aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--Zotlabs/Module/Authorize.php95
-rw-r--r--Zotlabs/Module/Oauth2testvehicle.php215
-rw-r--r--Zotlabs/Module/Token.php3
-rw-r--r--Zotlabs/Storage/ZotOauth2Pdo.php10
-rw-r--r--include/api_auth.php57
-rw-r--r--view/css/mod_oauth2testvehicle.css4
-rw-r--r--view/tpl/oauth2testvehicle.tpl21
-rwxr-xr-xview/tpl/oauth_authorize.tpl18
8 files changed, 372 insertions, 51 deletions
diff --git a/Zotlabs/Module/Authorize.php b/Zotlabs/Module/Authorize.php
index 254700b4e..c76dfb9df 100644
--- a/Zotlabs/Module/Authorize.php
+++ b/Zotlabs/Module/Authorize.php
@@ -4,59 +4,90 @@ namespace Zotlabs\Module;
use Zotlabs\Identity\OAuth2Storage;
-
class Authorize extends \Zotlabs\Web\Controller {
- function init() {
-
- // workaround for HTTP-auth in CGI mode
- if (x($_SERVER, 'REDIRECT_REMOTE_USER')) {
- $userpass = base64_decode(substr($_SERVER["REDIRECT_REMOTE_USER"], 6)) ;
- if(strlen($userpass)) {
- list($name, $password) = explode(':', $userpass);
- $_SERVER['PHP_AUTH_USER'] = $name;
- $_SERVER['PHP_AUTH_PW'] = $password;
- }
+ function get() {
+ if (!local_channel()) {
+ return login();
+ } else {
+ // TODO: Fully implement the dynamic client registration protocol:
+ // OpenID Connect Dynamic Client Registration 1.0 Client Metadata
+ // http://openid.net/specs/openid-connect-registration-1_0.html
+ $app = array(
+ 'name' => (x($_REQUEST, 'client_name') ? urldecode($_REQUEST['client_name']) : 'Unknown App'),
+ 'icon' => (x($_REQUEST, 'logo_uri') ? urldecode($_REQUEST['logo_uri']) : z_root() . '/images/icons/plugin.png'),
+ 'url' => (x($_REQUEST, 'client_uri') ? urldecode($_REQUEST['client_uri']) : ''),
+ );
+ $o .= replace_macros(get_markup_template('oauth_authorize.tpl'), array(
+ '$title' => '',
+ '$authorize' => 'Do you authorize the app <a style="float: none;" href="' . $app['url'] . '">' . $app['name'] . '</a> to access your channel data?',
+ '$app' => $app,
+ '$yes' => t('Allow'),
+ '$no' => t('Deny'),
+ '$client_id' => (x($_REQUEST, 'client_id') ? $_REQUEST['client_id'] : ''),
+ '$redirect_uri' => (x($_REQUEST, 'redirect_uri') ? $_REQUEST['redirect_uri'] : ''),
+ '$state' => (x($_REQUEST, 'state') ? $_REQUEST['state'] : ''),
+ ));
+ return $o;
}
+ }
- if (x($_SERVER, 'HTTP_AUTHORIZATION')) {
- $userpass = base64_decode(substr($_SERVER["HTTP_AUTHORIZATION"], 6)) ;
- if(strlen($userpass)) {
- list($name, $password) = explode(':', $userpass);
- $_SERVER['PHP_AUTH_USER'] = $name;
- $_SERVER['PHP_AUTH_PW'] = $password;
- }
+ function post() {
+ if (!local_channel()) {
+ return $this->get();
}
- $s = new \Zotlabs\Identity\OAuth2Server(new OAuth2Storage(\DBA::$dba->db));
+ $storage = new OAuth2Storage(\DBA::$dba->db);
+ $s = new \Zotlabs\Identity\OAuth2Server($storage);
+
+ // TODO: The automatic client registration protocol below should adhere more
+ // closely to "OAuth 2.0 Dynamic Client Registration Protocol" defined
+ // at https://tools.ietf.org/html/rfc7591
+
+ // If no client_id was provided, generate a new one.
+ if (x($_POST, 'client_id')) {
+ $client_id = $_POST['client_id'];
+ } else {
+ $client_id = $_POST['client_id'] = random_string(16);
+ }
+ // If no redirect_uri was provided, generate a fake one.
+ if (x($_POST, 'redirect_uri')) {
+ $redirect_uri = $_POST['redirect_uri'];
+ } else {
+ $redirect_uri = $_POST['redirect_uri'] = 'https://fake.example.com/oauth';
+ }
$request = \OAuth2\Request::createFromGlobals();
$response = new \OAuth2\Response();
- // validate the authorize request
- if (! $s->validateAuthorizeRequest($request, $response)) {
+ // If the client is not registered, add to the database
+ if (!$client = $storage->getClientDetails($client_id)) {
+ $client_secret = random_string(16);
+ // Client apps are registered per channel
+ $user_id = local_channel();
+ $storage->setClientDetails($client_id, $client_secret, $redirect_uri, 'authorization_code', null, $user_id);
+
+ }
+ if (!$client = $storage->getClientDetails($client_id)) {
+ // There was an error registering the client.
$response->send();
killme();
}
+ $response->setParameter('client_secret', $client['client_secret']);
- // display an authorization form
- if (empty($_POST)) {
-
- return '
-<form method="post">
- <label>Do You Authorize TestClient?</label><br />
- <input type="submit" name="authorized" value="yes">
- <input type="submit" name="authorized" value="no">
-</form>';
+ // validate the authorize request
+ if (!$s->validateAuthorizeRequest($request, $response)) {
+ $response->send();
+ killme();
}
// print the authorization code if the user has authorized your client
- $is_authorized = ($_POST['authorized'] === 'yes');
+ $is_authorized = ($_POST['authorize'] === 'allow');
$s->handleAuthorizeRequest($request, $response, $is_authorized, local_channel());
if ($is_authorized) {
// this is only here so that you get to see your code in the cURL request. Otherwise,
// we'd redirect back to the client
- $code = substr($response->getHttpHeader('Location'), strpos($response->getHttpHeader('Location'), 'code=')+5, 40);
+ $code = substr($response->getHttpHeader('Location'), strpos($response->getHttpHeader('Location'), 'code=') + 5, 40);
echo("SUCCESS! Authorization Code: $code");
}
diff --git a/Zotlabs/Module/Oauth2testvehicle.php b/Zotlabs/Module/Oauth2testvehicle.php
new file mode 100644
index 000000000..82e309f1c
--- /dev/null
+++ b/Zotlabs/Module/Oauth2testvehicle.php
@@ -0,0 +1,215 @@
+<?php
+
+namespace Zotlabs\Module;
+
+/**
+ * The OAuth2TestVehicle class is a way to test the registration of an OAuth2
+ * client app. It allows you to walk through the steps of registering a client,
+ * requesting an authorization code for that client, and then requesting an
+ * access token for use in authentication against the Hubzilla API endpoints.
+ */
+class OAuth2TestVehicle extends \Zotlabs\Web\Controller {
+
+ function init() {
+
+ // If there is a 'code' and 'state' parameter then this is a client app
+ // callback issued after the authorization code request
+ // TODO: Check state value and compare to original sent value
+ // "You should first compare this state value to ensure it matches the
+ // one you started with. You can typically store the state value in a
+ // cookie, and compare it when the user comes back. This ensures your
+ // redirection endpoint isn't able to be tricked into attempting to
+ // exchange arbitrary authorization codes."
+ $_SESSION['redirect_uri'] = 'http://hub.localhost/oauth2testvehicle';
+ $_SESSION['authorization_code'] = (x($_REQUEST, 'code') ? $_REQUEST['code'] : $_SESSION['authorization_code']);
+ $_SESSION['state'] = (x($_REQUEST, 'state') ? $_REQUEST['state'] : $_SESSION['state'] );
+ $_SESSION['client_id'] = (x($_REQUEST, 'client_id') ? $_REQUEST['client_id'] : $_SESSION['client_id'] );
+ $_SESSION['client_secret'] = (x($_REQUEST, 'client_secret') ? $_REQUEST['client_secret'] : $_SESSION['client_secret']);
+ $_SESSION['access_token'] = (x($_REQUEST, 'access_token') ? $_REQUEST['access_token'] : $_SESSION['access_token'] );
+ $_SESSION['api_response'] = (x($_SESSION, 'api_response') ? $_SESSION['api_response'] : '');
+ }
+ function get() {
+
+ $o .= replace_macros(get_markup_template('oauth2testvehicle.tpl'), array(
+ '$baseurl' => z_root(),
+ '$api_response' => $_SESSION['api_response'],
+ /*
+ endpoints => array(
+ array(
+ 'path_to_endpoint',
+ array(
+ array('field_name_1', 'value'),
+ array('field_name_2', 'value'),
+ ...
+ ),
+ 'submit_button_name',
+ 'Description of API action'
+ )
+ )
+ */
+ '$endpoints' => array(
+ array(
+ 'oauth2testvehicle',
+ array(
+ array(
+ 'action', 'delete_db'
+ )
+ ),
+ 'oauth2test_delete_db',
+ 'Delete the OAuth2 database tables',
+ 'POST',
+ ($_SESSION['success'] === 'delete_db'),
+ ),
+ array(
+ 'oauth2testvehicle',
+ array(
+ array(
+ 'action', 'create_db'
+ )
+ ),
+ 'oauth2test_create_db',
+ 'Create the OAuth2 database tables',
+ 'POST',
+ ($_SESSION['success'] === 'create_db'),
+ ),
+ array(
+ 'authorize',
+ array(
+ array('response_type', 'code'),
+ array('client_id', (x($_REQUEST, 'client_id') ? $_REQUEST['client_id'] : 'oauth2_test_app')),
+ array('redirect_uri', $_SESSION['redirect_uri']),
+ array('state', 'xyz'),
+ // OpenID Connect Dynamic Client Registration 1.0 Client Metadata
+ // http://openid.net/specs/openid-connect-registration-1_0.html
+ array('client_name', 'OAuth2 Test App'),
+ array('logo_uri', urlencode(z_root() . '/images/icons/plugin.png')),
+ array('client_uri', urlencode('https://client.example.com/website')),
+ array('application_type', 'web'), // would be 'native' for mobile app
+ ),
+ 'oauth_authorize',
+ 'Authorize a test client app',
+ 'GET',
+ (($_REQUEST['code'] && $_REQUEST['state']) ? true : false),
+ ),
+ array(
+ 'oauth2testvehicle',
+ array(
+ array('action', 'request_token'),
+ array('grant_type', 'authorization_code'),
+ array('code', $_SESSION['authorization_code']),
+ array('redirect_uri', $_SESSION['redirect_uri']),
+ array('client_id', ($_SESSION['client_id'] ? $_SESSION['client_id'] : 'oauth2_test_app')),
+ array('client_secret', $_SESSION['client_secret']),
+ ),
+ 'oauth_token_request',
+ 'Request a token',
+ 'POST',
+ ($_SESSION['success'] === 'request_token'),
+ ),
+ array(
+ 'oauth2testvehicle',
+ array(
+ array('action', 'api_files'),
+ array('access_token', $_SESSION['access_token']),
+ ),
+ 'oauth_api_files',
+ 'API: Get channel files',
+ 'POST',
+ ($_SESSION['success'] === 'api_files'),
+ )
+ )
+ ));
+ $_SESSION['success'] = '';
+ return $o;
+ }
+
+ function post() {
+
+ switch ($_POST['action']) {
+ case 'api_files':
+ $access_token = $_SESSION['access_token'];
+ $url = z_root() . '/api/z/1.0/files/';
+ $headers = [];
+ $headers[] = 'Authorization: Bearer ' . $access_token;
+ $post = z_fetch_url($url, false, 0, array(
+ 'custom' => 'GET',
+ 'headers' => $headers,
+ ));
+ logger(json_encode($post, JSON_PRETTY_PRINT), LOGGER_DEBUG);
+ $response = json_decode($post['body'], true);
+ $_SESSION['api_response'] = json_encode($response, JSON_PRETTY_PRINT);
+ break;
+ case 'request_token':
+ $grant_type = (x($_POST, 'grant_type') ? $_POST['grant_type'] : '');
+ $redirect_uri = (x($_POST, 'redirect_uri') ? $_POST['redirect_uri'] : '');
+ $client_id = (x($_POST, 'client_id') ? $_POST['client_id'] : '');
+ $code = (x($_POST, 'code') ? $_POST['code'] : '');
+ $client_secret = (x($_POST, 'client_secret') ? $_POST['client_secret'] : '');
+ $url = z_root() . '/token/';
+ $params = http_build_query(array(
+ 'grant_type' => $grant_type,
+ 'redirect_uri' => urlencode($redirect_uri),
+ 'client_id' => $client_id,
+ 'code' => $code,
+ ));
+ $post = z_post_url($url, $params, 0, array(
+ 'http_auth' => $client_id . ':' . $client_secret,
+ ));
+ logger(json_encode($post, JSON_PRETTY_PRINT), LOGGER_DEBUG);
+ $response = json_decode($post['body'], true);
+ logger(json_encode($response, JSON_PRETTY_PRINT), LOGGER_DEBUG);
+ if($response['access_token']) {
+ info('Access token received: ' . $response['access_token'] . EOL);
+ $_SESSION['success'] = 'request_token';
+ $_SESSION['access_token'] = $response['access_token'];
+ }
+ break;
+ case 'delete_db':
+ $status = true;
+ // Use the \OAuth2\Storage\Pdo class to create the OAuth2 tables
+ // by passing it the database connection
+ $pdo = \DBA::$dba->db;
+ $storage = new \Zotlabs\Storage\ZotOauth2Pdo($pdo);
+ foreach ($storage->getConfig() as $key => $table) {
+ $r = q("DROP TABLE %s;", dbesc($table));
+ if (!$r) {
+ $status = false;
+ }
+ }
+ if (!$status) {
+ notice('Errors encountered deleting database tables.' . EOL);
+ $_SESSION['success'] = '';
+ } else {
+ info('Database tables deleted successfully.' . EOL);
+ $_SESSION['success'] = 'delete_db';
+ }
+ break;
+
+ case 'create_db':
+ $status = true;
+ @include('.htconfig.php');
+ $pdo = \DBA::$dba->db;
+ $storage = new \Zotlabs\Storage\ZotOauth2Pdo($pdo);
+ foreach (explode(';', $storage->getBuildSql($db_data)) as $statement) {
+ try {
+ $result = $pdo->exec($statement);
+ } catch (\PDOException $e) {
+ $status = false;
+ }
+ }
+
+ if (!$status) {
+ notice('Errors encountered creating database tables.' . EOL);
+ $_SESSION['success'] = '';
+ } else {
+ info('Database tables created successfully.' . EOL);
+ $_SESSION['success'] = 'create_db';
+ }
+ break;
+
+ default:
+ break;
+ }
+ }
+
+}
diff --git a/Zotlabs/Module/Token.php b/Zotlabs/Module/Token.php
index f7c074233..32cf95c61 100644
--- a/Zotlabs/Module/Token.php
+++ b/Zotlabs/Module/Token.php
@@ -29,7 +29,8 @@ class Token extends \Zotlabs\Web\Controller {
}
$s = new \Zotlabs\Identity\OAuth2Server(new OAuth2Storage(\DBA::$dba->db));
- $s->handleTokenRequest(\OAuth2\Request::createFromGlobals())->send();
+ $request = \OAuth2\Request::createFromGlobals();
+ $s->handleTokenRequest($request)->send();
killme();
}
diff --git a/Zotlabs/Storage/ZotOauth2Pdo.php b/Zotlabs/Storage/ZotOauth2Pdo.php
new file mode 100644
index 000000000..b2c3ce228
--- /dev/null
+++ b/Zotlabs/Storage/ZotOauth2Pdo.php
@@ -0,0 +1,10 @@
+<?php
+
+namespace Zotlabs\Storage;
+
+class ZotOauth2Pdo extends \OAuth2\Storage\Pdo {
+ public function getConfig()
+ {
+ return $this->config;
+ }
+}
diff --git a/include/api_auth.php b/include/api_auth.php
index 5c0bcb317..e2f7ab155 100644
--- a/include/api_auth.php
+++ b/include/api_auth.php
@@ -14,25 +14,58 @@ function api_login(&$a){
// login with oauth
try {
- $oauth = new ZotOAuth1();
- $req = OAuth1Request::from_request();
+ // OAuth 2.0
+ $storage = new \Zotlabs\Identity\OAuth2Storage(\DBA::$dba->db);
+ $server = new \Zotlabs\Identity\OAuth2Server($storage);
+ $request = \OAuth2\Request::createFromGlobals();
+ if ($server->verifyResourceRequest($request)) {
+ $token = $server->getAccessTokenData($request);
+ $uid = $token['user_id'];
+ $r = q("SELECT * FROM channel WHERE channel_id = %d LIMIT 1",
+ intval($uid)
+ );
+ if (count($r)) {
+ $record = $r[0];
+ } else {
+ header('HTTP/1.0 401 Unauthorized');
+ echo('This api requires login');
+ killme();
+ }
+
+ $_SESSION['uid'] = $record['channel_id'];
+ $_SESSION['addr'] = $_SERVER['REMOTE_ADDR'];
+
+ $x = q("select * from account where account_id = %d LIMIT 1",
+ intval($record['channel_account_id'])
+ );
+ if ($x) {
+ require_once('include/security.php');
+ authenticate_success($x[0], null, true, false, true, true);
+ $_SESSION['allow_api'] = true;
+ call_hooks('logged_in', App::$user);
+ return;
+ }
+ } else {
+ // OAuth 1.0
+ $oauth = new ZotOAuth1();
+ $req = OAuth1Request::from_request();
- list($consumer,$token) = $oauth->verify_request($req);
+ list($consumer, $token) = $oauth->verify_request($req);
- if (!is_null($token)){
- $oauth->loginUser($token->uid);
+ if (!is_null($token)) {
+ $oauth->loginUser($token->uid);
- App::set_oauth_key($consumer->key);
+ App::set_oauth_key($consumer->key);
- call_hooks('logged_in', App::$user);
- return;
+ call_hooks('logged_in', App::$user);
+ return;
+ }
+ killme();
}
- killme();
- }
- catch(Exception $e) {
+ } catch (Exception $e) {
logger($e->getMessage());
}
-
+
// workarounds for HTTP-auth in CGI mode
foreach([ 'REDIRECT_REMOTE_USER', 'HTTP_AUTHORIZATION' ] as $head) {
diff --git a/view/css/mod_oauth2testvehicle.css b/view/css/mod_oauth2testvehicle.css
new file mode 100644
index 000000000..0ef2896b5
--- /dev/null
+++ b/view/css/mod_oauth2testvehicle.css
@@ -0,0 +1,4 @@
+.oath2test-form-box {
+ border: #ccc thin solid;
+ padding: 1em;
+} \ No newline at end of file
diff --git a/view/tpl/oauth2testvehicle.tpl b/view/tpl/oauth2testvehicle.tpl
new file mode 100644
index 000000000..ce46b58c0
--- /dev/null
+++ b/view/tpl/oauth2testvehicle.tpl
@@ -0,0 +1,21 @@
+<h1>OAuth 2.0 Test Vehicle</h1>
+
+{{foreach $endpoints as $ept}}
+<div class="oath2test-form-box">
+<form action="{{$baseurl}}/{{$ept.0}}/" method="{{$ept.4}}">
+ <h3>{{$ept.3}}</h3>
+ {{$baseurl}}/{{$ept.0}}/?{{foreach $ept.1 as $field}}{{$field.0}}={{$field.1}}&<input type="hidden" name="{{$field.0}}" value="{{$field.1}}" />{{/foreach}}
+ <br>
+ <button type="submit" name="{{$ept.2}}_submit" value="submit" class="btn btn-med" title="">Submit</button>
+ <span style="display: {{if $ept.5}}inline{{else}}none{{/if}}; font-size: 2em;">&nbsp;<i class="fa fa-check"></i></span>
+</form>
+ </div>
+{{/foreach}}
+<div>
+ <h3>API response</h3>
+ <pre style="display: inline-block; overflow-x: auto; white-space: nowrap; width: 100%;">
+ <code>
+ {{$api_response}}
+ </code>
+ </pre>
+</div> \ No newline at end of file
diff --git a/view/tpl/oauth_authorize.tpl b/view/tpl/oauth_authorize.tpl
index 2b7afa80e..72701ce52 100755
--- a/view/tpl/oauth_authorize.tpl
+++ b/view/tpl/oauth_authorize.tpl
@@ -2,9 +2,15 @@
<div class='oauthapp'>
<img src='{{$app.icon}}'>
- <h4>{{$app.name}}</h4>
-</div>
-<h3>{{$authorize}}</h3>
-<form method="POST">
-<div class="settings-submit-wrapper"><input class="settings-submit" type="submit" name="oauth_yes" value="{{$yes}}" /></div>
-</form>
+ <h3>{{$app.name}}</h3>
+ <p class="descriptive-paragraph">{{$authorize}}</p>
+ <form method="POST">
+ <div class="settings-submit-wrapper">
+ <input type="hidden" name="client_id" value="{{$client_id}}" />
+ <input type="hidden" name="redirect_uri" value="{{$redirect_uri}}" />
+ <input type="hidden" name="state" value="{{$state}}" />
+ <button class="btn btn-lg btn-danger" name="authorize" value="deny" type="submit">{{$no}}</button>
+ <button class="btn btn-lg btn-success" name="authorize" value="allow" type="submit">{{$yes}}</button>
+ </div>
+ </form>
+</div> \ No newline at end of file