X-Git-Url: https://git.cweiske.de/anoweco.git/blobdiff_plain/fd760dceff0278836fd05fd4bd314218dc33db34..adde8658ef641287cabdd04fecd8f8ae694f325c:/www/token.php

diff --git a/www/token.php b/www/token.php
index 667fc7b..6a7fa81 100644
--- a/www/token.php
+++ b/www/token.php
@@ -47,7 +47,13 @@ if ($_SERVER['REQUEST_METHOD'] == 'GET') {
     } else {
         error('Authorization HTTP header missing');
     }
-    list($bearer, $token) = explode(' ', $auth, 2);
+
+    $parts = explode(' ', $auth, 2);
+    if (count($parts) != 2) {
+        error('Authorization header must container "Bearer" and the token');
+    }
+
+    list($bearer, $token) = $parts;
     if ($bearer !== 'Bearer') {
         error('Authorization header must start with "Bearer"');
     }
@@ -83,12 +89,26 @@ if ($_SERVER['REQUEST_METHOD'] == 'GET') {
 
 } else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
     //generate token
-    $me           = verifyUrlParameter($_POST, 'me');
+    //we ignore the "me" parameter; it's for proxies only
+    // see https://github.com/cweiske/anoweco/issues/3
     $redirect_uri = verifyUrlParameter($_POST, 'redirect_uri');
     $client_id    = verifyUrlParameter($_POST, 'client_id');
     $code         = verifyParameter($_POST, 'code');//auth token
     $state        = getOptionalParameter($_POST, 'state', null);
-    //FIXME: check if code and state are set
+
+    //verify auth code
+    parse_str(base64_decode($code), $codeParts);
+    $emoji     = verifyParameter($codeParts, 'emoji');
+    $signature = verifyParameter($codeParts, 'signature');
+    $me        = verifyUrlParameter($codeParts, 'me');
+    if ($emoji != '\360\237\222\251') {
+        error('Auth token: Dog poo missing');
+    }
+    if ($signature != 'FIXME') {
+        error('Auth token: Invalid signature');
+    }
+
+    //FIXME: check if state are set
     //FIXME: check auth endpoint if parameters are valid
     //        and to get the scope
     $scope = 'post';