// Should only fail for malicious attempts, ok to show a not as nice error message
if (!array_key_exists('state', $params)) {
$html = render('auth_error', array('title' => 'Auth Callback', 'error' => 'Missing state parameter', 'errorDescription' => 'No state parameter was provided in the request. This shouldn\'t happen. It is possible this is a malicious authorization attempt.'));
$app->response()->body($html);
return;
}
if ($params['state'] != $_SESSION['auth_state']) {
$html = render('auth_error', array('title' => 'Auth Callback', 'error' => 'Invalid state', 'errorDescription' => 'The state parameter provided did not match the state provided at the start of authorization. This is most likely caused by a malicious authorization attempt.'));
$app->response()->body($html);
return;
}
// Now the basic sanity checks have passed. Time to start providing more helpful messages when there is an error.
// An authorization code is in the query string, and we want to exchange that for an access token at the token endpoint.
// Discover the endpoints
$micropubEndpoint = IndieAuth\Client::discoverMicropubEndpoint($me);
$tokenEndpoint = IndieAuth\Client::discoverTokenEndpoint($me);
if ($tokenEndpoint) {
$token = IndieAuth\Client::getAccessToken($tokenEndpoint, $params['code'], $params['me'], buildRedirectURI(), clientID(), k($params, 'state'), true);
} else {
$token = array('auth' => false, 'response' => false);
}
$redirectToDashboardImmediately = false;
// If a valid access token was returned, store the token info in the session and they are signed in
if (k($token['auth'], array('me', 'access_token', 'scope'))) {
$_SESSION['auth'] = $token['auth'];
$_SESSION['me'] = $params['me'];
$user = ORM::for_table('users')->where('url', $me)->find_one();
if ($user) {
// Already logged in, update the last login date
$user->last_login = date('Y-m-d H:i:s');
// If they have logged in before and we already have an access token, then redirect to the dashboard now
