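/**
 * Check that the signature sent with the request matches the one this
 * signature method computes for the same request.
 *
 * Both values are OAuth-percent-decoded and then base64-decoded so they are
 * compared as raw signature bytes, independent of transport encoding.
 *
 * @param IOauthSignable $request   the signed request; supplies the base string and the decoder
 * @param Secrets        $secrets   consumer/token secrets used to recompute the signature
 * @param string         $signature the oauth_signature parameter from the request, still urlencoded
 * @param string|null    $data      data to sign instead of the base string (e.g. a request body); null uses the base string
 * @return bool true only when both decoded signatures are byte-for-byte equal
 */
public function verify(IOauthSignable $request, Secrets $secrets, $signature, $data = null)
{
    $received = $request->oauthurldecode($signature);
    $expected = $request->oauthurldecode(
        $this->signature($request, $request->getSignatureBaseString(), $secrets, $data)
    );

    $receivedBytes = base64_decode((string) $received);
    $expectedBytes = base64_decode((string) $expected);

    // Fail closed when either side does not decode. The previous comparison
    // encoded both values first, so two undecodable inputs compared as equal
    // ("" == "") and verified successfully.
    if ($receivedBytes === false || $expectedBytes === false) {
        return false;
    }

    // hash_equals() compares the full length regardless of where the first
    // mismatch is, so a forger cannot learn the signature byte by byte, and it
    // never falls into PHP's loose numeric-string comparison ('1e3' == '1000')
    // that the old == did. Known value first, user-supplied value second.
    return hash_equals($expectedBytes, $receivedBytes);
}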
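/**
 * Verify the current request: look up the consumer/token secrets, enforce the
 * nonce/timestamp check, require an oauth_signature and verify it.
 *
 * On success the secrets that matched the request are returned so the caller
 * can identify the consumer and token. The legacy body-signature check and the
 * xoauth_token_ttl reset that used to live here as commented-out code are not
 * implemented by this method.
 *
 * @param string|false $token_type the kind of token required: self::TOKEN_TYPE_ACCESS (default),
 *                                 'request', or false when no token is needed
 * @throws OauthException when the consumer/token is unknown or disabled, the nonce check
 *                        fails, the signature is missing, or the signature does not verify
 * @return Secrets the secrets matching the request's consumer key and token
 */
public function verifyExtended($token_type = self::TOKEN_TYPE_ACCESS)
{
    $consumer_key = $this->request->get('oauth_consumer_key');
    $token = $this->request->get('oauth_token');
    $secrets = array();

    // A consumer key is always required; a token only when a token type is wanted.
    if ($consumer_key && ($token_type === false || $token)) {
        // A repeated oauth_token parameter arrives as an array: take the first
        // value. In that case a token is evidently present, so an unspecified
        // token type is treated as an access token.
        if (\is_array($token)) {
            $token = isset($token[0]) ? $token[0] : null;
            if ($token_type === false) {
                $token_type = self::TOKEN_TYPE_ACCESS;
            }
        }

        $secrets = $this->getCurrentSecrets($token_type);
        if (!$secrets) {
            // NOTE(review): this message echoes the unvalidated consumer key and
            // token from the request; make sure it is not rendered or logged
            // unescaped upstream.
            throw new OauthException('The consumer_key "' . $consumer_key . '" token "' . $token . '" combination does not exist or is not enabled.');
        }

        // Replay protection. NOTE(review): this runs before the signature is
        // verified, so an unsigned request for a known consumer key can still
        // consume a nonce/timestamp slot if checkServerNonce records on success
        // — confirm against the store implementation.
        $this->store->checkServerNonce(
            $this->request->oauthurldecode($consumer_key),
            $this->request->oauthurldecode($token),
            $this->request->getParam('oauth_timestamp', true),
            $this->request->getParam('oauth_nonce', true)
        );

        $oauth_sig = $this->request->get('oauth_signature');
        if (empty($oauth_sig)) {
            throw new OauthException('Verification of signature failed (no oauth_signature in request).');
        }

        // Throws OauthException on mismatch; the message intentionally does not
        // include the base string or secrets.
        $this->request->verifySignature($secrets, $token_type);
    } else {
        throw new OauthException('Can\'t verify request, missing oauth_consumer_key or oauth_token ');
    }

    return $secrets;
}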
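/**
 * Verify an RSA signature over the request against the consumer's public key
 * certificate.
 *
 * @param IOauthSignable $request   the signed request; supplies the base string and the decoder
 * @param Secrets        $secrets   secrets record used to locate the consumer's certificate
 * @param string         $signature the oauth_signature parameter from the request, still urlencoded (base64 inside)
 * @param string|null    $data      data that was signed instead of the base string (e.g. a request body); null uses the base string
 * @return bool true only when openssl_verify() reports a valid signature
 */
public function verify(IOauthSignable $request, Secrets $secrets, $signature, $data = null)
{
    $decodedSig = base64_decode($request->oauthurldecode($signature));
    if ($decodedSig === false) {
        // Not base64 at all: fail closed rather than hand false to openssl_verify()
        // (a TypeError on PHP 8).
        return false;
    }

    // Locate the public key certificate for this consumer.
    $cert = $this->fetch_public_cert($request, $secrets);
    if (!$cert) {
        return false;
    }

    $publicKey = openssl_get_publickey($cert);
    if ($publicKey === false) {
        // Unparseable certificate. Previously this reached openssl_verify() with
        // false, which raises a TypeError on PHP 8 instead of a clean failure.
        return false;
    }

    $signedData = $data !== null ? $data : $request->getSignatureBaseString();

    try {
        // OPENSSL_ALGO_SHA1 is openssl_verify()'s default and therefore what this
        // method always used; it is spelled out here so the digest choice is visible.
        $ok = openssl_verify($signedData, $decodedSig, $publicKey, OPENSSL_ALGO_SHA1);
    } finally {
        // Key resources are freed automatically from PHP 8.0, where
        // openssl_free_key() is deprecated.
        if (\PHP_VERSION_ID < 80000) {
            openssl_free_key($publicKey);
        }
    }

    // openssl_verify() returns 1 (valid), 0 (invalid) or -1/false (error).
    return $ok === 1;
}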
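/**
 * Check that the signature sent with the request matches the one this
 * signature method computes for the same request.
 *
 * @param IOauthSignable $request   the signed request; supplies the decoder
 * @param Secrets        $secrets   consumer/token secrets used to recompute the signature
 * @param string         $signature the oauth_signature parameter from the request, still urlencoded
 * @param string|null    $data      optional data passed through to signature()
 * @return bool true only when both (decoded) signatures are byte-for-byte equal
 */
public function verify(IOauthSignable $request, Secrets $secrets, $signature, $data = null)
{
    $received = $request->oauthurldecode($signature);
    $expected = $request->oauthurldecode($this->signature($request, $secrets, $data));

    // Both sides are decoded a second time before comparing, as before;
    // presumably this normalises a doubly-encoded "consumer&token" secret pair
    // — NOTE(review): confirm against signature().
    $receivedNorm = (string) $request->oauthurldecode($received);
    $expectedNorm = (string) $request->oauthurldecode($expected);

    // hash_equals() compares in time independent of the first mismatching byte
    // and, unlike ==, never applies PHP's loose numeric-string comparison
    // ('1e3' == '1000'). Known value first, user-supplied value second.
    return hash_equals($expectedNorm, $receivedNorm);
}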