<?php
/**
- * @copyright Copyright (C) 2010-2021, the Friendica project
+ * @copyright Copyright (C) 2010-2023, the Friendica project
*
* @license GNU AGPL version 3 or any later version
*
namespace Friendica\Security;
use Friendica\Core\Logger;
+use Friendica\Core\Worker;
use Friendica\Database\Database;
use Friendica\Database\DBA;
+use Friendica\Model\Contact;
+use Friendica\Model\User;
+use Friendica\Module\BaseApi;
use Friendica\Util\DateTimeFormat;
+use GuzzleHttp\Psr7\Uri;
/**
* OAuth Server
*/
class OAuth
{
- const SCOPE_READ = 'read';
- const SCOPE_WRITE = 'write';
- const SCOPE_FOLLOW = 'follow';
- const SCOPE_PUSH = 'push';
-
/**
* @var bool|int
*/
protected static $current_token = [];
/**
- * Check if the provided scope does exist
- *
- * @param string $scope the requested scope (read, write, follow, push)
+ * Get current user id, returns 0 if not logged in
*
- * @return bool "true" if the scope is allowed
+ * @return int User ID
*/
- public static function isAllowedScope(string $scope)
+ public static function getCurrentUserID()
{
- $token = self::getCurrentApplicationToken();
-
- if (empty($token)) {
- Logger::notice('Empty application token');
- return false;
- }
-
- if (!isset($token[$scope])) {
- Logger::warning('The requested scope does not exist', ['scope' => $scope, 'application' => $token]);
- return false;
- }
-
- if (empty($token[$scope])) {
- Logger::warning('The requested scope is not allowed', ['scope' => $scope, 'application' => $token]);
- return false;
+ if (empty(self::$current_user_id)) {
+ $token = self::getCurrentApplicationToken();
+ if (!empty($token['uid'])) {
+ self::$current_user_id = $token['uid'];
+ } else {
+ self::$current_user_id = 0;
+ }
}
- return true;
+ return (int)self::$current_user_id;
}
/**
return self::$current_token;
}
- /**
- * Get current user id, returns 0 if not logged in
- *
- * @return int User ID
- */
- public static function getCurrentUserID()
- {
- if (empty(self::$current_user_id)) {
- $token = self::getCurrentApplicationToken();
- if (!empty($token['uid'])) {
- self::$current_user_id = $token['uid'];
- } else {
- self::$current_user_id = 0;
- }
- }
-
- return (int)self::$current_user_id;
- }
-
/**
* Get the user token via the Bearer token
*
{
$authorization = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
+ if (empty($authorization)) {
+ // workaround for HTTP-auth in CGI mode
+ $authorization = $_SERVER['REDIRECT_REMOTE_USER'] ?? '';
+ }
+
if (substr($authorization, 0, 7) != 'Bearer ') {
return [];
}
$token = DBA::selectFirst('application-view', ['uid', 'id', 'name', 'website', 'created_at', 'read', 'write', 'follow', 'push'], $condition);
if (!DBA::isResult($token)) {
- Logger::warning('Token not found', $condition);
+ Logger::notice('Token not found', $condition);
return [];
}
Logger::debug('Token found', $token);
+
+ User::updateLastActivity($token['uid']);
+
+ // Regularly update suggestions
+ if (Contact\Relation::areSuggestionsOutdated($token['uid'])) {
+ Worker::add(Worker::PRIORITY_MEDIUM, 'UpdateSuggestions', $token['uid']);
+ }
+
return $token;
}
if (!empty($client_secret)) {
$condition['client_secret'] = $client_secret;
}
+
if (!empty($redirect_uri)) {
- $condition['redirect_uri'] = $redirect_uri;
+ $uri = new Uri($redirect_uri);
+ $redirect_uri = $uri->getScheme() . '://' . $uri->getHost() . $uri->getPath();
+ $condition = DBA::mergeConditions($condition, ["`redirect_uri` LIKE ?", '%' . $redirect_uri . '%']);
}
$application = DBA::selectFirst('application', [], $condition);
Logger::warning('Application not found', $condition);
return [];
}
+
+ // The redirect_uri could contain several URI that are separated by spaces.
+ if (($application['redirect_uri'] != $redirect_uri) && !in_array($redirect_uri, explode(' ', $application['redirect_uri']))) {
+ return [];
+ }
+
return $application;
}
'code' => $code,
'access_token' => $access_token,
'scopes' => $scope,
- 'read' => (stripos($scope, self::SCOPE_READ) !== false),
- 'write' => (stripos($scope, self::SCOPE_WRITE) !== false),
- 'follow' => (stripos($scope, self::SCOPE_FOLLOW) !== false),
- 'push' => (stripos($scope, self::SCOPE_PUSH) !== false),
- 'created_at' => DateTimeFormat::utcNow(DateTimeFormat::MYSQL)];
-
- foreach ([self::SCOPE_READ, self::SCOPE_WRITE, self::SCOPE_WRITE, self::SCOPE_PUSH] as $scope) {
+ 'read' => (stripos($scope, BaseApi::SCOPE_READ) !== false),
+ 'write' => (stripos($scope, BaseApi::SCOPE_WRITE) !== false),
+ 'follow' => (stripos($scope, BaseApi::SCOPE_FOLLOW) !== false),
+ 'push' => (stripos($scope, BaseApi::SCOPE_PUSH) !== false),
+ 'created_at' => DateTimeFormat::utcNow()
+ ];
+
+ foreach ([BaseApi::SCOPE_READ, BaseApi::SCOPE_WRITE, BaseApi::SCOPE_WRITE, BaseApi::SCOPE_PUSH] as $scope) {
if ($fields[$scope] && !$application[$scope]) {
Logger::warning('Requested token scope is not allowed for the application', ['token' => $fields, 'application' => $application]);
}
projects / friendica.git / blobdiff