/**
* Partuza's implementation of the OAuth Lookup service. Partuza supports all currently existing forms of
* OAuth signatures: 3 legged, 2 legged and body_hash's
*
* @param RequestItem $oauthRequest
* @param string $appUrl
* @param string $userId
* @return SecurityToken or null
*/
public function getSecurityToken($oauthRequest, $appUrl, $userId, $contentType)
{
try {
// Incomming requests with a POST body can either have an oauth_body_hash, or include the post body in the main oauth_signature; Also for either of these to be valid
// we need to make sure it has a proper the content-type; So the below checks if it's a post, if so if the content-type is supported, and if so deals with the 2
// post body signature styles
$includeRawPost = false;
$acceptedContentTypes = array('application/atom+xml', 'application/xml', 'application/json');
if (isset($GLOBALS['HTTP_RAW_POST_DATA']) && !empty($GLOBALS['HTTP_RAW_POST_DATA'])) {
if (!in_array($contentType, $acceptedContentTypes)) {
// This is rather double (since the ApiServlet does the same check), but for us to do a meaninful processing of a post body, this has to be correct
throw new Exception("Invalid Content-Type specified for this request, only 'application/atom+xml', 'application/xml' and 'application/json' are accepted");
} else {
if (isset($_GET['oauth_body_hash'])) {
// this request uses the oauth_body_hash spec extension. Check the body hash and if it fails return 'null' (oauth signature failure)
// otherwise continue on to the regular oauth signature verification, without including the post body in the main oauth_signature calculation
if (!$this->verifyBodyHash($GLOBALS['HTTP_RAW_POST_DATA'], $_GET['oauth_body_hash'])) {
return null;
}
} else {
// use the (somewhat oauth spec invalid) raw post body in the main oauth hash calculation
$includeRawPost = $GLOBALS['HTTP_RAW_POST_DATA'];
}
}
}
$dataStore = new PartuzaOAuthDataStore();
if ($includeRawPost) {
// if $includeRawPost has been set above, we need to include the post body in the main oauth_signature
$oauthRequest->set_parameter($includeRawPost, '');
}
$oauth_token = $oauthRequest->get_parameters('oauth_token');
if (!isset($oauth_token)) {
// No oauth_token means this is a 2 legged OAuth request
$ret = $this->verify2LeggedOAuth($oauthRequest, $userId, $appUrl, $dataStore);
} else {
// Otherwise it's a clasic 3 legged oauth request
$ret = $this->verify3LeggedOAuth($oauthRequest, $userId, $appUrl, $dataStore);
}
if ($includeRawPost) {
unset($oauthRequest->parameters[$includeRawPost]);
}
return $ret;
} catch (OAuthException $e) {
return null;
}
}
/**
* ATutor's implementation of the OAuth Lookup service. ATutor supports all currently existing forms of
* OAuth signatures: 3 legged, 2 legged and body_hash's
*
* @param RequestItem $oauthRequest
* @param string $appUrl
* @param string $userId
* @return SecurityToken or null
*/
public function getSecurityToken($oauthRequest, $appUrl, $userId)
{
try {
// Incomming requests with a POST body can either have an oauth_body_hash, or include the post body in the main oauth_signature; Also for either of these to be valid
// we need to make sure it has a proper the content-type; So the below checks if it's a post, if so if the content-type is supported, and if so deals with the 2
// post body signature styles
$includeRawPost = false;
if (isset($GLOBALS['HTTP_RAW_POST_DATA']) && !empty($GLOBALS['HTTP_RAW_POST_DATA'])) {
if (isset($_GET['oauth_body_hash'])) {
// this request uses the oauth_body_hash spec extension. Check the body hash and if it fails return 'null' (oauth signature failure)
// otherwise continue on to the regular oauth signature verification, without including the post body in the main oauth_signature calculation
if (!$this->verifyBodyHash($GLOBALS['HTTP_RAW_POST_DATA'], $_GET['oauth_body_hash'])) {
return null;
}
} else {
// use the (somewhat oauth spec invalid) raw post body in the main oauth hash calculation
$includeRawPost = $GLOBALS['HTTP_RAW_POST_DATA'];
}
}
$dataStore = new ATutorOAuthDataStore();
if ($includeRawPost) {
// if $includeRawPost has been set above, we need to include the post body in the main oauth_signature
$oauthRequest->set_parameter($includeRawPost, '');
}
if (!isset($oauthRequest->parameters['oauth_token'])) {
// No oauth_token means this is a 2 legged OAuth request
$ret = $this->verify2LeggedOAuth($oauthRequest, $userId, $appUrl, $dataStore);
} else {
// Otherwise it's a clasic 3 legged oauth request
$ret = $this->verify3LeggedOAuth($oauthRequest, $userId, $appUrl, $dataStore);
}
if ($includeRawPost) {
unset($oauthRequest->parameters[$includeRawPost]);
}
return $ret;
} catch (OAuthException $e) {
return null;
}
}