Example #1
0
 /**
  * {@inheritdoc}
  */
 public function checkAccessToken(EventInterface $event)
 {
     $request = $event->getRequest();
     $response = $event->getResponse();
     $query = $request->query;
     $eventName = $event->getName();
     if (($eventName === 'image.get' || $eventName === 'image.head') && $this->isWhitelisted($request)) {
         // All transformations in the request are whitelisted. Skip the access token check
         return;
     }
     // If the response has a short URL header, we can skip the access token check
     if ($response->headers->has('X-Imbo-ShortUrl')) {
         return;
     }
     if (!$query->has('accessToken')) {
         throw new RuntimeException('Missing access token', 400);
     }
     $token = $query->get('accessToken');
     // First the the raw un-encoded URI, then the URI as is
     $uris = array($request->getRawUri(), $request->getUriAsIs());
     $privateKeys = $event->getUserLookup()->getPrivateKeys($request->getPublicKey()) ?: [];
     foreach ($uris as $uri) {
         // Remove the access token from the query string as it's not used to generate the HMAC
         $uri = rtrim(preg_replace('/(?<=(\\?|&))accessToken=[^&]+&?/', '', $uri), '&?');
         foreach ($privateKeys as $privateKey) {
             $correctToken = hash_hmac('sha256', $uri, $privateKey);
             if ($correctToken === $token) {
                 return;
             }
         }
     }
     throw new RuntimeException('Incorrect access token', 400);
 }
Example #2
0
 /**
  * Load stats
  *
  * @param EventInterface $event An event instance
  */
 public function loadStats(EventInterface $event)
 {
     $response = $event->getResponse();
     $database = $event->getDatabase();
     $userLookup = $event->getUserLookup();
     $publicKeys = $userLookup->getPublicKeys();
     $users = array();
     foreach ($publicKeys as $key) {
         $users[$key] = array('numImages' => $database->getNumImages($key), 'numBytes' => $database->getNumBytes($key));
     }
     $statsModel = new Model\Stats();
     $statsModel->setUsers($users);
     $response->setModel($statsModel);
 }
Example #3
0
 /**
  * {@inheritdoc}
  */
 public function authenticate(EventInterface $event)
 {
     $response = $event->getResponse();
     $request = $event->getRequest();
     // Whether or not the authentication info is in the request headers
     $fromHeaders = $request->headers->has('x-imbo-authenticate-timestamp') && $request->headers->has('x-imbo-authenticate-signature');
     // Fetch timestamp header, fallback to query param
     $timestamp = $request->headers->get('x-imbo-authenticate-timestamp', $request->query->get('timestamp'));
     if (!$timestamp) {
         $exception = new RuntimeException('Missing authentication timestamp', 400);
         $exception->setImboErrorCode(Exception::AUTH_MISSING_PARAM);
     } else {
         if (!$this->timestampIsValid($timestamp)) {
             $exception = new RuntimeException('Invalid timestamp: ' . $timestamp, 400);
             $exception->setImboErrorCode(Exception::AUTH_INVALID_TIMESTAMP);
         } else {
             if ($this->timestampHasExpired($timestamp)) {
                 $exception = new RuntimeException('Timestamp has expired: ' . $timestamp, 400);
                 $exception->setImboErrorCode(Exception::AUTH_TIMESTAMP_EXPIRED);
             }
         }
     }
     if (isset($exception)) {
         throw $exception;
     }
     // Fetch signature header, fallback to query param
     $signature = $request->headers->get('x-imbo-authenticate-signature', $request->query->get('signature'));
     if (!$signature) {
         $exception = new RuntimeException('Missing authentication signature', 400);
         $exception->setImboErrorCode(Exception::AUTH_MISSING_PARAM);
     }
     if (isset($exception)) {
         throw $exception;
     }
     $publicKey = $request->getPublicKey();
     $privateKeys = $event->getUserLookup()->getPrivateKeys($publicKey, UserLookupInterface::MODE_READ_WRITE) ?: [];
     $url = $request->getRawUri();
     if (!$fromHeaders) {
         // Remove the signature and timestamp from the query parameters as they are not used
         // when generating the HMAC
         $url = rtrim(preg_replace('/(?<=(\\?|&))(signature|timestamp)=[^&]+&?/', '', $url), '&?');
     }
     // Add the URL used for auth to the response headers
     $response->headers->set('X-Imbo-AuthUrl', $url);
     if (!$this->signatureIsValid($request->getMethod(), $url, $publicKey, $privateKeys, $timestamp, $signature)) {
         $exception = new RuntimeException('Signature mismatch', 400);
         $exception->setImboErrorCode(Exception::AUTH_SIGNATURE_MISMATCH);
         throw $exception;
     }
 }