I know that in the last update of the Facebook API, there is the possibility of providing an appsecret_proof, which is the access token signed with the app_secret.
Now the problem is that, regardless of the option that I set on my Facebook app (enable/disable: Require AppSecret Proof for Server API calls), I always get:
Invalid appsecret_proof provided in the API argument
I discovered that the last version of php-facebook-sdk always inserts appsecret_proof among the parameters:
...
if (isset($params['access_token'])) {
    $params['appsecret_proof'] = $this->getAppSecretProof($params['access_token']);
}
...
protected function getAppSecretProof($access_token) {
    return hash_hmac('sha256', $access_token, $this->getAppSecret());
}
...
If I disable the check on my app and comment out the line that inserts the parameter, everything works fine; otherwise I get the error.
Now, where am I wrong?
I triple-checked $access_token, $this->getAppSecret() and the doc; all seem correct.
Any clues?
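
The proof construction quoted above, shown with both the client side and a recomputing check, as an added example that is not part of the original post or of php-facebook-sdk. The function names, the verifier and all token and secret values are constructed for illustration; the check assumes the receiving side recomputes the same HMAC-SHA256 with its own copy of the app secret.

```php
<?php
// Added illustration; all values below are constructed, not real credentials.

/** Hex HMAC-SHA256 of the access token, keyed with the app secret. */
function make_appsecret_proof(string $accessToken, string $appSecret): string
{
    return hash_hmac('sha256', $accessToken, $appSecret);
}

/** Hypothetical verifier: recompute the proof and compare in constant time. */
function verify_appsecret_proof(string $accessToken, string $proof, string $appSecret): bool
{
    return hash_equals(make_appsecret_proof($accessToken, $appSecret), $proof);
}

$secret = 'constructed-app-secret';
$token  = 'constructed-access-token';
$proof  = make_appsecret_proof($token, $secret);

// Each case is [token seen by the verifier, secret held by the verifier].
$cases = [
    'same token, same secret'         => [$token, $secret],
    'token with trailing newline'     => [$token . "\n", $secret],
    'verifier holds different secret' => [$token, 'constructed-other-secret'],
];

foreach ($cases as $label => [$seenToken, $heldSecret]) {
    $ok = verify_appsecret_proof($seenToken, $proof, $heldSecret);
    printf("%-34s %s\n", $label, $ok ? 'valid' : 'invalid');
}
```

Only the first case verifies: the proof is bound byte for byte to one token and one secret, so any difference in either input on the two sides produces a mismatch.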