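/**
 * Handle a consumer's request to see if the end user is logged in
 * (OpenID checkid_setup / checkid_immediate).
 *
 * Reads the request parameters from $_REQUEST, checks that return_to
 * descends from trust_root, optionally sends a "paranoid" user through the
 * acceptance screen and an unauthenticated user through the authorization
 * screen, and finally redirects back to return_to with either a signed
 * id_res assertion or a user_setup_url.
 *
 * @param mixed $wait  truthy when the user may be redirected to the
 *                     accept/authorize screens (checkid_setup); falsy when
 *                     only a user_setup_url may be returned
 *                     (checkid_immediate)
 * @global array  $known    declared but not referenced in this function
 * @global array  $profile  IdP configuration (idp_url, req_url, lifetime, paranoid)
 * @global array  $sreg     simple-registration field name => value
 * @global string $USERNAME currently logged-in user, '' when nobody is
 */
function checkid($wait)
{
    global $known, $profile, $sreg;
    global $USERNAME;
    // This is a user session
    user_session();

    // Get the options, use defaults as necessary.
    // error_400()/error_get() are expected not to return; if they did,
    // $return_to/$identity would hold their return value — TODO confirm.
    $return_to = isset($_REQUEST['openid_return_to']) ? $_REQUEST['openid_return_to'] : error_400('Missing return_to');
    $identity = isset($_REQUEST['openid_identity']) ? $_REQUEST['openid_identity'] : error_get($return_to, 'Missing identity');
    $assoc_handle = isset($_REQUEST['openid_assoc_handle']) ? $_REQUEST['openid_assoc_handle'] : null;
    $trust_root = isset($_REQUEST['openid_trust_root']) ? $_REQUEST['openid_trust_root'] : $return_to;
    // PHP rewrites dots in incoming parameter names to underscores, so
    // "openid.sreg.required" arrives as "openid_sreg_required". The isset()
    // test and the read must therefore use the same underscored key.
    $sreg_required = isset($_REQUEST['openid_sreg_required']) ? $_REQUEST['openid_sreg_required'] : '';
    $sreg_optional = isset($_REQUEST['openid_sreg_optional']) ? $_REQUEST['openid_sreg_optional'] : '';

    // determine the cancel url ("!== false" so a '?' at offset 0 is not
    // mistaken for "no query string")
    $q = strpos($return_to, '?') !== false ? '&' : '?';
    $cancel_url = $return_to . $q . 'openid.mode=cancel';

    // required and optional make no difference to us
    $sreg_required .= ',' . $sreg_optional;

    // do the trust_root analysis: when the urls differ, return_to must
    // descend from trust_root, otherwise a consumer could claim one realm and
    // have the assertion delivered somewhere else
    if ($trust_root != $return_to && !url_descends($return_to, $trust_root)) {
        // $trust_root is consumer-supplied; error_500() is responsible for
        // escaping it for whatever context it renders in — TODO confirm
        error_500('Invalid trust_root: "' . $trust_root . '"');
    }

    // transfer the user to the url accept mode if they're paranoid and have
    // not already accepted this trust_root in the current session
    if ($wait == 1
        && isset($profile['paranoid']) && $profile['paranoid'] === true
        && (!isset($_SESSION['accepted_url']) || $_SESSION['accepted_url'] != $trust_root)) {
        $_SESSION['cancel_accept_url'] = $cancel_url;
        $_SESSION['post_accept_url'] = $profile['req_url'];
        $_SESSION['unaccepted_url'] = $trust_root;
        debug('Transferring to acceptance mode.');
        debug('Cancel URL: ' . $_SESSION['cancel_accept_url']);
        debug('Post URL: ' . $_SESSION['post_accept_url']);
        $q = strpos($profile['idp_url'], '?') !== false ? '&' : '?';
        wrap_redirect($profile['idp_url'] . $q . 'openid.mode=accept');
    }

    // NOTE: this version does not verify that the requested $identity equals
    // $profile['idp_url']; the assertion built below always names
    // $profile['idp_url'] as the identity, whatever the consumer sent.

    // begin setting up return keys
    $keys = array('mode' => 'id_res');

    // if the user is not logged in, transfer to the authorization mode.
    // A missing openid_auth flag or openid_user is treated as "not logged
    // in" (fail closed) instead of being read as null.
    if ($USERNAME == ''
        || !isset($_SESSION['openid_auth']) || $_SESSION['openid_auth'] === false
        || !isset($_SESSION['openid_user']) || $USERNAME != $_SESSION['openid_user']) {
        // users can only be logged in to one url at a time
        $_SESSION['openid_user'] = null;
        $_SESSION['auth_url'] = null;
        if ($wait) {
            unset($_SESSION['uniqid']);
            $_SESSION['cancel_auth_url'] = $cancel_url;
            $_SESSION['post_auth_url'] = $profile['req_url'];
            debug('Transferring to authorization mode.');
            debug('Cancel URL: ' . $_SESSION['cancel_auth_url']);
            debug('Post URL: ' . $_SESSION['post_auth_url']);
            $q = strpos($profile['idp_url'], '?') !== false ? '&' : '?';
            wrap_redirect($profile['idp_url'] . $q . 'openid.mode=authorize');
        } else {
            // checkid_immediate: tell the consumer where the user can log in
            $keys['user_setup_url'] = $profile['idp_url'];
        }
    // the user is logged in
    } else {
        // remove the refresh URLs if set
        unset($_SESSION['cancel_auth_url']);
        unset($_SESSION['post_auth_url']);

        // check the assoc handle
        list($shared_secret, $expires) = secret($assoc_handle);
        // if I can't verify the assoc_handle, or if it's expired, tell the
        // consumer to drop its handle and mint a fresh association
        if (!$shared_secret || (is_numeric($expires) && $expires < time())) {
            debug("Session expired or missing key: {$expires} < " . time());
            if ($assoc_handle !== null && $assoc_handle !== '') {
                $keys['invalidate_handle'] = $assoc_handle;
                destroy_assoc_handle($assoc_handle);
            }
            $lifetime = time() + $profile['lifetime'];
            list($assoc_handle, $shared_secret) = new_assoc($lifetime);
        }

        $keys['identity'] = $profile['idp_url'];
        $keys['assoc_handle'] = $assoc_handle;
        $keys['return_to'] = $return_to;

        // build the "key:value\n" token string that gets MACed; $fields keeps
        // the same order so the 'signed' list names exactly what was signed
        $fields = array_keys($keys);
        $tokens = '';
        foreach ($fields as $key) {
            $tokens .= sprintf("%s:%s\n", $key, $keys[$key]);
        }

        // add sreg keys: every field the consumer listed that exists in $sreg
        // is released and covered by the signature; there is no per-field
        // user consent at this point
        foreach (explode(',', $sreg_required) as $key) {
            if (!isset($sreg[$key])) {
                continue;
            }
            $skey = 'sreg.' . $key;
            $tokens .= sprintf("%s:%s\n", $skey, $sreg[$key]);
            $keys[$skey] = $sreg[$key];
            $fields[] = $skey;
        }

        $keys['signed'] = implode(',', $fields);
        $keys['sig'] = base64_encode(hmac($shared_secret, $tokens));
    }

    wrap_keyed_redirect($return_to, $keys);
}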
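/**
 * Return the named request parameter when it is a non-empty string, else null.
 *
 * Replaces the `@strlen($_REQUEST[...])` idiom: no error suppression, no
 * deprecation warning on a missing key, and non-string values (for example
 * `param[]=x`) are rejected instead of being handed to string functions.
 *
 * @param string $name  key in $_REQUEST
 * @return string|null
 */
function checkid_request_string($name)
{
    if (!isset($_REQUEST[$name]) || !is_string($_REQUEST[$name]) || $_REQUEST[$name] === '') {
        return null;
    }
    return $_REQUEST[$name];
}

/**
 * Handle a consumer's request to see if the end user is logged in
 * (OpenID checkid_setup / checkid_immediate).
 *
 * Reads the request parameters from $_REQUEST, insists that the requested
 * identity is this IdP's own URL, sends an unauthorized user through the
 * authorization screen when $wait allows it, and finally redirects back to
 * return_to with either a signed id_res assertion or a user_setup_url.
 *
 * @param mixed $wait  truthy when the user may be redirected to the
 *                     authorize screen (checkid_setup); falsy when only a
 *                     user_setup_url may be returned (checkid_immediate)
 * @global array $known    declared but not referenced in this function
 * @global array $profile  IdP configuration (idp_url, req_url, lifetime, authorized)
 * @global array $sreg     simple-registration field name => value
 */
function checkid($wait)
{
    debug("checkid: wait? {$wait}");
    global $known, $profile, $sreg;
    // This is a user session
    user_session();

    // Get the options, use defaults as necessary.
    // error_400()/error_get() are expected not to return; if they did,
    // $return_to/$identity would hold their return value — TODO confirm.
    $return_to = checkid_request_string('openid_return_to');
    if ($return_to === null) {
        $return_to = error_400('Missing return_to');
    }
    $identity = checkid_request_string('openid_identity');
    if ($identity === null) {
        $identity = error_get($return_to, 'Missing identity');
    }
    $assoc_handle = checkid_request_string('openid_assoc_handle');
    $trust_root = checkid_request_string('openid_trust_root');
    if ($trust_root === null) {
        $trust_root = $return_to;
    }
    // (string) null === '', which is the documented default for both
    $sreg_required = (string) checkid_request_string('openid_sreg_required');
    $sreg_optional = (string) checkid_request_string('openid_sreg_optional');

    // required and optional make no difference to us
    $sreg_required .= ',' . $sreg_optional;

    // make sure i am this identifier: this IdP only ever asserts its own URL.
    // $identity is consumer-supplied; error_get() is responsible for escaping
    // it for whatever context it renders in — TODO confirm
    if ($identity !== $profile['idp_url']) {
        error_get($return_to, "Invalid identity: '{$identity}'");
    }

    // begin setting up return keys
    $keys = array('mode' => 'id_res');

    // if the user is not logged in, transfer to the authorization mode.
    // A session without auth_url is "not logged in" (fail closed).
    if ($profile['authorized'] === false
        || !isset($_SESSION['auth_url']) || $identity !== $_SESSION['auth_url']) {
        // users can only be logged in to one url at a time
        $_SESSION['auth_username'] = null;
        $_SESSION['auth_url'] = null;
        if ($wait) {
            unset($_SESSION['uniqid']);
            $_SESSION['cancel_auth_url'] = $return_to;
            $_SESSION['post_auth_url'] = $profile['req_url'];
            debug('Transferring to authorization mode.');
            debug('Cancel URL: ' . $_SESSION['cancel_auth_url']);
            debug('Post URL: ' . $_SESSION['post_auth_url']);
            // "!== false" so a '?' at offset 0 is not mistaken for "no query string"
            $q = strpos($profile['idp_url'], '?') !== false ? '&' : '?';
            wrap_refresh($profile['idp_url'] . $q . 'openid.mode=authorize');
        } else {
            // checkid_immediate: tell the consumer where the user can log in
            $keys['user_setup_url'] = $profile['idp_url'];
        }
    // the user is logged in
    } else {
        // remove the refresh URLs if set
        unset($_SESSION['cancel_auth_url']);
        unset($_SESSION['post_auth_url']);

        // check the assoc handle
        list($shared_secret, $expires) = secret($assoc_handle);
        // if I can't verify the assoc_handle, or if it's expired, tell the
        // consumer to drop its handle and mint a fresh association
        if (!$shared_secret || (is_numeric($expires) && $expires < time())) {
            debug("Session expired or missing key: {$expires} < " . time());
            if ($assoc_handle !== null && $assoc_handle !== '') {
                $keys['invalidate_handle'] = $assoc_handle;
                destroy_assoc_handle($assoc_handle);
            }
            $lifetime = time() + $profile['lifetime'];
            list($assoc_handle, $shared_secret) = new_assoc($lifetime);
        }

        $keys['identity'] = $profile['idp_url'];
        $keys['assoc_handle'] = $assoc_handle;
        $keys['return_to'] = $return_to;

        // build the "key:value\n" token string that gets MACed; $fields keeps
        // the same order so the 'signed' list names exactly what was signed
        $fields = array_keys($keys);
        $tokens = '';
        foreach ($fields as $key) {
            $tokens .= sprintf("%s:%s\n", $key, $keys[$key]);
        }

        // add sreg keys: every field the consumer listed that exists in $sreg
        // is released and covered by the signature; there is no per-field
        // user consent at this point
        foreach (explode(',', $sreg_required) as $key) {
            if (!isset($sreg[$key])) {
                continue;
            }
            $skey = 'sreg.' . $key;
            $tokens .= sprintf("%s:%s\n", $skey, $sreg[$key]);
            $keys[$skey] = $sreg[$key];
            $fields[] = $skey;
        }

        $keys['signed'] = implode(',', $fields);
        $keys['sig'] = base64_encode(hmac($shared_secret, $tokens));
    }

    wrap_location($return_to, $keys);
}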