do not use state parameter on auth code verification
author
Christian Weiske
<cweiske@cweiske.de>
Fri, 28 Jul 2017 18:33:24 +0000
(20:33 +0200)
committer
Christian Weiske
<cweiske@cweiske.de>
Fri, 28 Jul 2017 18:33:24 +0000
(20:33 +0200)
www/index.php
diff --git
a/www/index.php
b/www/index.php
index ca89855e6f1a1aff899e8e16dd8e1faf228d7319..724c97c2b62498e739a963d8135bf58209d5a1c9 100644
(file)
--- a/
www/index.php
+++ b/
www/index.php
@@
-81,7
+81,7
@@
function create_token($me, $redirect_uri, $client_id, $state)
return $code;
}
return $code;
}
-function validate_token($code, $redirect_uri, $client_id
, $state
)
+function validate_token($code, $redirect_uri, $client_id)
{
$db = loadDb();
$stmt = $db->prepare(
{
$db = loadDb();
$stmt = $db->prepare(
@@
-89,7
+89,6
@@
function validate_token($code, $redirect_uri, $client_id, $state)
. ' code = :code'
. ' AND redirect_uri = :redirect_uri'
. ' AND client_id = :client_id'
. ' code = :code'
. ' AND redirect_uri = :redirect_uri'
. ' AND client_id = :client_id'
- . ' AND state = :state'
. ' AND created >= :created'
);
$stmt->execute(
. ' AND created >= :created'
);
$stmt->execute(
@@
-97,7
+96,6
@@
function validate_token($code, $redirect_uri, $client_id, $state)
':code' => $code,
':redirect_uri' => $redirect_uri,
':client_id' => $client_id,
':code' => $code,
':redirect_uri' => $redirect_uri,
':client_id' => $client_id,
- ':state' => (string) $state,
':created' => date('c', time() - 60)
)
);
':created' => date('c', time() - 60)
)
);
@@
-235,16
+233,12
@@
if ($_SERVER['REQUEST_METHOD'] == 'GET') {
} else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$redirect_uri = verifyUrlParameter($_POST, 'redirect_uri');
$client_id = verifyUrlParameter($_POST, 'client_id');
} else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$redirect_uri = verifyUrlParameter($_POST, 'redirect_uri');
$client_id = verifyUrlParameter($_POST, 'client_id');
- $state = null;
- if (isset($_POST['state'])) {
- $state = $_POST['state'];
- }
if (!isset($_POST['code'])) {
error('"code" parameter missing');
}
$token = $_POST['code'];
if (!isset($_POST['code'])) {
error('"code" parameter missing');
}
$token = $_POST['code'];
- $me = validate_token($token, $redirect_uri, $client_id
, $state
);
+ $me = validate_token($token, $redirect_uri, $client_id);
if ($me === false) {
error('Validating token failed');
}
if ($me === false) {
error('Validating token failed');
}
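Review bot: With `state` gone from the WHERE clause, validate_token now matches a code on `code`, `client_id`, `redirect_uri` and the 60-second `created` window only, and nothing in these hunks consumes the row once it matches; if the remainder of validate_token (outside the hunk) does not delete or mark the code, the same code can be redeemed repeatedly until it expires. A single-use guard belongs right after the successful lookup, e.g. `$db->prepare('DELETE FROM <codes table> WHERE code = :code')->execute([':code' => $code]);` — the table name is not visible here, so confirm it against loadDb()'s schema. Dropping `state` from the verification request itself looks consistent with IndieAuth, where the client, not the authorization endpoint, checks `state` on the redirect; since create_token still stores it (its signature on the hunk header still takes `$state`), a docblock on validate_token such as `/** Resolve a not-yet-expired (60s) auth code issued to this client_id/redirect_uri to its $me URL, or false. state is the client's CSRF token and is deliberately not checked here. */` would stop a future reader from re-adding the column to the query. The POST branch at the end of the page continues past the hunk.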