Blog Not just another WordPress weblog


Building Facebook application with Kohana 3.0.9

After hearing a lot of good things about Kohana I started to look into it. I did a little history reading and realized it used to be an active fork of CodeIgniter but has changed entirely since version 3, or KO3. At the time of writing this blog, I have spent about 12 hours studying the HMVC framework, so I might be wrong but like always am not in doubt.

As this is my very first encounter with this framework, I decided to follow a series of very helpful tutorials. Currently version is the stable release, but I used the older 3.0.9. I do not see much difference other than how to handle view from the controller. Certainly I have to do more research on this!

Coming from using CodeIgniter for a long time my obvious interest was in the configuration side of things and I am very impressed with Kohana! The configuration was simple and less "variables" to configure.

As I was working with Facebook, my first concern was nice URLs! I had some serious trouble with this and wrote about my experience here. Kohana needed no configuration. Not only that, seems like the SEO friendly URL structure works very nicely with the GET!

Database configuration was ok, nothing special. Maybe it was a little confusing when I had to copy the config files from another location, “database.php” from “modules/database/config/” to “application/config/”.

For PHP syntax errors Kohana is giving me a 324 error and it is a little hard to debug. There might be some ways to enable proper error console.

The naming convention for controllers and models is very interesting, I can't tell if it is any better, but I had no issue so far. Using _ for finding proper location for classes is an old trick but it is done nicely here. Separating the class folder  from the views is a good point.

The before and after methods of the controller is amazing! My approach was using the constructor, but before method provides a good way of initializing my variables. I briefly looked into the template controller which seems to be very efficient. I am not using that controller however.

The most amazing thing about Kohana I think is the ease of  including 3rd party libraries! I created the "vendor/Facebook" folder under the application folder and just dropped the facebook.php file from the Facebook PHP SDK.  Here is the call to include the class

include Kohana::find_file('vendor/Facebook', 'facebook');
$this->facebook = new Facebook(array(
	'appId'  => $this->app_id,
	'secret' => $this->secret,
	'cookie' => true,

This sample application is good as fullwidth (720px) application and a smaller(520px) tab application. The difference is actually not on the CSS, but the way I am handling the permission dialog. From the application, I am redirecting the user to the Graph API authorization page. I could use the JavaScript API but the latter actually fires a browser pop-up window! I am using the JavaScript SDK for permission on the application installed in the tab however. Using this on application installed on a page tab gives a much smoother user experience.

Some interesting Facebook (new)issues I have discovered:

  1. If I am the admin to the page or developer for the application the permission mechanism doesnt work at all sometimes. Even after "liking" the page it is still showing that I have yet to "like" it.
  2. Almost the same thing happens with the permission. When I am the developer I have to keep providing the permission every time I am visiting the app.
  3. If I do not allow the application authorization, it keeps it to that state for a bit and do not let me fire the authorization window again. It does after a few minutes however!

Here is the zip file. The database file(fbkohana.sql) is also included here. I am using jQuery 1.4.4, which is also included in the "assets" folder. Please comment! Find my mistakes and do let me know.

Happy coding!


User ID from Facebook application installed on profile tab

Facebook platform does not give direct access to the user ID through a (Ajax or http form)post from an application installed on a profile tab(mainly fan page, Facebook removing user's profile tab soon). So application installed on a profile tab can not record user activity, can not get the user to permit the application either.

But, using the new OAuth 2.0 for canvas pages, it is pretty easy and efficient. This feature could be activated from the applications advanced settings. Once activated the platform sends only one POST variable called signed_request. I found the following code on the developer's forum. This code can re-generate the viewing user ID. If the ID is not present, the user never provided(added) the application!

function parse_signed_request($signed_request, $secret) {
 list($encoded_sig, $payload) = explode('.', $signed_request, 2); 
 // decode the data
 $sig = $this->base64_url_decode($encoded_sig);
 $data = json_decode($this->base64_url_decode($payload), true);
 if (strtoupper($data['algorithm']) !== 'HMAC-SHA256') {
  error_log('Unknown algorithm. Expected HMAC-SHA256');
  return null;
 // check sig
 $expected_sig = hash_hmac('sha256', $payload, $secret, $raw = true);
 if ($sig !== $expected_sig) {
  error_log('Bad Signed JSON signature!');
  return null;
 return $data;
function base64_url_decode($input) {
 return base64_decode(strtr($input, '-_', '+/'));