Ejemplo n.º 1
 /**
  * This method checks if the information passed
  * to the method is valid and if it is indeed
  * one of our partners. If so return true.
  *
  * @param  string $partnerID   The partner ID
  * @param  string $partnerKey  The partner Key
  * @return bool   True when the partner is valid; an invalid partner raises Frapi_Error rather than returning false.
  */
 public function isPartner($partnerID, $partnerKey)
 {
     // NOTE(review): the original author marked this as the place for IP
     // validation; nothing in this method performs it, so the ID/key lookup
     // below is the only check applied here.
     $lookup = Frapi_Model_Partner::isPartner($partnerID, $partnerKey);

     // The Basic challenge header is emitted on every call, before the
     // lookup result is examined, so it accompanies success and failure alike.
     header('WWW-Authenticate: Basic realm="API Authentication"');

     if ($lookup !== false) {
         return true;
     }

     // A false result from the model is never returned to the caller; it is
     // converted into a Frapi_Error.
     throw new Frapi_Error(
         Frapi_Error::ERROR_INVALID_PARTNER_ID_NAME,
         Frapi_Error::ERROR_INVALID_PARTNER_ID_MSG,
         Frapi_Error::ERROR_INVALID_PARTNER_ID_NO
     );
 }
Ejemplo n.º 2
 /**
  * Authorize the request
  *
  * This method is used to authorize the request. It fetches the
  * digest information from the request, decomposes it and finds out
  * the relevant information for authenticating the users.
  *
  * This method also makes use of Frapi_Model_Partner::isPartnerHandle()
  * to validate whether or not a user is a real user. If not then we bail
  * early.
  *
  * @link   http://www.peej.co.uk/projects/phphttpdigest.html
  *
  * @return mixed Either the username of the user making the request or we
  *               return access to $this->send() which will pop up the authentication
  *               challenge once again.
  */
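 public function authorize()
 {
     // Without a Digest header there is nothing to verify: re-issue the challenge.
     if (!isset($_SERVER['PHP_AUTH_DIGEST'])) {
         return $this->send();
     }

     $authorization = $_SERVER['PHP_AUTH_DIGEST'];

     // All five mandatory directives must be present. The username pattern
     // uses the same quoted-value capture as its siblings; as listed it had an
     // unbalanced ")" and could not compile, so no request could ever pass.
     // The \b on "nonce" stops the pattern from matching inside cnonce="...".
     $hasRequired = preg_match('/username="([^"]+)"/', $authorization, $username)
         && preg_match('/\bnonce="([^"]+)"/', $authorization, $nonce)
         && preg_match('/response="([^"]+)"/', $authorization, $response)
         && preg_match('/opaque="([^"]+)"/', $authorization, $opaque)
         && preg_match('/uri="([^"]+)"/', $authorization, $uri);
     if (!$hasRequired) {
         return $this->send();
     }

     $username = $username[1];
     $requestURI = $_SERVER['REQUEST_URI'];

     // NOTE(review): the client-supplied username is recorded here before the
     // digest response has been verified. Code that reads X_FRAPI_AUTH_USER
     // must not treat it as an authenticated identity unless authorize()
     // returned that username.
     $_SERVER['X_FRAPI_AUTH_USER'] = $username;

     if (strpos($requestURI, '?') !== false) {
         // NOTE(review): the cut length comes from the client's uri directive,
         // so when a query string is present only that prefix of the real
         // request URI is bound to the digest.
         $requestURI = substr($requestURI, 0, strlen($uri[1]));
     }

     $users = Frapi_Model_Partner::isPartnerHandle($username);
     if ($users === false) {
         return $this->send();
     }

     // Server-issued values are compared with hash_equals() (PHP >= 5.6) so
     // the check is strict and constant-time; loose == would apply
     // numeric-string juggling to these tokens.
     $sessionMatches = hash_equals((string) $this->getOpaque(), $opaque[1])
         && $requestURI === $uri[1]
         && hash_equals((string) $this->getNonce(), $nonce[1]);
     if (!$sessionMatches) {
         return $this->send();
     }

     // MD5 is what the HTTP Digest scheme prescribes here; it is not a
     // strength choice made by this code.
     $passphrase = hash('md5', "{$username}:{$this->realm}:{$users['api_key']}");
     if ($this->passwordsHashed) {
         $a1 = $passphrase;
     } else {
         $a1 = md5($username . ':' . $this->realm . ':' . $passphrase);
     }
     $a2 = md5($_SERVER['REQUEST_METHOD'] . ':' . $requestURI);

     // With qop/nc/cnonce present the extended response form is used,
     // otherwise the legacy three-part form.
     // NOTE(review): nc is mixed into the hash but not tracked in this method,
     // so replay resistance depends on how getNonce() issues and expires
     // nonces - not visible here.
     $hasQop = preg_match('/qop="?([^,\\s"]+)/', $authorization, $qop)
         && preg_match('/nc=([^,\\s"]+)/', $authorization, $nc)
         && preg_match('/cnonce="([^"]+)"/', $authorization, $cnonce);
     if ($hasQop) {
         $expectedResponse = md5(
             $a1 . ':' . $nonce[1] . ':' . $nc[1] . ':' . $cnonce[1] . ':' . $qop[1] . ':' . $a2
         );
     } else {
         $expectedResponse = md5($a1 . ':' . $nonce[1] . ':' . $a2);
     }

     // Constant-time, type-strict comparison of the digest itself: two hex
     // strings that merely look numeric must never be treated as equal.
     if (hash_equals($expectedResponse, $response[1])) {
         return $username;
     }

     return $this->send();
 }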
Ejemplo n.º 3
 /**
  * Authorize the request
  *
  * This method is used to authorize the request. It fetches the
  * digest information from the request, decomposes it and finds out
  * the relevant information for authenticating the users.
  *
  * This method also makes use of Frapi_Model_Partner::isPartnerHandle()
  * to validate whether or not a user is a real user. If not then we bail
  * early.
  *
  * @link   http://www.peej.co.uk/projects/phphttpdigest.html
  *
  * @return mixed Either the username of the user making the request or we
  *               return access to $this->send() which will pop up the authentication
  *               challenge once again.
  */
 public function authorize()
 {
     // A missing Digest header and one that _parseDigest() rejects are handled
     // identically: the challenge is sent again.
     if (!isset($_SERVER['PHP_AUTH_DIGEST'])
         || !$this->_parseDigest($_SERVER['PHP_AUTH_DIGEST'])
     ) {
         return $this->send();
     }

     // Presumably _parseDigest() filled $this->digest; its body is not shown
     // in this listing. The username is still unverified at this point and is
     // used only to look up the partner record.
     $partner = Frapi_Model_Partner::isPartnerHandle($this->digest['username']);
     if ($partner === false) {
         return $this->send();
     }

     // The decision rests entirely on _validateResponse(), which receives the
     // partner's API key; whatever it returns is passed straight back.
     return $this->_validateResponse($partner['api_key']);
 }
Ejemplo n.º 4
 public function testIsPartnerExpectFalse()
 {
     // Negative case: the 'email'/'key' pair used here is expected to make the
     // model lookup return false, which is the signal callers treat as an
     // authentication failure.
     $this->assertFalse(Frapi_Model_Partner::isPartner('email', 'key'));
 }