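 /**
  * Build the exception, record it in the request logger and hand the
  * message to the base Exception class.
  *
  * The previous body also contained `if ($debug) { echo message; }`.
  * `$debug` is never defined in this scope and `message` is an undefined
  * constant, so the branch never executed (and, had it, would have echoed
  * the literal string "message" — or thrown an Error on PHP 8 — straight
  * into the HTTP response). It is dropped: failure details belong in the
  * logger note, not in the response body.
  *
  * @param string $message human readable description of the OAuth failure
  */
 function __construct($message)
 {
     Exception::__construct($message);
     OAuthRequestLogger::addNote('OAuthException2: ' . $message);
 }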
 /**
  * Verify the request only when it carries an oauth_consumer_key.
  *
  * A request without a consumer key is treated as unsigned and simply
  * reported as such. A request with one is handed to verify(), which throws
  * when the signature or token does not check out. Note that a failing
  * verify() propagates before OAuthRequestLogger::flush() is reached, so the
  * logger is only flushed on the success path.
  *
  * @param string $token_type kind of token the request must carry, 'access' by default
  * @exception OAuthException thrown by verify() when a signed request fails verification
  * @return boolean true when the request was signed (and verified), false when unsigned
  */
 public function verifyIfSigned($token_type = 'access')
 {
     $hasConsumerKey = (bool) $this->getParam('oauth_consumer_key');
     if (!$hasConsumerKey) {
         return false;
     }
     OAuthRequestLogger::start($this);
     $this->verify($token_type);
     OAuthRequestLogger::flush();
     return true;
 }
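 /**
  * Construct from the current request. Useful for checking the signature of a request.
  * When not supplied with any parameters this will use the current request.
  *
  * Security notes:
  *  - On non-anyMeta systems the request URI is rebuilt from $_SERVER['HTTPS'],
  *    $_SERVER['HTTP_HOST'] and $_SERVER['REQUEST_URI']. The Host header is
  *    client supplied; a spoofed host only changes the signature base string,
  *    so a mismatch fails closed (the signature will not verify). Behind a
  *    TLS-terminating proxy $_SERVER['HTTPS'] is typically unset, so the base
  *    string is built with 'http' and https-signed requests will not verify
  *    unless the front end sets HTTPS=on.
  *  - A form-encoded POST carrying an X-OAuth-Test header has its body left
  *    out of the OAuth parameters (and therefore out of whatever is signed).
  *    That is a test hook; make sure it is not reachable in production, or
  *    that the application never acts on body parameters it did not sign.
  *
  * Fix relative to the previous version: the $headers argument was
  * unconditionally overwritten with OAuthRequestLogger::getAllHeaders(), so a
  * caller could never supply its own headers. They are now only read from the
  * environment when none were given.
  *
  * @param string	uri				might include parameters
  * @param string	method			GET, PUT, POST etc.
  * @param string	parameters		additional post parameters, urlencoded (RFC1738)
  * @param array		headers			headers for request (read from the environment when empty)
  * @param string	body			optional body of the OAuth request (POST or PUT)
  */
 function __construct($uri = null, $method = null, $parameters = '', $headers = array(), $body = null)
 {
     if (is_object($_SERVER)) {
         // Tainted arrays - the normal stuff in anyMeta
         if (!$method) {
             $method = $_SERVER->REQUEST_METHOD->getRawUnsafe();
         }
         if (empty($uri)) {
             $uri = $_SERVER->REQUEST_URI->getRawUnsafe();
         }
     } else {
         // non anyMeta systems
         if (!$method) {
             $method = $_SERVER['REQUEST_METHOD'];
         }
         $proto = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on' ? 'https' : 'http';
         if (empty($uri)) {
             $uri = sprintf('%s://%s%s', $proto, $_SERVER['HTTP_HOST'], $_SERVER['REQUEST_URI']);
         }
     }
     // Only fall back to the environment when the caller did not hand us headers.
     if (empty($headers)) {
         $headers = OAuthRequestLogger::getAllHeaders();
     }
     $this->method = strtoupper($method);
     // If this is a post then also check the posted variables
     if (strcasecmp($method, 'POST') == 0) {
         // TODO: 'multipart/form-data' POSTs get no special treatment; their body is
         // read into $body like any other non-form content type.
         if ($this->getRequestContentType() == 'application/x-www-form-urlencoded') {
             // Get the posted body (when available); see the X-OAuth-Test note above
             if (!isset($headers['X-OAuth-Test'])) {
                 $parameters .= $this->getRequestBody();
             }
         } else {
             $body = $this->getRequestBody();
         }
     } elseif (strcasecmp($method, 'PUT') == 0) {
         $body = $this->getRequestBody();
     }
     $this->headers = $headers;
     // Store the values, prepare for oauth
     $this->uri = $uri;
     $this->body = $body;
     $this->parseUri($parameters);
     $this->parseHeaders();
     $this->transcodeParams();
 }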
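 /**
  * xAuth style token issue: create a request token for the calling consumer,
  * authorize it for $user_id and immediately exchange it for an access token,
  * which is written to the response as oauth_token=...&oauth_token_secret=...
  * (plus xoauth_token_ttl when the store returned one).
  *
  * This method does not verify the request signature or the user's
  * credentials itself; it trusts the $user_id it is given. NOTE(review):
  * confirm every call site verifies the request and authenticates the user
  * first, otherwise this hands out access tokens for an arbitrary user id.
  *
  * On any OAuthException2 a 401 with the exception message as plain text is
  * sent instead. Never returns: calls exit() after writing the response.
  *
  * @param mixed $user_id id of the (already authenticated) user the token is issued for
  */
 public function xauthAccessToken($user_id)
 {
     OAuthRequestLogger::start($this);
     try {
         $options = array();
         $ttl = $this->getParam('xoauth_token_ttl', false);
         if ($ttl) {
             $options['token_ttl'] = $ttl;
         }
         // Create a request token
         $store = OAuthStore::instance();
         $token = $store->addConsumerRequestToken($this->getParam('oauth_consumer_key', true), $options);
         // The previous version passed an undefined $referrer_host here (null plus a
         // notice); there is no referrer in the xAuth flow, so pass null explicitly.
         $verifier = $store->authorizeConsumerRequestToken($token['token'], $user_id, null);
         if ($verifier) {
             $options['verifier'] = $verifier;
         }
         $token = $store->exchangeConsumerRequestForAccessToken($token['token'], $options);
         $result = 'oauth_token=' . $this->urlencode($token['token']) . '&oauth_token_secret=' . $this->urlencode($token['token_secret']);
         if (!empty($token['token_ttl'])) {
             $result .= '&xoauth_token_ttl=' . $this->urlencode($token['token_ttl']);
         }
         header('HTTP/1.1 200 OK');
         // strlen() is intentional: Content-Length is a byte count
         header('Content-Length: ' . strlen($result));
         header('Content-Type: application/x-www-form-urlencoded');
         echo $result;
     } catch (OAuthException2 $e) {
         header('HTTP/1.1 401 Access Denied');
         header('Content-Type: text/plain');
         echo "OAuth Verification Failed: " . $e->getMessage();
     }
     OAuthRequestLogger::flush();
     exit;
 }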
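 /**
  * Open and close a curl session passing all the options to the curl libs
  *
  * Options in $opts are applied after the defaults set here (CURLOPT_HTTPHEADER
  * is merged with the Authorization header instead), so a caller can override
  * e.g. CURLOPT_TIMEOUT — and can also weaken the transport by passing
  * CURLOPT_SSL_VERIFYPEER => false; keep $opts under application control.
  * CURLOPT_HEADER is re-applied after the caller options so the returned
  * string always starts with the response headers.
  *
  * The full request, including the Authorization header and body, is handed
  * to OAuthRequestLogger; treat that log as sensitive.
  *
  * Fix relative to the previous version: the temporary file staged for a PUT
  * body is now closed explicitly on the curl_exec() failure path too.
  *
  * @param array opts the curl options.
  * @exception OAuthException2 when the temporary file for a PUT operation could not be
  *            created, when a body is given for a TRACE request, or when curl reports an error
  * @return string the result of the curl action (response headers followed by the body)
  */
 protected function curl_raw($opts = array())
 {
     $header = isset($opts[CURLOPT_HTTPHEADER]) ? $opts[CURLOPT_HTTPHEADER] : array();
     $ch = curl_init();
     $method = $this->getMethod();
     $url = $this->getRequestUrl();
     $header[] = $this->getAuthorizationHeader();
     $query = $this->getQueryString();
     $body = $this->getBody();
     $put_file = null;
     $has_content_type = false;
     foreach ($header as $h) {
         if (strncasecmp($h, 'Content-Type:', 13) == 0) {
             $has_content_type = true;
         }
     }
     if (!is_null($body)) {
         if ($method == 'TRACE') {
             throw new OAuthException2('A body can not be sent with a TRACE operation');
         }
         // PUT and POST allow a request body; the query string stays in the URL
         if (!empty($query)) {
             $url .= '?' . $query;
         }
         // Make sure that the content type of the request is ok
         if (!$has_content_type) {
             $header[] = 'Content-Type: application/octet-stream';
         }
         if ($method == 'PUT') {
             // curl reads a PUT body from a file handle, so stage it in a temp file
             $put_file = @tmpfile();
             if (!$put_file) {
                 throw new OAuthException2('Could not create tmpfile for PUT operation');
             }
             fwrite($put_file, $body);
             fseek($put_file, 0);
             curl_setopt($ch, CURLOPT_PUT, true);
             curl_setopt($ch, CURLOPT_INFILE, $put_file);
             curl_setopt($ch, CURLOPT_INFILESIZE, strlen($body));
         } else {
             curl_setopt($ch, CURLOPT_POST, true);
             curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
         }
     } else {
         // a 'normal' request, no body to be send
         if ($method == 'POST') {
             if (!$has_content_type) {
                 $header[] = 'Content-Type: application/x-www-form-urlencoded';
             }
             curl_setopt($ch, CURLOPT_POST, true);
             curl_setopt($ch, CURLOPT_POSTFIELDS, $query);
         } else {
             if (!empty($query)) {
                 $url .= '?' . $query;
             }
             if ($method != 'GET') {
                 curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
             }
         }
     }
     curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
     curl_setopt($ch, CURLOPT_USERAGENT, 'anyMeta/OAuth 1.0 - ($LastChangedRevision: 134 $)');
     curl_setopt($ch, CURLOPT_URL, $url);
     curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
     curl_setopt($ch, CURLOPT_HEADER, true);
     curl_setopt($ch, CURLOPT_TIMEOUT, 30);
     // Caller options win over the defaults above (the header list was merged already)
     foreach ($opts as $k => $v) {
         if ($k != CURLOPT_HTTPHEADER) {
             curl_setopt($ch, $k, $v);
         }
     }
     // Forced back on: the caller must not be able to strip the headers from the result
     curl_setopt($ch, CURLOPT_HEADER, true);
     $txt = curl_exec($ch);
     if ($txt === false) {
         $error = curl_error($ch);
         curl_close($ch);
         if ($put_file) {
             fclose($put_file);
         }
         throw new OAuthException2('CURL error: ' . $error);
     }
     curl_close($ch);
     if ($put_file) {
         fclose($put_file);
     }
     // Tell the logger what we requested and what we received back
     $data = $method . " {$url}\n" . implode("\n", $header);
     if (is_string($body)) {
         $data .= "\n\n" . $body;
     } elseif ($method == 'POST') {
         $data .= "\n\n" . $query;
     }
     OAuthRequestLogger::setSent($data, $body);
     OAuthRequestLogger::setReceived($txt);
     return $txt;
 }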
파일: OAuthServer.php 프로젝트: voota/voota
 /**
  * Exchange a request token for an access token.
  * The exchange is only succesful iff the request token has been authorized.
  *
  * The request is first verified as a signed 'request'-token request; on
  * success the token returned by the store is written out form-encoded
  * (oauth_token, oauth_token_secret and, when the store supplied one,
  * xoauth_token_ttl). On any OAuthException a 401 is sent with the exception
  * message as plain text.
  *
  * Never returns, calls exit() when token is exchanged or when error is returned.
  */
 public function accessToken()
 {
     OAuthRequestLogger::start($this);
     try {
         $this->verify('request');
         $options = array();
         $requestedTtl = $this->getParam('xoauth_token_ttl', false);
         if ($requestedTtl) {
             $options['token_ttl'] = $requestedTtl;
         }
         $store = OAuthStore::instance();
         $requestToken = $this->getParam('oauth_token', true);
         $issued = $store->exchangeConsumerRequestForAccessToken($requestToken, $options);
         $fields = array(
             'oauth_token=' . $this->urlencode($issued['token']),
             'oauth_token_secret=' . $this->urlencode($issued['token_secret']),
         );
         if (!empty($issued['token_ttl'])) {
             $fields[] = 'xoauth_token_ttl=' . $this->urlencode($issued['token_ttl']);
         }
         $responseBody = implode('&', $fields);
         header('HTTP/1.1 200 OK');
         header('Content-Length: ' . strlen($responseBody));
         header('Content-Type: application/x-www-form-urlencoded');
         echo $responseBody;
     } catch (OAuthException $e) {
         header('HTTP/1.1 401 Access Denied');
         header('Content-Type: text/plain');
         echo "OAuth Verification Failed: " . $e->getMessage();
     }
     OAuthRequestLogger::flush();
     exit;
 }
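 /**
  * Log the failure and terminate the request with a small XML error document.
  *
  * This constructor never returns: die() ends the script, so the exception
  * object is never actually thrown — call sites that write
  * `new OAuthException(...)` without `throw` rely on that. The message is
  * escaped before it is written, because messages may echo request-supplied
  * values and a raw '<' or '&' would otherwise break (or inject into) the
  * XML document.
  *
  * @param string $message description of the failure, written inside <api_error>
  */
 function __construct($message)
 {
     Exception::__construct($message);
     OAuthRequestLogger::addNote('OAuthException: ' . $message);
     $escaped = htmlspecialchars($message, ENT_QUOTES, 'ISO-8859-1');
     die("<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\n" . '<api_error>' . $escaped . '</api_error>');
 }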
 /**
  * Record the failure in the request logger and build the exception. Unlike
  * the die()-ing variant above this one returns, so callers must `throw` it.
  *
  * @param string $message description of the failure
  */
 function __construct($message)
 {
     $note = 'OAuthException: ' . $message;
     Exception::__construct($message);
     OAuthRequestLogger::addNote($note);
 }
 /**
  * Remember the raw reply that came back for the current request so it can
  * be flushed to the log together with what was sent.
  *
  * @param string $reply raw response as received (headers and body)
  */
 static function setReceived($reply)
 {
     $received = $reply;
     OAuthRequestLogger::$received = $received;
 }
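 /**
  * Try to fetch an XRDS file at the given location.  Sends an accept header preferring the xrds file.
  *
  * Redirects are not followed (CURLOPT_FOLLOWLOCATION is left at its default),
  * and the transfer is restricted to http/https: discovery URIs may originate
  * from user-supplied identifiers, and without the restriction curl would
  * happily fetch file://, ftp:// or gopher:// targets on the server's behalf.
  * Callers should still validate the host if internal addresses are a concern.
  *
  * @param string uri location of the XRDS document
  * @return string|false raw response (headers followed by body), false on a curl error
  */
 protected static function curl($uri)
 {
     $ch = curl_init();
     curl_setopt($ch, CURLOPT_HTTPHEADER, array('Accept: application/xrds+xml, */*;q=0.1'));
     curl_setopt($ch, CURLOPT_USERAGENT, 'anyMeta/OAuth 1.0 - (OAuth Discovery $LastChangedRevision: 45 $)');
     curl_setopt($ch, CURLOPT_URL, $uri);
     // Only web schemes for discovery; see the note in the docblock
     curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
     curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
     curl_setopt($ch, CURLOPT_HEADER, true);
     curl_setopt($ch, CURLOPT_TIMEOUT, 30);
     $txt = curl_exec($ch);
     curl_close($ch);
     // Tell the logger what we requested and what we received back
     $data = "GET {$uri}";
     OAuthRequestLogger::setSent($data, "");
     OAuthRequestLogger::setReceived($txt);
     return $txt;
 }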
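 /**
  * Serve a protected-resource call for the Coppermine API.
  *
  * The request is verified as an 'access'-token request first; only then is
  * the requested function (POST field 'function', restricted to [a-z]+) dispatched
  * to the matching Coppermine script. Every require path below is a fixed
  * literal, so the user-controlled function name never reaches the filesystem.
  *
  * Fix relative to the previous version: the two OAuthException objects in the
  * 'piclist' branch were constructed without `throw`, so unless the exception
  * constructor itself terminates the script, an invalid or missing album name
  * fell through to `require 'thumbnails.php'`. They are now thrown.
  *
  * Any OAuthException ends in a 401 with an XML content type, re-thrown for the
  * exception machinery to render. Never returns: calls exit().
  */
 public function access_protected_resource()
 {
     global $CONFIG, $THEME_DIR, $USER, $CAT_LIST;
     global $cpg_udb;
     // Needed for "lastcomby" meta album in picture list
     try {
         $result = $this->verify('access');
         if ($result != null) {
             define('API_CALL', true);
             $superCage = Inspekt::makeSuperCage();
             $matches = $superCage->post->getMatched('function', '/^[a-z]+$/');
             // getMatched() yields no usable match for a missing/invalid field; treat as unspecified
             $function = (is_array($matches) && isset($matches[0])) ? $matches[0] : null;
             switch ($function) {
                 case 'upload':
                     require 'db_input.php';
                     break;
                 case 'alblist':
                     define('IN_COPPERMINE', true);
                     require 'include/init.inc.php';
                     pub_user_albums();
                     upload_form_alb_list('', '');
                     break;
                 case 'piclist':
                     define('IN_COPPERMINE', true);
                     require 'include/init.inc.php';
                     if ($superCage->post->getInt('album')) {
                         pub_user_albums();
                         upload_form_alb_list('', '');
                     } else {
                         if ($album = $superCage->post->getAlpha('album')) {
                             $allowed = array('lastcom', 'lastcomby', 'lastup', 'lastupby', 'topn', 'toprated', 'lasthits');
                             if (!in_array($album, $allowed, true)) {
                                 throw new OAuthException("Valid meta album names for this function are: 'lastcom', 'lastcomby', 'lastup', 'lastupby', 'topn', 'toprated', and 'lasthits'");
                             }
                             $USER['uid'] = USER_ID;
                             require 'thumbnails.php';
                         } else {
                             // No album provided
                             throw new OAuthException('No album provided via HTTP POST');
                         }
                     }
                     break;
                 case 'search':
                     define('IN_COPPERMINE', true);
                     require 'include/init.inc.php';
                     require 'thumbnails.php';
                     break;
                 case 'catlist':
                     define('IN_COPPERMINE', true);
                     require 'include/init.inc.php';
                     api_cat_list();
                     break;
                 default:
                     throw new OAuthException('No function specified via HTTP POST');
             }
         }
     } catch (OAuthException $e) {
         header('HTTP/1.1 401 Access Denied');
         header('Content-Type: text/xml');
         throw new OAuthException($e->getMessage());
     }
     OAuthRequestLogger::flush();
     exit;
 }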
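 /**
  * Exchange a request token for an access token.
  * The exchange is only succesful if the request token has been authorized.
  *
  * The request is verified as a signed 'request'-token request; on success the
  * token is written out as an <access_token> XML element whose text is the
  * form-encoded oauth_token/oauth_token_secret pair (values are urlencoded, so
  * the element text stays well-formed). Errors end in a 401 with an XML content
  * type and are re-thrown for the exception machinery to render.
  *
  * Fix relative to the previous version: the success response carried no
  * Content-Type at all (the x-www-form-urlencoded header had been commented
  * out); it now sends text/xml, matching the body and the error branch.
  *
  * Never returns: calls exit().
  */
 public function accessToken()
 {
     OAuthRequestLogger::start($this);
     try {
         $this->verify('request');
         $store = OAuthStore::instance();
         $token = $store->exchangeConsumerRequestForAccessToken($this->getParam('oauth_token', true));
         $result = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\n" . '<access_token>oauth_token=' . $this->urlencode($token['token']) . '&oauth_token_secret=' . $this->urlencode($token['token_secret']) . '</access_token>';
         header('HTTP/1.1 200 OK');
         header('Content-Length: ' . strlen($result));
         header('Content-Type: text/xml');
         echo $result;
     } catch (OAuthException $e) {
         header('HTTP/1.1 401 Access Denied');
         header('Content-Type: text/xml');
         throw new OAuthException($e->getMessage());
     }
     OAuthRequestLogger::flush();
     exit;
 }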
파일: locallib.php 프로젝트: rboyatt/mahara
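 /**
  * This method parses the $_REQUEST superglobal and looks for
  * the following information:
  *  1/ user authentication - username+password or token (wsusername, wspassword and wstoken parameters)
  *  2/ function name (wsfunction parameter)
  *  3/ function parameters (all other parameters except those above)
  *
  * Response format: 'json' when alt=json is requested or the Accept /
  * Content-Type header is exactly application/json or application/jsonrequest;
  * 'atom' by the same rule for application/atom+xml; otherwise 'xml'.
  *
  * OAuth: when the oauth protocol is enabled the request is run through
  * OAuthServer::verifyExtended(). A verification failure is only fatal when
  * the request looks like an OAuth request (an oauth_token parameter or any
  * header value containing "oauth"); otherwise it is ignored and the other
  * auth methods get their turn. On success the standard oauth_* parameters
  * are stripped from the parameter set, and an application/octet-stream body
  * is parsed as form data (unless the format is json).
  *
  * NOTE(review): the parameter set starts as a copy of $_REQUEST, whose
  * contents depend on request_order/variables_order; with the default
  * settings cookies are not included, but confirm that for this deployment
  * so cookie values cannot masquerade as ws parameters.
  *
  * Fix relative to the previous version: the atom check read
  * $_SERVER['CONTENT_TYPE'] without isset(), raising a notice on requests
  * without a Content-Type header.
  *
  * @return void
  */
 protected function parse_request()
 {
     // determine the request/response format
     $accept = isset($_SERVER['HTTP_ACCEPT']) ? $_SERVER['HTTP_ACCEPT'] : null;
     $contentType = isset($_SERVER['CONTENT_TYPE']) ? $_SERVER['CONTENT_TYPE'] : null;
     $requestAlt = isset($_REQUEST['alt']) ? trim($_REQUEST['alt']) : null;
     $getAlt = isset($_GET['alt']) ? trim($_GET['alt']) : null;
     $wantsJson = $requestAlt === 'json' || $getAlt === 'json'
         || $accept === 'application/json' || $accept === 'application/jsonrequest'
         || $contentType === 'application/json' || $contentType === 'application/jsonrequest';
     $wantsAtom = $requestAlt === 'atom' || $getAlt === 'atom'
         || $accept === 'application/atom+xml' || $contentType === 'application/atom+xml';
     if ($wantsJson) {
         $this->format = 'json';
     } elseif ($wantsAtom) {
         $this->format = 'atom';
     } else {
         $this->format = 'xml';
     }
     unset($_REQUEST['alt']);
     $this->parameters = $_REQUEST;
     // if we should have one - setup the OAuth server handler
     if (webservice_protocol_is_enabled('oauth')) {
         OAuthStore::instance('Mahara');
         $this->oauth_server = new OAuthServer();
         $oauth_token = null;
         $headers = OAuthRequestLogger::getAllHeaders();
         try {
             $oauth_token = $this->oauth_server->verifyExtended();
         } catch (OAuthException2 $e) {
             // let all others fail
             if (isset($_REQUEST['oauth_token']) || preg_grep('/oauth/', array_values($headers))) {
                 $this->auth = 'OAUTH';
                 throw $e;
             }
         }
         if ($oauth_token) {
             $this->authmethod = WEBSERVICE_AUTHMETHOD_OAUTH_TOKEN;
             $token = $this->oauth_server->getParam('oauth_token');
             $store = OAuthStore::instance();
             $secrets = $store->getSecretsForVerify($oauth_token['consumer_key'], $this->oauth_server->urldecode($token), 'access');
             $this->oauth_token_details = $secrets;
             // the content type might be different for the OAuth client
             if (isset($headers['Content-Type']) && $headers['Content-Type'] == 'application/octet-stream' && $this->format != 'json') {
                 $body = file_get_contents('php://input');
                 parse_str($body, $parameters);
                 $this->parameters = array_merge($this->parameters, $parameters);
             }
         }
     }
     // make sure oauth parameters are gone
     foreach (array('oauth_nonce', 'oauth_timestamp', 'oauth_consumer_key', 'oauth_signature_method', 'oauth_version', 'oauth_token', 'oauth_signature') as $param) {
         if (isset($this->parameters[$param])) {
             unset($this->parameters[$param]);
         }
     }
     // merge parameters from JSON request body if there is one
     if ($this->format == 'json') {
         // get request body
         $values = (array) json_decode(@file_get_contents('php://input'), true);
         if (!empty($values)) {
             $this->parameters = array_merge($this->parameters, $values);
         }
     }
     if ($this->authmethod == WEBSERVICE_AUTHMETHOD_USERNAME) {
         $this->username = isset($this->parameters['wsusername']) ? trim($this->parameters['wsusername']) : null;
         unset($this->parameters['wsusername']);
         $this->password = isset($this->parameters['wspassword']) ? trim($this->parameters['wspassword']) : null;
         unset($this->parameters['wspassword']);
     } elseif ($this->authmethod == WEBSERVICE_AUTHMETHOD_PERMANENT_TOKEN) {
         // is some other form of token - what kind is it?
         $this->token = isset($this->parameters['wstoken']) ? trim($this->parameters['wstoken']) : null;
         unset($this->parameters['wstoken']);
     }
     $this->functionname = isset($this->parameters['wsfunction']) ? trim($this->parameters['wsfunction']) : null;
     unset($this->parameters['wsfunction']);
 }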