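/**
 * PSR-7 style middleware entry point performing HTTP Basic authentication.
 *
 * Flow: skip when shouldAuthenticate() says so; refuse plain HTTP unless
 * options["secure"] is false or the host is listed in options["relaxed"];
 * pull credentials from the configured server environment variable (CGI) or
 * PHP_AUTH_USER / PHP_AUTH_PW; hand them to options["authenticator"] and the
 * optional options["callback"]; on failure answer 401 with a Basic challenge.
 *
 * @param RequestInterface  $request
 * @param ResponseInterface $response
 * @param callable          $next     Next middleware, called as $next($request, $response).
 *
 * @return ResponseInterface
 *
 * @throws \RuntimeException When used over an insecure scheme that the configuration denies.
 */
public function __invoke(RequestInterface $request, ResponseInterface $response, callable $next)
{
    $uri = $request->getUri();
    $host = $uri->getHost();
    $scheme = $uri->getScheme();
    $server_params = $request->getServerParams();

    /* If rules say we should not authenticate call next and return. */
    if (false === $this->shouldAuthenticate($request)) {
        return $next($request, $response);
    }

    /* HTTP allowed only if secure is false or server is in relaxed array. */
    if ("https" !== $scheme && true === $this->options["secure"]) {
        /* Strict comparison so that only an exact host string listed in
         * "relaxed" disables the TLS requirement. */
        if (!in_array($host, $this->options["relaxed"], true)) {
            $message = sprintf(
                "Insecure use of middleware over %s denied by configuration.",
                strtoupper($scheme)
            );
            throw new \RuntimeException($message);
        }
    }

    /* Just in case. */
    $user = false;
    $password = false;

    /* If using PHP in CGI mode. */
    if (isset($server_params[$this->options["environment"]])) {
        if (preg_match("/Basic\\s+(.*)\$/i", $server_params[$this->options["environment"]], $matches)) {
            $decoded = base64_decode($matches[1]);
            /* RFC 7617: the user-id cannot contain ":" but the password may,
             * so split on the first colon only (limit 2). A payload without a
             * colon is malformed: leave both credentials false rather than
             * raising an undefined-offset notice from list(). */
            if (false !== $decoded) {
                $parts = explode(":", $decoded, 2);
                if (2 === count($parts)) {
                    list($user, $password) = $parts;
                }
            }
        }
    } else {
        if (isset($server_params["PHP_AUTH_USER"])) {
            $user = $server_params["PHP_AUTH_USER"];
        }
        if (isset($server_params["PHP_AUTH_PW"])) {
            $password = $server_params["PHP_AUTH_PW"];
        }
    }

    $params = array("user" => $user, "password" => $password);

    /* Both failure paths send the same challenge; build it once. */
    $challenge = sprintf('Basic realm="%s"', $this->options["realm"]);

    /* Check if user authenticates. */
    if (false === $this->options["authenticator"]($params)) {
        return $this->error($request, $response, ["message" => "Authentication failed"])
            ->withStatus(401)
            ->withHeader("WWW-Authenticate", $challenge);
    }

    /* If callback returns false return with 401 Unauthorized. */
    if (is_callable($this->options["callback"])) {
        if (false === $this->options["callback"]($request, $response, $params)) {
            return $this->error($request, $response, ["message" => "Callback returned false"])
                ->withStatus(401)
                ->withHeader("WWW-Authenticate", $challenge);
        }
    }

    /* Everything ok, call next middleware. */
    return $next($request, $response);
}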
/**
 * Return a copy of $request with the requested changes applied.
 *
 * Recognised keys of $changes:
 * - method:         (string) replacement HTTP method.
 * - set_headers:    (array)  headers to set; existing variants (any case) are dropped first.
 * - remove_headers: (array)  header names to remove (case-insensitive).
 * - body:           (mixed)  replacement body.
 * - uri:            (UriInterface) replacement URI; a host on it also rewrites the Host header.
 * - query:          (string) replacement query string for the URI.
 * - version:        (string) replacement protocol version.
 *
 * @param RequestInterface $request Request to clone and modify.
 * @param array            $changes Changes to apply.
 *
 * @return RequestInterface A ServerRequest when the input is a ServerRequestInterface, else a Request.
 */
function modify_request(RequestInterface $request, array $changes)
{
    // No changes requested: return the very same instance.
    if (!$changes) {
        return $request;
    }

    $headers = $request->getHeaders();

    if (isset($changes['uri'])) {
        $uri = $changes['uri'];
        $newHost = $uri->getHost();
        // A host on the new URI becomes the Host header; append the port only
        // when it is not the scheme's default.
        if ($newHost) {
            $hostHeader = $newHost;
            $newPort = $uri->getPort();
            if ($newPort) {
                $defaultPorts = ['http' => 80, 'https' => 443];
                $newScheme = $uri->getScheme();
                if (isset($defaultPorts[$newScheme]) && $newPort != $defaultPorts[$newScheme]) {
                    $hostHeader .= ':' . $newPort;
                }
            }
            $changes['set_headers']['Host'] = $hostHeader;
        }
    } else {
        $uri = $request->getUri();
    }

    if (!empty($changes['remove_headers'])) {
        $headers = _caseless_remove($changes['remove_headers'], $headers);
    }

    if (!empty($changes['set_headers'])) {
        // Strip any existing spelling of each header so the new value is the only one;
        // "+" keeps the new headers in front and never overwrites them.
        $headers = _caseless_remove(array_keys($changes['set_headers']), $headers);
        $headers = $changes['set_headers'] + $headers;
    }

    if (isset($changes['query'])) {
        $uri = $uri->withQuery($changes['query']);
    }

    // Fall back to the original request for anything not overridden.
    $method = isset($changes['method']) ? $changes['method'] : $request->getMethod();
    $body = isset($changes['body']) ? $changes['body'] : $request->getBody();
    $version = isset($changes['version']) ? $changes['version'] : $request->getProtocolVersion();

    if ($request instanceof ServerRequestInterface) {
        return new ServerRequest($method, $uri, $headers, $body, $version, $request->getServerParams());
    }

    return new Request($method, $uri, $headers, $body, $version);
}
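/**
 * Generate a fresh, unpredictable session identifier.
 *
 * A session id is a bearer secret, so it must come from a cryptographically
 * secure source. mt_rand(), uniqid(), time() and REMOTE_ADDR are all
 * observable or predictable to an attacker and are therefore not used; the
 * id is 20 bytes from random_bytes() (PHP >= 7.0), rendered as the same
 * 40-character lowercase hex format a sha1() digest has.
 *
 * @param RequestInterface $request Accepted for signature compatibility; it no
 *                                  longer contributes to the identifier.
 *
 * @return string 40 hex characters (160 bits of entropy).
 *
 * @throws \Exception If no secure randomness source is available.
 */
public function generateSessionId(RequestInterface $request)
{
    return bin2hex(random_bytes(20));
}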
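/**
 * Fetch the access token from the request.
 *
 * Looks, in order, at the configured server environment variable (for PHP
 * running as CGI), then the Authorization request header, and finally the
 * configured cookie.
 *
 * @param RequestInterface $request
 *
 * @return string|false Base64 encoded JSON Web Token, or false if none was found.
 */
public function fetchToken(RequestInterface $request)
{
    /* If using PHP in CGI mode and non standard environment */
    $server_params = $request->getServerParams();
    if (isset($server_params[$this->options["environment"]])) {
        $message = "Using token from environment";
        $header = $server_params[$this->options["environment"]];
    } else {
        $message = "Using token from request header";
        $header = $request->getHeader("Authorization");
        $header = isset($header[0]) ? $header[0] : "";
    }

    if (preg_match("/Bearer\\s+(.*)\$/i", $header, $matches)) {
        $this->log(LogLevel::DEBUG, $message);
        return $matches[1];
    }

    /* Bearer not found, try a cookie. */
    $cookie_params = $request->getCookieParams();
    if (isset($cookie_params[$this->options["cookie"]])) {
        /* Log only where the token came from, never its value: a bearer
         * credential written to a debug log turns log access into account access. */
        $this->log(LogLevel::DEBUG, "Using token from cookie");
        return $cookie_params[$this->options["cookie"]];
    }

    /* If everything fails log and return false. */
    $this->message = "Token not found";
    $this->log(LogLevel::WARNING, $this->message);
    return false;
}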
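/**
 * Fetch the access token from the request.
 *
 * Sources are tried in order: each configured server environment variable
 * (PHP running as CGI), the Authorization request header,
 * apache_request_headers() when available, and finally the configured cookie.
 *
 * @param RequestInterface $request
 *
 * @return string|false Base64 encoded JSON Web Token, or false if none was found.
 */
public function fetchToken(RequestInterface $request)
{
    /* If using PHP in CGI mode and non standard environment */
    $server_params = $request->getServerParams();
    $header = "";
    $message = "Using token from request header";

    /* Check each configured environment variable. When several are set the
     * last one in the list wins, because the loop does not break. */
    foreach ((array) $this->options["environment"] as $environment) {
        if (isset($server_params[$environment])) {
            $message = "Using token from environment";
            $header = $server_params[$environment];
        }
    }

    /* Nothing in environment, try header instead */
    if (empty($header)) {
        $message = "Using token from request header";
        $headers = $request->getHeader("Authorization");
        $header = isset($headers[0]) ? $headers[0] : "";
    }

    /* Try apache_request_headers() as last resort. Header names are
     * case-insensitive and Apache reports them as the client sent them, so
     * normalise the keys before looking up "authorization". */
    if (empty($header) && function_exists("apache_request_headers")) {
        $headers = array_change_key_case(apache_request_headers(), CASE_LOWER);
        $header = isset($headers["authorization"]) ? $headers["authorization"] : "";
    }

    if (preg_match("/Bearer\\s+(.*)\$/i", $header, $matches)) {
        $this->log(LogLevel::DEBUG, $message);
        return $matches[1];
    }

    /* Bearer not found, try a cookie. */
    $cookie_params = $request->getCookieParams();
    if (isset($cookie_params[$this->options["cookie"]])) {
        /* Log only where the token came from, never its value: a bearer
         * credential written to a debug log turns log access into account access. */
        $this->log(LogLevel::DEBUG, "Using token from cookie");
        return $cookie_params[$this->options["cookie"]];
    }

    /* If everything fails log and return false. */
    $this->message = "Token not found";
    $this->log(LogLevel::WARNING, $this->message);
    return false;
}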