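/**
 * Resolve the session driver for this request and seed it with the client's id.
 *
 * The session id is taken from the "X-Session-Id" request header when one is
 * present; otherwise it falls back to the session cookie, whose name is the
 * driver's configured session name.
 *
 * NOTE(review): the id is client-controlled on both paths, and the header path
 * lets non-browser clients present any value at all. Nothing here validates
 * the id format, so the driver's setId() is relied upon to reject malformed
 * ids — confirm that the driver in use does. Sessions must still be
 * regenerated on privilege changes (login) so a pre-chosen id cannot be fixed.
 *
 * Fix: a present-but-blank "X-Session-Id:" header is now treated like a
 * missing one instead of overriding the cookie-backed id with "".
 *
 * @param Request $request
 * @return mixed the session driver returned by $this->manager->driver(), with its id set
 */
public function getSession(Request $request)
{
    $session = $this->manager->driver();

    // Header first; fall back to the cookie when it is absent or empty.
    $id = $request->header("X-Session-Id");
    if ($id === null || $id === '') {
        $id = $request->cookies->get($session->getName());
    }

    $session->setId($id);

    return $session;
}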
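 /**
  * Sign an outbound request and attach the auth headers to it.
  *
  * The signed material is the HTTP method, the URL without its query string
  * (scheme/host/port prefix from buildURLPrefix() plus the path info), and the
  * request parameters: the query string for GET, the decoded JSON body when the
  * Content-Type contains "/json", and the form body otherwise.
  *
  * Three headers are set on the request: X-<ns>-AUTH-API-TOKEN,
  * X-<ns>-AUTH-NONCE and X-<ns>-AUTH-SIGNATURE, where <ns> is
  * $this->auth_header_namespace.
  *
  * Fix: the parameter is type-hinted as a Symfony Request, which has no
  * header() method (that is a Laravel extension), so a plain Symfony request
  * failed with an undefined-method error. Content-Type is now read through the
  * HeaderBag, which both classes provide; a missing header is also no longer
  * passed to strpos() as null.
  *
  * @param \Symfony\Component\HttpFoundation\Request $request request to sign (mutated in place)
  * @param string $api_token public API token identifying the caller
  * @param string $secret    shared secret used by createSignatureParameters()
  * @return \Symfony\Component\HttpFoundation\Request the same request, with the auth headers set
  */
 public function addSignatureToSymfonyRequest(\Symfony\Component\HttpFoundation\Request $request, $api_token, $secret)
 {
     $method = $request->getMethod();

     // URL without query parameters; the parameters are signed separately.
     $url = $this->buildURLPrefix($request->getScheme(), $request->getHost(), $request->getPort())
         . $request->getPathInfo();

     if ($method === 'GET') {
         $parameters = $request->query->all();
     } else {
         // HeaderBag normalises the key, so CONTENT_TYPE resolves to Content-Type.
         // Cast to string: an absent header yields null, which strpos() rejects on PHP 8.1+.
         $content_type = (string) $request->headers->get('CONTENT_TYPE');
         if (strpos($content_type, '/json') !== false) {
             // NOTE(review): an empty or malformed body decodes to null here, whereas
             // validateFromRequest() treats an empty JSON body as '{}' — confirm that
             // createSignatureParameters() canonicalises both the same way.
             $parameters = json_decode($request->getContent(), true);
         } else {
             $parameters = $request->request->all();
         }
     }

     $signature_info = $this->createSignatureParameters($method, $url, $parameters, $api_token, $secret);

     $header_prefix = 'X-' . $this->auth_header_namespace . '-AUTH-';
     $request->headers->set($header_prefix . 'API-TOKEN', $api_token);
     $request->headers->set($header_prefix . 'NONCE', $signature_info['nonce']);
     $request->headers->set($header_prefix . 'SIGNATURE', $signature_info['signature']);

     return $request;
 }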
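 /**
  * Authenticate an inbound request from its X-<ns>-Auth-* headers.
  *
  * Reads the nonce, api token, signature and (optional) signed URL headers,
  * resolves the api secret for the token through
  * $this->api_secret_lookup_function, reconstructs the URL and parameters that
  * were signed, and hands everything to validate().
  *
  * Several parameter encodings are tried in order so that a JSON body whose
  * bytes were re-serialised in transit can still verify: the raw body first,
  * then a canonical re-encoding of it. The first set that validates wins; if
  * none does, the error recorded for the first attempt is thrown.
  *
  * When a signed URL header is present the request is only accepted if
  * $this->signed_url_validation_function confirms it matches the URL the
  * request actually arrived on; without such a callback a signed URL is always
  * rejected.
  *
  * NOTE(review): replay protection depends on validate() checking the nonce;
  * that is not visible here — confirm nonces are tracked server-side.
  *
  * Fix: the parameter is type-hinted as a Symfony Request, which has no
  * header() method (Laravel-only); Content-Type is now read via the HeaderBag,
  * which both classes provide. A body that is not valid JSON no longer adds a
  * spurious "null" candidate to the parameter sets.
  *
  * @param \Symfony\Component\HttpFoundation\Request $request
  * @return bool true when the signature verifies
  * @throws AuthorizationException when headers are missing, the token is unknown,
  *         the signed URL is rejected, or no parameter encoding validates
  */
 public function validateFromRequest(\Symfony\Component\HttpFoundation\Request $request)
 {
     $header_prefix = 'X-' . $this->auth_header_namespace . '-Auth-';
     $nonce      = $request->headers->get($header_prefix . 'Nonce');
     $api_token  = $request->headers->get($header_prefix . 'Api-Token');
     $signature  = $request->headers->get($header_prefix . 'Signature');
     $signed_url = $request->headers->get($header_prefix . 'Signed-Url');

     // Generic error when nothing at all was supplied; otherwise name the
     // first header that is absent.
     if (!$nonce and !$api_token and !$signature) {
         throw new AuthorizationException("Missing authentication credentials");
     }
     if (!$nonce) {
         throw new AuthorizationException("Missing nonce");
     }
     if (!$api_token) {
         throw new AuthorizationException("Missing api_token");
     }
     if (!$signature) {
         throw new AuthorizationException("Missing signature");
     }

     // Resolve the shared secret; an unknown token is rejected before any
     // signature work is done.
     $api_secret = null;
     if ($this->api_secret_lookup_function and is_callable($this->api_secret_lookup_function)) {
         $api_secret = call_user_func($this->api_secret_lookup_function, $api_token);
     }
     if (!$api_secret) {
         throw new AuthorizationException("Invalid API Token", "Failed to find api secret for token {$api_token}");
     }

     $method     = $request->getMethod();
     $actual_url = $request->getSchemeAndHttpHost() . $request->getBaseUrl() . $request->getPathInfo();

     // A client may have signed a different URL than the one the request
     // arrived on; that is only honoured when the configured callback confirms
     // the two are equivalent.
     $url = $actual_url;
     if ($signed_url) {
         $signed_url_is_valid = false;
         if ($this->signed_url_validation_function !== null and is_callable($this->signed_url_validation_function)) {
             $signed_url_is_valid = call_user_func($this->signed_url_validation_function, $actual_url, $signed_url);
         }
         if (!$signed_url_is_valid) {
             throw new AuthorizationException("Invalid Signed URL", "The URL signed for this request was not valid");
         }
         $url = $signed_url;
     }

     // Candidate parameter encodings, tried in order (see docblock).
     $parameter_sets_to_check = [];
     if ($method === 'GET' or ($method === 'DELETE' and $request->query->count() > 0)) {
         // GET, or DELETE carrying query parameters: the query string was signed.
         $parameter_sets_to_check[] = $request->query->all();
     } else {
         // HeaderBag normalises CONTENT_TYPE to Content-Type; cast so an absent
         // header (null) is safe to pass to strpos() on PHP 8.1+.
         $content_type = (string) $request->headers->get('CONTENT_TYPE');
         if (strpos($content_type, '/json') !== false) {
             $raw_body = $request->getContent();
             if (!strlen($raw_body)) {
                 // An empty JSON body is signed as an empty object.
                 $parameter_sets_to_check[] = '{}';
             } else {
                 $parameter_sets_to_check[] = $raw_body;
                 // Also accept the canonical re-encoding of the same document,
                 // but only when the body actually parses: otherwise json_encode()
                 // would turn the failed decode into the string "null".
                 $decoded = json_decode($raw_body, true);
                 if (json_last_error() === JSON_ERROR_NONE) {
                     $re_encoded = json_encode($decoded, JSON_UNESCAPED_SLASHES | JSON_FORCE_OBJECT);
                     if ($re_encoded !== $raw_body) {
                         $parameter_sets_to_check[] = $re_encoded;
                     }
                 }
             }
         } else {
             $parameter_sets_to_check[] = $request->request->all();
         }
     }

     $files = $request->files->all();
     $first_error_info = null;
     foreach ($parameter_sets_to_check as $parameter_set_to_check) {
         // validate() fills $error_info by reference on failure.
         $is_valid = $this->validate($method, $url, $parameter_set_to_check, $files, $api_token, $nonce, $signature, $api_secret, $error_info);
         if ($is_valid) {
             return $is_valid;
         }
         if ($first_error_info === null) {
             $first_error_info = $error_info;
         }
     }

     // None of the encodings verified; surface the error from the first attempt.
     if ($first_error_info) {
         throw new AuthorizationException($first_error_info[0], $first_error_info[1]);
     }

     return false;
 }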