public function handleRequest(HttpRequest $request)
{
$response = NULL;
try {
$requestMethod = $request->getRequestMethod();
if ("GET" !== $requestMethod && "POST" !== $requestMethod) {
throw new TokenIntrospectionException("method_not_allowed", "invalid request method");
}
$parameters = "GET" === $requestMethod ? $request->getQueryParameters() : $request->getPostParameters();
$response = new HttpResponse(200, "application/json");
$response->setHeader('Cache-Control', 'no-store');
$response->setHeader('Pragma', 'no-cache');
$response->setContent(Json::enc($this->_introspectToken($parameters)));
} catch (TokenIntrospectionException $e) {
$response = new HttpResponse($e->getResponseCode(), "application/json");
$response->setContent(Json::enc(array("error" => $e->getMessage(), "error_description" => $e->getDescription())));
if ("method_not_allowed" === $e->getMessage()) {
$response->setHeader("Allow", "GET,POST");
}
if (NULL !== $this->_logger) {
$this->_logger->logFatal($e->getLogMessage(TRUE) . PHP_EOL . $request . PHP_EOL . $response);
}
}
return $response;
}
public function testHttpUriParametersWithPost()
{
$h = new HttpRequest("http://www.example.com/request?action=foo&method=bar", "POST");
$h->setPostParameters(array("id" => 5, "action" => "help"));
$this->assertEquals(array("action" => "foo", "method" => "bar"), $h->getQueryParameters());
$this->assertEquals(array("id" => 5, "action" => "help"), $h->getPostParameters());
$this->assertEquals(5, $h->getPostParameter("id"));
$this->assertEquals("help", $h->getPostParameter("action"));
}
public function handleRequest(HttpRequest $request)
{
$response = new HttpResponse(200);
try {
// hint the authentication layer about the user that wants to authenticate
// if this information is available as a parameter to the authorize endpoint
$resourceOwnerHint = $request->getQueryParameter("x_resource_owner_hint");
if (null !== $resourceOwnerHint) {
$this->_resourceOwner->setResourceOwnerHint($resourceOwnerHint);
}
switch ($request->getRequestMethod()) {
case "GET":
$result = $this->_handleAuthorize($this->_resourceOwner, $request->getQueryParameters());
if (AuthorizeResult::ASK_APPROVAL === $result->getAction()) {
$loader = new \Twig_Loader_Filesystem(dirname(dirname(__DIR__)) . DIRECTORY_SEPARATOR . "views");
$twig = new \Twig_Environment($loader);
$redirectUri = new Uri($result->getClient()->getRedirectUri());
$output = $twig->render("askAuthorization.twig", array('serviceName' => $this->_config->getValue('serviceName'), 'serviceLogoUri' => $this->_config->getValue('serviceLogoUri', FALSE), 'serviceLogoWidth' => $this->_config->getValue('serviceLogoWidth', FALSE), 'serviceLogoHeight' => $this->_config->getValue('serviceLogoHeight', FALSE), 'resourceOwnerId' => $this->_resourceOwner->getId(), 'sslEnabled' => "https" === $request->getRequestUri()->getScheme(), 'contactEmail' => $result->getClient()->getContactEmail(), 'scopes' => $result->getScope()->getScopeAsArray(), 'clientDomain' => $redirectUri->getHost(), 'clientName' => $result->getClient()->getName(), 'clientId' => $result->getClient()->getId(), 'clientDescription' => $result->getClient()->getDescription(), 'clientIcon' => $result->getClient()->getIcon(), 'redirectUri' => $redirectUri->getUri()));
$response->setContent($output);
} elseif (AuthorizeResult::REDIRECT === $result->getAction()) {
$response->setStatusCode(302);
$response->setHeader("Location", $result->getRedirectUri()->getUri());
} else {
// should never happen...
throw new \Exception("invalid authorize result");
}
break;
case "POST":
// CSRF protection, check the referrer, it should be equal to the
// request URI
$fullRequestUri = $request->getRequestUri()->getUri();
$referrerUri = $request->getHeader("HTTP_REFERER");
if ($fullRequestUri !== $referrerUri) {
throw new ResourceOwnerException("csrf protection triggered, referrer does not match request uri");
}
$result = $this->_handleApprove($this->_resourceOwner, $request->getQueryParameters(), $request->getPostParameters());
if (AuthorizeResult::REDIRECT !== $result->getAction()) {
// FIXME: this is dead code?
throw new ResourceOwnerException("approval not found");
}
$response->setStatusCode(302);
$response->setHeader("Location", $result->getRedirectUri()->getUri());
break;
default:
// method not allowed
$response->setStatusCode(405);
$response->setHeader("Allow", "GET, POST");
break;
}
} catch (ClientException $e) {
// tell the client about the error
$client = $e->getClient();
if ($client['type'] === "user_agent_based_application") {
$separator = "#";
} else {
$separator = FALSE === strpos($client['redirect_uri'], "?") ? "?" : "&";
}
$parameters = array("error" => $e->getMessage(), "error_description" => $e->getDescription());
if (NULL !== $e->getState()) {
$parameters['state'] = $e->getState();
}
$response->setStatusCode(302);
$response->setHeader("Location", $client['redirect_uri'] . $separator . http_build_query($parameters));
if (NULL !== $this->_logger) {
$this->_logger->logFatal($e->getLogMessage(TRUE) . PHP_EOL . $request . PHP_EOL . $response);
}
} catch (ResourceOwnerException $e) {
// tell resource owner about the error (through browser)
$response->setStatusCode(400);
$loader = new \Twig_Loader_Filesystem(dirname(dirname(__DIR__)) . DIRECTORY_SEPARATOR . "views");
$twig = new \Twig_Environment($loader);
$output = $twig->render("error.twig", array("statusCode" => $response->getStatusCode(), "statusReason" => $response->getStatusReason(), "errorMessage" => $e->getMessage()));
$response->setContent($output);
if (NULL !== $this->_logger) {
$this->_logger->logFatal($e->getMessage() . PHP_EOL . $request . PHP_EOL . $response);
}
}
return $response;
}