Merge pull request #8381 from annando/Invalid-consumer-key

API: Only perform OAuth when no login data are provided
2020-03-09 01:23:36 -04:00 · 2020-03-09 01:23:36 -04:00 · d89f90e80e
parent 02027fff13 bcf9430822
commit d89f90e80e
1 changed files with 18 additions and 17 deletions
--- a/include/api.php
+++ b/include/api.php
@ -186,6 +186,18 @@ function api_register_func($path, $func, $auth = false, $method = API_METHOD_ANY
 */
 function api_login(App $a)
 {
+	// workaround for HTTP-auth in CGI mode
+	if (!empty($_SERVER['REDIRECT_REMOTE_USER'])) {
+		$userpass = base64_decode(substr($_SERVER["REDIRECT_REMOTE_USER"], 6));
+		if (strlen($userpass)) {
+			list($name, $password) = explode(':', $userpass);
+			$_SERVER['PHP_AUTH_USER'] = $name;
+			$_SERVER['PHP_AUTH_PW'] = $password;
+		}
+	}
+
+	if (empty($_SERVER['PHP_AUTH_USER'])) {
+		// Try OAuth when no user is provided
 		$oauth1 = new FKOAuth1();
 		// login with oauth
 		try {
@ -200,20 +212,9 @@ function api_login(App $a)
 			var_dump($consumer, $token);
 			die();
 		} catch (Exception $e) {
-		Logger::warning(API_LOG_PREFIX . 'error', ['module' => 'api', 'action' => 'login', 'exception' => $e->getMessage()]);
+			Logger::warning(API_LOG_PREFIX . 'OAuth error', ['module' => 'api', 'action' => 'login', 'exception' => $e->getMessage()]);
 		}

-	// workaround for HTTP-auth in CGI mode
-	if (!empty($_SERVER['REDIRECT_REMOTE_USER'])) {
-		$userpass = base64_decode(substr($_SERVER["REDIRECT_REMOTE_USER"], 6));
-		if (strlen($userpass)) {
-			list($name, $password) = explode(':', $userpass);
-			$_SERVER['PHP_AUTH_USER'] = $name;
-			$_SERVER['PHP_AUTH_PW'] = $password;
-		}
-	}
-
-	if (empty($_SERVER['PHP_AUTH_USER'])) {
 		Logger::debug(API_LOG_PREFIX . 'failed', ['module' => 'api', 'action' => 'login', 'parameters' => $_SERVER]);
 		header('WWW-Authenticate: Basic realm="Friendica"');
 		throw new UnauthorizedException("This API requires login");