X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=lib%2Fapiauth.php;h=25e2196cf2c4bc0e004d5eb930146961c35112ab;hb=f3b08461bd476d368d444d48025709fb6a111b7d;hp=501d3de10e0547804bf1e6cdd4eb6ae13b852f96;hpb=de5ff19713a990af197330dd8e4314de465ffe76;p=quix0rs-gnu-social.git diff --git a/lib/apiauth.php b/lib/apiauth.php index 501d3de10e..25e2196cf2 100644 --- a/lib/apiauth.php +++ b/lib/apiauth.php @@ -21,8 +21,15 @@ * * @category API * @package StatusNet + * @author Adrian Lang + * @author Brenda Wallace + * @author Craig Andrews + * @author Dan Moore + * @author Evan Prodromou + * @author mEDI + * @author Sarven Capadisli * @author Zach Copley - * @copyright 2009 StatusNet, Inc. + * @copyright 2009-2010 StatusNet, Inc. * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0 * @link http://status.net/ */ @@ -31,10 +38,182 @@ if (!defined('STATUSNET')) { exit(1); } -require_once INSTALLDIR.'/lib/twitterapi.php'; +require_once INSTALLDIR . '/lib/api.php'; +require_once INSTALLDIR . '/lib/apioauth.php'; -class ApiAuthAction extends TwitterapiAction +/** + * Actions extending this class will require auth + * + * @category API + * @package StatusNet + * @author Zach Copley + * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0 + * @link http://status.net/ + */ + +class ApiAuthAction extends ApiAction { + var $auth_user_nickname = null; + var $auth_user_password = null; + var $oauth_source = null; + + /** + * Take arguments for running, looks for an OAuth request, + * and outputs basic auth header if needed + * + * @param array $args $_REQUEST args + * + * @return boolean success flag + * + */ + + function prepare($args) + { + parent::prepare($args); + + // NOTE: $this->auth_user has to get set in prepare(), not handle(), + // because subclasses do stuff with it in their prepares. + + $oauthReq = $this->getOAuthRequest(); + + if (!$oauthReq) { + if ($this->requiresAuth()) { + $this->checkBasicAuthUser(true); + } else { + // Check to see if a basic auth user is there even + // if one's not required + $this->checkBasicAuthUser(false); + } + } else { + $this->checkOAuthRequest($oauthReq); + } + + // Reject API calls with the wrong access level + + if ($this->isReadOnly($args) == false) { + if ($this->access != self::READ_WRITE) { + $msg = _('API resource requires read-write access, ' . + 'but you only have read access.'); + $this->clientError($msg, 401, $this->format); + exit; + } + } + + return true; + } + + /** + * Determine whether the request is an OAuth request. + * This is to avoid doign any unnecessary DB lookups. + * + * @return mixed the OAuthRequest or false + */ + + function getOAuthRequest() + { + ApiOauthAction::cleanRequest(); + + $req = OAuthRequest::from_request(); + + $consumer = $req->get_parameter('oauth_consumer_key'); + $accessToken = $req->get_parameter('oauth_token'); + + // XXX: Is it good enough to assume it's not meant to be an + // OAuth request if there is no consumer or token? --Z + + if (empty($consumer) || empty($accessToken)) { + return false; + } + + return $req; + } + + /** + * Verifies the OAuth request signature, sets the auth user + * and access type (read-only or read-write) + * + * @param OAuthRequest $request the OAuth Request + * + * @return nothing + */ + + function checkOAuthRequest($request) + { + $datastore = new ApiStatusNetOAuthDataStore(); + $server = new OAuthServer($datastore); + $hmac_method = new OAuthSignatureMethod_HMAC_SHA1(); + + $server->add_signature_method($hmac_method); + + try { + + $server->verify_request($request); + + $consumer = $request->get_parameter('oauth_consumer_key'); + $access_token = $request->get_parameter('oauth_token'); + + $app = Oauth_application::getByConsumerKey($consumer); + + if (empty($app)) { + common_log(LOG_WARNING, + 'Couldn\'t find the OAuth app for consumer key: ' . + $consumer); + throw new OAuthException('No application for that consumer key.'); + } + + // set the source attr + + $this->oauth_source = $app->name; + + $appUser = Oauth_application_user::staticGet('token', $access_token); + + if (!empty($appUser)) { + + // If access_type == 0 we have either a request token + // or a bad / revoked access token + + if ($appUser->access_type != 0) { + + // Set the access level for the api call + + $this->access = ($appUser->access_type & Oauth_application::$writeAccess) + ? self::READ_WRITE : self::READ_ONLY; + + // Set the auth user + + if (Event::handle('StartSetApiUser', array(&$user))) { + $this->auth_user = User::staticGet('id', $appUser->profile_id); + Event::handle('EndSetApiUser', array($user)); + } + + $msg = "API OAuth authentication for user '%s' (id: %d) on behalf of " . + "application '%s' (id: %d) with %s access."; + + common_log(LOG_INFO, sprintf($msg, + $this->auth_user->nickname, + $this->auth_user->id, + $app->name, + $app->id, + ($this->access = self::READ_WRITE) ? + 'read-write' : 'read-only' + )); + } else { + throw new OAuthException('Bad access token.'); + } + } else { + + // Also should not happen + + throw new OAuthException('No user for that token.'); + } + + } catch (OAuthException $e) { + common_log(LOG_WARNING, 'API OAuthException - ' . $e->getMessage()); + $this->showAuthError(); + exit; + } + } + /** * Does this API resource require authentication? * @@ -46,70 +225,114 @@ class ApiAuthAction extends TwitterapiAction return true; } - function checkBasicAuthUser() + /** + * Check for a user specified via HTTP basic auth. If there isn't + * one, try to get one by outputting the basic auth header. + * + * @return boolean true or false + */ + + function checkBasicAuthUser($required = true) { $this->basicAuthProcessHeader(); - if (!isset($this->auth_user)) { - header('WWW-Authenticate: Basic realm="StatusNet API"'); + $realm = common_config('site', 'name') . ' API'; + + if (!isset($this->auth_user_nickname) && $required) { + header('WWW-Authenticate: Basic realm="' . $realm . '"'); // show error if the user clicks 'cancel' - $this->showBasicAuthError(); - return false; + $this->showAuthError(); + exit; } else { - $nickname = $this->auth_user; - $password = $this->auth_pw; - $this->auth_user = common_check_user($nickname, $password); - if (empty($this->auth_user)) { + $user = common_check_user($this->auth_user_nickname, + $this->auth_user_password); + + if (Event::handle('StartSetApiUser', array(&$user))) { + + if (!empty($user)) { + $this->auth_user = $user; + } + + Event::handle('EndSetApiUser', array($user)); + } + + // By default, basic auth users have rw access + + $this->access = self::READ_WRITE; + + if (empty($this->auth_user) && $required) { // basic authentication failed list($proxy, $ip) = common_client_ip(); - common_log(LOG_WARNING, - "Failed API auth attempt, nickname = $nickname, proxy = $proxy, ip = $ip."); - $this->showBasicAuthError(); - return false; + + $msg = sprintf(_('Failed API auth attempt, nickname = %1$s, ' . + 'proxy = %2$s, ip = %3$s'), + $this->auth_user_nickname, + $proxy, + $ip); + common_log(LOG_WARNING, $msg); + $this->showAuthError(); + exit; } } - return true; } + /** + * Read the HTTP headers and set the auth user. Decodes HTTP_AUTHORIZATION + * param to support basic auth when PHP is running in CGI mode. + * + * @return void + */ + function basicAuthProcessHeader() { - if (isset($_SERVER['AUTHORIZATION']) || isset($_SERVER['HTTP_AUTHORIZATION'])) { - $authorization_header = isset($_SERVER['HTTP_AUTHORIZATION'])? $_SERVER['HTTP_AUTHORIZATION'] : $_SERVER['AUTHORIZATION']; + if (isset($_SERVER['AUTHORIZATION']) + || isset($_SERVER['HTTP_AUTHORIZATION']) + ) { + $authorization_header = isset($_SERVER['HTTP_AUTHORIZATION']) + ? $_SERVER['HTTP_AUTHORIZATION'] : $_SERVER['AUTHORIZATION']; } if (isset($_SERVER['PHP_AUTH_USER'])) { - $this->auth_user = $_SERVER['PHP_AUTH_USER']; - $this->auth_pw = $_SERVER['PHP_AUTH_PW']; - } elseif (isset($authorization_header) && strstr(substr($authorization_header, 0, 5), 'Basic')) { - // decode the HTTP_AUTHORIZATION header on php-cgi server self + $this->auth_user_nickname = $_SERVER['PHP_AUTH_USER']; + $this->auth_user_password = $_SERVER['PHP_AUTH_PW']; + } elseif (isset($authorization_header) + && strstr(substr($authorization_header, 0, 5), 'Basic')) { + + // Decode the HTTP_AUTHORIZATION header on php-cgi server self // on fcgid server the header name is AUTHORIZATION $auth_hash = base64_decode(substr($authorization_header, 6)); - list($this->auth_user, $this->auth_pw) = explode(':', $auth_hash); + list($this->auth_user_nickname, + $this->auth_user_password) = explode(':', $auth_hash); + + // Set all to null on a empty basic auth request - // set all to null on a empty basic auth request - if ($this->auth_user == "") { - $this->auth_user = null; - $this->auth_pw = null; + if (empty($this->auth_user_nickname)) { + $this->auth_user_nickname = null; + $this->auth_password = null; } - } else { - $this->auth_user = null; - $this->auth_pw = null; } } - function showBasicAuthError() + /** + * Output an authentication error message. Use XML or JSON if one + * of those formats is specified, otherwise output plain text + * + * @return void + */ + + function showAuthError() { header('HTTP/1.1 401 Unauthorized'); $msg = 'Could not authenticate you.'; - if ($this->arg('format') == 'xml') { + if ($this->format == 'xml') { header('Content-Type: application/xml; charset=utf-8'); $this->startXML(); $this->elementStart('hash'); @@ -117,9 +340,10 @@ class ApiAuthAction extends TwitterapiAction $this->element('request', null, $_SERVER['REQUEST_URI']); $this->elementEnd('hash'); $this->endXML(); - } elseif ($this->arg('format') == 'json') { + } elseif ($this->format == 'json') { header('Content-Type: application/json; charset=utf-8'); - $error_array = array('error' => $msg, 'request' => $_SERVER['REQUEST_URI']); + $error_array = array('error' => $msg, + 'request' => $_SERVER['REQUEST_URI']); print(json_encode($error_array)); } else { header('Content-type: text/plain'); @@ -127,5 +351,4 @@ class ApiAuthAction extends TwitterapiAction } } - -} \ No newline at end of file +}