add a human check to registrations
[authserver.git] / app / api.php
index 4cdbe24e2416d0be92d516b197dd0425ad4abdc0..605a7d79d6ee735ad4fd672bfc4972631ab036ae 100644 (file)
@@ -24,7 +24,12 @@ if (!count($errors)) {
   // Handle a request to a resource and authenticate the access token
   $token_OK = $server->verifyResourceRequest(OAuth2\Request::createFromGlobals());
   if (!$token_OK) {
-    $server->getResponse()->send();
+    $response = $server->getResponse();
+    if (!count($response->getParameters())) {
+      // We get an empty response if we don't get any auth header. Let's actually note that explicitly.
+      $response->setError($response->getStatusCode(), 'auth_missing', 'Authentication missing');
+    }
+    $response->send();
     if ($settings['piwik_enabled']) { $piwikTracker->doTrackPageView('API Request: Bad Token'); }
     exit();
   }
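Review bot: The status code is forwarded into setError unchanged on the added line `$response->setError($response->getStatusCode(), 'auth_missing', 'Authentication missing');`, so if the library ever hands back an empty response that still carries its default 200 status, the client receives an error body with a success status. Guarding it, `$status = $response->getStatusCode(); $response->setError($status >= 400 ? $status : 401, 'auth_missing', 'Authentication missing');`, keeps the branch honest. Whether the bare response also carries a WWW-Authenticate header for the missing-credentials case is not visible here; if it does not, adding one on this path is worth confirming against the server library. The enclosing `if (!count($errors))` block starts and ends outside the hunk.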
@@ -57,7 +62,7 @@ if (!count($errors)) {
   }
   elseif (array_key_exists('newclient', $_GET)) {
     if ($token['scope'] == 'clientreg') {
-      if (intval(@$token['user_id'])) {
+      if (intval($token['user_id'] ?? 0)) {
         $result = $db->prepare('SELECT `id`,`email` FROM `auth_users` WHERE `id` = :userid;');
         $result->execute(array(':userid' => $token['user_id']));
         $user = $result->fetch(PDO::FETCH_ASSOC);
@@ -67,8 +72,8 @@ if (!count($errors)) {
                                   'error_description' => 'The user the access token is connected to was not recognized.')));
         }
         else {
-          if (in_array($user['email'], $utils->client_reg_email_whitelist)) {
-            if (strlen(@$_GET['client_id']) >= 5) {
+          if (($utils->client_reg_email_whitelist === false) || (in_array($user['email'], $utils->client_reg_email_whitelist))) {
+            if (strlen($_GET['client_id'] ?? '') >= 5) {
               $result = $db->prepare('SELECT `client_id`,`user_id` FROM `oauth_clients` WHERE `client_id` = :clientid;');
               $result->execute(array(':clientid' => $_GET['client_id']));
               $client = $result->fetch(PDO::FETCH_ASSOC);
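Review bot: The added check `strlen($_GET['client_id'] ?? '')` still assumes the query parameter is a string; a request sending `client_id[]=x` yields an array, and strlen on an array is a TypeError on PHP 8 (a warning and null on PHP 7), so the branch dies with an uncaught error instead of a clean rejection. The same pattern is on the new `redirect_uri` and `scope` lines in the next hunk. A type guard, `$clientId = $_GET['client_id'] ?? ''; if (is_string($clientId) && strlen($clientId) >= 5) {`, rejects those inputs cleanly. On the same line, the whitelist membership test is safer as `in_array($user['email'], $utils->client_reg_email_whitelist, true)`, and note that only a strict `false` disables the whitelist — a `null` value would reach in_array and fail the same way. The enclosing if/else chain starts and ends outside the hunk.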
@@ -99,13 +104,13 @@ if (!count($errors)) {
                                           'error_description' => 'Unexpectedly failed to save new secret.')));
                 }
                 else {
-                  if (strlen(@$_GET['redirect_uri'])) {
+                  if (strlen($_GET['redirect_uri'] ?? '')) {
                     $result = $db->prepare('UPDATE `oauth_clients` SET `redirect_uri` = :rediruri WHERE `client_id` = :clientid;');
                     if (!$result->execute(array(':rediruri' => $_GET['redirect_uri'],':clientid' => $client['client_id']))) {
                       $utils->log('client_save_failure', 'client: '.$client['client_id'].', new redirect_uri: '.$_GET['redirect_uri'].' - '.$result->errorInfo()[2]);
                     }
                   }
-                  if (strlen(@$_GET['scope'])) {
+                  if (strlen($_GET['scope'] ?? '')) {
                     $result = $db->prepare('UPDATE `oauth_clients` SET `scope` = :scope WHERE `client_id` = :clientid;');
                     if (!$result->execute(array(':scope' => $_GET['scope'],':clientid' => $client['client_id']))) {
                       $utils->log('client_save_failure', 'client: '.$client['client_id'].', new scope: '.$_GET['scope'].' - '.$result->errorInfo()[2]);
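Review bot: The added length check on `$_GET['redirect_uri']` is the only gate before the value is written into `oauth_clients.redirect_uri` on the following lines, so any non-empty string, including one with a scheme or host the client never intended, is accepted. Presumably this column is what the authorization endpoint later matches redirects against (not visible here), so validating on this path, e.g. `if (is_string($_GET['redirect_uri'] ?? null) && filter_var($_GET['redirect_uri'], FILTER_VALIDATE_URL) !== false) {`, limits what an authenticated client-registration caller can store. The enclosing else branch starts and ends outside the hunk.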