Decoding fbinstant timestamp using get_signed_player_info() (SOLVED)

I want to get a server timestamp from Facebook Instant. The only method allowing this appears to be get_signed_player_info(). It returns a string like this:

Eii6e636mz5J47sfqAYEK40jYAwoFqi3x5bxHkPG4Q4.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImlzc3VlZF9hdCI6MTUwMDM5ODY3NSwicGxheWVyX2lkIjoiMTI0OTUyNTMwMTc1MjIwMSIsInJlcXVlc3RfcGF5bG9hZCI6Im15X2ZpcnN0X3JlcXVlc3QifQ

Facebook says you need to decode it like this to be able to access the timestamp:

  • Split the signature into two parts delimited by the ‘.’ character.
  • Decode the first part (the encoded signature) with base64url encoding.
  • Decode the second part (the response payload) with base64url encoding, which should be a string representation of a JSON object that has the following fields:
      • algorithm - always equals to HMAC-SHA256
      • issued_at - a unix timestamp of when this response was issued.
      • player_id - unique identifier of the player.
      • request_payload - the requestPayload string you specified when calling FBInstant.player.getSignedPlayerInfoAsync.

How would I decode the second part with “base64url encoding”? I’ve tried to use this Lua module, but it returns a garbled string, probably because it’s not “url safe”.

Turns out it was my splitting function that didn’t work properly! Once replaced, I’m able to get the timestamp just fine. Leaving this here For Shame ™.

2 Likes

Hmm, this should maybe be provided by the extension? Would you mind creating a ticket so that we can take a look at adding it to the extension?

1 Like

I’m actually not sure if that would be a good idea. The main reason the get_signed_player_info() method exists seems to be to verify, on server side, that the player is genuine. The reason I’m using it is just to get the timestamp.

I suppose the string could be split and decoded by the extension, but maybe there is a (security) reason it comes in this format?
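Added example, not part of the original thread or of the Defold extension: a server-side check of the string returned by get_signed_player_info(), written in Python. It assumes the signature is HMAC-SHA256 over the encoded payload part, keyed with the app secret; `verify_signed_info`, `make_demo_token`, `max_age` and the demo secret are hypothetical names and constructed values.

```python
import base64, hashlib, hmac, json

# Payload part (after the '.') of the string quoted in the first post.
PAGE_SAMPLE_PAYLOAD = "eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImlzc3VlZF9hdCI6MTUwMDM5ODY3NSwicGxheWVyX2lkIjoiMTI0OTUyNTMwMTc1MjIwMSIsInJlcXVlc3RfcGF5bG9hZCI6Im15X2ZpcnN0X3JlcXVlc3QifQ"

class InvalidSignedInfo(Exception):
    """Raised when the token is malformed, forged or too old."""

def b64url_decode(part: str) -> bytes:
    # base64url tokens omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def decode_payload(payload_part: str) -> dict:
    # Decoding alone proves nothing: anyone can craft this JSON.
    return json.loads(b64url_decode(payload_part))

def verify_signed_info(token: str, app_secret: bytes, now: int, max_age: int = 300) -> dict:
    sig_part, sep, payload_part = token.partition(".")
    if not sep or "." in payload_part:
        raise InvalidSignedInfo("expected exactly two '.'-separated parts")
    try:
        supplied = b64url_decode(sig_part)
        # Assumption: the MAC covers the *encoded* payload string.
        expected = hmac.new(app_secret, payload_part.encode("ascii"), hashlib.sha256).digest()
    except ValueError as exc:
        raise InvalidSignedInfo("undecodable token") from exc
    if not hmac.compare_digest(supplied, expected):  # constant-time compare
        raise InvalidSignedInfo("signature mismatch")
    payload = decode_payload(payload_part)  # parsed only after the MAC checks out
    if payload.get("algorithm") != "HMAC-SHA256":
        raise InvalidSignedInfo("unexpected algorithm")
    # max_age is a hypothetical freshness window that limits replay of old tokens.
    if not 0 <= now - int(payload["issued_at"]) <= max_age:
        raise InvalidSignedInfo("token outside freshness window")
    return payload

def make_demo_token(payload: dict, app_secret: bytes) -> str:
    # Builds a constructed token for testing; real tokens come from Facebook.
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")
    payload_part = enc(json.dumps(payload).encode("utf-8"))
    sig = hmac.new(app_secret, payload_part.encode("ascii"), hashlib.sha256).digest()
    return enc(sig) + "." + payload_part

if __name__ == "__main__":
    print(decode_payload(PAGE_SAMPLE_PAYLOAD)["issued_at"])
```

Reading `issued_at` straight from the payload, as the client does in this thread, gives a value the player can alter; only a server holding the app secret can confirm it.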