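 /**
  * Construct from the current request. Useful for checking the signature of a request.
  * When not supplied with any parameters this will use the current request.
  *
  * Every argument is optional: whatever is omitted is filled in from the current
  * HTTP request ($_SERVER, the request headers and the raw request body).  The
  * resulting object holds method, uri, headers, body and parsed parameters and is
  * ready for signature checking.
  *
  * @param string	uri				might include parameters
  * @param string	method			GET, PUT, POST etc.
  * @param string	parameters		additional post parameters, urlencoded (RFC1738)
  * @param array		headers			headers for request; when empty the headers of the current request are used
  * @param string	body			optional body of the OAuth request (POST or PUT)
  */
 function __construct($uri = null, $method = null, $parameters = '', $headers = array(), $body = null)
 {
     if (is_object($_SERVER)) {
         // Tainted arrays - the normal stuff in anyMeta
         if (!$method) {
             $method = $_SERVER->REQUEST_METHOD->getRawUnsafe();
         }
         if (empty($uri)) {
             $uri = $_SERVER->REQUEST_URI->getRawUnsafe();
         }
     } else {
         // non anyMeta systems
         if (!$method) {
             // REQUEST_METHOD is absent under CLI; use '' instead of raising a notice
             // (strtoupper() below yields '' in both cases).
             $method = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : '';
         }
         $proto = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? 'https' : 'http';
         if (empty($uri)) {
             // NOTE(security): HTTP_HOST comes from the client's Host header, so the
             // reconstructed URI -- and with it the signature base string -- is chosen by
             // the caller.  That does not let a caller forge a signature (the secret is
             // still needed), but the web server should only accept its configured
             // host names so a rogue Host cannot influence URLs derived from this object.
             $host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
             $path = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
             $uri = sprintf('%s://%s%s', $proto, $host, $path);
         }
     }
     // Honour explicitly supplied headers (the documented contract); otherwise read the
     // headers of the current request.  Anything that is not a non-empty array is
     // treated as "not supplied".
     if (!is_array($headers) || empty($headers)) {
         $headers = OAuthRequestLogger::getAllHeaders();
     }
     $this->method = strtoupper($method);
     // If this is a post then also check the posted variables
     if (strcasecmp($method, 'POST') === 0) {
         // TODO: 'multipart/form-data' is neither rejected nor decoded; it takes the
         // generic branch below and is stored as an opaque $body.
         if ($this->getRequestContentType() === 'application/x-www-form-urlencoded') {
             // Get the posted body (when available) so the form fields take part in the signature.
             // NOTE(security): X-OAuth-Test is a test hook.  Any client that sends this
             // header makes the urlencoded body drop out of the signature base string,
             // i.e. the form fields are no longer integrity protected.  Remove this
             // escape hatch in production deployments.
             if (!isset($headers['X-OAuth-Test'])) {
                 $parameters .= $this->getRequestBody();
             }
         } else {
             $body = $this->getRequestBody();
         }
     } elseif (strcasecmp($method, 'PUT') === 0) {
         $body = $this->getRequestBody();
     }
     $this->method = strtoupper($method);
     $this->headers = $headers;
     // Store the values, prepare for oauth
     $this->uri = $uri;
     $this->body = $body;
     $this->parseUri($parameters);
     $this->parseHeaders();
     $this->transcodeParams();
 }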
 /**
  * See if the current request is signed with OAuth
  *
  * Looks for an "oauth_signature" request parameter first and, failing that, for
  * the substring "oauth_signature" in the Authorization header.  This only tells
  * you that the client *claims* to have signed the request; nothing here checks
  * that the signature is valid.
  *
  * @return boolean
  */
 public static function requestIsSigned()
 {
     if (isset($_REQUEST['oauth_signature'])) {
         return true;
     }
     $requestHeaders = OAuthRequestLogger::getAllHeaders();
     if (!isset($requestHeaders['Authorization'])) {
         return false;
     }
     return strpos($requestHeaders['Authorization'], 'oauth_signature') !== false;
 }
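 /**
  * This method parses the $_REQUEST superglobal and looks for
  * the following information:
  *  1/ user authentication - username+password or token (wsusername, wspassword and wstoken parameters)
  *  2/ function name (wsfunction parameter)
  *  3/ function parameters (all other parameters except those above)
  *
  * Side effects: sets $this->format ('json', 'atom' or 'xml') and $this->parameters;
  * then, depending on $this->authmethod, $this->username/$this->password or
  * $this->token; and finally $this->functionname.  With the OAuth protocol enabled
  * it also creates $this->oauth_server and, for a verified token, sets
  * $this->authmethod and $this->oauth_token_details.
  *
  * @return void
  * @throws OAuthException2 when the request announces OAuth (an oauth_token parameter
  *         or a header mentioning "oauth") but verification fails; OAuth failures on
  *         requests that do not announce OAuth are ignored so the other auth
  *         methods get their turn
  */
 protected function parse_request()
 {
     // determine the request/response format
     // 'alt' may arrive via $_REQUEST or $_GET; only string values are considered
     // (an array value would make trim() fail).
     $alt_values = array();
     foreach (array($_REQUEST, $_GET) as $source) {
         if (isset($source['alt']) && is_string($source['alt'])) {
             $alt_values[] = trim($source['alt']);
         }
     }
     $accept = isset($_SERVER['HTTP_ACCEPT']) ? $_SERVER['HTTP_ACCEPT'] : null;
     $content_type = isset($_SERVER['CONTENT_TYPE']) ? $_SERVER['CONTENT_TYPE'] : null;
     $json_types = array('application/json', 'application/jsonrequest');
     if (in_array('json', $alt_values, true)
         || in_array($accept, $json_types, true)
         || in_array($content_type, $json_types, true)) {
         $this->format = 'json';
     }
     else if (in_array('atom', $alt_values, true)
         || $accept === 'application/atom+xml'
         || $content_type === 'application/atom+xml') {
         $this->format = 'atom';
     }
     else {
         $this->format = 'xml';
     }
     unset($_REQUEST['alt']);
     // NOTE(security): depending on PHP's request_order / variables_order, $_REQUEST can
     // also contain cookies, so a cookie named e.g. wstoken or wsusername would be picked
     // up here as if the client had sent it as a parameter.  Confirm the deployment's
     // request_order excludes "C", or read $_GET/$_POST explicitly.
     $this->parameters = $_REQUEST;
     // if we should have one - setup the OAuth server handler
     if (webservice_protocol_is_enabled('oauth')) {
         OAuthStore::instance('Mahara');
         $this->oauth_server = new OAuthServer();
         $oauth_token = null;
         $headers = OAuthRequestLogger::getAllHeaders();
         try {
             $oauth_token = $this->oauth_server->verifyExtended();
         } catch (OAuthException2 $e) {
             // A request that announced itself as OAuth must fail closed.  The header
             // scan is case-insensitive so a bare "Authorization: OAuth ..." header
             // counts too; everything else falls through to the other auth methods.
             if (isset($_REQUEST['oauth_token']) || preg_grep('/oauth/i', array_values($headers))) {
                 $this->auth = 'OAUTH';
                 throw $e;
             }
         }
         if ($oauth_token) {
             $this->authmethod = WEBSERVICE_AUTHMETHOD_OAUTH_TOKEN;
             $token = $this->oauth_server->getParam('oauth_token');
             $store = OAuthStore::instance();
             $secrets = $store->getSecretsForVerify($oauth_token['consumer_key'], $this->oauth_server->urldecode($token), 'access');
             $this->oauth_token_details = $secrets;
             // the content type might be different for the OAuth client
             if (isset($headers['Content-Type']) && $headers['Content-Type'] === 'application/octet-stream' && $this->format !== 'json') {
                 $raw_body = file_get_contents('php://input');
                 $body_params = array();
                 if ($raw_body !== false && $raw_body !== '') {
                     parse_str($raw_body, $body_params);
                 }
                 // Later sources win: a body value overrides a query/form value of the same name.
                 $this->parameters = array_merge($this->parameters, $body_params);
             }
         }
     }
     // make sure oauth parameters are gone
     foreach (array('oauth_nonce', 'oauth_timestamp', 'oauth_consumer_key', 'oauth_signature_method', 'oauth_version', 'oauth_token', 'oauth_signature') as $param) {
         if (isset($this->parameters[$param])) {
             unset($this->parameters[$param]);
         }
     }
     // merge parameters from JSON request body if there is one
     if ($this->format == 'json') {
         // get request body; a failed read is treated like an empty body
         $raw_body = file_get_contents('php://input');
         $values = json_decode($raw_body === false ? '' : $raw_body, true);
         // Only a JSON object/array can carry named parameters; a scalar or invalid
         // document is ignored rather than being turned into a parameter "0".
         if (is_array($values) && !empty($values)) {
             $this->parameters = array_merge($this->parameters, $values);
         }
     }
     // Pull one control parameter out of $this->parameters as a trimmed string (null
     // when absent or not a string -- e.g. "wsusername[]=x" would otherwise make trim()
     // fail) and remove it so it is not handed to the function as an argument.
     $params = &$this->parameters;
     $take_string = function ($name) use (&$params) {
         $value = null;
         if (isset($params[$name]) && is_string($params[$name])) {
             $value = trim($params[$name]);
         }
         unset($params[$name]);
         return $value;
     };
     if ($this->authmethod == WEBSERVICE_AUTHMETHOD_USERNAME) {
         $this->username = $take_string('wsusername');
         $this->password = $take_string('wspassword');
     }
     else if ($this->authmethod == WEBSERVICE_AUTHMETHOD_PERMANENT_TOKEN) {
         // is some other form of token - what kind is it?
         $this->token = $take_string('wstoken');
     }
     $this->functionname = $take_string('wsfunction');
     unset($params);
 }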