/**
 * Serve a token introspection call.
 *
 * Only GET and POST are accepted; the introspection parameters are read from
 * the query string for GET and from the request body for POST, then handed
 * to _introspectToken() and returned as JSON. A TokenIntrospectionException
 * raised anywhere in that flow becomes a JSON error body with the status
 * code carried by the exception; any other exception propagates to the caller.
 *
 * @param HttpRequest $request the incoming HTTP request
 * @return HttpResponse the JSON response (success or error)
 */
public function handleRequest(HttpRequest $request)
 {
     $response = NULL;
     try {
         $method = $request->getRequestMethod();
         if (!in_array($method, array("GET", "POST"), true)) {
             throw new TokenIntrospectionException("method_not_allowed", "invalid request method");
         }
         // GET carries the parameters in the URI, POST in the body
         if ("GET" === $method) {
             $introspectionParameters = $request->getQueryParameters();
         } else {
             $introspectionParameters = $request->getPostParameters();
         }
         $response = new HttpResponse(200, "application/json");
         // introspection results must not be cached by intermediaries or the client
         $response->setHeader('Cache-Control', 'no-store');
         $response->setHeader('Pragma', 'no-cache');
         $response->setContent(Json::enc($this->_introspectToken($introspectionParameters)));
     } catch (TokenIntrospectionException $introspectionError) {
         $response = new HttpResponse($introspectionError->getResponseCode(), "application/json");
         $errorBody = array(
             "error" => $introspectionError->getMessage(),
             "error_description" => $introspectionError->getDescription(),
         );
         $response->setContent(Json::enc($errorBody));
         // a 405-style rejection must advertise the methods that are accepted
         if ("method_not_allowed" === $introspectionError->getMessage()) {
             $response->setHeader("Allow", "GET,POST");
         }
         if (NULL !== $this->_logger) {
             // NOTE(review): the log line embeds the stringified request, which for an
             // introspection call presumably contains the token under inspection —
             // confirm the log destination is protected or the logger redacts it
             $this->_logger->logFatal($introspectionError->getLogMessage(TRUE) . PHP_EOL . $request . PHP_EOL . $response);
         }
     }
     return $response;
 }
 /**
  * A POST request keeps its query-string parameters and its body parameters
  * apart: the "action" key, present in both, must resolve to a different
  * value from each accessor.
  */
 public function testHttpUriParametersWithPost()
 {
     $postRequest = new HttpRequest("http://www.example.com/request?action=foo&method=bar", "POST");
     $postBody = array("id" => 5, "action" => "help");
     $postRequest->setPostParameters($postBody);
     // the query string is taken from the URI only, untouched by the body
     $this->assertEquals(array("action" => "foo", "method" => "bar"), $postRequest->getQueryParameters());
     // the body is returned as it was set, both as a whole and per key
     $this->assertEquals($postBody, $postRequest->getPostParameters());
     $this->assertEquals(5, $postRequest->getPostParameter("id"));
     $this->assertEquals("help", $postRequest->getPostParameter("action"));
 }
 /**
  * Serve the authorization endpoint for the browser-facing resource owner flow.
  *
  * GET asks the authorization logic (_handleAuthorize) what to do: either render
  * the approval page (askAuthorization.twig) or redirect back to the client.
  * POST is the resource owner's approval: after a referrer check it calls
  * _handleApprove and redirects back to the client. Any other method yields 405.
  *
  * Errors are reported to whichever party they concern: a ClientException is
  * sent to the client's registered redirect_uri as an OAuth error redirect,
  * a ResourceOwnerException is shown to the resource owner as an HTML error
  * page (error.twig). Both are logged when a logger is configured; any other
  * exception propagates.
  *
  * @param HttpRequest $request the incoming HTTP request
  * @return HttpResponse the page, redirect, 405 or error response
  */
 public function handleRequest(HttpRequest $request)
 {
     $response = new HttpResponse(200);
     try {
         // hint the authentication layer about the user that wants to authenticate
         // if this information is available as a parameter to the authorize endpoint
         $resourceOwnerHint = $request->getQueryParameter("x_resource_owner_hint");
         if (null !== $resourceOwnerHint) {
             $this->_resourceOwner->setResourceOwnerHint($resourceOwnerHint);
         }
         switch ($request->getRequestMethod()) {
             case "GET":
                 $result = $this->_handleAuthorize($this->_resourceOwner, $request->getQueryParameters());
                 if (AuthorizeResult::ASK_APPROVAL === $result->getAction()) {
                     // render the consent page; a fresh Twig environment is built per request
                     $loader = new \Twig_Loader_Filesystem(dirname(dirname(__DIR__)) . DIRECTORY_SEPARATOR . "views");
                     $twig = new \Twig_Environment($loader);
                     $redirectUri = new Uri($result->getClient()->getRedirectUri());
                     // NOTE(review): the second getValue() argument presumably marks the logo
                     // settings as optional — confirm against the config class. The client
                     // name/description/icon are rendered into HTML here; whether they are
                     // escaped depends on the Twig autoescape setting, which is not set
                     // explicitly above — verify it is enabled.
                     $output = $twig->render("askAuthorization.twig", array('serviceName' => $this->_config->getValue('serviceName'), 'serviceLogoUri' => $this->_config->getValue('serviceLogoUri', FALSE), 'serviceLogoWidth' => $this->_config->getValue('serviceLogoWidth', FALSE), 'serviceLogoHeight' => $this->_config->getValue('serviceLogoHeight', FALSE), 'resourceOwnerId' => $this->_resourceOwner->getId(), 'sslEnabled' => "https" === $request->getRequestUri()->getScheme(), 'contactEmail' => $result->getClient()->getContactEmail(), 'scopes' => $result->getScope()->getScopeAsArray(), 'clientDomain' => $redirectUri->getHost(), 'clientName' => $result->getClient()->getName(), 'clientId' => $result->getClient()->getId(), 'clientDescription' => $result->getClient()->getDescription(), 'clientIcon' => $result->getClient()->getIcon(), 'redirectUri' => $redirectUri->getUri()));
                     $response->setContent($output);
                 } elseif (AuthorizeResult::REDIRECT === $result->getAction()) {
                     // approval already on record (or not needed): send the user back to the client
                     $response->setStatusCode(302);
                     $response->setHeader("Location", $result->getRedirectUri()->getUri());
                 } else {
                     // should never happen...
                     throw new \Exception("invalid authorize result");
                 }
                 break;
             case "POST":
                 // CSRF protection, check the referrer, it should be equal to the
                 // request URI
                 // NOTE(review): the Referer header is supplied by the browser and may be
                 // absent or truncated (referrer policy, privacy extensions), in which case
                 // a legitimate approval is rejected with the error page below; it also
                 // requires the consent form to post back to exactly the URI it was served
                 // from, query string included. A per-session CSRF token carried in the
                 // form would not depend on the header — confirm this is the intended trade-off.
                 $fullRequestUri = $request->getRequestUri()->getUri();
                 $referrerUri = $request->getHeader("HTTP_REFERER");
                 if ($fullRequestUri !== $referrerUri) {
                     throw new ResourceOwnerException("csrf protection triggered, referrer does not match request uri");
                 }
                 $result = $this->_handleApprove($this->_resourceOwner, $request->getQueryParameters(), $request->getPostParameters());
                 if (AuthorizeResult::REDIRECT !== $result->getAction()) {
                     // FIXME: this is dead code?
                     throw new ResourceOwnerException("approval not found");
                 }
                 // approval recorded: send the user back to the client
                 $response->setStatusCode(302);
                 $response->setHeader("Location", $result->getRedirectUri()->getUri());
                 break;
             default:
                 // method not allowed
                 $response->setStatusCode(405);
                 $response->setHeader("Allow", "GET, POST");
                 break;
         }
     } catch (ClientException $e) {
         // tell the client about the error
         // the error is delivered on the client's registered redirect_uri: in the
         // fragment for user-agent-based clients, in the query string otherwise
         // (appended with "&" when the registered URI already carries a query)
         $client = $e->getClient();
         if ($client['type'] === "user_agent_based_application") {
             $separator = "#";
         } else {
             $separator = FALSE === strpos($client['redirect_uri'], "?") ? "?" : "&";
         }
         $parameters = array("error" => $e->getMessage(), "error_description" => $e->getDescription());
         // echo the client's state back only when one was supplied
         if (NULL !== $e->getState()) {
             $parameters['state'] = $e->getState();
         }
         $response->setStatusCode(302);
         $response->setHeader("Location", $client['redirect_uri'] . $separator . http_build_query($parameters));
         if (NULL !== $this->_logger) {
             // NOTE(review): the stringified request and response are written in full;
             // confirm nothing in them (headers, parameters) is too sensitive for the log
             $this->_logger->logFatal($e->getLogMessage(TRUE) . PHP_EOL . $request . PHP_EOL . $response);
         }
     } catch (ResourceOwnerException $e) {
         // tell resource owner about the error (through browser)
         $response->setStatusCode(400);
         $loader = new \Twig_Loader_Filesystem(dirname(dirname(__DIR__)) . DIRECTORY_SEPARATOR . "views");
         $twig = new \Twig_Environment($loader);
         // the exception message is shown to the user as-is; its escaping in the
         // template depends on the Twig autoescape setting (not set explicitly here)
         $output = $twig->render("error.twig", array("statusCode" => $response->getStatusCode(), "statusReason" => $response->getStatusReason(), "errorMessage" => $e->getMessage()));
         $response->setContent($output);
         if (NULL !== $this->_logger) {
             $this->_logger->logFatal($e->getMessage() . PHP_EOL . $request . PHP_EOL . $response);
         }
     }
     return $response;
 }