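# Decide whether the current API request carries a usable OAuth2 access token.
#
# $method  - method definition, passed by reference; only 'requires_perms' is
#            read directly here, the rest is handed to the token extractor.
# $key_row - ignored on input: it is always replaced by the API key that the
#            token row points at, so the key is bound to the token rather than
#            to anything the caller supplied.
#
# Returns array('ok' => 0, 'error' => ..., 'error_code' => ...) on refusal, or
# array('ok' => 1, 'access_token' => row, 'api_key' => row, 'user' => row|null)
# on success. 'user' is null only on the null-user path described below.
function api_auth_oauth2_has_auth(&$method, $key_row = null)
{
    $access_token = api_auth_oauth2_get_access_token($method);
    if (!$access_token) {
        return array('ok' => 0, 'error' => 'Required access token missing', 'error_code' => 400);
    }

    $token_row = api_oauth2_access_tokens_get_by_token($access_token);
    if (!$token_row) {
        return array('ok' => 0, 'error' => 'Invalid access token', 'error_code' => 400);
    }

    # NOTE(review): 502 is an unusual status for a revoked credential (401/403
    # would be conventional). Left as-is because callers may key off the code.
    if ($token_row['disabled']) {
        return array('ok' => 0, 'error' => 'Access token is disabled', 'error_code' => 502);
    }

    # A falsy 'expires' means the expiry test is skipped entirely.
    if ($token_row['expires'] && $token_row['expires'] < time()) {
        return array('ok' => 0, 'error' => 'Access token has expired', 'error_code' => 400);
    }

    # I find it singularly annoying that we have to do this here
    # but OAuth gets what [redacted] wants. See also: notes in
    # lib_api.php around ln 65 (20121026/straup)
    $key_row = api_keys_get_by_id($token_row['api_key_id']);

    # The key behind the token must itself pass validation; the helper's own
    # error response is returned unchanged when it does not.
    $rsp = api_keys_utils_is_valid_key($key_row);
    if (!$rsp['ok']) {
        return $rsp;
    }

    # Permission levels are compared with '<', i.e. treated as an ordered scale.
    if (isset($method['requires_perms'])) {
        if ($token_row['perms'] < $method['requires_perms']) {
            $perms_map = api_oauth2_access_tokens_permissions_map();
            # Unknown level: keep the empty label the message would have had,
            # without tripping an undefined-index notice.
            $required = isset($perms_map[$method['requires_perms']])
                ? $perms_map[$method['requires_perms']]
                : '';
            return array('ok' => 0, 'error' => "Insufficient permissions, method requires a token with '{$required}' permissions", 'error_code' => 403);
        }
    }

    # Ensure user-iness - this may seem like a no-brainer until you think
    # about how the site itself uses the API in the absence of a logged-in
    # user (20130508/straup)
    #
    # Default is to require a live user. The only exemption: the token has no
    # user_id, the feature flag is on, AND the key's role is on the configured
    # allow-list.
    $ensure_user = 1;
    $user = null;

    if (!$token_row['user_id'] && $key_row && features_is_enabled("api_oauth2_tokens_null_users")) {
        $key_role_id = $key_row['role_id'];
        $roles_map = api_keys_roles_map('string keys');

        # Fail closed on a missing or malformed allow-list: nothing is exempt.
        $valid_roles = isset($GLOBALS['cfg']['api_oauth2_tokens_null_users_allowed_roles'])
            ? $GLOBALS['cfg']['api_oauth2_tokens_null_users_allowed_roles']
            : array();
        if (!is_array($valid_roles)) {
            $valid_roles = array();
        }

        $valid_roles_ids = array();
        foreach ($valid_roles as $role) {
            # Skip role names the map does not know instead of pushing a
            # null ID into the list that in_array() compares against.
            if (isset($roles_map[$role])) {
                $valid_roles_ids[] = $roles_map[$role];
            }
        }

        # NOTE(review): in_array() is left non-strict because the types of
        # role_id and the map values are not visible here (database rows are
        # often strings) - confirm and switch to strict if both sides agree.
        $ensure_user = ($key_role_id && in_array($key_role_id, $valid_roles_ids)) ? 0 : 1;
    }

    if ($ensure_user) {
        $user = users_get_by_id($token_row['user_id']);
        if (!$user || $user['deleted']) {
            return array('ok' => 0, 'error' => 'Not a valid user', 'error_code' => 400);
        }
    }

    return array('ok' => 1, 'access_token' => $token_row, 'api_key' => $key_row, 'user' => $user);
}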
# OAuth2 gate for an API method: resolve the access token, check expiry,
# validate the key it belongs to, compare permission levels and (usually)
# require a live user.
#
# $key_row is overwritten with the key referenced by the token row; whatever
# the caller passed is not consulted.
#
# NOTE(review): this listing has no test of a 'disabled' flag on the token
# row, so a token can only be refused here via expiry, its key, permissions
# or its user.
function api_auth_oauth2_has_auth(&$method, $key_row = null)
{
    $bearer = api_auth_oauth2_get_access_token($method);

    if (!$bearer) {
        return array('ok' => 0, 'error' => 'Required access token missing', 'error_code' => 400);
    }

    $token_row = api_oauth2_access_tokens_get_by_token($bearer);

    if (!$token_row) {
        return array('ok' => 0, 'error' => 'Invalid access token', 'error_code' => 400);
    }

    # A falsy 'expires' is treated as "no expiry".
    $expires_at = $token_row['expires'];
    $now = time();

    if ($expires_at && $expires_at < $now) {
        return array('ok' => 0, 'error' => 'Access token has expired', 'error_code' => 400);
    }

    # The key is always derived from the token (original note, 20121026/straup,
    # points at lib_api.php around ln 65 for background).
    $key_row = api_keys_get_by_id($token_row['api_key_id']);
    $key_check = api_keys_utils_is_valid_key($key_row);

    if (!$key_check['ok']) {
        return $key_check;
    }

    # Permission levels are compared numerically; lower than required is refused.
    if (isset($method['requires_perms']) && $token_row['perms'] < $method['requires_perms']) {
        return array('ok' => 0, 'error' => 'Insufficient permissions', 'error_code' => 403);
    }

    # A user is required by default; the site uses the API without a
    # logged-in user, which is what the exemption below is for
    # (20130508/straup).
    $user = null;
    $ensure_user = 1;

    if (features_is_enabled("api_site_keys", "api_site_tokens")) {
        # NOTE(review): the original marks this spot "check that API key is a
        # site key", but no property of $key_row is examined. With the
        # feature on, every token row whose user_id is empty skips the user
        # lookup, whichever key it belongs to. Confirm that userless tokens
        # can only ever be minted for site keys, or add the key check here.
        if ($token_row['user_id']) {
            $ensure_user = 1;
        } else {
            $ensure_user = 0;
        }
    }

    if ($ensure_user) {
        $user = users_get_by_id($token_row['user_id']);

        if (!$user || $user['deleted']) {
            return array('ok' => 0, 'error' => 'Not a valid user', 'error_code' => 400);
        }
    }

    return array('ok' => 1, 'access_token' => $token_row, 'api_key' => $key_row, 'user' => $user);
}
<?php

include "include/init.php";
loadlib("api_keys");
loadlib("api_oauth2_access_tokens");
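# Page gates run before any token data is fetched. Presumably each helper
# ends the request itself when its condition is not met - confirm in
# include/init.php and the login library.
features_ensure_enabled("api");
login_ensure_loggedin();

# Optional pagination; get_int32() supplies the integer-filtered "page" value.
$more = array();
if ($page = get_int32("page")) {
    $more['page'] = $page;
}

# The lookup is scoped to the signed-in account taken from the global config,
# never to a user id read from the request.
$rsp = api_oauth2_access_tokens_for_user($GLOBALS['cfg']['user'], $more);

# A failed lookup may come back without a 'rows' list; render an empty page
# rather than iterating over a missing index.
$rows = (isset($rsp['rows']) && is_array($rsp['rows'])) ? $rsp['rows'] : array();

$tokens = array();
foreach ($rows as $row) {
    # NOTE(review): the whole key row is attached and handed to the template.
    # Confirm the template prints only fields the token owner should see and
    # escapes application-supplied text.
    $row['app'] = api_keys_get_by_id($row['api_key_id']);
    $tokens[] = $row;
}

$GLOBALS['smarty']->assign_by_ref("tokens", $tokens);

$perms_map = api_oauth2_access_tokens_permissions_map();
$GLOBALS['smarty']->assign_by_ref("permissions", $perms_map);

$GLOBALS['smarty']->display("page_api_oauth2_tokens.txt");
exit;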
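# Return a site token for $user (or for "no user" when $user is null),
# replacing the stored one when it, or the key behind it, is no longer
# usable.
#
# A stored token is discarded when its key is missing or deleted, or when the
# key or the token has less than five minutes of life left. Discarding means:
# delete the token row, drop the matching cache entry, then create a new site
# token.
#
# Returns the token row, or null when creation did not yield one.
function api_oauth2_access_tokens_fetch_site_token($user = null)
{
    $now = time();

    # Minimum remaining lifetime, in seconds, before a key or token is
    # rotated; avoids handing out a credential that lapses mid-use.
    $min_ttl = 300;

    $site_token = api_oauth2_access_tokens_get_site_token($user);

    if ($site_token) {
        $key = api_keys_get_by_id($site_token['api_key_id']);

        $valid_key = ($key && !$key['deleted']) ? 1 : 0;

        # Fix: a key with a falsy 'expires' passed the expiry test but then
        # failed the remaining-lifetime test (0 - $now is always below the
        # threshold), so its token was deleted and recreated on every call.
        # Both tests now treat a falsy key expiry as "does not expire".
        # NOTE(review): confirm that site keys without an expiry are meant
        # to be accepted.
        if ($valid_key && $key['expires'] && ($key['expires'] - $now) < $min_ttl) {
            $valid_key = 0;
        }

        # Tokens get no such exemption: a falsy or past 'expires' is stale.
        $valid_token = (($site_token['expires'] - $now) < $min_ttl) ? 0 : 1;

        if (!$valid_key || !$valid_token) {
            # The delete result is not inspected (see TO DO below).
            $rsp = api_oauth2_access_tokens_delete($site_token);

            # Clear the cached copy so the stale token cannot be served again.
            $user_id = $user ? $user['id'] : 0;
            $cache_key = "oauth2_access_token_site_{$user_id}";
            cache_unset($cache_key);

            $site_token = null;
        }
    }

    # TO DO: error handling / reporting
    if (!$site_token) {
        $rsp = api_oauth2_access_tokens_create_site_token($user);
        # A failed create may carry no 'token'; return null instead of
        # reading a missing index.
        $site_token = isset($rsp['token']) ? $rsp['token'] : null;
    }

    return $site_token;
}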