
Commit 443f7b41 authored by bmccalip's avatar bmccalip

Fully implemented authentication model up to handoff to Submission

See the README for a walkthrough of a test sequence.
parent 65ebe7ad
......@@ -53,24 +53,43 @@ function method_auth_gettoken() {
. $mdb2->quote(time() + 3600, 'integer')
. ")");
if (PEAR::isError($result))
report_failure(LFM_TOKEN_ERROR);
report_failure(LFM_SERVICE_OFFLINE);
print("<lfm status=\"ok\">\n");
print(" <token>$key</token></lfm>");
}
function method_auth_getsession() {
global $mdb2;
if (!isset($_GET['api_sig']) || !valid_api_sig($_GET['api_sig']))
report_failure(LFM_INVALID_SIGNATURE);
if (!isset($_GET['token']) || !valid_token($_GET['token']))
if (!isset($_GET['token']))
report_failure(LFM_INVALID_TOKEN);
// Check for a token that (1) is bound to a user, and (2) is not bound to a session
$result = $mdb2->query('SELECT username FROM Auth WHERE '
. 'token = ' . $mdb2->quote($_GET['token'], 'text') . ' AND '
. 'username IS NOT NULL AND sk IS NULL');
if (PEAR::isError($result))
report_failure(LFM_SERVICE_OFFLINE);
if (!$result->numRows())
report_failure(LFM_INVALID_TOKEN);
$username = $result->fetchOne(0);
$session = md5(time() . rand());
// Update the Auth record with the new session key
$result = $mdb2->query('UPDATE Auth SET '
. 'sk = ' . $mdb2->quote($session, 'text') . ' WHERE '
. 'token = ' . $mdb2->quote($_GET['token'], 'text'));
if (PEAR::isError($result))
report_failure(LFM_SERVICE_OFFLINE);
print("<lfm status=\"ok\">\n");
print(" <session>\n");
print(" <name>A User</name>\n");
print(" <name>$username</name>\n");
print(" <key>$session</key>\n");
print(" <subscriber>0</subscriber>\n");
print(" </session>\n");
......@@ -85,10 +104,6 @@ function valid_api_sig($sig) {
return strlen($sig) == 32;
}
function valid_token($token) {
return strlen($token) == 32;
}
function report_failure($code) {
global $error_text;
......
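Review bot: The session key at `$session = md5(time() . rand());` is derived from the clock and a non-cryptographic PRNG, so the value the README describes as the Submissions handshake key is guessable by anyone who can estimate when the request was made; generate it from a CSPRNG instead, e.g. `$session = bin2hex(random_bytes(16));` on PHP 7+ (or `openssl_random_pseudo_bytes()` on older releases), which keeps the 32-hex-character shape the client expects. The UPDATE that stores the key filters on `token` alone, while the SELECT just before it required `username IS NOT NULL AND sk IS NULL`; repeating `AND sk IS NULL` in the UPDATE's WHERE clause and treating zero affected rows as a failure closes the window in which two concurrent getsession calls both succeed for the same token. `$username` is also interpolated into the XML response unescaped; unless usernames are restricted at registration, wrap it with `htmlspecialchars()` before printing. The body of method_auth_getsession continues past the first hunk's visible lines, and report_failure in the second hunk runs past its last visible line.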
......@@ -4,3 +4,15 @@
As things stand you'll need the MDB2 pear module installed (and at least one MDB2 driver) this can be achieved by running "pear install mdb2 mdb2#sqlite".
(For distribution we can include the latest version of MDB2 in the release packages if we want to make things even simpler for people.)
To test the authentication API once the server is set up:
1. Navigate to /2.0/?method=auth.gettoken&api_key=01234567890123456789012345678901&api_sig=01234567890123456789012345678901
(The api_key and api_sig are only checked to be 32 characters long since Last.FM shared secrets cannot be checked)
2. Copy the key that is returned by the auth.gettoken method
3. Navigate to /api/auth/?api_key=01234567890123456789012345678901&token=<copied token>
(Inserting the copied token into the noted place)
4. Login as testuser/password (this user is hard-coded upon database setup)
5. Close the browser when requested
6. Navigate to /2.0/?method=auth.getsession&api_key=01234567890123456789012345678901&api_sig=01234567890123456789012345678901&token=<copied token>
(Once again substituting the old copied token into the noted place)
7. The 32-byte key returned between the <key> tags in this response will be used in the Submissions protocol handshake
\ No newline at end of file
......@@ -9,8 +9,19 @@ require_once('../../database.php');
<?php if (isset($_POST['username'], $_POST['api_key'], $_POST['token'])) { ?>
<?php
// Authenticate the user using the submitted password
$result = $mdb2->query('SELECT username FROM Users WHERE '
. 'username = ' . $mdb2->quote($_POST['username'], 'text') . ' AND '
. 'password = ' . $mdb2->quote(md5(md5($_POST['password'])), 'text'));
if (PEAR::isError($result))
die("Database error");
if (!$result->numRows())
die("Authentication failed");
// Bind the user to the token and cancel the expiration rule
$result = $mdb2->query('UPDATE Auth SET '
. 'username = ' . $mdb2->quote($_POST['username'], 'text') . ' '
. 'username = ' . $mdb2->quote($_POST['username'], 'text') . ', '
. 'expires = ' . $mdb2->quote(0, 'integer') . ' '
. 'WHERE '
. 'token = ' . $mdb2->quote($_POST['token']));
if (PEAR::isError($result))
......@@ -28,12 +39,14 @@ if (PEAR::isError($result))
<?php } else { ?>
<?php
$result = $mdb2->query('SELECT * FROM Auth WHERE ('
. 'token = ' . $mdb2->quote($_GET['token'], 'text') . ')');
// Ensures the token exists and is not already bound to a user
$result = $mdb2->query('SELECT * FROM Auth WHERE '
. 'token = ' . $mdb2->quote($_GET['token'], 'text') . ' AND '
. 'username IS NULL');
if (PEAR::isError($result))
die("Database error");
if (!$result->numRows())
die("Invalid key");
die("Invalid token");
?>
<form method="post" action="">
......
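Review bot: The POST branch's UPDATE ending in `'WHERE ' . 'token = ' . $mdb2->quote($_POST['token'])` binds a user to the token without the `username IS NULL` condition that the GET branch in the second hunk enforces, so a token that is already bound can be re-bound to whichever account submits the form next; append `. ' AND username IS NULL'` to that WHERE clause and treat zero affected rows as a failure, mirroring the `numRows()` check on the SELECT. That same call is the only `quote()` in these hunks without an explicit `'text'` type argument, which reads as an oversight rather than intent. `$_POST['password']` is read on the `md5(md5(...))` line but is not part of the `isset()` guard on the hunk's opening line, so a post without it raises a notice before the query runs; add it to that `isset()`. The stored credential is compared as `md5(md5($_POST['password']))`, an unsalted fast hash; if the schema is still open to change, `password_hash()`/`password_verify()` (PHP 5.5+) is the replacement. The PHP block opened on the hunk's first line is closed outside its visible lines.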
<?php
require_once('database.php');
?>
\ No newline at end of file