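/**
 * Authenticate an incoming web-service request.
 *
 * Resolution order (unchanged from the original logic):
 *   1. If no member is logged in and public access is disabled, or a token
 *      parameter is present at all, the token must resolve to a user.
 *   2. Otherwise, if SecurityID checking is enabled and a member is logged
 *      in, an optional SecurityID request parameter is verified against the
 *      session's token and the logged-in member becomes the user.
 *   3. With no user resolved and public access disabled, the request is rejected.
 *   4. If an HMAC validator is configured and a user was resolved, the
 *      message must validate for that user.
 *
 * NOTE(review): in step 2 an absent SecurityID is not an error - the session
 * alone is accepted; a caller that needs the parameter to be mandatory must
 * enforce that elsewhere. Only a present-but-wrong value is rejected here.
 *
 * @param SS_HTTPRequest $request
 * @return bool always true; every failure is reported by throwing
 * @throws WebServiceException with code 403 on any authentication failure
 */
public function authenticate(SS_HTTPRequest $request)
{
    $token = $this->getToken($request);
    $user = null;
    $loggedInId = Member::currentUserID();

    // Precedence is (a && b) || c: a supplied token always forces token auth,
    // even for a logged-in member. Parenthesised to make that explicit.
    if ((!$loggedInId && !$this->allowPublicAccess) || $token) {
        if (!$token) {
            throw new WebServiceException(403, "Missing token parameter");
        }
        $user = $this->tokenAuthenticator->authenticate($token);
        if (!$user) {
            throw new WebServiceException(403, "Invalid user token");
        }
    } elseif ($this->allowSecurityId && $loggedInId) {
        // we check the SecurityID parameter for the current user
        $secParam = SecurityToken::inst()->getName();
        $securityID = $request->requestVar($secParam);
        if ($securityID) {
            // The original compared with a loose `!=`, which is both
            // timing-dependent and subject to PHP numeric-string coercion.
            // Use a constant-time, type-strict comparison instead; a
            // non-string request value (e.g. an array parameter) is rejected
            // outright, matching the original's behaviour for such input.
            $expected = (string) SecurityToken::inst()->getValue();
            if (!is_string($securityID) || !hash_equals($expected, $securityID)) {
                throw new WebServiceException(403, "Invalid security ID");
            }
        }
        $user = Member::currentUser();
    }

    if (!$user && !$this->allowPublicAccess) {
        throw new WebServiceException(403, "Invalid request");
    }

    // now, if we have an hmacValidator in place, use it
    if ($this->hmacValidator && $user) {
        if (!$this->hmacValidator->validateHmac($user, $request)) {
            throw new WebServiceException(403, "Invalid message");
        }
    }

    return true;
}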
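/**
 * A freshly written Member receives token material, the "ID:token" form
 * authenticates to that member, and the same token paired with a different
 * member ID does not authenticate.
 */
public function testAuthenticateUserToken()
{
    $member = new Member();
    $member->Email = "*****@*****.**";
    $member->Password = "******";
    $member->write();

    // write() is expected to populate the per-member token material
    $this->assertNotNull($member->Token);
    $this->assertNotNull($member->AuthPrivateKey);

    $validToken = $member->ID . ":" . $member->userToken();

    // create an authenticator and see what we get back
    $tokenAuth = new TokenAuthenticator();
    $user = $tokenAuth->authenticate($validToken);

    // Assert before dereferencing: the original read $user->ID directly, so a
    // null result produced a PHP error instead of a clean assertion failure.
    $this->assertNotNull($user, "A well-formed token should resolve to its member");
    $this->assertEquals($member->ID, $user->ID);

    // the same token bound to another member ID must be rejected;
    // 42 is assumed not to be the ID of any member in the test database
    $mismatchedToken = "42:" . $member->userToken();
    $this->assertNull($tokenAuth->authenticate($mismatchedToken));
}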