Compare commits
No commits in common. "develop" and "master" have entirely different histories.
36
index.php
36
index.php
|
@ -1,5 +1,5 @@
|
||||||
<?php
|
<?php
|
||||||
/* Multi-user IndieAuth endpoint using server envvars from SSO
|
/* Single user IndieAuth endpoint using server envvars from SSO
|
||||||
* Based on https://github.com/inklings-io/selfauth
|
* Based on https://github.com/inklings-io/selfauth
|
||||||
*/
|
*/
|
||||||
require_once 'functions.php';
|
require_once 'functions.php';
|
||||||
|
@ -16,31 +16,21 @@ if ( ! is_null($code) ){
|
||||||
if ( ! (
|
if ( ! (
|
||||||
is_string($code) &&
|
is_string($code) &&
|
||||||
is_string($redirect_uri) &&
|
is_string($redirect_uri) &&
|
||||||
is_string($client_id)
|
is_string($client_id) &&
|
||||||
|
verify_signed_code( APP_KEY, USER_URL . $redirect_uri . $client_id, $code )
|
||||||
) ) {
|
) ) {
|
||||||
$error = 'Invalid request';
|
|
||||||
http_response_code(400);
|
|
||||||
include 'form.php';
|
|
||||||
die();
|
|
||||||
}
|
|
||||||
|
|
||||||
$code_parts = explode(':', $code, 3);
|
|
||||||
$suffix_parts = explode(':', base64_url_decode( $code_parts[2] ), 2 );
|
|
||||||
$user = $suffix_parts[0];
|
|
||||||
|
|
||||||
if ( ! verify_signed_code( APP_KEY, $user . $redirect_uri . $client_id, $code ) ) {
|
|
||||||
$error = 'Invalid code';
|
$error = 'Invalid code';
|
||||||
http_response_code(400);
|
http_response_code(400);
|
||||||
include 'form.php';
|
include 'form.php';
|
||||||
die();
|
die();
|
||||||
}
|
}
|
||||||
|
|
||||||
$response = array('me' => USER_URLS[$user]);
|
$response = array('me' => USER_URL);
|
||||||
|
$code_parts = explode(':', $code, 3);
|
||||||
$accept_header = $_SERVER['HTTP_ACCEPT'] ?: '*/*';
|
$accept_header = $_SERVER['HTTP_ACCEPT'] ?: '*/*';
|
||||||
|
|
||||||
if ( '' !== $suffix_parts[1] ) {
|
if ( '' !== $code_parts[2] ) {
|
||||||
$response['scope'] = $suffix_parts[1];
|
$response['scope'] = base64_url_decode($code_parts[2]);
|
||||||
}
|
}
|
||||||
|
|
||||||
$json = get_q_value('application/json', $accept_header);
|
$json = get_q_value('application/json', $accept_header);
|
||||||
|
@ -62,14 +52,13 @@ if ( ! is_null($code) ){
|
||||||
|
|
||||||
// No code submitted,
|
// No code submitted,
|
||||||
// Check login
|
// Check login
|
||||||
$user = $_SERVER["REMOTE_USER"];
|
if ( is_null($_SERVER["REMOTE_USER"]) ) {
|
||||||
if ( is_null($user) ) {
|
|
||||||
$error = 'Not logged in. Login on the <a href="https://auth.cool110.xyz/">SSO portal</a>';
|
$error = 'Not logged in. Login on the <a href="https://auth.cool110.xyz/">SSO portal</a>';
|
||||||
http_response_code(403);
|
http_response_code(403);
|
||||||
include 'form.php';
|
include 'form.php';
|
||||||
die();
|
die();
|
||||||
} elseif ( ! array_key_exists( $user, USER_URLS ) ){
|
} elseif ( USER_NAME !== $_SERVER["REMOTE_USER"] ){
|
||||||
$error = 'Account not provisioned';
|
$error = 'This system is for ' . USER_NAME . ' only.';
|
||||||
http_response_code(403);
|
http_response_code(403);
|
||||||
include 'form.php';
|
include 'form.php';
|
||||||
die();
|
die();
|
||||||
|
@ -119,8 +108,7 @@ if ( ! is_null($csrf_code) ) {
|
||||||
$scope = implode( ' ', $scope );
|
$scope = implode( ' ', $scope );
|
||||||
}
|
}
|
||||||
|
|
||||||
$suffix = $user . ':' . $scope;
|
$code = create_signed_code( APP_KEY, USER_URL . $redirect_uri . $client_id, 5 * 60, $scope );
|
||||||
$code = create_signed_code( APP_KEY, $user . $redirect_uri . $client_id, 5 * 60, $suffix );
|
|
||||||
|
|
||||||
$final_redir = $redirect_uri;
|
$final_redir = $redirect_uri;
|
||||||
if ( strpos($redirect_uri, '?') === false ) {
|
if ( strpos($redirect_uri, '?') === false ) {
|
||||||
|
@ -131,7 +119,7 @@ if ( ! is_null($csrf_code) ) {
|
||||||
|
|
||||||
$parameters = array(
|
$parameters = array(
|
||||||
'code' => $code,
|
'code' => $code,
|
||||||
'me' => USER_URLS[$user]
|
'me' => USER_URL
|
||||||
);
|
);
|
||||||
if ( ! is_null($state) ) {
|
if ( ! is_null($state) ) {
|
||||||
$parameters['state'] = $state;
|
$parameters['state'] = $state;
|
||||||
|
|
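Review bot: The HMAC input on the new side, `USER_URL . $redirect_uri . $client_id` (hunk `@ -16,31 +16,21 @@` at redemption and again at issuance in hunk `@ -119,8 +108,7 @@`), joins the three values with no delimiter, so two different (redirect_uri, client_id) pairs whose concatenation is the same string verify against the same code; whether such a pair can reach this point depends on how redirect_uri is checked against client_id earlier in the file, which is outside this section, but a fixed separator used identically in both calls, e.g. `USER_URL . "\0" . $redirect_uri . "\0" . $client_id`, removes the ambiguity regardless. In the same hunk `$_SERVER['HTTP_ACCEPT'] ?: '*/*'` only covers an empty header: when the header is absent PHP 8 raises an undefined-array-key warning before the fallback is applied, so `$_SERVER['HTTP_ACCEPT'] ?? '*/*'` is the guard that was intended. The same pattern appears in the next hunk as `is_null($_SERVER["REMOTE_USER"])`, where `! isset($_SERVER["REMOTE_USER"])` gives the same decision without the warning on an unauthenticated request. This reads the right-hand column as the head side under review; if the compare direction is the reverse, the delimiter point applies unchanged to the left column's `$user . $redirect_uri . $client_id`.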