}
# Sort out the grant tokens
$grant_token = api_oauth2_grant_tokens_get_by_code($code);
if ($ok && !$grant_token) {
$error = "invalid_grant 1";
$ok = 0;
}
if ($ok && $grant_token['code'] != $code) {
$error = "invalid_grant 2";
$ok = 0;
}
if ($ok && $grant_token['api_key_id'] != $key_row['id']) {
$error = "invalid_client 3";
$ok = 0;
}
if ($ok && !api_oauth2_grant_tokens_is_timely($grant_token)) {
$error = "invalid_grant 4";
$ok = 0;
}
if ($ok) {
$user = users_get_by_id($grant_token['user_id']);
if (!$user || $user['deleted']) {
$error = "invalid_request 5";
$ok = 0;
}
}
if (!$ok) {
$rsp = array('error' => $error);
local_send_json($rsp);
exit;
}
$ok = 0;
}
if ($ok && request_str("redirect_uri") != $key_row['app_callback']) {
$GLOBALS['smarty']->assign("error", "invalid_callback");
$ok = 0;
}
if ($ok && request_str("response_type") != "code") {
$GLOBALS['smarty']->assign("error", "invalid_type");
$ok = 0;
}
# Do we already have a grant token for this user?
# And yes this is a repeat of the code below that should maybe be
# moved in to a function or something. But for now it's fine...
# (20121024/straup)
if ($ok && ($token = api_oauth2_grant_tokens_get_for_user_and_key($GLOBALS['cfg']['user'], $key_row))) {
if (api_oauth2_grant_tokens_is_timely($token)) {
$rsp_params = array('code' => $token['code']);
if ($state = get_str("state")) {
$rsp_params['state'] = $state;
}
$rsp_params = http_build_query($rsp_params);
$url = $key_row['app_callback'] . "?" . $rsp_params;
header("location: {$url}");
exit;
} else {
api_oauth2_grant_tokens_delete($token);
}
}
# Do we already have an access token (with the same perms) for this user?
if ($ok && ($token_row = api_oauth2_access_tokens_get_for_user_and_key($GLOBALS['cfg']['user'], $key_row))) {
$perms_map = api_oauth2_access_tokens_permissions_map("string keys");
