public function execute($api_key, $callback_url, $params) { $admin_client = RingsideSocialUtils::getAdminClient(); // TODO: SECURITY: Possibly security hole. We're signing and giving the signed payload to any URL, just by using the API key, which is public. A 3rd-party could hijack the signed payload and implement an offline brute force attack on the secret key $app_props = $admin_client->admin_getAppProperties("application_id,application_name,api_key,secret_key,callback_url", null, null, $api_key); // From RingsideSocialServerRender: // Recreate Session if we have it if (array_key_exists('social_session_key', $params)) { $session_key = $params['social_session_key']; $network_session = new RingsideSocialSession($session_key); $uid = $network_session->getUserId(); if (null == $uid || strlen($uid) == 0) { setcookie('social_session_key', $network_session->getSessionKey()); $uid = $_REQUEST['uid']; $network_session->setUserId($uid); $network_session->setLoggedIn(true); } } else { if (isset($_COOKIE['PHPSESSID'])) { // Optimization if user is already logged into web front-end $network_session = new RingsideSocialSession($_COOKIE['PHPSESSID']); $uid = $network_session->getUserId(); } else { // Not logged in, so login via annonymous user $trust = new RingsideSocialApiTrust($request); $network_session = $trust->getAnonymousSession(); } } $ctx = self::buildCallContext($api_key, $network_session); $sig_params = $ctx->getParameters($app_props['secret_key']); $req_params = array_merge($params, $sig_params); // error_log("Ajax Proxy to $callback_url with params:".var_export($req_params, true)); $result = RingsideSocialUtils::get_request($callback_url, $req_params, $headers); echo str_replace('+', '+', $result); }
public function execute() { // TODO: This ONLY will work if API and Social tiers are co-located! $response = array(); // Finish the API session, because we need to start a social session session_regenerate_id(true); $_SESSION = array(); $network_session = new RingsideSocialSession(); $rest = RingsideSocialUtils::getAdminClient(); $session_key = $rest->auth_createAppSession($this->uid, RingsideSocialConfig::$apiKey, false); $network_session->addApiSessionKey(RingsideSocialConfig::$apiKey, $session_key); $network_session->setNetwork($this->user_network_key); //$network_session->addApiSessionKey($apiKey, $session_key); $network_session->setUserId($this->uid); // TODO: Do user identity mapping right now //$network_session->setPrincipalId($pid); //$network_session->setTrust($trust_key); //$network_session->setCallbackUrl($social_callback); $network_session->setLoggedIn(true); $response[self::RESPONSE_SOCIAL_SESSION]['session_id'] = $network_session->getSessionKey(); $response[self::RESPONSE_SOCIAL_SESSION]['initial_expiry'] = $network_session->getExpiry(); session_write_close(); return $response; }
public function execute($params) { $this->debug('Entering'); $this->debugVar($params); $network_session = null; /* foreach($params as $k => $v) { error_log("RingsideSocialServerRender: $k=$v"); } */ // Recreate Session if we have it error_log("Parameters for widget render are: " . var_export($params, true)); error_log("PHPSESSID=" . (isset($_COOKIE['PHPSESSID']) ? $_COOKIE['PHPSESSID'] : '<empty>')); if (array_key_exists('social_session_key', $params)) { $session_key = $params['social_session_key']; $network_session = new RingsideSocialSession($session_key); $uid = $network_session->getUserId(); if (null == $uid || strlen($uid) == 0) { setcookie('social_session_key', $network_session->getSessionKey()); $uid = $network_session->getUserId(); if (isset($_REQUEST['uid'])) { // TODO: SECURITY: I don't think we should just be able to override the uid. $uid = $_REQUEST['uid']; // TODO: SECURITY: This shouldn't be a valid way to log in. $network_session->setUserId($uid); $network_session->setLoggedIn(true); } } } else { if (isset($_COOKIE['PHPSESSID'])) { // Optimization if user is already logged into web front-end $network_session = new RingsideSocialSession($_COOKIE['PHPSESSID']); error_log("PHPSESSID says session is as follows: " . var_export($network_session, true)); $uid = $network_session->getUserId(); if (!isset($uid)) { // The user has a network session but is not logged in // Run as an anonymous user $trust = new RingsideSocialApiTrust($_REQUEST); $network_session = $trust->getAnonymousSession(); } } else { // Not logged in, so login via annonymous user $trust = new RingsideSocialApiTrust($_REQUEST); $network_session = $trust->getAnonymousSession(); } } $api_session_key = $network_session->getApiSessionKey($params['api_key']); if (null == $api_session_key) { $rest = RingsideSocialUtils::getAdminClient(); $app_props = $rest->admin_getAppProperties(array('secret_key'), null, null, $params['api_key'], $network_session->getNetwork()); error_log("Adding API key for " . $params['api_key'] . " to social session for user " . $network_session->getUserID()); RingsideSocialUtils::getApiSessionKey($params['api_key'], $app_props['secret_key'], $network_session); } else { error_log("Using API session key {$api_session_key} for user " . $network_session->getUserID()); } if (array_key_exists('method', $params)) { $method = $params['method']; if (strcasecmp($method, 'fbml') == 0 && array_key_exists('fbml', $params)) { $fbml = $params['fbml']; //error_log("fbml: $fbml"); $render = new RingsideSocialApiRenderFBML($params); $result = $render->render($network_session, $fbml); //error_log("content: ".$result['content']); return isset($result['content']) ? $result['content'] : $result['error']; } else { if (strcasecmp($method, 'app') == 0) { $social = new RingsideSocialClientLocal(RingsideWebConfig::$networkKey, null, $network_session->getSessionKey()); $inSession = $social->inSession(); error_log("User " . ($inSession ? 'is' : 'is not') . " in session"); if ($inSession) { $path = ''; if (array_key_exists('path', $params)) { $path = $params['path']; } $view = 'canvas'; if (array_key_exists('view', $params)) { $view = $params['view']; } //error_log("About to render: ".$params['app']." view: $view, path: $path"); $rest = RingsideSocialUtils::getAdminClient(); $app_props = $rest->admin_getAppProperties(array('application_id', 'canvas_url'), null, null, $params['api_key'], null, $network_session->getNetwork()); $domain_props = $rest->admin_getDomainProperties(array('resize_url'), null, $network_session->getNetwork()); $content = $social->render($view, $app_props['application_id'], $app_props['canvas_url'], $path); // TODO: Is this where error reporting should happen? //error_log("content: $content"); if (isset($domain_props['resize_url'])) { $content = "<html><head><script type=\"text/javascript\">\n function resizeIframe(id) {\n var iframe = document.getElementById( 'xdiframe' );\n var wrapper = document.getElementById( 'wrapper' );\n var height = Math.max( document.body.offsetHeight, document.body.scrollHeight );\n var width = Math.max( document.body.offsetWidth, document.body.scrollWidth );\n iframe.src = '{$domain_props['resize_url']}?height='+height+'&width='+width+'&id='+id;\n }\n</script></head><body onload=\"resizeIframe('if_" . $params['api_key'] . "');\">" . $content . "<iframe id='xdiframe' width='1' height='1' frameborder='0'/></body></html>"; } return $content; } else { echo "<error>User not Logged in!</error>"; } } } } else { error_log("No method specified for render request"); } }
/** * Creates a REST client for the session. * * @param string $social_session_key the session key generated by the social renderer when the application was rendered. * @return RingsideApiClientsRest the REST client */ private static function createRestClient(&$social_session_key) { if (empty($social_session_key)) { unset($social_session_key); } // error_log("Using session key $social_session_key"); $network_session = new RingsideSocialSession(isset($social_session_key) ? $social_session_key : null); if ($network_session->getUserId() == null) { // This is the Ringside user $network_session->setUserId(1); } $api_session_key = RingsideSocialUtils::getApiSessionKey(RingsideSocialConfig::$apiKey, RingsideSocialConfig::$secretKey, $network_session); // error_log("API session key is $api_session_key"); $social_session_key = $network_session->getSessionKey(); return new RingsideApiClientsRest(RingsideSocialConfig::$apiKey, RingsideSocialConfig::$secretKey, $api_session_key, RingsideApiClientsConfig::$serverUrl, RingsideApiClientsConfig::$webUrl, RingsideApiClientsConfig::$socialUrl); }
/** * Authorize the user against the api_key, app_id, or canvas_url * * This produces a SocialSession Object. * * Possible Params: * network_key * trust_key * api_key * canvas_url * auth_token * social_callback */ public function authorize() { $network_session = null; $network_key = $this->getParam('network_key'); $auth_token = $this->getParam('auth_token'); $social_callback = $this->getParam('social_callback'); $api_key = $this->getParam('api_key'); $canvas_url = $this->getParam('canvas_url'); $user_name = $this->getParam('user_name'); $trust_key = $this->getParam('trust_key'); if (!isset($trust_key)) { $trust_key = $socialApiKey; } $result = $this->getAppProperties(); if ($result) { $callback = isset($result['callback_url']) ? $result['callback_url'] : ''; $apiKey = isset($result['api_key']) ? $result['api_key'] : ''; $apiSecret = isset($result['secret_key']) ? $result['secret_key'] : ''; if (!isset($social_callback)) { $social_callback = $callback; } try { if (isset($apiKey) && isset($apiSecret)) { $auth_url = $this->getAuthUrl($trust_key); $fb = new RingsideApiClients($apiKey, $apiSecret, null, $auth_url); //public function __construct($api_key, $secret, $session_key = null, $url = null) { $result = $fb->do_get_session($auth_token); $session_key = $fb->api_client->session_key; $uid = $fb->api_client->users_getLoggedInUser(); $pids = $fb->api_client->users_mapToSubject(array($uid), $network_key, $result['application_id']); // RingsideSocialDbPrincipal::getPrincipalForSubject($uid, $network_key, $user_name, $trust_key); //if ( isset($pids) ) { // getPrincipalForSubject accepts and returns multiple IDs $pid = 0; if (isset($pids)) { $pid = $pids[0]; } // bool setcookie ( string $name [, string $value [, int $expire [, string $path [, string $domain [, bool $secure [, bool $httponly ]]]]]] ) $network_session = new RingsideSocialSession(); $network_session->setNetwork($network_key); $network_session->addApiSessionKey($apiKey, $session_key); $network_session->setUserId($uid); $network_session->setPrincipalId($pid); $network_session->setTrust($trust_key); $network_session->setCallbackUrl($social_callback); $network_session->setLoggedIn(true); $context = $this->getContext($fb->api_client, $network_session); if (strrpos($social_callback, '?') == 0) { return $social_callback . '?' . $context; } else { return $social_callback . '&' . $context; } //} else { // $this->error = "Unable to set Principle!"; //} } } catch (Exception $exception) { error_log("Exception : " . $exception->getMessage() . "\n" . $exception->getTraceAsString()); $this->error = "Exception : " . $exception->getMessage() . "\n" . $exception->getTraceAsString(); } } if (!isset($network_session)) { error_log("Application with api_key: {$api_key} or canvas_url: {$canvas_url} not found! Creating session and redirecting to {$social_callback}!"); $network_session = new RingsideSocialSession(null); $network_session->setNetwork($network_key); $network_session->setTrust($trust_key); $network_session->setCallbackUrl($social_callback); if (strrpos($social_callback, '?') == 0) { return $social_callback . "?social_session_key=" . $network_session->getSessionKey(); } else { return $social_callback . "?social_session_key=" . $network_session->getSessionKey(); } } }