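<?php
/**
 * @file
 * Sample authorize endpoint.
 *
 * Two click-jacking defences are applied, neither of which is perfect on its own:
 *  - the X-Frame-Options / CSP frame-ancestors response headers (X-Frame-Options
 *    alone covers IE8+, FF3.6.9+, Opera10.5+, Safari4+, Chrome 4.1.249.1042+;
 *    frame-ancestors is what current browsers honour), and
 *  - a JavaScript frame-buster similar to what Facebook used to ship, which can be
 *    defeated by a specially crafted frame wrapper (or by disabling script), so it
 *    is a fallback only.
 *
 * The consent form is additionally protected against CSRF: an attacker-controlled
 * page must not be able to POST "accept=Yep" on behalf of a logged-in resource
 * owner, since the hidden client_id / redirect_uri fields are re-posted from the
 * form and a forged POST would silently authorize an arbitrary client.
 *
 * NOTE: random_bytes(), hash_equals(), http_response_code() and ENT_SUBSTITUTE
 * need PHP 7+ (or the paragonie/random_compat polyfill on 5.6). Do not replace
 * random_bytes() with rand()/mt_rand()/uniqid() - the token must be unguessable.
 */

// Clickjacking prevention. Send both headers: CSP frame-ancestors supersedes
// X-Frame-Options in modern browsers, X-Frame-Options covers the older ones.
header('X-Frame-Options: DENY');
header("Content-Security-Policy: frame-ancestors 'none'");
// The page carries the CSRF token and the pending authorization parameters;
// never let it be cached by the browser or an intermediary.
header('Cache-Control: no-store');
header('Pragma: no-cache');

require "lib/OAuth2StoragePdo.php";

/*
 * You would need to authenticate the user before authorization.
 *
 * Below is some pseudo-code to show what you might do:
 *
 * if (!isLoggedIn()) {
 *   redirectToLoginPage();
 *   exit();
 * }
 *
 * The session is started unconditionally here because the CSRF token below
 * lives in it; your login check belongs right after session_start().
 */
session_start();

// Per-session CSRF token for the consent form: generated once, reused for the
// lifetime of the session, compared in constant time below.
if (empty($_SESSION['authorize_csrf_token'])) {
    $_SESSION['authorize_csrf_token'] = bin2hex(random_bytes(32));
}
$csrfToken = $_SESSION['authorize_csrf_token'];

$oauth = new OAuth2(new OAuth2StoragePDO());

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Reject any POST that does not carry this session's token with a plain 400.
    // Do NOT redirect to the redirect_uri from the request: it is attacker-supplied
    // in exactly the scenario this check exists for.
    $postedToken = isset($_POST['csrf_token']) ? (string) $_POST['csrf_token'] : '';
    if (!hash_equals($csrfToken, $postedToken)) {
        http_response_code(400);
        header('Content-Type: text/plain');
        echo 'Invalid or missing CSRF token.';
        exit();
    }

    // Use whatever method you have for identifying users. The id must come from
    // the authenticated session, never from anything in the request.
    $userId = '12345';

    // Only an explicit, exact "Yep" is consent; missing, altered or "Nope" is a denial.
    $accepted = isset($_POST['accept']) && $_POST['accept'] === 'Yep';
    $oauth->finishClientAuthorization($accepted, $userId, $_POST);

    // finishClientAuthorization() presumably redirects back to the client (verify
    // against your library version); either way the decision has been processed,
    // so never fall through and render the consent form a second time.
    exit();
}

try {
    $auth_params = $oauth->getAuthorizeParams();
} catch (OAuth2ServerException $oauthError) {
    $oauthError->sendHttpResponse();
    // Belt and braces in case sendHttpResponse() returns: the request was rejected,
    // so the form below (which would read an undefined $auth_params) must not render.
    exit();
}

?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<title>Authorize</title>
<script>
// Frame-buster fallback: when framed, cover the page with an overlay that moves
// the top window to this URL on click. Weak (see file comment), but cheap.
if (top !== self) {
  window.document.write("<div style='background:black; opacity:0.5; filter: alpha(opacity=50); position: absolute; top:0px; left: 0px;"
    + "width: 9999px; height: 9999px; z-index: 1000001' onClick='top.location.href=window.location.href'></div>");
}
</script>
</head>
<body>
<form method="post" action="authorize.php">

<input type="hidden" name="csrf_token"
  value="<?php echo htmlspecialchars($csrfToken, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?>" />
<?php
// Re-post the authorization parameters the library accepted (client_id,
// redirect_uri, state, ...) so the decision applies to exactly that request.
// ENT_SUBSTITUTE + explicit UTF-8 so an invalid byte sequence cannot blank a field.
foreach ($auth_params as $key => $value) : ?>
<input type="hidden"
  name="<?php echo htmlspecialchars((string) $key, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?>"
  value="<?php echo htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?>" />
<?php endforeach; ?>
Do you authorize the app to do its thing?
<p><input type="submit" name="accept" value="Yep" /> <input
type="submit" name="accept" value="Nope" /></p>
</form>
</body>
</html>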