1 | <?php |
2 | /** |
3 | * @file |
4 | * Sample authorize endpoint. |
5 | * |
6 | * This sample provides two click-jacking prevention methods, neither of which is perfect. |
7 | * The javascript solution is similar to what facebook used to have (but can be defeated with a |
8 | * specially crafted frame-wrapper). |
9 | */ |
10 | |
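// Clickjacking prevention (supported by IE8+, FF3.6.9+, Opera10.5+, Safari4+, Chrome 4.1.249.1042+)
header('X-Frame-Options: DENY');
// CSP equivalent of X-Frame-Options; user agents that understand CSP prefer it.
header("Content-Security-Policy: frame-ancestors 'none'");

require "lib/OAuth2StoragePdo.php";

/*
 * You would need to authenticate the user before authorization.
 *
 * Below is some pseudo-code to show what you might do:
 *
 * if (!isLoggedIn()) {
 *     redirectToLoginPage();
 *     exit();
 * }
 */

// A session is needed to bind the consent form to the user agent that
// requested it (CSRF protection); a real deployment also keeps the
// logged-in user here.
session_start();

/**
 * Returns the CSRF token for this session, creating it on first use.
 *
 * The token is embedded in the consent form and checked on POST so that a
 * third-party page cannot submit the "Yep" decision on the user's behalf
 * (the OAuth2 authorization endpoint must be CSRF-protected).
 * Requires PHP >= 7.0 for random_bytes().
 *
 * @return string hex-encoded token
 */
function authorize_csrf_token()
{
    if (empty($_SESSION['authorize_csrf_token'])) {
        $_SESSION['authorize_csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['authorize_csrf_token'];
}

/**
 * Escapes a value for use inside an HTML attribute.
 *
 * The charset is given explicitly because the htmlspecialchars() default
 * has changed between PHP versions.
 *
 * @param mixed $value scalar value taken from the authorize parameters
 * @return string
 */
function authorize_escape($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

$oauth = new OAuth2(new OAuth2StoragePDO());

try {
    // Decide on the HTTP method rather than on $_POST being non-empty, so an
    // empty POST body is not silently treated as a fresh GET of the form.
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $csrf = isset($_POST['csrf_token']) ? (string) $_POST['csrf_token'] : '';
        // hash_equals() (PHP >= 5.6) compares in constant time.
        if (!hash_equals(authorize_csrf_token(), $csrf)) {
            http_response_code(403);
            echo 'Invalid or missing CSRF token.';
            exit();
        }

        $userId = '12345'; // Use whatever method you have for identifying users.
        // Strict comparison: anything other than the literal "Yep" (including a
        // missing field) is treated as a denial.
        $accepted = isset($_POST['accept']) && $_POST['accept'] === 'Yep';
        $oauth->finishClientAuthorization($accepted, $userId, $_POST);
        // finishClientAuthorization() redirects back to the client; never fall
        // through and render the consent form on top of that response.
        exit();
    }

    $auth_params = $oauth->getAuthorizeParams();
} catch (OAuth2ServerException $oauthError) {
    $oauthError->sendHttpResponse();
    // Should sendHttpResponse() return, $auth_params is undefined and the
    // form below must not be rendered onto the error response.
    exit();
}

?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<title>Authorize</title>
<script>
// Secondary, best-effort frame-busting for user agents that ignore the
// X-Frame-Options / CSP headers sent above. A hostile parent frame can
// defeat it, so the headers remain the real protection.
if (window.top !== window.self) {
    window.document.write("<div style='background:black; opacity:0.5; filter:alpha(opacity=50); position:absolute; top:0px; left:0px;"
        + "width:9999px; height:9999px; z-index:1000001' onClick='top.location.href=window.location.href'></div>");
}
</script>
</head>
<body>
<form method="post" action="authorize.php">

<input type="hidden" name="csrf_token"
       value="<?php echo authorize_escape(authorize_csrf_token()); ?>" />
<?php foreach ($auth_params as $key => $value) : ?>
<input type="hidden"
       name="<?php echo authorize_escape($key); ?>"
       value="<?php echo authorize_escape($value); ?>" />
<?php endforeach; ?>
Do you authorize the app to do its thing?
<p><input type="submit" name="accept" value="Yep" /> <input
type="submit" name="accept" value="Nope" /></p>
</form>
</body>
</html>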
---|