<?php
/**
* @file SwordServerAccessPolicy.php
*
* Copyright (c) 2014-2021 Simon Fraser University
* Copyright (c) 2000-2021 John Willinsky
* Distributed under the GNU GPL v3. For full terms see the file LICENSE.
*
* @class SwordServerAccessPolicy
* @brief Class that makes sure that a user is logged in.
*/
namespace APP\plugins\gateways\swordServer;

use APP\facades\Repo;
use \Firebase\JWT\JWT;
use PKP\config\Config;
use PKP\core\Registry;
use PKP\db\DAORegistry;
use PKP\security\authorization\AuthorizationPolicy;
use PKP\security\Role;
use PKP\security\Validation;
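class SwordServerAccessPolicy extends AuthorizationPolicy {
    /**
     * The current request; used to resolve the journal in which the
     * author role is required.
     * Declared explicitly (it used to be a dynamic property) so PHP 8.2+
     * emits no deprecation; public because a dynamic property was already
     * publicly accessible, so callers keep the same interface.
     * @var PKPRequest
     */
    public $request;

    /**
     * Constructor
     * @param $request PKPRequest
     */
    function __construct($request) {
        $this->request = $request;
    }

    /**
     * Serve a SWORD Error Document to unauthorized requests.
     *
     * Sends a 401 with the Basic challenge that RFC 7235 requires on a 401,
     * logs the attempt, writes the error document and terminates the script.
     */
    function unauthorizedResponse() {
        $swordError = new SwordError([
            'summary' => "You are not authorized to make this request"
        ]);
        http_response_code(401);
        header('Content-Type: application/xml');
        // A 401 must carry a challenge so Basic-auth clients know how to retry.
        header('WWW-Authenticate: Basic realm="SWORD"');
        error_log('Unauthorized access to PKP SWORD gateway.');
        echo $swordError->saveXML();
        exit;
    }

    /**
     * @copydoc AuthorizationPolicy::effect()
     *
     * Authenticates the caller via HTTP Basic credentials first, then via the
     * X-Ojs-Sword-Api-Token JWT, and permits the request only when the
     * resolved user holds the author role in the current journal.
     * @return int AUTHORIZATION_PERMIT or AUTHORIZATION_DENY
     */
    function effect() {
        $this->setAdvice(AUTHORIZATION_ADVICE_CALL_ON_DENY, [$this, 'unauthorizedResponse', []]);

        // Header field names are case-insensitive (RFC 7230); normalise so a
        // lower-cased "authorization" from an HTTP/2 client or proxy is found too.
        $rawHeaders = getallheaders();
        $headers = array_change_key_case(is_array($rawHeaders) ? $rawHeaders : [], CASE_LOWER);

        // 1. Try HTTP Basic Auth
        $user = $this->userFromBasicAuth($headers['authorization'] ?? null);

        // 2. Try API Key
        if (!$user) {
            $user = $this->userFromApiToken($headers['x-ojs-sword-api-token'] ?? null);
        }
        if (!$user) {
            return AUTHORIZATION_DENY;
        }
        Registry::set('user', $user);

        // Without a journal context there is no role to check; deny instead of
        // dereferencing null.
        $journal = $this->request->getJournal();
        if ($journal && $user->hasRole(Role::ROLE_ID_AUTHOR, $journal->getId())) {
            $this->addAuthorizedContextObject(ASSOC_TYPE_USER, $user);
            return AUTHORIZATION_PERMIT;
        }
        return AUTHORIZATION_DENY;
    }

    /**
     * Resolve a user from an HTTP Basic "Authorization" header.
     *
     * Rejects any other scheme, malformed base64 and credentials without a
     * ":" separator instead of handing garbage to the credential check.
     * The value is split on the first ":" only, so passwords may contain ":".
     * @param string|null $header Raw Authorization header value, if sent
     * @return object|null The matching user, or null when authentication fails
     */
    private function userFromBasicAuth($header) {
        if (!is_string($header) || strncasecmp($header, 'Basic ', 6) !== 0) {
            return null;
        }
        // Strict decoding rejects non-base64 input rather than silently mangling it.
        $decoded = base64_decode(trim(substr($header, 6)), true);
        if ($decoded === false) {
            return null;
        }
        $parts = explode(':', $decoded, 2);
        if (count($parts) !== 2 || $parts[0] === '') {
            return null;
        }
        [$username, $password] = $parts;
        if (!Validation::checkCredentials($username, $password)) {
            return null;
        }
        return Repo::user()->getByUsername($username);
    }

    /**
     * Resolve a user from the X-Ojs-Sword-Api-Token header.
     *
     * The token is an HS256 JWT signed with the site's api_key_secret whose
     * payload is the user's stored apiKey. Any verification failure yields
     * null (deny) rather than an uncaught exception.
     * @param string|null $apiToken Raw header value, if sent
     * @return object|null The matching user, or null when the token is invalid
     */
    private function userFromApiToken($apiToken) {
        if (!is_string($apiToken) || $apiToken === '') {
            return null;
        }
        $secret = Config::getVar('security', 'api_key_secret', '');
        if (!is_string($secret) || $secret === '') {
            // No secret means no signature can be verified; treat every token as invalid.
            error_log('PKP SWORD gateway: security.api_key_secret is not configured; API token rejected.');
            return null;
        }
        try {
            $decoded = JWT::decode($apiToken, $secret, ['HS256']);
        } catch (\Firebase\JWT\SignatureInvalidException | \UnexpectedValueException | \DomainException $e) {
            // Fully-qualified so the catch actually matches inside this namespace
            // (an unqualified name would resolve to a non-existent local class).
            return null;
        }
        // Compatibility with old API keys
        // https://github.com/pkp/pkp-lib/issues/6462
        if (is_string($decoded) && substr($decoded, 0, 2) === '""') {
            $decoded = json_decode($decoded);
        }
        $userDao = DAORegistry::getDAO('UserDAO');
        return $userDao->getBySetting('apiKey', $decoded);
    }
}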