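/**
 * Build the exception and record it in the request log.
 *
 * The message goes to the base Exception and a note is added to
 * OAuthRequestLogger so the failure shows up in the request trace.
 * The former `if ($debug) { echo message; }` branch referenced an undefined
 * variable (always falsy) and an undefined constant, so it never ran; it has
 * been removed rather than left as a latent echo of exception text to the client.
 *
 * @param string $message human readable description of the failure
 */
function __construct($message)
{
    Exception::__construct($message);
    OAuthRequestLogger::addNote('OAuthException2: ' . $message);
}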
/**
 * Verify the request only when it appears to carry OAuth parameters.
 *
 * A request counts as "signed" when an oauth_consumer_key parameter is present
 * (truthiness check, so an empty value counts as unsigned). Signed requests are
 * handed to verify(); unsigned ones are left untouched for the caller to decide.
 *
 * @param string $token_type the kind of token needed, defaults to 'access'
 * @throws OAuthException thrown when the request did not verify
 * @return bool true when signed (and verified), false when not signed
 */
public function verifyIfSigned($token_type = 'access')
{
    if (!$this->getParam('oauth_consumer_key')) {
        // Nothing OAuth-like on the request: not an error, just not signed.
        return false;
    }

    OAuthRequestLogger::start($this);
    // verify() throws on failure; in that case the logger is not flushed here.
    $this->verify($token_type);
    OAuthRequestLogger::flush();

    return true;
}
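/**
 * Construct from the current request. Useful for checking the signature of a request.
 * When not supplied with any parameters this will use the current request.
 *
 * The request headers are always taken from OAuthRequestLogger::getAllHeaders();
 * the $headers argument is accepted for interface compatibility but is not used.
 *
 * @param string $uri        might include parameters; when empty it is rebuilt from $_SERVER
 * @param string $method     GET, PUT, POST etc.; when empty taken from $_SERVER
 * @param string $parameters additional post parameters, urlencoded (RFC1738)
 * @param array  $headers    headers for request (currently ignored, see above)
 * @param string $body       optional body of the OAuth request (POST or PUT)
 */
function __construct($uri = null, $method = null, $parameters = '', $headers = array(), $body = null)
{
    if (is_object($_SERVER)) {
        // Tainted arrays - the normal stuff in anyMeta
        if (!$method) {
            $method = $_SERVER->REQUEST_METHOD->getRawUnsafe();
        }
        if (empty($uri)) {
            $uri = $_SERVER->REQUEST_URI->getRawUnsafe();
        }
    } else {
        // non anyMeta systems
        if (!$method) {
            $method = $_SERVER['REQUEST_METHOD'];
        }
        $proto = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on' ? 'https' : 'http';
        if (empty($uri)) {
            // NOTE(review): the URI (and so the signature base string) is rebuilt from the
            // client-supplied Host header; confirm the web server pins HTTP_HOST to known vhosts.
            $uri = sprintf('%s://%s%s', $proto, $_SERVER['HTTP_HOST'], $_SERVER['REQUEST_URI']);
        }
    }

    $headers = OAuthRequestLogger::getAllHeaders();

    // Set before the body is read below: the body helpers are not visible here
    // and may depend on it, so keep this order.
    $this->method = strtoupper($method);

    // If this is a post then also check the posted variables
    if (strcasecmp($method, 'POST') == 0) {
        // TODO: what to do with 'multipart/form-data'?
        if ($this->getRequestContentType() == 'application/x-www-form-urlencoded') {
            // Form-encoded body: its fields join the parameter set that is signed.
            // NOTE(review): the body is appended without a '&' separator, and an
            // X-OAuth-Test header excludes it altogether; confirm both are intended.
            if (!isset($headers['X-OAuth-Test'])) {
                $parameters .= $this->getRequestBody();
            }
        } else {
            $body = $this->getRequestBody();
        }
    } elseif (strcasecmp($method, 'PUT') == 0) {
        $body = $this->getRequestBody();
    }

    // Store the values, prepare for oauth ($this->method was already set above;
    // the former duplicate assignment has been dropped)
    $this->headers = $headers;
    $this->uri = $uri;
    $this->body = $body;
    $this->parseUri($parameters);
    $this->parseHeaders();
    $this->transcodeParams();
}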
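/**
 * xAuth style exchange: create, authorize and exchange a request token in one step.
 *
 * Never returns: writes the access token as a form-encoded body (or a 401 on
 * failure) and calls exit().
 *
 * @param mixed $user_id id of the user the access token is issued for
 */
public function xauthAccessToken($user_id)
{
    OAuthRequestLogger::start($this);
    try {
        $options = array();
        // Client-requested lifetime; the store is expected to bound it.
        $ttl = $this->getParam('xoauth_token_ttl', false);
        if ($ttl) {
            $options['token_ttl'] = $ttl;
        }

        // Create a request token
        $store = OAuthStore::instance();
        $token = $store->addConsumerRequestToken($this->getParam('oauth_consumer_key', true), $options);

        // No referrer host is captured in this flow. Previously an undefined
        // variable was passed here; null keeps that behaviour but makes it explicit.
        $referrer_host = null;
        $verifier = $store->authorizeConsumerRequestToken($token['token'], $user_id, $referrer_host);
        if ($verifier) {
            $options['verifier'] = $verifier;
        }

        $token = $store->exchangeConsumerRequestForAccessToken($token['token'], $options);

        $result = 'oauth_token=' . $this->urlencode($token['token'])
            . '&oauth_token_secret=' . $this->urlencode($token['token_secret']);
        if (!empty($token['token_ttl'])) {
            $result .= '&xoauth_token_ttl=' . $this->urlencode($token['token_ttl']);
        }

        header('HTTP/1.1 200 OK');
        header('Content-Length: ' . strlen($result));
        header('Content-Type: application/x-www-form-urlencoded');
        echo $result;
    } catch (OAuthException2 $e) {
        // Plain text reply, so the message is not interpreted as markup by the client
        header('HTTP/1.1 401 Access Denied');
        header('Content-Type: text/plain');
        echo "OAuth Verification Failed: " . $e->getMessage();
    }
    OAuthRequestLogger::flush();
    exit;
}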
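/**
 * Open and close a curl session passing all the options to the curl libs
 *
 * The OAuth Authorization header is always added. Other entries of $opts are
 * passed to curl_setopt() after the defaults and may override them, except
 * CURLOPT_HTTPHEADER, which is merged with the generated headers. CURLOPT_HEADER
 * is re-applied after the caller's options so the result always starts with the
 * response headers.
 *
 * @param array $opts the curl options.
 * @throws OAuthException2 when a body is given with TRACE, when the temporary file
 *         for a PUT operation could not be created, or when curl reports an error
 * @return string the raw result of the curl action (response headers then body)
 */
protected function curl_raw($opts = array())
{
    $header = isset($opts[CURLOPT_HTTPHEADER]) ? $opts[CURLOPT_HTTPHEADER] : array();

    $ch = curl_init();
    $method = $this->getMethod();
    $url = $this->getRequestUrl();
    $header[] = $this->getAuthorizationHeader();
    $query = $this->getQueryString();
    $body = $this->getBody();
    $put_file = null;

    $has_content_type = false;
    foreach ($header as $h) {
        if (strncasecmp($h, 'Content-Type:', 13) == 0) {
            $has_content_type = true;
        }
    }

    if (!is_null($body)) {
        if ($method == 'TRACE') {
            throw new OAuthException2('A body can not be sent with a TRACE operation');
        }

        // PUT and POST allow a request body; the query string stays in the URL
        if (!empty($query)) {
            $url .= '?' . $query;
        }

        // Make sure that the content type of the request is ok
        if (!$has_content_type) {
            $header[] = 'Content-Type: application/octet-stream';
        }

        // When PUTting, we need to use an intermediate file (because of the curl implementation)
        if ($method == 'PUT') {
            $put_file = tmpfile();
            if (!$put_file) {
                throw new OAuthException2('Could not create tmpfile for PUT operation');
            }
            fwrite($put_file, $body);
            fseek($put_file, 0);
            curl_setopt($ch, CURLOPT_PUT, true);
            curl_setopt($ch, CURLOPT_INFILE, $put_file);
            curl_setopt($ch, CURLOPT_INFILESIZE, strlen($body));
        } else {
            curl_setopt($ch, CURLOPT_POST, true);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
        }
    } else {
        // a 'normal' request, no body to be send
        if ($method == 'POST') {
            // The query string becomes the form-encoded POST body
            if (!$has_content_type) {
                $header[] = 'Content-Type: application/x-www-form-urlencoded';
            }
            curl_setopt($ch, CURLOPT_POST, true);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $query);
        } else {
            if (!empty($query)) {
                $url .= '?' . $query;
            }
            if ($method != 'GET') {
                curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
            }
        }
    }

    curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
    curl_setopt($ch, CURLOPT_USERAGENT, 'anyMeta/OAuth 1.0 - ($LastChangedRevision: 134 $)');
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HEADER, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);

    // Caller options override the defaults above (HTTPHEADER was merged already)
    foreach ($opts as $k => $v) {
        if ($k != CURLOPT_HTTPHEADER) {
            curl_setopt($ch, $k, $v);
        }
    }
    // Always keep the response headers in the result, whatever the caller passed
    curl_setopt($ch, CURLOPT_HEADER, true);

    $txt = curl_exec($ch);
    $error = ($txt === false) ? curl_error($ch) : null;
    curl_close($ch);

    // Release the PUT temp file on both the success and the error path
    // (it used to leak when curl_exec() failed)
    if ($put_file) {
        fclose($put_file);
    }

    if ($txt === false) {
        throw new OAuthException2('CURL error: ' . $error);
    }

    // Tell the logger what we requested and what we received back
    $data = $method . " {$url}\n" . implode("\n", $header);
    if (is_string($body)) {
        $data .= "\n\n" . $body;
    } elseif ($method == 'POST') {
        $data .= "\n\n" . $query;
    }
    OAuthRequestLogger::setSent($data, $body);
    OAuthRequestLogger::setReceived($txt);

    return $txt;
}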
/**
 * Exchange a request token for an access token.
 * The exchange is only successful iff the request token has been authorized.
 *
 * Never returns, calls exit() when token is exchanged or when error is returned.
 *
 * NOTE(review): this catches OAuthException while the sibling xauthAccessToken()
 * catches OAuthException2; confirm verify() throws something this catch sees,
 * otherwise the 401 reply is never sent and the logger is not flushed.
 */
public function accessToken()
{
    OAuthRequestLogger::start($this);
    try {
        // A request token is presented; it must already have been authorized
        $this->verify('request');

        $options = array();
        $ttl = $this->getParam('xoauth_token_ttl', false);
        if ($ttl) {
            $options['token_ttl'] = $ttl;
        }

        $store = OAuthStore::instance();
        $token = $store->exchangeConsumerRequestForAccessToken($this->getParam('oauth_token', true), $options);

        $pairs = array(
            'oauth_token=' . $this->urlencode($token['token']),
            'oauth_token_secret=' . $this->urlencode($token['token_secret']),
        );
        if (!empty($token['token_ttl'])) {
            $pairs[] = 'xoauth_token_ttl=' . $this->urlencode($token['token_ttl']);
        }
        $result = implode('&', $pairs);

        header('HTTP/1.1 200 OK');
        header('Content-Length: ' . strlen($result));
        header('Content-Type: application/x-www-form-urlencoded');
        echo $result;
    } catch (OAuthException $e) {
        header('HTTP/1.1 401 Access Denied');
        header('Content-Type: text/plain');
        echo "OAuth Verification Failed: " . $e->getMessage();
    }
    OAuthRequestLogger::flush();
    exit;
}
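/**
 * Record the failure in the request log and terminate with an XML error document.
 *
 * This constructor never returns normally: it calls die() with an <api_error>
 * document, so even `new OAuthException(...)` without `throw` ends the request.
 * The message is escaped for XML element content so a message containing '<',
 * '>' or '&' can neither break the document nor inject markup into the reply.
 *
 * @param string $message human readable description of the failure
 */
function __construct($message)
{
    Exception::__construct($message);
    OAuthRequestLogger::addNote('OAuthException: ' . $message);
    // Element content only needs &, < and > escaped; quotes are left as they are
    $escaped = htmlspecialchars($message, ENT_NOQUOTES, 'ISO-8859-1');
    die("<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\n" . '<api_error>' . $escaped . '</api_error>');
}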
/**
 * Record the failure in the request log; otherwise a plain Exception.
 *
 * @param string $message human readable description of the failure
 */
function __construct($message)
{
    $note = 'OAuthException: ' . $message;
    Exception::__construct($message);
    OAuthRequestLogger::addNote($note);
}
/**
 * Remember the reply we received, for the request trace.
 *
 * @param string $reply the raw reply as received
 * @return void
 */
public static function setReceived($reply)
{
    OAuthRequestLogger::$received = $reply;
}
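/**
 * Try to fetch an XRDS file at the given location. Sends an accept header preferring the xrds file.
 *
 * Only http and https are allowed for the fetch, since an XRDS document is expected
 * to be served over HTTP; redirects are not followed (CURLOPT_FOLLOWLOCATION is not set).
 * NOTE(review): no restriction is placed on the host in $uri here; confirm callers
 * validate discovery URIs before handing them to this method.
 *
 * @param string $uri location of the XRDS document
 * @return string|false the raw response (headers followed by body), false on a curl error
 */
protected static function curl($uri)
{
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_HTTPHEADER, array('Accept: application/xrds+xml, */*;q=0.1'));
    curl_setopt($ch, CURLOPT_USERAGENT, 'anyMeta/OAuth 1.0 - (OAuth Discovery $LastChangedRevision: 45 $)');
    curl_setopt($ch, CURLOPT_URL, $uri);
    curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HEADER, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);

    $txt = curl_exec($ch);
    curl_close($ch);

    // Tell the logger what we requested and what we received back
    OAuthRequestLogger::setSent("GET {$uri}", "");
    OAuthRequestLogger::setReceived($txt);

    return $txt;
}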
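/**
 * Entry point for OAuth-protected API calls.
 *
 * Verifies the access token, then dispatches on the POSTed 'function' value
 * (lowercase letters only) to the matching Coppermine script. Never returns:
 * every path ends in exit() or in an OAuthException, whose constructor in this
 * code base terminates the request with an XML error document.
 *
 * @return void
 */
public function access_protected_resource()
{
    global $CONFIG, $THEME_DIR, $USER, $CAT_LIST;
    global $cpg_udb; // Needed for "lastcomby" meta album in picture list

    try {
        $result = $this->verify('access');
        if ($result != null) {
            define('API_CALL', true);
            $superCage = Inspekt::makeSuperCage();
            // Anything but a lowercase alphabetic name ends up in the default branch
            $matches = $superCage->post->getMatched('function', '/^[a-z]+$/');
            $function = isset($matches[0]) ? $matches[0] : '';

            switch ($function) {
                case 'upload':
                    require 'db_input.php';
                    break;

                case 'alblist':
                    define('IN_COPPERMINE', true);
                    require 'include/init.inc.php';
                    pub_user_albums();
                    upload_form_alb_list('', '');
                    break;

                case 'piclist':
                    define('IN_COPPERMINE', true);
                    require 'include/init.inc.php';
                    if ($superCage->post->getInt('album')) {
                        pub_user_albums();
                        upload_form_alb_list('', '');
                    } elseif ($album = $superCage->post->getAlpha('album')) {
                        $allowed = array('lastcom', 'lastcomby', 'lastup', 'lastupby', 'topn', 'toprated', 'lasthits');
                        // Explicit throw: the code used to rely solely on the exception
                        // constructor calling die() to stop the request here.
                        if (!in_array($album, $allowed, true)) {
                            throw new OAuthException("Valid meta album names for this function are: 'lastcom', 'lastcomby', 'lastup', 'lastupby', 'topn', 'toprated', and 'lasthits'");
                        }
                        $USER['uid'] = USER_ID;
                        require 'thumbnails.php';
                    } else {
                        // No album provided
                        throw new OAuthException('No album provided via HTTP POST');
                    }
                    break;

                case 'search':
                    define('IN_COPPERMINE', true);
                    require 'include/init.inc.php';
                    require 'thumbnails.php';
                    break;

                case 'catlist':
                    define('IN_COPPERMINE', true);
                    require 'include/init.inc.php';
                    api_cat_list();
                    break;

                default:
                    throw new OAuthException('No function specified via HTTP POST');
            }
        }
    } catch (OAuthException $e) {
        header('HTTP/1.1 401 Access Denied');
        header('Content-Type: text/xml');
        throw new OAuthException($e->getMessage());
    }
    OAuthRequestLogger::flush();
    exit;
}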
/**
 * Exchange a request token for an access token.
 * The exchange is only successful if the request token has been authorized.
 *
 * Never returns: on success the token pair is echoed inside an <access_token>
 * element and exit() is called; on failure a 401 is sent and an OAuthException
 * is raised (the OAuthException constructor used here appears to die() with an
 * XML error document — verify).
 *
 * NOTE(review): the bare '&' between the two pairs is not well-formed XML;
 * confirm how clients parse this reply before changing it.
 */
public function accessToken()
{
    OAuthRequestLogger::start($this);
    try {
        $this->verify('request');
        $store = OAuthStore::instance();
        $token = $store->exchangeConsumerRequestForAccessToken($this->getParam('oauth_token', true));

        $pair = 'oauth_token=' . $this->urlencode($token['token'])
            . '&oauth_token_secret=' . $this->urlencode($token['token_secret']);
        $result = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\n"
            . '<access_token>' . $pair . '</access_token>';

        header('HTTP/1.1 200 OK');
        header('Content-Length: ' . strlen($result));
        // No Content-Type header is sent with the success reply
        echo $result;
    } catch (OAuthException $e) {
        header('HTTP/1.1 401 Access Denied');
        header('Content-Type: text/xml');
        throw new OAuthException($e->getMessage());
    }
    OAuthRequestLogger::flush();
    exit;
}
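/**
 * This method parses the $_REQUEST superglobal and looks for
 * the following information:
 * 1/ user authentication - username+password or token (wsusername, wspassword and wstoken parameters)
 * 2/ function name (wsfunction parameter)
 * 3/ function parameters (all other parameters except those above)
 *
 * The response format (json, atom or xml) is taken from the 'alt' parameter,
 * the Accept header or the Content-Type header. When the OAuth protocol is
 * enabled, a request that presents OAuth material (an oauth_token parameter or
 * any header mentioning "oauth") must verify; an OAuth failure on a request
 * without such material is ignored so the other authentication methods get
 * their turn.
 *
 * @return void
 */
protected function parse_request()
{
    // determine the request/response format
    $alt = array();
    if (isset($_REQUEST['alt'])) {
        $alt[] = trim($_REQUEST['alt']);
    }
    if (isset($_GET['alt'])) {
        $alt[] = trim($_GET['alt']);
    }
    $accept = isset($_SERVER['HTTP_ACCEPT']) ? $_SERVER['HTTP_ACCEPT'] : null;
    // Guarded with isset: the atom check used to read CONTENT_TYPE unconditionally
    $content_type = isset($_SERVER['CONTENT_TYPE']) ? $_SERVER['CONTENT_TYPE'] : null;
    $json_types = array('application/json', 'application/jsonrequest');

    if (in_array('json', $alt, true)
        || in_array($accept, $json_types, true)
        || in_array($content_type, $json_types, true)) {
        $this->format = 'json';
    } elseif (in_array('atom', $alt, true)
        || $accept === 'application/atom+xml'
        || $content_type === 'application/atom+xml') {
        $this->format = 'atom';
    } else {
        $this->format = 'xml';
    }
    unset($_REQUEST['alt']);
    $this->parameters = $_REQUEST;

    // if we should have one - setup the OAuth server handler
    if (webservice_protocol_is_enabled('oauth')) {
        OAuthStore::instance('Mahara');
        $this->oauth_server = new OAuthServer();
        $oauth_token = null;
        $headers = OAuthRequestLogger::getAllHeaders();
        try {
            $oauth_token = $this->oauth_server->verifyExtended();
        } catch (OAuthException2 $e) {
            // A request that presented OAuth material must not fall through to
            // another auth method; let all others fail over to the checks below
            if (isset($_REQUEST['oauth_token']) || preg_grep('/oauth/', array_values($headers))) {
                $this->auth = 'OAUTH';
                throw $e;
            }
        }
        if ($oauth_token) {
            $this->authmethod = WEBSERVICE_AUTHMETHOD_OAUTH_TOKEN;
            $token = $this->oauth_server->getParam('oauth_token');
            $store = OAuthStore::instance();
            $secrets = $store->getSecretsForVerify($oauth_token['consumer_key'], $this->oauth_server->urldecode($token), 'access');
            $this->oauth_token_details = $secrets;

            // the content type might be different for the OAuth client
            if (isset($headers['Content-Type']) && $headers['Content-Type'] == 'application/octet-stream' && $this->format != 'json') {
                $body = file_get_contents('php://input');
                parse_str($body, $parameters);
                $this->parameters = array_merge($this->parameters, $parameters);
            }
        }
    }

    // make sure oauth parameters are gone (unset on a missing key is a no-op)
    $oauth_params = array('oauth_nonce', 'oauth_timestamp', 'oauth_consumer_key', 'oauth_signature_method', 'oauth_version', 'oauth_token', 'oauth_signature');
    foreach ($oauth_params as $param) {
        unset($this->parameters[$param]);
    }

    // merge parameters from JSON request body if there is one
    if ($this->format == 'json') {
        // get request body; a body that is not valid JSON simply adds nothing
        $values = (array) json_decode(file_get_contents('php://input'), true);
        if (!empty($values)) {
            $this->parameters = array_merge($this->parameters, $values);
        }
    }

    if ($this->authmethod == WEBSERVICE_AUTHMETHOD_USERNAME) {
        $this->username = isset($this->parameters['wsusername']) ? trim($this->parameters['wsusername']) : null;
        unset($this->parameters['wsusername']);
        $this->password = isset($this->parameters['wspassword']) ? trim($this->parameters['wspassword']) : null;
        unset($this->parameters['wspassword']);
    } elseif ($this->authmethod == WEBSERVICE_AUTHMETHOD_PERMANENT_TOKEN) {
        // is some other form of token - what kind is it?
        $this->token = isset($this->parameters['wstoken']) ? trim($this->parameters['wstoken']) : null;
        unset($this->parameters['wstoken']);
    }

    $this->functionname = isset($this->parameters['wsfunction']) ? trim($this->parameters['wsfunction']) : null;
    unset($this->parameters['wsfunction']);
}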