-rw-r--r--src/Broker.php4
-rw-r--r--src/Server.php29
2 files changed, 25 insertions, 8 deletions
diff --git a/src/Broker.php b/src/Broker.php
index 5ae9a26..2d91f98 100644
--- a/src/Broker.php
+++ b/src/Broker.php
@@ -169,8 +169,6 @@ class Broker
protected function getRequestUrl($command, $params = [])
{
$params['command'] = $command;
- $params['sso_session'] = $this->getSessionId();
-
return $this->url . '?' . http_build_query($params);
}
@@ -192,7 +190,7 @@ class Broker
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
- curl_setopt($ch, CURLOPT_HTTPHEADER, ['Accept: application/json']);
+ curl_setopt($ch, CURLOPT_HTTPHEADER, ['Accept: application/json', 'Authorization:'. $this->getSessionID()]);
if ($method === 'POST' && !empty($data)) {
$post = is_string($data) ? $data : http_build_query($data);
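Review bot: The header built on the new CURLOPT_HTTPHEADER line sends the session id as a bare value, `Authorization:<id>`, with no auth-scheme and no space after the colon; RFC 7235 expects `Authorization: <scheme> <credentials>`, and proxies or WAFs that parse the header may drop or reject a scheme-less value. Agree a scheme with the server side (which currently takes the whole header value verbatim) and build it as `'Authorization: Bearer ' . $this->getSessionId()`, stripping the `Bearer ` prefix on the server before the `SSO-` format check. The call is spelled getSessionID() here while the removed query-string line used getSessionId(); PHP resolves both, but one spelling keeps grep and static analysis honest. Moving the id out of the query string is the right call, since query strings land in access logs and Referer headers; the enclosing method starts before and continues after this hunk.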
diff --git a/src/Server.php b/src/Server.php
index 8d1ecd4..f91e52f 100644
--- a/src/Server.php
+++ b/src/Server.php
@@ -68,12 +68,12 @@ abstract class Server
{
if (isset($this->brokerId)) return;
- if (!isset($_GET['sso_session'])) {
+ $sid = $this->getBrokerSessionID();
+
+ if ($sid == FALSE) {
return $this->fail("Broker didn't send a session key", 400);
}
-
- $sid = $_GET['sso_session'];
-
+
$linkedId = $this->cache->get($sid);
if (!$linkedId) {
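Review bot: `if ($sid == FALSE)` on the new line is a loose comparison, so a session id of `"0"` or `""` is reported as "Broker didn't send a session key" instead of reaching validation; getBrokerSessionID() returns either a string or FALSE, so `if ($sid === false) {` is the intended test. This is harmless today because neither value would pass the `SSO-` format check later, but the strict form documents the contract and stops surprising the next reader. The added blank line also carries trailing whitespace. The enclosing method's signature is above this hunk.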
@@ -90,6 +90,25 @@ abstract class Server
$this->brokerId = $this->validateBrokerSessionId($sid);
}
+
+ /**
+ * Get session ID from header Authorization or from $_GET/$_POST
+ */
+ protected function getBrokerSessionID(){
+ $headers = getallheaders();
+
+ if (isset($headers['Authorization'])){
+ return $headers['Authorization'];
+ }
+ if (isset($_GET['sso_session'])) {
+ return $_GET['sso_session'];
+ }
+ if (isset($_POST['sso_session'])) {
+ return $_POST['sso_session'];
+ }
+
+ return FALSE;
+ }
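Review bot: getallheaders() in the new getBrokerSessionID() is not defined on every SAPI (CLI, and nginx/PHP-FPM before PHP 7.3), so the method fatals there, and the lookup `$headers['Authorization']` is case-sensitive while HTTP header names are not — a client or HTTP/2 proxy that sends `authorization:` silently falls through to the $_GET/$_POST path. `$_SERVER['HTTP_AUTHORIZATION']` is upper-cased by the web server and populated by the common SAPIs; replace the first three lines of the body with `if (!empty($_SERVER['HTTP_AUTHORIZATION'])) { return $_SERVER['HTTP_AUTHORIZATION']; }`. Apache running PHP as CGI/FastCGI strips the Authorization header unless it is passed through explicitly (a `SetEnvIf Authorization` or RewriteRule directive), which deserves a line in the docblock because the query-string fallback would otherwise keep working without anyone noticing that the header path is dead. Since that fallback stays, the session id can still end up in access logs and Referer headers for any broker not yet updated; the docblock should also declare `@return string|false`.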
/**
* Validate the broker session id
@@ -101,7 +120,7 @@ abstract class Server
{
$matches = null;
- if (!preg_match('/^SSO-(\w*+)-(\w*+)-([a-z0-9]*+)$/', $_GET['sso_session'], $matches)) {
+ if (!preg_match('/^SSO-(\w*+)-(\w*+)-([a-z0-9]*+)$/', $this->getBrokerSessionID(), $matches)) {
return $this->fail("Invalid session id");
}