Support multipart/form-data content type
diff --git
a/www/token.php
b/www/token.php
index 6d417c695817bafcfa22275f5508c2cc56fd9817..6a7fa81332960785cb0f4a5ef7e43b0b5728fd4e 100644
--- a/
www/token.php
+++ b/
www/token.php
@@
-47,7
+47,13
@@
if ($_SERVER['REQUEST_METHOD'] == 'GET') {
} else {
error('Authorization HTTP header missing');
}
} else {
error('Authorization HTTP header missing');
}
- list($bearer, $token) = explode(' ', $auth, 2);
+
+ $parts = explode(' ', $auth, 2);
+ if (count($parts) != 2) {
+ error('Authorization header must container "Bearer" and the token');
+ }
+
+ list($bearer, $token) = $parts;
if ($bearer !== 'Bearer') {
error('Authorization header must start with "Bearer"');
}
if ($bearer !== 'Bearer') {
error('Authorization header must start with "Bearer"');
}
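Review bot: The error message added on the `count($parts) != 2` branch has a typo, `container` for `contain`; it should read `error('Authorization header must contain "Bearer" and the token');`. The count check also accepts a header of `Bearer ` followed by nothing, because explode still yields two elements with an empty second one, so the guard would be tighter as `if (count($parts) != 2 || $parts[1] === '')`. A double space after `Bearer` likewise leaves a leading space in `$token`, which is worth trimming unless the downstream token lookup already does. The enclosing block starts outside the hunk.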
@@
-83,7
+89,8
@@
if ($_SERVER['REQUEST_METHOD'] == 'GET') {
} else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
//generate token
} else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
//generate token
- $me = verifyUrlParameter($_POST, 'me');
+ //we ignore the "me" parameter; it's for proxies only
+ // see https://github.com/cweiske/anoweco/issues/3
$redirect_uri = verifyUrlParameter($_POST, 'redirect_uri');
$client_id = verifyUrlParameter($_POST, 'client_id');
$code = verifyParameter($_POST, 'code');//auth token
$redirect_uri = verifyUrlParameter($_POST, 'redirect_uri');
$client_id = verifyUrlParameter($_POST, 'client_id');
$code = verifyParameter($_POST, 'code');//auth token
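Review bot: With the POST `me` read removed here, the identity the token is issued for comes solely from the decoded auth code (the following hunk assigns `$me` from `$codeParts`), so the cross-check that previously tied the client's claimed `me` to the code is gone and the code's integrity alone binds the token to an identity; the signature check visible in that hunk's context still compares against a placeholder, so this dependency deserves to be recorded next to the new comment. The two added comment lines also mix `//we ignore` and `// see` spacing while the neighbouring `//generate token` uses none, so `//see https://github.com/cweiske/anoweco/issues/3` would match the file. Suggested wording for the first line: `//the POST "me" is ignored (proxies only, see issue #3); the identity comes from the auth code, so its signature check is what binds the token`.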
@@
-93,16
+100,13
@@
if ($_SERVER['REQUEST_METHOD'] == 'GET') {
parse_str(base64_decode($code), $codeParts);
$emoji = verifyParameter($codeParts, 'emoji');
$signature = verifyParameter($codeParts, 'signature');
parse_str(base64_decode($code), $codeParts);
$emoji = verifyParameter($codeParts, 'emoji');
$signature = verifyParameter($codeParts, 'signature');
- $
codeMe
= verifyUrlParameter($codeParts, 'me');
+ $
me
= verifyUrlParameter($codeParts, 'me');
if ($emoji != '\360\237\222\251') {
error('Auth token: Dog poo missing');
}
if ($signature != 'FIXME') {
error('Auth token: Invalid signature');
}
if ($emoji != '\360\237\222\251') {
error('Auth token: Dog poo missing');
}
if ($signature != 'FIXME') {
error('Auth token: Invalid signature');
}
- if ($me !== $codeMe) {
- error('Auth token is not valid for the given "me"');
- }
//FIXME: check if state are set
//FIXME: check auth endpoint if parameters are valid
//FIXME: check if state are set
//FIXME: check auth endpoint if parameters are valid