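/**
 * Construct from the current request. Useful for checking the signature of a request.
 * When not supplied with any parameters this will use the current request.
 *
 * Method, URI and headers fall back to the current PHP request ($_SERVER and
 * OAuthRequestLogger::getAllHeaders()) when the caller leaves them empty.
 * For a POST with an application/x-www-form-urlencoded body the body is
 * appended to $parameters (so it takes part in the parsed parameter set);
 * any other POST body, and every PUT body, is kept verbatim in $this->body.
 *
 * @param string $uri        might include parameters
 * @param string $method     GET, PUT, POST etc.
 * @param string $parameters additional post parameters, urlencoded (RFC1738)
 * @param array  $headers    headers for request; when empty the headers of the
 *                           current request are used
 * @param string $body       optional body of the OAuth request (POST or PUT)
 */
function __construct($uri = null, $method = null, $parameters = '', $headers = array(), $body = null) {
    if (is_object($_SERVER)) {
        // Tainted arrays - the normal stuff in anyMeta
        if (!$method) {
            $method = $_SERVER->REQUEST_METHOD->getRawUnsafe();
        }
        if (empty($uri)) {
            $uri = $_SERVER->REQUEST_URI->getRawUnsafe();
        }
    }
    else {
        // non anyMeta systems
        if (!$method) {
            $method = $_SERVER['REQUEST_METHOD'];
        }
        // PHP sets HTTPS to a non-empty value for TLS requests, and some
        // servers (notably IIS) set it to 'off' for plain HTTP, so test both
        // instead of only accepting the literal 'on'.
        $proto = (!empty($_SERVER['HTTPS']) && strcasecmp($_SERVER['HTTPS'], 'off') !== 0) ? 'https' : 'http';
        if (empty($uri)) {
            // HTTP_HOST is the client-supplied Host header. The URI assembled
            // here is what the signature is later checked against, so behind a
            // proxy or with a non-canonical Host the check fails rather than
            // matching a request addressed elsewhere.
            $uri = sprintf('%s://%s%s', $proto, $_SERVER['HTTP_HOST'], $_SERVER['REQUEST_URI']);
        }
    }

    // Caller-supplied headers are honoured; otherwise read the current request's.
    if (empty($headers)) {
        $headers = OAuthRequestLogger::getAllHeaders();
    }
    $this->method = strtoupper($method);

    // If this is a post then also check the posted variables
    if (strcasecmp($method, 'POST') == 0) {
        // TODO: what to do with 'multipart/form-data'? Such a body is neither
        // appended to the parameters nor rejected here; it ends up in $body.
        if ($this->getRequestContentType() == 'application/x-www-form-urlencoded') {
            // Get the posted body (when available). Requests carrying an
            // X-OAuth-Test header skip this (presumably a test hook - confirm).
            if (!isset($headers['X-OAuth-Test'])) {
                $posted = $this->getRequestBody();
                // Join with '&' so caller-supplied parameters and the posted
                // body stay separate pairs instead of being fused together.
                if ($parameters !== '' && $posted !== '' && $posted !== null) {
                    $parameters .= '&';
                }
                $parameters .= $posted;
            }
        }
        else {
            $body = $this->getRequestBody();
        }
    }
    else if (strcasecmp($method, 'PUT') == 0) {
        $body = $this->getRequestBody();
    }

    $this->headers = $headers;

    // Store the values, prepare for oauth
    $this->uri  = $uri;
    $this->body = $body;
    $this->parseUri($parameters);
    $this->parseHeaders();
    $this->transcodeParams();
}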
/**
 * See if the current request is signed with OAuth
 *
 * A request counts as signed when it carries an oauth_signature request
 * parameter, or when its Authorization header mentions oauth_signature.
 * Only presence is detected here; the signature itself is not verified.
 *
 * @return boolean
 */
public static function requestIsSigned() {
    if (isset($_REQUEST['oauth_signature'])) {
        return true;
    }

    $requestHeaders = OAuthRequestLogger::getAllHeaders();
    if (!isset($requestHeaders['Authorization'])) {
        return false;
    }

    return strpos($requestHeaders['Authorization'], 'oauth_signature') !== false;
}
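/**
 * This method parses the $_REQUEST superglobal and looks for
 * the following information:
 * 1/ user authentication - username+password or token (wsusername, wspassword and wstoken parameters)
 * 2/ function name (wsfunction parameter)
 * 3/ function parameters (all other parameters except those above)
 *
 * Order matters: the response format is chosen first, then OAuth is given a
 * chance to authenticate (and, for octet-stream bodies, to contribute
 * parameters), the oauth_* transport parameters are stripped, a JSON body is
 * merged over the request parameters, and finally the credential and
 * function-name parameters are lifted out of the parameter set.
 *
 * Sets $this->format, $this->parameters and $this->functionname and, depending
 * on $this->authmethod (expected to be set before this is called - confirm
 * against callers), either $this->username/$this->password or $this->token.
 * With OAuth enabled it also sets $this->oauth_server and, on success,
 * $this->authmethod and $this->oauth_token_details.
 *
 * @return void
 * @throws OAuthException2 when the request presents OAuth material (an
 *         oauth_token parameter or a header value mentioning oauth) that fails
 *         verification; requests without such material fall through to the
 *         other authentication methods instead.
 */
protected function parse_request() {
    // determine the request/response format. Matching is exact, so an Accept
    // or Content-Type carrying extra parameters (e.g. a charset) or a list of
    // types is not recognised and falls back to xml unless alt= says otherwise.
    $accept      = isset($_SERVER['HTTP_ACCEPT']) ? $_SERVER['HTTP_ACCEPT'] : null;
    $contentType = isset($_SERVER['CONTENT_TYPE']) ? $_SERVER['CONTENT_TYPE'] : null;
    $requestAlt  = isset($_REQUEST['alt']) ? trim($_REQUEST['alt']) : null;
    $getAlt      = isset($_GET['alt']) ? trim($_GET['alt']) : null;
    $jsonTypes   = array('application/json', 'application/jsonrequest');

    if ($requestAlt === 'json' || $getAlt === 'json'
        || in_array($accept, $jsonTypes, true)
        || in_array($contentType, $jsonTypes, true)) {
        $this->format = 'json';
    }
    else if ($requestAlt === 'atom' || $getAlt === 'atom'
        || $accept === 'application/atom+xml'
        || $contentType === 'application/atom+xml') {
        // CONTENT_TYPE is absent on bodiless requests; it is guarded above
        // rather than read unconditionally.
        $this->format = 'atom';
    }
    else {
        $this->format = 'xml';
    }
    unset($_REQUEST['alt']);

    // NOTE(review): $_REQUEST merges GET and POST (and cookies, depending on
    // request_order), so credentials may arrive in the query string, where
    // they are typically captured by access logs.
    $this->parameters = $_REQUEST;

    // if we should have one - setup the OAuth server handler
    if (webservice_protocol_is_enabled('oauth')) {
        OAuthStore::instance('Mahara');
        $this->oauth_server = new OAuthServer();
        $oauth_token = null;
        $headers = OAuthRequestLogger::getAllHeaders();
        try {
            $oauth_token = $this->oauth_server->verifyExtended();
        }
        catch (OAuthException2 $e) {
            // let all others fail: a verification failure is only fatal when
            // the request actually attempted OAuth (an oauth_token parameter,
            // or any header *value* containing "oauth"); otherwise the other
            // authentication methods below get their turn.
            if (isset($_REQUEST['oauth_token']) || preg_grep('/oauth/', array_values($headers))) {
                $this->auth = 'OAUTH';
                throw $e;
            }
        }
        if ($oauth_token) {
            $this->authmethod = WEBSERVICE_AUTHMETHOD_OAUTH_TOKEN;
            $token = $this->oauth_server->getParam('oauth_token');
            $store = OAuthStore::instance();
            // assumes verifyExtended() returns an array with a consumer_key entry - confirm
            $secrets = $store->getSecretsForVerify(
                $oauth_token['consumer_key'],
                $this->oauth_server->urldecode($token),
                'access'
            );
            $this->oauth_token_details = $secrets;
            // the content type might be different for the OAuth client: an
            // octet-stream body is treated as urlencoded parameters (unless
            // the format is json, in which case the JSON merge below applies).
            if (isset($headers['Content-Type']) && $headers['Content-Type'] == 'application/octet-stream' && $this->format != 'json') {
                $body = file_get_contents('php://input');
                parse_str($body, $parameters);
                $this->parameters = array_merge($this->parameters, $parameters);
            }
        }
    }

    // make sure oauth parameters are gone (unset on a missing key is a no-op)
    $oauthParams = array(
        'oauth_nonce',
        'oauth_timestamp',
        'oauth_consumer_key',
        'oauth_signature_method',
        'oauth_version',
        'oauth_token',
        'oauth_signature',
    );
    foreach ($oauthParams as $param) {
        unset($this->parameters[$param]);
    }

    // merge parameters from JSON request body if there is one. Keys in the
    // body override same-named query/form parameters; a body that is not a
    // JSON object (or not valid JSON at all) decodes to null and is ignored.
    if ($this->format == 'json') {
        // get request body; a failed read becomes '' and decodes to nothing
        $rawBody = (string) file_get_contents('php://input');
        $values = (array) json_decode($rawBody, true);
        if (!empty($values)) {
            $this->parameters = array_merge($this->parameters, $values);
        }
    }

    if ($this->authmethod == WEBSERVICE_AUTHMETHOD_USERNAME) {
        // Credentials are trimmed, so a password with leading or trailing
        // whitespace is altered before it is checked.
        $this->username = isset($this->parameters['wsusername']) ? trim($this->parameters['wsusername']) : null;
        unset($this->parameters['wsusername']);
        $this->password = isset($this->parameters['wspassword']) ? trim($this->parameters['wspassword']) : null;
        unset($this->parameters['wspassword']);
    }
    else if ($this->authmethod == WEBSERVICE_AUTHMETHOD_PERMANENT_TOKEN) {
        // is some other form of token - what kind is it?
        $this->token = isset($this->parameters['wstoken']) ? trim($this->parameters['wstoken']) : null;
        unset($this->parameters['wstoken']);
    }

    $this->functionname = isset($this->parameters['wsfunction']) ? trim($this->parameters['wsfunction']) : null;
    unset($this->parameters['wsfunction']);
}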