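/**
 * This function looks at the super-global variable $_SERVER and extracts the various
 * header variables needed for the HMAC PAM, performing only basic validation on them.
 *
 * What is checked here: the HTTP method, the presence of every required header and a
 * coarse window on the client-supplied timestamp. The HMAC itself, the nonce replay
 * check and the acceptability of the named algorithms are left to the consumers of
 * the returned object (see cache_hmac_check_replay() for the replay side).
 *
 * @return stdClass Containing all the values: method, api_key, hmac, hmac_algo, time,
 *                  nonce and, for POST requests, posthash, posthash_algo, content_type.
 * @throws APIException Detailing any error.
 * @access private
 */
function get_and_validate_api_headers() {
	$result = new stdClass();
	$result->method = get_call_method();

	// Only allow these methods
	if ($result->method !== "GET" && $result->method !== "POST") {
		throw new APIException(elgg_echo('APIException:NotGetOrPost'));
	}

	// A bare read of a missing $_SERVER index raises a notice before the intended
	// APIException is reached; treat an absent header as an empty one instead so the
	// client always receives the typed "Missing*" error. Values are kept verbatim
	// (no trimming) because the caller feeds them into the signature check.
	$result->api_key = isset($_SERVER['HTTP_X_ELGG_APIKEY']) ? (string) $_SERVER['HTTP_X_ELGG_APIKEY'] : '';
	if ($result->api_key === '') {
		throw new APIException(elgg_echo('APIException:MissingAPIKey'));
	}

	$result->hmac = isset($_SERVER['HTTP_X_ELGG_HMAC']) ? (string) $_SERVER['HTTP_X_ELGG_HMAC'] : '';
	if ($result->hmac === '') {
		throw new APIException(elgg_echo('APIException:MissingHmac'));
	}

	$result->hmac_algo = isset($_SERVER['HTTP_X_ELGG_HMAC_ALGO']) ? (string) $_SERVER['HTTP_X_ELGG_HMAC_ALGO'] : '';
	if ($result->hmac_algo === '') {
		throw new APIException(elgg_echo('APIException:MissingHmacAlgo'));
	}

	$result->time = isset($_SERVER['HTTP_X_ELGG_TIME']) ? (string) $_SERVER['HTTP_X_ELGG_TIME'] : '';
	if ($result->time === '') {
		throw new APIException(elgg_echo('APIException:MissingTime'));
	}

	// Must have been sent within 25 hour period.
	// 25 hours is more than enough to handle server clock drift.
	// This value determines how long the HMAC cache needs to store previous
	// signatures. Heavy use of HMAC is better handled with a shorter sig lifetime.
	// See cache_hmac_check_replay()
	//
	// Snapshot the clock once so both bounds are computed against the same instant,
	// and reject non-numeric timestamps explicitly rather than relying on loose
	// string-to-number comparison, whose semantics differ between PHP versions.
	$now = time();
	if (!is_numeric($result->time)
			|| $result->time < $now - 90000
			|| $result->time > $now + 90000) {
		throw new APIException(elgg_echo('APIException:TemporalDrift'));
	}

	$result->nonce = isset($_SERVER['HTTP_X_ELGG_NONCE']) ? (string) $_SERVER['HTTP_X_ELGG_NONCE'] : '';
	if ($result->nonce === '') {
		throw new APIException(elgg_echo('APIException:MissingNonce'));
	}

	// POST bodies are covered by a separate hash; its headers are only required for POST.
	if ($result->method === "POST") {
		$result->posthash = isset($_SERVER['HTTP_X_ELGG_POSTHASH']) ? (string) $_SERVER['HTTP_X_ELGG_POSTHASH'] : '';
		if ($result->posthash === '') {
			throw new APIException(elgg_echo('APIException:MissingPOSTHash'));
		}

		$result->posthash_algo = isset($_SERVER['HTTP_X_ELGG_POSTHASH_ALGO']) ? (string) $_SERVER['HTTP_X_ELGG_POSTHASH_ALGO'] : '';
		if ($result->posthash_algo === '') {
			throw new APIException(elgg_echo('APIException:MissingPOSTAlgo'));
		}

		$result->content_type = isset($_SERVER['CONTENT_TYPE']) ? (string) $_SERVER['CONTENT_TYPE'] : '';
		if ($result->content_type === '') {
			throw new APIException(elgg_echo('APIException:MissingContentType'));
		}
	}

	return $result;
}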
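/**
 * This function looks at the super-global variable $_SERVER and extracts the various
 * header variables needed to pass to the validation functions after performing basic validation.
 *
 * Basic validation means: the HTTP method is GET or POST, every required header is
 * present and non-empty, the client timestamp lies within a 24 hour window of the
 * server clock, and the method's parameters could be resolved. Verifying the HMAC
 * against those values is left to the validation functions this object is passed to.
 *
 * @return stdClass Containing all the values: method, api_key, hmac, hmac_algo, time,
 *                  get_variables and, for POST requests, posthash, posthash_algo, content_type.
 * @throws APIException Detailing any error.
 */
function get_and_validate_api_headers() {
	$result = new stdClass();
	$result->method = get_call_method();

	if ($result->method !== "GET" && $result->method !== "POST") {
		// Only allow these methods
		throw new APIException(elgg_echo('APIException:NotGetOrPost'));
	}

	// A bare read of a missing $_SERVER index raises a notice before the intended
	// APIException is reached; treat an absent header as an empty one instead so the
	// client always receives the typed "Missing*" error. Values are kept verbatim
	// (no trimming) because the validation functions feed them into the signature.
	$result->api_key = isset($_SERVER['HTTP_X_ELGG_APIKEY']) ? (string) $_SERVER['HTTP_X_ELGG_APIKEY'] : '';
	if ($result->api_key === '') {
		throw new APIException(elgg_echo('APIException:MissingAPIKey'));
	}

	$result->hmac = isset($_SERVER['HTTP_X_ELGG_HMAC']) ? (string) $_SERVER['HTTP_X_ELGG_HMAC'] : '';
	if ($result->hmac === '') {
		throw new APIException(elgg_echo('APIException:MissingHmac'));
	}

	$result->hmac_algo = isset($_SERVER['HTTP_X_ELGG_HMAC_ALGO']) ? (string) $_SERVER['HTTP_X_ELGG_HMAC_ALGO'] : '';
	if ($result->hmac_algo === '') {
		throw new APIException(elgg_echo('APIException:MissingHmacAlgo'));
	}

	$result->time = isset($_SERVER['HTTP_X_ELGG_TIME']) ? (string) $_SERVER['HTTP_X_ELGG_TIME'] : '';
	if ($result->time === '') {
		throw new APIException(elgg_echo('APIException:MissingTime'));
	}

	// Basic timecheck, think about making this smaller if we get loads of users and the cache gets really big.
	// Snapshot the clock once so both bounds are computed against the same instant,
	// and reject non-numeric timestamps explicitly rather than relying on loose
	// string-to-number comparison, whose semantics differ between PHP versions.
	$now = microtime(true);
	if (!is_numeric($result->time)
			|| $result->time < $now - 86400.0
			|| $result->time > $now + 86400.0) {
		throw new APIException(elgg_echo('APIException:TemporalDrift'));
	}

	// The signed parameter set is resolved from the requested API method rather than
	// taken from the raw query string.
	$result->get_variables = get_parameters_for_method(get_input('method')); //$_SERVER['QUERY_STRING'];
	// The original loose `== ""` test is true for '' and null only (an array never
	// loosely equals a string), so spell out exactly those two cases.
	if ($result->get_variables === '' || $result->get_variables === null) {
		throw new APIException(elgg_echo('APIException:NoQueryString'));
	}

	// POST bodies are covered by a separate hash; its headers are only required for POST.
	if ($result->method === "POST") {
		$result->posthash = isset($_SERVER['HTTP_X_ELGG_POSTHASH']) ? (string) $_SERVER['HTTP_X_ELGG_POSTHASH'] : '';
		if ($result->posthash === '') {
			throw new APIException(elgg_echo('APIException:MissingPOSTHash'));
		}

		$result->posthash_algo = isset($_SERVER['HTTP_X_ELGG_POSTHASH_ALGO']) ? (string) $_SERVER['HTTP_X_ELGG_POSTHASH_ALGO'] : '';
		if ($result->posthash_algo === '') {
			throw new APIException(elgg_echo('APIException:MissingPOSTAlgo'));
		}

		$result->content_type = isset($_SERVER['CONTENT_TYPE']) ? (string) $_SERVER['CONTENT_TYPE'] : '';
		if ($result->content_type === '') {
			throw new APIException(elgg_echo('APIException:MissingContentType'));
		}
	}

	return $result;
}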