From: Christian Weiske Date: Wed, 11 Jun 2014 05:50:01 +0000 (+0200) Subject: improve security; add README X-Git-Tag: v0.1.1~3 X-Git-Url: https://git.cweiske.de/indieauth-openid.git/commitdiff_plain/6a2ffe2c4bbf557cff75894e1b09ae2aea7a1f2b improve security; add README --- diff --git a/.gitignore b/.gitignore index a994fbf..4a22837 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ data/tokens.sq3 +README.html diff --git a/README.rst b/README.rst new file mode 100644 index 0000000..c435028 --- /dev/null +++ b/README.rst @@ -0,0 +1,41 @@ +************************* +IndieAuth to OpenID proxy +************************* + +Proxies IndieAuth authorization requests to one's OpenID server. + +===== +Setup +===== + +1. Setup your webserver: make ``www/`` the root (document) directory of the + new virtual host +2. Make ``data/`` world-writable (or at least writable by the web server) +3. Modify your website and add the following to its ````:: + + + + +============ +Dependencies +============ + +* PDO::sqlite3 +* PEAR Libraries: + + * Net_URL2 + * OpenID + + +======= +License +======= +``indieauth-openid`` is licensed under the `AGPL v3`__ or later. + +__ http://www.gnu.org/licenses/agpl.html + + +====== +Author +====== +Written by Christian Weiske, cweiske@cweiske.de diff --git a/www/index.php b/www/index.php index 9906fd9..b74453a 100644 --- a/www/index.php +++ b/www/index.php @@ -1,14 +1,23 @@ + * @license http://www.gnu.org/licenses/agpl.html GNU AGPL v3 + * @link http://indiewebcamp.com/login-brainstorming + * @link http://indiewebcamp.com/authorization-endpoint + * @link http://indiewebcamp.com/auth-brainstorming + * @link https://indieauth.com/developers */ -//require_once __DIR__ . '/../src/init.php'; + +require_once 'Net/URL2.php'; require_once 'OpenID/RelyingParty.php'; require_once 'OpenID/Message.php'; require_once 'OpenID/Exception.php'; -require_once 'Net/URL2.php'; function loadDb() { 
@@ -83,6 +92,7 @@ function validate_token($code, $redirect_uri, $client_id, $state)
 function error($msg)
 {
 header('HTTP/1.0 400 Bad Request');
+ header('Content-type: text/plain; charset=utf-8');
 echo $msg . "\n";
 exit(1);
 }
@@ -108,12 +118,7 @@ function getBaseUrl()
 if (!isset($_SERVER['REQUEST_SCHEME'])) {
 $_SERVER['REQUEST_SCHEME'] = 'http';
 }
- $file = preg_replace('/#.*$/', '', $_SERVER['REQUEST_URI']);
- if ($file == '') {
- $file = ' /';
- } else if (substr($file, -1) != '/') {
- $file = dirname($file);
- }
+ $file = preg_replace('/[?#].*$/', '', $_SERVER['REQUEST_URI']);
 return $_SERVER['REQUEST_SCHEME'] . '://' . $_SERVER['HTTP_HOST'] . $file;
@@ -133,6 +138,14 @@ if (isset($_GET['openid_mode']) && $_GET['openid_mode'] != '') {
 $message = new \OpenID_Message($queryString, \OpenID_Message::FORMAT_HTTP);
 $id = $message->get('openid.claimed_id');
+ if ($id != $_SESSION['me']) {
+ error(
+ sprintf(
+ 'Given identity URL "%s" and claimed OpenID "%s" do not match',
+ $_SESSION['me'], $id
+ )
+ );
+ }
 try {
 $o = new \OpenID_RelyingParty($returnTo, $realm, $_SESSION['me']);
 $result = $o->verify(new \Net_URL2($returnTo . '?' . $queryString), $message);
@@ -150,10 +163,10 @@ if (isset($_GET['openid_mode']) && $_GET['openid_mode'] != '') {
 header('Location: ' . $url->getURL());
 exit();
 } else {
- error('Error logging in: ' . $result->getAssertionMethod());
+ error('Error verifying OpenID login: ' . $result->getAssertionMethod());
 }
 } catch (OpenID_Exception $e) {
- error('Error logging in: ' . $e->getMessage());
+ error('Error verifying OpenID login: ' . $e->getMessage());
 }
 }
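Review bot: The `Content-type: text/plain; charset=utf-8` header added to error() stops the echoed $msg from being rendered as HTML, but the messages that reach it carry request-derived text (the identity-mismatch message later in this file interpolates $_SESSION['me'] and the claimed id), so adding `header('X-Content-Type-Options: nosniff');` next to it closes the remaining content-sniffing path in older browsers. The hard-coded `HTTP/1.0` status line could also be built from `$_SERVER['SERVER_PROTOCOL']` so the response matches the request's protocol version.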
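Review bot: getBaseUrl() still derives the host part from `$_SERVER['HTTP_HOST']`, which is the client-supplied Host header; if the result is what feeds the OpenID return_to and realm (not visible in this hunk), a forged Host header decides where the provider is told to send its assertion. Reading the canonical base URL from configuration, or rejecting requests whose Host does not match a configured value, removes that dependency. The `REQUEST_SCHEME` fallback to `'http'` also produces an http:// base URL behind a TLS-terminating proxy unless the proxy populates that variable; a comment such as `// assumes the web server/proxy sets REQUEST_SCHEME correctly for HTTPS deployments` would make that deployment assumption explicit.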
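Review bot: The new identity check in the openid_mode hunk compares with loose `!=` and reads `$_SESSION['me']` without confirming it exists, so an expired session combined with an assertion lacking openid.claimed_id would compare two nulls as equal and slip past the check instead of being rejected; change it to `if (!isset($_SESSION['me']) || $id !== $_SESSION['me']) {`. Whether OpenID_Message::get() returns null for a missing key is inferred from the library, not visible here. The enclosing openid_mode block starts before this hunk and the verify() call that follows it is what actually proves the assertion, so this check is a pre-filter rather than the authentication decision.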
@@ -165,7 +178,13 @@ if ($_SERVER['REQUEST_METHOD'] == 'GET') {
 if (isset($_GET['state'])) {
 $state = $_GET['state'];
 }
- //FIXME: support "response_type"?
+ $response_type = 'id';
+ if (isset($_GET['response_type'])) {
+ $response_type = $_GET['response_type'];
+ }
+ if ($response_type != 'id') {
+ error('unsupported response_type: ' . $response_type);
+ }
 $_SESSION['me'] = $me;
 $_SESSION['redirect_uri'] = $redirect_uri;