authorArnold Daniels <arnold@jasny.net>2015-09-16 14:10:38 +0200
committerArnold Daniels <arnold@jasny.net>2015-09-27 16:54:20 +0200
commit6d7654315b70abc6f98b99635172f435d17b12d6 (patch)
treec25f0ea24e78b8d5bac17f9126b73599f3537c18
parent72db5f3dda2db8a9b1e2b11659fd952d47467a93 (diff)
Added .htaccess for index.php
Improved example server index.php. Removed comments from Server.php src.
-rw-r--r--examples/server/.htaccess6
-rw-r--r--examples/server/index.php12
-rw-r--r--src/Server.php32
3 files changed, 27 insertions, 23 deletions
diff --git a/examples/server/.htaccess b/examples/server/.htaccess
new file mode 100644
index 0000000..7bb4b5b
--- /dev/null
+++ b/examples/server/.htaccess
@@ -0,0 +1,6 @@
+RewriteEngine On
+
+RewriteCond %{REQUEST_FILENAME} !-d
+RewriteCond %{REQUEST_FILENAME} !-f
+RewriteRule (.+) index.php?command=$1 [L]
+
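Review bot: The rule `RewriteRule (.+) index.php?command=$1 [L]` substitutes a query string without the `QSA` flag, so mod_rewrite drops the request's original query string; a call such as `attach?broker=…&token=…` reaches index.php with only `command=attach`. Unless every parameter is carried in the POST body, the line should read `RewriteRule (.+) index.php?command=$1 [L,QSA]`. Note also that this makes the URL path itself the value that index.php dispatches on, so the command check in index.php is the only thing limiting which methods a path can reach.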
diff --git a/examples/server/index.php b/examples/server/index.php
index 4d5f68f..d68c55e 100644
--- a/examples/server/index.php
+++ b/examples/server/index.php
@@ -3,13 +3,17 @@
require_once __DIR__ . '/../../vendor/autoload.php';
require_once __DIR__ . '/SSOTestServer.php';
-if (realpath($_SERVER["SCRIPT_FILENAME"]) == realpath(__FILE__) && isset($_REQUEST['command'])) {
- $sso = new SSOTestServer();
- $sso->$_REQUEST['command']();
-} else {
+$sso = new SSOTestServer();
+$request = isset($_REQUEST['command']) ? $_REQUEST['command'] : null;
+
+if (!$request || !method_exists($sso, $request)) {
error_log('Unkown command');
header("HTTP/1.1 406 Not Acceptable");
header('Content-type: application/json; charset=UTF-8');
echo "{error: 'Uknown command'}";
+ die;
}
+
+$sso->$request();
+
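Review bot: `method_exists($sso, $request)` on the new guard line is too permissive as the check for the dynamic call `$sso->$request()`: it returns true for protected and private methods and for magic methods such as `__construct`, so any helper inherited from Server becomes addressable by name from the URL (non-public ones fail with a fatal Error instead of the JSON 406). Prefer an explicit allowlist of the command names the example server exposes, e.g. `$commands = ['userInfo', /* other public commands */]; if ($request === null || !in_array($request, $commands, true)) {`, or at minimum `if ($request === null || !is_callable([$sso, $request]) || strncmp($request, '__', 2) === 0) {`. The `!$request` test also rejects the string `"0"` because of truthiness, which an `=== null` comparison avoids. Separately, the context line `echo "{error: 'Uknown command'}";` emits invalid JSON under a JSON content type; `echo json_encode(['error' => 'Unknown command']);` would match what Server::fail() produces.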
diff --git a/src/Server.php b/src/Server.php
index c9c4307..5c8d230 100644
--- a/src/Server.php
+++ b/src/Server.php
@@ -4,7 +4,7 @@ namespace Jasny\SSO;
require_once __DIR__ . '/../vendor/autoload.php';
use Desarrolla2\Cache\Cache;
-use Desarrolla2\Cache\Adapter\File;
+use Desarrolla2\Cache\Adapter;
use Jasny\ValidationResult;
/**
@@ -43,8 +43,10 @@ abstract class Server
// Broker session
$matches = null;
- if (isset($_REQUEST[session_name()])
- && preg_match('/^SSO-(\w*+)-(\w*+)-([a-z0-9]*+)$/', $_REQUEST[session_name()], $matches)) {
+ if (
+ isset($_REQUEST[session_name()])
+ && preg_match('/^SSO-(\w*+)-(\w*+)-([a-z0-9]*+)$/', $_REQUEST[session_name()], $matches)
+ ) {
$sid = $_REQUEST[session_name()];
/* for (cross domain) ajax attach calls */
@@ -144,7 +146,7 @@ abstract class Server
$validation = $this->authenticate($_POST['username'], $_POST['password']);
- if (!$validation->succeeded()) {
+ if ($validation->failed()) {
$this->failLogin($validation->getErrors());
}
@@ -198,7 +200,6 @@ abstract class Server
/**
* Ouput user information as json.
- * Doesn't return e-mail address to brokers with security level < 2.
*/
public function userInfo()
{
@@ -208,26 +209,21 @@ abstract class Server
$userData = $this->getUserInfo($_SESSION['username']);
$userData['username'] = $_SESSION['username'];
- foreach ($userData as $key => $value) {
- // TODO: find alternative for htmlspecialchars, as this can be a vulnerability.
- $userData[$key] = htmlspecialchars($value, ENT_COMPAT, 'UTF-8');
- }
-
header('Content-type: application/json; charset=UTF-8');
echo json_encode($userData);
}
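Review bot: Dropping the `htmlspecialchars` loop is the right call for a JSON body (HTML escaping belongs at the render site, and it corrupted values that legitimately contain `&` or `<`), but the remaining `echo json_encode($userData);` now sends user-supplied profile data unescaped, and json_encode returns false on invalid UTF-8, which would emit an empty body with a 200 status. Since brokers may inline this payload into HTML, `echo json_encode($userData, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);` keeps the output safe in that context at no cost, and a `=== false` check on the result would surface encoding failures through fail(). The userInfo() method begins outside this hunk.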
/**
* An error occured.
- * I would normaly solve this by throwing an Exception and use an exception handler.
*
* @param string $message
*/
protected function fail($message)
{
- header("HTTP/1.1 406 Not Acceptable");
- header('Content-type: application/json; charset=UTF-8');
error_log($message);
+
+ header("HTTP/1.1 400 Bad Request");
+ header('Content-type: application/json; charset=UTF-8');
echo json_encode(['error' => $message]);
exit;
@@ -235,7 +231,6 @@ abstract class Server
/**
* Login failure.
- * I would normaly solve this by throwing a LoginException and use an exception handler.
*
* @param string $message
*/
@@ -243,20 +238,19 @@ abstract class Server
{
header("HTTP/1.1 401 Unauthorized");
header('Content-type: application/json; charset=UTF-8');
- error_log($message);
+
echo json_encode(['error' => $message]);
exit;
}
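Review bot: Removing `error_log($message)` from failLogin drops the only server-side record of a failed login visible in this hunk; unless authenticate() or its caller logs the failure elsewhere, failed attempts will no longer appear in the error log, which is the usual signal for noticing credential guessing against the SSO server. Keep the call, `error_log($message);`, in place of the blank line the commit leaves, ideally with the broker id included for correlation. The failLogin signature and docblock are outside this hunk.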
/**
- * Create a cache.
- *
- * This method is called in the constructor to make a cache to store the broker session id.
+ * Create a cache to store the broker session id.
*/
protected function createCacheAdapter()
{
- $adapter = new File('/tmp');
+ $adapter = new Adapter\File('/tmp');
$adapter->setOption('ttl', 10 * 3600);
+
return new Cache($adapter);
}