// Tail of a function whose opening lies above this excerpt; reproduced unchanged.
return true; } return false; }

// NOTE(review): display_errors=1 sends PHP warnings and notices to the HTTP
// client. That suits a test tool; on a production endpoint it leaks paths and
// internal state to the caller.
ini_set("display_errors", 1);

// The b64 request parameter is mandatory: without it the request is logged and aborted.
if (!isset($_REQUEST['b64'])) {
    error_log("Missing b64 parameter");
    die("Missing b64 parameter");
}

// The session id is derived from the b64 parameter plus this file's path, so
// that several people running this script on the same server get separate sessions.
// NOTE(review): the id is therefore computable by anyone who knows b64 and the
// script path, and a comment further down says b64 carries the key and
// secret. Treat this session as a convenience store, not as authentication.
$b64 = $_REQUEST['b64'];
session_id(md5($b64 . __FILE__));
session_start();

// This endpoint accepts only application/xml. Both the 'Content-Type' and
// 'Content-type' spellings of the header name are tried.
$request_headers = OAuthUtil::get_headers();
$hct = isset($request_headers['Content-Type']) ? $request_headers['Content-Type'] : false;
if (!$hct) {
    $hct = isset($request_headers['Content-type']) ? $request_headers['Content-type'] : false;
}

// strpos() is a substring test, so any header value that merely contains
// 'application/xml' passes (a value with a charset parameter included).
// NOTE(review): the rejected header value is written verbatim to the error log
// and to the response. The response is forced to text/plain first; the log
// line still carries client-controlled bytes.
if (strpos($hct, 'application/xml') === false) {
    header('Content-Type: text/plain');
    // print_r($request_headers);
    error_log("Must be content type xml, found " . $hct);
    die("Must be content type xml, found " . $hct);
}
header('Content-Type: application/xml; charset=utf-8');

// Get skeleton response
$response = LTI::getPOXResponse();

// Pull out the key and secret from the parameter.
// base64_decode() is called without its strict flag, so characters outside the
// base64 alphabet are silently discarded instead of causing a failure.
$b64dec = base64_decode($b64);
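/**
 * Verify an OAuth body-signed POST and return the raw request body.
 *
 * Reads the request headers through OAuthUtil::get_headers(), takes
 * oauth_body_hash (and, when present, oauth_signature_method) from an
 * "OAuth " Authorization header, checks the consumer key and secret through
 * self::verifyKeyAndSecret(), then hashes php://input and compares the
 * digest with oauth_body_hash.
 *
 * Security notes for maintainers:
 *  - oauth_body_hash and oauth_signature_method both come from the request.
 *    The body check therefore only binds the body to the Authorization
 *    header; it is the OAuth signature over that header that authenticates
 *    it. verifyKeyAndSecret() is not visible here - confirm that it
 *    validates the signature covering oauth_body_hash.
 *  - Any oauth_signature_method other than the exact string HMAC-SHA256,
 *    including a missing one, selects SHA-1 for the body digest.
 *  - The global $LastOAuthBodyHashInfo receives header-supplied text; treat
 *    it as untrusted wherever it is logged or displayed.
 *
 * @param mixed $oauth_consumer_key    Passed unchanged to verifyKeyAndSecret().
 * @param mixed $oauth_consumer_secret Passed unchanged to verifyKeyAndSecret().
 *
 * @return string The raw request body read from php://input.
 *
 * @throws \Exception When the content type is form-encoded, the body hash is
 *                    missing, key/secret verification fails, the body cannot
 *                    be read, or the computed digest does not match.
 */
public static function handleOAuthBodyPOST($oauth_consumer_key, $oauth_consumer_secret)
{
    $request_headers = OAuthUtil::get_headers();

    // HTTP header names are case-insensitive, so look them up that way
    // instead of indexing one exact spelling (which also raised an
    // undefined-index warning when the header was absent).
    $header_value = static function ($headers, $name) {
        if (!is_array($headers)) {
            return null;
        }
        foreach ($headers as $key => $value) {
            if (is_string($value) && strcasecmp((string) $key, $name) === 0) {
                return $value;
            }
        }
        return null;
    };

    // Must reject application/x-www-form-urlencoded. Compare the media type
    // only, lower-cased and without parameters, so that a value such as
    // "application/x-www-form-urlencoded; charset=UTF-8" is rejected as well.
    $content_type = $header_value($request_headers, 'Content-Type');
    if ($content_type !== null) {
        $content_type_parts = explode(';', $content_type, 2);
        $media_type = strtolower(trim($content_type_parts[0]));
        if ($media_type === 'application/x-www-form-urlencoded') {
            throw new \Exception("OAuth request body signing must not use application/x-www-form-urlencoded");
        }
    }

    $oauth_signature_method = false;
    $oauth_body_hash = null;
    $authorization = $header_value($request_headers, 'Authorization');
    if ($authorization !== null && substr($authorization, 0, 6) === "OAuth ") {
        $header_parameters = OAuthUtil::split_header($authorization);
        if (isset($header_parameters['oauth_body_hash'])) {
            $oauth_body_hash = $header_parameters['oauth_body_hash'];
        }
        if (isset($header_parameters['oauth_signature_method'])) {
            $oauth_signature_method = $header_parameters['oauth_signature_method'];
        }
    }

    if ($oauth_body_hash === null) {
        throw new \Exception("OAuth request body signing requires oauth_body_hash body");
    }

    // Check the key and secret.
    $retval = self::verifyKeyAndSecret($oauth_consumer_key, $oauth_consumer_secret);
    if ($retval !== true) {
        throw new \Exception("OAuth signature failed: " . $retval[0]);
    }

    // Fail closed when the body cannot be read, rather than hashing a
    // boolean false as if it were an empty body.
    $postdata = file_get_contents('php://input');
    if ($postdata === false) {
        throw new \Exception("OAuth request body could not be read");
    }

    if ($oauth_signature_method === 'HMAC-SHA256') {
        $hash = base64_encode(hash('sha256', $postdata, true));
    } else {
        $hash = base64_encode(sha1($postdata, true));
    }

    // Debug record of the last comparison. It contains header-supplied text.
    global $LastOAuthBodyHashInfo;
    $LastOAuthBodyHashInfo = "hdr_hash={$oauth_body_hash} body_len=" . strlen($postdata) . " body_hash={$hash} oauth_signature_method={$oauth_signature_method}";

    // Strict comparison: a non-string or type-juggled header value can never
    // match. The digest is computed from the body the client sent, so it is
    // not a secret and a constant-time compare is not required here.
    if (!is_string($oauth_body_hash) || $hash !== $oauth_body_hash) {
        throw new \Exception("OAuth oauth_body_hash mismatch");
    }

    return $postdata;
}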