<?php
header('HTTP/1.0 500 Internal Server Error');
+header("Access-Control-Allow-Origin: *");
function error($msg)
{
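Review bot: `Access-Control-Allow-Origin: *` on L3 is sent unconditionally for every response — including the 500 set on the line above it and every `error()` exit — before any method or path check runs. A wildcard origin means the browser sends no credentials, so this only helps a browser client if the token travels in the `Authorization` header, and such a request is preflighted: the server must also answer `OPTIONS` with `Access-Control-Allow-Headers: Authorization` (and the right `Allow-Methods`), which nothing in this hunk does and which, if handled elsewhere, is not visible here. A one-line comment stating the intent would help the next reader, e.g. `// CORS: allow browser-based clients; token is carried in the Authorization header, never in cookies`. Style-wise the file uses single quotes everywhere else, so `header('Access-Control-Allow-Origin: *');` keeps it consistent. The hunk boundaries are not fully visible (no hunk header) and the `error()` body continues past L5.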
} else {
error('Authorization HTTP header missing');
}
- list($bearer, $token) = explode(' ', $auth, 2);
+
+ $parts = explode(' ', $auth, 2);
+ if (count($parts) != 2) {
+ error('Authorization header must container "Bearer" and the token');
+ }
+
+ list($bearer, $token) = $parts;
if ($bearer !== 'Bearer') {
error('Authorization header must start with "Bearer"');
}
}
header('HTTP/1.0 200 OK');
- header('Content-type: application/x-www-form-urlencoded');
- echo http_build_query(
+ header('Content-type: application/json');
+ echo json_encode(
array(
'me' => $me,
'client_id' => $client_id,
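Review bot: The new split on L11–L16 rejects a header with no space but still accepts `Authorization: Bearer ` (trailing space) and `Bearer  x` (double space), because `explode(' ', $auth, 2)` then yields an empty or space-prefixed `$token` that is passed on to whatever lookup follows; add `$token = trim($token); if ($token === '') { error('Authorization header must contain a token'); }` after the `list()` on L16. The message on L13 reads `must container` — should be `must contain`. Note also that the context line L17, `$bearer !== 'Bearer'`, is case-sensitive while RFC 7235 auth-scheme names are case-insensitive, so `strcasecmp($bearer, 'Bearer') !== 0` would be more interoperable; that line is pre-existing, and the token lookup itself is outside this hunk.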
} else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
//generate token
- $me = verifyUrlParameter($_POST, 'me');
+ //we ignore the "me" parameter; it's for proxies only
+ // see https://github.com/cweiske/anoweco/issues/3
$redirect_uri = verifyUrlParameter($_POST, 'redirect_uri');
$client_id = verifyUrlParameter($_POST, 'client_id');
$code = verifyParameter($_POST, 'code');//auth token
$state = getOptionalParameter($_POST, 'state', null);
- //FIXME: check if code and state are set
+
+ //verify auth code
+ parse_str(base64_decode($code), $codeParts);
+ $emoji = verifyParameter($codeParts, 'emoji');
+ $signature = verifyParameter($codeParts, 'signature');
+ $me = verifyUrlParameter($codeParts, 'me');
+ if ($emoji != '\360\237\222\251') {
+ error('Auth token: Dog poo missing');
+ }
+ if ($signature != 'FIXME') {
+ error('Auth token: Invalid signature');
+ }
+
+ //FIXME: check if state are set
//FIXME: check auth endpoint if parameters are valid
// and to get the scope
$scope = 'post';
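Review bot: The signature check on L48 compares against the literal `'FIXME'`, so any caller can mint an auth code by base64-encoding `emoji=…&signature=FIXME&me=<any URL>` and this branch will issue an access token for an arbitrary `me` — the change moves `me` from the POST body into the code (L44), but the code itself is still unauthenticated, so the issues/3 concern is not actually closed. Until a real check lands the endpoint should refuse, e.g. `error('Auth token: signature verification not implemented');`, and the real check should be a keyed MAC computed by the authorization endpoint over the code's fields (with an expiry and the `client_id`/`redirect_uri` it was issued for, which the FIXME on L53 mentions but nothing enforces) and verified here with `hash_equals()` rather than `!=`. Separately, `'\360\237\222\251'` on L45 is single-quoted, so PHP does not interpret the octal escapes and the comparison is against the 20-byte literal backslash sequence, not the four UTF-8 bytes of U+1F4A9; if the issuing side uses the same single-quoted literal the two still match, but neither contains the emoji — use `"\360\237\222\251"` (or `"\u{1F4A9}"`). `base64_decode($code)` on L41 without `strict: true` silently accepts junk; passing `true` and calling `error()` on `false` gives a clear failure instead of an empty `$codeParts`.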
)
);
header('HTTP/1.0 200 OK');
- header('Content-type: application/x-www-form-urlencoded');
- echo http_build_query(
+ header('Content-type: application/json');
+ echo json_encode(
array(
'access_token' => $access_token,
+ 'token_type' => 'Bearer',
'me' => $me,
'scope' => $scope
)
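Review bot: The token response on L58–L68 returns an `access_token` but sets no `Cache-Control: no-store` / `Pragma: no-cache`, which RFC 6749 §5.1 requires for any response carrying a token; add `header('Cache-Control: no-store'); header('Pragma: no-cache');` next to the Content-type header on L61. `json_encode()` on L62 is called without error handling — if `$me` is not valid UTF-8 it returns `false` and the client gets an empty body with a 200 status; `json_encode(..., JSON_THROW_ON_ERROR)` or a `=== false` check would surface that. Whether `$me` can reach here un-validated depends on `verifyUrlParameter`, which is outside this hunk, as is the generation of `$access_token`.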