jjkiers/OAuth
1
0
Fork 0
Code Issues 2 Pull Requests 1 Packages Projects Releases 1 Wiki Activity

Renamed namespace to JacobKiers

Browse Source
This commit is contained in:
Jacob Kiers
2013-02-08 10:32:26 +00:00
parent 81a1af738b
commit 204ec8b42f
20 changed files with 123 additions and 124 deletions
Download Patch File Download Diff File Expand all files Collapse all files

62
src/JacobKiers/OAuth/Client.php Normal file
View File

@@ -0,0 +1,62 @@
<?php
/**
* OAuth
*
* @package OAuth
* @author Andy Smith
* @author Gary Jones <gary@garyjones.co.uk>
* @license https://raw.github.com/jacobkiers/OAuth/master/LICENSE MIT
* @link https://github.com/jacobkiers/OAuth
*/
namespace JacobKiers\OAuth;
/**
* Client holds the properties of a single client / consumer.
*
* @package OAuth
* @author Gary Jones <gary@garyjones.co.uk>
*/
class Client extends Credential
{
/**
* URL to which authorized requests will redirect to.
*
* @var string
*/
protected $callback_url;
/**
* Constructs a new client object and populates the required parameters.
*
* @param string $key Client key / identifier.
* @param string $secret Client shared-secret.
* @param string $callback_url URL to which authorized request will redirect to.
*/
public function __construct($key, $secret, $callback_url = null)
{
$this->setKey($key);
$this->setSecret($secret);
$this->setCallbackUrl($callback_url);
}
/**
* Get the callback URL.
*
* @return string
*/
public function getCallbackUrl()
{
return $this->callback_url;
}
/**
* Set the callbackURL
*
* @param string $callback_url
*/
public function setCallbackUrl($callback_url)
{
$this->callback_url = $callback_url;
}
}

75
src/JacobKiers/OAuth/Credential.php Normal file
View File

@@ -0,0 +1,75 @@
<?php
/**
* OAuth
*
* @package OAuth
* @author Andy Smith
* @author Gary Jones <gary@garyjones.co.uk>
* @license https://raw.github.com/jacobkiers/OAuth/master/LICENSE MIT
* @link https://github.com/jacobkiers/OAuth
*/
namespace JacobKiers\OAuth;
/**
* Credential is the blueprint for all key + secret classes.
*
* @package OAuth
* @author Gary Jones <gary@garyjones.co.uk>
*/
abstract class Credential
{
/**
* The credential key.
*
* @var string
*/
protected $key;
/**
* The secret or shared-secret.
*
* @var string
*/
protected $secret;
/**
* Return the credential key.
*
* @return string Credential key.
*/
public function getKey()
{
return $this->key;
}
/**
* Set the credential key.
*
* @param string $key Credential identifier
*/
public function setKey($key)
{
$this->key = $key;
}
/**
* Return the credential secret
*
* @return string
*/
public function getSecret()
{
return $this->secret;
}
/**
* Set the credential key.
*
* @param string $key Credential identifier
*/
public function setSecret($secret)
{
$this->secret = $secret;
}
}

68
src/JacobKiers/OAuth/DataStore.php Normal file
View File

@@ -0,0 +1,68 @@
<?php
/**
* OAuth
*
* @package OAuth
* @author Andy Smith
* @author Gary Jones <gary@garyjones.co.uk>
* @license https://raw.github.com/jacobkiers/OAuth/master/LICENSE MIT
* @link https://github.com/jacobkiers/OAuth
*/
namespace JacobKiers\OAuth;
/**
* The actual implementation of validating and assigning tokens is left up to
* the system using this library.
*
* @package OAuth
* @author Gary Jones <gary@garyjones.co.uk>
*/
interface DataStore
{
/**
* Validate the client.
*
* @param string $client_key
*/
public function lookupClient($client_key);
/**
* Validate a token.
*
* @param JacobKiers\OAuth\Client $client
* @param JacobKiers\OAuth\Token $token
* @param string $token_type Request or access token
*/
public function lookupToken(Client $client, Token $token, $token_type);
/**
* Validate that a nonce has not been used with the same timestamp before.
*
* @param JacobKiers\OAuth\Client $client
* @param JacobKiers\OAuth\Token $token
* @param string $nonce
* @param int $timestamp
*/
public function lookupNonce(Client $client, Token $token, $nonce, $timestamp);
/**
* Return a new token attached to this client.
*
* @param JacobKiers\OAuth\Client $client
* @param string $callback URI to store as the post-authorization callback.
*/
public function newRequestToken(Client $client, $callback = null);
/**
* Return a new access token attached to this consumer for the user
* associated with this token if the request token is authorized.
*
* Should also invalidate the request token.
*
* @param JacobKiers\OAuth\Client $client
* @param JacobKiers\OAuth\Token $token
* @param string $verifier
*/
public function newAccessToken(Client $client, Token $token, $verifier = null);
}

62
src/JacobKiers/OAuth/HmacSha1.php Normal file
View File

@@ -0,0 +1,62 @@
<?php
/**
* OAuth
*
* @package OAuth
* @author Andy Smith
* @author Gary Jones <gary@garyjones.co.uk>
* @license https://raw.github.com/jacobkiers/OAuth/master/LICENSE MIT
* @link https://github.com/jacobkiers/OAuth
*/
namespace JacobKiers\OAuth;
/**
* The HMAC-SHA1 signature method.
*
* The HMAC-SHA1 signature method. uses the HMAC-SHA1 signature algorithm as defined in [RFC2104]
* where the Signature Base String is the text and the key is the concatenated values (each first
* encoded per Parameter Encoding) of the Consumer Secret and Token Secret, separated by an '&'
* character (ASCII code 38) even if empty.
* - Chapter 9.2 ("HMAC-SHA1")
*
* @package OAuth
* @author Andy Smith
*/
class HmacSha1 extends SignatureMethod
{
/**
* Return the name of the Signature Method.
*
* @return string
*/
public function getName()
{
return 'HMAC-SHA1';
}
/**
* Build up the signature.
*
* oauth_signature is set to the concatenated encoded values of the Client Secret and
* Token Secret, separated by a '&' character (ASCII code 38), even if either secret is
* empty. The result MUST be encoded again.
* - Chapter 9.4.1 ("Generating Signatures")
*
* Please note that the second encoding MUST NOT happen in the SignatureMethod, as
* OAuthRequest handles this!
*
* @param JacobKiers\OAuth\Request $request
* @param JacobKiers\OAuth\Client $client
* @param JacobKiers\OAuth\Token $token
*
* @return string
*/
public function buildSignature(Request $request, Client $client, Token $token = null)
{
$base_string = $request->getSignatureBaseString();
$key = $this->getSignatureKey($client, $token);
return base64_encode(hash_hmac('sha1', $base_string, $key, true));
}
}

35
src/JacobKiers/OAuth/NullToken.php Normal file
View File

@@ -0,0 +1,35 @@
<?php
/**
* OAuth
*
* @package OAuth
* @author Andy Smith
* @author Gary Jones <gary@garyjones.co.uk>
* @license https://raw.github.com/jacobkiers/OAuth/master/LICENSE MIT
* @link https://github.com/jacobkiers/OAuth
*/
namespace JacobKiers\OAuth;
/**
* Token holds the properties of a single token.
*
* This class deals with both temporary (request) and token (access) credntials.
*
* @package OAuth
* @author Gary Jones <gary@garyjones.co.uk>
*/
class NullToken extends Token
{
/**
* Constructs a new client object and populates the required parameters.
*
* @param string $key Client key / identifier.
* @param string $secret Client shared-secret.
*/
public function __construct()
{
$this->setKey('');
$this->setSecret('');
}
}

22
src/JacobKiers/OAuth/OAuthException.php Normal file
View File

@@ -0,0 +1,22 @@
<?php
/**
* OAuth
*
* @package OAuth
* @author Andy Smith
* @author Gary Jones <gary@garyjones.co.uk>
* @license https://raw.github.com/jacobkiers/OAuth/master/LICENSE MIT
* @link https://github.com/jacobkiers/OAuth
*/
namespace JacobKiers\OAuth;
/**
* Generic exception class.
*
* @package OAuth
* @author Andy Smith
*/
class OAuthException extends \Exception
{
}

57
src/JacobKiers/OAuth/PlainText.php Normal file
View File

@@ -0,0 +1,57 @@
<?php
/**
* OAuth
*
* @package OAuth
* @author Andy Smith
* @author Gary Jones <gary@garyjones.co.uk>
* @license https://raw.github.com/jacobkiers/OAuth/master/LICENSE MIT
* @link https://github.com/jacobkiers/OAuth
*/
namespace JacobKiers\OAuth;
/**
* PLAINTEXT signature method.
*
* The PLAINTEXT method does not provide any security protection and SHOULD only be used
* over a secure channel such as HTTPS. It does not use the Signature Base String.
* - Chapter 9.4 ("PLAINTEXT")
*
* @package OAuth
* @author Andy Smith
*/
class PlainText extends SignatureMethod
{
/**
* Return the name of the Signature Method.
*
* @return string
*/
public function getName()
{
return 'PLAINTEXT';
}
/**
* Build up the signature.
*
* oauth_signature is set to the concatenated encoded values of the Client Secret and
* Token Secret, separated by a '&' character (ASCII code 38), even if either secret is
* empty. The result MUST be encoded again.
* - Chapter 9.4.1 ("Generating Signatures")
*
* Please note that the second encoding MUST NOT happen in the SignatureMethod, as
* OAuthRequest handles this!
*
* @param JacobKiers\OAuth\Request $request
* @param JacobKiers\OAuth\Client $client
* @param JacobKiers\OAuth\Token $token
*
* @return string
*/
public function buildSignature(Request $request, Client $client, Token $token = null)
{
return $this->getSignatureKey($client, $token);
}
}

419
src/JacobKiers/OAuth/Request.php Normal file
View File

@@ -0,0 +1,419 @@
<?php
/**
* OAuth
*
* @package OAuth
* @author Andy Smith
* @author Gary Jones <gary@garyjones.co.uk>
* @license https://raw.github.com/jacobkiers/OAuth/master/LICENSE MIT
* @link https://github.com/jacobkiers/OAuth
*/
namespace JacobKiers\OAuth;
/**
* Handle an OAuth request.
*
* @package OAuth
* @author Andy Smith
*/
class Request
{
/**
* HTTP parameters.
*
* @var array
*/
protected $parameters;
/**
* HTTP method - likely GET or POST.
*
* @var string HTTP method.
*/
protected $http_method;
/**
* The URL the request was made to.
*
* @var string Request URL.
*/
protected $http_url;
/**
* OAuth version.
*
* @var string
*/
public static $version = '1.0';
/**
* Stream of POSTed file.
*
* @var string
*/
public static $POST_INPUT = 'php://input';
/**
* Construct a Request object.
*
* @param string $http_method Request HTTP method.
* @param string $http_url Request URL.
* @param array $parameters HTTP parameters.
*/
public function __construct($http_method, $http_url, array $parameters = null)
{
$parameters = ($parameters) ? $parameters : array();
$this->parameters = array_merge(Util::parseParameters(parse_url($http_url, PHP_URL_QUERY)), $parameters);
$this->http_method = $http_method;
$this->http_url = $http_url;
}
/**
* a
*/
/**
* Attempt to build up a request from what was passed to the server.
*
* @param string $http_method Request HTTP method.
* @param string $http_url Request URL.
* @param array $parameters HTTP parameters.
*
* @return JacobKiers\OAuth\Request
*/
public static function fromRequest($http_method = null, $http_url = null, $parameters = null)
{
$scheme = (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != 'on') ? 'http' : 'https';
$http_url = ($http_url) ? $http_url : $scheme .
'://' . $_SERVER['HTTP_HOST'] .
':' .
$_SERVER['SERVER_PORT'] .
$_SERVER['REQUEST_URI'];
$http_method = ($http_method) ? $http_method : $_SERVER['REQUEST_METHOD'];
// We weren't handed any parameters, so let's find the ones relevant to
// this request.
// If you run XML-RPC or similar you should use this to provide your own
// parsed parameter-list
if (!$parameters) {
// Find request headers
$request_headers = Util::getHeaders();
// Parse the query-string to find GET parameters
$parameters = Util::parseParameters($_SERVER['QUERY_STRING']);
// It's a POST request of the proper content-type, so parse POST
// parameters and add those overriding any duplicates from GET
if ('POST' == $http_method
&& isset($request_headers['Content-Type'])
&& strstr($request_headers['Content-Type'], 'application/x-www-form-urlencoded')
) {
$post_data = Util::parseParameters(
file_get_contents(self::$POST_INPUT)
);
$parameters = array_merge($parameters, $post_data);
}
// We have a Authorization-header with OAuth data. Parse the header
// and add those overriding any duplicates from GET or POST
if (isset($request_headers['Authorization']) &&
substr($request_headers['Authorization'], 0, 6) == 'OAuth ') {
$header_parameters = Util::splitHeader(
$request_headers['Authorization']
);
$parameters = array_merge($parameters, $header_parameters);
}
}
return new Request($http_method, $http_url, $parameters);
}
/**
* Helper function to set up the request.
*
* @param JacobKiers\OAuth\Client $client
* @param JacobKiers\OAuth\Token $token
* @param string $http_method
* @param string $http_url
* @param array $parameters
*
* @return JacobKiers\OAuth\Request
*/
public static function fromClientAndToken(
Client $client,
Token $token,
$http_method,
$http_url,
array $parameters = null
) {
$parameters = ($parameters) ? $parameters : array();
$defaults = array(
'oauth_version' => Request::$version,
'oauth_nonce' => Request::generateNonce(),
'oauth_timestamp' => Request::generateTimestamp(),
'oauth_consumer_key' => $client->getKey());
if ($token) {
$defaults['oauth_token'] = $token->getKey();
}
$parameters = array_merge($defaults, $parameters);
return new Request($http_method, $http_url, $parameters);
}
/**
* Add additional parameter to Request.
*
* @param string $name
* @param string $value
* @param bool $allow_duplicates
*/
public function setParameter($name, $value, $allow_duplicates = true)
{
if ($allow_duplicates && isset($this->parameters[$name])) {
// We have already added parameter(s) with this name, so add to the list
if (is_scalar($this->parameters[$name])) {
// This is the first duplicate, so transform scalar (string)
// into an array so we can add the duplicates
$this->parameters[$name] = array($this->parameters[$name]);
}
$this->parameters[$name][] = $value;
} else {
$this->parameters[$name] = $value;
}
}
/**
* Get single request parameter by name.
*
* @param string $name
*
* @return string
*/
public function getParameter($name)
{
return isset($this->parameters[$name]) ? $this->parameters[$name] : null;
}
/**
* Get all request parameters.
*
* @return array
*/
public function getParameters()
{
return $this->parameters;
}
/**
* Unset single request parameter by name.
*
* @param string $name
*/
public function unsetParameter($name)
{
unset($this->parameters[$name]);
}
/**
* The request parameters, sorted and concatenated into a normalized string.
*
* @return string
*/
public function getSignableParameters()
{
// Grab all parameters
$params = $this->getParameters();
// Remove oauth_signature if present
// Ref: Spec: 9.1.1 ("The oauth_signature parameter MUST be excluded.")
if (isset($params['oauth_signature'])) {
unset($params['oauth_signature']);
}
return Util::buildHttpQuery($params);
}
/**
* Returns the base string of this request
*
* The base string defined as the method, the url
* and the parameters (normalized), each urlencoded
* and the concated with &.
*/
public function getSignatureBaseString()
{
$parts = array(
$this->getNormalizedHttpMethod(),
$this->getNormalizedHttpUrl(),
$this->getSignableParameters()
);
$encoded_parts = Util::urlencodeRfc3986($parts);
return implode('&', $encoded_parts);
}
/**
* Uppercases the HTTP method.
*
* @return string
*/
public function getNormalizedHttpMethod()
{
return strtoupper($this->http_method);
}
/**
* Parses the url and rebuilds it to be
* scheme://host/path
*
* @return string URL
*/
public function getNormalizedHttpUrl()
{
$parts = parse_url($this->http_url);
$scheme = (isset($parts['scheme'])) ? $parts['scheme'] : 'http';
$port = (isset($parts['port'])) ? $parts['port'] : '';
if (isset($parts['host'])) {
// parse_url in PHP 5.4.8 includes the port in the host, so we need to strip it.
$host_and_maybe_port = explode(':', $parts['host']);
$host = $host_and_maybe_port[0];
} else {
$host = '';
}
// For PHP 5.4+, use:
// $host = (isset($parts['host'])) ? explode(':', $parts['host'])[0] : '';
$path = (isset($parts['path'])) ? $parts['path'] : '';
if ($port) {
if (('https' == $scheme && $port != '443')
|| ('http' == $scheme && $port != '80')) {
$host = "$host:$port";
}
}
return "$scheme://$host$path";
}
/**
* Builds a URL usable for a GET request.
*
* @return string
*/
public function toUrl()
{
$post_data = $this->toPostdata();
$out = $this->getNormalizedHttpUrl();
if ($post_data) {
$out .= '?' . $post_data;
}
return $out;
}
/**
* Builds the data one would send in a POST request.
*
* @return string
*/
public function toPostdata()
{
return Util::buildHttpQuery($this->getParameters());
}
/**
* Builds the Authorization: header.
*
* @param string $realm Authorization realm.
*
* @return string
*
* @throws JacobKiers\OAuth\OAuthException
*/
public function toHeader($realm = null)
{
$first = true;
if ($realm) {
$out = 'Authorization: OAuth realm="' . Util::urlencodeRfc3986($realm) . '"';
$first = false;
} else {
$out = 'Authorization: OAuth';
}
$total = array();
foreach ($this->parameters as $k => $v) {
if (substr($k, 0, 5) != 'oauth') {
continue;
}
if (is_array($v)) {
throw new OAuthException('Arrays not supported in headers');
}
$out .= ($first) ? ' ' : ',';
$out .= Util::urlencodeRfc3986($k) .
'="' .
Util::urlencodeRfc3986($v) .
'"';
$first = false;
}
return $out;
}
/**
* Return request object cast as string.
*
* @return string
*/
public function __toString()
{
return $this->toUrl();
}
/**
* Build signature and add it as parameter.
*
* @param string $signature_method
* @param JacobKiers\OAuth\Client $client
* @param JacobKiers\OAuth\Token $token
*/
public function signRequest($signature_method, Client $client, Token $token)
{
$this->setParameter('oauth_signature_method', $signature_method->getName(), false);
$signature = $this->buildSignature($signature_method, $client, $token);
$this->setParameter('oauth_signature', $signature, false);
}
/**
* Build signature.
*
* @param string $signature_method
* @param JacobKiers\OAuth\Client $client
* @param JacobKiers\OAuth\Token $token
*
* @return string
*/
public function buildSignature($signature_method, Client $client, Token $token)
{
return $signature_method->buildSignature($this, $client, $token);
}
/**
* Get current time.
*
* @return int Timestamp.
*/
private static function generateTimestamp()
{
return time();
}
/**
* Generate nonce.
*
* @return string 32-character hexadecimal number.
*/
private static function generateNonce()
{
return md5(microtime() . mt_rand()); // md5s look nicer than numbers
}
}

116
src/JacobKiers/OAuth/RsaSha1.php Normal file
View File

@@ -0,0 +1,116 @@
<?php
/**
* OAuth
*
* @package OAuth
* @author Andy Smith
* @author Gary Jones <gary@garyjones.co.uk>
* @license https://raw.github.com/jacobkiers/OAuth/master/LICENSE MIT
* @link https://github.com/jacobkiers/OAuth
*/
namespace JacobKiers\OAuth;
/**
* The RSA-SHA1 signature method.
*
* The RSA-SHA1 signature method uses the RSASSA-PKCS1-v1_5 signature algorithm as defined in
* [RFC3447] section 8.2 (more simply known as PKCS#1), using SHA-1 as the hash function for
* EMSA-PKCS1-v1_5. It is assumed that the Client has provided its RSA public key in a
* verified way to the Service Provider, in a manner which is beyond the scope of this
* specification.
* - Chapter 9.3 ("RSA-SHA1")
*
* @package OAuth
* @author Andy Smith
*/
abstract class RsaSha1 extends SignatureMethod
{
/**
* Return the name of the Signature Method.
*
* @return string
*/
public function getName()
{
return 'RSA-SHA1';
}
/**
* Up to the SP to implement this lookup of keys. Possible ideas are:
* (1) do a lookup in a table of trusted certs keyed off of client
* (2) fetch via http using a url provided by the requester
* (3) some sort of specific discovery code based on request
*
* Either way should return a string representation of the certificate
*
*/
abstract protected function fetchPublicCert(&$request);
/**
* Up to the SP to implement this lookup of keys. Possible ideas are:
* (1) do a lookup in a table of trusted certs keyed off of client
*
* Either way should return a string representation of the certificate
*/
abstract protected function fetchPrivateCert(&$request);
/**
* Build up the signature.
*
* @param JacobKiers\OAuth\Request $request
* @param JacobKiers\OAuth\Client $client
* @param JacobKiers\OAuth\Token $token
*
* @return string
*/
public function buildSignature(Request $request, Client $client, Token $token = null)
{
$base_string = $request->getSignatureBaseString();
// Fetch the private key cert based on the request
$cert = $this->fetchPrivateCert($request);
// Pull the private key ID from the certificate
$privatekeyid = openssl_get_privatekey($cert);
// Sign using the key
$ok = openssl_sign($base_string, $signature, $privatekeyid);
// Release the key resource
openssl_free_key($privatekeyid);
return base64_encode($signature);
}
/**
* Verifies that a given signature is correct.
*
* @param JacobKiers\OAuth\Request $request
* @param JacobKiers\OAuth\Consumer $client
* @param JacobKiers\OAuth\Token $token
* @param string $signature
*
* @return bool
*/
public function checkSignature(Request $request, Client $client, Token $token, $signature)
{
$base_string = $request->getSignatureBaseString();
$decoded_sig = base64_decode($signature);
// Fetch the public key cert based on the request
$cert = $this->fetchPublicCert($request);
// Pull the public key ID from the certificate
$publickeyid = openssl_get_publickey($cert);
// Check the computed signature against the one passed in the query
$ok = openssl_verify($base_string, $decoded_sig, $publickeyid);
// Release the key resource
openssl_free_key($publickeyid);
return $ok == 1;
}
}

315
src/JacobKiers/OAuth/Server.php Normal file
View File

@@ -0,0 +1,315 @@
<?php
/**
* OAuth
*
* @package OAuth
* @author Andy Smith
* @author Gary Jones <gary@garyjones.co.uk>
* @license https://raw.github.com/jacobkiers/OAuth/master/LICENSE MIT
* @link https://github.com/jacobkiers/OAuth
*/
namespace JacobKiers\OAuth;
/**
* OAuth server.
*
* @package OAuth
* @author Andy Smith
*/
class Server
{
/**
* Limit to which timestamp is accepted, in seconds.
*
* Requests older than now - this value, are rejected as possible replay attack.
*
* @var int
*/
protected $timestamp_threshold = 300; // 5 minutes
/**
* OAuth version.
*
* @var string
*/
protected $version = '1.0';
/**
* Supported signature methods.
*
* @var array
*/
protected $signature_methods = array();
/**
* Data store object reference.
*
* @var JacobKiers\OAuth\DataStore
*/
protected $data_store;
/**
* Construct OAuth server instance.
*
* @param JacobKiers\OAuth\DataStore $data_store
*/
public function __construct(DataStore $data_store)
{
$this->data_store = $data_store;
}
/**
* Add a supported signature method.
*
* @param JacobKiers\OAuth\SignatureMethod $signature_method
*/
public function addSignatureMethod(SignatureMethod $signature_method)
{
$this->signature_methods[$signature_method->getName()] =
$signature_method;
}
// high level functions
/**
* Process a temporary credential (request_token) request.
*
* Returns the request token on success
*
* @param JacobKiers\OAuth\Request $request
*
* @return JacobKiers\OAuth\Token
*/
public function fetchRequestToken(Request &$request)
{
$this->getVersion($request);
$client = $this->getClient($request);
// no token required for the initial token request
$token = new NullToken;
$this->checkSignature($request, $client, $token);
// Rev A change
$callback = $request->getParameter('oauth_callback');
return $this->data_store->newRequestToken($client, $callback);
}
/**
* Process a post-authorization token (access_token) request.
*
* Returns the access token on success.
*
* @param JacobKiers\OAuth\Request $request
*
* @return JacobKiers\OAuth\Token
*/
public function fetchAccessToken(Request &$request)
{
$this->getVersion($request);
$client = $this->getClient($request);
// requires authorized request token
$token = $this->getToken($request, $client, 'request');
$this->checkSignature($request, $client, $token);
// Rev A change
$verifier = $request->getParameter('oauth_verifier');
return $this->data_store->newAccessToken($token, $client, $verifier);
}
/**
* Verify an api call, checks all the parameters.
*
* @param JacobKiers\OAuth\Request $request
*
* @return array Client and Token
*/
public function verifyRequest(Request &$request)
{
$this->getVersion($request);
$client = $this->getClient($request);
$token = $this->getToken($request, $client, 'access');
$this->checkSignature($request, $client, $token);
return array($client, $token);
}
// Internals from here
/**
* Check that version is 1.0.
*
* @param JacobKiers\OAuth\Request $request
*
* @return string
*
* @throws JacobKiers\OAuth\OAuthException
*/
private function getVersion(Request &$request)
{
$version = $request->getParameter('oauth_version');
if (!$version) {
// Service Providers MUST assume the protocol version to be 1.0 if this parameter is not present.
// Chapter 7.0 ("Accessing Protected Ressources")
$version = '1.0';
}
if ($version !== $this->version) {
throw new OAuthException("OAuth version '$version' not supported");
}
return $version;
}
/**
* Get the signature method name, and if it is supported.
*
* @param JacobKiers\OAuth\Request $request
*
* @return string Signature method name.
*
* @throws JacobKiers\OAuth\OAuthException
*/
private function getSignatureMethod(Request $request)
{
$signature_method = $request instanceof Request ? $request->getParameter('oauth_signature_method') : null;
if (!$signature_method) {
// According to chapter 7 ("Accessing Protected Resources") the signature-method
// parameter is required, and we can't just fallback to PLAINTEXT
throw new OAuthException('No signature method parameter. This parameter is required');
}
if (!in_array($signature_method, array_keys($this->signature_methods))) {
throw new OAuthException(
"Signature method '$signature_method' not supported, try one of the following: " .
implode(", ", array_keys($this->signature_methods))
);
}
return $this->signature_methods[$signature_method];
}
/**
* Try to find the client for the provided request's client key.
*
* @param JacobKiers\OAuth\Request $request
*
* @return JacobKiers\OAuth\Client
*
* @throws JacobKiers\OAuth\OAuthException
*/
private function getClient(Request $request)
{
$client_key = $request instanceof Request ? $request->getParameter('oauth_consumer_key') : null;
if (!$client_key) {
throw new OAuthException('Invalid client key');
}
$client = $this->data_store->lookupClient($client_key);
if (!$client) {
throw new OAuthException('Invalid client');
}
return $client;
}
/**
* Try to find the token for the provided request's token key.
*
* @param JacobKiers\OAuth\Request $request
* @param JacobKiers\OAuth\Client $client
* @param string $token_type
*
* @return JacobKiers\OAuth\Token
*
* @throws JacobKiers\OAuth\OAuthException
*/
private function getToken(Request $request, Client $client, $token_type = 'access')
{
$token_field = $request instanceof Request ? $request->getParameter('oauth_token') : null;
$token = $this->data_store->lookupToken($client, $token_type, $token_field);
if (!$token) {
throw new OAuthException("Invalid $token_type token: $token_field");
}
return $token;
}
/**
* All-in-one function to check the signature on a request.
*
* Should determine the signature method appropriately
*
* @param JacobKiers\OAuth\Request $request
* @param JacobKiers\OAuth\Client $client
* @param JacobKiers\OAuth\Token $token
*
* @throws JacobKiers\OAuth\OAuthException
*/
private function checkSignature(Request $request, Client $client, Token $token)
{
// this should probably be in a different method
$timestamp = $request instanceof Request ? $request->getParameter('oauth_timestamp') : null;
$nonce = $request instanceof Request ? $request->getParameter('oauth_nonce') : null;
$this->checkTimestamp($timestamp);
$this->checkNonce($client, $token, $nonce, $timestamp);
$signature_method = $this->getSignatureMethod($request);
$signature = $request->getParameter('oauth_signature');
$valid_sig = $signature_method->checkSignature($request, $client, $token, $signature);
if (!$valid_sig) {
throw new OAuthException('Invalid signature');
}
}
/**
* Check that the timestamp is new enough
*
* @param int $timestamp
*
* @throws JacobKiers\OAuth\OAuthException
*/
private function checkTimestamp($timestamp)
{
if (!$timestamp) {
throw new OAuthException('Missing timestamp parameter. The parameter is required');
}
// verify that timestamp is recentish
$now = time();
if (abs($now - $timestamp) > $this->timestamp_threshold) {
throw new OAuthException("Expired timestamp, yours $timestamp, ours $now");
}
}
/**
* Check that the nonce is not repeated
*
* @param JacobKiers\OAuth\Client $client
* @param JacobKiers\OAuth\Token $token
* @param string $nonce
* @param int $timestamp
*
* @throws JacobKiers\OAuth\OAuthException
*/
private function checkNonce(Client $client, Token $token, $nonce, $timestamp)
{
if (!$nonce) {
throw new OAuthException('Missing nonce parameter. The parameter is required');
}
// verify that the nonce is uniqueish
$found = $this->data_store->lookupNonce($client, $token, $nonce, $timestamp);
if ($found) {
throw new OAuthException('Nonce already used: ' . $nonce);
}
}
}

81
src/JacobKiers/OAuth/SignatureMethod.php Normal file
View File

@@ -0,0 +1,81 @@
<?php
/**
* OAuth
*
* @package OAuth
* @author Andy Smith
* @author Gary Jones <gary@garyjones.co.uk>
* @license https://raw.github.com/jacobkiers/OAuth/master/LICENSE MIT
* @link https://github.com/jacobkiers/OAuth
*/
namespace JacobKiers\OAuth;
/**
* A class for implementing a Signature Method.
*
* See section 9 ("Signing Requests") in the spec
*
* @package OAuth
* @author Andy Smith
* @author Gary Jones <gary@garyjones.co.uk>
*/
abstract class SignatureMethod
{
/**
* Return the name of the Signature Method (ie HMAC-SHA1).
*
* @return string
*/
abstract public function getName();
/**
* Build up the signature.
*
* NOTE: The output of this function MUST NOT be urlencoded.
* the encoding is handled in OAuthRequest when the final
* request is serialized.
*
* @param JacobKiers\OAuth\Request $request
* @param JacobKiers\OAuth\Client $client
* @param JacobKiers\OAuth\Token $token
*
* @return string
*/
abstract public function buildSignature(Request $request, Client $client, Token $token = null);
/**
* Get the signature key, made up of client and optionally token shared secrets.
*
* @param JacobKiers\OAuth\Client $client
* @param JacobKiers\OAuth\Token $token
*
* @return string
*/
public function getSignatureKey(Client $client, Token $token = null)
{
$key_parts = array(
$client->getSecret(),
($token) ? $token->getSecret() : '',
);
$key_parts = Util::urlencodeRfc3986($key_parts);
return implode('&', $key_parts);
}
/**
* Verifies that a given signature is correct.
*
* @param JacobKiers\OAuth\Request $request
* @param JacobKiers\OAuth\Consumer $client
* @param JacobKiers\OAuth\Token $token
* @param string $signature
*
* @return bool
*/
public function checkSignature(Request $request, Client $client, Token $token, $signature)
{
$built = $this->buildSignature($request, $client, $token);
return $built == $signature;
}
}

47
src/JacobKiers/OAuth/Token.php Normal file
View File

@@ -0,0 +1,47 @@
<?php
/**
* OAuth
*
* @package OAuth
* @author Andy Smith
* @author Gary Jones <gary@garyjones.co.uk>
* @license https://raw.github.com/jacobkiers/OAuth/master/LICENSE MIT
* @link https://github.com/jacobkiers/OAuth
*/
namespace JacobKiers\OAuth;
/**
* Token holds the properties of a single token.
*
* This class deals with both temporary (request) and token (access) credentials.
*
* @package OAuth
* @author Gary Jones <gary@garyjones.co.uk>
*/
class Token extends Credential
{
/**
* Constructs a new client object and populates the required parameters.
*
* @param string $key Client key / identifier.
* @param string $secret Client shared-secret.
*/
public function __construct($key, $secret)
{
$this->setKey($key);
$this->setSecret($secret);
}
/**
* Generates the basic string serialization of a token that a server
* would respond to request_token and access_token calls with.
*
* @return string
*/
public function toString()
{
return 'oauth_token=' . Util::urlencodeRfc3986($this->key) .
'&oauth_token_secret=' . Util::urlencodeRfc3986($this->secret);
}
}

210
src/JacobKiers/OAuth/Util.php Normal file
View File

@@ -0,0 +1,210 @@
<?php
/**
* OAuth
*
* @package OAuth
* @author Andy Smith
* @author Gary Jones <gary@garyjones.co.uk>
* @license https://raw.github.com/jacobkiers/OAuth/master/LICENSE MIT
* @link https://github.com/jacobkiers/OAuth
*/
namespace JacobKiers\OAuth;
/**
* Group of static utility methods.
*
* @package OAuth
* @author Andy Smith
*/
class Util
{
/**
* Encode a string according to RFC 3986.
*
* @param string $input
*
* @return string Encoded string.
*/
public static function urlencodeRfc3986($input)
{
if (is_array($input)) {
return array_map(array('JacobKiers\OAuth\Util', 'urlencodeRfc3986'), $input);
} elseif (is_scalar($input)) {
return str_replace('+', ' ', str_replace('%7E', '~', rawurlencode($input)));
} else {
return '';
}
}
/**
* Decode a string.
*
* This decode function isn't taking into consideration the above modifications to the encoding process.
* However, this method doesn't seem to be used anywhere so leaving it as is.
*
* @param string $string
*
* @return string Decoded string.
*/
public static function urldecodeRfc3986($string)
{
return urldecode($string);
}
/**
* Utility function for turning the Authorization: header into parameters.
*
* Has to do some unescaping. Can filter out any non-oauth parameters if needed (default behaviour).
*
* May 28th, 2010 - method updated to tjerk.meesters for a speed improvement.
* see http://code.google.com/p/oauth/issues/detail?id=163
*
* @param string $header
* @param bool $only_allow_oauth_parameters
*
* @return array
*/
public static function splitHeader($header, $only_allow_oauth_parameters = true)
{
$params = array();
$regex = '/(' . ($only_allow_oauth_parameters ? 'oauth_' : '') . '[a-z_-]*)=(:?"([^"]*)"|([^,]*))/';
if (preg_match_all($regex, $header, $matches)) {
foreach ($matches[1] as $i => $h) {
$params[$h] = Util::urldecodeRfc3986(empty($matches[3][$i]) ? $matches[4][$i] : $matches[3][$i]);
}
if (isset($params['realm'])) {
unset($params['realm']);
}
}
return $params;
}
/**
* Helper to try to sort out headers for people who aren't running apache
*
* @return array
*/
public static function getHeaders()
{
$out = array();
if (function_exists('apache_request_headers')) {
// we need this to get the actual Authorization: header
// because apache tends to tell us it doesn't exist
$headers = apache_request_headers();
// sanitize the output of apache_request_headers because
// we always want the keys to be Cased-Like-This and arh()
// returns the headers in the same case as they are in the
// request
foreach ($headers as $key => $value) {
$key = str_replace(' ', '-', ucwords(strtolower(str_replace('-', ' ', $key))));
$out[$key] = $value;
}
} else {
// otherwise we don't have apache and are just going to have to hope
// that $_SERVER actually contains what we need
if (isset($_SERVER['CONTENT_TYPE'])) {
$out['Content-Type'] = $_SERVER['CONTENT_TYPE'];
}
if (isset($_ENV['CONTENT_TYPE'])) {
$out['Content-Type'] = $_ENV['CONTENT_TYPE'];
}
foreach ($_SERVER as $key => $value) {
if (substr($key, 0, 5) == "HTTP_") {
// this is chaos, basically it is just there to capitalize the first
// letter of every word that is not an initial HTTP and strip HTTP
// code from przemek
$key = str_replace(' ', '-', ucwords(strtolower(str_replace('_', ' ', substr($key, 5)))));
$out[$key] = $value;
}
}
}
return $out;
}
/**
* Pull key=value querystring into an array.
*
* This function takes a input like a=b&a=c&d=e and returns the parsed
* parameters like this
* array('a' => array('b','c'), 'd' => 'e')
*
* @param string $input
*
* @return array
*/
public static function parseParameters($input)
{
if (!isset($input) || !$input) {
return array();
}
$pairs = explode('&', $input);
$parsed_parameters = array();
foreach ($pairs as $pair) {
$split = explode('=', $pair, 2);
$parameter = Util::urldecodeRfc3986($split[0]);
$value = isset($split[1]) ? Util::urldecodeRfc3986($split[1]) : '';
if (isset($parsed_parameters[$parameter])) {
// We have already recieved parameter(s) with this name, so add to the list
// of parameters with this name
if (is_scalar($parsed_parameters[$parameter])) {
// This is the first duplicate, so transform scalar (string) into an array
// so we can add the duplicates
$parsed_parameters[$parameter] = array($parsed_parameters[$parameter]);
}
$parsed_parameters[$parameter][] = $value;
} else {
$parsed_parameters[$parameter] = $value;
}
}
return $parsed_parameters;
}
/**
* Build query string from parameters, with correct encoding.
*
* @param array $params
*
* @return string
*/
public static function buildHttpQuery(array $params)
{
if (!$params) {
return '';
}
// Urlencode both keys and values
$keys = Util::urlencodeRfc3986(array_keys($params));
$values = Util::urlencodeRfc3986(array_values($params));
$params = array_combine($keys, $values);
// Parameters are sorted by name, using lexicographical byte value ordering.
// Ref: Spec: 9.1.1 (1)
uksort($params, 'strcmp');
$pairs = array();
foreach ($params as $parameter => $value) {
if (is_array($value)) {
// If two or more parameters share the same name, they are sorted by their value
// Ref: Spec: 9.1.1 (1)
// June 12th, 2010 - changed to sort because of issue 164 by hidetaka
sort($value, SORT_STRING);
foreach ($value as $duplicate_value) {
$pairs[] = $parameter . '=' . $duplicate_value;
}
} else {
$pairs[] = $parameter . '=' . $value;
}
}
// For each parameter, the name is separated from the corresponding value by an '=' character (ASCII code 61)
// Each name-value pair is separated by an '&' character (ASCII code 38)
return implode('&', $pairs);
}
}