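/**
 * Extract the client credentials (client_id / client_secret) from the request.
 *
 * HTTP Basic credentials (PHP_AUTH_USER / PHP_AUTH_PW) are always preferred.
 * The request body is consulted only when 'allow_credentials_in_request_body'
 * is enabled and no Basic credentials were sent; RFC 6749 section 2.3.1 allows
 * this but does not recommend it.
 *
 * @param RequestInterface       $request
 * @param ResponseInterface|null $response When given, receives a 400 'invalid_client'
 *                                         error if no credentials were found.
 *
 * @return array|null array('client_id' => ..., 'client_secret' => ...) or null when
 *                    no credentials were present
 *
 * @link http://tools.ietf.org/html/rfc6749#section-2.3.1
 */
public function getClientCredentials(RequestInterface $request, ResponseInterface $response = null)
{
    $basicUser = $request->headers('PHP_AUTH_USER');
    $basicPassword = $request->headers('PHP_AUTH_PW');

    if (!is_null($basicUser) && !is_null($basicPassword)) {
        return array('client_id' => $basicUser, 'client_secret' => $basicPassword);
    }

    if ($this->config['allow_credentials_in_request_body']) {
        // Using POST for HttpBasic authorization is not recommended, but is supported by specification
        $bodyClientId = $request->request('client_id');

        if (!is_null($bodyClientId)) {
            // A body with client_id but no client_secret means "empty password",
            // not "no secret": normalise null to '' so callers that treat a null
            // secret as absent (e.g. public-client handling) do not misclassify.
            // @link http://tools.ietf.org/html/rfc6749#section-2.3.1
            $bodyClientSecret = $request->request('client_secret');

            return array(
                'client_id' => $bodyClientId,
                'client_secret' => is_null($bodyClientSecret) ? '' : $bodyClientSecret,
            );
        }
    }

    if ($response) {
        // Mention the body only when that channel is actually enabled.
        $message = $this->config['allow_credentials_in_request_body'] ? ' or body' : '';
        $response->setError(400, 'invalid_client', 'Client credentials were not found in the headers' . $message);
    }

    return null;
}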
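/**
 * Locate the bearer token in the request and return it as a string.
 *
 * Convenience helper whose result can be passed on to getAccessTokenData().
 * Per RFC 6750 section 2 a client may present the token in exactly one of
 * three places, checked here in order of preference: the Authorization
 * header, the request body (POST/PUT, form-urlencoded) or the query string.
 *
 * NB: Resource servers MUST accept tokens via the Authorization scheme
 * (http://tools.ietf.org/html/rfc6750#section-2).
 *
 * Error handling: more than one method -> 400 invalid_request; no token at
 * all -> bare 401 (no error body). RFC 6750 section 3 also expects a
 * WWW-Authenticate header on that 401; whether the response object emits
 * one is not visible here.
 *
 * @todo Should we enforce TLS/SSL in this function?
 *
 * @param RequestInterface  $request
 * @param ResponseInterface $response Receives the error / status code on failure
 *
 * @return string|null the token, or null when none was found or the request was rejected
 *
 * @see http://tools.ietf.org/html/rfc6750#section-2.1
 * @see http://tools.ietf.org/html/rfc6750#section-2.2
 * @see http://tools.ietf.org/html/rfc6750#section-2.3
 *
 * Old Android version bug (at least with version 2.2)
 * @see http://code.google.com/p/android/issues/detail?id=6684
 */
public function getAccessTokenParameter(RequestInterface $request, ResponseInterface $response)
{
    $tokenParam = $this->config['token_param_name'];
    $authHeader = $request->headers('AUTHORIZATION');

    /**
     * Ensure more than one method is not used for including an
     * access token
     *
     * @see http://tools.ietf.org/html/rfc6750#section-3.1
     */
    $methodsUsed = !empty($authHeader)
        + (bool) $request->query($tokenParam)
        + (bool) $request->request($tokenParam);

    if ($methodsUsed > 1) {
        $response->setError(400, 'invalid_request', 'Only one method may be used to authenticate at a time (Auth header, GET or POST)');

        return null;
    }

    /**
     * If no authentication is provided, set the status code
     * to 401 and return no other error information
     *
     * @see http://tools.ietf.org/html/rfc6750#section-3.1
     */
    if ($methodsUsed == 0) {
        $response->setStatusCode(401);

        return null;
    }

    // HEADER: Get the access token from the header
    if (!empty($authHeader)) {
        // preg_quote() so the configured scheme name can never alter the pattern;
        // the scheme is matched case-insensitively (RFC 7235 auth-scheme).
        $pattern = '/' . preg_quote($this->config['token_bearer_header_name'], '/') . '\\s(\\S+)/i';

        if (!preg_match($pattern, $authHeader, $matches)) {
            $response->setError(400, 'invalid_request', 'Malformed auth header');

            return null;
        }

        return $matches[1];
    }

    // POST: Get the token from POST data
    if ($request->request($tokenParam)) {
        // (string) cast: server() may return null and strtolower(null) is deprecated.
        $method = strtolower((string) $request->server('REQUEST_METHOD'));

        if (!in_array($method, array('post', 'put'), true)) {
            $response->setError(400, 'invalid_request', 'When putting the token in the body, the method must be POST or PUT', '#section-2.2');

            return null;
        }

        // IETF specifies content-type. NB: Not all webservers populate this _SERVER variable
        // @see http://tools.ietf.org/html/rfc6750#section-2.2
        $contentType = $request->server('CONTENT_TYPE');

        if ($contentType !== null) {
            // Compare the media type only; parameters such as "; charset=UTF-8" are
            // dropped, and the type itself is case-insensitive (RFC 7231 3.1.1.1).
            $paramStart = strpos($contentType, ';');
            if ($paramStart !== false) {
                $contentType = substr($contentType, 0, $paramStart);
            }

            if (strtolower(trim($contentType)) !== 'application/x-www-form-urlencoded') {
                $response->setError(400, 'invalid_request', 'The content type for POST requests must be "application/x-www-form-urlencoded"');

                return null;
            }
        }

        return $request->request($tokenParam);
    }

    // GET method
    return $request->query($tokenParam);
}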
/**
 * Internal function used to get the client credentials from HTTP basic
 * auth or POST data.
 *
 * According to the spec (draft 20), the client_id can be provided in
 * the Basic Authorization header (recommended) or via GET/POST. Basic
 * auth is checked first; the body is only read when
 * 'allow_credentials_in_request_body' is enabled.
 *
 * @param RequestInterface       $request
 * @param ResponseInterface|null $response When given, receives a 400 'invalid_client'
 *                                         error if nothing was found.
 *
 * @return array|null
 *   A list containing the client identifier and password, for example
 *   @code
 *   return array(
 *       "client_id"     => CLIENT_ID,     // REQUIRED the client id
 *       "client_secret" => CLIENT_SECRET, // REQUIRED the client secret
 *   );
 *   @endcode
 *   or null when no credentials were present.
 *
 * @link http://tools.ietf.org/html/rfc6749#section-2.3.1
 *
 * @ingroup oauth2_section_2
 */
public function getClientCredentials(RequestInterface $request, ResponseInterface $response = null)
{
    $basicUser = $request->headers('PHP_AUTH_USER');
    $basicPassword = $request->headers('PHP_AUTH_PW');

    if ($basicUser !== null && $basicPassword !== null) {
        return array('client_id' => $basicUser, 'client_secret' => $basicPassword);
    }

    // Using POST for HttpBasic authorization is not recommended, but is supported by specification
    $bodyAllowed = (bool) $this->config['allow_credentials_in_request_body'];
    $bodyClientId = $bodyAllowed ? $request->request('client_id') : null;

    if ($bodyClientId !== null) {
        /**
         * client_secret can be null if the client's password is an empty string
         * @link http://tools.ietf.org/html/rfc6749#section-2.3.1
         */
        return array(
            'client_id' => $bodyClientId,
            'client_secret' => $request->request('client_secret', ''),
        );
    }

    if ($response) {
        $response->setError(400, 'invalid_client', 'Client credentials were not found in the headers or body');
    }

    return null;
}
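/**
 * Locate the bearer token in the request and return it as a string.
 *
 * Convenience helper whose result can be passed on to getAccessTokenData().
 * Per RFC 6750 section 2 a client may present the token in exactly one of
 * three places, checked here in order of preference: the Authorization
 * header, the POST body or the query string.
 *
 * This variant waives the form-urlencoded content-type requirement when a
 * file upload ('Filedata') accompanies the request, since uploads arrive as
 * multipart/form-data.
 *
 * NB: Resource servers MUST accept tokens via the Authorization scheme
 * (http://tools.ietf.org/html/rfc6750#section-2).
 *
 * @todo Should we enforce TLS/SSL in this function?
 *
 * @param RequestInterface  $request
 * @param ResponseInterface $response Receives the error / status code on failure
 *
 * @return string|null the token, or null when none was found or the request was rejected
 *
 * @see http://tools.ietf.org/html/rfc6750#section-2.1
 * @see http://tools.ietf.org/html/rfc6750#section-2.2
 * @see http://tools.ietf.org/html/rfc6750#section-2.3
 *
 * Old Android version bug (at least with version 2.2)
 * @see http://code.google.com/p/android/issues/detail?id=6684
 */
public function getAccessTokenParameter(RequestInterface $request, ResponseInterface $response)
{
    $tokenParam = $this->config['token_param_name'];
    $authHeader = $request->headers('AUTHORIZATION');

    // Check that exactly one method was used
    // @see http://tools.ietf.org/html/rfc6750#section-3.1
    $methodsUsed = !empty($authHeader)
        + !is_null($request->query($tokenParam))
        + !is_null($request->request($tokenParam));

    if ($methodsUsed > 1) {
        $response->setError(400, 'invalid_request', 'Only one method may be used to authenticate at a time (Auth header, GET or POST)');

        return null;
    }

    // No token at all: bare 401, no further detail.
    if ($methodsUsed == 0) {
        $response->setStatusCode(401);

        return null;
    }

    // HEADER: Get the access token from the header
    if (!empty($authHeader)) {
        // preg_quote() so the configured scheme name can never alter the pattern.
        // The /i flag was missing here: the auth-scheme is case-insensitive
        // (RFC 7235), so "bearer xyz" must be accepted like "Bearer xyz".
        $pattern = '/' . preg_quote($this->config['token_bearer_header_name'], '/') . '\\s(\\S+)/i';

        if (!preg_match($pattern, $authHeader, $matches)) {
            $response->setError(400, 'invalid_request', 'Malformed auth header');

            return null;
        }

        return $matches[1];
    }

    // POST: Get the token from POST data
    if ($request->request($tokenParam)) {
        // (string) cast: server() may return null and strtolower(null) is deprecated.
        if (strtolower((string) $request->server('REQUEST_METHOD')) !== 'post') {
            $response->setError(400, 'invalid_request', 'When putting the token in the body, the method must be POST');

            return null;
        }

        // Compare the media type only; parameters such as "; charset=UTF-8" are dropped.
        $contentType = $request->server('CONTENT_TYPE');
        if ($contentType !== null) {
            $paramStart = strpos($contentType, ';');
            if ($paramStart !== false) {
                $contentType = substr($contentType, 0, $paramStart);
            }
        }

        // Diagnostic logging kept from the original; LogMessage() is defined elsewhere.
        LogMessage($request->request('upload_image'));
        LogMessage($contentType);

        // empty() avoids an undefined-index notice when no file was uploaded.
        $hasUpload = !empty($request->files['Filedata']);

        if (!$hasUpload && $contentType !== null
            && strtolower(trim($contentType)) !== 'application/x-www-form-urlencoded') {
            // IETF specifies content-type. NB: Not all webservers populate this _SERVER variable
            // @see http://tools.ietf.org/html/rfc6750#section-2.2
            $response->setError(400, 'invalid_request', 'The content type for POST requests must be "application/x-www-form-urlencoded"');

            return null;
        }

        return $request->request($tokenParam);
    }

    // GET method
    return $request->query($tokenParam);
}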
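/**
 * Locate the bearer token in the request and return it as a string.
 *
 * Per RFC 6750 section 2 the token may be presented in exactly one of three
 * places, checked in order of preference: Authorization header, request
 * body (POST/PUT, form-urlencoded) or query string. Using more than one
 * yields 400 invalid_request; using none yields a bare 401.
 *
 * @param RequestInterface  $request
 * @param ResponseInterface $response Receives the error / status code on failure
 *
 * @return string|null the token, or null when none was found or the request was rejected
 *
 * @see http://tools.ietf.org/html/rfc6750#section-2
 */
public function getAccessTokenParameter(RequestInterface $request, ResponseInterface $response)
{
    $tokenParam = $this->config['token_param_name'];
    $authHeader = $request->headers('AUTHORIZATION');

    // Exactly one delivery method is allowed (RFC 6750 section 3.1).
    $methodsUsed = !empty($authHeader)
        + (bool) $request->query($tokenParam)
        + (bool) $request->request($tokenParam);

    if ($methodsUsed > 1) {
        $response->setError(400, 'invalid_request', 'Only one method may be used to authenticate at a time (Auth header, GET or POST)');

        return null;
    }

    if ($methodsUsed == 0) {
        $response->setStatusCode(401);

        return null;
    }

    // HEADER: Get the access token from the header
    if (!empty($authHeader)) {
        // preg_quote() so the configured scheme name can never alter the pattern;
        // the scheme is matched case-insensitively (RFC 7235 auth-scheme).
        $pattern = '/' . preg_quote($this->config['token_bearer_header_name'], '/') . '\\s(\\S+)/i';

        if (!preg_match($pattern, $authHeader, $matches)) {
            $response->setError(400, 'invalid_request', 'Malformed auth header');

            return null;
        }

        return $matches[1];
    }

    // POST: Get the token from POST data
    if ($request->request($tokenParam)) {
        // (string) cast: server() may return null and strtolower(null) is deprecated.
        $method = strtolower((string) $request->server('REQUEST_METHOD'));

        if (!in_array($method, array('post', 'put'), true)) {
            $response->setError(400, 'invalid_request', 'When putting the token in the body, the method must be POST or PUT', '#section-2.2');

            return null;
        }

        // Not all webservers populate CONTENT_TYPE; only check it when present.
        $contentType = $request->server('CONTENT_TYPE');

        if ($contentType !== null) {
            // Compare the media type only; parameters such as "; charset=UTF-8" are
            // dropped, and the type itself is case-insensitive (RFC 7231 3.1.1.1).
            $paramStart = strpos($contentType, ';');
            if ($paramStart !== false) {
                $contentType = substr($contentType, 0, $paramStart);
            }

            if (strtolower(trim($contentType)) !== 'application/x-www-form-urlencoded') {
                $response->setError(400, 'invalid_request', 'The content type for POST requests must be "application/x-www-form-urlencoded"');

                return null;
            }
        }

        return $request->request($tokenParam);
    }

    // GET method
    return $request->query($tokenParam);
}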
/**
 * Read the tool session identifier and token from the request.
 *
 * The POST parameters 'sessionnum' and 'sessiontoken' are read first; the
 * headers of the same names are used only when neither POST value is truthy.
 *
 * @param RequestInterface $request
 *
 * @return array array('toolSessionId' => ..., 'toolSessionToken' => ...);
 *               either value may be null when it was not supplied
 */
public function getToolSessionDataFromRequest(RequestInterface $request)
{
    $sessionId = $request->request('sessionnum');
    $sessionToken = $request->request('sessiontoken');

    // Headers are only a fallback when the body carried neither value.
    $bodyValuesAbsent = !$sessionId && !$sessionToken;

    if ($bodyValuesAbsent) {
        $sessionId = $request->headers('sessionnum');
        $sessionToken = $request->headers('sessiontoken');
    }

    return array(
        'toolSessionId' => $sessionId,
        'toolSessionToken' => $sessionToken,
    );
}
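/**
 * Authenticate the calling client and remember its credentials.
 *
 * Credentials come from HTTP Basic auth (PHP_AUTH_USER / PHP_AUTH_PW). The
 * request body is consulted only when 'allow_credentials_in_request_body'
 * is enabled and no Basic credentials were sent, so body values can never
 * override credentials already presented in the header (same precedence as
 * getClientCredentials()). A client without a secret is accepted only when
 * 'allow_public_clients' is on and storage confirms it is a public client.
 *
 * On success the credentials are stored in $this->clientData.
 *
 * @param RequestInterface  $request  Request object
 * @param ResponseInterface $response Response object; receives a 400 'invalid_client' error on failure
 *
 * @return bool true when the client authenticated, false otherwise
 */
public function validateRequest(RequestInterface $request, ResponseInterface $response)
{
    $clientData = array();

    // check HTTP basic auth headers for client id/secret
    if (!is_null($request->headers('PHP_AUTH_USER')) && !is_null($request->headers('PHP_AUTH_PW'))) {
        $clientData = array(
            'client_id' => $request->headers('PHP_AUTH_USER'),
            'client_secret' => $request->headers('PHP_AUTH_PW'),
        );
    } elseif ($this->config['allow_credentials_in_request_body'] && !is_null($request->request('client_id'))) {
        // Body credentials are a fallback only and must not replace Basic-auth ones.
        $clientData = array(
            'client_id' => $request->request('client_id'),
            'client_secret' => $request->request('client_secret'),
        );
    }

    // must have client id
    if (!isset($clientData['client_id']) || $clientData['client_id'] === '') {
        $message = $this->config['allow_credentials_in_request_body'] ? ' or body' : '';
        $response->setError(400, 'invalid_client', 'Client credentials were not found in the headers' . $message);

        return false;
    }

    $clientId = $clientData['client_id'];
    $hasSecret = isset($clientData['client_secret']) && $clientData['client_secret'] !== '';

    if (!$hasSecret) {
        // invalid if we dont have client secret and public clients are off
        if (!$this->config['allow_public_clients']) {
            $response->setError(400, 'invalid_client', 'client credentials are required');

            return false;
        }

        // check storage if client is public client
        if (!$this->storage->isPublicClient($clientId)) {
            $response->setError(400, 'invalid_client', 'This client is invalid or must authenticate using a client secret');

            return false;
        }
    } elseif ($this->storage->checkClientCredentials($clientId, $clientData['client_secret']) === false) {
        $response->setError(400, 'invalid_client', 'The client credentials are invalid');

        return false;
    }

    // store data locally
    $this->clientData = $clientData;

    return true;
}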