From a7c896fa2df30503cf5a2f5f44de59ff8dfea595 Mon Sep 17 00:00:00 2001
From: Christian Weiske
Date: Fri, 18 Aug 2017 22:37:57 +0200
Subject: [PATCH] Verify if auth token "me" and given "me" match in token handout

Part of https://github.com/cweiske/anoweco/issues/3
---
 www/token.php | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/www/token.php b/www/token.php
index 667fc7b..6d417c6 100644
--- a/www/token.php
+++ b/www/token.php
@@ -88,7 +88,23 @@ if ($_SERVER['REQUEST_METHOD'] == 'GET') {
     $client_id = verifyUrlParameter($_POST, 'client_id');
     $code = verifyParameter($_POST, 'code');//auth token
     $state = getOptionalParameter($_POST, 'state', null);
-    //FIXME: check if code and state are set
+
+    //verify auth code
+    parse_str(base64_decode($code), $codeParts);
+    $emoji = verifyParameter($codeParts, 'emoji');
+    $signature = verifyParameter($codeParts, 'signature');
+    $codeMe = verifyUrlParameter($codeParts, 'me');
+    if ($emoji != '\360\237\222\251') {
+        error('Auth token: Dog poo missing');
+    }
+    if ($signature != 'FIXME') {
+        error('Auth token: Invalid signature');
+    }
+    if ($me !== $codeMe) {
+        error('Auth token is not valid for the given "me"');
+    }
+
+    //FIXME: check if state are set
     //FIXME: check auth endpoint if parameters are valid
     // and to get the scope
     $scope = 'post';
-- 
2.30.2
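Review bot: The signature check `if ($signature != 'FIXME')` compares against a placeholder constant, so the new `$me !== $codeMe` comparison is not backed by anything — a code carrying any `me` passes as long as it contains that constant and the emoji marker, and the `//FIXME: check if state are set` comment a few lines down shows `$state` is still unchecked. Before this `me` check is relied on, the auth endpoint should compute an HMAC over the code's fields (including `me`, and ideally an expiry so codes cannot be replayed indefinitely) with a server-side secret, and this branch should verify it with `if (!hash_equals($expected, $signature)) { error('Auth token: Invalid signature'); }` rather than a loose `!=`. The emoji comparison `$emoji != '\360\237\222\251'` is a single-quoted literal, so PHP compares against the literal backslash-digit characters rather than the UTF-8 bytes of U+1F4A9; that only works if the auth endpoint encodes the same literal, otherwise use the double-quoted `"\u{1F4A9}"` form and `!==`. `$me` is assigned outside the hunk, and the enclosing POST branch starts and ends outside it.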