// Default to a server error; the two success paths further down replace
// this with a 200 OK once the request has been validated.
header('HTTP/1.0 500 Internal Server Error');
// Wildcard CORS: responses from this endpoint are readable from any web origin.
header("Access-Control-Allow-Origin: *");
7 header('HTTP/1.0 400 Bad Request');
8 header('Content-type: text/plain; charset=utf-8');
/**
 * Fetch a required parameter or abort the request.
 *
 * @param array  $givenParams Parameter map ($_POST or a parsed token payload)
 * @param string $paramName   Key that must be present
 *
 * @return mixed The parameter value. Relies on error() — defined elsewhere
 *               in this file — not returning when the key is missing.
 */
function verifyParameter($givenParams, $paramName)
{
    $isPresent = isset($givenParams[$paramName]);
    if (!$isPresent) {
        // isset() also treats an explicit null value as missing
        $message = sprintf('"%s" parameter missing', $paramName);
        error($message);
    }

    return $givenParams[$paramName];
}
/**
 * Fetch a required parameter and check that it parses as an absolute URL.
 *
 * Only the presence of a scheme and a host is verified: the scheme is not
 * restricted to http/https and nothing else about the URL is validated.
 *
 * @param array  $givenParams Parameter map
 * @param string $paramName   Key whose value must be a URL
 *
 * @return mixed The raw, unmodified parameter value. Relies on error()
 *               (defined elsewhere in this file) not returning.
 */
function verifyUrlParameter($givenParams, $paramName)
{
    // Same presence check as verifyParameter(), inlined here
    if (!isset($givenParams[$paramName])) {
        error('"' . $paramName . '" parameter missing');
    }
    $rawUrl = $givenParams[$paramName];
    $components = parse_url($rawUrl);

    // Checked in this order so the first missing piece is the one reported
    foreach (['scheme', 'host'] as $required) {
        if (!isset($components[$required])) {
            error(sprintf('Invalid URL in "%s" parameter: %s missing', $paramName, $required));
        }
    }

    return $rawUrl;
}
/**
 * Fetch a parameter, falling back to $default when it is absent.
 *
 * @param array  $givenParams Parameter map
 * @param string $paramName   Key to look up
 * @param mixed  $default     Returned when the key is unset (or null)
 *
 * @return mixed The parameter value, or $default
 */
function getOptionalParameter($givenParams, $paramName, $default)
{
    $value = $default;
    if (isset($givenParams[$paramName])) {
        $value = $givenParams[$paramName];
    }

    return $value;
}
41 if ($_SERVER['REQUEST_METHOD'] == 'GET') {
43 if (isset($_SERVER['HTTP_AUTHORIZATION'])) {
44 $auth = $_SERVER['HTTP_AUTHORIZATION'];
45 } else if (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) {
46 //php-cgi has it there
47 $auth = $_SERVER['REDIRECT_HTTP_AUTHORIZATION'];
49 error('Authorization HTTP header missing');
52 $parts = explode(' ', $auth, 2);
53 if (count($parts) != 2) {
54 error('Authorization header must container "Bearer" and the token');
57 list($bearer, $token) = $parts;
58 if ($bearer !== 'Bearer') {
59 error('Authorization header must start with "Bearer"');
62 //FIXME: this only base64-decodes the token; it is neither encrypted nor signed (the "signature" field below is a fixed placeholder), so use real authenticated encryption or signing
63 $encData = base64_decode($token);
64 if ($encData === false) {
65 error('Invalid token data');
67 parse_str($encData, $data);
68 $emoji = verifyParameter($data, 'emoji');
69 $signature = verifyParameter($data, 'signature');
70 $me = verifyUrlParameter($data, 'me');
71 $client_id = verifyUrlParameter($data, 'client_id');
72 $scope = verifyParameter($data, 'scope');
74 if ($emoji != '\360\237\222\251') {
75 error('Dog poo missing');
77 if ($signature != 'FIXME') {
78 error('Invalid signature');
81 header('HTTP/1.0 200 OK');
82 header('Content-type: application/json');
86 'client_id' => $client_id,
91 } else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
93 //we ignore the "me" parameter; it's for proxies only
94 // see https://github.com/cweiske/anoweco/issues/3
95 $redirect_uri = verifyUrlParameter($_POST, 'redirect_uri');
96 $client_id = verifyUrlParameter($_POST, 'client_id');
97 $code = verifyParameter($_POST, 'code');//auth token
98 $state = getOptionalParameter($_POST, 'state', null);
101 parse_str(base64_decode($code), $codeParts);
102 $emoji = verifyParameter($codeParts, 'emoji');
103 $signature = verifyParameter($codeParts, 'signature');
104 $me = verifyUrlParameter($codeParts, 'me');
105 if ($emoji != '\360\237\222\251') {
106 error('Auth token: Dog poo missing');
108 if ($signature != 'FIXME') {
109 error('Auth token: Invalid signature');
112 //FIXME: check if state is set
113 //FIXME: check auth endpoint if parameters are valid
114 // and to get the scope
117 //FIXME: base64 is an encoding, not encryption; sign or encrypt the token for real
118 $access_token = base64_encode(
121 'emoji' => '\360\237\222\251',
123 'client_id' => $client_id,
125 'signature' => 'FIXME',
129 header('HTTP/1.0 200 OK');
130 header('Content-type: application/json');
133 'access_token' => $access_token,
134 'token_type' => 'Bearer',