サンプル - cakephp - controller

<?php
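class CreditsController extends AppController {

    public $name = 'Credits';
    public $helpers = array('Js');
    public $components = array('RequestHandler');

    // Fetch the credit item information used to build the item list and
    // answer with it as JSON. When the model reports failure (=== false) the
    // model's validation errors are rendered instead.
    public function get_items() {
        $json = $this->Credit->get();
        if ($json === false) {
            // The model bound to this controller is $this->Credit (see the
            // call above); the error path used to read $this->Credits, which
            // is never set here and therefore rendered no errors at all.
            $this->renderErrorJson($this->Credit->validationErrors);
            return;
        }
        $this->renderJson($json);
    }

    // Facebook canvas callback. Verifies the signed_request against the app
    // secret and hands the verified payload, together with the requested
    // method name, to Credit::creditOrder(). Always responds with JSON.
    public function callback() {
        // Processing state requested by the caller (untrusted input; passed
        // through to the model unchanged, null when absent).
        $func = isset($_REQUEST['method']) ? $_REQUEST['method'] : null;

        // Facebook application secret key.
        $secret = Configure::read('mlbapi.facebook_secret');

        // Decode the signed payload with the secret. A missing signed_request
        // can never verify, so it is treated like a failed verification
        // instead of being fed into the parser.
        $request = null;
        if (isset($_REQUEST['signed_request'])) {
            $request = $this->parse_signed_request($_REQUEST['signed_request'], $secret);
        }

        // Verification failure means a forged or malformed request.
        // Strict comparison: an empty-but-verified payload is not "illegal".
        if ($request === null) {
            $this->renderErrorJson(array('request' => 'Illegal request error. '));
            return;
        }

        // Run the real processing with the state and the verified payload.
        $json = $this->Credit->creditOrder($func, $request);
        if ($json === false) {
            // Same model as above ($this->Credit, not $this->Credits).
            $this->renderErrorJson($this->Credit->validationErrors);
            return;
        }
        $this->renderJson($json);
    }

    // Decode and verify a Facebook signed_request of the form
    // "<base64url signature>.<base64url JSON payload>"; see
    // http://developers.facebook.com/docs/authentication/canvas
    //
    // Returns the decoded payload as an associative array, or null when the
    // value is malformed, declares an algorithm other than HMAC-SHA256, or
    // carries a signature that does not match $secret. Callers must not trust
    // the payload unless this returns non-null.
    protected function parse_signed_request($signed_request, $secret) {
        // Without the separator list() below would hit an undefined offset.
        if (!is_string($signed_request) || strpos($signed_request, '.') === false) {
            error_log('Malformed signed request: expected "<signature>.<payload>"');
            return null;
        }
        list($encoded_sig, $payload) = explode('.', $signed_request, 2);

        // An unset secret would make every signature "verify" against an
        // empty key, so refuse to verify anything in that case.
        if (!is_string($secret) || $secret === '') {
            error_log('Facebook secret key is not configured');
            return null;
        }

        // decode the data
        $sig  = $this->base64_url_decode($encoded_sig);
        $data = json_decode($this->base64_url_decode($payload), true);
        if (!is_array($data)) {
            error_log('Signed request payload is not a JSON object');
            return null;
        }
        if (!isset($data['algorithm']) || !is_string($data['algorithm'])
            || strtoupper($data['algorithm']) !== 'HMAC-SHA256') {
            error_log('Unknown algorithm. Expected HMAC-SHA256');
            return null;
        }

        // check signature (the HMAC is over the still-encoded payload).
        // hash_equals() (PHP >= 5.6) compares in constant time so a forged
        // signature cannot be refined byte by byte from response timing;
        // the known-good value goes first, the user-supplied one second.
        $expected_sig = hash_hmac('sha256', $payload, $secret, true);
        if ($sig === false || !hash_equals($expected_sig, $sig)) {
            error_log('Bad Signed JSON signature!');
            return null;
        }
        return $data;
    }

    // Decode a base64url string (RFC 4648 "-" / "_" alphabet) by mapping it
    // to the standard alphabet first. Returns false on undecodable input, as
    // base64_decode() does; missing "=" padding is tolerated.
    protected function base64_url_decode($input) {
        return base64_decode(strtr($input, '-_', '+/'));
    }
}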