X-Git-Url: https://git.cweiske.de/anoweco.git/blobdiff_plain/1074fe9f773f579e6b6f8e1950c7479fd40ce879..506949fa5639b8810a2437a9bffbe40165e4d8ae:/www/token.php
diff --git a/www/token.php b/www/token.php
index be9a264..abe14ed 100644
--- a/www/token.php
+++ b/www/token.php
@@ -39,10 +39,15 @@ function getOptionalParameter($givenParams, $paramName, $default)
 if ($_SERVER['REQUEST_METHOD'] == 'GET') {
     //verify token
-    if (!isset($_SERVER['HTTP_AUTHORIZATION'])) {
+    if (isset($_SERVER['HTTP_AUTHORIZATION'])) {
+        $auth = $_SERVER['HTTP_AUTHORIZATION'];
+    } else if (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) {
+        //php-cgi has it there
+        $auth = $_SERVER['REDIRECT_HTTP_AUTHORIZATION'];
+    } else {
         error('Authorization HTTP header missing');
     }
-    list($bearer, $token) = explode(' ', $_SERVER['HTTP_AUTHORIZATION'], 2);
+    list($bearer, $token) = explode(' ', $auth, 2);
     if ($bearer !== 'Bearer') {
         error('Authorization header must start with "Bearer"');
     }
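Review bot: `list($bearer, $token) = explode(' ', $auth, 2);` still leaves `$token` unset (with a notice) when the header contains no space, because only the first element is checked on the following line; check the element count before destructuring, e.g. `$parts = explode(' ', $auth, 2); if (count($parts) !== 2 || $parts[0] !== 'Bearer') { error('Authorization header must start with "Bearer"'); }`. The new else branch assigns nothing to `$auth`, so the code after it relies on `error()` terminating the request — that function is outside the hunk, and a comment such as `//error() exits, $auth is always set below` on the else branch would make the dependency explicit. The GET branch continues past the end of the hunk.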
@@ -78,12 +83,26 @@ if ($_SERVER['REQUEST_METHOD'] == 'GET') {
 } else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
     //generate token
-    $me = verifyUrlParameter($_POST, 'me');
+    //we ignore the "me" parameter; it's for proxies only
+    // see https://github.com/cweiske/anoweco/issues/3
     $redirect_uri = verifyUrlParameter($_POST, 'redirect_uri');
     $client_id = verifyUrlParameter($_POST, 'client_id');
     $code = verifyParameter($_POST, 'code');//auth token
     $state = getOptionalParameter($_POST, 'state', null);
-    //FIXME: check if code and state are set
+
+    //verify auth code
+    parse_str(base64_decode($code), $codeParts);
+    $emoji = verifyParameter($codeParts, 'emoji');
+    $signature = verifyParameter($codeParts, 'signature');
+    $me = verifyUrlParameter($codeParts, 'me');
+    if ($emoji != '\360\237\222\251') {
+        error('Auth token: Dog poo missing');
+    }
+    if ($signature != 'FIXME') {
+        error('Auth token: Invalid signature');
+    }
+
+    //FIXME: check if state are set
     //FIXME: check auth endpoint if parameters are valid
     // and to get the scope
     $scope = 'post';
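Review bot: The check `if ($signature != 'FIXME')` compares against a hard-coded placeholder, so the `me` identity recovered from the client-supplied `$code` is not authenticated at all and a token can be issued for any `me` value; before anything from `$codeParts` is trusted the signature needs to be a keyed MAC over the code contents computed with a server-side secret shared with the issuing endpoint, and compared with `hash_equals()` rather than `!=`. `base64_decode($code)` should also run in strict mode with its `false` result rejected before `parse_str`, and the emoji comparison should use `!==` since `!=` on strings is loose. Separately, `'\360\237\222\251'` is single-quoted, so the octal escapes are not interpreted and the comparison is against the sixteen-character backslash sequence; if the authorization endpoint emits the UTF-8 bytes of the emoji this check can never pass, whereas the double-quoted `"\360\237\222\251"` would match them. The POST branch continues past the end of the hunk, so the state check named in the FIXME is not visible here.
```php
    //verify auth code
    $decoded = base64_decode($code, true);
    if ($decoded === false) {
        error('Auth token: Invalid code encoding');
    }
    parse_str($decoded, $codeParts);
    $emoji = verifyParameter($codeParts, 'emoji');
    $signature = verifyParameter($codeParts, 'signature');
    $me = verifyUrlParameter($codeParts, 'me');
    if ($emoji !== '\360\237\222\251') {
        error('Auth token: Dog poo missing');
    }
    // PLACEHOLDER: $signingKey comes from server-side configuration and the signed
    // message must be exactly what the authorization endpoint signs (not visible here).
    $expected = hash_hmac('sha256', $emoji . '|' . $me, $signingKey);
    if (!hash_equals($expected, $signature)) {
        error('Auth token: Invalid signature');
    }
    // … unchanged: state/scope FIXMEs and $scope = 'post' …
```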