/**
 * Validate the query parameters of a "delete approval" request.
 *
 * All three parameters are REQUIRED: an absent parameter is rejected with
 * "missing <name>", a present but malformed one with "invalid <name>". The
 * format checks are delegated to InputValidation so that values reaching the
 * storage layer have already been constrained.
 *
 * @param Request $request the incoming HTTP request
 *
 * @return array validated 'client_id', 'response_type' and 'scope'
 *
 * @throws BadRequestException when a parameter is missing or malformed
 */
public static function validateDeleteApprovalRequest(Request $request)
{
    $url = $request->getUrl();

    // query parameter name => InputValidation method that checks it
    $validators = [
        'client_id' => 'clientId',
        'response_type' => 'responseType',
        'scope' => 'scope',
    ];

    $validated = [];
    foreach ($validators as $parameterName => $validator) {
        $value = $url->getQueryParameter($parameterName);
        if (is_null($value)) {
            throw new BadRequestException(sprintf('missing %s', $parameterName));
        }
        if (false === InputValidation::$validator($value)) {
            throw new BadRequestException(sprintf('invalid %s', $parameterName));
        }
        $validated[$parameterName] = $value;
    }

    return $validated;
}
/**
 * Build an authorization request object from the query string.
 *
 * Each OAuth parameter is handed to its setter; the setters are presumably
 * where validation/normalisation happens (not visible here — confirm before
 * relying on any getter value as trusted).
 *
 * @param Request $request the incoming HTTP request
 */
public function __construct(Request $request)
{
    $url = $request->getUrl();

    // query parameter name => setter receiving it (null when absent)
    $setters = [
        'client_id' => 'setClientId',
        'response_type' => 'setResponseType',
        'redirect_uri' => 'setRedirectUri',
        'scope' => 'setScope',
        'state' => 'setState',
    ];

    foreach ($setters as $parameterName => $setter) {
        $this->$setter($url->getQueryParameter($parameterName));
    }
}
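/**
 * Build the redirect back to the client with the given response parameters.
 *
 * The client's `state` is echoed back verbatim from the query string. For
 * implicit-grant ("token") clients the parameters go into the URL fragment,
 * for all other client types into the query string (appended with '?' or '&'
 * depending on whether the redirect URI already carries a query).
 *
 * The redirect URI is used as given: callers are responsible for having
 * matched it against the client registration before constructing this
 * response.
 *
 * @param ClientData $clientData  registered client (its type selects fragment vs query)
 * @param Request    $request     incoming request; only `state` is read from it
 * @param string     $redirectUri destination the parameters are appended to
 * @param array      $urlParams   parameters to pass to the client (e.g. error, code)
 */
public function __construct(ClientData $clientData, Request $request, $redirectUri, array $urlParams)
{
    $urlParams['state'] = $request->getUrl()->getQueryParameter('state');

    // Drop parameters that were not set. Only null and '' count as "not set":
    // the previous empty() test also discarded legitimate values such as
    // state=0, which breaks the client's state/CSRF binding.
    $urlParams = array_filter(
        $urlParams,
        function ($value) {
            return null !== $value && '' !== $value;
        }
    );

    if ('token' === $clientData->getType()) {
        $separator = '#';
    } else {
        $separator = false === strpos($redirectUri, '?') ? '?' : '&';
    }

    parent::__construct(sprintf('%s%s%s', $redirectUri, $separator, http_build_query($urlParams)), 302);
}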
/**
 * Referer-based CSRF check for browser requests with unsafe methods.
 *
 * Requests whose Accept header does not mention text/html are not checked at
 * all. NOTE(review): Accept is client-controlled and CORS-safelisted, so a
 * cross-site fetch()/XHR that sends a different Accept value skips this check
 * entirely; a synchronizer token or Origin check would be a stronger defence.
 *
 * @param Request $request     the incoming HTTP request
 * @param array   $routeConfig route configuration (not used by this check)
 *
 * @throws BadRequestException when the Referer is absent or does not start with this deployment's root URL
 */
public function execute(Request $request, array $routeConfig)
{
    // non-browser clients are exempt
    if (false === mb_strpos($request->getHeader('Accept'), 'text/html')) {
        return;
    }

    // safe methods are assumed to have no server-side side effects and are exempt
    if (in_array($request->getMethod(), ['GET', 'HEAD', 'OPTIONS'])) {
        return;
    }

    $referrer = $request->getHeader('HTTP_REFERER');
    $rootUrl = $request->getUrl()->getRootUrl();
    if (null === $referrer) {
        throw new BadRequestException('HTTP_REFERER header missing');
    }

    // String-prefix test. NOTE(review): this is only sound if getRootUrl()
    // ends with '/'; otherwise https://example.org.attacker.tld/ would pass
    // for a root of https://example.org — confirm.
    if (0 !== mb_strpos($referrer, $rootUrl)) {
        throw new BadRequestException('HTTP_REFERER has unexpected value');
    }
}
/**
 * Token introspection (RFC 7662 style) for an access token.
 *
 * Unknown and expired tokens both produce {"active": false} so the caller
 * cannot distinguish the two. For a live token the response carries exp/iat
 * (unix time), scope, client_id, sub/user_id and token_type=bearer.
 *
 * NOTE(review): `iss` is taken from the request Host; unless the front end
 * pins the Host header this value is client-influenced — confirm.
 *
 * @param Request     $request    the incoming HTTP request (used for `iss`)
 * @param string|null $tokenValue the token to introspect
 *
 * @return JsonResponse non-cacheable JSON body with the introspection result
 *
 * @throws BadRequestException when no token was supplied
 */
public function getTokenIntrospection(Request $request, $tokenValue)
{
    if (null === $tokenValue) {
        throw new BadRequestException('invalid_token', 'the token parameter is missing');
    }

    // FIXME: validate token format before the storage lookup
    $accessToken = $this->db->getAccessToken($tokenValue);

    // default: unknown or expired
    $tokenInfo = ['active' => false];

    if (false !== $accessToken) {
        $expiresAt = $accessToken['issue_time'] + $accessToken['expires_in'];
        // still valid when the current time has not passed the expiry
        if ($this->io->getTime() <= $expiresAt) {
            $tokenInfo = [
                'active' => true,
                'exp' => intval($expiresAt),
                'iat' => intval($accessToken['issue_time']),
                'scope' => $accessToken['scope'],
                'iss' => $request->getUrl()->getHost(),
                'client_id' => $accessToken['client_id'],
                'sub' => $accessToken['resource_owner_id'],
                'user_id' => $accessToken['resource_owner_id'],
                'token_type' => 'bearer',
            ];
            // as long as we have no RS registration we cannot set the audience...
            // $tokenInfo['aud'] => 'foo';
        }
    }

    $response = new JsonResponse();
    // introspection results must never be cached by intermediaries
    $response->setHeaders(['Cache-Control' => 'no-store', 'Pragma' => 'no-cache']);
    $response->setBody($tokenInfo);

    return $response;
}
if (0 === strpos($dbDsn, 'sqlite:')) { // sqlite if (!file_exists(substr($dbDsn, 7))) { // sqlite file does not exist $initDb = true; } } $db = new PDO($dbDsn, $configReader->v('Db', 'username', false), $configReader->v('Db', 'password', false)); // only enable templateCache when in production mode if ('development' !== $serverMode) { $templateCache = $configReader->v('templateCache', false, sprintf('%s/data/tpl', dirname(__DIR__))); } else { $templateCache = null; } $templateManager = new TwigTemplateManager(array(dirname(__DIR__) . '/views', dirname(__DIR__) . '/config/views'), $templateCache); $templateManager->setDefault(array('rootFolder' => $request->getUrl()->getRoot(), 'serverMode' => $serverMode)); $md = new MetadataStorage($db); $approvalStorage = new PdoApprovalStorage($db); $authorizationCodeStorage = new PdoAuthorizationCodeStorage($db); $accessTokenStorage = new PdoAccessTokenStorage($db); if ($initDb) { $md->initDatabase(); $approvalStorage->initDatabase(); $authorizationCodeStorage->initDatabase(); $accessTokenStorage->initDatabase(); } $remoteStorage = new RemoteStorage($md, $document); $session = new Session('php-remote-storage', array('secure' => 'development' !== $serverMode)); $userAuth = new FormAuthentication(function ($userId) use($configReader) { $userList = $configReader->v('Users'); if (null === $userList || !array_key_exists($userId, $userList)) {
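/**
 * Delete a remoteStorage document after authorization and precondition checks.
 *
 * Order of checks: the path must belong to the token's user, the token must
 * carry write scope for the module, then the If-Match precondition is
 * evaluated *before* existence so that a missing document with a non-matching
 * If-Match yields 412 rather than 404. The response carries the version that
 * was deleted as its ETag.
 *
 * @param Request   $request   the incoming HTTP request
 * @param TokenInfo $tokenInfo the validated bearer token
 *
 * @return Response response carrying the deleted version as ETag
 *
 * @throws ForbiddenException          path not owned by the token subject, or scope insufficient
 * @throws PreconditionFailedException If-Match does not contain the current version
 * @throws NotFoundException           document does not exist
 */
public function deleteDocument(Request $request, TokenInfo $tokenInfo)
{
    $path = new Path($request->getUrl()->getPathInfo());
    if ($path->getUserId() !== $tokenInfo->getUserId()) {
        throw new ForbiddenException('path does not match authorized subject');
    }
    if (!$this->hasWriteScope($tokenInfo->getScope(), $path->getModuleName())) {
        throw new ForbiddenException('path does not match authorized scope');
    }

    // the version has to be captured before the delete; null when the document does not exist
    $documentVersion = $this->remoteStorage->getVersion($path);

    // The original evaluated this precondition twice with the same inputs;
    // once is sufficient since nothing changes in between.
    // NOTE(review): non-strict in_array — with a null $documentVersion an
    // If-Match entry of '' would compare equal; confirm stripQuotes() never
    // yields ''.
    $ifMatch = $this->stripQuotes($request->getHeader('If-Match'));
    if (null !== $ifMatch && !in_array($documentVersion, $ifMatch)) {
        throw new PreconditionFailedException('version mismatch');
    }
    if (null === $documentVersion) {
        throw new NotFoundException(sprintf('document "%s" not found', $path->getPath()));
    }

    $deleteResult = $this->remoteStorage->deleteDocument($path, $ifMatch);

    $response = new Response();
    $response->setHeader('ETag', '"' . $documentVersion . '"');
    $response->setBody($deleteResult);

    return $response;
}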
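/**
 * Handle the resource owner's decision on the consent form.
 *
 * On denial the client is sent an `access_denied` error redirect; on approval
 * the (client, user, scope) approval is recorded and the browser is redirected
 * back to the same URL so the GET handler can issue the response.
 *
 * A `redirect_uri` supplied in the request must equal the registered one
 * (RFC 6749 §3.1.2.3); previously it was only defaulted when absent and
 * otherwise used as-is, which let a crafted link redirect the user (and the
 * echoed `state`) to an arbitrary location via the access_denied response.
 * NOTE(review): this is an exact match against the single registered URI;
 * relax deliberately if the registration model ever supports several.
 *
 * @param Request           $request  the incoming POST request
 * @param UserInfoInterface $userInfo the authenticated resource owner
 *
 * @return ClientResponse|RedirectResponse error redirect to the client, or redirect to self
 *
 * @throws BadRequestException unknown client, or redirect_uri not matching the registration
 */
public function postAuthorization(Request $request, UserInfoInterface $userInfo)
{
    $authorizeRequest = new AuthorizeRequest($request);
    $clientId = $authorizeRequest->getClientId();
    $redirectUri = $authorizeRequest->getRedirectUri();
    $scope = $authorizeRequest->getScope();

    $clientData = $this->storage->getClient($clientId);
    if (false === $clientData) {
        throw new BadRequestException('client not registered');
    }

    // if no redirect_uri is part of the query parameter, use the one from
    // the client registration; if one was given it must match the registration
    if (null === $redirectUri) {
        $redirectUri = $clientData->getRedirectUri();
    } elseif ($redirectUri !== $clientData->getRedirectUri()) {
        throw new BadRequestException('redirect_uri does not match registered redirect_uri');
    }

    if ('approve' !== $request->getPostParameter('approval')) {
        return new ClientResponse(
            $clientData,
            $request,
            $redirectUri,
            ['error' => 'access_denied', 'error_description' => 'not authorized by resource owner']
        );
    }

    // NOTE(review): $scope is stored as requested; confirm it was checked
    // against the client's allowed scope earlier (GET handler or addApproval).
    $this->addApproval($clientData, $userInfo->getUserId(), $scope);

    // redirect to self
    return new RedirectResponse($request->getUrl()->toString(), 302);
}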
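/**
 * Remove one of the authenticated user's approvals and return to the list.
 *
 * The approval id comes from the query string and is now required: a request
 * without it is rejected instead of handing null to the storage layer. The
 * delete is scoped to the authenticated user id, so a user cannot remove
 * another user's approval by guessing an id.
 *
 * NOTE(review): this is a state-changing operation; confirm it is routed on a
 * non-safe method (e.g. a form POST with _METHOD=DELETE) so that any CSRF
 * protection which exempts GET/HEAD/OPTIONS actually applies to it.
 *
 * @param Request           $request  the incoming HTTP request
 * @param UserInfoInterface $userInfo the authenticated user
 *
 * @return RedirectResponse redirect to approvals.php under the root URL
 *
 * @throws BadRequestException when the id parameter is missing
 */
public function deleteApproval(Request $request, UserInfoInterface $userInfo)
{
    $id = $request->getUrl()->getQueryParameter('id');
    if (null === $id) {
        throw new BadRequestException('missing id');
    }

    $this->db->deleteApproval($id, $userInfo->getUserId());

    return new RedirectResponse($request->getUrl()->getRootUrl() . 'approvals.php', 302);
}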
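/**
 * Dispatch the request to the first matching route.
 *
 * A form POST may override its method via the `_METHOD` parameter, but only
 * to the verbs HTML forms cannot express (PUT, PATCH, DELETE). Previously any
 * client-supplied string became the request method and was routed and echoed
 * back in the 405 response; unrecognised values are now ignored and the
 * request is routed as the POST it actually is.
 * NOTE(review): any CSRF or authorization check keyed on the method must see
 * the overridden value — confirm middleware ordering.
 *
 * When no route matches, a 404 is raised if some route supports the method
 * and a 405 (listing all supported methods) otherwise.
 *
 * @param Request $request the incoming HTTP request
 *
 * @return mixed whatever the matched route callback returns
 *
 * @throws NotFoundException         no route for this path, method otherwise supported
 * @throws MethodNotAllowedException no route supports the requested method
 */
private function runService(Request $request)
{
    if ('POST' === $request->getMethod()) {
        $methodOverride = $request->getPostParameter('_METHOD');
        if (null !== $methodOverride && in_array($methodOverride, ['PUT', 'PATCH', 'DELETE'], true)) {
            $request->setMethod($methodOverride);
        }
    }

    $pathInfo = $request->getUrl()->getPathInfo();
    foreach ($this->routes as $route) {
        $callbackParameters = $route->isMatch($request->getMethod(), $pathInfo);
        if (false !== $callbackParameters) {
            return $this->executeCallback($request, $route, $callbackParameters);
        }
    }

    // collect every method some route supports, without duplicates
    $supportedMethods = [];
    foreach ($this->routes as $route) {
        foreach ($route->getMethods() as $method) {
            if (!in_array($method, $supportedMethods, true)) {
                $supportedMethods[] = $method;
            }
        }
    }

    // requested method supported, document is just not available
    if (in_array($request->getMethod(), $supportedMethods, true)) {
        throw new NotFoundException('url not found', $request->getUrl()->getRoot() . mb_substr($pathInfo, 1));
    }

    // requested method not supported by any route
    throw new MethodNotAllowedException($request->getMethod(), $supportedMethods);
}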