nextcloud/apps/remoteStorage/auth.php

<?php

/**
* ownCloud
*
* Original:
* @author Frank Karlitschek
* @copyright 2012 Frank Karlitschek frank@owncloud.org
* 
* Adapted:
* @author Michiel de Jong, 2012
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE
* License as published by the Free Software Foundation; either
* version 3 of the License, or any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.	See the
* GNU AFFERO GENERAL PUBLIC LICENSE for more details.
*
* You should have received a copy of the GNU Affero General Public
* License along with this library.	If not, see <http://www.gnu.org/licenses/>.
*
*/

header("X-Frame-Options: Sameorigin");

OCP\App::checkAppEnabled('remoteStorage');
require_once('Sabre/autoload.php');
require_once('lib_remoteStorage.php');
require_once('oauth_ro_auth.php');

ini_set('default_charset', 'UTF-8');
#ini_set('error_reporting', '');
@ob_clean();

foreach($_GET as $k => $v) {
  if($k=='userid'){
    $userId=$v;
  } else if($k=='redirect_uri'){
    $appUrlParts=explode('/', $v);
    $appUrl = htmlentities($appUrlParts[2]);//TODO: check if this is equal to client_id
  } else if($k=='scope'){
    $categories=htmlentities($v);
  }
}
$currUser = OCP\USER::getUser();
if($userId && $appUrl && $categories) {
  if($currUser == $userId) {
    if(isset($_POST['allow'])) {
      //TODO: check if this can be faked by editing the cookie in firebug!
      $token=OC_remoteStorage::createCategories($appUrl, $categories);
      header('Location: '.$_GET['redirect_uri'].'#access_token='.$token.'&token_type=bearer');
    } else if($existingToken = OC_remoteStorage::getTokenFor($appUrl, $categories)) {
      header('Location: '.$_GET['redirect_uri'].'#access_token='.$existingToken.'&token_type=bearer');
    } else {
      //params ok, logged in ok, but need to click Allow still:
	$appUrlParts = explode('/', $_GET['redirect_uri']);
	$host = $appUrlParts[2];
	$categories = explode(',', $_GET['scope']);
	OCP\Util::addStyle('', 'auth');
	OCP\Template::printGuestPage('remoteStorage', 'auth', array(
		'host' => $host,
		'categories' => $categories,
	));
	}//end 'need to click Allow still'
	} else {//login not ok
		if($currUser) {
			die('You are logged in as '.$currUser.' instead of '.htmlentities($userId));
		} else {
			// this will display the login page for us
			OCP\Util::checkLoggedIn();
		}
	}
} else {//params not ok
	die('please use e.g. '.OCP\Util::linkTo('remoteStorage', 'auth.php').'?userid=admin&redirect_uri=http://host/path&scope=...');
}
compliance with http://www.w3.org/community/unhosted/wiki/remoteStorage 2011-12-07 18:51:47 +04:00			`<?php`

			`/**`
			`* ownCloud`
			`*`
			`* Original:`
			`* @author Frank Karlitschek`
update copyright 2012-05-26 21:14:24 +04:00			`* @copyright 2012 Frank Karlitschek frank@owncloud.org`
compliance with http://www.w3.org/community/unhosted/wiki/remoteStorage 2011-12-07 18:51:47 +04:00			`*`
			`* Adapted:`
remoteStorage app version 0.5 2012-03-02 00:55:12 +04:00			`* @author Michiel de Jong, 2012`
compliance with http://www.w3.org/community/unhosted/wiki/remoteStorage 2011-12-07 18:51:47 +04:00			`*`
			`* This library is free software; you can redistribute it and/or`
			`* modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE`
			`* License as published by the Free Software Foundation; either`
			`* version 3 of the License, or any later version.`
			`*`
			`* This library is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
remoteStorage app version 0.5 2012-03-02 00:55:12 +04:00			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
compliance with http://www.w3.org/community/unhosted/wiki/remoteStorage 2011-12-07 18:51:47 +04:00			`* GNU AFFERO GENERAL PUBLIC LICENSE for more details.`
			`*`
			`* You should have received a copy of the GNU Affero General Public`
remoteStorage app version 0.5 2012-03-02 00:55:12 +04:00			`* License along with this library. If not, see <http://www.gnu.org/licenses/>.`
compliance with http://www.w3.org/community/unhosted/wiki/remoteStorage 2011-12-07 18:51:47 +04:00			`*`
			`*/`

avoid clickjacking 2012-06-09 23:01:12 +04:00			`header("X-Frame-Options: Sameorigin");`
compliance with http://www.w3.org/community/unhosted/wiki/remoteStorage 2011-12-07 18:51:47 +04:00
port checkAppEnabled 2012-05-02 21:08:37 +04:00			`OCP\App::checkAppEnabled('remoteStorage');`
clean up auth dialog 2012-05-11 13:05:44 +04:00			`require_once('Sabre/autoload.php');`
compliance with http://www.w3.org/community/unhosted/wiki/remoteStorage 2011-12-07 18:51:47 +04:00			`require_once('lib_remoteStorage.php');`
			`require_once('oauth_ro_auth.php');`

			`ini_set('default_charset', 'UTF-8');`
			`#ini_set('error_reporting', '');`
			`@ob_clean();`

clean up auth dialog 2012-05-11 13:05:44 +04:00			`foreach($_GET as $k => $v) {`
			`if($k=='userid'){`
			`$userId=$v;`
			`} else if($k=='redirect_uri'){`
			`$appUrlParts=explode('/', $v);`
sanitize scope and host 2012-06-09 23:03:50 +04:00			`$appUrl = htmlentities($appUrlParts[2]);//TODO: check if this is equal to client_id`
clean up auth dialog 2012-05-11 13:05:44 +04:00			`} else if($k=='scope'){`
sanitize scope and host 2012-06-09 23:03:50 +04:00			`$categories=htmlentities($v);`
clean up auth dialog 2012-05-11 13:05:44 +04:00			`}`
			`}`
			`$currUser = OCP\USER::getUser();`
			`if($userId && $appUrl && $categories) {`
			`if($currUser == $userId) {`
			`if(isset($_POST['allow'])) {`
			`//TODO: check if this can be faked by editing the cookie in firebug!`
			`$token=OC_remoteStorage::createCategories($appUrl, $categories);`
			`header('Location: '.$_GET['redirect_uri'].'#access_token='.$token.'&token_type=bearer');`
			`} else if($existingToken = OC_remoteStorage::getTokenFor($appUrl, $categories)) {`
			`header('Location: '.$_GET['redirect_uri'].'#access_token='.$existingToken.'&token_type=bearer');`
			`} else {`
			`//params ok, logged in ok, but need to click Allow still:`
remoteStorage: split auth allow template 2012-08-07 21:31:19 +04:00			`$appUrlParts = explode('/', $_GET['redirect_uri']);`
			`$host = $appUrlParts[2];`
			`$categories = explode(',', $_GET['scope']);`
			`OCP\Util::addStyle('', 'auth');`
			`OCP\Template::printGuestPage('remoteStorage', 'auth', array(`
			`'host' => $host,`
			`'categories' => $categories,`
			`));`
			`}//end 'need to click Allow still'`
clean up auth dialog 2012-05-11 13:05:44 +04:00			`} else {//login not ok`
remoteStorage app version 0.5 2012-03-02 00:55:12 +04:00			`if($currUser) {`
sanitize when logged in as another user 2012-06-09 22:39:24 +04:00			`die('You are logged in as '.$currUser.' instead of '.htmlentities($userId));`
remoteStorage app version 0.5 2012-03-02 00:55:12 +04:00			`} else {`
remoteStorage: Use OCP\\Util for redirecting for login and generating link 2012-08-07 22:31:23 +04:00			`// this will display the login page for us`
			`OCP\Util::checkLoggedIn();`
remoteStorage app version 0.5 2012-03-02 00:55:12 +04:00			`}`
compliance with http://www.w3.org/community/unhosted/wiki/remoteStorage 2011-12-07 18:51:47 +04:00			`}`
clean up auth dialog 2012-05-11 13:05:44 +04:00			`} else {//params not ok`
remoteStorage: Use OCP\\Util for redirecting for login and generating link 2012-08-07 22:31:23 +04:00			`die('please use e.g. '.OCP\Util::linkTo('remoteStorage', 'auth.php').'?userid=admin&redirect_uri=http://host/path&scope=...');`
compliance with http://www.w3.org/community/unhosted/wiki/remoteStorage 2011-12-07 18:51:47 +04:00			`}`