X-Git-Url: https://git.cweiske.de/indieauth-openid.git/blobdiff_plain/384b14c3981a4b0f6d8a498d779dd3a45379e7c5..HEAD:/www/index.php diff --git a/www/index.php b/www/index.php index 9906fd9..724c97c 100644 --- a/www/index.php +++ b/www/index.php @@ -1,18 +1,50 @@ + * @license http://www.gnu.org/licenses/agpl.html GNU AGPL v3 + * @link http://indiewebcamp.com/login-brainstorming + * @link http://indiewebcamp.com/authorization-endpoint + * @link http://indiewebcamp.com/auth-brainstorming + * @link https://indieauth.com/developers */ -//require_once __DIR__ . '/../src/init.php'; +header('IndieAuth: authorization_endpoint'); +if (($_SERVER['REQUEST_METHOD'] == 'GET' || $_SERVER['REQUEST_METHOD'] == 'HEAD') + && count($_GET) == 0 +) { + include 'about.php'; + exit(); +} + +require_once 'Net/URL2.php'; +require_once 'OpenID.php'; require_once 'OpenID/RelyingParty.php'; require_once 'OpenID/Message.php'; require_once 'OpenID/Exception.php'; -require_once 'Net/URL2.php'; function loadDb() { - $db = new PDO('sqlite:' . __DIR__ . '/../data/tokens.sq3'); + $pharFile = \Phar::running(); + if ($pharFile == '') { + $dsn = 'sqlite:' . __DIR__ . '/../data/tokens.sq3'; + $cfgFilePath = __DIR__ . '/config.php'; + } else { + //remove phar:// from the path + $dir = dirname(substr($pharFile, 7)) . '/'; + $dsn = 'sqlite:' . $dir . '/tokens.sq3'; + $cfgFilePath = substr($pharFile, 7) . '.config.php'; + } + //allow overriding DSN + if (file_exists($cfgFilePath)) { + include $cfgFilePath; + } + + $db = new PDO($dsn); $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); $db->exec("CREATE TABLE IF NOT EXISTS authtokens( code TEXT, @@ -49,7 +81,7 @@ function create_token($me, $redirect_uri, $client_id, $state) return $code; } -function validate_token($code, $redirect_uri, $client_id, $state) +function validate_token($code, $redirect_uri, $client_id) { $db = loadDb(); $stmt = $db->prepare( @@ -57,7 +89,6 @@ function validate_token($code, $redirect_uri, $client_id, $state) . ' code = :code' . ' AND redirect_uri = :redirect_uri' . ' AND client_id = :client_id' - . ' AND state = :state' . ' AND created >= :created' ); $stmt->execute( @@ -65,7 +96,6 @@ function validate_token($code, $redirect_uri, $client_id, $state) ':code' => $code, ':redirect_uri' => $redirect_uri, ':client_id' => $client_id, - ':state' => (string) $state, ':created' => date('c', time() - 60) ) ); @@ -83,6 +113,7 @@ function validate_token($code, $redirect_uri, $client_id, $state) function error($msg) { header('HTTP/1.0 400 Bad Request'); + header('Content-type: text/plain; charset=utf-8'); echo $msg . "\n"; exit(1); } @@ -108,12 +139,7 @@ function getBaseUrl() if (!isset($_SERVER['REQUEST_SCHEME'])) { $_SERVER['REQUEST_SCHEME'] = 'http'; } - $file = preg_replace('/#.*$/', '', $_SERVER['REQUEST_URI']); - if ($file == '') { - $file = ' /'; - } else if (substr($file, -1) != '/') { - $file = dirname($file); - } + $file = preg_replace('/[?#].*$/', '', $_SERVER['REQUEST_URI']); return $_SERVER['REQUEST_SCHEME'] . '://' . $_SERVER['HTTP_HOST'] . $file; @@ -133,6 +159,14 @@ if (isset($_GET['openid_mode']) && $_GET['openid_mode'] != '') { $message = new \OpenID_Message($queryString, \OpenID_Message::FORMAT_HTTP); $id = $message->get('openid.claimed_id'); + if (OpenID::normalizeIdentifier($id) != OpenID::normalizeIdentifier($_SESSION['me'])) { + error( + sprintf( + 'Given identity URL "%s" and claimed OpenID "%s" do not match', + $_SESSION['me'], $id + ) + ); + } try { $o = new \OpenID_RelyingParty($returnTo, $realm, $_SESSION['me']); $result = $o->verify(new \Net_URL2($returnTo . '?' . $queryString), $message); @@ -150,10 +184,12 @@ if (isset($_GET['openid_mode']) && $_GET['openid_mode'] != '') { header('Location: ' . $url->getURL()); exit(); } else { - error('Error logging in: ' . $result->getAssertionMethod()); + error('Error verifying OpenID login: ' . $result->getAssertionMethod()); } } catch (OpenID_Exception $e) { - error('Error logging in: ' . $e->getMessage()); + error('Error verifying OpenID login: ' . $e->getMessage()); + } catch (Exception $e) { + error(get_class($e) . ': ' . $e->getMessage()); } } @@ -165,7 +201,13 @@ if ($_SERVER['REQUEST_METHOD'] == 'GET') { if (isset($_GET['state'])) { $state = $_GET['state']; } - //FIXME: support "response_type"? + $response_type = 'id'; + if (isset($_GET['response_type'])) { + $response_type = $_GET['response_type']; + } + if ($response_type != 'id') { + error('unsupported response_type: ' . $response_type); + } $_SESSION['me'] = $me; $_SESSION['redirect_uri'] = $redirect_uri; @@ -174,30 +216,31 @@ if ($_SERVER['REQUEST_METHOD'] == 'GET') { try { $o = new \OpenID_RelyingParty($returnTo, $realm, $me); + //if you get timeouts (errors like + // OpenID error: Request timed out after 3 second(s) + //) then uncomment the following line which disables + // all timeouts: + //$o->setRequestOptions(array('follow_redirects' => true)); $authRequest = $o->prepare(); $url = $authRequest->getAuthorizeURL(); header("Location: $url"); exit(0); } catch (OpenID_Exception $e) { error('OpenID error: ' . $e->getMessage()); + } catch (Exception $e) { + error(get_class($e) . ': ' . $e->getMessage()); } } else if ($_SERVER['REQUEST_METHOD'] == 'POST') { $redirect_uri = verifyUrlParameter($_POST, 'redirect_uri'); $client_id = verifyUrlParameter($_POST, 'client_id'); - $state = null; - if (isset($_GET['state'])) { - $state = $_GET['state']; - } if (!isset($_POST['code'])) { error('"code" parameter missing'); } $token = $_POST['code']; - $me = validate_token($token, $redirect_uri, $client_id, $state); + $me = validate_token($token, $redirect_uri, $client_id); if ($me === false) { - header('HTTP/1.0 400 Bad Request'); - echo "Validating token failed\n"; - exit(1); + error('Validating token failed'); } header('Content-type: application/x-www-form-urlencoded'); echo 'me=' . urlencode($me);