summaryrefslogtreecommitdiff
path: root/oauth/callback/index.php
blob: bb3f57f566cb0ed4d8fcdd80a2ccc9eb4de95467 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53

<?php

header("X-Frame-Options: DENY");
$app = json_decode(file_get_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/app.json"), true);
$server = "account.equestria.dev";

header("Content-Type: text/plain");

if (!isset($_GET['code'])) {
    die();
}

$crl = curl_init('https://' . $server . '/hub/api/rest/oauth2/token');
curl_setopt($crl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($crl, CURLINFO_HEADER_OUT, true);
curl_setopt($crl, CURLOPT_POST, true);
curl_setopt($crl, CURLOPT_HTTPHEADER, [
    "Authorization: Basic " . base64_encode($app["id"] . ":" . $app["secret"]),
    "Content-Type: application/x-www-form-urlencoded",
    "Accept: application/json"
]);
curl_setopt($crl, CURLOPT_POSTFIELDS, "grant_type=authorization_code&redirect_uri=" . urlencode(($_SERVER['HTTP_HOST'] === "mist-testing.equestria.horse" ? "https://mist-testing.equestria.horse" : "https://mist.equestria.horse") . "/oauth/callback") . "&code=" . $_GET['code']);

$result = curl_exec($crl);
$result = json_decode($result, true);

curl_close($crl);

if (isset($result["access_token"])) {
    $crl = curl_init('https://' . $server . '/hub/api/rest/users/me');
    curl_setopt($crl, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($crl, CURLINFO_HEADER_OUT, true);
    curl_setopt($crl, CURLOPT_HTTPHEADER, [
        "Authorization: Bearer " . $result["access_token"],
        "Accept: application/json"
    ]);

    $result = $result_orig = curl_exec($crl);
    $result = json_decode($result, true);

    if (!in_array($result["id"], $app["allowed"])) {
        header("HTTP/1.1 403 Forbidden");
        die("Not allowed to log in to this application. This will be reported.");
    }

    if (!file_exists($_SERVER['DOCUMENT_ROOT'] . "/includes/tokens")) mkdir($_SERVER['DOCUMENT_ROOT'] . "/includes/tokens");

    $token = "wv_" . bin2hex(random_bytes(64));
    file_put_contents($_SERVER['DOCUMENT_ROOT'] . "/includes/tokens/" . $token, $result_orig);
    header("Set-Cookie: WAVY_SESSION_TOKEN=" . $token . "; SameSite=None; Path=/; Secure; HttpOnly; Expires=" . date("r", time() + (86400 * 730)));
    header("Location: /");
    die();
}
© Floofi Systems, Some rights reserved. Powered by cgit.