[OSM-dev] API suggestion - "authorise"?
Lambertus
osm at na1400.info
Sat Nov 17 12:13:00 GMT 2007
As TomH said earlier, the forum also uses the API for authentication (only
for about a week now, though). I have not heard of anyone complaining about
security or even mentioning it. In fact I was urged to implement this. Note
that the forum is running on an external site even though it uses an OSM
subdomain, so it compares to your situation.
As a sidenote, I agree that using plain HTTP for authentication is not very
secure. But common sense dictates the use of different passwords for every
account, so in case the OSM authentication request gets intercepted it won't
do much harm.
Below is the PHP code that performs the authentication, maybe it is of use
to you (heavily modified example code, so don't look at the aesthetics):
function my_get_url($user, $pass, $url) {
    $url_info = parse_url($url);
    if (isset($url_info['scheme']) && $url_info['scheme'] == 'https') {
        $port = 443;
        @$fp = fsockopen('ssl://'.$url_info['host'], $port, $errno, $errstr, 10);
    } else {
        $port = isset($url_info['port']) ? $url_info['port'] : 80;
        @$fp = fsockopen($url_info['host'], $port, $errno, $errstr, 10);
    }
    if ($fp) {
        stream_set_timeout($fp, 10);
        // Absolute URL in the request line; the parsed host goes in the Host header
        $urlString = "GET $url HTTP/1.0\r\nHost: ".$url_info['host']."\r\n";
        if ($user) {
            // HTTP Basic auth: base64 of "user:pass" (encoded, not encrypted)
            $urlString .= "Authorization: Basic ".base64_encode("$user:$pass")."\r\n";
            // Non-standard header that repeats the credentials unencoded
            $urlString .= "Credentials: ".$user.":".$pass."\r\n";
        }
        $urlString .= "\r\n";
        fputs($fp, $urlString);
        $headers = array('body' => '');
        $bBody = false;
        while (!feof($fp)) {
            if ($header = trim(fgets($fp, 1024))) {
                // Lines are treated as headers until the first line containing '<',
                // which is taken as the start of the XML body
                $sc_pos = strpos($header, '<');
                if ($sc_pos === false && $bBody == false) {
                    $sc_pos = strpos($header, ':');
                    if ($sc_pos === false) {
                        $headers['status'] = $header; // e.g. "HTTP/1.0 200 OK"
                    } else {
                        $label = substr($header, 0, $sc_pos);
                        $value = substr($header, $sc_pos + 1);
                        $headers[strtolower($label)] = trim($value);
                    }
                } else {
                    $headers['body'] .= $header;
                    $bBody = true;
                }
            }
        }
        fclose($fp);
        return $headers;
    } else {
        return false;
    }
}
$action = isset($_GET['action']) ? $_GET['action'] : null;
if (isset($_POST['form_sent']) && $action == 'in')
{
    // Login attempt
    $form_username = trim($_POST['req_username']);
    $form_password = trim($_POST['req_password']);
    // This could result in either an SHA-1 or an MD5 hash (depends on $sha1_available)
    $form_password_hash = pun_hash($form_password);
    print "Checking your identity against OpenStreetMap userbase. Please wait for the server to complete the process....";

    // The credentials are also embedded in the URL; my_get_url() sends them in the Authorization header
    $authURL = sprintf("http://%s:%s@api.openstreetmap.org/api/0.5/user/details", urlencode($form_username), urlencode($form_password));
    $header = my_get_url($form_username, $form_password, $authURL);
    if ($header && $header['status'] == 'HTTP/1.0 200 OK') {
        // Pull the display_name attribute out of the XML body
        $sc_pos = strpos($header['body'], 'display_name="');
        if ($sc_pos > 0) {
            $sc_pos += 14; // strlen('display_name="')
            $sc_end = strpos($header['body'], '"', $sc_pos);
            $username = substr($header['body'], $sc_pos, $sc_end - $sc_pos);
            if (strlen($username) == 0)
                message('A problem was encountered: The display name cannot be empty. Please set up your <a href="http://forum.openstreetmap.org/viewtopic.php?pid=1087">\'Display name\'</a>, which you can find on the \'My Settings\' page on the OpenStreetMap main page.');
        } else
            message('A problem was encountered: Could not look up the Display name in the authentication response. Please try again');

        // Does the user exist already?
        $username_sql = ($db_type == 'mysql' || $db_type == 'mysqli') ? 'username=\''.$db->escape($username).'\'' : 'LOWER(username)=LOWER(\''.$db->escape($username).'\')';
        $result = $db->query('SELECT id, group_id FROM '.$db->prefix.'users WHERE '.$username_sql) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());
        list($user_id, $group_id) = $db->fetch_row($result);
        if (!$user_id) {
            // Create the user
            $intial_group_id = ($pun_config['o_regs_verify'] == '0') ? $pun_config['o_default_user_group'] : PUN_UNVERIFIED;
            $email1 = "";
            $email_setting = 1;
            $save_pass = 0;
            $timezone = 0;
            $language = $pun_config['o_default_lang'];
            $now = time();
            $sql = 'INSERT INTO '.$db->prefix.'users (username, group_id, password, email, email_setting, save_pass, timezone, language, style, registered, registration_ip, last_visit) VALUES(\''.$db->escape($username).'\', '.$intial_group_id.', \''.$form_password_hash.'\', \''.$email1.'\', '.$email_setting.', '.$save_pass.', '.$timezone.', \''.$db->escape($language).'\', \''.$pun_config['o_default_style'].'\', '.$now.', \''.get_remote_address().'\', '.$now.')';
            $db->query($sql) or error('Unable to create user', __FILE__, __LINE__, $db->error());
            $user_id = $db->insert_id();
        }
        $authorized = true;
    } else {
        // remote auth failed. Fail totally (returning NULL would let Phorum do the auth locally)
        $authorized = false;
    }
    // At this point you know if you're authorized or not
}
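The exchange the forum code performs against /api/0.5/user/details, and a parser for the API's answer, as an added example in Python that is not part of the original post or of the forum's own code. It builds the GET request with the same "Authorization: Basic" header the PHP above sends, shows what a passive listener on a plain-HTTP path recovers from that header (base64 decodes; it is not encryption), reads display_name with an XML parser rather than a fixed 14-byte offset (so a name containing &amp; comes back as &), and checks the numeric status instead of the literal string 'HTTP/1.0 200 OK', which also covers an HTTP/1.1 status line. The API host is replaced by a constructed stand-in (fake_osm_server, with made-up accounts) so it runs offline; the response shape <osm><user display_name="..."/></osm> is assumed from what the PHP searches for, and the real response carries more elements and attributes.

```python
"""Added example, not code from the original post or the forum.
Wire-level view of the forum's OSM login and a parser for the response.
All accounts, names and server replies below are constructed."""
import base64
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

API_HOST = "api.openstreetmap.org"
API_PATH = "/api/0.5/user/details"


def build_request(user, password, host=API_HOST, path=API_PATH):
    """GET with HTTP Basic auth, as the forum's my_get_url() sends it
    (without the extra non-standard 'Credentials:' header)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    request = (
        f"GET {path} HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        f"Authorization: Basic {token}\r\n"
        "\r\n"
    )
    return request.encode("utf-8")


def credentials_from_request(raw):
    """What anyone on the path sees in a plain-HTTP request: the Basic
    token is base64(user:password) and decodes straight back to the password."""
    for line in raw.split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):
            token = line.split(b" ", 2)[2]
            user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
            return user, password
    return None


def parse_response(raw):
    """Split a raw HTTP response at the blank line that ends the header block
    (instead of guessing where the body starts from a '<') and return
    (status_code, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP response: header block not terminated")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_parts = lines[0].split(" ", 2)  # e.g. ['HTTP/1.1', '200', 'OK']
    if len(status_parts) < 2 or not status_parts[0].startswith("HTTP/"):
        raise ValueError("bad status line: %r" % lines[0])
    status_code = int(status_parts[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_code, headers, body


def display_name_from_details(body):
    """Read display_name from <osm><user display_name="..."/></osm> (assumed
    shape) with a real XML parser, so entities such as &amp; are decoded.
    Returns None when the attribute is missing or empty."""
    root = ET.fromstring(body)
    user = root.find("user")
    if user is None:
        return None
    return user.get("display_name") or None


# Constructed stand-in for the API host so the example runs offline.
# Passwords and display names here are made up for this example.
FAKE_ACCOUNTS = {
    "alice": ("s3cret", "alice_maps"),
    "bob": ("hunter2", "bob & co"),
}


def fake_osm_server(raw_request):
    """Answer the way the API is expected to: 200 with user details for valid
    Basic credentials, 401 otherwise (constructed responses)."""
    creds = credentials_from_request(raw_request)
    if creds is not None and creds[0] in FAKE_ACCOUNTS and FAKE_ACCOUNTS[creds[0]][0] == creds[1]:
        name = escape(FAKE_ACCOUNTS[creds[0]][1], {'"': "&quot;"})
        body = (
            '<?xml version="1.0" encoding="UTF-8"?>\n'
            '<osm version="0.5" generator="OpenStreetMap server">'
            f'<user display_name="{name}" account_created="2007-01-01T00:00:00+00:00"/>'
            '</osm>'
        ).encode("utf-8")
        head = f"HTTP/1.1 200 OK\r\nContent-Type: text/xml; charset=utf-8\r\nContent-Length: {len(body)}\r\n\r\n"
        return head.encode("ascii") + body
    return b'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="example"\r\n\r\n'


def authenticate(user, password, send=fake_osm_server):
    """The forum's decision: display name on success, None on anything else.
    `send` takes the raw request bytes and returns the raw response bytes."""
    status, _headers, body = parse_response(send(build_request(user, password)))
    if status != 200:
        return None
    return display_name_from_details(body)


if __name__ == "__main__":
    req = build_request("alice", "s3cret")
    print("recovered from the wire:", credentials_from_request(req))
    print("alice ->", authenticate("alice", "s3cret"))
    print("bob   ->", authenticate("bob", "hunter2"))
    print("bad   ->", authenticate("alice", "wrong"))
```

To point it at the live API, replace the `send` callable with something that opens the connection (over TLS, given what the request carries) and returns the raw response; the parsing and decision logic stay the same.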