
@ -1,5 +1,5 @@
<?php <?php
/* Multi-user IndieAuth endpoint using server envvars from SSO /* Single user IndieAuth endpoint using server envvars from SSO
* Based on https://github.com/inklings-io/selfauth * Based on https://github.com/inklings-io/selfauth
*/ */
require_once 'functions.php'; require_once 'functions.php';
@ -16,31 +16,21 @@ if ( ! is_null($code) ){
if ( ! ( if ( ! (
is_string($code) && is_string($code) &&
is_string($redirect_uri) && is_string($redirect_uri) &&
is_string($client_id) is_string($client_id) &&
verify_signed_code( APP_KEY, USER_URL . $redirect_uri . $client_id, $code )
) ) { ) ) {
$error = 'Invalid request';
http_response_code(400);
include 'form.php';
die();
}
$code_parts = explode(':', $code, 3);
$suffix_parts = explode(':', base64_url_decode( $code_parts[2] ), 2 );
$user = $suffix_parts[0];
if ( ! verify_signed_code( APP_KEY, $user . $redirect_uri . $client_id, $code ) ) {
$error = 'Invalid code'; $error = 'Invalid code';
http_response_code(400); http_response_code(400);
include 'form.php'; include 'form.php';
die(); die();
} }
$response = array('me' => USER_URLS[$user]); $response = array('me' => USER_URL);
$code_parts = explode(':', $code, 3);
$accept_header = $_SERVER['HTTP_ACCEPT'] ?: '*/*'; $accept_header = $_SERVER['HTTP_ACCEPT'] ?: '*/*';
if ( '' !== $suffix_parts[1] ) { if ( '' !== $code_parts[2] ) {
$response['scope'] = $suffix_parts[1]; $response['scope'] = base64_url_decode($code_parts[2]);
} }
$json = get_q_value('application/json', $accept_header); $json = get_q_value('application/json', $accept_header);
@ -62,14 +52,13 @@ if ( ! is_null($code) ){
// No code submitted, // No code submitted,
// Check login // Check login
$user = $_SERVER["REMOTE_USER"]; if ( is_null($_SERVER["REMOTE_USER"]) ) {
if ( is_null($user) ) {
$error = 'Not logged in. Login on the <a href="https://auth.cool110.xyz/">SSO portal</a>'; $error = 'Not logged in. Login on the <a href="https://auth.cool110.xyz/">SSO portal</a>';
http_response_code(403); http_response_code(403);
include 'form.php'; include 'form.php';
die(); die();
} elseif ( ! array_key_exists( $user, USER_URLS ) ){ } elseif ( USER_NAME !== $_SERVER["REMOTE_USER"] ){
$error = 'Account not provisioned'; $error = 'This system is for ' . USER_NAME . ' only.';
http_response_code(403); http_response_code(403);
include 'form.php'; include 'form.php';
die(); die();
@ -119,8 +108,7 @@ if ( ! is_null($csrf_code) ) {
$scope = implode( ' ', $scope ); $scope = implode( ' ', $scope );
} }
$suffix = $user . ':' . $scope; $code = create_signed_code( APP_KEY, USER_URL . $redirect_uri . $client_id, 5 * 60, $scope );
$code = create_signed_code( APP_KEY, $user . $redirect_uri . $client_id, 5 * 60, $suffix );
$final_redir = $redirect_uri; $final_redir = $redirect_uri;
if ( strpos($redirect_uri, '?') === false ) { if ( strpos($redirect_uri, '?') === false ) {
@ -131,7 +119,7 @@ if ( ! is_null($csrf_code) ) {
$parameters = array( $parameters = array(
'code' => $code, 'code' => $code,
'me' => USER_URLS[$user] 'me' => USER_URL
); );
if ( ! is_null($state) ) { if ( ! is_null($state) ) {
$parameters['state'] = $state; $parameters['state'] = $state;