function handle($args) {
parent::handle($args);
if (common_logged_in()) {
- common_user_error(_t('Already logged in.'));
+ common_user_error(_('Already logged in.'));
} else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
- $this->start_openid_login();
+ $openid_url = $this->trimmed('openid_url');
+
+ # CSRF protection
+ $token = $this->trimmed('token');
+ if (!$token || $token != common_session_token()) {
+ $this->show_form(_('There was a problem with your session token. Try again, please.'), $openid_url);
+ return;
+ }
+
+ $result = oid_authenticate($openid_url,
+ 'finishopenidlogin');
+ if (is_string($result)) { # error message
+ $this->show_form($result, $openid_url);
+ }
} else {
- $this->show_form();
+ $openid_url = oid_get_last();
+ $this->show_form(NULL, $openid_url);
}
}
- function show_form($error=NULL) {
- common_show_header(_t('OpenID Login'));
+ function get_instructions() {
+ return _('Login with an [OpenID](%%doc.openid%%) account.');
+ }
+
+ function show_top($error=NULL) {
if ($error) {
common_element('div', array('class' => 'error'), $error);
} else {
- common_element('div', 'instructions',
- _t('Login with an OpenID account.'));
+ $instr = $this->get_instructions();
+ $output = common_markup_to_html($instr);
+ common_element_start('div', 'instructions');
+ common_raw($output);
+ common_element_end('div');
}
- common_element_start('form', array('method' => 'POST',
+ }
+
+ function show_form($error=NULL, $openid_url) {
+ common_show_header(_('OpenID Login'), NULL, $error, array($this, 'show_top'));
+ $formaction = common_local_url('openidlogin');
+ common_element_start('form', array('method' => 'post',
'id' => 'openidlogin',
- 'action' => common_local_url('openidlogin')));
- common_input('openid_url', _t('OpenID URL'));
- common_submit('submit', _t('Login'));
+ 'action' => $formaction));
+ common_hidden('token', common_session_token());
+ common_input('openid_url', _('OpenID URL'),
+ $openid_url,
+ _('Your OpenID URL'));
+ common_submit('submit', _('Login'));
common_element_end('form');
common_show_footer();
}
-
- function start_openid_login() {
- # XXX: form token in $_SESSION to prevent XSS
- # XXX: login throttle
- $openid_url = $this->trimmed('openid_url');
- if (!common_valid_http_url($openid_url)) {
- $this->show_form(_t('OpenID must be a valid URL.'));
- return;
- }
-
- $consumer = oid_consumer();
-
- if (!$consumer) {
- common_server_error(_t('Cannot instantiate OpenID consumer object.'));
- return;
- }
-
- common_ensure_session();
-
- $auth_request = $consumer->begin($openid_url);
-
- // Handle failure status return values.
- if (!$auth_request) {
- $this->show_form(_t('Not a valid OpenID.'));
- return;
- } else if (Auth_OpenID::isFailure($auth_request)) {
- $this->show_form(_t('OpenID failure: ') . $auth_request->message);
- return;
- }
-
- $sreg_request = Auth_OpenID_SRegRequest::build(// Required
- array(),
- // Optional
- array('nickname',
- 'email',
- 'fullname',
- 'language',
- 'timezone',
- 'postcode',
- 'country'));
-
- if ($sreg_request) {
- $auth_request->addExtension($sreg_request);
- }
-
- $trust_root = common_root_url();
- $process_url = common_local_url('finishopenidlogin');
-
- if ($auth_request->shouldSendRedirect()) {
- $redirect_url = $auth_request->redirectURL($trust_root,
- $process_url);
- if (!$redirect_url) {
- } else if (Auth_OpenID::isFailure($redirect_url)) {
- $this->show_form(_t('Could not redirect to server: ') . $redirect_url->message);
- return;
- } else {
- common_redirect($redirect_url);
- }
- } else {
- // Generate form markup and render it.
- $form_id = 'openid_message';
- $form_html = $auth_request->formMarkup($trust_root, $process_url,
- false, array('id' => $form_id));
-
- # XXX: This is cheap, but things choke if we don't escape ampersands
- # in the HTML attributes
-
- $form_html = preg_replace('/&/', '&', $form_html);
-
- // Display an error if the form markup couldn't be generated;
- // otherwise, render the HTML.
- if (Auth_OpenID::isFailure($form_html)) {
- $this->show_form(_t('Could not create OpenID form: ') . $form_html->message);
- } else {
- common_show_header(_t('OpenID Auto-Submit'));
- common_element('p', 'instructions',
- _t('This form should automatically submit itself. '.
- 'If not, click the submit button to go to your '.
- 'OpenID provider.'));
- common_raw($form_html);
- common_element('script', NULL,
- '$(document).ready(function() { ' .
- ' $("#'. $form_id .'").submit(); '.
- '});');
- common_show_footer();
- }
- }
- }
}
projects / quix0rs-gnu-social.git / blobdiff