 /**
  * Look up the client credentials in the request.
  *
  * HTTP Basic auth (PHP_AUTH_USER / PHP_AUTH_PW) is preferred; the request
  * body's client_id / client_secret are consulted only when the
  * 'allow_credentials_in_request_body' option is on.
  *
  * @param RequestInterface       $request
  * @param ResponseInterface|null $response Optional; on failure a 400
  *                                         'invalid_client' error is set on it
  *
  * @return array|null array('client_id' => ..., 'client_secret' => ...), or
  *                    null when no credentials were found
  */
 public function getClientCredentials(RequestInterface $request, ResponseInterface $response = null)
 {
     $user = $request->headers('PHP_AUTH_USER');
     $secret = $request->headers('PHP_AUTH_PW');
     if ($user !== null && $secret !== null) {
         return array('client_id' => $user, 'client_secret' => $secret);
     }
     $bodyAllowed = $this->config['allow_credentials_in_request_body'];
     if ($bodyAllowed) {
         // Using POST for HttpBasic authorization is not recommended, but is supported by specification
         $bodyUser = $request->request('client_id');
         if ($bodyUser !== null) {
             // client_secret is passed through as-is, so it may be null when the body omits it
             return array('client_id' => $bodyUser, 'client_secret' => $request->request('client_secret'));
         }
     }
     if (!$response) {
         return null;
     }
     $suffix = $bodyAllowed ? ' or body' : '';
     $response->setError(400, 'invalid_client', 'Client credentials were not found in the headers' . $suffix);
     return null;
 }
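 /**
  * This is a convenience function that can be used to get the token, which can then
  * be passed to getAccessTokenData(). The constraints specified by the draft are
  * adhered to in this method as far as possible.
  *
  * As per the Bearer spec (draft 8, section 2) - there are three ways for a client
  * to specify the bearer token, in order of preference: Authorization Header,
  * POST and GET.
  *
  * NB: Resource servers MUST accept tokens via the Authorization scheme
  * (http://tools.ietf.org/html/rfc6750#section-2).
  *
  * On failure the error is written to $response and null is returned:
  *  - 400 invalid_request when more than one method carries a token, the
  *    header does not match the configured scheme, or a body token arrives
  *    with the wrong HTTP method / content type
  *  - a bare 401 status when no token is present at all
  *
  * @todo Should we enforce TLS/SSL in this function?
  *
  * @see http://tools.ietf.org/html/rfc6750#section-2.1
  * @see http://tools.ietf.org/html/rfc6750#section-2.2
  * @see http://tools.ietf.org/html/rfc6750#section-2.3
  *
  * Old Android version bug (at least with version 2.2)
  * @see http://code.google.com/p/android/issues/detail?id=6684
  *
  * @param RequestInterface  $request
  * @param ResponseInterface $response
  *
  * @return string|null The raw token value, or null when none could be extracted.
  */
 public function getAccessTokenParameter(RequestInterface $request, ResponseInterface $response)
 {
     $headers = $request->headers('AUTHORIZATION');
     $tokenParam = $this->config['token_param_name'];
     /**
      * Ensure more than one method is not used for including an
      * access token
      *
      * NB: the (bool) casts treat a token whose value is the string "0"
      * as absent.
      *
      * @see http://tools.ietf.org/html/rfc6750#section-3.1
      */
     $methodsUsed = !empty($headers) + (bool) $request->query($tokenParam) + (bool) $request->request($tokenParam);
     if ($methodsUsed > 1) {
         $response->setError(400, 'invalid_request', 'Only one method may be used to authenticate at a time (Auth header, GET or POST)');
         return null;
     }
     /**
      * If no authentication is provided, set the status code
      * to 401 and return no other error information
      *
      * @see http://tools.ietf.org/html/rfc6750#section-3.1
      */
     if ($methodsUsed == 0) {
         $response->setStatusCode(401);
         return null;
     }
     // HEADER: Get the access token from the header
     if (!empty($headers)) {
         // preg_quote so a scheme name containing PCRE metacharacters cannot change the pattern
         $pattern = '/' . preg_quote($this->config['token_bearer_header_name'], '/') . '\\s(\\S+)/i';
         if (!preg_match($pattern, $headers, $matches)) {
             $response->setError(400, 'invalid_request', 'Malformed auth header');
             return null;
         }
         return $matches[1];
     }
     if ($request->request($tokenParam)) {
         // POST: Get the token from POST data
         $method = strtolower((string) $request->server('REQUEST_METHOD'));
         if (!in_array($method, array('post', 'put'), true)) {
             $response->setError(400, 'invalid_request', 'When putting the token in the body, the method must be POST or PUT', '#section-2.2');
             return null;
         }
         $contentType = $request->server('CONTENT_TYPE');
         // Drop parameters such as "; charset=utf-8"; the is_string() guard keeps null away from strpos()
         if (is_string($contentType) && false !== ($pos = strpos($contentType, ';'))) {
             $contentType = substr($contentType, 0, $pos);
         }
         if ($contentType !== null && $contentType !== 'application/x-www-form-urlencoded') {
             // IETF specifies content-type. NB: Not all webservers populate this _SERVER variable,
             // in which case the check is skipped.
             // @see http://tools.ietf.org/html/rfc6750#section-2.2
             $response->setError(400, 'invalid_request', 'The content type for POST requests must be "application/x-www-form-urlencoded"');
             return null;
         }
         return $request->request($tokenParam);
     }
     // GET method
     return $request->query($tokenParam);
 }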
 /**
  * Internal function used to get the client credentials from HTTP basic
  * auth or POST data.
  *
  * The Basic Authorization header (PHP_AUTH_USER / PHP_AUTH_PW) takes
  * precedence; the request body is consulted only when the
  * 'allow_credentials_in_request_body' option is enabled.
  *
  * @param RequestInterface       $request
  * @param ResponseInterface|null $response When supplied, receives a 400
  *                                         'invalid_client' error if no
  *                                         credentials are present
  *
  * @return array|null
  * An array containing the client identifier and password, for example
  * @code
  * return array(
  *     "client_id"     => CLIENT_ID,        // REQUIRED the client id
  *     "client_secret" => CLIENT_SECRET,    // REQUIRED the client secret
  * );
  * @endcode
  * or null when no credentials were found.
  *
  * @link http://tools.ietf.org/html/rfc6749#section-2.3.1
  *
  * @ingroup oauth2_section_2
  */
 public function getClientCredentials(RequestInterface $request, ResponseInterface $response = null)
 {
     $headerUser = $request->headers('PHP_AUTH_USER');
     $headerSecret = $request->headers('PHP_AUTH_PW');
     $basicAuthPresent = ($headerUser !== null) && ($headerSecret !== null);
     if ($basicAuthPresent) {
         return array('client_id' => $headerUser, 'client_secret' => $headerSecret);
     }
     $bodyAllowed = (bool) $this->config['allow_credentials_in_request_body'];
     $bodyClientId = $bodyAllowed ? $request->request('client_id') : null;
     if ($bodyClientId !== null) {
         // Using POST for HttpBasic authorization is not recommended, but is supported by specification.
         // client_secret can be null if the client's password is an empty string, hence the '' default.
         // @link http://tools.ietf.org/html/rfc6749#section-2.3.1
         return array('client_id' => $bodyClientId, 'client_secret' => $request->request('client_secret', ''));
     }
     if ($response) {
         $response->setError(400, 'invalid_client', 'Client credentials were not found in the headers or body');
     }
     return null;
 }
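 /**
  * This is a convenience function that can be used to get the token, which can then
  * be passed to getAccessTokenData(). The constraints specified by the draft are
  * adhered to in this method as far as possible.
  *
  * As per the Bearer spec (draft 8, section 2) - there are three ways for a client
  * to specify the bearer token, in order of preference: Authorization Header,
  * POST and GET.
  *
  * NB: Resource servers MUST accept tokens via the Authorization scheme
  * (http://tools.ietf.org/html/rfc6750#section-2).
  *
  * This variant exempts requests that carry a 'Filedata' upload from the
  * form-urlencoded content-type requirement on the POST path.
  *
  * On failure the error is written to $response and null is returned:
  *  - 400 invalid_request when more than one method carries a token, the
  *    header does not match the configured scheme, or a body token arrives
  *    with the wrong HTTP method / content type
  *  - a bare 401 status when no token is present at all
  *
  * @todo Should we enforce TLS/SSL in this function?
  *
  * @see http://tools.ietf.org/html/rfc6750#section-2.1
  * @see http://tools.ietf.org/html/rfc6750#section-2.2
  * @see http://tools.ietf.org/html/rfc6750#section-2.3
  *
  * Old Android version bug (at least with version 2.2)
  * @see http://code.google.com/p/android/issues/detail?id=6684
  *
  * @param RequestInterface  $request
  * @param ResponseInterface $response
  *
  * @return string|null The raw token value, or null when none could be extracted.
  */
 public function getAccessTokenParameter(RequestInterface $request, ResponseInterface $response)
 {
     $headers = $request->headers('AUTHORIZATION');
     $tokenParam = $this->config['token_param_name'];
     // Check that exactly one method was used
     $methodsUsed = !empty($headers) + !is_null($request->query($tokenParam)) + !is_null($request->request($tokenParam));
     if ($methodsUsed > 1) {
         $response->setError(400, 'invalid_request', 'Only one method may be used to authenticate at a time (Auth header, GET or POST)');
         return null;
     }
     if ($methodsUsed == 0) {
         $response->setStatusCode(401);
         return null;
     }
     // HEADER: Get the access token from the header
     if (!empty($headers)) {
         // The scheme name is matched case-insensitively (as the other token extraction paths do)
         // and quoted so PCRE metacharacters in config cannot alter the pattern.
         $pattern = '/' . preg_quote($this->config['token_bearer_header_name'], '/') . '\\s(\\S+)/i';
         if (!preg_match($pattern, $headers, $matches)) {
             $response->setError(400, 'invalid_request', 'Malformed auth header');
             return null;
         }
         return $matches[1];
     }
     if ($request->request($tokenParam)) {
         // POST: Get the token from POST data
         if (strtolower((string) $request->server('REQUEST_METHOD')) !== 'post') {
             $response->setError(400, 'invalid_request', 'When putting the token in the body, the method must be POST');
             return null;
         }
         $contentType = $request->server('CONTENT_TYPE');
         // Drop parameters such as "; charset=utf-8"; the is_string() guard keeps null away from strpos()
         if (is_string($contentType) && false !== ($pos = strpos($contentType, ';'))) {
             $contentType = substr($contentType, 0, $pos);
         }
         // NOTE(review): these log the raw 'upload_image' request field and the content type.
         // Request fields can carry user-supplied data; confirm LogMessage() writes to a sink
         // where that is acceptable before keeping them.
         LogMessage($request->request('upload_image'));
         LogMessage($contentType);
         // A 'Filedata' upload is exempt from the form-urlencoded rule below;
         // isset() avoids an undefined-index notice when no file was sent.
         $hasFileUpload = isset($request->files['Filedata']) && $request->files['Filedata'];
         if (!$hasFileUpload) {
             if ($contentType !== null && $contentType !== 'application/x-www-form-urlencoded') {
                 // IETF specifies content-type. NB: Not all webservers populate this _SERVER variable,
                 // in which case the check is skipped.
                 // @see http://tools.ietf.org/html/rfc6750#section-2.2
                 $response->setError(400, 'invalid_request', 'The content type for POST requests must be "application/x-www-form-urlencoded"');
                 return null;
             }
         }
         return $request->request($tokenParam);
     }
     // GET method
     return $request->query($tokenParam);
 }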
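 /**
  * Extract the bearer token from the request: Authorization header, POST
  * body or query string, checked in that order of preference.
  *
  * Errors are reported through $response and null is returned:
  *  - 400 invalid_request if the token is supplied by more than one method,
  *    the header does not match the configured scheme, or a body token
  *    arrives with the wrong HTTP method / content type
  *  - 401 with no error body when no token is present
  *
  * @see http://tools.ietf.org/html/rfc6750#section-2
  * @see http://tools.ietf.org/html/rfc6750#section-3.1
  *
  * @param RequestInterface  $request
  * @param ResponseInterface $response
  *
  * @return string|null the token, or null when none could be extracted
  */
 public function getAccessTokenParameter(RequestInterface $request, ResponseInterface $response)
 {
     $headers = $request->headers('AUTHORIZATION');
     $tokenParam = $this->config['token_param_name'];
     // Count the delivery methods in use; note the (bool) casts treat a token of "0" as absent
     $methodsUsed = !empty($headers) + (bool) $request->query($tokenParam) + (bool) $request->request($tokenParam);
     if ($methodsUsed > 1) {
         $response->setError(400, 'invalid_request', 'Only one method may be used to authenticate at a time (Auth header, GET or POST)');
         return null;
     }
     if ($methodsUsed == 0) {
         // No token at all: status only, no error details (RFC 6750 section 3.1)
         $response->setStatusCode(401);
         return null;
     }
     // HEADER: Get the access token from the header
     if (!empty($headers)) {
         // Quote the configured scheme name so PCRE metacharacters cannot change the pattern
         $pattern = '/' . preg_quote($this->config['token_bearer_header_name'], '/') . '\\s(\\S+)/i';
         if (!preg_match($pattern, $headers, $matches)) {
             $response->setError(400, 'invalid_request', 'Malformed auth header');
             return null;
         }
         return $matches[1];
     }
     if ($request->request($tokenParam)) {
         // POST: Get the token from POST data
         $method = strtolower((string) $request->server('REQUEST_METHOD'));
         if (!in_array($method, array('post', 'put'), true)) {
             $response->setError(400, 'invalid_request', 'When putting the token in the body, the method must be POST or PUT', '#section-2.2');
             return null;
         }
         $contentType = $request->server('CONTENT_TYPE');
         // Strip media-type parameters; guard so strpos() never receives null
         if (is_string($contentType) && false !== ($pos = strpos($contentType, ';'))) {
             $contentType = substr($contentType, 0, $pos);
         }
         // Skipped when the server did not populate CONTENT_TYPE
         if ($contentType !== null && $contentType !== 'application/x-www-form-urlencoded') {
             $response->setError(400, 'invalid_request', 'The content type for POST requests must be "application/x-www-form-urlencoded"');
             return null;
         }
         return $request->request($tokenParam);
     }
     // GET method
     return $request->query($tokenParam);
 }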
 /**
  * Read the tool session id and token from the request.
  *
  * The POST vars 'sessionnum' and 'sessiontoken' are read first; when both
  * are absent (or falsy) the same-named headers are used instead.
  *
  * @param   RequestInterface  $request  Request object
  * @return  array  Keys 'toolSessionId' and 'toolSessionToken', holding
  *                 whatever the request or header accessor returned
  */
 public function getToolSessionDataFromRequest(RequestInterface $request)
 {
     $sessionId = $request->request('sessionnum');
     $sessionToken = $request->request('sessiontoken');
     $nothingInBody = !$sessionId && !$sessionToken;
     if ($nothingInBody) {
         // headers are the fallback source for both values
         $sessionId = $request->headers('sessionnum');
         $sessionToken = $request->headers('sessiontoken');
     }
     return array(
         'toolSessionId' => $sessionId,
         'toolSessionToken' => $sessionToken,
     );
 }
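 /**
  * Validate the client making the request.
  *
  * Credentials are read from the HTTP Basic auth headers (PHP_AUTH_USER /
  * PHP_AUTH_PW) and, when 'allow_credentials_in_request_body' is enabled,
  * from the request body. A client without a secret is accepted only when
  * 'allow_public_clients' is on and storage reports it as a public client;
  * otherwise the id/secret pair is checked against storage. On success the
  * credentials are kept in $this->clientData.
  *
  * @param   RequestInterface   $request   Request object
  * @param   ResponseInterface  $response  Response object; receives a 400
  *                                        'invalid_client' error on failure
  * @return  bool  true when the client is authenticated, false otherwise
  */
 public function validateRequest(RequestInterface $request, ResponseInterface $response)
 {
     // always defined so the isset() checks below never touch an undeclared variable
     $clientData = array();
     // check HTTP basic auth headers for client id/secret
     $basicUser = $request->headers('PHP_AUTH_USER');
     $basicPassword = $request->headers('PHP_AUTH_PW');
     if ($basicUser !== null && $basicPassword !== null) {
         $clientData = array('client_id' => $basicUser, 'client_secret' => $basicPassword);
     }
     // if we allow credentials via request body look there
     if ($this->config['allow_credentials_in_request_body']) {
         // check for client id in request
         $bodyClientId = $request->request('client_id');
         if ($bodyClientId !== null) {
             // NOTE(review): body credentials replace any Basic auth pair found above, so a request
             // carrying both is authenticated with the body pair. RFC 6749 section 2.3 forbids a
             // client from using more than one authentication method; rejecting that case instead
             // would be stricter.
             $clientData = array('client_id' => $bodyClientId, 'client_secret' => $request->request('client_secret'));
         }
     }
     // must have client id
     if (!isset($clientData['client_id']) || $clientData['client_id'] === '') {
         $message = $this->config['allow_credentials_in_request_body'] ? ' or body' : '';
         $response->setError(400, 'invalid_client', 'Client credentials were not found in the headers' . $message);
         return false;
     }
     // check to see if we have client secret
     if (!isset($clientData['client_secret']) || $clientData['client_secret'] === '') {
         // invalid if we dont have client secret and public clients are off
         if (!$this->config['allow_public_clients']) {
             $response->setError(400, 'invalid_client', 'client credentials are required');
             return false;
         }
         // check storage if client is public client
         if (!$this->storage->isPublicClient($clientData['client_id'])) {
             $response->setError(400, 'invalid_client', 'This client is invalid or must authenticate using a client secret');
             return false;
         }
     } elseif ($this->storage->checkClientCredentials($clientData['client_id'], $clientData['client_secret']) === false) {
         // storage owns the secret comparison; only an explicit false is treated as a rejection
         $response->setError(400, 'invalid_client', 'The client credentials are invalid');
         return false;
     }
     // store data locally
     $this->clientData = $clientData;
     return true;
 }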