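/**
 * Authorize the request
 *
 * Fetches the Digest credentials from the request, decomposes the
 * Authorization header and validates the client's response against the
 * partner's api_key. Frapi_Model_Partner::isPartnerHandle() decides whether
 * the username belongs to a real partner; if not we bail early.
 *
 * Validation order: every mandatory directive (username, nonce, response,
 * opaque, uri) must be present; the opaque and nonce must match the values
 * this server issued and the uri must match the request; finally the digest
 * response must match. Digest comparisons use hash_equals() so that a loose
 * (==) comparison of hex digests cannot be satisfied by numeric-looking
 * strings and so that the comparison does not leak timing information.
 *
 * @link http://www.peej.co.uk/projects/phphttpdigest.html
 *
 * @return mixed Either the username of the user making the request or we
 *   return access to $this->send() which will pop up the authentication
 *   challenge once again.
 */
public function authorize()
{
    if (!isset($_SERVER['PHP_AUTH_DIGEST'])) {
        return $this->send();
    }

    $authorization = $_SERVER['PHP_AUTH_DIGEST'];

    // Every mandatory directive must be present. The username pattern is the
    // same quoted-directive pattern as its siblings; a malformed header is
    // answered with a fresh challenge rather than a regex compile failure.
    if (!preg_match('/username="([^"]+)"/', $authorization, $username)
        || !preg_match('/nonce="([^"]+)"/', $authorization, $nonce)
        || !preg_match('/response="([^"]+)"/', $authorization, $response)
        || !preg_match('/opaque="([^"]+)"/', $authorization, $opaque)
        || !preg_match('/uri="([^"]+)"/', $authorization, $uri)
    ) {
        return $this->send();
    }

    $username   = $username[1];
    $requestURI = $_SERVER['REQUEST_URI'];

    // NOTE(review): this is set before the digest is verified (preserved from
    // the original); consumers must not treat it as proof of authentication.
    $_SERVER['X_FRAPI_AUTH_USER'] = $username;

    // Drop the query string by truncating to the length of the client supplied
    // uri directive; the strict comparison below then requires the two to agree.
    if (strpos($requestURI, '?') !== false) {
        $requestURI = substr($requestURI, 0, strlen($uri[1]));
    }

    $users = Frapi_Model_Partner::isPartnerHandle($username);
    if ($users === false) {
        return $this->send();
    }

    // Server-issued values are checked first (same short-circuit order as the
    // original: opaque, then uri, then nonce) and must match exactly.
    if (!hash_equals((string) $this->getOpaque(), $opaque[1])
        || $requestURI !== $uri[1]
        || !hash_equals((string) $this->getNonce(), $nonce[1])
    ) {
        return $this->send();
    }

    // Digest A1 (username:realm:secret) with the partner's api_key as the secret.
    $passphrase = hash('md5', "{$username}:{$this->realm}:{$users['api_key']}");
    if ($this->passwordsHashed) {
        $a1 = $passphrase;
    } else {
        // NOTE(review): this hashes the already-hashed $passphrase a second
        // time; preserved as-is — confirm it matches the client-side A1.
        $a1 = md5($username . ':' . $this->realm . ':' . $passphrase);
    }
    $a2 = md5($_SERVER['REQUEST_METHOD'] . ':' . $requestURI);

    // With qop/nc/cnonce present the digest includes those directives;
    // otherwise fall back to the shorter nonce-only form.
    if (preg_match('/qop="?([^,\\s"]+)/', $authorization, $qop)
        && preg_match('/nc=([^,\\s"]+)/', $authorization, $nc)
        && preg_match('/cnonce="([^"]+)"/', $authorization, $cnonce)
    ) {
        $expectedResponse = md5($a1 . ':' . $nonce[1] . ':' . $nc[1] . ':' . $cnonce[1] . ':' . $qop[1] . ':' . $a2);
    } else {
        $expectedResponse = md5($a1 . ':' . $nonce[1] . ':' . $a2);
    }

    // Constant-time, type-strict comparison of the client digest with ours.
    if (hash_equals($expectedResponse, $response[1])) {
        return $username;
    }

    return $this->send();
}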
/**
 * Authorize the request
 *
 * Reads the Digest credentials from the request, lets _parseDigest()
 * decompose the Authorization header, and then checks that the supplied
 * username is a real partner via Frapi_Model_Partner::isPartnerHandle().
 * Only when all of that holds is the digest response itself validated
 * against the partner's api_key by _validateResponse().
 *
 * Any failure along the way re-issues the authentication challenge.
 *
 * @link http://www.peej.co.uk/projects/phphttpdigest.html
 *
 * @return mixed Either the username of the user making the request or we
 *   return access to $this->send() which will pop up the authentication
 *   challenge once again.
 */
public function authorize()
{
    // No Digest header at all: challenge the client.
    if (!isset($_SERVER['PHP_AUTH_DIGEST'])) {
        return $this->send();
    }

    // A header that does not decompose into the expected directives is
    // treated the same as a missing one.
    $parsed = $this->_parseDigest($_SERVER['PHP_AUTH_DIGEST']);
    if (!$parsed) {
        return $this->send();
    }

    // Unknown partner handle: bail before doing any digest arithmetic.
    $partner = Frapi_Model_Partner::isPartnerHandle($this->digest['username']);
    if ($partner === false) {
        return $this->send();
    }

    return $this->_validateResponse($partner['api_key']);
}