2 header('HTTP/1.0 500 Internal Server Error');
6 header('HTTP/1.0 400 Bad Request');
7 header('Content-type: text/plain; charset=utf-8');
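/**
 * Return a required parameter, reporting an error when it is absent or not a string.
 *
 * The parameter sets passed in by this script ($_POST and the output of
 * parse_str() on a decoded token) are client-controlled, and both turn
 * "name[]=x" into an array. Callers hand the result to string functions
 * and string comparisons, so non-string values are rejected here.
 *
 * error() is defined outside this block; the code relies on it ending
 * the request (presumably with the 400 response set up above) - confirm.
 *
 * @param array  $givenParams Parameters to look in
 * @param string $paramName   Key that has to be present
 *
 * @return string The parameter value
 */
function verifyParameter($givenParams, $paramName)
{
    if (!isset($givenParams[$paramName])) {
        error('"' . $paramName . '" parameter missing');
    }

    $value = $givenParams[$paramName];
    if (!is_string($value)) {
        error('"' . $paramName . '" parameter must be a string');
    }

    return $value;
}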
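/**
 * Return a required parameter after checking that it looks like an absolute URL.
 *
 * The value has to be a string that parse_url() can split into at least a
 * scheme and a host. Nothing else is checked: any scheme is accepted, so a
 * caller that redirects to or fetches the value still has to restrict it.
 *
 * error() is defined outside this block; the code relies on it ending
 * the request - confirm.
 *
 * @param array  $givenParams Parameters to look in (client-controlled)
 * @param string $paramName   Key that has to hold the URL
 *
 * @return string The unmodified parameter value
 */
function verifyUrlParameter($givenParams, $paramName)
{
    $value = verifyParameter($givenParams, $paramName);
    if (!is_string($value)) {
        // $_POST and parse_str() turn "name[]=x" into an array,
        // which parse_url() does not accept
        error('Invalid URL in "' . $paramName . '" parameter: not a string');
    }

    $url = parse_url($value);
    // parse_url() returns false for seriously malformed URLs
    if ($url === false || !isset($url['scheme'])) {
        error('Invalid URL in "' . $paramName . '" parameter: scheme missing');
    }
    if (!isset($url['host'])) {
        error('Invalid URL in "' . $paramName . '" parameter: host missing');
    }

    return $value;
}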
// Look up an optional parameter: when $givenParams[$paramName] is set, its
// value is returned unchanged (no type or format check is applied to it).
32 function getOptionalParameter($givenParams, $paramName, $default)
34 if (!isset($givenParams[$paramName])) {
// NOTE(review): the body of this branch (original line 35) is not part of
// this listing; presumably it returns $default - confirm against the file.
37 return $givenParams[$paramName];
// GET request: check the bearer token sent in the Authorization header and
// echo fields taken from it as form-encoded data (client_id is visible
// below; the other array entries are not part of this listing).
40 if ($_SERVER['REQUEST_METHOD'] == 'GET') {
// The header is read from HTTP_AUTHORIZATION, with REDIRECT_HTTP_AUTHORIZATION
// as the fallback.
42 if (isset($_SERVER['HTTP_AUTHORIZATION'])) {
43 $auth = $_SERVER['HTTP_AUTHORIZATION'];
44 } else if (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) {
45 //php-cgi has it there
46 $auth = $_SERVER['REDIRECT_HTTP_AUTHORIZATION'];
48 error('Authorization HTTP header missing');
// Split at the first space only: auth scheme, then the token.
51 $parts = explode(' ', $auth, 2);
52 if (count($parts) != 2) {
53 error('Authorization header must container "Bearer" and the token');
56 list($bearer, $token) = $parts;
57 if ($bearer !== 'Bearer') {
58 error('Authorization header must start with "Bearer"');
61 //FIXME: use real decryption
// NOTE(review): the token is only base64-decoded here. base64 is an
// encoding, so everything in the token is readable and client-controlled.
// NOTE(review): without its strict flag, base64_decode() does not reject
// characters outside the base64 alphabet, so the "=== false" check below
// is unlikely to catch malformed input; base64_decode($token, true) would.
62 $encData = base64_decode($token);
63 if ($encData === false) {
64 error('Invalid token data');
// The decoded token is a query string. parse_str() also builds arrays for
// "name[]=x" keys, so values in $data are not guaranteed to be strings.
66 parse_str($encData, $data);
67 $emoji = verifyParameter($data, 'emoji');
68 $signature = verifyParameter($data, 'signature');
69 $me = verifyUrlParameter($data, 'me');
70 $client_id = verifyUrlParameter($data, 'client_id');
71 $scope = verifyParameter($data, 'scope');
// NOTE(review): PHP does not expand octal escapes in single-quoted strings,
// so this compares against the literal backslash-and-digits text rather
// than the UTF-8 bytes of an emoji. The loose "!=" could be "!==".
73 if ($emoji != '\360\237\222\251') {
74 error('Dog poo missing');
// NOTE(review): the signature is compared with a fixed placeholder and no
// key is involved, so this check does not authenticate the token. Until
// it is replaced by a keyed signature (for example an HMAC over the other
// fields, compared with hash_equals()), me, client_id and scope from the
// token must be treated as unverified client input.
76 if ($signature != 'FIXME') {
77 error('Invalid signature');
80 header('HTTP/1.0 200 OK');
81 header('Content-type: application/x-www-form-urlencoded');
82 echo http_build_query(
85 'client_id' => $client_id,
90 } else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
92 //we ignore the "me" parameter; it's for proxies only
93 // see https://github.com/cweiske/anoweco/issues/3
94 $redirect_uri = verifyUrlParameter($_POST, 'redirect_uri');
95 $client_id = verifyUrlParameter($_POST, 'client_id');
96 $code = verifyParameter($_POST, 'code');//auth token
97 $state = getOptionalParameter($_POST, 'state', null);
100 parse_str(base64_decode($code), $codeParts);
101 $emoji = verifyParameter($codeParts, 'emoji');
102 $signature = verifyParameter($codeParts, 'signature');
103 $me = verifyUrlParameter($codeParts, 'me');
104 if ($emoji != '\360\237\222\251') {
105 error('Auth token: Dog poo missing');
107 if ($signature != 'FIXME') {
108 error('Auth token: Invalid signature');
111 //FIXME: check if state are set
112 //FIXME: check auth endpoint if parameters are valid
113 // and to get the scope
116 //FIXME: use real encryption
117 $access_token = base64_encode(
120 'emoji' => '\360\237\222\251',
122 'client_id' => $client_id,
124 'signature' => 'FIXME',
128 header('HTTP/1.0 200 OK');
129 header('Content-type: application/x-www-form-urlencoded');
130 echo http_build_query(
132 'access_token' => $access_token,