From: Christian Weiske
Date: Fri, 18 Aug 2017 21:15:42 +0000 (+0200)
Subject: Let token endpoint ignore "me" and take it from the code
X-Git-Tag: v1.0.0~12
X-Git-Url: https://git.cweiske.de/anoweco.git/commitdiff_plain/8911cee78b9daf64a63471b2b3db4fa36aa8084f?hp=a7c896fa2df30503cf5a2f5f44de59ff8dfea595
Let token endpoint ignore "me" and take it from the code
Resolves: https://github.com/cweiske/anoweco/issues/3
---
diff --git a/www/token.php b/www/token.php
index 6d417c6..abe14ed 100644
--- a/www/token.php
+++ b/www/token.php
@@ -83,7 +83,8 @@ if ($_SERVER['REQUEST_METHOD'] == 'GET') {
 } else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
 //generate token
- $me = verifyUrlParameter($_POST, 'me');
+ //we ignore the "me" parameter; it's for proxies only
+ // see https://github.com/cweiske/anoweco/issues/3
 $redirect_uri = verifyUrlParameter($_POST, 'redirect_uri');
 $client_id = verifyUrlParameter($_POST, 'client_id');
 $code = verifyParameter($_POST, 'code');//auth token
@@ -93,16 +94,13 @@ if ($_SERVER['REQUEST_METHOD'] == 'GET') {
 parse_str(base64_decode($code), $codeParts);
 $emoji = verifyParameter($codeParts, 'emoji');
 $signature = verifyParameter($codeParts, 'signature');
- $codeMe = verifyUrlParameter($codeParts, 'me');
+ $me = verifyUrlParameter($codeParts, 'me');
 if ($emoji != '\360\237\222\251') {
 error('Auth token: Dog poo missing');
 }
 if ($signature != 'FIXME') {
 error('Auth token: Invalid signature');
 }
- if ($me !== $codeMe) {
- error('Auth token is not valid for the given "me"');
- }
 //FIXME: check if state are set
 //FIXME: check auth endpoint if parameters are valid
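Review bot: In the second hunk `$me` is now taken only from the base64-decoded `code`, yet the sole integrity check on that code is still the placeholder `if ($signature != 'FIXME')`, so nothing on the visible lines authenticates the identity that the rest of the POST branch presumably puts into the issued token. With the `$me !== $codeMe` comparison gone, the code is the single source of identity. The auth endpoint should therefore sign its fields (at least `me`, ideally also `client_id` and `redirect_uri`) with a server-side key, and this branch should recompute the signature and compare it in constant time, e.g. `if (!hash_equals($expectedSignature, $signature)) { error('Auth token: Invalid signature'); }`, where `$expectedSignature` is a placeholder for the recomputed HMAC. The `redirect_uri` and `client_id` read from `$_POST` in the first hunk are likewise not compared with anything carried in the code on the lines shown, which the existing `//FIXME: check auth endpoint if parameters are valid` appears to acknowledge. The POST branch begins in the first hunk and continues past the end of the second, so further checks may exist outside this view.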