From 81f3103ee00e9d292b931b7b23d44346d5d30c4e Mon Sep 17 00:00:00 2001
From: a-sansara
Date: Mon, 13 Mar 2017 15:52:28 +0100
Subject: [PATCH] reject empty token on isValid & check + fix missing headers
---
 src/MetaTech/PwsAuth/Authenticator.php | 27 +++++++++++++++-----------
 1 file changed, 16 insertions(+), 11 deletions(-)
diff --git a/src/MetaTech/PwsAuth/Authenticator.php b/src/MetaTech/PwsAuth/Authenticator.php
index 5e53f97..948021d 100644
--- a/src/MetaTech/PwsAuth/Authenticator.php
+++ b/src/MetaTech/PwsAuth/Authenticator.php
@@ -52,9 +52,9 @@ class Authenticator
 * @param Pluie\Auth\Token $token
 * @return bool
 */
- public function isValid(Token $token)
+ public function isValid(Token $token = null)
 {
- return $token->getType() == $this->config['type'] && $this->checkObfuscatePart($token);
+ return !is_null($token) && $token->getType() == $this->config['type'] && $this->checkObfuscatePart($token);
 }
 /*!
@@ -153,9 +153,9 @@ class Authenticator
 * @param str $login
 * @return bool
 */
- public function check(Token $token, $login)
+ public function check(Token $token = null, $login = '')
 {
- return !is_null($token) && $this->deobfuscate($token->getValue()) == $this->sign($token->getDate(), $login, $token->getIdent());
+ return !is_null($token) && !empty($login) && $this->deobfuscate($token->getValue()) == $this->sign($token->getDate(), $login, $token->getIdent());
 }
 /*!
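Review bot: The type comparison in the new isValid body still uses loose `==`, so a numeric-looking type captured by the header regex is compared numerically against the configured type (`'1e1' == '10'` is true in PHP); use strict equality: `return !is_null($token) && $token->getType() === $this->config['type'] && $this->checkObfuscatePart($token);`. Accepting a null default only to reject it presumably exists so callers with no token get false instead of a TypeError; a docblock line `@param Pluie\Auth\Token|null $token` would make that contract visible.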
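Review bot: The signature comparison in the new check body still uses loose `==`, which in PHP compares two numeric-looking strings by value (digests of the form `0e…` compare equal to each other) and is not constant-time; compare with `hash_equals((string) $this->sign($token->getDate(), $login, $token->getIdent()), (string) $this->deobfuscate($token->getValue()))` instead. The added `!empty($login)` guard also rejects the login `'0'`; `$login !== ''` expresses the stated intent of rejecting an empty login without that corner case. Whether deobfuscate() and sign() always return strings is not visible here, hence the casts.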
@@ -220,13 +220,18 @@ class Authenticator
 if (is_null($headers)) {
 $headers = apache_request_headers();
 }
- $tokenValue = $headers[$this->config['header']['auth']] ?: '';
- $ident = $headers[$this->config['header']['ident']] ?: '';
- if (preg_match('/(?P[a-z\d]+) (?P\d{'.self::DATE_LENGTH.'})(?P[a-z\d]+)/i', $tokenValue, $rs)) {
- $date = Tool::formatDate($rs['date'], self::DATE_FORMAT, Tool::TIMESTAMP_SQLDATETIME);
- $tokenValue = substr($rs['id'], 0, -$this->config['hash']['noise.length']);
- $noise = substr($rs['id'], -$this->config['hash']['noise.length']);
- $token = new Token($rs['type'], $ident, $date, $tokenValue, $noise);
+ if (isset($headers[$this->config['header']['auth']]) && isset($headers[$this->config['header']['ident']])) {
+ $tokenValue = $headers[$this->config['header']['auth']];
+ $ident = $headers[$this->config['header']['ident']];
+ if (preg_match('/(?P[a-z\d]+) (?P\d{'.self::DATE_LENGTH.'})(?P[a-z\d]+)/i', $tokenValue, $rs)) {
+ $date = Tool::formatDate($rs['date'], self::DATE_FORMAT, Tool::TIMESTAMP_SQLDATETIME);
+ $tokenValue = substr($rs['id'], 0, -$this->config['hash']['noise.length']);
+ $noise = substr($rs['id'], -$this->config['hash']['noise.length']);
+ $token = new Token($rs['type'], $ident, $date, $tokenValue, $noise);
+ }
+ }
+ else {
+ throw new \Exception('missing required headers');
 }
 }
 catch(\Exception $e) {
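Review bot: The new `throw new \Exception('missing required headers')` is raised inside the try whose `catch(\Exception $e)` immediately follows the hunk, so unless that catch rethrows, the missing-headers case is handled there rather than reaching the caller, while a present-but-malformed auth header (preg_match failing) takes a third path that assigns no `$token` at all; confirm both outcomes are intended and, if the caller should see the failure, throw a narrower type the catch does not swallow, e.g. a project exception extending \InvalidArgumentException. The isset() lookups on the header keys are also case-sensitive whereas HTTP header names are not; whether the upstream normalises header casing before this point is not visible here, and the pre-change code had the same exposure. The enclosing method starts before the hunk and its catch block ends after it.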