Rev 559 | Go to most recent revision | Show entire file | Regard whitespace | Details | Blame | Last modification | View Log | RSS feed
| Rev 559 | Rev 566 | ||
|---|---|---|---|
| Line 41... | Line 41... | ||
| 41 | 41 | ||
| 42 | public function init($html=true) { |
42 | public function init($html=true) { |
| 43 | if (isset($_SERVER['SCRIPT_FILENAME']) && (basename($_SERVER['SCRIPT_FILENAME']) == 'ajax.php')) { |
43 | if (isset($_SERVER['SCRIPT_FILENAME']) && (basename($_SERVER['SCRIPT_FILENAME']) == 'ajax.php')) { |
| 44 | $input = array_merge($_POST,$_GET); |
44 | $input = array_merge($_POST,$_GET); |
| 45 | 45 | ||
| - | 46 | if (isset($input['OIDPLUS_AUTH_JWT'])) { |
|
| - | 47 | ||
| - | 48 | originHeaders(); // Allows queries from other domains |
|
| - | 49 | OIDplus::authUtils()->disableCSRF(); // allow access to ajax.php without valid CSRF token |
|
| - | 50 | ||
| - | 51 | // Nothing else to do. The OIDplusAuthUtils->getAuthContentStore() will automatically care if OIDPLUS_AUTH_JWT exists! |
|
| - | 52 | ||
| 46 | if (isset($input['batch_ajax_unlock_key']) && isset($input['batch_login_username']) && isset($input['batch_login_password'])) { |
53 | } else if (isset($input['batch_ajax_unlock_key']) && isset($input['batch_login_username']) && isset($input['batch_login_password'])) { |
| - | 54 | ||
| - | 55 | // batch_* fields are for backwards compatibility! |
|
| - | 56 | ||
| 47 | originHeaders(); // Allows queries from other domains |
57 | originHeaders(); // Allows queries from other domains |
| 48 | OIDplus::authUtils()->disableCSRF(); // allow access to ajax.php without valid CSRF token |
58 | OIDplus::authUtils()->disableCSRF(); // allow access to ajax.php without valid CSRF token |
| 49 | 59 | ||
| 50 | if ($input['batch_login_username'] != 'admin') { |
60 | if ($input['batch_login_username'] != 'admin') { |
| 51 | if ($input['batch_ajax_unlock_key'] != self::getUnlockKey($input['batch_login_username'])) { |
61 | if ($input['batch_ajax_unlock_key'] != self::getUnlockKey($input['batch_login_username'])) { |
| 52 | throw new OIDplusException(_L('Invalid AJAX unlock key')); |
62 | throw new OIDplusException(_L('Invalid AJAX unlock key')); |
| 53 | } |
63 | } |
| 54 | 64 | ||
| 55 | if (OIDplus::authUtils()->raCheckPassword($input['batch_login_username'], $input['batch_login_password'])) { |
65 | if (OIDplus::authUtils()->raCheckPassword($input['batch_login_username'], $input['batch_login_password'])) { |
| 56 | OIDplus::sesHandler()->simulate = true; // do not change the user session |
66 | // OIDplusAuthUtils->getAuthContentStore() will use a OIDplusAuthContentStoreDummy instead of a OIDplusAuthContentStoreSession |
| - | 67 | // if the argument "batch_ajax_unlock_key" exists. Therefore, the user session will be ignored and not modified. |
|
| 57 | OIDplus::authUtils()->raLogin($input['batch_login_username']); |
68 | OIDplus::authUtils()->raLogin($input['batch_login_username']); |
| 58 | $this->autoLoginList[] = $input['batch_login_username']; |
69 | $this->autoLoginList[] = $input['batch_login_username']; |
| 59 | register_shutdown_function(array($this,'shutdownLogout')); |
70 | register_shutdown_function(array($this,'shutdownLogout')); |
| 60 | } else { |
71 | } else { |
| 61 | throw new OIDplusException(_L('Wrong RA username or password')); |
72 | throw new OIDplusException(_L('Wrong RA username or password')); |
| Line 78... | Line 89... | ||
| 78 | $out['icon'] = 'img/error_big.png'; |
89 | $out['icon'] = 'img/error_big.png'; |
| 79 | $out['text'] = '<p>'._L('You need to <a %1>log in</a> as the requested RA %2 or as admin.',OIDplus::gui()->link('oidplus:login$ra$'.$ra_email),'<b>'.htmlentities($ra_email).'</b>').'</p>'; |
90 | $out['text'] = '<p>'._L('You need to <a %1>log in</a> as the requested RA %2 or as admin.',OIDplus::gui()->link('oidplus:login$ra$'.$ra_email),'<b>'.htmlentities($ra_email).'</b>').'</p>'; |
| 80 | return; |
91 | return; |
| 81 | } |
92 | } |
| 82 | 93 | ||
| - | 94 | $authSimulation = new OIDplusAuthContentStoreJWT(); |
|
| - | 95 | $authSimulation->raLogin($ra_email); |
|
| - | 96 | ||
| 83 | $out['text'] .= '<p>'._L('You can make automated calls to your OIDplus account by calling the AJAX API.').'</p>'; |
97 | $out['text'] .= '<p>'._L('You can make automated calls to your OIDplus account by calling the AJAX API.').'</p>'; |
| 84 | $out['text'] .= '<p>'._L('The URL for the AJAX script is:').':</p>'; |
98 | $out['text'] .= '<p>'._L('The URL for the AJAX script is:').':</p>'; |
| 85 | $out['text'] .= '<p><b>'.OIDplus::webpath(null,false).'ajax.php</b></p>'; |
99 | $out['text'] .= '<p><b>'.OIDplus::webpath(null,false).'ajax.php</b></p>'; |
| 86 | $out['text'] .= '<p>'._L('You must at least provide following fields').':</p>'; |
100 | $out['text'] .= '<p>'._L('You must at least provide following fields').':</p>'; |
| 87 | $out['text'] .= '<p><pre>'; |
101 | $out['text'] .= '<p><pre>'; |
| 88 | $out['text'] .= 'batch_login_username = "'.htmlentities($ra_email).'"'."\n"; |
- | |
| 89 | $out['text'] .= 'batch_login_password = "........."'."\n"; |
- | |
| 90 | $out['text'] .= 'batch_ajax_unlock_key = "'.$this->getUnlockKey($ra_email).'"'."\n"; |
102 | $out['text'] .= 'OIDPLUS_AUTH_JWT = "'.$authSimulation->GetJWTToken().'"'."\n"; |
| 91 | $out['text'] .= '</pre></p>'; |
103 | $out['text'] .= '</pre></p>'; |
| 92 | $out['text'] .= '<p>'._L('Please keep this information confidential!').'</p>'; |
104 | $out['text'] .= '<p>'._L('Please keep this information confidential!').'</p>'; |
| 93 | $out['text'] .= '<p>'._L('The batch-fields will automatically perform a one-time-login to fulfill the request. The other fields are the normal fields which are called during the usual operation of OIDplus.').'</p>'; |
105 | $out['text'] .= '<p>'._L('The JWT-token (secret!) will automatically perform a one-time-login to fulfill the request. The other fields are the normal fields which are called during the usual operation of OIDplus.').'</p>'; |
| 94 | $out['text'] .= '<p>'._L('Currently, there is no documentation for the AJAX calls. However, you can look at the <b>script.js</b> files of the plugins to see the field names being used. You can also enable network analysis in your web browser debugger (F12) to see the request headers sent to the server during the operation of OIDplus.').'</p>'; |
106 | $out['text'] .= '<p>'._L('Currently, there is no documentation for the AJAX calls. However, you can look at the <b>script.js</b> files of the plugins to see the field names being used. You can also enable network analysis in your web browser debugger (F12) to see the request headers sent to the server during the operation of OIDplus.').'</p>'; |
| 95 | 107 | ||
| 96 | $out['text'] .= '<h2>'._L('Example for adding OID 2.999.123 using JavaScript').'</h2>'; |
108 | $out['text'] .= '<h2>'._L('Example for adding OID 2.999.123 using JavaScript').'</h2>'; |
| 97 | $cont = file_get_contents(__DIR__.'/examples/example_js.html'); |
109 | $cont = file_get_contents(__DIR__.'/examples/example_js.html'); |
| 98 | $cont = str_replace('<url>', OIDplus::webpath(null,false).'ajax.php', $cont); |
110 | $cont = str_replace('<url>', OIDplus::webpath(null,false).'ajax.php', $cont); |