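/**
 * Authenticate the current API request.
 *
 * Three mechanisms are tried, in order:
 *   1. OAuth via \Hubzero\Oauth\Provider, using the request's OAuth parameters;
 *   2. the site session cookie, resolved against the `#__session` table;
 *   3. a tool session number + token (POST vars, with request headers as a
 *      fallback), resolved against the middleware `session` table and bound
 *      to the session's execution host IP.
 *
 * Results are written into $this->_authn ('oauth_token', 'consumer_key',
 * 'user_id', 'session_id') and $this->_provider. The request is tagged with
 * validApiKey when an OAuth consumer key was established.
 *
 * @return mixed  null when no route is set or after $this->_authn has been
 *                populated; false when no CLI parameters could be gathered or
 *                when OAuth validation failed (the response is then already
 *                populated with the OAuth error).
 */
public function authenticate()
{
	if (!$this->_route)
	{
		return;
	}

	JLoader::import('Hubzero.User.Profile');
	JLoader::import('Hubzero.User.Helper');
	JLoader::import('Hubzero.Oauth.Provider');
	JLoader::import('Hubzero.User');
	JLoader::import('Hubzero.Xml');

	/*
	 * If CLI then we have to gather all query, post and header values
	 * into params for Oauth_Provider's constructor.
	 *
	 * Query values take precedence over post values for the same key;
	 * a null value (isset() false) falls through to the other source.
	 */
	$params = array();

	if (php_sapi_name() == 'cli')
	{
		$queryvars = $this->request->get('queryvars');
		$postvars  = $this->request->get('postdata');

		// Walk the keys of both sources once instead of duplicating the
		// precedence logic per source. isset() on a null array is safe.
		foreach (array($queryvars, $postvars) as $source)
		{
			if (!is_array($source))
			{
				continue;
			}

			foreach (array_keys($source) as $key)
			{
				if (isset($queryvars[$key]))
				{
					$params[$key] = $queryvars[$key];
				}
				elseif (isset($postvars[$key]))
				{
					$params[$key] = $postvars[$key];
				}
			}
		}

		if (empty($params))
		{
			return false;
		}
	}

	/*
	 * If request has a Basic Auth header Oauth will throw an exception if the
	 * header doesn't conform to the OAuth protocol. We catch that (or any other)
	 * exception and proceed as if there was no oauth data.
	 *
	 * @TODO A better approach might be to inspect the Basic Auth header and see
	 * if it even looks like OAuth was being attempted and throw an Oauth
	 * compliant error if it was.
	 */
	$oauthp = null;

	try
	{
		$oauthp = new \Hubzero\Oauth\Provider($params);
		$oauthp->setRequestTokenPath('/api/oauth/request_token');
		$oauthp->setAccessTokenPath('/api/oauth/access_token');
		$oauthp->setAuthorizePath('/api/oauth/authorize');

		$result = $oauthp->validateRequest(
			$this->request->get('request'),
			$this->request->get('method')
		);

		// An array result is an OAuth error payload: hand it to the client
		// and stop here rather than falling back to session authentication.
		if (is_array($result))
		{
			$this->response->setResponseProvides('application/x-www-form-urlencoded');
			$this->response->setMessage($result['message'], $result['status'], $result['reason']);
			return false;
		}

		$this->_provider = $oauthp;

		$this->_authn['oauth_token']  = $oauthp->getToken();
		$this->_authn['consumer_key'] = $oauthp->getConsumerKey();
	}
	catch (\Exception $e)
	{
		// No usable OAuth data; continue with session-based authentication.
	}

	$this->_authn['user_id'] = null;

	if (isset($this->_authn['oauth_token']) && $this->_authn['oauth_token'])
	{
		$data = $oauthp->getTokenData();

		if (!empty($data->user_id))
		{
			$this->_authn['user_id'] = $data->user_id;
		}

		$this->_authn['session_id'] = null;

		JFactory::getSession()->set('user', new JUser($data->user_id));
	}
	else
	{
		// well lets try to authenticate it with a session instead
		$session_name = md5(self::getHash('site'));
		$session_id   = null;

		if (!empty($_COOKIE[$session_name]))
		{
			$session_id = $_COOKIE[$session_name];
		}

		$this->_authn['session_id'] = $session_id;
		$this->_authn['user_id']    = null;

		if (!empty($session_id))
		{
			$db      = JFactory::getDBO();
			$timeout = JFactory::getConfig()->getValue('config.timeout');

			// NOTE(review): `time + timeout <= NOW()` compares a stored session
			// timestamp (plus the configured timeout) against a DATETIME and
			// matches sessions at or past that bound, which looks inverted for
			// a "still valid" check — confirm against the #__session schema and
			// the unit of config.timeout before changing it.
			$query = "SELECT userid FROM `#__session`"
				. " WHERE session_id = " . $db->Quote($session_id)
				. " AND time + " . (int) $timeout . " <= NOW()"
				. " AND client_id = 0;";
			$db->setQuery($query);

			$user_id = $db->loadResult();

			if (!empty($user_id))
			{
				$this->_authn['user_id'] = $user_id;
			}
		}

		// tool session authentication
		$toolSessionId    = JRequest::getInt('sessionnum', null, 'POST');
		$toolSessionToken = JRequest::getCmd('sessiontoken', null, 'POST');

		// use request headers as backup method to post vars
		if (!$toolSessionId && !$toolSessionToken)
		{
			// apache_request_headers() only exists under some SAPIs; without
			// the guard a non-Apache SAPI fatals here instead of skipping.
			$headers = function_exists('apache_request_headers') ? apache_request_headers() : array();

			$toolSessionId    = isset($headers['sessionnum']) ? $headers['sessionnum'] : null;
			$toolSessionToken = isset($headers['sessiontoken']) ? $headers['sessiontoken'] : null;
		}

		// if we have a session id & token lets use those to authenticate
		if ($toolSessionId && $toolSessionToken)
		{
			// include needed libs
			require_once PATH_CORE . DS . 'components' . DS . 'com_tools' . DS . 'helpers' . DS . 'utils.php';

			// instantiate middleware database
			$mwdb = \Components\Tools\Helpers\Utils::getMWDBO();

			// attempt to load session from db; both values are driver-quoted
			$query = "SELECT * FROM `session`"
				. " WHERE `sessnum` = " . $mwdb->quote($toolSessionId)
				. " AND `sesstoken` = " . $mwdb->quote($toolSessionToken);
			$mwdb->setQuery($query);

			$session = $mwdb->loadObject();

			// only continue if a valid session was found
			if ($session)
			{
				// check users IP against the session execution host IP.
				// gethostbyname() returns the name unchanged when it cannot
				// resolve, so an unresolvable exechost never matches.
				$execHostIp = gethostbyname($session->exechost);

				if (JRequest::ip() === $execHostIp)
				{
					$profile = \Hubzero\User\User::oneByUsername($session->username);

					$this->_authn['user_id'] = $profile->get('id');
				}
			}
		}
	}

	$this->request->validApiKey = !empty($this->_authn['consumer_key']);
}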