array(
'http' => array(
'header' => array(
- 'Authorization: Bearer ' . $token
+ 'Authorization: Bearer ' . $token,
+ 'Accept: application/json',
),
'ignore_errors' => true,
),
);
}
- parse_str($res, $data);
+ $data = json_decode($res, true);
//FIXME: they spit out non-micropub json error responess
- verifyUrlParameter($data, 'me');
- verifyUrlParameter($data, 'client_id');
+ verifyParameter($data, 'me');
+ verifyParameter($data, 'client_id');
verifyParameter($data, 'scope');
return [$data['me'], $data['client_id'], $data['scope']];
function getTokenFromHeader()
{
- if (isset($_SERVER['HTTP_AUTHORIZATION'])) {
+ if (isset($_SERVER['HTTP_AUTHORIZATION'])
+ && $_SERVER['HTTP_AUTHORIZATION'] != ''
+ ) {
$auth = $_SERVER['HTTP_AUTHORIZATION'];
- } else if (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) {
+ } else if (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])
+ && $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] != ''
+ ) {
//php-cgi has it there
$auth = $_SERVER['REDIRECT_HTTP_AUTHORIZATION'];
} else {
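Review bot: The new non-empty guards `&& $_SERVER['HTTP_AUTHORIZATION'] != ''` and `&& $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] != ''` use the loose `!=`; since `$_SERVER` values are strings, `!== ''` states the intent without relying on PHP's comparison juggling and is what PHPStan/Psalm would ask for. The same loose operator is used in the later content-type hunk (`$ctype == 'application/x-www-form-urlencoded'`), where `===` fits for the same reason. getTokenFromHeader continues past the end of this hunk.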
'Authorization HTTP header missing'
);
}
+ if (strpos($auth, ' ') === false) {
+ mpError(
+ 'HTTP/1.0 403 Forbidden', 'forbidden',
+ 'Authorization header must start with "Bearer "'
+ );
+ }
list($bearer, $token) = explode(' ', $auth, 2);
if ($bearer !== 'Bearer') {
mpError(
'HTTP/1.0 403 Forbidden', 'forbidden',
- 'Authorization header must start with "Bearer"'
+ 'Authorization header must start with "Bearer "'
);
}
return trim($token);
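Review bot: An `Authorization: Bearer ` header with nothing after the scheme passes the new `strpos($auth, ' ') === false` guard and the `$bearer !== 'Bearer'` check, and `return trim($token);` then hands an empty string back to the caller, which presumably forwards it to the token endpoint; it should be rejected here instead: `$token = trim($token); if ($token === '') { mpError('HTTP/1.0 403 Forbidden', 'forbidden', 'Bearer token is empty'); } return $token;`. Separately, `$bearer !== 'Bearer'` compares the scheme case-sensitively while the HTTP auth scheme is case-insensitive, so a client sending `bearer` is refused; if that should be accepted, `strcasecmp($bearer, 'Bearer') !== 0` is the equivalent check. The else branch of the header lookup begins before this hunk.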
'Content-Type header missing.'
);
}
- $ctype = $_SERVER['CONTENT_TYPE'];
- if ($ctype == 'application/x-www-form-urlencoded') {
+ list($ctype) = explode(';', $_SERVER['CONTENT_TYPE'], 2);
+ $ctype = trim($ctype);
+ if ($ctype == 'application/x-www-form-urlencoded'
+ || $ctype == 'multipart/form-data'
+ ) {
if (!isset($_POST['action'])) {
$_POST['action'] = 'create';
}
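Review bot: The media type taken from `list($ctype) = explode(';', $_SERVER['CONTENT_TYPE'], 2);` is compared case-sensitively, but media type names are case-insensitive, so `Content-Type: Application/x-www-form-urlencoded` or `Multipart/Form-Data` would skip the `$_POST['action']` default and fall through to whatever the unseen else branch does; normalising with `$ctype = strtolower(trim($ctype));` and comparing with `===` closes that gap. The enclosing function starts before this hunk and continues after it.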