WebSVN – oidplus – Diff – /trunk/includes/classes/OIDplusAuthUtils.class.php

         /**
          * @return OIDplusAuthContentStore|null
          * @throws OIDplusException
          */
         protected function getAuthContentStore()/*: ?OIDplusAuthContentStore*/ {
+                // TODO: Should we implement these AuthContentStore as plugin type, so that there can be more than just JWT and PHP session?
                 // Logged in via JWT
                 $tmp = OIDplusAuthContentStoreJWT::getActiveProvider();
                 if ($tmp) return $tmp;
+                // For REST, we must only allow JWT from Bearer and nothing else! So disable cookies if we are accessing the REST plugin
+                $rel_url = substr($_SERVER['REQUEST_URI'], strlen(OIDplus::webpath(null, OIDplus::PATH_RELATIVE_TO_ROOT)));
+                if (!str_starts_with($rel_url, 'rest/')) { // <== TODO: Find a way how to move this into the plugin, since REST does not belong to the core. (Maybe some kind of "stateless mode" that is enabled by the REST plugin)
-                // Normal login via web-browser
+                        // Normal login via web-browser
-                // Cookie will only be created once content is stored
+                        // Cookie will only be created once content is stored
-                $tmp = OIDplusAuthContentStoreSession::getActiveProvider();
+                        $tmp = OIDplusAuthContentStoreSession::getActiveProvider();
-                if ($tmp) return $tmp;
+                        if ($tmp) return $tmp;
+                }
                 // No active session and no JWT token available. User is not logged in.
                 return null;
+        }
         /**

Subversion Repositories oidplus

oidplus/trunk/includes/classes/OIDplusAuthUtils.class.php @ 1301 – Rev 1199 → 1265