feat: Support securing requests

#67

README.md

@@ -36,6 +36,17 @@ php artisan vendor:publish --provider="Casperlaitw\LaravelFbMessenger\LaravelFbM
 
 ## Configuration 
 
+### Security
+
+Almost every API request with `access_token`, if you want to improved security in your app,
+you can use `appsecret_proof`. Please add `MESSENGER_APP_SECRET` to `.env` file and enable proof on all calls.
+*If you don't know how to get secret token and enabled proof, please checkout [Graph Api](https://developers.facebook.com/docs/graph-api/securing-requests)*
+
+`.env`
+```
+MESSENGER_APP_SECRET="APP SECRET TOKEN"
+```
+
 ### Token
 Add you token to `.env` file or modify `fb-messenger.php` config.
 

composer.json

@@ -45,5 +45,10 @@
     },
     "config": {
       "preferred-install": "dist"
+    },
+    "extra": {
+        "branch-alias": {
+            "dev-master": "1.4.x-dev"
+        }
     }
 }

config/fb-messenger.php

@@ -3,6 +3,7 @@
     'debug' => env('APP_DEBUG', false),
     'verify_token' => env('MESSENGER_VERIFY_TOKEN'),
     'app_token' => env('MESSENGER_APP_TOKEN'),
+    'app_secret' => env('MESSENGER_APP_SECRET', null),
     'auto_typing' => true,
     'handlers' => [
         Casperlaitw\LaravelFbMessenger\Contracts\DefaultHandler::class

src/Commands/BaseCommand.php

@@ -31,6 +31,9 @@ abstract class BaseCommand extends Command
     public function __construct(CommandHandler $handler, Repository $config)
     {
         parent::__construct();
-        $this->handler = $handler->createBot($config->get('fb-messenger.app_token'));
+        $this->handler = $handler->createBot(
+            $config->get('fb-messenger.app_token'),
+            $config->get('fb-messenger.app_secret')
+        );
     }
 }

src/Contracts/BaseHandler.php

@@ -26,12 +26,14 @@ abstract class BaseHandler implements HandlerInterface
      * Create bot to send API
      *
      * @param $token
+     * @param $secret
      *
      * @return $this
      */
-    public function createBot($token)
+    public function createBot($token, $secret = null)
     {
         $this->bot = new Bot($token);
+        $this->bot->setSecret($secret);
 
         return $this;
     }

src/Contracts/Bot.php

@@ -52,6 +52,11 @@ class Bot
      */
     private $debug = null;
 
+    /**
+     * @var null|string
+     */
+    private $secret;
+
     /**
      * FbBotApp constructor.
      * @param string $token
@@ -70,6 +75,15 @@ public function setDebug($debug)
         $this->debug = $debug;
     }
 
+    /**
+     * @param $secret
+     * @return $this
+     */
+    public function setSecret($secret)
+    {
+        $this->secret = hash_hmac('sha256', $this->token, $secret);
+    }
+
     /**
      * Request to API
      *
@@ -89,6 +103,10 @@ protected function call($url, $data, $type = self::TYPE_POST)
                 ],
             ];
 
+            if ($this->secret) {
+                $options['query']['appsecret_proof'] = $this->secret;
+            }
+
             switch ($type) {
                 case self::TYPE_DELETE:
                 case self::TYPE_POST:

tests/CommandTrait.php

@@ -21,6 +21,9 @@ private function getArtisan()
             ->shouldReceive('get')
             ->with('fb-messenger.app_token')
             ->andReturn(getenv('MESSENGER_APP_TOKEN'))
+            ->shouldReceive('get')
+            ->with('fb-messenger.app_secret')
+            ->andReturn(getenv('MESSENGER_APP_SECRET'))
             ->getMock();
 
         $response = m::mock(HandleMessageResponse::class)->makePartial();

tests/Contracts/BotTest.php

@@ -17,7 +17,7 @@ class BotTest extends TestCase
 {
     protected function setUp()
     {
-        parent::setUp(); // TODO: Change the autogenerated stub
+        parent::setUp();
         $this->bot = new Bot(getenv('MESSENGER_APP_TOKEN'));
     }
 
@@ -76,4 +76,15 @@ public function test_pusher_connect_fail()
             ->andReturn([]);
         $this->bot->send($message);
     }
+
+    public function test_securing_request()
+    {
+        $appSecret = 'test_app_secret';
+        $expected = hash_hmac('sha256', getenv('MESSENGER_APP_TOKEN'), $appSecret);
+        $this->bot->setSecret($appSecret);
+        $actual = $this->getPrivateProperty(Bot::class, 'secret')->getValue($this->bot);
+
+        $this->assertEquals($expected, $actual);
+
+    }
 }