($encoded_sig, $payload) = explode('.', $signed_request, 2); 

    // decode the data
    $sig = base64_url_decode($encoded_sig);
    $data = json_decode(base64_url_decode($payload), true);

    if (strtoupper($data['algorithm']) !== 'HMAC-SHA256') {
        error_log('Unknown algorithm. Expected HMAC-SHA256');
        return null;
    }

    // check sig
    $expected_sig = hash_hmac('sha256', $payload, $secret, $raw = true);
    if ($sig !== $expected_sig) {
        error_log('Bad Signed JSON signature!');
        return null;
    }

    return $data;
}

function base64_url_decode($input) {
    return base64_decode(strtr($input, '-_', '+/'));
}
?>

更新代码:虽然以前的代码可以工作。我没有检查请求的有效性。这意味着有人可以篡改请求并向您发送虚假信息(比如将 admin 设置为 true!)。代码已更新，遵循 signed_request documentation方法。