/**
 * Resolve the session store for this request and bind it to the client-supplied id.
 *
 * The "X-Session-Id" header is consulted first; only when it is absent does the
 * id fall back to the cookie whose name is the session's own name.
 *
 * @param Request $request incoming request (header and cookie source)
 * @return mixed the session store returned by the manager's driver, with its id set
 */
public function getSession(Request $request)
{
    $store = $this->manager->driver();

    // Header takes precedence over the cookie.
    $session_id = $request->header("X-Session-Id");
    if ($session_id === null) {
        // No header: fall back to the cookie carrying the session id.
        $session_id = $request->cookies->get($store->getName());
    }

    // NOTE(review): the id is passed through verbatim; any format check on a
    // client-supplied id is left to setId() — confirm the driver rejects malformed ids.
    $store->setId($session_id);

    return $store;
}
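/**
 * Sign an outgoing request and attach the auth headers the validator expects.
 *
 * The parameter set that is signed mirrors what validateFromRequest() checks:
 * the query string for GET (and for DELETE when a query string is present),
 * the decoded body for JSON content types, and the form body otherwise.
 *
 * @param \Symfony\Component\HttpFoundation\Request $request request to sign (mutated in place)
 * @param string $api_token public API token sent in the API-TOKEN header
 * @param string $secret    secret used to compute the signature
 * @return \Symfony\Component\HttpFoundation\Request the same request, with auth headers set
 */
public function addSignatureToSymfonyRequest(\Symfony\Component\HttpFoundation\Request $request, $api_token, $secret)
{
    $method = $request->getMethod();

    // build URL without parameters
    $url = $this->buildURLPrefix($request->getScheme(), $request->getHost(), $request->getPort())
        . $request->getPathInfo();

    // choose the parameter set to sign
    if ($method === 'GET') {
        $parameters = $request->query->all();
    } elseif ($method === 'DELETE' && $request->query->count() > 0) {
        // DELETE with a query string is validated against the query parameters,
        // so it must be signed over them as well.
        $parameters = $request->query->all();
    } else {
        // Symfony's Request has no header() method (that is Laravel's extension);
        // reading the HeaderBag directly works for both.
        $content_type = (string) $request->headers->get('Content-Type');
        // strpos() may legitimately return 0, so test against false rather than truthiness.
        $is_json = strpos($content_type, '/json') !== false;
        if ($is_json) {
            // NOTE(review): an unparseable body yields null here — confirm
            // createSignatureParameters() tolerates that, or reject earlier.
            $parameters = json_decode($request->getContent(), true);
        } else {
            $parameters = $request->request->all();
        }
    }

    // get signature
    $signature_info = $this->createSignatureParameters($method, $url, $parameters, $api_token, $secret);

    // add http headers
    $request->headers->set('X-' . $this->auth_header_namespace . '-AUTH-API-TOKEN', $api_token);
    $request->headers->set('X-' . $this->auth_header_namespace . '-AUTH-NONCE', $signature_info['nonce']);
    $request->headers->set('X-' . $this->auth_header_namespace . '-AUTH-SIGNATURE', $signature_info['signature']);

    return $request;
}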
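/**
 * Validate the auth headers on an incoming request against the signed content.
 *
 * Reads the Nonce, Api-Token, Signature and optional Signed-Url headers, resolves
 * the secret for the token, rebuilds the signed URL and parameter set the client
 * used, and delegates the actual check to validate(). Several candidate parameter
 * encodings are tried so that harmless re-encodings of a JSON body still verify.
 *
 * @param \Symfony\Component\HttpFoundation\Request $request incoming request
 * @return mixed the truthy result of validate() on success; false if no candidate
 *               matched and validate() reported no error info
 * @throws AuthorizationException when headers are missing, the token is unknown,
 *                                the signed URL is rejected, or validation fails
 */
public function validateFromRequest(\Symfony\Component\HttpFoundation\Request $request)
{
    $header_prefix = 'X-' . $this->auth_header_namespace . '-Auth-';

    // get the request headers
    $nonce      = $request->headers->get($header_prefix . 'Nonce');
    $api_token  = $request->headers->get($header_prefix . 'Api-Token');
    $signature  = $request->headers->get($header_prefix . 'Signature');
    $signed_url = $request->headers->get($header_prefix . 'Signed-Url');

    if (!$nonce && !$api_token && !$signature) {
        throw new AuthorizationException("Missing authentication credentials");
    }
    if (!$nonce) {
        throw new AuthorizationException("Missing nonce");
    }
    if (!$api_token) {
        throw new AuthorizationException("Missing api_token");
    }
    if (!$signature) {
        throw new AuthorizationException("Missing signature");
    }

    // get the api_secret for this token
    $api_secret = null;
    if ($this->api_secret_lookup_function && is_callable($this->api_secret_lookup_function)) {
        $api_secret = call_user_func($this->api_secret_lookup_function, $api_token);
    }
    if (!$api_secret) {
        throw new AuthorizationException("Invalid API Token", "Failed to find api secret for token {$api_token}");
    }

    // build the method, url and parameters
    $method = $request->getMethod();
    $actual_url = $request->getSchemeAndHttpHost() . $request->getBaseUrl() . $request->getPathInfo();

    // mangle URL if X-TOKENLY-AUTH-SIGNED-URL was provided
    if ($signed_url) {
        // Without a configured validation callback a client-supplied signed URL is never trusted.
        $signed_url_is_valid = false;
        if ($this->signed_url_validation_function !== null && is_callable($this->signed_url_validation_function)) {
            $signed_url_is_valid = call_user_func($this->signed_url_validation_function, $actual_url, $signed_url);
        }
        if (!$signed_url_is_valid) {
            throw new AuthorizationException("Invalid Signed URL", "The URL signed for this request was not valid");
        }
        $url = $signed_url;
    } else {
        $url = $actual_url;
    }

    // overcome bad parameter encodings: every candidate is checked in turn
    $parameter_sets_to_check = [];
    if ($method === 'GET') {
        $parameter_sets_to_check[] = $request->query->all();
    } elseif ($method === 'DELETE' && $request->query->count() > 0) {
        // DELETE with query parameters
        $parameter_sets_to_check[] = $request->query->all();
    } else {
        // Symfony's Request has no header() method (that is Laravel's extension);
        // reading the HeaderBag directly works for both.
        $content_type = (string) $request->headers->get('Content-Type');
        // strpos() may legitimately return 0, so test against false rather than truthiness.
        $is_json = strpos($content_type, '/json') !== false;
        if ($is_json) {
            $raw_body = (string) $request->getContent();
            if (!strlen($raw_body)) {
                $parameter_sets_to_check[] = '{}';
            } else {
                $parameter_sets_to_check[] = $raw_body;
                // try re-encoding the string, but only when it actually parses —
                // re-encoding an unparseable body would just add a bogus "null" candidate
                $decoded_body = json_decode($raw_body, true);
                if (json_last_error() === JSON_ERROR_NONE) {
                    $re_encoded_parameters = json_encode($decoded_body, JSON_UNESCAPED_SLASHES | JSON_FORCE_OBJECT);
                    if ($re_encoded_parameters !== $raw_body) {
                        $parameter_sets_to_check[] = $re_encoded_parameters;
                    }
                }
            }
        } else {
            $parameter_sets_to_check[] = $request->request->all();
        }
    }

    // validate the signature against each candidate; the first error is the one reported
    // NOTE(review): nonce freshness / replay protection is not handled here — confirm validate() covers it.
    $files = $request->files->all();
    $first_error_info = null;
    foreach ($parameter_sets_to_check as $parameter_set_to_check) {
        $error_info = null;
        $is_valid = $this->validate($method, $url, $parameter_set_to_check, $files, $api_token, $nonce, $signature, $api_secret, $error_info);
        if ($is_valid) {
            return $is_valid;
        }
        if ($first_error_info === null) {
            $first_error_info = $error_info;
        }
    }

    // none were valid
    if ($first_error_info) {
        throw new AuthorizationException($first_error_info[0], $first_error_info[1]);
    }

    return false;
}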