diff --git a/actions/openidlogin.php b/actions/openidlogin.php index 9b0b1793ca..fa04d45765 100644 --- a/actions/openidlogin.php +++ b/actions/openidlogin.php @@ -28,7 +28,10 @@ class OpenidloginAction extends Action { if (common_logged_in()) { common_user_error(_t('Already logged in.')); } else if ($_SERVER['REQUEST_METHOD'] == 'POST') { - $this->start_openid_login(); + $result = oid_authenticate($this->trimmed('openid_url'), 'finishopenidlogin'); + if (is_string($result)) { # error message + $this->show_form($result); + } } else { $this->show_form(); } @@ -50,88 +53,4 @@ class OpenidloginAction extends Action { common_element_end('form'); common_show_footer(); } - - function start_openid_login() { - # XXX: form token in $_SESSION to prevent XSS - # XXX: login throttle - $openid_url = $this->trimmed('openid_url'); - - $consumer = oid_consumer(); - - if (!$consumer) { - common_server_error(_t('Cannot instantiate OpenID consumer object.')); - return; - } - - common_ensure_session(); - - $auth_request = $consumer->begin($openid_url); - - // Handle failure status return values. - if (!$auth_request) { - $this->show_form(_t('Not a valid OpenID.')); - return; - } else if (Auth_OpenID::isFailure($auth_request)) { - $this->show_form(_t('OpenID failure: ') . $auth_request->message); - return; - } - - $sreg_request = Auth_OpenID_SRegRequest::build(// Required - array(), - // Optional - array('nickname', - 'email', - 'fullname', - 'language', - 'timezone', - 'postcode', - 'country')); - - if ($sreg_request) { - $auth_request->addExtension($sreg_request); - } - - $trust_root = common_root_url(); - $process_url = common_local_url('finishopenidlogin'); - - if ($auth_request->shouldSendRedirect()) { - $redirect_url = $auth_request->redirectURL($trust_root, - $process_url); - if (!$redirect_url) { - } else if (Auth_OpenID::isFailure($redirect_url)) { - $this->show_form(_t('Could not redirect to server: ') . $redirect_url->message); - return; - } else { - common_redirect($redirect_url); - } - } else { - // Generate form markup and render it. - $form_id = 'openid_message'; - $form_html = $auth_request->formMarkup($trust_root, $process_url, - false, array('id' => $form_id)); - - # XXX: This is cheap, but things choke if we don't escape ampersands - # in the HTML attributes - - $form_html = preg_replace('/&/', '&', $form_html); - - // Display an error if the form markup couldn't be generated; - // otherwise, render the HTML. - if (Auth_OpenID::isFailure($form_html)) { - $this->show_form(_t('Could not create OpenID form: ') . $form_html->message); - } else { - common_show_header(_t('OpenID Auto-Submit')); - common_element('p', 'instructions', - _t('This form should automatically submit itself. '. - 'If not, click the submit button to go to your '. - 'OpenID provider.')); - common_raw($form_html); - common_element('script', NULL, - '$(document).ready(function() { ' . - ' $("#'. $form_id .'").submit(); '. - '});'); - common_show_footer(); - } - } - } } diff --git a/actions/openidsettings.php b/actions/openidsettings.php index c918cc27e6..d4ec8a8cd6 100644 --- a/actions/openidsettings.php +++ b/actions/openidsettings.php @@ -80,7 +80,10 @@ class OpenidsettingsAction extends SettingsAction { function handle_post() { if ($this->arg('add')) { - $this->add_openid(); + $result = oid_authenticate($this->trimmed('openid_url'), 'finishaddopenid'); + if (is_string($result)) { # error message + $this->show_form($result); + } } else if ($this->arg('remove')) { $this->remove_openid(); } else { @@ -105,87 +108,4 @@ class OpenidsettingsAction extends SettingsAction { $this->show_form(_t('OpenID removed.', true)); return; } - - function add_openid() { - - $openid_url = $this->trimmed('openid_url'); - - $consumer = oid_consumer(); - - if (!$consumer) { - common_server_error(_t('Cannot instantiate OpenID consumer object.')); - return; - } - - common_ensure_session(); - - $auth_request = $consumer->begin($openid_url); - - // Handle failure status return values. - if (!$auth_request) { - $this->show_form(_t('Not a valid OpenID.')); - return; - } else if (Auth_OpenID::isFailure($auth_request)) { - $this->show_form(_t('OpenID failure: ') . $auth_request->message); - return; - } - - $sreg_request = Auth_OpenID_SRegRequest::build(// Required - array(), - // Optional - array('nickname', - 'email', - 'fullname', - 'language', - 'timezone', - 'postcode', - 'country')); - - if ($sreg_request) { - $auth_request->addExtension($sreg_request); - } - - $trust_root = common_root_url(); - $process_url = common_local_url('finishaddopenid'); - - if ($auth_request->shouldSendRedirect()) { - $redirect_url = $auth_request->redirectURL($trust_root, - $process_url); - if (!$redirect_url) { - } else if (Auth_OpenID::isFailure($redirect_url)) { - $this->show_form(_t('Could not redirect to server: ') . $redirect_url->message); - return; - } else { - common_redirect($redirect_url); - } - } else { - // Generate form markup and render it. - $form_id = 'openid_message'; - $form_html = $auth_request->formMarkup($trust_root, $process_url, - false, array('id' => $form_id)); - - # XXX: This is cheap, but things choke if we don't escape ampersands - # in the HTML attributes - - $form_html = preg_replace('/&/', '&', $form_html); - - // Display an error if the form markup couldn't be generated; - // otherwise, render the HTML. - if (Auth_OpenID::isFailure($form_html)) { - $this->show_form(_t('Could not create OpenID form: ') . $form_html->message); - } else { - common_show_header(_t('OpenID Auto-Submit')); - common_element('p', 'instructions', - _t('This form should automatically submit itself. '. - 'If not, click the submit button to go to your '. - 'OpenID provider.')); - common_raw($form_html); - common_element('script', NULL, - '$(document).ready(function() { ' . - ' $("#'. $form_id .'").submit(); '. - '});'); - common_show_footer(); - } - } - } } \ No newline at end of file diff --git a/lib/openid.php b/lib/openid.php index c41b3424cd..c280415547 100644 --- a/lib/openid.php +++ b/lib/openid.php @@ -59,3 +59,82 @@ function oid_link_user($id, $canonical, $display) { return true; } + +function oid_authenticate($openid_url, $returnto) { + + $consumer = oid_consumer(); + + if (!$consumer) { + common_server_error(_t('Cannot instantiate OpenID consumer object.')); + return false; + } + + common_ensure_session(); + + $auth_request = $consumer->begin($openid_url); + + // Handle failure status return values. + if (!$auth_request) { + return _t('Not a valid OpenID.'); + } else if (Auth_OpenID::isFailure($auth_request)) { + return _t('OpenID failure: ') . $auth_request->message; + } + + $sreg_request = Auth_OpenID_SRegRequest::build(// Required + array(), + // Optional + array('nickname', + 'email', + 'fullname', + 'language', + 'timezone', + 'postcode', + 'country')); + + if ($sreg_request) { + $auth_request->addExtension($sreg_request); + } + + $trust_root = common_root_url(); + $process_url = common_local_url($returnto); + + if ($auth_request->shouldSendRedirect()) { + $redirect_url = $auth_request->redirectURL($trust_root, + $process_url); + if (!$redirect_url) { + } else if (Auth_OpenID::isFailure($redirect_url)) { + return _t('Could not redirect to server: ') . $redirect_url->message; + } else { + common_redirect($redirect_url); + } + } else { + // Generate form markup and render it. + $form_id = 'openid_message'; + $form_html = $auth_request->formMarkup($trust_root, $process_url, + false, array('id' => $form_id)); + + # XXX: This is cheap, but things choke if we don't escape ampersands + # in the HTML attributes + + $form_html = preg_replace('/&/', '&', $form_html); + + // Display an error if the form markup couldn't be generated; + // otherwise, render the HTML. + if (Auth_OpenID::isFailure($form_html)) { + $this->show_form(_t('Could not create OpenID form: ') . $form_html->message); + } else { + common_show_header(_t('OpenID Auto-Submit')); + common_element('p', 'instructions', + _t('This form should automatically submit itself. '. + 'If not, click the submit button to go to your '. + 'OpenID provider.')); + common_raw($form_html); + common_element('script', NULL, + '$(document).ready(function() { ' . + ' $("#'. $form_id .'").submit(); '. + '});'); + common_show_footer(); + } + } + } +} \ No newline at end of file