function start()
{
$config = $this->f3->get('config');
$limiter = new RateLimiter('webfinger');
if (!$limiter->throttle()) {
header('Retry-After: ' . $limiter->getInterval());
// We never display a log for rate limit errors
$this->f3->status(429);
$this->fatalError($this->t('Client has been blocked from making further requests'));
}
$this->logger->log(LogLevel::INFO, 'SimpleID\\Protocols\\WebFinger->start');
if (!$this->f3->exists('GET.resource') || $this->f3->get('GET.resource') == '') {
$this->logger->log(LogLevel::NOTICE, 'resource parameter missing or empty');
$this->f3->status(400);
$this->fatalError($this->t('resource parameter missing or empty'));
return;
}
$resource = $this->f3->get('GET.resource');
$this->logger->log(LogLevel::INFO, 'Requested resource URI: ' . $resource);
$jrd = $this->getJRD($resource);
if ($jrd == NULL) {
$limiter->penalize();
// Stop $remote_addr from querying again
$this->f3->status(404);
$this->fatalError($this->t('Resource not found'));
return;
}
$jrd = $this->fixJRDAliases($jrd, $resource);
if (isset($_GET['rel'])) {
$jrd = $this->filterJRDRels($jrd, $_GET['rel']);
}
header('Content-Type: application/jrd+json');
header('Content-Disposition: inline; filename=webfinger.json');
header('Access-Control-Allow-Origin: ' . $config['webfinger_access_control_allow_origin']);
if ($this->f3->get('VERB') == 'HEAD') {
return;
}
print json_encode($jrd);
}
/**
* Registration endpoint
*/
public function register()
{
$rand = new Random();
$response = new Response();
$this->checkHttps('error');
$this->logger->log(LogLevel::DEBUG, 'SimpleID\\Protocols\\Connect\\ConnectClientRegistrationModule->register');
// Access token OR rate limit
if (!$this->isTokenAuthorized(self::CLIENT_REGISTRATION_INIT_SCOPE)) {
$limiter = new RateLimiter('connect_register');
if (!$limiter->throttle()) {
header('Retry-After: ' . $limiter->getInterval());
// We never display a log for rate limit errors
$response->setError('invalid_request', 'client has been blocked from making further requests')->renderJSON(429);
return;
}
}
if (!$this->f3->exists('BODY')) {
$response->setError('invalid_request')->renderJSON();
return;
}
$request = json_decode($this->f3->get('BODY'), true);
if ($request == null) {
$response->setError('invalid_request', 'unable to parse body')->renderJSON();
return;
}
if (!isset($request['redirect_uris'])) {
$response->setError('invalid_redirect_uri', 'redirect_uris missing')->renderJSON();
return;
}
// Verify redirect_uri based on application_type
$application_type = isset($request['application_type']) ? $request['application_type'] : 'web';
$grant_types = isset($request['grant_types']) ? $request['grant_types'] : array('authorization_code');
foreach ($request['redirect_uris'] as $redirect_uri) {
$parts = parse_url($redirect_uri);
if (isset($parts['fragment'])) {
$response->setError('invalid_redirect_uri', 'redirect_uris cannot contain a fragment')->renderJSON();
return;
}
if ($application_type == 'web' && in_array('implicit', $grant_types)) {
if (strtolower($parts['scheme']) != 'https' || strtolower($parts['host']) == 'localhost' && $parts['host'] == '127.0.0.1') {
$response->setError('invalid_redirect_uri', 'implicit grant type must use https URIs')->renderJSON();
return;
}
} elseif ($application_type == 'native') {
// Native Clients MUST only register redirect_uris using custom URI schemes or URLs using the http: scheme with localhost as the hostname.
// Authorization Servers MAY place additional constraints on Native Clients.
// Authorization Servers MAY reject Redirection URI values using the http scheme, other than the localhost case for Native Clients.
// The Authorization Server MUST verify that all the registered redirect_uris conform to these constraints. This prevents sharing a Client ID across different types of Clients.
if (strtolower($parts['scheme']) == 'http' && (strtolower($parts['host']) != 'localhost' || $parts['host'] != '127.0.0.1') || strtolower($parts['scheme']) == 'https') {
$response->setError('invalid_redirect_uri', 'native clients cannot use https URIs')->renderJSON();
return;
}
}
}
// Verify sector_identifier_url
$subject_type = isset($request['subject_type']) ? $request['subject_type'] : 'public';
if (isset($request['sector_identifier_uri'])) {
if (!$this->verifySectorIdentifier($request['sector_identifier_uri'], $request['redirect_uris'])) {
$response->setError('invalid_client_metadata', 'cannot verify sector_identifier_uri')->renderJSON();
return;
}
}
$client = new ConnectDynamicClient();
$client_id = $client->getStoreID();
// Map data
foreach ($request as $name => $value) {
$parts = explode('#', $name, 2);
$client_path = isset(self::$metadata_map[$parts[0]]) ? self::$metadata_map[$parts[0]] : 'connect.' . $parts[0];
if (isset($parts[1])) {
$client_path .= '#' . $locale;
}
$client->pathSet($client_path, $value);
}
$client->fetchJWKs();
$response->loadData($request);
$response->loadData(array('client_id' => $client->getStoreID(), 'registration_client_uri' => $this->getCanonicalURL('connect/client/' . $client->getStoreID()), 'client_id_issued_at' => time()));
if ($client['oauth']['token_endpoint_auth_method'] != 'none') {
$client->pathSet('oauth.client_secret', $rand->secret());
$response['client_secret'] = $client['oauth']['client_secret'];
$response['client_secret_expires_at'] = 0;
}
$store = StoreManager::instance();
$store->saveClient($client);
$this->logger->log(LogLevel::INFO, 'Created dynamic client: ' . $client_id);
$auth = new Authorization($client, $client, self::CLIENT_REGISTRATION_ACCESS_SCOPE);
$store->saveAuth($auth);
$token = $auth->issueAccessToken(array(self::CLIENT_REGISTRATION_ACCESS_SCOPE));
$response['registration_access_token'] = $token['access_token'];
$this->f3->status(201);
$response->renderJSON();
}
