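===== サンプル - cakephp - controller =====
        Credit->get();
        if ($json === false) {
            $this->renderErrorJson($this->Credits->validationErrors);
            return;
        }
        $this->renderJson($json);
    }

    // callback
    /**
     * Facebook canvas callback.
     *
     * Reads the requested operation (`method`) and the Facebook `signed_request`
     * from the request, verifies the signed_request against the configured app
     * secret, and hands the verified payload to Credit->creditOrder().
     * Any failure to verify is reported as an illegal request; the payload is
     * never used unless its signature checked out.
     */
    public function callback()
    {
        // Which operation the caller wants; interpreted by Credit->creditOrder(), opaque here.
        $func = isset($_REQUEST['method']) ? $_REQUEST['method'] : null;
        // Facebook app secret used to verify signed_request. Configure::read() yields
        // null when the key is absent; we fail closed in that case rather than
        // verifying against an empty key.
        $secret = Configure::read('mlbapi.facebook_secret');
        $signedRequest = isset($_REQUEST['signed_request']) ? $_REQUEST['signed_request'] : null;

        // Verify the signature and decode the payload. null means verification failed
        // (or nothing verifiable was supplied), which is treated as an illegal request.
        $request = null;
        if (is_string($signedRequest) && is_string($secret) && $secret !== '') {
            $request = $this->parse_signed_request($signedRequest, $secret);
        }
        if ($request === null) {
            $this->renderErrorJson(array('request' => 'Illegal request error. '));
            return;
        }

        // Run the actual operation with the requested method and the verified payload.
        $json = $this->Credit->creditOrder($func, $request);
        if ($json === false) {
            // NOTE(review): errors are read from Credits while the call went to Credit —
            // confirm both models are loaded on this controller (same pattern as get()).
            $this->renderErrorJson($this->Credits->validationErrors);
            return;
        }
        $this->renderJson($json);
    }

    // you can find the following functions and more details
    // on http://developers.facebook.com/docs/authentication/canvas
    /**
     * Verify and decode a Facebook signed_request.
     *
     * @param string $signed_request "<base64url sig>.<base64url JSON payload>"
     * @param string $secret         Facebook app secret (HMAC key)
     * @return array|null Decoded payload when the HMAC-SHA256 signature verifies,
     *                    null for a malformed request, unexpected algorithm or bad signature.
     */
    protected function parse_signed_request($signed_request, $secret)
    {
        if (!is_string($signed_request) || !is_string($secret) || $secret === '') {
            return null;
        }

        // explode() with no '.' returns a single element; list() would then emit a notice.
        $parts = explode('.', $signed_request, 2);
        if (count($parts) !== 2) {
            error_log('Malformed signed_request: expected "<sig>.<payload>"');
            return null;
        }
        list($encoded_sig, $payload) = $parts;

        // decode the data
        $sig = $this->base64_url_decode($encoded_sig);
        $data = json_decode($this->base64_url_decode($payload), true);

        // Reject anything that is not a JSON object declaring HMAC-SHA256 before
        // touching the signature, so a bad payload cannot trigger type warnings.
        if (!is_array($data)
            || !isset($data['algorithm'])
            || !is_string($data['algorithm'])
            || strtoupper($data['algorithm']) !== 'HMAC-SHA256') {
            error_log('Unknown algorithm. Expected HMAC-SHA256');
            return null;
        }

        // check signature: the HMAC is computed over the still-encoded payload, as
        // Facebook specifies. hash_equals() is constant-time, so the comparison does
        // not leak how many leading bytes of the signature matched.
        $expected_sig = hash_hmac('sha256', $payload, $secret, true);
        if (!is_string($sig) || !hash_equals($expected_sig, $sig)) {
            error_log('Bad Signed JSON signature!');
            return null;
        }
        return $data;
    }

    /**
     * Decode base64url (RFC 4648 §5: '-' and '_' instead of '+' and '/').
     *
     * @param string $input base64url text, padding optional
     * @return string|false Decoded bytes, or false when base64_decode() rejects the input
     */
    protected function base64_url_decode($input)
    {
        return base64_decode(strtr($input, '-_', '+/'));
    }
}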