X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=lib%2Fapiauth.php;h=25e2196cf2c4bc0e004d5eb930146961c35112ab;hb=5aeed9e04110c34bca12e601836797afd5acadba;hp=ac5e997c78dfc9b96b96810a1bee61fcda410637;hpb=2494d3fa25a44b3cacf85c594683675ae9e6d0cb;p=quix0rs-gnu-social.git diff --git a/lib/apiauth.php b/lib/apiauth.php index ac5e997c78..25e2196cf2 100644 --- a/lib/apiauth.php +++ b/lib/apiauth.php @@ -55,12 +55,11 @@ class ApiAuthAction extends ApiAction { var $auth_user_nickname = null; var $auth_user_password = null; - var $access_token = null; var $oauth_source = null; - var $auth_user = null; /** - * Take arguments for running, and output basic auth header if needed + * Take arguments for running, looks for an OAuth request, + * and outputs basic auth header if needed * * @param array $args $_REQUEST args * @@ -72,32 +71,29 @@ class ApiAuthAction extends ApiAction { parent::prepare($args); - $this->consumer_key = $this->arg('oauth_consumer_key'); - $this->access_token = $this->arg('oauth_token'); - // NOTE: $this->auth_user has to get set in prepare(), not handle(), // because subclasses do stuff with it in their prepares. - if ($this->requiresAuth()) { - if (!empty($this->access_token)) { - $this->checkOAuthRequest(); + $oauthReq = $this->getOAuthRequest(); + + if (!$oauthReq) { + if ($this->requiresAuth()) { + $this->checkBasicAuthUser(true); } else { - $this->checkBasicAuthUser(); + // Check to see if a basic auth user is there even + // if one's not required + $this->checkBasicAuthUser(false); } } else { - - // Check to see if a basic auth user is there even - // if one's not required - - $this->checkBasicAuthUser(false); + $this->checkOAuthRequest($oauthReq); } // Reject API calls with the wrong access level if ($this->isReadOnly($args) == false) { if ($this->access != self::READ_WRITE) { - $msg = 'API resource requires read-write access, ' . - 'but you only have read access.'; + $msg = _('API resource requires read-write access, ' . + 'but you only have read access.'); $this->clientError($msg, 401, $this->format); exit; } @@ -106,12 +102,42 @@ class ApiAuthAction extends ApiAction return true; } - function handle($args) + /** + * Determine whether the request is an OAuth request. + * This is to avoid doign any unnecessary DB lookups. + * + * @return mixed the OAuthRequest or false + */ + + function getOAuthRequest() { - parent::handle($args); + ApiOauthAction::cleanRequest(); + + $req = OAuthRequest::from_request(); + + $consumer = $req->get_parameter('oauth_consumer_key'); + $accessToken = $req->get_parameter('oauth_token'); + + // XXX: Is it good enough to assume it's not meant to be an + // OAuth request if there is no consumer or token? --Z + + if (empty($consumer) || empty($accessToken)) { + return false; + } + + return $req; } - function checkOAuthRequest() + /** + * Verifies the OAuth request signature, sets the auth user + * and access type (read-only or read-write) + * + * @param OAuthRequest $request the OAuth Request + * + * @return nothing + */ + + function checkOAuthRequest($request) { $datastore = new ApiStatusNetOAuthDataStore(); $server = new OAuthServer($datastore); @@ -119,22 +145,19 @@ class ApiAuthAction extends ApiAction $server->add_signature_method($hmac_method); - ApiOauthAction::cleanRequest(); - try { - $req = OAuthRequest::from_request(); - $server->verify_request($req); + $server->verify_request($request); - $app = Oauth_application::getByConsumerKey($this->consumer_key); + $consumer = $request->get_parameter('oauth_consumer_key'); + $access_token = $request->get_parameter('oauth_token'); - if (empty($app)) { + $app = Oauth_application::getByConsumerKey($consumer); - // this should probably not happen + if (empty($app)) { common_log(LOG_WARNING, 'Couldn\'t find the OAuth app for consumer key: ' . - $this->consumer_key); - + $consumer); throw new OAuthException('No application for that consumer key.'); } @@ -142,11 +165,7 @@ class ApiAuthAction extends ApiAction $this->oauth_source = $app->name; - $appUser = Oauth_application_user::staticGet('token', - $this->access_token); - - // XXX: Check that app->id and appUser->application_id and consumer all - // match? + $appUser = Oauth_application_user::staticGet('token', $access_token); if (!empty($appUser)) { @@ -160,6 +179,8 @@ class ApiAuthAction extends ApiAction $this->access = ($appUser->access_type & Oauth_application::$writeAccess) ? self::READ_WRITE : self::READ_ONLY; + // Set the auth user + if (Event::handle('StartSetApiUser', array(&$user))) { $this->auth_user = User::staticGet('id', $appUser->profile_id); Event::handle('EndSetApiUser', array($user)); @@ -176,7 +197,6 @@ class ApiAuthAction extends ApiAction ($this->access = self::READ_WRITE) ? 'read-write' : 'read-only' )); - return true; } else { throw new OAuthException('Bad access token.'); } @@ -228,9 +248,14 @@ class ApiAuthAction extends ApiAction } else { + $user = common_check_user($this->auth_user_nickname, + $this->auth_user_password); + if (Event::handle('StartSetApiUser', array(&$user))) { - $this->auth_user = common_check_user($this->auth_user_nickname, - $this->auth_user_password); + + if (!empty($user)) { + $this->auth_user = $user; + } Event::handle('EndSetApiUser', array($user)); } @@ -239,18 +264,18 @@ class ApiAuthAction extends ApiAction $this->access = self::READ_WRITE; - if (empty($this->auth_user)) { + if (empty($this->auth_user) && $required) { // basic authentication failed list($proxy, $ip) = common_client_ip(); - common_log( - LOG_WARNING, - 'Failed API auth attempt, nickname = ' . - "$nickname, proxy = $proxy, ip = $ip." - ); - + $msg = sprintf(_('Failed API auth attempt, nickname = %1$s, ' . + 'proxy = %2$s, ip = %3$s'), + $this->auth_user_nickname, + $proxy, + $ip); + common_log(LOG_WARNING, $msg); $this->showAuthError(); exit; }