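/**
 * Handle the authentication endpoint of this controller.
 *
 * GET    -> look up the currently authenticated user and expose it as 'auth'
 * POST   -> log in with the JSON body's credentials object and expose the reply as 'auth'
 * DELETE -> log out and set 'auth' to false
 * Any other HTTP method is ignored here; Authorize() is expected to have rejected it.
 *
 * The Json presenter is forced so every reply is JSON, with the JSONP callback
 * name taken from the `callback` query parameter.
 *
 * Error mapping for GET and POST: UserNotFoundException -> 404,
 * InvalidPasswordException -> 403, any other \Exception -> 500. In all three
 * cases the exception message is sent to the client under 'error'.
 *
 * @param AuthInterface $auth Authentication service used for lookup, login and logout.
 * @return void
 */
protected function handleAuth(AuthInterface $auth) {
    // Force the Json presenter for this type of controller (so all replies are in
    // JSON format) and set its Callback from the 'callback' query parameter.
    // NOTE(review): the callback name is request-controlled; Json::SetCallback (not
    // visible here) must restrict it to a plain identifier before it is echoed into
    // a JSONP response — confirm.
    $this->presenterClass = 'Json';
    $this->presenter      = new Json();
    $this->presenter->SetCallback($this->request->Get('callback', ''));

    // Shared failure path for GET/POST: set the HTTP status and expose the message.
    // NOTE(review): for the 500 case this reflects internal exception text to the
    // client; consider a generic message there if those exceptions can carry
    // internal detail.
    $fail = function (\Exception $e, $status) {
        $this->response->Status = $status;
        $this->set('error', $e->getMessage());
    };

    switch ($this->request->Method) {
        case 'GET':
            try {
                /** @var \Fluxoft\Rebar\Auth\Reply $authReply */
                $authReply = $auth->GetAuthenticatedUser($this->request);
                $this->set('auth', $authReply);
            } catch (UserNotFoundException $e) {
                $fail($e, 404);
            } catch (InvalidPasswordException $e) {
                $fail($e, 403);
            } catch (\Exception $e) {
                $fail($e, 500);
            }
            break;

        case 'POST':
            try {
                // json_decode() yields null for malformed input; any non-array
                // result (or a missing/incomplete credentials object) is a 400.
                $body = json_decode($this->request->Body, true);
                if (!is_array($body) ||
                    !isset($body['credentials']['username']) ||
                    !isset($body['credentials']['password'])
                ) {
                    $this->response->Status = 400;
                    $this->set('error', 'A credentials object is required to log in and must contain a username and password');
                } else {
                    $email    = $body['credentials']['username'];
                    $password = $body['credentials']['password'];
                    // 'remember' is optional and passed through as given (not coerced).
                    $remember = isset($body['credentials']['remember'])
                        ? $body['credentials']['remember']
                        : false;
                    /** @var \Fluxoft\Rebar\Auth\Reply $authReply */
                    $authReply = $auth->Login($email, $password, $remember);
                    $this->set('auth', $authReply);
                }
            } catch (UserNotFoundException $e) {
                $fail($e, 404);
            } catch (InvalidPasswordException $e) {
                $fail($e, 403);
            } catch (\Exception $e) {
                $fail($e, 500);
            }
            break;

        case 'DELETE':
            $auth->Logout($this->request);
            $this->set('auth', false);
            break;
    }
}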
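/**
 * Authorize the current request for the given controller method.
 *
 * Checks are applied in this order:
 *  1. CORS: when cross-origin support is enabled and an Origin header is present,
 *     the origin must be in $this->crossOriginDomainsAllowed; matching origins get
 *     the Access-Control-Allow-* headers added to the response.
 *  2. HTTP method: must be in $this->allowedMethods (case-sensitive); OPTIONS is
 *     always allowed so preflight requests succeed.
 *  3. Authentication: when $this->auth is set and $method is not listed in
 *     $this->skipAuthentication (or '*' is), the method requires an authenticated
 *     user if $this->requireAuthentication is empty (deny by default) or lists
 *     $method or '*'.
 * OPTIONS requests return true before the authentication check (Issue #30).
 *
 * @param string $method Controller method name being dispatched.
 * @return bool Always true; every failure path throws instead of returning false.
 * @throws CrossOriginException      when the Origin header is present but not allowed.
 * @throws MethodNotAllowedException when the request's HTTP method is not allowed.
 * @throws AccessDeniedException     when $method requires authentication and none is present.
 */
public function Authorize($method) {
    $allowedMethods = array_map('strtoupper', $this->allowedMethods);
    // always allow OPTIONS requests (CORS preflight)
    if (!in_array('OPTIONS', $allowedMethods, true)) {
        $allowedMethods[] = 'OPTIONS';
    }

    // set CORS headers if configured
    if ($this->crossOriginEnabled) {
        $headers = $this->request->Headers;
        if (isset($headers['Origin'])) {
            $origin = $headers['Origin'];
            // Strict comparison: Origin is attacker-controlled, and a loose in_array()
            // would let a non-string allow-list entry (e.g. a stray `true`) match any
            // origin.
            if (!in_array($origin, $this->crossOriginDomainsAllowed, true)) {
                throw new CrossOriginException(sprintf('The origin "%s" is not permitted.', $origin));
            }
            // The requested header names are echoed back verbatim; the origin
            // allow-list above is the only gate on them.
            $allowedHeaders = isset($headers['Access-Control-Request-Headers'])
                ? $headers['Access-Control-Request-Headers']
                : '';
            $this->response->AddHeader('Access-Control-Allow-Origin', $origin);
            $this->response->AddHeader('Access-Control-Allow-Credentials', 'true');
            $this->response->AddHeader('Access-Control-Allow-Methods', implode(',', $allowedMethods));
            $this->response->AddHeader('Access-Control-Allow-Headers', $allowedHeaders);
        }
    }

    // HTTP method tokens are case-sensitive, so the request method is compared
    // as-is against the upper-cased allow-list.
    $requestMethod = $this->request->Method;
    if (!in_array($requestMethod, $allowedMethods, true)) {
        throw new MethodNotAllowedException(sprintf('The %s method is not permitted here (118).', $requestMethod));
    }

    /*
     * Issue #30: Authorize any OPTIONS request.
     */
    if (strtoupper($requestMethod) === 'OPTIONS') {
        return true;
    }

    if (!isset($this->auth)) {
        return true;
    }

    // Strict in_array() throughout: the configured lists are expected to hold
    // method names as strings, and loose comparison against a non-string entry
    // could silently widen the skip list.
    $skipAuth = in_array($method, $this->skipAuthentication, true)
        || in_array('*', $this->skipAuthentication, true);
    if ($skipAuth) {
        return true;
    }

    // If requireAuthentication is empty, prevent access by default.
    $requireAuth = empty($this->requireAuthentication)
        || in_array($method, $this->requireAuthentication, true)
        || in_array('*', $this->requireAuthentication, true);
    if ($requireAuth) {
        /** @var \Fluxoft\Rebar\Auth\Reply $authReply */
        $authReply = $this->auth->GetAuthenticatedUser($this->request);
        if (!$authReply->Auth) {
            // method is limited and user is not authenticated
            throw new AccessDeniedException(sprintf('Access denied for %s', $method));
        }
    }

    return true;
}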