From b680cefdce8176a439a74c4cf348ac73e7c03995 Mon Sep 17 00:00:00 2001 From: Robert Kaiser Date: Fri, 28 Oct 2016 17:44:49 +0200 Subject: [PATCH] check session and login in authorize request --- authorize.php | 118 ++++++++++++++++++++++++++++++++------------------ 1 file changed, 76 insertions(+), 42 deletions(-) diff --git a/authorize.php b/authorize.php index 68e3b94..45f0b03 100644 --- a/authorize.php +++ b/authorize.php @@ -11,55 +11,89 @@ // Include the common auth system files (including the OAuth2 Server object). require_once(__DIR__.'/authsystem.inc.php'); +// Start HTML document as a DOM object. +extract(ExtendedDocument::initHTML5()); // sets $document, $html, $head, $title, $body +$document->formatOutput = true; // we want a nice output +$style = $head->appendElement('link'); +$style->setAttribute('rel', 'stylesheet'); +$style->setAttribute('href', 'authsystem.css'); +$head->appendJSFile('authsystem.js'); + $errors = $utils->checkForSecureConnection(); -$request = OAuth2\Request::createFromGlobals(); -$response = new OAuth2\Response(); +if (!count($errors)) { + $session = $utils->initSession(); // Read session or create new session and set cookie. + $user = array('id' => 0, 'email' => ''); + $pagetype = 'default'; + if (is_null($session)) { + $errors[] = _('The session system is not working. Please contact KaiRo.at and tell the team about this.'); + } + elseif ($session['logged_in']) { + // We are logged in, process authorization request. + $request = OAuth2\Request::createFromGlobals(); + $response = new OAuth2\Response(); -// Validate the authorize request. -if (!$server->validateAuthorizeRequest($request, $response)) { - $response->send(); - exit(); -} + // Validate the authorize request. + if (!$server->validateAuthorizeRequest($request, $response)) { + $response->send(); + exit(); + } -// Display an authorization form. -if (empty($_POST)) { - // Start HTML document as a DOM object. - extract(ExtendedDocument::initHTML5()); // sets $document, $html, $head, $title, $body - $document->formatOutput = true; // we want a nice output - $style = $head->appendElement('link'); - $style->setAttribute('rel', 'stylesheet'); - $style->setAttribute('href', 'authsystem.css'); - $head->appendJSFile('authsystem.js'); - $title->appendText('Authorization Request | KaiRo.at'); - $h1 = $body->appendElement('h1', 'KaiRo.at Authentication Server'); + // Display an authorization form. + if (empty($_POST)) { + $title->appendText('Authorization Request | KaiRo.at'); + $h1 = $body->appendElement('h1', 'KaiRo.at Authentication Server'); - $para = $body->appendElement('p', _('This login system does not work without JavaScript. Please activate JavaScript for this site to log in.')); - $para->setAttribute('id', 'jswarning'); - $para->setAttribute('class', 'warn'); + $para = $body->appendElement('p', _('This login system does not work without JavaScript. Please activate JavaScript for this site to log in.')); + $para->setAttribute('id', 'jswarning'); + $para->setAttribute('class', 'warn'); - $form = $body->appendForm('', 'POST', 'authform'); - $form->setAttribute('id', 'authform'); - $form->appendElement('p', sprintf(_('Do you authorize %s to access %s?'), $request->query['client_id'], $request->query['scope'])); - $submit = $form->appendInputSubmit(_('yes')); - $submit->setAttribute('name', 'authorized'); - $form->appendText(' '); - $submit = $form->appendInputSubmit(_('no')); - $submit->setAttribute('name', 'authorized'); - // Send HTML to client. - print($document->saveHTML()); - exit(); + $para = $body->appendElement('p', sprintf(_('Hi %s!'), $user['email'])); + $para->setAttribute('class', 'userwelcome'); + + $form = $body->appendForm('', 'POST', 'authform'); + $form->setAttribute('id', 'authform'); + $form->appendElement('p', sprintf(_('Do you authorize %s to access %s?'), $request->query['client_id'], $request->query['scope'])); + $submit = $form->appendInputSubmit(_('yes')); + $submit->setAttribute('name', 'authorized'); + $form->appendText(' '); + $submit = $form->appendInputSubmit(_('no')); + $submit->setAttribute('name', 'authorized'); + } + else { + // Handle authorize request, forwarding code in GET parameters if the user has authorized your client. + $is_authorized = ($_POST['authorized'] === 'yes'); + $server->handleAuthorizeRequest($request, $response, $is_authorized); + /* For testing only + if ($is_authorized) { + // this is only here so that you get to see your code in the cURL request. Otherwise, we'd redirect back to the client + $code = substr($response->getHttpHeader('Location'), strpos($response->getHttpHeader('Location'), 'code=')+5, 40); + exit("SUCCESS! Authorization Code: $code"); + } + */ + $response->send(); + exit(); + } + } + else { + // Display login/register form. + $para = $body->appendElement('p', _('You need to log in or register to continue.')); + $para->setAttribute('class', 'logininfo'); + } } -// Handle authorize request, forwarding code in GET parameters if the user has authorized your client. -$is_authorized = ($_POST['authorized'] === 'yes'); -$server->handleAuthorizeRequest($request, $response, $is_authorized); -/* For testing only -if ($is_authorized) { - // this is only here so that you get to see your code in the cURL request. Otherwise, we'd redirect back to the client - $code = substr($response->getHttpHeader('Location'), strpos($response->getHttpHeader('Location'), 'code=')+5, 40); - exit("SUCCESS! Authorization Code: $code"); +if (count($errors)) { + $body->appendElement('p', ((count($errors) <= 1) + ?_('The following error was detected') + :_('The following errors were detected')).':'); + $list = $body->appendElement('ul'); + $list->setAttribute('class', 'flat warn'); + foreach ($errors as $msg) { + $item = $list->appendElement('li', $msg); + } + $body->appendButton(_('Back'), 'history.back();'); } -*/ -$response->send(); + +// Send HTML to client. +print($document->saveHTML()); ?> -- 2.43.0