/api/oauth.php

https://gitlab.com/craftbynick/Circular · PHP · 243 lines · 160 code · 52 blank · 31 comment · 21 complexity · 8c394575e8df945f2d431d23f5d0fbfc MD5 · raw file 

    

  1. <?php
    2. 

  2. 

  3. /**
    4. 

  4.  * @see tmhOAuth/examples/oauth_flow.php
    5. 

  5.  * 
    6. 

  6.  * If the user doesn't already have an active session, we use `authenticate` instead of `authorize` 
    7. 

  7.  * so that a user having already authorized the app doesn't have to do it again.
    8. 

  8.  * If on the other hand, the user already has an active session, we use `authorize`
    9. 

  9.  * so that he can log out from his current Twitter account and log in as somebody else if needed.
    10. 

  10.  */
    11. 

  11. 

  12. require 'config.php';
    13. 

  13. 

  14. require '../extlib/tmhOAuth/tmhOAuth.php';
    15. 

  15. require '../extlib/tmhOAuth/tmhUtilities.php';
    16. 

  16. $tmhOAuth = new tmhOAuth(array(
    17. 

  17. 	'consumer_key'    => CONSUMER_KEY,
    18. 

  18. 	'consumer_secret' => CONSUMER_SECRET,
    19. 

  19. ));
    20. 

  20. 

  21. header('Content-type: application/json');
    22. 

  22. 

  23. session_set_cookie_params(60*60*24*30);
    24. 

  24. ini_set('session.gc_maxlifetime', 60*60*24*30);
    25. 

  25. session_start();
    26. 

  26. 

  27. 

  28. function outputError($tmhOAuth) {
    29. 

  29. 	header('HTTP/1.1 500 Internal Server Error');
    30. 

  30. 	echo json_encode($tmhOAuth->response['response']);
    31. 

  31. }
    32. 

  32. 

  33. function wipe() {
    34. 

  34. 	session_destroy();
    35. 

  35. 	echo json_encode(array('wiped' => "success"));
    36. 

  36. }
    37. 

  37. 

  38. 

  39. // Step 1: Request a temporary token
    40. 

  40. function request_token($tmhOAuth) {
    41. 

  41. 	$code = $tmhOAuth->request(
    42. 

  42. 		'POST',
    43. 

  43. 		$tmhOAuth->url('oauth/request_token', ''),
    44. 

  44. 		array(
    45. 

  45. 			'oauth_callback' => tmhUtilities::php_self()
    46. 

  46. 		)
    47. 

  47. 	);
    48. 

  48. 	
    49. 

  49. 	if ($code == 200) {
    50. 

  50. 		$_SESSION['oauth'] = $tmhOAuth->extract_params($tmhOAuth->response['response']);
    51. 

  51. 		if (isset($_SESSION['account']['id'])) {
    52. 

  52. 			// We already have a logged in user account
    53. 

  53. 			authorize($tmhOAuth);
    54. 

  54. 		}
    55. 

  55. 		else {
    56. 

  56. 			authenticate($tmhOAuth);
    57. 

  57. 		}
    58. 

  58. 	} 
    59. 

  59. 	else {
    60. 

  60. 		outputError($tmhOAuth);
    61. 

  61. 	}
    62. 

  62. }
    63. 

  63. 

  64. 

  65. // Step 2: Direct the user to the authenticate web page
    66. 

  66. function authenticate($tmhOAuth) {
    67. 

  67. 	$authurl = $tmhOAuth->url("oauth/authenticate", '') .  "?oauth_token={$_SESSION['oauth']['oauth_token']}";
    68. 

  68. 	
    69. 

  69. 	echo json_encode(array('authurl' => $authurl));
    70. 

  70. }
    71. 

  71. 

  72. 

  73. function authorize($tmhOAuth) {
    74. 

  74. 	$authurl = $tmhOAuth->url("oauth/authorize", '') .  "?oauth_token={$_SESSION['oauth']['oauth_token']}";
    75. 

  75. 	
    76. 

  76. 	echo json_encode(array('authurl' => $authurl));
    77. 

  77. }
    78. 

  78. 

  79. 

  80. 

  81. // Step 3: This is the code that runs when Twitter redirects the user to the callback. Exchange the temporary token for a permanent access token
    82. 

  82. function access_token($tmhOAuth) {
    83. 

  83. 	$tmhOAuth->config['user_token']  = $_SESSION['oauth']['oauth_token'];
    84. 

  84. 	$tmhOAuth->config['user_secret'] = $_SESSION['oauth']['oauth_token_secret'];
    85. 

  85. 	
    86. 

  86. 	$code = $tmhOAuth->request(
    87. 

  87. 		'POST',
    88. 

  88. 		$tmhOAuth->url('oauth/access_token', ''),
    89. 

  89. 		array(
    90. 

  90. 			'oauth_verifier' => $_REQUEST['oauth_verifier']
    91. 

  91. 		)
    92. 

  92. 	);
    93. 

  93. 	
    94. 

  94. 	if ($code == 200) {
    95. 

  95. 		unset($_SESSION['oauth']);
    96. 

  96. 		
    97. 

  97. 		$access_token = $tmhOAuth->extract_params($tmhOAuth->response['response']);
    98. 

  98. 		
    99. 

  99. 		$user_id = (int) $access_token['user_id'];
    100. 

  100. 		
    101. 

  101. 		$m = new Mongo();
    102. 

  102. 		$user = $m->circular->users->findOne(array('user_id' => $user_id));
    103. 

  103. 		
    104. 

  104. 		if ($user) {
    105. 

  105. 			// This Twitter user has already logged in before.
    106. 

  106. 			
    107. 

  107. 		}
    108. 

  108. 		else {
    109. 

  109. 			// This Twitter user has never logged in before, add him to our users.
    110. 

  110. 			$user = array(
    111. 

  111. 				'user_id'          => (int) $access_token['user_id'],
    112. 

  112. 				'user_screen_name' =>       $access_token['screen_name'],
    113. 

  113. 				'user_token'       =>       $access_token['oauth_token'],
    114. 

  114. 				'user_secret'      =>       $access_token['oauth_token_secret']
    115. 

  115. 			);
    116. 

  116. 			
    117. 

  117. 			$m->circular->users->insert($user, array('safe' => true));
    118. 

  118. 		}
    119. 

  119. 		
    120. 

  120. 		// We now have our $user, including $user['_id'] (the user's MongoId in our system).
    121. 

  121. 		// Now let's figure out which account manages this user:
    122. 

  122. 		
    123. 

  123. 		if (isset($_SESSION['account']['id'])) {
    124. 

  124. 			// We already have a logged in user account
    125. 

  125. 			
    126. 

  126. 			$m->circular->accounts->update(
    127. 

  127. 				array('_id' => new MongoId($_SESSION['account']['id'])),
    128. 

  128. 				array('$addToSet' => array('users' => $user['_id'])),
    129. 

  129. 				array('safe' => true)
    130. 

  130. 			);
    131. 

  131. 			$account = $m->circular->accounts->findOne(array('_id' => new MongoId($_SESSION['account']['id'])));
    132. 

  132. 			// Is there a way to do the previous two operations in one operation?
    133. 

  133. 			
    134. 

  134. 			// Remove the user from any other account (we don't want any user to be managed by several accounts)
    135. 

  135. 			// This enables "merging" accounts.
    136. 

  136. 			$m->circular->accounts->update(
    137. 

  137. 				array(
    138. 

  138. 					'_id' => array('$ne' => new MongoId($_SESSION['account']['id'])),
    139. 

  139. 					'users' => $user['_id']
    140. 

  140. 				),
    141. 

  141. 				array(
    142. 

  142. 					'$pull' => array('users' => $user['_id'])
    143. 

  143. 				)
    144. 

  144. 			);
    145. 

  145. 			// Should we remove accounts that have no more users?
    146. 

  146. 		}
    147. 

  147. 		else {
    148. 

  148. 			// No account's logged in right now
    149. 

  149. 			
    150. 

  150. 			$account = $m->circular->accounts->findOne(array('users' => $user['_id']));
    151. 

  151. 			if ($account) {
    152. 

  152. 				// We have retrieved an existing account for this user.
    153. 

  153. 			}
    154. 

  154. 			else {
    155. 

  155. 				// We don't have an account for this user, let's create one:
    156. 

  156. 				$account = array('users' => array($user['_id']));
    157. 

  157. 				
    158. 

  158. 				$m->circular->accounts->insert(
    159. 

  159. 					$account,
    160. 

  160. 					array('safe' => true)
    161. 

  161. 				);
    162. 

  162. 			}
    163. 

  163. 		}
    164. 

  164. 		
    165. 

  165. 		// At this point, we have our $account, containing MongoId references to several users.
    166. 

  166. 		
    167. 

  167. 		$_SESSION['account']['id']    = (string) $account['_id'];
    168. 

  168. 		$_SESSION['account']['users'] = array();
    169. 

  169. 		foreach ($account['users'] as $user) {
    170. 

  170. 			$_SESSION['account']['users'][(string) $user] = array();
    171. 

  171. 		}
    172. 

  172. 		
    173. 

  173. 		
    174. 

  174. 		header('Location: ' . APP_URL);
    175. 

  175. 	}
    176. 

  176. 	else {
    177. 

  177. 		outputError($tmhOAuth);
    178. 

  178. 	}
    179. 

  179. }
    180. 

  180. 

  181. 

  182. // Step 4: Now the user has authenticated, do something with the permanent token and secret we received
    183. 

  183. function verify_credentials($tmhOAuth, $id) {
    184. 

  184. 	$m = new Mongo();
    185. 

  185. 	$user = $m->circular->users->findOne(array('_id' => new MongoId($id)));
    186. 

  186. 	
    187. 

  187. 	$tmhOAuth->config['user_token']  = $user['user_token'];
    188. 

  188. 	$tmhOAuth->config['user_secret'] = $user['user_secret'];
    189. 

  189. 	
    190. 

  190. 	$code = $tmhOAuth->request(
    191. 

  191. 		'GET',
    192. 

  192. 		$tmhOAuth->url('1.1/account/verify_credentials')
    193. 

  193. 	);
    194. 

  194. 	
    195. 

  195. 	if ($code == 200) {
    196. 

  196. 		$response = json_decode($tmhOAuth->response['response']);
    197. 

  197. 		
    198. 

  198. 		$_SESSION['account']['users'][$id] = array(
    199. 

  199. 			'user_id'           => $response->id,
    200. 

  200. 			'user_screen_name'  => $response->screen_name,
    201. 

  201. 			'profile_image_url' => $response->profile_image_url,
    202. 

  202. 			'name'              => $response->name,
    203. 

  203. 			'id'                => $id
    204. 

  204. 		);
    205. 

  205. 	}
    206. 

  206. 	else {
    207. 

  207. 		outputError($tmhOAuth);
    208. 

  208. 	}
    209. 

  209. }
    210. 

  210. 

  211. 

  212. 

  213. /* Auth Flow */
    214. 

  214. 

  215. if (isset($_REQUEST['wipe'])) {
    216. 

  216. 	// Logging out
    217. 

  217. 	wipe();
    218. 

  218. 	return;
    219. 

  219. }
    220. 

  220. 

  221. if (isset($_REQUEST['start'])) {
    222. 

  222. 	// Let's start the OAuth dance
    223. 

  223. 	request_token($tmhOAuth);
    224. 

  224. }
    225. 

  225. elseif (isset($_REQUEST['oauth_verifier'])) {
    226. 

  226. 	access_token($tmhOAuth);
    227. 

  227. }
    228. 

  228. elseif (isset($_SESSION['account'])) {
    229. 

  229. 	// Some credentials already stored in this browser session.
    230. 

  230. 	
    231. 

  231. 	foreach ($_SESSION['account']['users'] as $id => $user) {
    232. 

  232. 		if (!isset($user['profile_image_url'])) {
    233. 

  233. 			verify_credentials($tmhOAuth, $id);
    234. 

  234. 		}
    235. 

  235. 	}
    236. 

  236. 	
    237. 

  237. 	echo json_encode($_SESSION['account']);
    238. 

  238. }
    239. 

  239. else {
    240. 

  240. 	// User's not logged in.
    241. 

  241. 	echo json_encode(array('loggedin' => false));
    242. 

  242. }
    243.