<?php
/**
+ * IndieAuth to OpenID proxy.
+ * Proxies IndieAuth authorization requests to one's OpenID server
*
- * @link http://indiewebcamp.com/login-brainstorming
- * @link https://indieauth.com/developers
+ * PHP version 5
+ *
+ * @package indieauth-openid
+ * @author Christian Weiske <cweiske@cweiske.de>
+ * @license http://www.gnu.org/licenses/agpl.html GNU AGPL v3
+ * @link http://indiewebcamp.com/login-brainstorming
+ * @link http://indiewebcamp.com/authorization-endpoint
+ * @link http://indiewebcamp.com/auth-brainstorming
+ * @link https://indieauth.com/developers
*/
-//require_once __DIR__ . '/../src/init.php';
+header('IndieAuth: authorization_endpoint');
+if (($_SERVER['REQUEST_METHOD'] == 'GET' || $_SERVER['REQUEST_METHOD'] == 'HEAD')
+ && count($_GET) == 0
+) {
+ include 'about.php';
+ exit();
+}
+
+require_once 'Net/URL2.php';
+require_once 'OpenID.php';
require_once 'OpenID/RelyingParty.php';
require_once 'OpenID/Message.php';
require_once 'OpenID/Exception.php';
-require_once 'Net/URL2.php';
function loadDb()
{
- $db = new PDO('sqlite:' . __DIR__ . '/../data/tokens.sq3');
+ $pharFile = \Phar::running();
+ if ($pharFile == '') {
+ $dsn = 'sqlite:' . __DIR__ . '/../data/tokens.sq3';
+ $cfgFilePath = __DIR__ . '/config.php';
+ } else {
+ //remove phar:// from the path
+ $dir = dirname(substr($pharFile, 7)) . '/';
+ $dsn = 'sqlite:' . $dir . '/tokens.sq3';
+ $cfgFilePath = substr($pharFile, 7) . '.config.php';
+ }
+ //allow overriding DSN
+ if (file_exists($cfgFilePath)) {
+ include $cfgFilePath;
+ }
+
+ $db = new PDO($dsn);
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE IF NOT EXISTS authtokens(
code TEXT,
return $code;
}
-function validate_token($code, $redirect_uri, $client_id, $state)
+function validate_token($code, $redirect_uri, $client_id)
{
$db = loadDb();
$stmt = $db->prepare(
. ' code = :code'
. ' AND redirect_uri = :redirect_uri'
. ' AND client_id = :client_id'
- . ' AND state = :state'
. ' AND created >= :created'
);
$stmt->execute(
':code' => $code,
':redirect_uri' => $redirect_uri,
':client_id' => $client_id,
- ':state' => (string) $state,
':created' => date('c', time() - 60)
)
);
function error($msg)
{
header('HTTP/1.0 400 Bad Request');
+ header('Content-type: text/plain; charset=utf-8');
echo $msg . "\n";
exit(1);
}
if (!isset($_SERVER['REQUEST_SCHEME'])) {
$_SERVER['REQUEST_SCHEME'] = 'http';
}
- $file = preg_replace('/#.*$/', '', $_SERVER['REQUEST_URI']);
- if ($file == '') {
- $file = ' /';
- } else if (substr($file, -1) != '/') {
- $file = dirname($file);
- }
+ $file = preg_replace('/[?#].*$/', '', $_SERVER['REQUEST_URI']);
return $_SERVER['REQUEST_SCHEME'] . '://'
. $_SERVER['HTTP_HOST']
. $file;
$message = new \OpenID_Message($queryString, \OpenID_Message::FORMAT_HTTP);
$id = $message->get('openid.claimed_id');
+ if (OpenID::normalizeIdentifier($id) != OpenID::normalizeIdentifier($_SESSION['me'])) {
+ error(
+ sprintf(
+ 'Given identity URL "%s" and claimed OpenID "%s" do not match',
+ $_SESSION['me'], $id
+ )
+ );
+ }
try {
$o = new \OpenID_RelyingParty($returnTo, $realm, $_SESSION['me']);
$result = $o->verify(new \Net_URL2($returnTo . '?' . $queryString), $message);
header('Location: ' . $url->getURL());
exit();
} else {
- error('Error logging in: ' . $result->getAssertionMethod());
+ error('Error verifying OpenID login: ' . $result->getAssertionMethod());
}
} catch (OpenID_Exception $e) {
- error('Error logging in: ' . $e->getMessage());
+ error('Error verifying OpenID login: ' . $e->getMessage());
+ } catch (Exception $e) {
+ error(get_class($e) . ': ' . $e->getMessage());
}
}
if (isset($_GET['state'])) {
$state = $_GET['state'];
}
- //FIXME: support "response_type"?
+ $response_type = 'id';
+ if (isset($_GET['response_type'])) {
+ $response_type = $_GET['response_type'];
+ }
+ if ($response_type != 'id') {
+ error('unsupported response_type: ' . $response_type);
+ }
$_SESSION['me'] = $me;
$_SESSION['redirect_uri'] = $redirect_uri;
try {
$o = new \OpenID_RelyingParty($returnTo, $realm, $me);
+ //if you get timeouts (errors like
+ // OpenID error: Request timed out after 3 second(s)
+ //) then uncomment the following line which disables
+ // all timeouts:
+ //$o->setRequestOptions(array('follow_redirects' => true));
$authRequest = $o->prepare();
$url = $authRequest->getAuthorizeURL();
header("Location: $url");
exit(0);
} catch (OpenID_Exception $e) {
error('OpenID error: ' . $e->getMessage());
+ } catch (Exception $e) {
+ error(get_class($e) . ': ' . $e->getMessage());
}
} else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$redirect_uri = verifyUrlParameter($_POST, 'redirect_uri');
$client_id = verifyUrlParameter($_POST, 'client_id');
- $state = null;
- if (isset($_GET['state'])) {
- $state = $_GET['state'];
- }
if (!isset($_POST['code'])) {
error('"code" parameter missing');
}
$token = $_POST['code'];
- $me = validate_token($token, $redirect_uri, $client_id, $state);
+ $me = validate_token($token, $redirect_uri, $client_id);
if ($me === false) {
- header('HTTP/1.0 400 Bad Request');
- echo "Validating token failed\n";
- exit(1);
+ error('Validating token failed');
}
header('Content-type: application/x-www-form-urlencoded');
echo 'me=' . urlencode($me);
git.cweiske.de / indieauth-openid.git / blobdiff