lib/apiauth.php

   1 <?php
   2 /**
   3  * StatusNet, the distributed open-source microblogging tool
   4  *
   5  * Base class for API actions that require authentication
   6  *
   7  * PHP version 5
   8  *
   9  * LICENCE: This program is free software: you can redistribute it and/or modify
  10  * it under the terms of the GNU Affero General Public License as published by
  11  * the Free Software Foundation, either version 3 of the License, or
  12  * (at your option) any later version.
  13  *
  14  * This program is distributed in the hope that it will be useful,
  15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17  * GNU Affero General Public License for more details.
  18  *
  19  * You should have received a copy of the GNU Affero General Public License
  20  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21  *
  22  * @category  API
  23  * @package   StatusNet
  24  * @author    Zach Copley <zach@status.net>
  25  * @copyright 2009 StatusNet, Inc.
  26  * @license   http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0
  27  * @link      http://status.net/
  28  */
  29
  30 if (!defined('STATUSNET')) {
  31     exit(1);
  32 }
  33
  34 require_once INSTALLDIR.'/lib/twitterapi.php';
  35
  36 class ApiAuthAction extends TwitterapiAction
  37 {
  38     /**
  39      * Does this API resource require authentication?
  40      *
  41      * @return boolean true
  42      */
  43
  44     function requiresAuth()
  45     {
  46         return true;
  47     }
  48
  49     function checkBasicAuthUser()
  50     {
  51         $this->basicAuthProcessHeader();
  52
  53         if (!isset($this->auth_user)) {
  54             header('WWW-Authenticate: Basic realm="StatusNet API"');
  55
  56             // show error if the user clicks 'cancel'
  57
  58             $this->showBasicAuthError();
  59             return false;
  60
  61         } else {
  62             $nickname = $this->auth_user;
  63             $password = $this->auth_pw;
  64             $this->auth_user = common_check_user($nickname, $password);
  65
  66             if (empty($this->auth_user)) {
  67
  68                 // basic authentication failed
  69
  70                 list($proxy, $ip) = common_client_ip();
  71                 common_log(LOG_WARNING,
  72                     "Failed API auth attempt, nickname = $nickname, proxy = $proxy, ip = $ip.");
  73                 $this->showBasicAuthError();
  74                 return false;
  75             }
  76         }
  77         return true;
  78     }
  79
  80     function basicAuthProcessHeader()
  81     {
  82         if (isset($_SERVER['AUTHORIZATION']) || isset($_SERVER['HTTP_AUTHORIZATION'])) {
  83             $authorization_header = isset($_SERVER['HTTP_AUTHORIZATION'])? $_SERVER['HTTP_AUTHORIZATION'] : $_SERVER['AUTHORIZATION'];
  84         }
  85
  86         if (isset($_SERVER['PHP_AUTH_USER'])) {
  87             $this->auth_user = $_SERVER['PHP_AUTH_USER'];
  88             $this->auth_pw = $_SERVER['PHP_AUTH_PW'];
  89         } elseif (isset($authorization_header) && strstr(substr($authorization_header, 0, 5), 'Basic')) {
  90             // decode the HTTP_AUTHORIZATION header on php-cgi server self
  91             // on fcgid server the header name is AUTHORIZATION
  92
  93             $auth_hash = base64_decode(substr($authorization_header, 6));
  94             list($this->auth_user, $this->auth_pw) = explode(':', $auth_hash);
  95
  96             // set all to null on a empty basic auth request
  97             if ($this->auth_user == "") {
  98                 $this->auth_user = null;
  99                 $this->auth_pw = null;
 100             }
 101         } else {
 102             $this->auth_user = null;
 103             $this->auth_pw = null;
 104         }
 105     }
 106
 107     function showBasicAuthError()
 108     {
 109         header('HTTP/1.1 401 Unauthorized');
 110         $msg = 'Could not authenticate you.';
 111
 112         if ($this->arg('format') == 'xml') {
 113             header('Content-Type: application/xml; charset=utf-8');
 114             $this->startXML();
 115             $this->elementStart('hash');
 116             $this->element('error', null, $msg);
 117             $this->element('request', null, $_SERVER['REQUEST_URI']);
 118             $this->elementEnd('hash');
 119             $this->endXML();
 120         } elseif ($this->arg('format') == 'json') {
 121             header('Content-Type: application/json; charset=utf-8');
 122             $error_array = array('error' => $msg, 'request' => $_SERVER['REQUEST_URI']);
 123             print(json_encode($error_array));
 124         } else {
 125             header('Content-type: text/plain');
 126             print "$msg\n";
 127         }
 128     }
 129
 130
 131 }