meta-tech/pws-auth
meta-tech/pws-auth
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

reject empty token on isValid & check + fix missing headers

Browse Source
This commit is contained in:
a-sansara 2017-03-13 15:52:28 +01:00
parent 6b0f2a350d
commit 81f3103ee0
1 changed files with 16 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
src/MetaTech/PwsAuth/Authenticator.php
View File

@ -52,9 +52,9 @@ class Authenticator
* @param Pluie\Auth\Token $token * @param Pluie\Auth\Token $token
* @return bool * @return bool
*/ */
public function isValid(Token $token) public function isValid(Token $token = null)
{ {
return $token->getType() == $this->config['type'] && $this->checkObfuscatePart($token); return !is_null($token) && $token->getType() == $this->config['type'] && $this->checkObfuscatePart($token);
} }
/*! /*!
@ -153,9 +153,9 @@ class Authenticator
* @param str $login * @param str $login
* @return bool * @return bool
*/ */
public function check(Token $token, $login) public function check(Token $token = null, $login = '')
{ {
return !is_null($token) && $this->deobfuscate($token->getValue()) == $this->sign($token->getDate(), $login, $token->getIdent()); return !is_null($token) && !empty($login) && $this->deobfuscate($token->getValue()) == $this->sign($token->getDate(), $login, $token->getIdent());
} }
/*! /*!
@ -220,8 +220,9 @@ class Authenticator
if (is_null($headers)) { if (is_null($headers)) {
$headers = apache_request_headers(); $headers = apache_request_headers();
} }
$tokenValue = $headers[$this->config['header']['auth']] ?: ''; if (isset($headers[$this->config['header']['auth']]) && isset($headers[$this->config['header']['ident']])) {
$ident = $headers[$this->config['header']['ident']] ?: ''; $tokenValue = $headers[$this->config['header']['auth']];
$ident = $headers[$this->config['header']['ident']];
if (preg_match('/(?P<type>[a-z\d]+) (?P<date>\d{'.self::DATE_LENGTH.'})(?P<id>[a-z\d]+)/i', $tokenValue, $rs)) { if (preg_match('/(?P<type>[a-z\d]+) (?P<date>\d{'.self::DATE_LENGTH.'})(?P<id>[a-z\d]+)/i', $tokenValue, $rs)) {
$date = Tool::formatDate($rs['date'], self::DATE_FORMAT, Tool::TIMESTAMP_SQLDATETIME); $date = Tool::formatDate($rs['date'], self::DATE_FORMAT, Tool::TIMESTAMP_SQLDATETIME);
$tokenValue = substr($rs['id'], 0, -$this->config['hash']['noise.length']); $tokenValue = substr($rs['id'], 0, -$this->config['hash']['noise.length']);
@ -229,6 +230,10 @@ class Authenticator
$token = new Token($rs['type'], $ident, $date, $tokenValue, $noise); $token = new Token($rs['type'], $ident, $date, $tokenValue, $noise);
} }
} }
else {
throw new \Exception('missing required headers');
}
}
catch(\Exception $e) { catch(\Exception $e) {
throw new AuthenticateException("invalid authentication protocol : ".$e->getMessage()); throw new AuthenticateException("invalid authentication protocol : ".$e->getMessage());
} }