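/**
 * Exchanges a Google access token for a Blimp account, creating the account on first sight.
 *
 * The token is sent to Google's userinfo endpoint; the returned profile id is turned into a
 * stable account id, the account is stored (or updated) and a response carrying the account
 * uri and, for accounts without an owner, a freshly generated secret is returned.
 *
 * @param array|null $access_token Token record; reads 'token' and, optionally, 'account'
 *                                 (the e-mail the token is expected to belong to).
 * @return Response|JsonResponse The Response Protocol produced when the userinfo call failed,
 *                               otherwise a JsonResponse with 'uri' and 'secret'.
 * @throws BlimpHttpException 401 when no usable token is given or the profile e-mail does not
 *                            match 'account'; 404 when Google returns no profile with an id.
 */
public function processAccountData($access_token)
{
    // No record, no 'token' entry, or an empty token: reject before talking to Google.
    // (The original only rejected a null record and would have called Google with a null token.)
    if (!is_array($access_token) || empty($access_token['token'])) {
        throw new BlimpHttpException(Response::HTTP_UNAUTHORIZED, "No access_token");
    }

    $token = $access_token['token'];

    // Fetch the profile fields configured for Google.
    $params = [
        'access_token' => $token,
        'fields' => $this->api['config']['google']['fields'],
    ];
    $profile_data = Protocol::get('https://www.googleapis.com/userinfo/v2/me', $params);

    // Protocol hands back a ready-made Response when the upstream call itself failed; pass it on.
    if ($profile_data instanceof Response) {
        return $profile_data;
    }

    // A profile without an id cannot be mapped to an account.
    if (!is_array($profile_data) || empty($profile_data['id'])) {
        throw new BlimpHttpException(Response::HTTP_NOT_FOUND, "Resource not found");
    }

    // When the caller pinned an account e-mail, the token must belong to exactly that user.
    // A profile without an 'email' field is treated as a mismatch, never as a match.
    if (!empty($access_token['account']) && ($profile_data['email'] ?? null) !== $access_token['account']) {
        throw new BlimpHttpException(Response::HTTP_UNAUTHORIZED, "Invalid access_token");
    }

    // Fixed-key HMAC used purely as a deterministic id derivation, not as an authenticator:
    // changing the algorithm or the key would change the id of every existing Google account.
    $id = hash_hmac('ripemd160', 'google-' . $profile_data['id'], 'obscure');

    $dm = $this->api['dataaccess.mongoodm.documentmanager']();
    $account = $dm->find('Blimp\\Accounts\\Documents\\Account', $id);

    if ($account !== null) {
        $code = Response::HTTP_FOUND;
    } else {
        $code = Response::HTTP_CREATED;
        $account = new Account();
        $account->setId($id);
        $account->setType('google');
    }

    $resource_uri = '/accounts/' . $account->getId();

    // Accounts without an owner get a new secret on every call; owned accounts get null, and
    // setBlimpSecret() is still called with that null, as in the original logic.
    // NOTE(review): the same password_hash() output is both stored and handed to the client;
    // how it is later checked is outside this view — confirm against the verification side.
    $secret = null;
    if ($account->getOwner() === null) {
        // random_bytes() throws when no CSPRNG is available instead of silently degrading.
        $secret = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }

    $account->setBlimpSecret($secret);
    $account->setAuthData($access_token);
    $account->setProfileData($profile_data);
    $dm->persist($account);
    $dm->flush();

    $response = new JsonResponse((object) ["uri" => $resource_uri, "secret" => $secret], $code);
    $response->headers->set('AccountUri', $resource_uri);
    $response->headers->set('AccountSecret', $secret);

    return $response;
}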
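/**
 * Validates a Google-backed resource-owner grant.
 *
 * The account must resolve to a known resource owner and the supplied Google token must have
 * been issued to the same Google user the account was created from. On failure the error
 * fields ($this->error_code, $this->error, $this->error_description) are set and false is
 * returned; on success $this->profile and $this->real_scope are set and true is returned.
 *
 * @param Container $api          Service container: resource-owner lookup, document manager, scope filter.
 * @param array     $data         Grant parameters; reads 'account' (account uri), 'token' and optional 'scope'.
 * @param mixed     $redirect_uri Not used by this grant; kept for interface compatibility.
 * @return bool
 */
public function process(Container $api, $data, $redirect_uri = null)
{
    $account = $data['account'] ?? null;
    $token = $data['token'] ?? null;
    $scope = $data['scope'] ?? null;

    if (empty($account)) {
        return $this->rejectGrant(Response::HTTP_BAD_REQUEST, 'invalid_request', 'Missing account parameter.');
    }

    if (empty($token)) {
        return $this->rejectGrant(Response::HTTP_BAD_REQUEST, 'invalid_request', 'Missing token parameter.');
    }

    $owner = $api['security.oauth.get_resource_owner']($account, null);
    if ($owner === null) {
        return $this->rejectGrant(Response::HTTP_BAD_REQUEST, 'invalid_grant', 'Invalid resource owner credentials.');
    }

    // The account parameter is a resource uri ('/accounts/<id>'); the id is its last segment.
    // Without a slash the value is used as-is (the original would have dropped its first character).
    $slash = strrpos($account, '/');
    $account_id = $slash === false ? $account : substr($account, $slash + 1);

    $dm = $api['dataaccess.mongoodm.documentmanager']();
    $account = $dm->getRepository('Blimp\\Accounts\\Documents\\Account')->find($account_id);
    if ($account === null) {
        return $this->rejectGrant(Response::HTTP_BAD_REQUEST, 'invalid_grant', 'Invalid resource owner credentials.');
    }

    // Ask Google who the token was issued for; Protocol returns a Response on transport/HTTP failure.
    $params = ['access_token' => $token];
    $token_data = \Blimp\Accounts\Oauth2\Protocol::get('https://www.googleapis.com/oauth2/v1/tokeninfo', $params, [], true);
    if ($token_data instanceof Response) {
        return $this->rejectGrant(Response::HTTP_BAD_REQUEST, 'invalid_grant', 'Invalid resource owner credentials.');
    }

    // Bind the token to the account: the Google user id reported by tokeninfo must equal the id
    // stored in the account's profile. A missing value on either side is a rejection, never a match.
    // NOTE(review): the token's audience (which client it was issued to) is not checked here;
    // confirm whether Protocol or configuration covers that, since tokeninfo alone does not.
    $token_user_id = $token_data['user_id'] ?? null;
    $profile_user_id = ($account->getProfileData() ?? [])['id'] ?? null;
    if ($token_user_id === null || $profile_user_id === null || $token_user_id !== $profile_user_id) {
        return $this->rejectGrant(Response::HTTP_BAD_REQUEST, 'invalid_grant', 'Invalid resource owner credentials.');
    }

    $this->profile = $owner->getProfile();

    $to_process_scope = !empty($scope) ? explode(' ', $scope) : [];
    $user_scopes = $owner->getScopes();
    $this->real_scope = implode(' ', $api['security.oauth.get_scopes']($to_process_scope, $user_scopes));

    // The granted scope must agree with what the owner holds: an owner with scopes must end up
    // with a non-empty real scope, and an owner without scopes must end up with none.
    if (empty($this->real_scope) xor empty($user_scopes)) {
        return $this->rejectGrant(Response::HTTP_BAD_REQUEST, 'invalid_scope', 'The requested scope is invalid, unknown or malformed.');
    }

    return true;
}

/**
 * Records an OAuth error on this instance and returns false, so callers can `return $this->rejectGrant(...)`.
 *
 * @param int    $error_code        HTTP status to report (a Response::HTTP_* constant).
 * @param string $error             OAuth error code, e.g. 'invalid_grant'.
 * @param string $error_description Human-readable description of the error.
 */
private function rejectGrant(int $error_code, string $error, string $error_description): bool
{
    $this->error_code = $error_code;
    $this->error = $error;
    $this->error_description = $error_description;

    return false;
}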