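 /**
  * Authenticate the current API request.
  *
  * Identity is resolved in this order:
  *   1. OAuth, via \Hubzero\Oauth\Provider (token + consumer key);
  *   2. the site session cookie, looked up in `#__session`;
  *   3. a tool "middleware" session identified by sessionnum/sessiontoken
  *      (POST vars, falling back to request headers) and bound to the
  *      caller's IP.
  *
  * Results are written to $this->_authn ('oauth_token', 'consumer_key',
  * 'user_id', 'session_id') and $this->_provider; $this->request->validApiKey
  * records whether an OAuth consumer key was found.
  *
  * @return  mixed  null when no route is set or when authentication has been
  *                 attempted; false when a CLI request carries no parameters
  *                 or when OAuth validation rejected the request (the error
  *                 response has already been set on $this->response).
  */
 public function authenticate()
 {
     if (!$this->_route) {
         return;
     }
     JLoader::import('Hubzero.User.Profile');
     JLoader::import('Hubzero.User.Helper');
     JLoader::import('Hubzero.Oauth.Provider');
     JLoader::import('Hubzero.User');
     JLoader::import('Hubzero.Xml');
     /*
      * If CLI then we have to gather all query, post and header values
      * into params for Oauth_Provider's constructor. For a key present in
      * both, the query value wins; a null query value falls through to post.
      */
     $params = array();
     if (php_sapi_name() == 'cli') {
         $queryvars = $this->request->get('queryvars');
         $postvars = $this->request->get('postdata');
         if (!empty($queryvars)) {
             foreach ($queryvars as $key => $value) {
                 if (isset($queryvars[$key])) {
                     $params[$key] = $queryvars[$key];
                 } else {
                     if (isset($postvars[$key])) {
                         $params[$key] = $postvars[$key];
                     }
                 }
             }
         }
         if (!empty($postvars)) {
             foreach ($postvars as $key => $value) {
                 if (isset($queryvars[$key])) {
                     $params[$key] = $queryvars[$key];
                 } else {
                     if (isset($postvars[$key])) {
                         $params[$key] = $postvars[$key];
                     }
                 }
             }
         }
         // Nothing to authenticate with under CLI: bail out early.
         if (empty($params)) {
             return false;
         }
     }
     /*
         If request has a Basic Auth header Oauth will throw an exception if the header doesn't
         conform to the OAuth protocol. We catch that (or any other)  exception and proceed as
         if there was no oauth data.

         @TODO A better approach might be to inspect the Basic Auth header and see if it even
         looks like OAuth was being attempted and throw an Oauth compliant error if it was.
     */
     try {
         $oauthp = new \Hubzero\Oauth\Provider($params);
         $oauthp->setRequestTokenPath('/api/oauth/request_token');
         $oauthp->setAccessTokenPath('/api/oauth/access_token');
         $oauthp->setAuthorizePath('/api/oauth/authorize');
         $result = $oauthp->validateRequest($this->request->get('request'), $this->request->get('method'));
         // An array result is a protocol-level rejection: relay it and stop.
         if (is_array($result)) {
             $this->response->setResponseProvides('application/x-www-form-urlencoded');
             $this->response->setMessage($result['message'], $result['status'], $result['reason']);
             return false;
         }
         $this->_provider = $oauthp;
         $this->_authn['oauth_token'] = $oauthp->getToken();
         $this->_authn['consumer_key'] = $oauthp->getConsumerKey();
     } catch (Exception $e) {
         // Deliberate best-effort: any failure here means "no OAuth data".
         // NOTE(review): if this file is namespaced, `Exception` resolves
         // inside that namespace and this catch never fires — confirm it
         // is the global \Exception.
         $result = false;
     }
     $this->_authn['user_id'] = null;
     if (isset($this->_authn['oauth_token']) && $this->_authn['oauth_token']) {
         $data = $oauthp->getTokenData();
         if (!empty($data->user_id)) {
             $this->_authn['user_id'] = $data->user_id;
         }
         $this->_authn['session_id'] = null;
         // NOTE(review): this replaces the session user even when the token
         // carries no user_id (JUser(null) is a guest) — confirm that
         // clobbering an existing web session on a user-less token is intended.
         JFactory::getSession()->set('user', new JUser($data->user_id));
     } else {
         // well lets try to authenticate it with a session instead
         $session_name = md5(self::getHash('site'));
         $session_id = null;
         if (!empty($_COOKIE[$session_name])) {
             $session_id = $_COOKIE[$session_name];
         }
         $this->_authn['session_id'] = $session_id;
         $this->_authn['user_id'] = null;
         if (!empty($session_id)) {
             $db = JFactory::getDBO();
             $timeout = JFactory::getConfig()->getValue('config.timeout');
             // client_id = 0 restricts the lookup to site (front-end) sessions.
             // NOTE(review): `time + timeout <= NOW()` reads as inverted (it
             // matches sessions whose expiry is already past) and, if `time`
             // holds a Unix timestamp, compares it against a DATETIME so the
             // freshness check never bites — confirm the intended expiry test
             // against the #__session schema. Query left unchanged here apart
             // from the missing space before AND.
             $query = "SELECT userid FROM `#__session` WHERE session_id=" . $db->Quote($session_id) . " AND " . " time + " . (int) $timeout . " <= NOW() AND client_id = 0;";
             $db->setQuery($query);
             $user_id = $db->loadResult();
             if (!empty($user_id)) {
                 $this->_authn['user_id'] = $user_id;
             }
         }
         // tool session authentication
         $toolSessionId = JRequest::getInt('sessionnum', null, 'POST');
         $toolSessionToken = JRequest::getCmd('sessiontoken', null, 'POST');
         // use request headers as backup method to post vars
         if (!$toolSessionId && !$toolSessionToken) {
             // apache_request_headers() only exists under Apache-style SAPIs,
             // yet this method is also run under CLI (see php_sapi_name()
             // above), so guard the call rather than fatal. Header names come
             // back in whatever case the client sent, so normalise to lower
             // case before looking them up.
             $headers = function_exists('apache_request_headers') ? apache_request_headers() : array();
             $headers = array_change_key_case((array) $headers, CASE_LOWER);
             $toolSessionId = isset($headers['sessionnum']) ? $headers['sessionnum'] : null;
             $toolSessionToken = isset($headers['sessiontoken']) ? $headers['sessiontoken'] : null;
         }
         // if we have a session id & token lets use those to authenticate
         if ($toolSessionId && $toolSessionToken) {
             // include needed libs
             require_once PATH_CORE . DS . 'components' . DS . 'com_tools' . DS . 'helpers' . DS . 'utils.php';
             // instantiate middleware database
             $mwdb = \Components\Tools\Helpers\Utils::getMWDBO();
             // attempt to load session from db (both values are quoted; the
             // header-sourced token is not otherwise filtered)
             $query = "SELECT * FROM `session` WHERE `sessnum`= " . $mwdb->quote($toolSessionId) . " AND `sesstoken`=" . $mwdb->quote($toolSessionToken);
             $mwdb->setQuery($query);
             // only continue if a valid session was found
             if ($session = $mwdb->loadObject()) {
                 // Bind the tool session to its execution host: the caller's
                 // IP must equal the resolved exechost. Strict comparison so
                 // the two strings are never coerced numerically; note that
                 // gethostbyname() returns its argument unchanged on failure.
                 if (JRequest::ip() === gethostbyname($session->exechost)) {
                     $profile = \Hubzero\User\User::oneByUsername($session->username);
                     // Grant an identity only when a profile with an id was
                     // actually loaded for the session's username.
                     if ($profile && $profile->get('id')) {
                         $this->_authn['user_id'] = $profile->get('id');
                     }
                 }
             }
         }
     }
     $this->request->validApiKey = !empty($this->_authn['consumer_key']);
 }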