mirror of
https://code.mensbeam.com/MensBeam/Arsse.git
synced 2025-01-10 18:02:40 +00:00
Complete IndieAuth authorizer
This commit is contained in:
parent
d8c484d387
commit
dd3e143212
2 changed files with 39 additions and 1 deletions
|
@ -6,10 +6,18 @@
|
|||
declare(strict_types=1);
|
||||
namespace JKingWeb\Arsse\Misc;
|
||||
|
||||
use function GuzzleHttp\Psr7\parse_header;
|
||||
|
||||
/**
|
||||
* A collection of functions for manipulating URLs
|
||||
*/
|
||||
class URL {
|
||||
|
||||
/** Returns whether a URL is absolute i.e. has a scheme */
|
||||
public static function absolute(string $url): bool {
|
||||
return (bool) strlen((string) parse_url($url, \PHP_URL_SCHEME));
|
||||
}
|
||||
|
||||
/** Normalizes a URL
|
||||
*
|
||||
* Normalizations performed are:
|
||||
|
@ -137,4 +145,24 @@ class URL {
|
|||
$out = ($absolute ? "/" : "").$out.($index ? "/" : "");
|
||||
return str_replace("//", "/", $out);
|
||||
}
|
||||
|
||||
/** Appends data to a URL's query component
|
||||
*
|
||||
* @param string $url The input URL
|
||||
* @param string $data The data to append. This should already be escaped where necessary and not start with any delimiter
|
||||
* @param string $glue The query subcomponent delimiter, usually "&". If the URL has no query, "?" will be prepended instead
|
||||
*/
|
||||
public function queryAppend(string $url, string $data, string $glue = "&"): string {
|
||||
$insPos = strpos($url, "#");
|
||||
$insPos = $insPos === false ? strlen($url) : $insPos;
|
||||
$hasQuery = strpos($url, "?") !== false;
|
||||
$glue = $hasQuery ? $glue : "?";
|
||||
if ($hasQuery && $insPos > 0) {
|
||||
if ($url[$insPos - 1] === $glue) {
|
||||
// if the URL already has excess glue, use it
|
||||
$glue = "";
|
||||
}
|
||||
}
|
||||
return substr($url, 0, $insPos).$glue.$data.substr($url, $insPos);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -8,6 +8,7 @@ namespace JKingWeb\Arsse\REST\Microsub;
|
|||
|
||||
use JKingWeb\Arsse\Arsse;
|
||||
use JKingWeb\Arsse\Misc\URL;
|
||||
use JKingWeb\Arsse\Misc\Date;
|
||||
use Psr\Http\Message\ServerRequestInterface;
|
||||
use Psr\Http\Message\ResponseInterface;
|
||||
use Zend\Diactoros\Response\HtmlResponse as Response;
|
||||
|
@ -75,7 +76,16 @@ class Auth extends \JKingWeb\Arsse\REST\AbstractHandler {
|
|||
if ($user !== $id || URL::normalize($query['me']) !== $url) {
|
||||
return new EmptyResponse(403);
|
||||
} else {
|
||||
// redirect
|
||||
$redir = URL::normalize(rawurldecode($query['redirect_uri']));
|
||||
$state = $query['state'] ?? "";
|
||||
// check that the redirect URL is an absolute one
|
||||
if (!URL::absolute($redir)) {
|
||||
return new EmptyResponse(400);
|
||||
}
|
||||
// issue an authorization code and build the redirect URL
|
||||
$code = Arsse::$db->tokenCreate($id, "microsub.auth", null, Date::add("PT2M"));
|
||||
$next = URL::queryAppend($redir, "code=$code&state=$state");
|
||||
return new EmptyResponse(302, ["Location: $next"]);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue