Upgrade twig to version 3 for php 8.1

[anoweco.git] / www / token.php

diff --git a/www/token.php b/www/token.php
index be9a264ecd4855c981ab2f045d2fd79381859690..67d6bb19fde0aa3c1f26c643bd2658e42d01cbfb 100644 (file)
--- a/www/token.php
+++ b/www/token.php
@@ -1,5 +1,6 @@
 <?php
 header('HTTP/1.0 500 Internal Server Error');
+header("Access-Control-Allow-Origin: *");
 
 function error($msg)
 {
@@ -39,10 +40,21 @@ function getOptionalParameter($givenParams, $paramName, $default)
 
 if ($_SERVER['REQUEST_METHOD'] == 'GET') {
     //verify token
-    if (!isset($_SERVER['HTTP_AUTHORIZATION'])) {
+    if (isset($_SERVER['HTTP_AUTHORIZATION'])) {
+        $auth = $_SERVER['HTTP_AUTHORIZATION'];
+    } else if (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) {
+        //php-cgi has it there
+        $auth = $_SERVER['REDIRECT_HTTP_AUTHORIZATION'];
+    } else {
         error('Authorization HTTP header missing');
     }
-    list($bearer, $token) = explode(' ', $_SERVER['HTTP_AUTHORIZATION'], 2);
+
+    $parts = explode(' ', $auth, 2);
+    if (count($parts) != 2) {
+        error('Authorization header must container "Bearer" and the token');
+    }
+
+    list($bearer, $token) = $parts;
     if ($bearer !== 'Bearer') {
         error('Authorization header must start with "Bearer"');
     }
@@ -67,8 +79,8 @@ if ($_SERVER['REQUEST_METHOD'] == 'GET') {
     }
 
     header('HTTP/1.0 200 OK');
-    header('Content-type: application/x-www-form-urlencoded');
-    echo http_build_query(
+    header('Content-type: application/json');
+    echo json_encode(
         array(
             'me'        => $me,
             'client_id' => $client_id,
@@ -78,12 +90,26 @@ if ($_SERVER['REQUEST_METHOD'] == 'GET') {
 
 } else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
     //generate token
-    $me           = verifyUrlParameter($_POST, 'me');
+    //we ignore the "me" parameter; it's for proxies only
+    // see https://github.com/cweiske/anoweco/issues/3
     $redirect_uri = verifyUrlParameter($_POST, 'redirect_uri');
     $client_id    = verifyUrlParameter($_POST, 'client_id');
     $code         = verifyParameter($_POST, 'code');//auth token
     $state        = getOptionalParameter($_POST, 'state', null);
-    //FIXME: check if code and state are set
+
+    //verify auth code
+    parse_str(base64_decode($code), $codeParts);
+    $emoji     = verifyParameter($codeParts, 'emoji');
+    $signature = verifyParameter($codeParts, 'signature');
+    $me        = verifyUrlParameter($codeParts, 'me');
+    if ($emoji != '\360\237\222\251') {
+        error('Auth token: Dog poo missing');
+    }
+    if ($signature != 'FIXME') {
+        error('Auth token: Invalid signature');
+    }
+
+    //FIXME: check if state are set
     //FIXME: check auth endpoint if parameters are valid
     //        and to get the scope
     $scope = 'post';
@@ -101,10 +127,11 @@ if ($_SERVER['REQUEST_METHOD'] == 'GET') {
         )
     );
     header('HTTP/1.0 200 OK');
-    header('Content-type: application/x-www-form-urlencoded');
-    echo http_build_query(
+    header('Content-type: application/json');
+    echo json_encode(
         array(
             'access_token' => $access_token,
+            'token_type' => 'Bearer',
             'me' => $me,
             'scope' => $scope
         )