Basic implementation of submissions handshake protocol (currently only works...

Basic implementation of submissions handshake protocol (currently only works with standard authentication, not web services auth) Add helper functions for validating webservices/standard tokens (only standard tokens are implemented) Change password storage to only be md5($password) rather than md5(md5($password)), otherwise standard tokens can't be generated (standard tokens are "md5(md5($password) . $timestamp)") Update README to give details on testing submissions handshake via standard auth.

Basic implementation of submissions handshake protocol (currently only works...
Basic implementation of submissions handshake protocol (currently only works with standard authentication, not web services auth) Add helper functions for validating webservices/standard tokens (only standard tokens are implemented) Change password storage to only be md5($password) rather than md5(md5($password)), otherwise standard tokens can't be generated (standard tokens are "md5(md5($password) . $timestamp)") Update README to give details on testing submissions handshake via standard auth.
ede29a03 · elleo · 443f7b41 · ede29a03 · ede29a03 · ede29a03
Commit ede29a03 authored Apr 04, 2009 by elleo
6 changed files
--- a/gobbler/README
+++ b/gobbler/README
@@ -5,6 +5,7 @@
 As things stand you'll need the MDB2 pear module installed (and at least one MDB2 driver) this can be achieved by running "pear install mdb2 mdb2#sqlite".
 (For distribution we can include the latest version of MDB2 in the release packages if we want to make things even simpler for people.)

+Web services API:
 To test the authentication API once the server is set up:
  1. Navigate to /2.0/?method=auth.gettoken&api_key=01234567890123456789012345678901&api_sig=01234567890123456789012345678901
     (The api_key and api_sig are only checked to be 32 characters long since Last.FM shared secrets cannot be checked)
@@ -15,4 +16,13 @@
  5. Close the browser when requested
  6. Navigate to /2.0/?method=auth.getsession&api_key=01234567890123456789012345678901&api_sig=01234567890123456789012345678901&token=<copied token>
     (Once again substituting the old copied token into the noted place)
-  7. The 32-byte key returned between the <key> tags in this response will be used in the Submissions protocol handshake
\ No newline at end of file
+  7. The 32-byte key returned between the <key> tags in this response will be used in the Submissions protocol handshake
+
+
+Submissions API:
+ The submissions API (http://www.last.fm/api/submissions) is used by clients for scrobbling tracks, authentication can either be carried out with a token from the web services API or via a token created by "md5(md5(password) + timestamp)"
+
+ To test standard authentication:
+
+ 1. Visit /?hs=true&p=1.2&u=testuser&t=1238855138&a=a40dfdc5aa3012c64425a5953267b232
+ 2. You should receive "OK". (In the future this will be followed by session id, now playing server and submission server addresses)
--- a/gobbler/api/auth/index.php
+++ b/gobbler/api/auth/index.php
@@ -12,7 +12,7 @@ require_once('../../database.php');
 // Authenticate the user using the submitted password
 $result = $mdb2->query('SELECT username FROM Users WHERE '
 	. 'username = ' . $mdb2->quote($_POST['username'], 'text') . ' AND '
-	. 'password = ' . $mdb2->quote(md5(md5($_POST['password'])), 'text'));
+	. 'password = ' . $mdb2->quote(md5($_POST['password']), 'text'));
 if (PEAR::isError($result))
 	die("Database error");
 if (!$result->numRows())

--- a/gobbler/auth-utils.php
+++ b/gobbler/auth-utils.php
+<?
+require_once('database.php');
+
+function check_web_auth($username, $token, $timestamp, $api_key, $sk) {
+	// Validates authentication using a web services token
+	global $mdb2;
+
+}
+
+
+function check_standard_auth($username, $token, $timestamp) {
+	// Validates authentication using a standard authentication token
+	global $mdb2;
+
+	$result = $mdb2->query("SELECT password FROM Users WHERE username=" . $mdb2->quote($username, 'text'));
+	if (PEAR::isError($result) || !$result->numRows()) {
+		// TODO: Log failures somewhere
+		return false;
+	}
+
+	$pass = $result->fetchOne(0);
+	$check_token = md5($pass . $timestamp);
+
+	return $check_token == $token;
+}
+
+
+?>
--- a/gobbler/index.php
+++ b/gobbler/index.php
@@ -2,4 +2,5 @@

 require_once('database.php');

-?>
\ No newline at end of file
+require_once('submissions-handshake.php');
+?>
--- a/gobbler/install.php
+++ b/gobbler/install.php
@@ -41,7 +41,7 @@ if (isset($_POST['install'])) {
 	$res = $mdb2->query("INSERT INTO Users
 		(username, password, created)
 		VALUES
-		('testuser', '" . md5(md5('password')) . "', " . time() . ")");
+		('testuser', '" . md5('password') . "', " . time() . ")");
 	
 	$mdb2->disconnect();


--- a/gobbler/submissions-handshake.php
+++ b/gobbler/submissions-handshake.php
+<?
+// Implements the submissions handshake protocol as detailed at: http://www.last.fm/api/submissions
+
+require_once('auth-utils.php');
+
+$supported_protocols = array("1.2", "1.2.1");
+
+if(isset($_GET['hs'])) {
+	//Handshake
+
+	if(!isset($_GET['p']) || !isset($_GET['u']) || !isset($_GET['t']) || !isset($_GET['a'])) {
+		die("BADAUTH");
+	}
+
+	$protocol = $_GET['p']; $username = $_GET['u']; $timestamp = $_GET['t']; $auth_token = $_GET['a'];
+
+	if(!in_array($protocol, $supported_protocols))  {
+		die("FAILED Unsupported protocol version");
+	}
+
+	if(isset($_GET['api_key']) && isset($_GET['sk'])) {
+		$authed = check_web_auth($username, $auth_token, $timestamp, $_GET['api_key'], $_GET['sk']);
+	} else {
+		$authed = check_standard_auth($username, $auth_token, $timestamp);
+	}
+
+	if(!$authed) {
+		die("BADAUTH");
+	}
+
+	echo "OK\n";
+}
+
+
+?>