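/**
 * Entry point for a signed web API request (PortSensor variant).
 *
 * The caller is identified by a worker e-mail address and a request signature
 * carried in the PORTSENSOR_AUTH header ("<email>:<signature>"). The signature
 * is base64(sha1(verb, Date header, URL path, sorted query string, raw POST
 * payload, worker password)) with "\n" separators, and is recomputed here from
 * the stored worker record. On success the HTTP method is dispatched to the
 * matching "<verb>Action" method.
 *
 * Every failed check calls $this->_error() and then returns immediately, so the
 * request fails closed even if _error() does not terminate the script.
 *
 * @param DevblocksHttpRequest $request  Parsed request; $request->path holds
 *                                       the URL path split into segments.
 * @return void
 */
function handleRequest(DevblocksHttpRequest $request) {
    $stack = $request->path;
    $db = DevblocksPlatform::getDatabaseService();

    // **** BEGIN AUTH
    // Headers and server vars may be absent; default to '' instead of relying on @-suppression.
    $verb = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : '';
    $header_date = isset($_SERVER['HTTP_DATE']) ? $_SERVER['HTTP_DATE'] : '';
    $header_signature = isset($_SERVER['HTTP_PORTSENSOR_AUTH']) ? $_SERVER['HTTP_PORTSENSOR_AUTH'] : '';
    $query_string = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';
    $this->_payload = $this->_getRawPost();

    // Header format is "<worker e-mail>:<signature>"; a missing ':' leaves the signature empty,
    // which can never match a computed hash.
    $auth_parts = explode(':', $header_signature, 2);
    $auth_worker_email = $auth_parts[0];
    $auth_signature = isset($auth_parts[1]) ? $auth_parts[1] : '';

    $url_parts = parse_url(DevblocksPlatform::getWebPath());
    $url_path = isset($url_parts['path']) ? $url_parts['path'] : '';
    $url_query = $this->_sortQueryString($query_string);
    $string_to_sign_prefix = "{$verb}\n{$header_date}\n{$url_path}\n{$url_query}\n{$this->_payload}";

    // NOTE(review): whether _validateRfcDate() also bounds clock skew (replay window)
    // is not visible here — confirm in its definition.
    if (!$this->_validateRfcDate($header_date)) {
        $this->_error("Access denied! (Invalid timestamp)");
        return;
    }

    // WORKER-LEVEL AUTH: look the worker up by e-mail; qstr() quotes the value for SQL.
    $results = DAO_Worker::getWhere(sprintf("%s = %s", DAO_Worker::EMAIL, $db->qstr($auth_worker_email)));
    if (empty($results)) {
        $this->_error("Access denied! (Invalid authentication)");
        return;
    }
    $worker = array_shift($results);
    $this->setActiveWorker($worker);

    if (null == $this->getActiveWorker()) {
        $this->_error("Access denied! (Invalid worker)");
        return;
    }

    if (!$worker->hasPriv('plugin.usermeet.webapi')) {
        $this->_error("Access denied! (No permission)");
        return;
    }

    // The stored worker password is the shared secret appended to the signed string.
    $pass = $this->getActiveWorker()->pass;
    $string_to_sign = "{$string_to_sign_prefix}\n{$pass}\n";
    $compare_hash = base64_encode(sha1($string_to_sign, true));

    // Constant-time comparison: a plain strcmp() returns as soon as a byte differs.
    if (!$this->_signatureMatches($compare_hash, $auth_signature)) {
        $this->_error("Access denied! (Invalid password)");
        return;
    }
    // **** END APP AUTH

    // Figure out our format by looking at the last path argument ("command.format").
    // No limit on explode() on purpose: "a.b.c" yields command "a", format "b", as before.
    $last_segment = array_pop($stack);
    $segment_parts = explode('.', (string) $last_segment);
    $command = $segment_parts[0];
    $format = isset($segment_parts[1]) ? $segment_parts[1] : null;
    array_push($stack, $command);
    $this->_format = $format;

    // Call the verb as an action: GET -> getAction(), POST -> postAction(), ...
    // The fixed 'Action' suffix keeps an arbitrary request method from reaching other methods.
    $method = strtolower($verb) . 'Action';
    if (method_exists($this, $method)) {
        $this->$method($stack);
    } else {
        $this->_error("Invalid action.");
    }
}

/**
 * Constant-time comparison of the server-computed signature with the one the
 * caller sent, so response time does not reveal how much of a guessed
 * signature was correct.
 *
 * @param string $expected  Signature computed server-side.
 * @param string $given     Signature taken from the auth header (may be empty).
 * @return bool  True only when both strings are byte-for-byte identical.
 */
function _signatureMatches($expected, $given) {
    $expected = (string) $expected;
    $given = (string) $given;

    if (function_exists('hash_equals')) { // PHP 5.6+
        return hash_equals($expected, $given);
    }

    // Fallback for older PHP: XOR every byte and never leave the loop early.
    $len_expected = strlen($expected);
    $len_given = strlen($given);
    $diff = $len_expected ^ $len_given;
    $n = min($len_expected, $len_given);
    for ($i = 0; $i < $n; $i++) {
        $diff |= ord($expected[$i]) ^ ord($given[$i]);
    }
    return 0 === $diff;
}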
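/**
 * Entry point for a signed web API request (Cerb4 variant).
 *
 * The CERB4_AUTH header carries "<access key>:<signature>". An access key that
 * contains '@' is treated as a worker e-mail address (worker-level auth, secret
 * is the stored worker password); any other key is looked up in DAO_WebapiKey
 * (app-level auth, secret is the key's secret_key, plus an IP allow-list check).
 * In both cases the signature is base64(sha1(verb, Date header, URL path, sorted
 * query string, raw POST payload, secret)) with "\n" separators.
 *
 * Worker requests dispatch to "<verb>WorkerAction"; app-level requests dispatch
 * to "<verb>Action" and receive the matched keychain as a second argument.
 *
 * Every failed check calls $this->_error() and then returns immediately, so the
 * request fails closed even if _error() does not terminate the script.
 *
 * @param DevblocksHttpRequest $request  Parsed request; $request->path holds
 *                                       the URL path split into segments.
 * @return void
 */
function handleRequest(DevblocksHttpRequest $request) {
    $stack = $request->path;
    $db = DevblocksPlatform::getDatabaseService();

    // **** BEGIN AUTH
    // Headers and server vars may be absent; default to '' instead of relying on @-suppression.
    $verb = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : '';
    $header_date = isset($_SERVER['HTTP_DATE']) ? $_SERVER['HTTP_DATE'] : '';
    $header_signature = isset($_SERVER['HTTP_CERB4_AUTH']) ? $_SERVER['HTTP_CERB4_AUTH'] : '';
    $query_string = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';
    $remote_addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    $this->_payload = $this->_getRawPost();

    // Header format is "<access key>:<signature>"; a missing ':' leaves the signature empty,
    // which can never match a computed hash.
    $auth_parts = explode(':', $header_signature, 2);
    $auth_access_key = $auth_parts[0];
    $auth_signature = isset($auth_parts[1]) ? $auth_parts[1] : '';

    $url_parts = parse_url(DevblocksPlatform::getWebPath());
    $url_path = isset($url_parts['path']) ? $url_parts['path'] : '';
    $url_query = $this->_sortQueryString($query_string);
    $string_to_sign_prefix = "{$verb}\n{$header_date}\n{$url_path}\n{$url_query}\n{$this->_payload}";

    // NOTE(review): whether _validateRfcDate() also bounds clock skew (replay window)
    // is not visible here — confirm in its definition.
    if (!$this->_validateRfcDate($header_date)) {
        $this->_error("Access denied! (Invalid timestamp)");
        return;
    }

    // Only set on the app-level path; passed through to the action below.
    $stored_keychain = null;

    // strpos() returns 0 for a leading '@', which is falsy — compare against false explicitly.
    if (false !== strpos($auth_access_key, '@')) {
        // WORKER-LEVEL AUTH: the access key is a worker e-mail address.
        foreach (DAO_Worker::getAll() as $worker) { /* @var $worker CerberusWorker */
            if ($worker->email === $auth_access_key) {
                $this->setActiveWorker($worker);
                break;
            }
        }

        if (null == $this->getActiveWorker()) {
            $this->_error("Access denied! (Invalid worker)");
            return;
        }

        // The stored worker password is the shared secret appended to the signed string.
        $pass = $this->getActiveWorker()->pass;
        $string_to_sign = "{$string_to_sign_prefix}\n{$pass}\n";
        $compare_hash = base64_encode(sha1($string_to_sign, true));

        // Constant-time comparison: a plain strcmp() returns as soon as a byte differs.
        if (!$this->_signatureMatches($compare_hash, $auth_signature)) {
            $this->_error("Access denied! (Invalid password)");
            return;
        }
    } else {
        // APP-LEVEL AUTH: look the key up by its access key (spaces stripped); qstr() quotes for SQL.
        $stored_keychains = DAO_WebapiKey::getWhere(sprintf(
            "%s = %s",
            DAO_WebapiKey::ACCESS_KEY,
            $db->qstr(str_replace(' ', '', $auth_access_key))
        ));

        if (empty($stored_keychains)) {
            $this->_error("Access denied! (Unknown access key)");
            return;
        }

        /* @var $stored_keychain Model_WebApiKey */
        $stored_keychain = array_shift($stored_keychains);
        $auth_secret_key = $stored_keychain->secret_key;

        $string_to_sign = "{$string_to_sign_prefix}\n{$auth_secret_key}\n";
        $compare_hash = base64_encode(sha1($string_to_sign, true));

        // Constant-time comparison: a plain strcmp() returns as soon as a byte differs.
        if (!$this->_signatureMatches($compare_hash, $auth_signature)) {
            $this->_error("Access denied! (Invalid signature)");
            return;
        }

        // Check that this IP is allowed to perform the VERB (only after the signature verified).
        if (!$stored_keychain->isValidIp($remote_addr)) {
            $this->_error(sprintf("Access denied! (IP %s not authorized)", $remote_addr));
            return;
        }
    }
    // **** END APP AUTH

    // Figure out our format by looking at the last path argument ("command.format").
    // No limit on explode() on purpose: "a.b.c" yields command "a", format "b", as before.
    $last_segment = array_pop($stack);
    $segment_parts = explode('.', (string) $last_segment);
    $command = $segment_parts[0];
    $format = isset($segment_parts[1]) ? $segment_parts[1] : null;
    array_push($stack, $command);
    $this->_format = $format;

    // Dispatch on the HTTP method. The fixed suffix keeps an arbitrary request
    // method from reaching other methods on this controller.
    if (null != $this->getActiveWorker()) {
        $method = strtolower($verb) . 'WorkerAction';
        if (method_exists($this, $method)) {
            $this->$method($stack);
        }
    } else {
        $method = strtolower($verb) . 'Action';
        if (method_exists($this, $method)) {
            $this->$method($stack, $stored_keychain);
        }
    }
}

/**
 * Constant-time comparison of the server-computed signature with the one the
 * caller sent, so response time does not reveal how much of a guessed
 * signature was correct.
 *
 * @param string $expected  Signature computed server-side.
 * @param string $given     Signature taken from the auth header (may be empty).
 * @return bool  True only when both strings are byte-for-byte identical.
 */
function _signatureMatches($expected, $given) {
    $expected = (string) $expected;
    $given = (string) $given;

    if (function_exists('hash_equals')) { // PHP 5.6+
        return hash_equals($expected, $given);
    }

    // Fallback for older PHP: XOR every byte and never leave the loop early.
    $len_expected = strlen($expected);
    $len_given = strlen($given);
    $diff = $len_expected ^ $len_given;
    $n = min($len_expected, $len_given);
    for ($i = 0; $i < $n; $i++) {
        $diff |= ord($expected[$i]) ^ ord($given[$i]);
    }
    return 0 === $diff;
}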