streams/include/oauth.php

<?php /** @file */

/** 
 * OAuth-1 server
 * 
 */

define('REQUEST_TOKEN_DURATION', 300);
define('ACCESS_TOKEN_DURATION', 31536000);

require_once('library/OAuth1.php');


class ZotOAuth1DataStore extends OAuth1DataStore {

	function gen_token(){
		return md5(base64_encode(pack('N6', mt_rand(), mt_rand(), mt_rand(), mt_rand(), mt_rand(), uniqid())));
	}
	
	function lookup_consumer($consumer_key) {
		logger('consumer_key: ' . $consumer_key, LOGGER_DEBUG);

		$r = q("SELECT client_id, pw, redirect_uri FROM clients WHERE client_id = '%s'",
			dbesc($consumer_key)
		);

		if($r) {
			App::set_oauth_key($consumer_key);
			return new OAuth1Consumer($r[0]['client_id'],$r[0]['pw'],$r[0]['redirect_uri']);
		}
		return null;
	}

	function lookup_token($consumer, $token_type, $token) {

		logger(__function__ . ':' . $consumer . ', ' . $token_type . ', ' . $token, LOGGER_DEBUG);

		$r = q("SELECT id, secret, auth_scope, expires, uid  FROM tokens WHERE client_id = '%s' AND auth_scope = '%s' AND id = '%s'",
			dbesc($consumer->key),
			dbesc($token_type),
			dbesc($token)
		);

		if ($r) {
			$ot = new OAuth1Token($r[0]['id'],$r[0]['secret']);
			$ot->scope = $r[0]['auth_scope'];
			$ot->expires = $r[0]['expires'];
			$ot->uid = $r[0]['uid'];
			return $ot;
		}
		return null;
	}

	function lookup_nonce($consumer, $token, $nonce, $timestamp) {

		$r = q("SELECT id, secret FROM tokens WHERE client_id = '%s' AND id = '%s' AND expires = %d",
			dbesc($consumer->key),
			dbesc($nonce),
			intval($timestamp)
		);

		if ($r) {
			return new OAuth1Token($r[0]['id'],$r[0]['secret']);
		}
		return null;
	}

	function new_request_token($consumer, $callback = null) {

		logger(__function__ . ':' . $consumer . ', ' . $callback, LOGGER_DEBUG);

		$key = $this->gen_token();
		$sec = $this->gen_token();
		
		if ($consumer->key){
			$k = $consumer->key;
		}
		else {
			$k = $consumer;
		}

		$r = q("INSERT INTO tokens (id, secret, client_id, auth_scope, expires, uid) VALUES ('%s','%s','%s','%s', %d, 0)",
				dbesc($key),
				dbesc($sec),
				dbesc($k),
				'request',
				time()+intval(REQUEST_TOKEN_DURATION));

		if (! $r) {
			return null;
		}
		return new OAuth1Token($key,$sec);
	}

	function new_access_token($token, $consumer, $verifier = null) {

		logger(__function__ . ':' . $token . ', ' . $consumer .', ' . $verifier, LOGGER_DEBUG);
    
		// return a new access token attached to this consumer
		// for the user associated with this token if the request token
		// is authorized
		// should also invalidate the request token
	
		$ret = null;
	
		// get user for this verifier
		$uverifier = get_config("oauth", $verifier);
		logger(__function__ . ':' . $verifier . ', ' . $uverifier, LOGGER_DEBUG);
		if (is_null($verifier) || ($uverifier !== false)) {
		
			$key = $this->gen_token();
			$sec = $this->gen_token();

			$r = q("INSERT INTO tokens (id, secret, client_id, auth_scope, expires, uid) VALUES ('%s','%s','%s','%s', %d, %d)",
				dbesc($key),
				dbesc($sec),
				dbesc($consumer->key),
				'access',
				time()+intval(ACCESS_TOKEN_DURATION),
				intval($uverifier));

			if ($r) {
				$ret = new OAuth1Token($key,$sec);
			}
		}
		
		
		q("DELETE FROM tokens WHERE id='%s'", $token->key);
	
	
		if (! is_null($ret) && $uverifier !== false) {
			del_config('oauth', $verifier);
		}
		return $ret;
	}
}

class ZotOAuth1 extends OAuth1Server {

	function __construct() {
		parent::__construct(new ZotOAuth1DataStore());
		$this->add_signature_method(new OAuth1SignatureMethod_PLAINTEXT());
		$this->add_signature_method(new OAuth1SignatureMethod_HMAC_SHA1());
	}
	
	function loginUser($uid) {

		logger("ZotOAuth1::loginUser $uid");

		$r = q("SELECT * FROM channel WHERE channel_id = %d LIMIT 1",
			intval($uid)
		);
		if ($r) {
			$record = $r[0];
		}
		else {
			logger('ZotOAuth1::loginUser failure: ' . print_r($_SERVER,true), LOGGER_DEBUG);
			header('HTTP/1.0 401 Unauthorized');
			echo('This api requires login');
			killme();
		}

		$_SESSION['uid'] = $record['channel_id'];
		$_SESSION['addr'] = $_SERVER['REMOTE_ADDR'];

		$x = q("select * from account where account_id = %d limit 1",
			intval($record['channel_account_id'])
		);
		if ($x) {
			require_once('include/security.php');
			authenticate_success($x[0],null,true,false,true,true);
			$_SESSION['allow_api'] = true;
		}
	}
	
}
start formatting for Doxygen 2013-02-26 01:09:40 +00:00			`<?php /** @file */`
some major cleanup of api authentication stuff - still needs much more and this still may not solve #206 2015-12-11 00:39:46 +00:00
Initial work adding oauth to api 2011-10-20 13:57:35 +00:00			`/**`
minor fixes from upstream 2019-01-25 03:03:14 +00:00			`* OAuth-1 server`
Initial work adding oauth to api 2011-10-20 13:57:35 +00:00			`*`
			`*/`

oauth: authorize view, wrong verifier. 2011-11-02 08:54:07 +00:00			`define('REQUEST_TOKEN_DURATION', 300);`
			`define('ACCESS_TOKEN_DURATION', 31536000);`
Initial work adding oauth to api 2011-10-20 13:57:35 +00:00
cleanup 2019-05-15 05:16:49 +00:00			`require_once('library/OAuth1.php');`
Initial work adding oauth to api 2011-10-20 13:57:35 +00:00
some major cleanup of api authentication stuff - still needs much more and this still may not solve #206 2015-12-11 00:39:46 +00:00
remove the unqualified "OAuth" namespace from the project. We need to reference either OAuth1 or OAuth2. 2015-12-13 23:35:45 +00:00			`class ZotOAuth1DataStore extends OAuth1DataStore {`
some major cleanup of api authentication stuff - still needs much more and this still may not solve #206 2015-12-11 00:39:46 +00:00
			`function gen_token(){`
Initial work adding oauth to api 2011-10-20 13:57:35 +00:00			`return md5(base64_encode(pack('N6', mt_rand(), mt_rand(), mt_rand(), mt_rand(), mt_rand(), uniqid())));`
some major cleanup of api authentication stuff - still needs much more and this still may not solve #206 2015-12-11 00:39:46 +00:00			`}`
Initial work adding oauth to api 2011-10-20 13:57:35 +00:00
some major cleanup of api authentication stuff - still needs much more and this still may not solve #206 2015-12-11 00:39:46 +00:00			`function lookup_consumer($consumer_key) {`
			`logger('consumer_key: ' . $consumer_key, LOGGER_DEBUG);`
several oauth fixes - shred doesn't completely work yet, but it also doesn't completely NOT work, so at least there's some improvement 2013-09-17 04:35:52 +00:00
Implement permission checking for OAuth clients using the xperm table. Currently 'all' permissions are applied to OAuth clients which gives them the same rights as the channel owner and full access to API functions as the channel owner. However, individual permissions can now be created. These mirror the permission names from the normal permission table (although it isn't required that they do so). Lack of an xp_perm entry for the specified permission and lack of an 'all' override indicates permission denied. 2015-05-18 01:14:50 +00:00			`$r = q("SELECT client_id, pw, redirect_uri FROM clients WHERE client_id = '%s'",`
Initial work adding oauth to api 2011-10-20 13:57:35 +00:00			`dbesc($consumer_key)`
			`);`
several oauth fixes - shred doesn't completely work yet, but it also doesn't completely NOT work, so at least there's some improvement 2013-09-17 04:35:52 +00:00
Implement permission checking for OAuth clients using the xperm table. Currently 'all' permissions are applied to OAuth clients which gives them the same rights as the channel owner and full access to API functions as the channel owner. However, individual permissions can now be created. These mirror the permission names from the normal permission table (although it isn't required that they do so). Lack of an xp_perm entry for the specified permission and lack of an 'all' override indicates permission denied. 2015-05-18 01:14:50 +00:00			`if($r) {`
static App 2016-03-31 23:06:03 +00:00			`App::set_oauth_key($consumer_key);`
remove the unqualified "OAuth" namespace from the project. We need to reference either OAuth1 or OAuth2. 2015-12-13 23:35:45 +00:00			`return new OAuth1Consumer($r[0]['client_id'],$r[0]['pw'],$r[0]['redirect_uri']);`
Implement permission checking for OAuth clients using the xperm table. Currently 'all' permissions are applied to OAuth clients which gives them the same rights as the channel owner and full access to API functions as the channel owner. However, individual permissions can now be created. These mirror the permission names from the normal permission table (although it isn't required that they do so). Lack of an xp_perm entry for the specified permission and lack of an 'all' override indicates permission denied. 2015-05-18 01:14:50 +00:00			`}`
Initial work adding oauth to api 2011-10-20 13:57:35 +00:00			`return null;`
some major cleanup of api authentication stuff - still needs much more and this still may not solve #206 2015-12-11 00:39:46 +00:00			`}`
Initial work adding oauth to api 2011-10-20 13:57:35 +00:00
some major cleanup of api authentication stuff - still needs much more and this still may not solve #206 2015-12-11 00:39:46 +00:00			`function lookup_token($consumer, $token_type, $token) {`

cleanup 2019-05-15 05:16:49 +00:00			`logger(__function__ . ':' . $consumer . ', ' . $token_type . ', ' . $token, LOGGER_DEBUG);`
several oauth fixes - shred doesn't completely work yet, but it also doesn't completely NOT work, so at least there's some improvement 2013-09-17 04:35:52 +00:00
more removal of reserved words from DB schemas 2016-06-01 00:50:47 +00:00			`$r = q("SELECT id, secret, auth_scope, expires, uid FROM tokens WHERE client_id = '%s' AND auth_scope = '%s' AND id = '%s'",`
Initial work adding oauth to api 2011-10-20 13:57:35 +00:00			`dbesc($consumer->key),`
			`dbesc($token_type),`
			`dbesc($token)`
			`);`
several oauth fixes - shred doesn't completely work yet, but it also doesn't completely NOT work, so at least there's some improvement 2013-09-17 04:35:52 +00:00
cleanup 2019-05-15 05:16:49 +00:00			`if ($r) {`
			`$ot = new OAuth1Token($r[0]['id'],$r[0]['secret']);`
			`$ot->scope = $r[0]['auth_scope'];`
Initial work adding oauth to api 2011-10-20 13:57:35 +00:00			`$ot->expires = $r[0]['expires'];`
oauth: authorize 2011-11-07 16:36:41 +00:00			`$ot->uid = $r[0]['uid'];`
Initial work adding oauth to api 2011-10-20 13:57:35 +00:00			`return $ot;`
			`}`
			`return null;`
some major cleanup of api authentication stuff - still needs much more and this still may not solve #206 2015-12-11 00:39:46 +00:00			`}`
Initial work adding oauth to api 2011-10-20 13:57:35 +00:00
some major cleanup of api authentication stuff - still needs much more and this still may not solve #206 2015-12-11 00:39:46 +00:00			`function lookup_nonce($consumer, $token, $nonce, $timestamp) {`
several oauth fixes - shred doesn't completely work yet, but it also doesn't completely NOT work, so at least there's some improvement 2013-09-17 04:35:52 +00:00
Implement permission checking for OAuth clients using the xperm table. Currently 'all' permissions are applied to OAuth clients which gives them the same rights as the channel owner and full access to API functions as the channel owner. However, individual permissions can now be created. These mirror the permission names from the normal permission table (although it isn't required that they do so). Lack of an xp_perm entry for the specified permission and lack of an 'all' override indicates permission denied. 2015-05-18 01:14:50 +00:00			`$r = q("SELECT id, secret FROM tokens WHERE client_id = '%s' AND id = '%s' AND expires = %d",`
Initial work adding oauth to api 2011-10-20 13:57:35 +00:00			`dbesc($consumer->key),`
			`dbesc($nonce),`
			`intval($timestamp)`
			`);`
several oauth fixes - shred doesn't completely work yet, but it also doesn't completely NOT work, so at least there's some improvement 2013-09-17 04:35:52 +00:00
cleanup 2019-05-15 05:16:49 +00:00			`if ($r) {`
remove the unqualified "OAuth" namespace from the project. We need to reference either OAuth1 or OAuth2. 2015-12-13 23:35:45 +00:00			`return new OAuth1Token($r[0]['id'],$r[0]['secret']);`
cleanup 2019-05-15 05:16:49 +00:00			`}`
Initial work adding oauth to api 2011-10-20 13:57:35 +00:00			`return null;`
some major cleanup of api authentication stuff - still needs much more and this still may not solve #206 2015-12-11 00:39:46 +00:00			`}`

			`function new_request_token($consumer, $callback = null) {`

cleanup 2019-05-15 05:16:49 +00:00			`logger(__function__ . ':' . $consumer . ', ' . $callback, LOGGER_DEBUG);`
Initial work adding oauth to api 2011-10-20 13:57:35 +00:00
			`$key = $this->gen_token();`
			`$sec = $this->gen_token();`
oauth: authorize 2011-11-07 16:36:41 +00:00
			`if ($consumer->key){`
			`$k = $consumer->key;`
cleanup 2019-05-15 05:16:49 +00:00			`}`
			`else {`
oauth: authorize 2011-11-07 16:36:41 +00:00			`$k = $consumer;`
			`}`
several oauth fixes - shred doesn't completely work yet, but it also doesn't completely NOT work, so at least there's some improvement 2013-09-17 04:35:52 +00:00
not null violation oauth1 2018-05-21 20:37:55 +00:00			`$r = q("INSERT INTO tokens (id, secret, client_id, auth_scope, expires, uid) VALUES ('%s','%s','%s','%s', %d, 0)",`
Initial work adding oauth to api 2011-10-20 13:57:35 +00:00			`dbesc($key),`
			`dbesc($sec),`
oauth: authorize 2011-11-07 16:36:41 +00:00			`dbesc($k),`
Initial work adding oauth to api 2011-10-20 13:57:35 +00:00			`'request',`
avoid db compatibility issues 2015-05-24 16:26:12 +00:00			`time()+intval(REQUEST_TOKEN_DURATION));`
several oauth fixes - shred doesn't completely work yet, but it also doesn't completely NOT work, so at least there's some improvement 2013-09-17 04:35:52 +00:00
cleanup 2019-05-15 05:16:49 +00:00			`if (! $r) {`
some major cleanup of api authentication stuff - still needs much more and this still may not solve #206 2015-12-11 00:39:46 +00:00			`return null;`
cleanup 2019-05-15 05:16:49 +00:00			`}`
remove the unqualified "OAuth" namespace from the project. We need to reference either OAuth1 or OAuth2. 2015-12-13 23:35:45 +00:00			`return new OAuth1Token($key,$sec);`
some major cleanup of api authentication stuff - still needs much more and this still may not solve #206 2015-12-11 00:39:46 +00:00			`}`
Initial work adding oauth to api 2011-10-20 13:57:35 +00:00
some major cleanup of api authentication stuff - still needs much more and this still may not solve #206 2015-12-11 00:39:46 +00:00			`function new_access_token($token, $consumer, $verifier = null) {`

cleanup 2019-05-15 05:16:49 +00:00			`logger(__function__ . ':' . $token . ', ' . $consumer .', ' . $verifier, LOGGER_DEBUG);`
Initial work adding oauth to api 2011-10-20 13:57:35 +00:00
some major cleanup of api authentication stuff - still needs much more and this still may not solve #206 2015-12-11 00:39:46 +00:00			`// return a new access token attached to this consumer`
			`// for the user associated with this token if the request token`
			`// is authorized`
			`// should also invalidate the request token`

cleanup 2019-05-15 05:16:49 +00:00			`$ret = null;`
some major cleanup of api authentication stuff - still needs much more and this still may not solve #206 2015-12-11 00:39:46 +00:00
			`// get user for this verifier`
			`$uverifier = get_config("oauth", $verifier);`
cleanup 2019-05-15 05:16:49 +00:00			`logger(__function__ . ':' . $verifier . ', ' . $uverifier, LOGGER_DEBUG);`
			`if (is_null($verifier) \|\| ($uverifier !== false)) {`
Initial work adding oauth to api 2011-10-20 13:57:35 +00:00
some major cleanup of api authentication stuff - still needs much more and this still may not solve #206 2015-12-11 00:39:46 +00:00			`$key = $this->gen_token();`
			`$sec = $this->gen_token();`
several oauth fixes - shred doesn't completely work yet, but it also doesn't completely NOT work, so at least there's some improvement 2013-09-17 04:35:52 +00:00
more removal of reserved words from DB schemas 2016-06-01 00:50:47 +00:00			`$r = q("INSERT INTO tokens (id, secret, client_id, auth_scope, expires, uid) VALUES ('%s','%s','%s','%s', %d, %d)",`
Initial work adding oauth to api 2011-10-20 13:57:35 +00:00			`dbesc($key),`
			`dbesc($sec),`
oauth: authorize 2011-11-07 16:36:41 +00:00			`dbesc($consumer->key),`
Initial work adding oauth to api 2011-10-20 13:57:35 +00:00			`'access',`
one more 2015-05-24 16:30:31 +00:00			`time()+intval(ACCESS_TOKEN_DURATION),`
oauth: authorize 2011-11-07 16:36:41 +00:00			`intval($uverifier));`
several oauth fixes - shred doesn't completely work yet, but it also doesn't completely NOT work, so at least there's some improvement 2013-09-17 04:35:52 +00:00
cleanup 2019-05-15 05:16:49 +00:00			`if ($r) {`
			`$ret = new OAuth1Token($key,$sec);`
			`}`
some major cleanup of api authentication stuff - still needs much more and this still may not solve #206 2015-12-11 00:39:46 +00:00			`}`
Initial work adding oauth to api 2011-10-20 13:57:35 +00:00

some major cleanup of api authentication stuff - still needs much more and this still may not solve #206 2015-12-11 00:39:46 +00:00			`q("DELETE FROM tokens WHERE id='%s'", $token->key);`
oauth: authorize view, wrong verifier. 2011-11-02 08:54:07 +00:00

cleanup 2019-05-15 05:16:49 +00:00			`if (! is_null($ret) && $uverifier !== false) {`
			`del_config('oauth', $verifier);`
some major cleanup of api authentication stuff - still needs much more and this still may not solve #206 2015-12-11 00:39:46 +00:00			`}`
			`return $ret;`
oauth: authorize view, wrong verifier. 2011-11-02 08:54:07 +00:00			`}`
Initial work adding oauth to api 2011-10-20 13:57:35 +00:00			`}`

remove the unqualified "OAuth" namespace from the project. We need to reference either OAuth1 or OAuth2. 2015-12-13 23:35:45 +00:00			`class ZotOAuth1 extends OAuth1Server {`
Implement permission checking for OAuth clients using the xperm table. Currently 'all' permissions are applied to OAuth clients which gives them the same rights as the channel owner and full access to API functions as the channel owner. However, individual permissions can now be created. These mirror the permission names from the normal permission table (although it isn't required that they do so). Lack of an xp_perm entry for the specified permission and lack of an 'all' override indicates permission denied. 2015-05-18 01:14:50 +00:00
Initial work adding oauth to api 2011-10-20 13:57:35 +00:00			`function __construct() {`
remove the unqualified "OAuth" namespace from the project. We need to reference either OAuth1 or OAuth2. 2015-12-13 23:35:45 +00:00			`parent::__construct(new ZotOAuth1DataStore());`
			`$this->add_signature_method(new OAuth1SignatureMethod_PLAINTEXT());`
			`$this->add_signature_method(new OAuth1SignatureMethod_HMAC_SHA1());`
Initial work adding oauth to api 2011-10-20 13:57:35 +00:00			`}`
oauth: authorize 2011-11-07 16:36:41 +00:00
cleanup 2019-05-15 05:16:49 +00:00			`function loginUser($uid) {`
some major cleanup of api authentication stuff - still needs much more and this still may not solve #206 2015-12-11 00:39:46 +00:00
			`logger("ZotOAuth1::loginUser $uid");`

several oauth fixes - shred doesn't completely work yet, but it also doesn't completely NOT work, so at least there's some improvement 2013-09-17 04:35:52 +00:00			`$r = q("SELECT * FROM channel WHERE channel_id = %d LIMIT 1",`
oauth: authorize 2011-11-07 16:36:41 +00:00			`intval($uid)`
			`);`
cleanup 2019-05-15 05:16:49 +00:00			`if ($r) {`
oauth: authorize 2011-11-07 16:36:41 +00:00			`$record = $r[0];`
cleanup 2019-05-15 05:16:49 +00:00			`}`
			`else {`
some major cleanup of api authentication stuff - still needs much more and this still may not solve #206 2015-12-11 00:39:46 +00:00			`logger('ZotOAuth1::loginUser failure: ' . print_r($_SERVER,true), LOGGER_DEBUG);`
			`header('HTTP/1.0 401 Unauthorized');`
			`echo('This api requires login');`
			`killme();`
oauth: authorize 2011-11-07 16:36:41 +00:00			`}`
oauth wasn't logging in properly, also fixed api status_show to return last public post, not the last private post 2013-10-15 22:51:20 +00:00
several oauth fixes - shred doesn't completely work yet, but it also doesn't completely NOT work, so at least there's some improvement 2013-09-17 04:35:52 +00:00			`$_SESSION['uid'] = $record['channel_id'];`
oauth: authorize 2011-11-07 16:36:41 +00:00			`$_SESSION['addr'] = $_SERVER['REMOTE_ADDR'];`
some major cleanup of api authentication stuff - still needs much more and this still may not solve #206 2015-12-11 00:39:46 +00:00
oauth wasn't logging in properly, also fixed api status_show to return last public post, not the last private post 2013-10-15 22:51:20 +00:00			`$x = q("select * from account where account_id = %d limit 1",`
			`intval($record['channel_account_id'])`
			`);`
cleanup 2019-05-15 05:16:49 +00:00			`if ($x) {`
some major cleanup of api authentication stuff - still needs much more and this still may not solve #206 2015-12-11 00:39:46 +00:00			`require_once('include/security.php');`
sort out some of the authentication mess - with luck this may fix the DAV auth issue which I simply could not duplicate or find a reason for. 2016-07-21 00:55:40 +00:00			`authenticate_success($x[0],null,true,false,true,true);`
some major cleanup of api authentication stuff - still needs much more and this still may not solve #206 2015-12-11 00:39:46 +00:00			`$_SESSION['allow_api'] = true;`
oauth: authorize 2011-11-07 16:36:41 +00:00			`}`
			`}`

			`}`
some major cleanup of api authentication stuff - still needs much more and this still may not solve #206 2015-12-11 00:39:46 +00:00