mirror of
https://codeberg.org/streams/streams.git
synced 2024-09-19 16:35:19 +00:00
Successful OAuth2 sequence demonstrated with the test vehicle, including an authenticated API call using an access_token.
This commit is contained in:
parent
e3095ce6b2
commit
45e0fc6802
5 changed files with 137 additions and 82 deletions
|
@ -6,28 +6,6 @@ use Zotlabs\Identity\OAuth2Storage;
|
|||
|
||||
class Authorize extends \Zotlabs\Web\Controller {
|
||||
|
||||
function init() {
|
||||
|
||||
// workaround for HTTP-auth in CGI mode
|
||||
if (x($_SERVER, 'REDIRECT_REMOTE_USER')) {
|
||||
$userpass = base64_decode(substr($_SERVER["REDIRECT_REMOTE_USER"], 6));
|
||||
if (strlen($userpass)) {
|
||||
list($name, $password) = explode(':', $userpass);
|
||||
$_SERVER['PHP_AUTH_USER'] = $name;
|
||||
$_SERVER['PHP_AUTH_PW'] = $password;
|
||||
}
|
||||
}
|
||||
|
||||
if (x($_SERVER, 'HTTP_AUTHORIZATION')) {
|
||||
$userpass = base64_decode(substr($_SERVER["HTTP_AUTHORIZATION"], 6));
|
||||
if (strlen($userpass)) {
|
||||
list($name, $password) = explode(':', $userpass);
|
||||
$_SERVER['PHP_AUTH_USER'] = $name;
|
||||
$_SERVER['PHP_AUTH_PW'] = $password;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function get() {
|
||||
if (!local_channel()) {
|
||||
return login();
|
||||
|
@ -37,7 +15,7 @@ class Authorize extends \Zotlabs\Web\Controller {
|
|||
// http://openid.net/specs/openid-connect-registration-1_0.html
|
||||
$app = array(
|
||||
'name' => (x($_REQUEST, 'client_name') ? urldecode($_REQUEST['client_name']) : 'Unknown App'),
|
||||
'icon' => (x($_REQUEST, 'logo_uri') ? urldecode($_REQUEST['logo_uri']) : '/images/icons/plugin.png'),
|
||||
'icon' => (x($_REQUEST, 'logo_uri') ? urldecode($_REQUEST['logo_uri']) : z_root() . '/images/icons/plugin.png'),
|
||||
'url' => (x($_REQUEST, 'client_uri') ? urldecode($_REQUEST['client_uri']) : ''),
|
||||
);
|
||||
$o .= replace_macros(get_markup_template('oauth_authorize.tpl'), array(
|
||||
|
@ -76,20 +54,26 @@ class Authorize extends \Zotlabs\Web\Controller {
|
|||
if (x($_POST, 'redirect_uri')) {
|
||||
$redirect_uri = $_POST['redirect_uri'];
|
||||
} else {
|
||||
$redirect_uri = $_POST['redirect_uri'] = 'https://fake.example.com';
|
||||
$redirect_uri = $_POST['redirect_uri'] = 'https://fake.example.com/oauth';
|
||||
}
|
||||
|
||||
$request = \OAuth2\Request::createFromGlobals();
|
||||
$response = new \OAuth2\Response();
|
||||
|
||||
// If the client is not registered, add to the database
|
||||
if (!$storage->getClientDetails($client_id)) {
|
||||
if (!$client = $storage->getClientDetails($client_id)) {
|
||||
$client_secret = random_string(16);
|
||||
// Client apps are registered per channel
|
||||
$user_id = local_channel();
|
||||
$storage->setClientDetails($client_id, $client_secret, $redirect_uri, 'authorization_code', null, $user_id);
|
||||
$response->setParameter('client_secret', $client_secret);
|
||||
|
||||
}
|
||||
if (!$client = $storage->getClientDetails($client_id)) {
|
||||
// There was an error registering the client.
|
||||
$response->send();
|
||||
killme();
|
||||
}
|
||||
$response->setParameter('client_secret', $client['client_secret']);
|
||||
|
||||
// validate the authorize request
|
||||
if (!$s->validateAuthorizeRequest($request, $response)) {
|
||||
|
|
|
@ -2,6 +2,12 @@
|
|||
|
||||
namespace Zotlabs\Module;
|
||||
|
||||
/**
|
||||
* The OAuth2TestVehicle class is a way to test the registration of an OAuth2
|
||||
* client app. It allows you to walk through the steps of registering a client,
|
||||
* requesting an authorization code for that client, and then requesting an
|
||||
* access token for use in authentication against the Hubzilla API endpoints.
|
||||
*/
|
||||
class OAuth2TestVehicle extends \Zotlabs\Web\Controller {
|
||||
|
||||
function init() {
|
||||
|
@ -14,17 +20,19 @@ class OAuth2TestVehicle extends \Zotlabs\Web\Controller {
|
|||
// cookie, and compare it when the user comes back. This ensures your
|
||||
// redirection endpoint isn't able to be tricked into attempting to
|
||||
// exchange arbitrary authorization codes."
|
||||
if ($_REQUEST['code'] && $_REQUEST['state']) {
|
||||
logger('Authorization callback invoked.', LOGGER_DEBUG);
|
||||
logger(json_encode($_REQUEST, JSON_PRETTY_PRINT), LOGGER_DEBUG);
|
||||
info('Authorization callback invoked.' . EOL);
|
||||
return $this->get();
|
||||
}
|
||||
$_SESSION['redirect_uri'] = 'http://hub.localhost/oauth2testvehicle';
|
||||
$_SESSION['authorization_code'] = (x($_REQUEST, 'code') ? $_REQUEST['code'] : $_SESSION['authorization_code']);
|
||||
$_SESSION['state'] = (x($_REQUEST, 'state') ? $_REQUEST['state'] : $_SESSION['state'] );
|
||||
$_SESSION['client_id'] = (x($_REQUEST, 'client_id') ? $_REQUEST['client_id'] : $_SESSION['client_id'] );
|
||||
$_SESSION['client_secret'] = (x($_REQUEST, 'client_secret') ? $_REQUEST['client_secret'] : $_SESSION['client_secret']);
|
||||
$_SESSION['access_token'] = (x($_REQUEST, 'access_token') ? $_REQUEST['access_token'] : $_SESSION['access_token'] );
|
||||
$_SESSION['api_response'] = (x($_SESSION, 'api_response') ? $_SESSION['api_response'] : '');
|
||||
}
|
||||
function get() {
|
||||
|
||||
|
||||
$o .= replace_macros(get_markup_template('oauth2testvehicle.tpl'), array(
|
||||
'$baseurl' => z_root(),
|
||||
'$api_response' => $_SESSION['api_response'],
|
||||
/*
|
||||
endpoints => array(
|
||||
array(
|
||||
|
@ -49,7 +57,8 @@ class OAuth2TestVehicle extends \Zotlabs\Web\Controller {
|
|||
),
|
||||
'oauth2test_delete_db',
|
||||
'Delete the OAuth2 database tables',
|
||||
'POST'
|
||||
'POST',
|
||||
($_SESSION['success'] === 'delete_db'),
|
||||
),
|
||||
array(
|
||||
'oauth2testvehicle',
|
||||
|
@ -60,58 +69,76 @@ class OAuth2TestVehicle extends \Zotlabs\Web\Controller {
|
|||
),
|
||||
'oauth2test_create_db',
|
||||
'Create the OAuth2 database tables',
|
||||
'POST'
|
||||
'POST',
|
||||
($_SESSION['success'] === 'create_db'),
|
||||
),
|
||||
array(
|
||||
'authorize',
|
||||
array(
|
||||
array('response_type', 'code'),
|
||||
array('client_id', urlencode('killer_app')),
|
||||
array('redirect_uri', 'http://hub.localhost/oauth2testvehicle'),
|
||||
array('client_id', (x($_REQUEST, 'client_id') ? $_REQUEST['client_id'] : 'oauth2_test_app')),
|
||||
array('redirect_uri', $_SESSION['redirect_uri']),
|
||||
array('state', 'xyz'),
|
||||
// OpenID Connect Dynamic Client Registration 1.0 Client Metadata
|
||||
// http://openid.net/specs/openid-connect-registration-1_0.html
|
||||
array('client_name', urlencode('Killer App')),
|
||||
array('logo_uri', urlencode('https://client.example.com/website/img/icon.png')),
|
||||
array('client_name', 'OAuth2 Test App'),
|
||||
array('logo_uri', urlencode(z_root() . '/images/icons/plugin.png')),
|
||||
array('client_uri', urlencode('https://client.example.com/website')),
|
||||
array('application_type', 'web'), // would be 'native' for mobile app
|
||||
),
|
||||
'oauth_authorize',
|
||||
'Authorize a test client app',
|
||||
'GET'
|
||||
'GET',
|
||||
(($_REQUEST['code'] && $_REQUEST['state']) ? true : false),
|
||||
),
|
||||
/*
|
||||
* POST https://api.authorization-server.com/token
|
||||
grant_type=authorization_code&
|
||||
code=AUTH_CODE_HERE&
|
||||
redirect_uri=REDIRECT_URI&
|
||||
client_id=CLIENT_ID
|
||||
*/
|
||||
array(
|
||||
'oauth2testvehicle',
|
||||
array(
|
||||
array('action', 'request_token'),
|
||||
array('grant_type', 'authorization_code'),
|
||||
array('code', (x($_REQUEST, 'code') ? $_REQUEST['code'] : 'no_authorization_code')),
|
||||
array('redirect_uri', 'http://hub.localhost/oauth2testvehicle'),
|
||||
array('client_id', urlencode('killer_app')),
|
||||
array('client_secret', (x($_REQUEST, 'client_secret') ? $_REQUEST['client_secret'] : 'no_client_secret')),
|
||||
array('code', $_SESSION['authorization_code']),
|
||||
array('redirect_uri', $_SESSION['redirect_uri']),
|
||||
array('client_id', ($_SESSION['client_id'] ? $_SESSION['client_id'] : 'oauth2_test_app')),
|
||||
array('client_secret', $_SESSION['client_secret']),
|
||||
),
|
||||
'oauth_token_request',
|
||||
'Request a token',
|
||||
'POST'
|
||||
'POST',
|
||||
($_SESSION['success'] === 'request_token'),
|
||||
),
|
||||
array(
|
||||
'oauth2testvehicle',
|
||||
array(
|
||||
array('action', 'api_files'),
|
||||
array('access_token', $_SESSION['access_token']),
|
||||
),
|
||||
'oauth_api_files',
|
||||
'API: Get channel files',
|
||||
'POST',
|
||||
($_SESSION['success'] === 'api_files'),
|
||||
)
|
||||
)
|
||||
));
|
||||
|
||||
$_SESSION['success'] = '';
|
||||
return $o;
|
||||
}
|
||||
|
||||
function post() {
|
||||
|
||||
//logger(json_encode($_POST, JSON_PRETTY_PRINT), LOGGER_DEBUG);
|
||||
|
||||
switch ($_POST['action']) {
|
||||
case 'api_files':
|
||||
$access_token = $_SESSION['access_token'];
|
||||
$url = z_root() . '/api/z/1.0/files/';
|
||||
$headers = [];
|
||||
$headers[] = 'Authorization: Bearer ' . $access_token;
|
||||
$post = z_fetch_url($url, false, 0, array(
|
||||
'custom' => 'GET',
|
||||
'headers' => $headers,
|
||||
));
|
||||
logger(json_encode($post, JSON_PRETTY_PRINT), LOGGER_DEBUG);
|
||||
$response = json_decode($post['body'], true);
|
||||
$_SESSION['api_response'] = json_encode($response, JSON_PRETTY_PRINT);
|
||||
break;
|
||||
case 'request_token':
|
||||
$grant_type = (x($_POST, 'grant_type') ? $_POST['grant_type'] : '');
|
||||
$redirect_uri = (x($_POST, 'redirect_uri') ? $_POST['redirect_uri'] : '');
|
||||
|
@ -119,19 +146,21 @@ class OAuth2TestVehicle extends \Zotlabs\Web\Controller {
|
|||
$code = (x($_POST, 'code') ? $_POST['code'] : '');
|
||||
$client_secret = (x($_POST, 'client_secret') ? $_POST['client_secret'] : '');
|
||||
$url = z_root() . '/token/?';
|
||||
$url .= 'grant_type=' . urlencode($grant_type);
|
||||
$url .= 'grant_type=' . $grant_type;
|
||||
$url .= '&redirect_uri=' . urlencode($redirect_uri);
|
||||
$url .= '&client_id=' . urlencode($client_id);
|
||||
$url .= '&code=' . urlencode($code);
|
||||
$url .= '&client_id=' . $client_id;
|
||||
$url .= '&code=' . $code;
|
||||
$post = z_fetch_url($url, false, 0, array(
|
||||
'custom' => 'POST',
|
||||
'http_auth' => $client_id . ':' . $client_secret,
|
||||
));
|
||||
//logger(json_encode($post, JSON_PRETTY_PRINT), LOGGER_DEBUG);
|
||||
logger(json_encode($post, JSON_PRETTY_PRINT), LOGGER_DEBUG);
|
||||
$response = json_decode($post['body'], true);
|
||||
logger(json_encode($response, JSON_PRETTY_PRINT), LOGGER_DEBUG);
|
||||
if($response['access_token']) {
|
||||
info('Access token received: ' . $response['access_token'] . EOL);
|
||||
$_SESSION['success'] = 'request_token';
|
||||
$_SESSION['access_token'] = $response['access_token'];
|
||||
}
|
||||
break;
|
||||
case 'delete_db':
|
||||
|
@ -140,26 +169,23 @@ class OAuth2TestVehicle extends \Zotlabs\Web\Controller {
|
|||
// by passing it the database connection
|
||||
$pdo = \DBA::$dba->db;
|
||||
$storage = new \Zotlabs\Storage\ZotOauth2Pdo($pdo);
|
||||
logger('Deleting existing database tables...', LOGGER_DEBUG);
|
||||
foreach ($storage->getConfig() as $key => $table) {
|
||||
logger('Deleting table ' . dbesc($table), LOGGER_DEBUG);
|
||||
$r = q("DROP TABLE %s;", dbesc($table));
|
||||
if (!$r) {
|
||||
logger('Errors encountered deleting database table ' . $table . '.', LOGGER_DEBUG);
|
||||
$status = false;
|
||||
}
|
||||
}
|
||||
if (!$status) {
|
||||
notice('Errors encountered deleting database tables.' . EOL);
|
||||
$_SESSION['success'] = '';
|
||||
} else {
|
||||
info('Database tables deleted successfully.' . EOL);
|
||||
$_SESSION['success'] = 'delete_db';
|
||||
}
|
||||
|
||||
break;
|
||||
|
||||
case 'create_db':
|
||||
$status = true;
|
||||
logger('Creating database tables...', LOGGER_DEBUG);
|
||||
@include('.htconfig.php');
|
||||
$pdo = \DBA::$dba->db;
|
||||
$storage = new \Zotlabs\Storage\ZotOauth2Pdo($pdo);
|
||||
|
@ -168,15 +194,17 @@ class OAuth2TestVehicle extends \Zotlabs\Web\Controller {
|
|||
$result = $pdo->exec($statement);
|
||||
} catch (\PDOException $e) {
|
||||
$status = false;
|
||||
logger('Error executing database statement: ' . $statement, LOGGER_DEBUG);
|
||||
}
|
||||
}
|
||||
|
||||
if (!$status) {
|
||||
notice('Errors encountered creating database tables.' . EOL);
|
||||
$_SESSION['success'] = '';
|
||||
} else {
|
||||
info('Database tables created successfully.' . EOL);
|
||||
$_SESSION['success'] = 'create_db';
|
||||
}
|
||||
break;
|
||||
|
||||
default:
|
||||
break;
|
||||
|
|
|
@ -14,25 +14,58 @@ function api_login(&$a){
|
|||
|
||||
// login with oauth
|
||||
try {
|
||||
$oauth = new ZotOAuth1();
|
||||
$req = OAuth1Request::from_request();
|
||||
// OAuth 2.0
|
||||
$storage = new \Zotlabs\Identity\OAuth2Storage(\DBA::$dba->db);
|
||||
$server = new \Zotlabs\Identity\OAuth2Server($storage);
|
||||
$request = \OAuth2\Request::createFromGlobals();
|
||||
if ($server->verifyResourceRequest($request)) {
|
||||
$token = $server->getAccessTokenData($request);
|
||||
$uid = $token['user_id'];
|
||||
$r = q("SELECT * FROM channel WHERE channel_id = %d LIMIT 1",
|
||||
intval($uid)
|
||||
);
|
||||
if (count($r)) {
|
||||
$record = $r[0];
|
||||
} else {
|
||||
header('HTTP/1.0 401 Unauthorized');
|
||||
echo('This api requires login');
|
||||
killme();
|
||||
}
|
||||
|
||||
list($consumer,$token) = $oauth->verify_request($req);
|
||||
$_SESSION['uid'] = $record['channel_id'];
|
||||
$_SESSION['addr'] = $_SERVER['REMOTE_ADDR'];
|
||||
|
||||
if (!is_null($token)){
|
||||
$oauth->loginUser($token->uid);
|
||||
$x = q("select * from account where account_id = %d LIMIT 1",
|
||||
intval($record['channel_account_id'])
|
||||
);
|
||||
if ($x) {
|
||||
require_once('include/security.php');
|
||||
authenticate_success($x[0], null, true, false, true, true);
|
||||
$_SESSION['allow_api'] = true;
|
||||
call_hooks('logged_in', App::$user);
|
||||
return;
|
||||
}
|
||||
} else {
|
||||
// OAuth 1.0
|
||||
$oauth = new ZotOAuth1();
|
||||
$req = OAuth1Request::from_request();
|
||||
|
||||
App::set_oauth_key($consumer->key);
|
||||
list($consumer, $token) = $oauth->verify_request($req);
|
||||
|
||||
call_hooks('logged_in', App::$user);
|
||||
return;
|
||||
if (!is_null($token)) {
|
||||
$oauth->loginUser($token->uid);
|
||||
|
||||
App::set_oauth_key($consumer->key);
|
||||
|
||||
call_hooks('logged_in', App::$user);
|
||||
return;
|
||||
}
|
||||
killme();
|
||||
}
|
||||
killme();
|
||||
}
|
||||
catch(Exception $e) {
|
||||
} catch (Exception $e) {
|
||||
logger($e->getMessage());
|
||||
}
|
||||
|
||||
|
||||
// workarounds for HTTP-auth in CGI mode
|
||||
|
||||
foreach([ 'REDIRECT_REMOTE_USER', 'HTTP_AUTHORIZATION' ] as $head) {
|
||||
|
|
|
@ -88,6 +88,8 @@ function z_fetch_url($url, $binary = false, $redirects = 0, $opts = array()) {
|
|||
$instance_headers[] = 'Cookie: PHPSESSID=' . session_id();
|
||||
}
|
||||
}
|
||||
logger('headers: ' . json_encode($instance_headers, JSON_PRETTY_PRINT));
|
||||
|
||||
if($instance_headers)
|
||||
@curl_setopt($ch, CURLOPT_HTTPHEADER, $instance_headers);
|
||||
|
||||
|
@ -143,7 +145,7 @@ function z_fetch_url($url, $binary = false, $redirects = 0, $opts = array()) {
|
|||
$base = $s;
|
||||
$curl_info = @curl_getinfo($ch);
|
||||
$http_code = $curl_info['http_code'];
|
||||
//logger('fetch_url:' . $http_code . ' data: ' . $s);
|
||||
logger('fetch_url:' . $http_code . ' data: ' . $s);
|
||||
$header = '';
|
||||
|
||||
// Pull out multiple headers, e.g. proxy and continuation headers
|
||||
|
|
|
@ -4,10 +4,18 @@
|
|||
<div class="oath2test-form-box">
|
||||
<form action="{{$baseurl}}/{{$ept.0}}/" method="{{$ept.4}}">
|
||||
<h3>{{$ept.3}}</h3>
|
||||
<p>{{$baseurl}}/{{$ept.0}}/?{{foreach $ept.1 as $field}}{{$field.0}}={{$field.1}}&<input type="hidden" name="{{$field.0}}" value="{{$field.1}}" />{{/foreach}}
|
||||
</p>
|
||||
{{$baseurl}}/{{$ept.0}}/?{{foreach $ept.1 as $field}}{{$field.0}}={{$field.1}}&<input type="hidden" name="{{$field.0}}" value="{{$field.1}}" />{{/foreach}}
|
||||
<br>
|
||||
<button type="submit" name="{{$ept.2}}_submit" value="submit" class="btn btn-med" title="">Submit</button>
|
||||
|
||||
<span style="display: {{if $ept.5}}inline{{else}}none{{/if}}; font-size: 2em;"> <i class="fa fa-check"></i></span>
|
||||
</form>
|
||||
</div>
|
||||
{{/foreach}}
|
||||
{{/foreach}}
|
||||
<div>
|
||||
<h3>API response</h3>
|
||||
<pre style="display: inline-block; overflow-x: auto; white-space: nowrap; width: 100%;">
|
||||
<code>
|
||||
{{$api_response}}
|
||||
</code>
|
||||
</pre>
|
||||
</div>
|
Loading…
Reference in a new issue