]> git.mxchange.org Git - quix0rs-gnu-social.git/blob - actions/remotesubscribe.php
64299e27a292f67d9753ae2a23f87b4fe736b1dd
[quix0rs-gnu-social.git] / actions / remotesubscribe.php
1 <?php
2 /*
3  * Laconica - a distributed open-source microblogging tool
4  * Copyright (C) 2008, Controlez-Vous, Inc.
5  *
6  * This program is free software: you can redistribute it and/or modify
7  * it under the terms of the GNU Affero General Public License as published by
8  * the Free Software Foundation, either version 3 of the License, or
9  * (at your option) any later version.
10  *
11  * This program is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  * GNU Affero General Public License for more details.
15  *
16  * You should have received a copy of the GNU Affero General Public License
17  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
18  */
19
20 if (!defined('LACONICA')) { exit(1); }
21
22 require_once(INSTALLDIR.'/lib/omb.php');
23
24 class RemotesubscribeAction extends Action {
25
26         function handle($args) {
27
28                 parent::handle($args);
29
30                 if (common_logged_in()) {
31                         common_user_error(_t('You can use the local subscription!'));
32                     return;
33                 }
34
35                 if ($_SERVER['REQUEST_METHOD'] == 'POST') {
36                         $this->remote_subscription();
37                 } else {
38                         $this->show_form();
39                 }
40         }
41
42         function show_form($err=NULL) {
43                 $nickname = $this->trimmed('nickname');
44                 common_show_header(_t('Remote subscribe'));
45                 if ($err) {
46                         common_element('div', 'error', $err);
47                 }
48                 common_element_start('form', array('id' => 'remotesubscribe', 'method' => 'POST',
49                                                                                    'action' => common_local_url('remotesubscribe')));
50                 common_input('nickname', _t('User nickname'), $nickname);
51                 common_input('profile', _t('Profile URL'));
52                 common_submit('submit', _t('Subscribe'));
53                 common_element_end('form');
54                 common_show_footer();
55         }
56
57         function remote_subscription() {
58                 $user = $this->get_user();
59
60                 if (!$user) {
61                         $this->show_form(_t('No such user!'));
62                         return;
63                 }
64
65                 $profile = $this->trimmed('profile');
66
67                 if (!$profile) {
68                         $this->show_form(_t('No such user!'));
69                         return;
70                 }
71
72                 if (!Validate::uri($profile, array('allowed_schemes' => array('http', 'https')))) {
73                         $this->show_form(_t('Invalid profile URL (bad format)'));
74                         return;
75                 }
76
77                 $fetcher = Auth_Yadis_Yadis::getHTTPFetcher();
78                 $yadis = Auth_Yadis_Yadis::discover($profile, $fetcher);
79
80                 if (!$yadis || $yadis->failed) {
81                         $this->show_form(_t('Not a valid profile URL (no YADIS document).'));
82                         return;
83                 }
84
85         $xrds =& Auth_Yadis_XRDS::parseXRDS($yadis->response_text);
86
87                 if (!$xrds) {
88                         $this->show_form(_t('Not a valid profile URL (no XRDS defined).'));
89                         return;
90                 }
91
92                 $omb = $this->getOmb($xrds);
93
94                 if (!$omb) {
95                         $this->show_form(_t('Not a valid profile URL (incorrect services).'));
96                         return;
97                 }
98
99                 list($token, $secret) = $this->request_token($omb);
100
101                 if (!$token || !$secret) {
102                         $this->show_form(_t('Couldn\'t get a request token.'));
103                         return;
104                 }
105
106                 $this->request_authorization($user, $omb, $token, $secret);
107         }
108
109         function get_user() {
110                 $user = NULL;
111                 $nickname = $this->trimmed('nickname');
112                 if ($nickname) {
113                         $user = User::staticGet('nickname', $nickname);
114                 }
115                 return $user;
116         }
117
118         function getOmb($xrds) {
119
120             static $omb_endpoints = array(OMB_ENDPOINT_UPDATEPROFILE, OMB_ENDPOINT_POSTNOTICE);
121                 static $oauth_endpoints = array(OAUTH_ENDPOINT_REQUEST, OAUTH_ENDPOINT_AUTHORIZE,
122                                                                                 OAUTH_ENDPOINT_ACCESS);
123                 $omb = array();
124
125                 # XXX: the following code could probably be refactored to eliminate dupes
126
127                 $oauth_services = omb_get_services($xrds, OAUTH_DISCOVERY);
128
129                 if (!$oauth_services) {
130                         return NULL;
131                 }
132
133                 $oauth_service = $oauth_services[0];
134
135                 $oauth_xrd = $this->getXRD($oauth_service, $xrds);
136
137                 if (!$oauth_xrd) {
138                         return NULL;
139                 }
140
141                 if (!$this->addServices($oauth_xrd, $oauth_endpoints, $omb)) {
142                         return NULL;
143                 }
144
145                 $omb_services = omb_get_services($xrds, OMB_NAMESPACE);
146
147                 if (!$omb_services) {
148                         return NULL;
149                 }
150
151                 $omb_service = $omb_services[0];
152
153                 $omb_xrd = $this->getXRD($omb_service, $xrds);
154
155                 if (!$omb_xrd) {
156                         return NULL;
157                 }
158
159                 if (!$this->addServices($omb_xrd, $omb_endpoints, $omb)) {
160                         return NULL;
161                 }
162
163                 # XXX: check that we got all the services we needed
164
165                 foreach (array_merge($omb_endpoints, $oauth_endpoints) as $type) {
166                         if (!array_key_exists($type, $omb) || !$omb[$type]) {
167                                 return NULL;
168                         }
169                 }
170
171                 if (!omb_local_id($omb[OAUTH_ENDPOINT_REQUEST])) {
172                         return NULL;
173                 }
174
175                 return $omb;
176         }
177
178         function getXRD($main_service, $main_xrds) {
179                 $uri = omb_service_uri($main_service);
180                 if (strpos($uri, "#") !== 0) {
181                         # FIXME: more rigorous handling of external service definitions
182                         return NULL;
183                 }
184                 $id = substr($uri, 1);
185                 $nodes = $main_xrds->allXrdNodes;
186                 $parser = $main_xrds->parser;
187                 foreach ($nodes as $node) {
188                         $attrs = $parser->attributes($node);
189                         if (array_key_exists('xml:id', $attrs) &&
190                                 $attrs['xml:id'] == $id) {
191                                 # XXX: trick the constructor into thinking this is the only node
192                                 $bogus_nodes = array($node);
193                                 return new Auth_Yadis_XRDS($parser, $bogus_nodes);
194                         }
195                 }
196                 return NULL;
197         }
198
199         function addServices($xrd, $types, &$omb) {
200                 foreach ($types as $type) {
201                         $matches = omb_get_services($xrd, $type);
202                         if ($matches) {
203                                 $omb[$type] = $matches[0];
204                         } else {
205                                 # no match for type
206                                 return false;
207                         }
208                 }
209                 return true;
210         }
211
212         function request_token($omb) {
213                 $con = omb_oauth_consumer();
214
215                 $url = omb_service_uri($omb[OAUTH_ENDPOINT_REQUEST]);
216
217                 # XXX: Is this the right thing to do? Strip off GET params and make them
218                 # POST params? Seems wrong to me.
219
220                 $parsed = parse_url($url);
221                 $params = array();
222                 parse_str($parsed['query'], $params);
223
224                 $req = OAuthRequest::from_consumer_and_token($con, NULL, "POST", $url, $params);
225
226                 $listener = omb_local_id($omb[OAUTH_ENDPOINT_REQUEST]);
227
228                 if (!$listener) {
229                         return NULL;
230                 }
231
232                 $req->set_parameter('omb_listener', $listener);
233                 $req->set_parameter('omb_version', OMB_VERSION_01);
234
235                 # XXX: test to see if endpoint accepts this signature method
236
237                 $req->sign_request(omb_hmac_sha1(), $con, NULL);
238
239                 # We re-use this tool's fetcher, since it's pretty good
240
241                 $fetcher = Auth_Yadis_Yadis::getHTTPFetcher();
242                 
243                 $result = $fetcher->post($req->get_normalized_http_url(),
244                                                                  $req->to_postdata());
245
246                 if ($result->status != 200) {
247                         return NULL;
248                 }
249
250                 parse_str($result->body, $return);
251
252                 return array($return['oauth_token'], $return['oauth_token_secret']);
253         }
254
255         function request_authorization($user, $omb, $token, $secret) {
256                 global $config; # for license URL
257
258                 $con = omb_oauth_consumer();
259                 $tok = new OAuthToken($token, $secret);
260
261                 $url = omb_service_uri($omb[OAUTH_ENDPOINT_AUTHORIZE]);
262
263                 # XXX: Is this the right thing to do? Strip off GET params and make them
264                 # POST params? Seems wrong to me.
265
266                 $parsed = parse_url($url);
267                 $params = array();
268                 parse_str($parsed['query'], $params);
269
270                 $req = OAuthRequest::from_consumer_and_token($con, $tok, 'GET', $url, $params);
271
272                 # We send over a ton of information. This lets the other
273                 # server store info about our user, and it lets the current
274                 # user decide if they really want to authorize the subscription.
275
276                 $req->set_parameter('omb_version', OMB_VERSION_01);
277                 $req->set_parameter('omb_listener', omb_local_id($omb[OAUTH_ENDPOINT_REQUEST]));
278                 $req->set_parameter('omb_listenee', $user->uri);
279                 $req->set_parameter('omb_listenee_profile', common_profile_url($user->nickname));
280                 $req->set_parameter('omb_listenee_nickname', $user->nickname);
281                 $req->set_parameter('omb_listenee_license', $config['license']['url']);
282                 $profile = $user->getProfile();
283                 if ($profile->fullname) {
284                         $req->set_parameter('omb_listenee_fullname', $profile->fullname);
285                 }
286                 if ($profile->homepage) {
287                         $req->set_parameter('omb_listenee_homepage', $profile->homepage);
288                 }
289                 if ($profile->bio) {
290                         $req->set_parameter('omb_listenee_bio', $profile->bio);
291                 }
292                 if ($profile->location) {
293                         $req->set_parameter('omb_listenee_location', $profile->location);
294                 }
295                 $avatar = $profile->getAvatar(AVATAR_PROFILE_SIZE);
296                 if ($avatar) {
297                         $req->set_parameter('omb_listenee_avatar', $avatar->url);
298                 }
299
300                 # XXX: add a nonce to prevent replay attacks
301                 
302                 $req->set_parameter('oauth_callback', common_local_url('finishremotesubscribe'));
303
304                 # XXX: test to see if endpoint accepts this signature method
305
306                 $req->sign_request(omb_hmac_sha1(), $con, $tok);
307
308                 # store all our info here
309
310                 $omb['listenee'] = $user->nickname;
311                 $omb['token'] = $token;
312                 $omb['secret'] = $secret;
313                 # call doesn't work after bounce back so we cache; maybe serialization issue...?
314                 $omb['access_token_url'] = omb_service_uri($omb[OAUTH_ENDPOINT_ACCESS]);
315                 $omb['post_notice_url'] = omb_service_uri($omb[OMB_ENDPOINT_POSTNOTICE]);
316                 $omb['update_profile_url'] = omb_service_uri($omb[OMB_ENDPOINT_UPDATEPROFILE]);
317
318                 $_SESSION['oauth_authorization_request'] = $omb;
319
320                 # Redirect to authorization service
321
322                 common_redirect($req->to_url());
323                 return;
324         }
325         
326         function make_nonce() {
327                 return common_good_rand(16);
328         }
329 }