php - How to Create an anti-request forgery state token In google+ server side sign-up

Question

    <?php
     require_once '/google-api-php-client/src/Google_Client.php';
     require_once '/google-api-php-client/src/contrib/Google_PlusService.php';

     session_start();
     // Create a state token to prevent request forgery.
     // Store it in the session for later validation.
     $state = md5(rand());
     $app['session']->set('state', $state);
     // Set the client ID, token state, and application name in the HTML while
     // serving it.
     return $app['twig']->render('index.html', array(
      'CLIENT_ID' => CLIENT_ID,
      'STATE' => $state,
      'APPLICATION_NAME' => APPLICATION_NAME
     ));

      // Ensure that this is no request forgery going on, and that the user
     // sending us this connect request is the user that was supposed to.
    if ($request->get('state') != ($app['session']->get('state'))) {
    return new Response('Invalid state parameter', 401);
   }


    $code = $request->getContent();
    $gPlusId = $request->get['gplus_id'];
    // Exchange the OAuth 2.0 authorization code for user credentials.
    $client->authenticate($code);

    $token = json_decode($client->getAccessToken());
    // Verify the token
    $reqUrl = 'https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=' .
          $token->access_token;
    $req = new Google_HttpRequest($reqUrl);

    $tokenInfo = json_decode(
      $client::getIo()->authenticatedRequest($req)->getResponseBody());

     // If there was an error in the token info, abort.
    if ($tokenInfo->error) {
    return new Response($tokenInfo->error, 500);
    }
     // Make sure the token we got is for the intended user.
     if ($tokenInfo->userid != $gPlusId) {
      return new Response(
        "Token's user ID doesn't match given user ID", 401);
     }
    // Make sure the token we got is for our app.
    if ($tokenInfo->audience != CLIENT_ID) {
    return new Response(
        "Token's client ID does not match app's.", 401);
    }

    // Store the token in the session for later use.
    $app['session']->set('token', json_encode($token));
    $response = 'Succesfully connected with token: ' . print_r($token, true);
   ?>

This is my code.php.
I have taken this code from https://developers.google.com/+/web/signin/server-side-flow. I want to add google+ server side sign-up in to my application. so i decide to run the sample code. I am getting the error while i have run the code. I have already include the Google APIs client library for PHP. I am unable to use set and render function which are shown in the code

this is My index.html


    <!-- The top of file index.html -->
    <html itemscope itemtype="http://schema.org/Article">
    <head>
    <!-- BEGIN Pre-requisites -->
    <script src="//ajax.googleapis.com/ajax/libs/jquery/1.8.2/jquery.min.js">
    </script>
    <script type="text/javascript">
     (function () {
      var po = document.createElement('script');
      po.type = 'text/javascript';
      po.async = true;
      po.src = 'https://plus.google.com/js/client:plusone.js?onload=start';
      var s = document.getElementsByTagName('script')[0];
      s.parentNode.insertBefore(po, s);
    })();
  </script>
  <!-- END Pre-requisites -->
</head>
<!-- ... -->
</html>

<!-- Add where you want your sign-in button to render -->
<div id="signinButton">
  <span class="g-signin"
    data-scope="https://www.googleapis.com/auth/plus.login"
    data-clientid="YOUR_CLIENT_ID"
    data-redirecturi="postmessage"
    data-accesstype="offline"
    data-cookiepolicy="single_host_origin"
    data-callback="signInCallback">
  </span>
</div>
<div id="result"></div>

    <!-- Last part of BODY element in file index.html -->
   <script type="text/javascript">

      function signInCallback(authResult) {
      if (authResult['code']) {

      // Hide the sign-in button now that the user is authorized, for example:
     $('#signinButton').attr('style', 'display: none');

     // Send the code to the server
     $.ajax({
      type: 'POST',
      url: 'plus.php?storeToken',
      contentType: 'application/octet-stream; charset=utf-8',
      success: function(result) {
        // Handle or verify the server response if necessary.

        // Prints the list of people that the user has allowed the app to know
        // to the console.
        console.log(result);
        if (result['profile'] && result['people']){
          $('#results').html('Hello ' + result['profile']['displayName'] + '. You successfully made a server side call to people.get and people.list');
        } else {
          $('#results').html('Failed to make a server-side call. Check your configuration and console.');
        }
      },
      processData: false,
      data: authResult['code']
    });
    }  
     else if (authResult['error']) {
      // There was an error.
      // Possible error codes:
      //   "access_denied" - User denied access to your app
      //   "immediate_failed" - Could not automatially log in the user
      // console.log('There was an error: ' + authResult['error']);
    }
    }
  </script>

Answer 1

I believe the issue is with the documentation providing you incomplete code snippets (I've opened a bug about that). That particular sample relies on Symfony, which is what you're encountering with the missing variable/method.

The PHP Quickstart provides the full instructions to get this particular sample set up. You can also get the full source code from Github.

You don't have to use Symfony of course but if you choose to go with native PHP methods, you'd need to update the references to $request, $app, and other Symfony methods that the sample uses.