better handle missing auth header, set explicit response types to not get warnings...

diff --git a/app/api.php b/app/api.php
index 10d43edd0d1461cb9119f1b08616642e245124b5..0efc179417910781b9d425af8c775126dead0bce 100644 (file)
--- a/app/api.php
+++ b/app/api.php
@@ -24,7 +24,12 @@ if (!count($errors)) {
   // Handle a request to a resource and authenticate the access token
   $token_OK = $server->verifyResourceRequest(OAuth2\Request::createFromGlobals());
   if (!$token_OK) {
   // Handle a request to a resource and authenticate the access token
   $token_OK = $server->verifyResourceRequest(OAuth2\Request::createFromGlobals());
   if (!$token_OK) {

-    $server->getResponse()->send();
+    $response = $server->getResponse();
+    if (!count($response->getParameters())) {
+      // We get an empty response if we don't get any auth header. Let's actually note that explicitly.
+      $response->setError($response->getStatusCode(), 'auth_missing', 'Authentication missing');
+    }
+    $response->send();

     if ($settings['piwik_enabled']) { $piwikTracker->doTrackPageView('API Request: Bad Token'); }
     exit();
   }
     if ($settings['piwik_enabled']) { $piwikTracker->doTrackPageView('API Request: Bad Token'); }
     exit();
   }

diff --git a/app/authutils.php-class b/app/authutils.php-class
index df41e7123beb93b72426d36d222c7d2f7b4a73b9..440a153140b3c92fb594492cfe5c5a4b5450e9d6 100755 (executable)
--- a/app/authutils.php-class
+++ b/app/authutils.php-class
@@ -503,6 +503,12 @@ class AuthUtils {
     // Add the "Refresh Token" grant type (required to get longer-living resource access by generating new access tokens)
     $server->addGrantType(new OAuth2\GrantType\RefreshToken($oauth2_storage, array('always_issue_new_refresh_token' => true)));
 
     // Add the "Refresh Token" grant type (required to get longer-living resource access by generating new access tokens)
     $server->addGrantType(new OAuth2\GrantType\RefreshToken($oauth2_storage, array('always_issue_new_refresh_token' => true)));
 

+    // Add 'token' response type (mirroring what getDefaultResponseTypes is doing).
+    $server->addResponseType(new OAuth2\ResponseType\AccessToken($oauth2_storage, $oauth2_storage, $oauth2_config));
+
+    // Add 'code' response type (mirroring what getDefaultResponseTypes is doing).
+    $server->addResponseType(new OAuth2\ResponseType\AuthorizationCode($oauth2_storage));
+

     return $server;
   }
 
     return $server;
   }
 


@@ -610,7 +616,7 @@ class AuthUtils {
     $table->addColumn('logged_in', 'boolean', array('notnull' => true, 'default' => false));
     $table->addColumn('time_created', 'datetime', array('notnull' => true, 'default' => 'CURRENT_TIMESTAMP'));
     $table->addColumn('time_expire', 'datetime', array('notnull' => true, 'default' => 'CURRENT_TIMESTAMP'));
     $table->addColumn('logged_in', 'boolean', array('notnull' => true, 'default' => false));
     $table->addColumn('time_created', 'datetime', array('notnull' => true, 'default' => 'CURRENT_TIMESTAMP'));
     $table->addColumn('time_expire', 'datetime', array('notnull' => true, 'default' => 'CURRENT_TIMESTAMP'));

-    $table->addColumn('saved_redirect', 'string', array('length' => 255, 'notnull' => true, 'default' => ''));
+    $table->addColumn('saved_redirect', 'string', array('length' => 2000, 'notnull' => true, 'default' => ''));

     $table->setPrimaryKey(array('id'), 'id');
     $table->addIndex(array('sesskey'), 'sesskey');
     $table->addIndex(array('time_expire'), 'time_expire');
     $table->setPrimaryKey(array('id'), 'id');
     $table->addIndex(array('sesskey'), 'sesskey');
     $table->addIndex(array('time_expire'), 'time_expire');