<?php
/**
* @file SwordServerAccessPolicy.inc.php
*
* Copyright (c) 2014-2020 Simon Fraser University
* Copyright (c) 2000-2020 John Willinsky
* Distributed under the GNU GPL v3. For full terms see the file LICENSE.
*
* @class SwordServerAccessPolicy
* @ingroup security_authorization
*
* @brief Authorization policy for the SWORD server: the request must be authenticated (HTTP Basic credentials or an API-key JWT) as a user holding the manager role in the current journal; anything else is answered with a SWORD error document and HTTP 401.
*/
use \Firebase\JWT\JWT;
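class SwordServerAccessPolicy extends AuthorizationPolicy {
	/** @var PKPRequest The request being authorized; supplies the journal context for the role check. */
	var $request;

	/**
	 * Constructor
	 * @param $request PKPRequest
	 */
	function __construct($request) {
		$this->request = $request;
	}

	/**
	 * Serve a SWORD Error Document to unauthorized requests and stop processing.
	 *
	 * Responds 401 with a WWW-Authenticate challenge (RFC 7235 requires one on
	 * every 401, and Basic-auth clients need it to know how to retry), then the
	 * SWORD error body as XML. Never returns.
	 */
	function unauthorizedResponse() {
		$swordError = new SwordError([
			'summary' => "You are not authorized to make this request"
		]);
		http_response_code(401);
		header('WWW-Authenticate: Basic realm="SWORD"');
		header('Content-Type: application/xml');
		echo $swordError->saveXML();
		exit;
	}

	/**
	 * @copydoc AuthorizationPolicy::effect()
	 *
	 * Authenticates the caller by HTTP Basic credentials, or failing that by an
	 * X-Ojs-Sword-Api-Token JWT (HS256, signed with security.api_key_secret),
	 * then requires the authenticated user to hold the manager role in the
	 * current journal. Every failure path denies; denial triggers
	 * unauthorizedResponse() through the CALL_ON_DENY advice set here.
	 */
	function effect() {
		$callOnDeny = array($this, 'unauthorizedResponse', array());
		$this->setAdvice(AUTHORIZATION_ADVICE_CALL_ON_DENY, $callOnDeny);

		// Header names are case-insensitive (RFC 7230); normalise to lower case so
		// "authorization" or "X-OJS-SWORD-API-TOKEN" are matched as well. Some SAPIs
		// report no headers at all, so tolerate a non-array result.
		$rawHeaders = getallheaders();
		$headers = is_array($rawHeaders) ? array_change_key_case($rawHeaders, CASE_LOWER) : array();

		$user = null;

		// 1. HTTP Basic authentication
		if (isset($headers['authorization']) && is_string($headers['authorization'])) {
			$user = $this->_userFromBasicAuth($headers['authorization']);
		}

		// 2. API key (JWT) -- consulted only when Basic auth produced no user
		if (!$user && isset($headers['x-ojs-sword-api-token']) && is_string($headers['x-ojs-sword-api-token'])) {
			$user = $this->_userFromApiToken($headers['x-ojs-sword-api-token']);
		}

		// Authentication alone is not sufficient: the user must manage this journal.
		// Resolve the journal first so a request outside any journal context is
		// denied rather than failing with a fatal error on a null object.
		// NOTE(review): nothing on the API-key path rejects disabled accounts;
		// confirm whether the DAO / checkCredentials already do so, else check the
		// user's disabled flag here before permitting.
		$journal = $this->request->getJournal();
		if ($user && $journal && $user->hasRole(ROLE_ID_MANAGER, $journal->getId())) {
			$this->addAuthorizedContextObject(ASSOC_TYPE_USER, $user);
			return AUTHORIZATION_PERMIT;
		}
		return AUTHORIZATION_DENY;
	}

	/**
	 * Resolve the user named by an HTTP Basic Authorization header.
	 * @param $authHeader string Raw Authorization header value.
	 * @return User|null The user when the scheme is Basic and the credentials
	 *  verify; null for any other scheme, undecodable or malformed credentials,
	 *  or a failed password check.
	 */
	function _userFromBasicAuth($authHeader) {
		// Only the Basic scheme is understood; anything else (Bearer, Digest, ...)
		// is not something we can verify, so treat it as no credentials.
		if (stripos($authHeader, 'Basic ') !== 0) return null;
		// Strict base64: reject garbage instead of silently decoding part of it.
		$decoded = base64_decode(trim(substr($authHeader, 6)), true);
		if ($decoded === false) return null;
		// Split on the first ':' only -- RFC 7617 allows ':' inside the password,
		// and a missing separator means there is no password to check.
		$parts = explode(':', $decoded, 2);
		if (count($parts) !== 2 || $parts[0] === '') return null;
		list($username, $password) = $parts;
		if (!Validation::checkCredentials($username, $password)) return null;
		$userDao = DAORegistry::getDAO('UserDAO');
		return $userDao->getByUsername($username);
	}

	/**
	 * Resolve the user identified by an API-key JWT.
	 * @param $apiToken string Raw X-Ojs-Sword-Api-Token header value.
	 * @return User|null The user whose apiKey setting equals the verified token
	 *  payload; null when no secret is configured, the token fails verification,
	 *  or the payload is not a non-empty string.
	 */
	function _userFromApiToken($apiToken) {
		$secret = Config::getVar('security', 'api_key_secret', '');
		// With no configured secret no token can be trusted; never verify against
		// an empty key (the config default), which anyone could sign with.
		if ($secret === null || $secret === '') return null;
		try {
			// Pin the accepted algorithm to HS256; the token must not choose its own
			// ("none" or an asymmetric alg verified with the shared secret as public key).
			$payload = JWT::decode($apiToken, $secret, array('HS256'));
		} catch (\Exception $e) {
			// Bad signature, expired/not-yet-valid, malformed, unsupported alg:
			// all of these mean "not authenticated", not a server error.
			return null;
		}
		// The payload is expected to be the JSON-encoded API key string, hence the
		// second decode -- presumably how OJS issues these tokens; verify against
		// the issuer if in doubt. Anything other than a non-empty string must not
		// reach the setting lookup (a null/empty value could match unintended rows).
		if (!is_string($payload)) return null;
		$apiKey = json_decode($payload);
		if (!is_string($apiKey) || $apiKey === '') return null;
		$userDao = DAORegistry::getDAO('UserDAO');
		return $userDao->getBySetting('apiKey', $apiKey);
	}
}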