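/**
 * Partuza's implementation of the OAuth Lookup service. Partuza supports all currently existing forms of
 * OAuth signatures: 3 legged, 2 legged and body_hash's.
 *
 * Requests with a raw POST body are handled in one of two ways:
 *  - if the signed parameter set carries an oauth_body_hash, the body is checked against that hash
 *    and the regular signature verification runs without the body;
 *  - otherwise the raw body is temporarily added as a (valueless) parameter so it becomes part of the
 *    main oauth_signature calculation (non-standard, but what some clients do), and removed again afterwards.
 *
 * The body hash is deliberately read from $oauthRequest's parameters (the set the signature covers) rather
 * than from $_GET: a hash taken from the query string alone is not guaranteed to be the one that was signed,
 * which would let a captured request be replayed with a different body and a freshly computed query-string hash.
 *
 * @param object $oauthRequest the parsed OAuth request; must expose set_parameter() and a public
 *                             $parameters array keyed by parameter name (both are used below)
 * @param string $appUrl
 * @param string $userId
 * @param string $contentType the request's Content-Type, compared exactly (no charset suffix)
 * @return SecurityToken or null on any signature / body-hash failure
 * @throws Exception when a POST body arrives with an unsupported Content-Type (this is a plain
 *                   Exception, not an OAuthException, so it propagates to the caller on purpose)
 */
public function getSecurityToken($oauthRequest, $appUrl, $userId, $contentType) {
  try {
    // When set, holds the raw POST body that has to be folded into the main oauth_signature.
    $includeRawPost = false;
    $acceptedContentTypes = array('application/atom+xml', 'application/xml', 'application/json');
    // NOTE(review): $HTTP_RAW_POST_DATA no longer exists on PHP 7+ (php://input is the replacement);
    // on such versions no body is ever seen here and body-signed requests will fail verification. Confirm the target PHP version.
    if (!empty($GLOBALS['HTTP_RAW_POST_DATA'])) {
      $rawPostBody = $GLOBALS['HTTP_RAW_POST_DATA'];
      // Duplicates the ApiServlet check, but meaningful processing of a body requires a supported type;
      // strict comparison so only exact string matches are accepted.
      if (!in_array($contentType, $acceptedContentTypes, true)) {
        throw new Exception("Invalid Content-Type specified for this request, only 'application/atom+xml', 'application/xml' and 'application/json' are accepted");
      }
      if (isset($oauthRequest->parameters['oauth_body_hash'])) {
        // oauth_body_hash extension: a mismatch is an oauth signature failure, so return null.
        // NOTE(review): verifyBodyHash() is defined elsewhere; make sure it compares the digests in constant time.
        if (!$this->verifyBodyHash($rawPostBody, $oauthRequest->parameters['oauth_body_hash'])) {
          return null;
        }
      } else {
        // No body hash: include the (somewhat oauth spec invalid) raw body in the main signature.
        $includeRawPost = $rawPostBody;
      }
    }
    $dataStore = new PartuzaOAuthDataStore();
    if ($includeRawPost !== false) {
      // The body is added as a parameter name with an empty value so it enters the signature base string.
      $oauthRequest->set_parameter($includeRawPost, '');
    }
    try {
      // The token is looked up in the signed parameter set; an absent oauth_token means 2-legged OAuth.
      if (isset($oauthRequest->parameters['oauth_token'])) {
        $ret = $this->verify3LeggedOAuth($oauthRequest, $userId, $appUrl, $dataStore);
      } else {
        $ret = $this->verify2LeggedOAuth($oauthRequest, $userId, $appUrl, $dataStore);
      }
    } catch (OAuthException $e) {
      $ret = null;
    }
    // Always undo the temporary parameter, also when verification failed, so the request object
    // is not left carrying the raw body as a parameter for whoever inspects it next.
    if ($includeRawPost !== false) {
      unset($oauthRequest->parameters[$includeRawPost]);
    }
    return $ret;
  } catch (OAuthException $e) {
    return null;
  }
}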