X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=lib%2Fapiauth.php;h=8b0a3da17bb61abb449673f0a429b078588ca0fe;hb=698f5c7a20d5792b629404ce513d2fa2c2bab907;hp=32502399f9f836bbd2d0607440a72200e14f4cd1;hpb=ddb656fcd2a3233b26e28987d2f3425944908d30;p=quix0rs-gnu-social.git diff --git a/lib/apiauth.php b/lib/apiauth.php index 32502399f9..8b0a3da17b 100644 --- a/lib/apiauth.php +++ b/lib/apiauth.php @@ -30,10 +30,29 @@ * @author Sarven Capadisli * @author Zach Copley * @copyright 2009-2010 StatusNet, Inc. + * @copyright 2009 Free Software Foundation, Inc http://www.fsf.org * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0 * @link http://status.net/ */ +/* External API usage documentation. Please update when you change how this method works. */ + +/*! @page authentication Authentication + + StatusNet supports HTTP Basic Authentication and OAuth for API calls. + + @warning Currently, users who have created accounts without setting a + password via OpenID, Facebook Connect, etc., cannot use the API until + they set a password with their account settings panel. + + @section HTTP Basic Auth + + + + @section OAuth + +*/ + if (!defined('STATUSNET')) { exit(1); } @@ -49,12 +68,10 @@ require_once INSTALLDIR . '/lib/apioauth.php'; * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0 * @link http://status.net/ */ - class ApiAuthAction extends ApiAction { var $auth_user_nickname = null; var $auth_user_password = null; - var $oauth_source = null; /** * Take arguments for running, looks for an OAuth request, @@ -65,7 +82,6 @@ class ApiAuthAction extends ApiAction * @return boolean success flag * */ - function prepare($args) { parent::prepare($args); @@ -91,6 +107,7 @@ class ApiAuthAction extends ApiAction if ($this->isReadOnly($args) == false) { if ($this->access != self::READ_WRITE) { + // TRANS: Client error 401. $msg = _('API resource requires read-write access, ' . 'but you only have read access.'); $this->clientError($msg, 401, $this->format); @@ -107,7 +124,6 @@ class ApiAuthAction extends ApiAction * * @return mixed the OAuthRequest or false */ - function getOAuthRequest() { ApiOauthAction::cleanRequest(); @@ -135,7 +151,6 @@ class ApiAuthAction extends ApiAction * * @return nothing */ - function checkOAuthRequest($request) { $datastore = new ApiStatusNetOAuthDataStore(); @@ -145,7 +160,6 @@ class ApiAuthAction extends ApiAction $server->add_signature_method($hmac_method); try { - $server->verify_request($request); $consumer = $request->get_parameter('oauth_consumer_key'); @@ -157,29 +171,26 @@ class ApiAuthAction extends ApiAction common_log(LOG_WARNING, 'Couldn\'t find the OAuth app for consumer key: ' . $consumer); - throw new OAuthException('No application for that consumer key.'); + // TRANS: OAuth exception thrown when no application is found for a given consumer key. + throw new OAuthException(_('No application for that consumer key.')); } // set the source attr - $this->oauth_source = $app->name; + $this->source = $app->name; $appUser = Oauth_application_user::staticGet('token', $access_token); if (!empty($appUser)) { - // If access_type == 0 we have either a request token // or a bad / revoked access token if ($appUser->access_type != 0) { - // Set the access level for the api call - $this->access = ($appUser->access_type & Oauth_application::$writeAccess) ? self::READ_WRITE : self::READ_ONLY; // Set the auth user - if (Event::handle('StartSetApiUser', array(&$user))) { $this->auth_user = User::staticGet('id', $appUser->profile_id); Event::handle('EndSetApiUser', array($user)); @@ -197,18 +208,18 @@ class ApiAuthAction extends ApiAction 'read-write' : 'read-only' )); } else { - throw new OAuthException('Bad access token.'); + // TRANS: OAuth exception given when an incorrect access token was given for a user. + throw new OAuthException(_('Bad access token.')); } } else { - // Also should not happen - - throw new OAuthException('No user for that token.'); + // TRANS: OAuth exception given when no user was found for a given token (no token was found). + throw new OAuthException(_('No user for that token.')); } } catch (OAuthException $e) { common_log(LOG_WARNING, 'API OAuthException - ' . $e->getMessage()); - $this->showAuthError(); + $this->clientError($e->getMessage(), 401, $this->format); exit; } } @@ -218,7 +229,6 @@ class ApiAuthAction extends ApiAction * * @return boolean true */ - function requiresAuth() { return true; @@ -230,7 +240,6 @@ class ApiAuthAction extends ApiAction * * @return boolean true or false */ - function checkBasicAuthUser($required = true) { $this->basicAuthProcessHeader(); @@ -245,8 +254,8 @@ class ApiAuthAction extends ApiAction header('WWW-Authenticate: Basic realm="' . $realm . '"'); // show error if the user clicks 'cancel' - - $this->showAuthError(); + // TRANS: Client error thrown when authentication fails becaus a user clicked "Cancel". + $this->clientError(_("Could not authenticate you."), 401, $this->format); exit; } else { @@ -264,22 +273,21 @@ class ApiAuthAction extends ApiAction } // By default, basic auth users have rw access - $this->access = self::READ_WRITE; - if (empty($this->auth_user) && $required) { + if (empty($this->auth_user) && ($required || isset($_SERVER['PHP_AUTH_USER']))) { // basic authentication failed - list($proxy, $ip) = common_client_ip(); - $msg = sprintf(_('Failed API auth attempt, nickname = %1$s, ' . - 'proxy = %2$s, ip = %3$s'), + $msg = sprintf( 'Failed API auth attempt, nickname = %1$s, ' . + 'proxy = %2$s, ip = %3$s', $this->auth_user_nickname, $proxy, $ip); common_log(LOG_WARNING, $msg); - $this->showAuthError(); + // TRANS: Client error thrown when authentication fails. + $this->clientError(_("Could not authenticate you."), 401, $this->format); exit; } } @@ -291,14 +299,17 @@ class ApiAuthAction extends ApiAction * * @return void */ - function basicAuthProcessHeader() { - if (isset($_SERVER['AUTHORIZATION']) - || isset($_SERVER['HTTP_AUTHORIZATION']) - ) { - $authorization_header = isset($_SERVER['HTTP_AUTHORIZATION']) - ? $_SERVER['HTTP_AUTHORIZATION'] : $_SERVER['AUTHORIZATION']; + $authHeaders = array('AUTHORIZATION', + 'HTTP_AUTHORIZATION', + 'REDIRECT_HTTP_AUTHORIZATION'); // rewrite for CGI + $authorization_header = null; + foreach ($authHeaders as $header) { + if (isset($_SERVER[$header])) { + $authorization_header = $_SERVER[$header]; + break; + } } if (isset($_SERVER['PHP_AUTH_USER'])) { @@ -309,7 +320,6 @@ class ApiAuthAction extends ApiAction // Decode the HTTP_AUTHORIZATION header on php-cgi server self // on fcgid server the header name is AUTHORIZATION - $auth_hash = base64_decode(substr($authorization_header, 6)); list($this->auth_user_nickname, $this->auth_user_password) = explode(':', $auth_hash); @@ -322,36 +332,4 @@ class ApiAuthAction extends ApiAction } } } - - /** - * Output an authentication error message. Use XML or JSON if one - * of those formats is specified, otherwise output plain text - * - * @return void - */ - - function showAuthError() - { - header('HTTP/1.1 401 Unauthorized'); - $msg = 'Could not authenticate you.'; - - if ($this->format == 'xml') { - header('Content-Type: application/xml; charset=utf-8'); - $this->startXML(); - $this->elementStart('hash'); - $this->element('error', null, $msg); - $this->element('request', null, $_SERVER['REQUEST_URI']); - $this->elementEnd('hash'); - $this->endXML(); - } elseif ($this->format == 'json') { - header('Content-Type: application/json; charset=utf-8'); - $error_array = array('error' => $msg, - 'request' => $_SERVER['REQUEST_URI']); - print(json_encode($error_array)); - } else { - header('Content-type: text/plain'); - print "$msg\n"; - } - } - }