yms/validate.php
author Dan Fuhry <dan@enanocms.org>
Fri, 20 Aug 2010 01:43:08 -0400
changeset 7 3db638306413
parent 0 9997bee9ad03
child 10 351d40b21cbc
permissions -rw-r--r--
Fixed claimauth strings
<?php
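/**
 * Handler for the Yubikey validation request (judging by its name, the
 * Special:YubikeyValidate page).
 *
 * Reads three query-string parameters:
 *   id  - numeric client ID, used to look up that client's API key
 *   otp - the one-time password to validate
 *   h   - optional request signature; when present it is checked against a
 *         signature recomputed from the request and the client's API key
 *
 * Every outcome is reported through yms_send_reply(). The code below is written
 * as if yms_send_reply() terminates the request - TODO confirm, it is defined
 * elsewhere.
 *
 * Side effects: turns off $do_gzip and publishes the client's API key as
 * $GLOBALS['g_api_key'].
 */
function page_Special_YubikeyValidate()
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  global $do_gzip;
  $do_gzip = false;

  // Check parameters.
  // PHP turns "id[]=x" into an array, and intval() of a non-empty array is 1, so an
  // array-shaped id would silently resolve to client 1. Only plain strings are accepted.
  if ( !isset($_GET['id']) || !is_string($_GET['id']) )
  {
    yms_send_reply('MISSING_PARAMETER', '', array('info' => 'id'));
  }

  // Same reasoning for otp: keep array-shaped input away from the OTP validator.
  if ( !isset($_GET['otp']) || !is_string($_GET['otp']) )
  {
    yms_send_reply('MISSING_PARAMETER', '', array('info' => 'otp'));
  }

  // first, get API key so we can properly sign responses
  // $id is forced to an integer here, which is what makes interpolating it into the query safe.
  $id = intval($_GET['id']);
  $q = $db->sql_query("SELECT apikey FROM " . table_prefix . "yms_clients WHERE id = $id;");
  if ( !$q )
    $db->_die();

  if ( $db->numrows($q) < 1 )
    yms_send_reply("NO_SUCH_CLIENT");

  list($g_api_key) = $db->fetchrow_num($q);
  $db->free_result($q);

  // check API key
  // NOTE(review): the signature is only verified when the caller supplies "h"; a request
  // without it is processed unsigned. Confirm that optional request signing is intended.
  if ( isset($_GET['h']) )
  {
    $hex_api_key = yms_hex_encode(base64_decode($g_api_key));
    $right_sig = yubikey_sign($_GET, $hex_api_key);
    $given_sig = $_GET['h'];

    // Compare in constant time so the response latency does not reveal how many leading
    // bytes of a guessed signature were correct. Non-string values never match.
    $sig_ok = false;
    if ( is_string($right_sig) && is_string($given_sig) )
    {
      if ( function_exists('hash_equals') )
      {
        $sig_ok = hash_equals($right_sig, $given_sig);
      }
      else
      {
        // Fallback for PHP older than 5.6: OR together the XOR of every byte pair
        // instead of stopping at the first difference.
        $diff = strlen($right_sig) ^ strlen($given_sig);
        $common = min(strlen($right_sig), strlen($given_sig));
        for ( $i = 0; $i < $common; $i++ )
        {
          $diff |= ord($right_sig[$i]) ^ ord($given_sig[$i]);
        }
        $sig_ok = ( $diff === 0 );
      }
    }

    if ( !$sig_ok )
    {
      yms_send_reply('BAD_SIGNATURE');
    }
  }

  // Expose the key globally; presumably yms_send_reply() reads it to sign the response - verify.
  // NOTE(review): the error replies above are sent before this assignment.
  $GLOBALS['g_api_key'] =& $g_api_key;

  yms_send_reply(yms_validate_otp($_GET['otp'], $id));
}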