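public function processRequest() {
    // Entry point for the login page. Dispatches on the shape of the incoming
    // request: a POSTed signed_request, an OAuth callback (code + state), a form
    // submission that starts an OAuth flow, or a username/password/session-id login.
    // Returns nothing; outcomes surface through addError(), oauthRedirect() or the
    // login helpers.

    // Signed request: delegated wholesale to processSignedRequest().
    if (isset($_POST['signed_request'])) {
        $this->processSignedRequest($_POST['signed_request']);
        return;
    }

    // OAuth callback leg. "state" is the JSON blob this method encoded in the
    // oauth branch below (host, apiVersion, csrfToken, startUrl), round-tripped
    // through the authorization server.
    if (isset($_REQUEST["code"])) {
        if (!isset($_REQUEST['state'])) {
            throw new Exception("Invalid OAuth State");
        }
        $state = json_decode($_REQUEST['state']);
        // json_decode() yields null (or a scalar) on malformed input; reject it
        // here rather than reading properties off a non-object further down.
        if (!is_object($state)) {
            throw new Exception("Invalid OAuth State");
        }
        if (WorkbenchConfig::get()->value("loginCsrfEnabled")) {
            // validateCsrfToken() reads the token from $_REQUEST, so copy the
            // state-carried token there first. This check is what ties the
            // callback -- including the host it names -- back to the session
            // that initiated the flow.
            $_REQUEST['CSRF_TOKEN'] = $state->csrfToken;
            validateCsrfToken();
        }
        // NOTE(review): with loginCsrfEnabled off, $state->host is used exactly as
        // received from the callback request; confirm oauthProcessLogin() validates
        // the host before exchanging the code with it.
        $this->oauthProcessLogin($_REQUEST["code"], $state->host, $state->apiVersion, $state->startUrl);
        return;
    }

    // Every form-originated login below requires a valid CSRF token when enabled.
    if (WorkbenchConfig::get()->value("loginCsrfEnabled")) {
        if (!validateCsrfToken(false)) {
            $this->addError('This login method is not supported.');
            return;
        }
    }

    if ($this->termsRequired && !isset($_POST['termsAccepted'])) {
        $this->addError("You must agree to terms of service.");
        return;
    }

    // Strict comparison: loginType is request-supplied and only the exact
    // string "oauth" selects the OAuth branch.
    if (isset($_REQUEST['loginType']) && $_REQUEST['loginType'] === "oauth") {
        // Start of the OAuth flow: bundle what the callback leg needs into "state"
        // and hand off to oauthRedirect() for the chosen host.
        if (!isset($_POST["oauth_host"]) || !isset($_POST["api"])) {
            throw new Exception("Invalid parameters for Oauth login");
        }
        // oauth_apiVersion is read defensively so a missing field yields null
        // instead of an undefined-index notice.
        $state = json_encode(array(
            "host" => $_POST["oauth_host"],
            "apiVersion" => isset($_POST["oauth_apiVersion"]) ? $_POST["oauth_apiVersion"] : null,
            "csrfToken" => getCsrfToken(),
            "startUrl" => $this->startUrl,
        ));
        $this->oauthRedirect($_POST["oauth_host"], $state);
    } else {
        // Credential or session-id login.
        $pw = isset($_REQUEST['pw']) ? $_REQUEST['pw'] : null;
        $sid = isset($_REQUEST['sid']) ? $_REQUEST['sid'] : null;
        $serverUrl = $this->buildServerUrl();

        // special-cases for UI vs API logins
        if (isset($_POST['uiLogin'])) {
            $this->processRememberUserCookie();
        } else {
            $_REQUEST['autoLogin'] = 1;
        }

        $this->processLogin($this->username, $pw, $serverUrl, $sid, $this->startUrl);
    }
}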
'; var langReportFailed = '<?php print cleanHtml($lang['report_builder_128']); ?> '; var langExportFailed = '<?php print cleanHtml($lang['report_builder_129']); ?> '; // Add CSRF token as javascript variable and add to every form on page // init_functions.php createCsrfToken() does not work on pages with defined('PLUGIN') // CSRF token is required for call to advanced logic checking in // Surveys/automated_invitations_check_logic.php from LongitudinalReports.js function saveReport() var redcap_csrf_token = '<?php echo getCsrfToken(); ?> '; $(function(){ appendCsrfTokenToForm(); }); </script> <?php // Tabs LongitudinalReports::renderTabs(); // Output content print $html; // If displaying the "add/edit report" table, do direct Print to page because $html might get very big if (isset($_GET['addedit'])) { LongitudinalReports::outputCreateReportTable($_GET['report_id']); } // Footer
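function getStreamingConfig() {
    // Builds the JSON configuration handed to the streaming page's JavaScript.
    // Returns the JSON-encoded string (json_encode() result).
    $streamingConfig = array();
    $streamingConfig["handshakeOnLoad"] = true; // TODO: make this configurable
    $streamingConfig["csrfToken"] = getCsrfToken();

    // configs in "$streamingConfig["cometdConfig"]" are loaded into CometD in JS and need to match their format
    $streamingConfig["cometdConfig"]["logLevel"] = "info";
    $streamingConfig["cometdConfig"]["appendMessageTypeToURL"] = false;
    $streamingConfig["cometdConfig"]["advice"]["timeout"] = (int) WorkbenchConfig::get()->valueOrElse("streamingAdviceTimeout", 25000);
    $streamingConfig["cometdConfig"]["advice"]["interval"] = 0;
    $streamingConfig["cometdConfig"]["advice"]["reconnect"] = "retry";

    // Directory of the current script with backslashes normalised to "/".
    // A one-character result ("/" or ".") gets no extra separator appended.
    $scriptDir = str_replace('\\', '/', dirname(htmlspecialchars($_SERVER['PHP_SELF'])));
    // NOTE(review): HTTP_HOST comes from the request's Host header, so the URL the
    // browser is told to connect to follows whatever host the client sent; confirm
    // the deployment pins the canonical host if that matters here.
    $streamingConfig["cometdConfig"]["url"] = "http" . (usingSslFromUserToWorkbench() ? "s" : "") . "://"
        . $_SERVER['HTTP_HOST']
        . $scriptDir
        . (strlen($scriptDir) == 1 ? "" : "/")
        . "cometdProxy.php";

    return json_encode($streamingConfig);
}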
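function getCsrfFormTag() {
    // Hidden-input markup carrying the token from getCsrfToken(), for inclusion inside a <form>.
    // The value is attribute-escaped so a token containing quote or ampersand
    // characters cannot break out of the single-quoted attribute.
    $token = htmlspecialchars(getCsrfToken(), ENT_QUOTES, 'UTF-8');
    return "\n<input type='hidden' name='CSRF_TOKEN' value='" . $token . "'/>\n";
}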