X-Git-Url: https://git.cweiske.de/anoweco.git/blobdiff_plain/ccb7bb3c75555c01e7dbc78e0b971abc86f3a59d..adde8658ef641287cabdd04fecd8f8ae694f325c:/www/token.php diff --git a/www/token.php b/www/token.php index bf10e70..6a7fa81 100644 --- a/www/token.php +++ b/www/token.php @@ -39,24 +39,44 @@ function getOptionalParameter($givenParams, $paramName, $default) if ($_SERVER['REQUEST_METHOD'] == 'GET') { //verify token - if (!isset($_SERVER['HTTP_AUTHORIZATION'])) { + if (isset($_SERVER['HTTP_AUTHORIZATION'])) { + $auth = $_SERVER['HTTP_AUTHORIZATION']; + } else if (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) { + //php-cgi has it there + $auth = $_SERVER['REDIRECT_HTTP_AUTHORIZATION']; + } else { error('Authorization HTTP header missing'); } - list($bearer, $token) = explode(' ', $_SERVER['HTTP_AUTHORIZATION'], 2); + + $parts = explode(' ', $auth, 2); + if (count($parts) != 2) { + error('Authorization header must container "Bearer" and the token'); + } + + list($bearer, $token) = $parts; if ($bearer !== 'Bearer') { error('Authorization header must start with "Bearer"'); } //FIXME: use real decryption - $data = json_decode($token); - if ($data === null) { - error('Invalid token'); + $encData = base64_decode($token); + if ($encData === false) { + error('Invalid token data'); } - $data = (array) $data; + parse_str($encData, $data); + $emoji = verifyParameter($data, 'emoji'); + $signature = verifyParameter($data, 'signature'); $me = verifyUrlParameter($data, 'me'); $client_id = verifyUrlParameter($data, 'client_id'); $scope = verifyParameter($data, 'scope'); + if ($emoji != '\360\237\222\251') { + error('Dog poo missing'); + } + if ($signature != 'FIXME') { + error('Invalid signature'); + } + header('HTTP/1.0 200 OK'); header('Content-type: application/x-www-form-urlencoded'); echo http_build_query( @@ -69,22 +89,40 @@ if ($_SERVER['REQUEST_METHOD'] == 'GET') { } else if ($_SERVER['REQUEST_METHOD'] == 'POST') { //generate token - $me = verifyUrlParameter($_POST, 'me'); + //we ignore the "me" parameter; it's for proxies only + // see https://github.com/cweiske/anoweco/issues/3 $redirect_uri = verifyUrlParameter($_POST, 'redirect_uri'); $client_id = verifyUrlParameter($_POST, 'client_id'); $code = verifyParameter($_POST, 'code');//auth token $state = getOptionalParameter($_POST, 'state', null); - //FIXME: check if code and state are set + + //verify auth code + parse_str(base64_decode($code), $codeParts); + $emoji = verifyParameter($codeParts, 'emoji'); + $signature = verifyParameter($codeParts, 'signature'); + $me = verifyUrlParameter($codeParts, 'me'); + if ($emoji != '\360\237\222\251') { + error('Auth token: Dog poo missing'); + } + if ($signature != 'FIXME') { + error('Auth token: Invalid signature'); + } + + //FIXME: check if state are set //FIXME: check auth endpoint if parameters are valid // and to get the scope $scope = 'post'; //FIXME: use real encryption - $access_token = '

"\'' . json_encode( - array( - 'me' => $me, - 'client_id' => $client_id, - 'scope' => $scope + $access_token = base64_encode( + http_build_query( + array( + 'emoji' => '\360\237\222\251', + 'me' => $me, + 'client_id' => $client_id, + 'scope' => $scope, + 'signature' => 'FIXME', + ) ) ); header('HTTP/1.0 200 OK');