From 9850820b4276b197433bb64d84ed085cdcd01e0e Mon Sep 17 00:00:00 2001 From: Michiel de Jong Date: Wed, 22 Feb 2012 18:05:52 +0000 Subject: [PATCH] BearerAuth and multiple tokens support in remoteStorage app --- apps/remoteStorage/BearerAuth.php | 61 ++++++++++++++++++++++++ apps/remoteStorage/WebDAV.php | 1 + apps/remoteStorage/auth.php | 4 +- apps/remoteStorage/lib_remoteStorage.php | 32 +++++++------ apps/remoteStorage/oauth_ro_auth.php | 4 +- 5 files changed, 84 insertions(+), 18 deletions(-) create mode 100644 apps/remoteStorage/BearerAuth.php diff --git a/apps/remoteStorage/BearerAuth.php b/apps/remoteStorage/BearerAuth.php new file mode 100644 index 00000000000..ebcf189dfb9 --- /dev/null +++ b/apps/remoteStorage/BearerAuth.php @@ -0,0 +1,61 @@ +httpRequest->getRawServerValue('PHP_AUTH_USER')) && ($pass = $this->httpRequest->getRawServerValue('PHP_AUTH_PW'))) { + + return array($user,$pass); + + } + + // Most other webservers + $auth = $this->httpRequest->getHeader('Authorization'); + + if (!$auth) return false; + + if (strpos(strtolower($auth),'bearer')!==0) return false; + + return explode(':', base64_decode(substr($auth, 7))); + + } + + /** + * Returns an HTTP 401 header, forcing login + * + * This should be called when username and password are incorrect, or not supplied at all + * + * @return void + */ + public function requireLogin() { + + $this->httpResponse->setHeader('WWW-Authenticate','Basic realm="' . $this->realm . '"'); + $this->httpResponse->sendStatus(401); + + } + +} diff --git a/apps/remoteStorage/WebDAV.php b/apps/remoteStorage/WebDAV.php index e048d19e8f2..06520b4021b 100644 --- a/apps/remoteStorage/WebDAV.php +++ b/apps/remoteStorage/WebDAV.php @@ -33,6 +33,7 @@ require_once('../../lib/base.php'); OC_Util::checkAppEnabled('remoteStorage'); require_once('Sabre/autoload.php'); require_once('lib_remoteStorage.php'); +require_once('BearerAuth.php'); require_once('oauth_ro_auth.php'); ini_set('default_charset', 'UTF-8'); 
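Review bot: `requireLogin()` still sends `WWW-Authenticate: Basic realm="..."` while `getUserPass()` only accepts a `bearer` scheme, so a client that honours the challenge sends Basic credentials, and the leftover `PHP_AUTH_USER`/`PHP_AUTH_PW` branch at the top of `getUserPass()` then returns the account password as if it were a token pair (and the failure path in oauth_ro_auth.php, `die('not getting in with ... $password ...')`, prints it back). The challenge should read `$this->httpResponse->setHeader('WWW-Authenticate','Bearer realm="' . $this->realm . '"');` and the Basic branch should be dropped. The token parsing is also brittle: `base64_decode` is non-strict and `explode(':')` can yield one element or three, which a caller doing `list($user,$pass) = ...` will not notice. The first lines of this new file appear cut off in this rendering, so the class header and the opening of `getUserPass()` are inferred.
```php
// … unchanged: file header and class declaration …
public function getUserPass() {
    $auth = $this->httpRequest->getHeader('Authorization');
    if (!$auth || strncasecmp($auth, 'bearer ', 7) !== 0) return false;
    // strict decode so a malformed header is rejected rather than turned into garbage
    $decoded = base64_decode(substr($auth, 7), true);
    if ($decoded === false) return false;
    $parts = explode(':', $decoded, 2);
    if (count($parts) !== 2) return false;
    return $parts;
}
// … unchanged: requireLogin(), with the scheme changed from Basic to Bearer …
```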
diff --git a/apps/remoteStorage/auth.php b/apps/remoteStorage/auth.php
index 85421ba3d88..75e0aac419d 100644
--- a/apps/remoteStorage/auth.php
+++ b/apps/remoteStorage/auth.php
@@ -68,14 +68,14 @@ if(count($pathParts) == 2 && $pathParts[0] == '') {
 } else if($k=='redirect_uri'){
 $appUrl=$v;
 } else if($k=='scope'){
- $category=$v;
+ $categories=$v;
 }
 }
 $currUser = OC_User::getUser();
 if($currUser == $ownCloudUser) {
 if(isset($_POST['allow'])) {
 //TODO: check if this can be faked by editing the cookie in firebug!
- $token=OC_remoteStorage::createCategory($appUrl, $category);
+ $token=OC_remoteStorage::createCategories($appUrl, $categories);
 header('Location: '.$_GET['redirect_uri'].'#access_token='.$token.'&token_type=bearer');
 } else {
 echo '
'; diff --git a/apps/remoteStorage/lib_remoteStorage.php b/apps/remoteStorage/lib_remoteStorage.php index 4f19310904e..4f5c9664509 100644 --- a/apps/remoteStorage/lib_remoteStorage.php +++ b/apps/remoteStorage/lib_remoteStorage.php @@ -2,11 +2,13 @@ class OC_remoteStorage { public static function getValidTokens($ownCloudUser, $category) { - $query=OC_DB::prepare("SELECT token,appUrl FROM *PREFIX*authtoken WHERE user=? AND category=? LIMIT 100"); - $result=$query->execute(array($ownCloudUser,$category)); + $query=OC_DB::prepare("SELECT token,appUrl,category FROM *PREFIX*authtoken WHERE user=? LIMIT 100"); + $result=$query->execute(array($ownCloudUser)); $ret = array(); while($row=$result->fetchRow()){ - $ret[$row['token']]=true; + if(in_array($category, explode(',', $row['category']))) { + $ret[$row['token']]=true; + } } return $ret; } @@ -19,7 +21,7 @@ class OC_remoteStorage { while($row=$result->fetchRow()){ $ret[$row['token']] = array( 'appUrl' => $row['appurl'], - 'category' => $row['category'], + 'categories' => $row['category'], ); } return $ret; 
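Review bot: `$categories=$v;` stores the raw `scope` query value and passes it straight to `createCategories()`, which derives directory names from it, so nothing on this path checks that the scope is a list of plain names; unless `OC_Filesystem` normalises paths, a scope like `../foo` reaches `OC_Filesystem::mkdir`. Normalise and validate where the request is parsed, e.g. `$categories = array_filter(explode(',', $v), function ($c) { return preg_match('/^[A-Za-z0-9_-]+$/', $c) === 1; });`, and refuse to issue a token when the list ends up empty. The `$_GET['redirect_uri']` that the token is appended to is not shown being validated in this hunk; if that check lives elsewhere, disregard this sentence. The enclosing `if(count($pathParts) ...)` block starts before and ends after the hunk.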
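Review bot: Moving the category filter out of SQL changes what `LIMIT 100` bounds: the query now returns the user's first 100 tokens across every category and only then filters, so once a user has more than 100 rows a later token is never found and its bearer is rejected, whereas before the limit applied per category (`WHERE user=? AND category=?`). Either drop the LIMIT or keep a SQL prefilter on the column and finish with the `in_array` check. The membership test should also be strict, `if(in_array($category, explode(',', $row['category']), true)) {`, so a scope is only matched by an identical string. The rest of the class lies outside this hunk.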
@@ -30,21 +32,23 @@ class OC_remoteStorage {
 $query=OC_DB::prepare("DELETE FROM *PREFIX*authtoken WHERE token=? AND user=?");
 $result=$query->execute(array($token,$user));
 }
- private static function addToken($token, $appUrl, $category){
+ private static function addToken($token, $appUrl, $categories){
 $user=OC_User::getUser();
 $query=OC_DB::prepare("INSERT INTO *PREFIX*authtoken (`token`,`appUrl`,`user`,`category`) VALUES(?,?,?,?)");
- $result=$query->execute(array($token,$appUrl,$user,$category));
+ $result=$query->execute(array($token,$appUrl,$user,$categories));
 }
- public static function createCategory($appUrl, $category) {
+ public static function createCategories($appUrl, $categories) {
 $token=uniqid();
- self::addToken($token, $appUrl, $category);
- //TODO: input checking on $category
 OC_Util::setupFS(OC_User::getUser());
- $scopePathParts = array('remoteStorage', $category);
- for($i=0;$i<=count($scopePathParts);$i++){
- $thisPath = '/'.implode('/', array_slice($scopePathParts, 0, $i));
- if(!OC_Filesystem::file_exists($thisPath)) {
- OC_Filesystem::mkdir($thisPath);
+ self::addToken($token, $appUrl, $categories);
+ foreach($categories as $category) {
+ //TODO: input checking on $category
+ $scopePathParts = array('remoteStorage', $category);
+ for($i=0;$i<=count($scopePathParts);$i++){
+ $thisPath = '/'.implode('/', array_slice($scopePathParts, 0, $i));
+ if(!OC_Filesystem::file_exists($thisPath)) {
+ OC_Filesystem::mkdir($thisPath);
+ }
 }
 }
 return base64_encode('remoteStorage:'.$token);
diff --git a/apps/remoteStorage/oauth_ro_auth.php b/apps/remoteStorage/oauth_ro_auth.php
index 5403fbe20c9..d4a55061492 100644
--- a/apps/remoteStorage/oauth_ro_auth.php
+++ b/apps/remoteStorage/oauth_ro_auth.php
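Review bot: `foreach($categories as $category)` requires an array, but the same `$categories` value is bound as the single `category` column in `addToken` and read back with `explode(',')` in `getValidTokens`, so the two sides disagree on its type: with the string that auth.php assigns from the `scope` parameter the loop iterates nothing (PHP warns and creates no directories) yet the token is still inserted and returned, and with an array the INSERT binds the literal `Array`. Accept either form, validate each name before it becomes a path segment (the `//TODO: input checking on $category` now sits inside the loop that calls `OC_Filesystem::mkdir`), and store `implode(',', $categories)`. `$token=uniqid()` is pre-existing, but since this token is now the only credential checked before writes it should come from a CSPRNG rather than a timestamp-derived id; callers of the rewrite below must handle a `false` return.
```php
public static function createCategories($appUrl, $categories) {
    if (!is_array($categories)) {
        $categories = explode(',', (string)$categories);
    }
    foreach ($categories as $category) {
        // each category becomes a directory under /remoteStorage: plain names only
        if (!preg_match('/^[A-Za-z0-9_-]+$/', $category)) {
            return false;
        }
    }
    // e.g. openssl_random_pseudo_bytes; the token is the bearer credential for writes
    $token = bin2hex(openssl_random_pseudo_bytes(16));
    OC_Util::setupFS(OC_User::getUser());
    self::addToken($token, $appUrl, implode(',', $categories));
    // … unchanged: per-category mkdir loop …
    return base64_encode('remoteStorage:'.$token);
}
```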
@@ -34,7 +34,7 @@ class OC_Connector_Sabre_Auth_ro_oauth extends Sabre_DAV_Auth_Backend_AbstractBa if(in_array($_SERVER['REQUEST_METHOD'], array('GET', 'HEAD', 'OPTIONS'))) { OC_Util::setUpFS(); return true; - } else if(isset($this->validTokens[$password]) && $this->validTokens[$password] == $username) { + } else if(isset($this->validTokens[$password])) { OC_Util::setUpFS(); return true; } else { @@ -47,7 +47,7 @@ die('not getting in with "'.$username.'"/"'.$password.'"!'); //overwriting this to make it not automatically fail if no auth header is found: public function authenticate(Sabre_DAV_Server $server,$realm) { - $auth = new Sabre_HTTP_BasicAuth(); + $auth = new Sabre_HTTP_BearerAuth(); $auth->setHTTPRequest($server->httpRequest); $auth->setHTTPResponse($server->httpResponse); $auth->setRealm($realm); -- 2.39.5
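Review bot: With the `== $username` clause removed, `isset($this->validTokens[$password])` is the only gate on non-read requests, which is consistent with `getValidTokens` storing `true` per token, but the failure branch shown in the next hunk header, `die('not getting in with "'.$username.'"/"'.$password.'"!')`, echoes the presented token (or a Basic password, given the challenge BearerAuth advertises) in the response body. Replace it with `return false;` or a fixed message before this ships. The `GET`/`HEAD`/`OPTIONS` branch returns `true` with no credential at all, which appears to be the intent of a read-only backend (`ro`), but it deserves a comment stating that everything under the tree is readable without a token. `validateUserPass` begins before this hunk.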