X-Git-Url: https://git-public.kairo.at/?a=blobdiff_plain;f=app%2Fapi.php;h=0efc179417910781b9d425af8c775126dead0bce;hb=720d53da6d399740b96b90ef554b739959d64f83;hp=4cdbe24e2416d0be92d516b197dd0425ad4abdc0;hpb=426f76b2a5fa23ffba2f9ebf70ea8a384e733d23;p=authserver.git

diff --git a/app/api.php b/app/api.php
index 4cdbe24..0efc179 100644
--- a/app/api.php
+++ b/app/api.php
@@ -24,7 +24,12 @@ if (!count($errors)) {
   // Handle a request to a resource and authenticate the access token
   $token_OK = $server->verifyResourceRequest(OAuth2\Request::createFromGlobals());
   if (!$token_OK) {
-    $server->getResponse()->send();
+    $response = $server->getResponse();
+    if (!count($response->getParameters())) {
+      // We get an empty response if we don't get any auth header. Let's actually note that explicitly.
+      $response->setError($response->getStatusCode(), 'auth_missing', 'Authentication missing');
+    }
+    $response->send();
     if ($settings['piwik_enabled']) { $piwikTracker->doTrackPageView('API Request: Bad Token'); }
     exit();
   }
@@ -67,7 +72,7 @@ if (!count($errors)) {
                                   'error_description' => 'The user the access token is connected to was not recognized.')));
         }
         else {
-          if (in_array($user['email'], $utils->client_reg_email_whitelist)) {
+          if (($utils->client_reg_email_whitelist === false) || (in_array($user['email'], $utils->client_reg_email_whitelist))) {
             if (strlen(@$_GET['client_id']) >= 5) {
               $result = $db->prepare('SELECT `client_id`,`user_id` FROM `oauth_clients` WHERE `client_id` = :clientid;');
               $result->execute(array(':clientid' => $_GET['client_id']));