Error: $header

$body

HTML; die($html); } $configfile= __DIR__ . '/config.php'; if (file_exists($configfile)) { include_once $configfile; } else { error_page( 'Configuration Error', 'Endpoint not yet configured, visit setup.php for instructions on how to set it up.' ); } // Enable string comparison in constant time. if (!function_exists('hash_equals')) { function hash_equals($known_string, $user_string) { $known_length = strlen($known_string); if ($known_length !== strlen($user_string)) { return false; } $match = 0; for ($i = 0; $i < $known_length; $i++) { $match |= (ord($known_string[$i]) ^ ord($user_string[$i])); } return $match === 0; } } // Signed codes always have an time-to-live, by default 1 year (31536000 seconds). function create_signed_code($key, $message, $ttl = 31536000, $appended_data = '') { $expires = time() + $ttl; $body = $message . $expires . $appended_data; $signature = hash_hmac('sha256', $body, $key); return dechex($expires) . ':' . $signature . ':' . base64_url_encode($appended_data); } function verify_signed_code($key, $message, $code) { $code_parts = explode(':', $code, 3); if (count($code_parts) !== 3) { return false; } $expires = hexdec($code_parts[0]); if (time() > $expires) { return false; } $body = $message . $expires . base64_url_decode($code_parts[2]); $signature = hash_hmac('sha256', $body, $key); return hash_equals($signature, $code_parts[1]); } function verify_password($pass) { $hash_user = trim(preg_replace('/^https?:\/\//', '', USER_URL), '/'); $hash = md5($hash_user . $pass . APP_KEY); return hash_equals(USER_HASH, $hash); } function filter_input_regexp($type, $variable, $regexp, $flags = null) { $options = array( 'options' => array('regexp' => $regexp) ); if ($flags !== null) { $options['flags'] = $flags; } return filter_input( $type, $variable, FILTER_VALIDATE_REGEXP, $options ); } function get_q_value($mime, $accept) { $fulltype = preg_replace('@^([^/]+\/).+$@', '$1*', $mime); $regex = implode( '', array( '/(?<=^|,)\s*(\*\/\*|', preg_quote($fulltype, '/'), '|', preg_quote($mime, '/'), ')\s*(?:[^,]*?;\s*q\s*=\s*([0-9.]+))?\s*(?:,|$)/' ) ); $out = preg_match_all($regex, $accept, $matches); $types = array_combine($matches[1], $matches[2]); if (array_key_exists($mime, $types)) { $q = $types[$mime]; } elseif (array_key_exists($fulltype, $types)) { $q = $types[$fulltype]; } elseif (array_key_exists('*/*', $types)) { $q = $types['*/*']; } else { return 0; } return $q === '' ? 1 : floatval($q); } // URL Safe Base64 per https://tools.ietf.org/html/rfc7515#appendix-C function base64_url_encode($string) { $string = base64_encode(isset($string) ? $string : ""); $string = rtrim($string, '='); $string = strtr($string, '+/', '-_'); return $string; } function base64_url_decode($string) { $string = strtr($string, '-_', '+/'); $padding = strlen($string) % 4; if ($padding !== 0) { $string .= str_repeat('=', 4 - $padding); } $string = base64_decode($string); return $string; } if ((!defined('APP_URL') || APP_URL == '') || (!defined('APP_KEY') || APP_KEY == '') || (!defined('USER_HASH') || USER_HASH == '') || (!defined('USER_URL') || USER_URL == '') ) { error_page( 'Configuration Error', 'Endpoint not configured correctly, visit setup.php for instructions on how to set it up.' ); } // First handle verification of codes. $code = filter_input_regexp(INPUT_POST, 'code', '@^[0-9a-f]+:[0-9a-f]{64}:@'); if ($code !== null) { $redirect_uri = filter_input(INPUT_POST, 'redirect_uri', FILTER_VALIDATE_URL); $client_id = filter_input(INPUT_POST, 'client_id', FILTER_VALIDATE_URL); // Exit if there are errors in the client supplied data. if (!(is_string($code) && is_string($redirect_uri) && is_string($client_id) && verify_signed_code(APP_KEY, USER_URL . $redirect_uri . $client_id, $code)) ) { error_page('Verification Failed', 'Given Code Was Invalid'); } $response = array('me' => USER_URL); $code_parts = explode(':', $code, 3); if ($code_parts[2] !== '') { $response['scope'] = base64_url_decode($code_parts[2]); } // Accept header $accept_header = '*/*'; if (isset($_SERVER['HTTP_ACCEPT']) && strlen($_SERVER['HTTP_ACCEPT']) > 0) { $accept_header = $_SERVER['HTTP_ACCEPT']; } // Find the q value for application/json. $json = get_q_value('application/json', $accept_header); // Find the q value for application/x-www-form-urlencoded. $form = get_q_value('application/x-www-form-urlencoded', $accept_header); // Respond in the correct way. if ($json === 0 && $form === 0) { error_page( 'No Accepted Response Types', 'The client accepts neither JSON nor Form encoded responses.', '406 Not Acceptable' ); } elseif ($json >= $form) { header('Content-Type: application/json'); exit(json_encode($response)); } else { header('Content-Type: application/x-www-form-urlencoded'); exit(http_build_query($response)); } } // If this is not verification, collect all the client supplied data. Exit on errors. $me = filter_input(INPUT_GET, 'me', FILTER_VALIDATE_URL); $client_id = filter_input(INPUT_GET, 'client_id', FILTER_VALIDATE_URL); $redirect_uri = filter_input(INPUT_GET, 'redirect_uri', FILTER_VALIDATE_URL); $state = filter_input_regexp(INPUT_GET, 'state', '@^[\x20-\x7E]*$@'); $response_type = filter_input_regexp(INPUT_GET, 'response_type', '@^(id|code)?$@'); $scope = filter_input_regexp(INPUT_GET, 'scope', '@^([\x21\x23-\x5B\x5D-\x7E]+( [\x21\x23-\x5B\x5D-\x7E]+)*)?$@'); if (!is_string($client_id)) { // client_id is either omitted or not a valid URL. error_page( 'Faulty Request', 'There was an error with the request. The "client_id" field is invalid.' ); } if (!is_string($redirect_uri)) { // redirect_uri is either omitted or not a valid URL. error_page( 'Faulty Request', 'There was an error with the request. The "redirect_uri" field is invalid.' ); } if ($state === false) { // state contains invalid characters. error_page( 'Faulty Request', 'There was an error with the request. The "state" field contains invalid data.' ); } if ($response_type === false) { // response_type is given as something other than id or code. error_page( 'Faulty Request', 'There was an error with the request. The "response_type" field must be "code".' ); } if ($scope === false) { // scope contains invalid characters. error_page( 'Faulty Request', 'There was an error with the request. The "scope" field contains invalid data.' ); } if ($scope === '') { // scope is left empty. // Treat empty parameters as if omitted. $scope = null; } // If the user submitted a password, get ready to redirect back to the callback. $pass_input = filter_input(INPUT_POST, 'password', FILTER_UNSAFE_RAW); if ($pass_input !== null) { $csrf_code = filter_input(INPUT_POST, '_csrf', FILTER_UNSAFE_RAW); // Exit if the CSRF does not verify. if ($csrf_code === null || !verify_signed_code(APP_KEY, $client_id . $redirect_uri . $state, $csrf_code)) { error_page( 'Invalid CSF Code', 'Usually this means you took too long to log in. Please try again.' ); } // Exit if the password does not verify. if (!verify_password($pass_input)) { // Optional logging for failed logins. // // Enabling this on shared hosting may not be a good idea if syslog // isn't private and accessible. Enable with caution. if (function_exists('syslog') && defined('SYSLOG_FAILURE') && SYSLOG_FAILURE === 'I understand') { syslog(LOG_CRIT, sprintf( 'IndieAuth: login failure from %s for %s', $_SERVER['REMOTE_ADDR'], $me )); } error_page('Login Failed', 'Invalid password.'); } $scope = filter_input_regexp(INPUT_POST, 'scopes', '@^[\x21\x23-\x5B\x5D-\x7E]+$@', FILTER_REQUIRE_ARRAY); // Scopes are defined. if ($scope !== null) { // Exit if the scopes ended up with illegal characters or were not supplied as array. if ($scope === false || in_array(false, $scope, true)) { error_page('Invalid Scopes', 'The scopes provided contained illegal characters.'); } // Turn scopes into a single string again. $scope = implode(' ', $scope); } $code = create_signed_code(APP_KEY, USER_URL . $redirect_uri . $client_id, 5 * 60, $scope); $final_redir = $redirect_uri; if (strpos($redirect_uri, '?') === false) { $final_redir .= '?'; } else { $final_redir .= '&'; } $parameters = array( 'code' => $code, 'me' => USER_URL ); if ($state !== null) { $parameters['state'] = $state; } $final_redir .= http_build_query($parameters); // Optional logging for successful logins. // // Enabling this on shared hosting may not be a good idea if syslog // isn't private and accessible. Enable with caution. if (function_exists('syslog') && defined('SYSLOG_SUCCESS') && SYSLOG_SUCCESS === 'I understand') { syslog(LOG_INFO, sprintf( 'IndieAuth: login from %s for %s', $_SERVER['REMOTE_ADDR'], $me )); } // Redirect back. header('Location: ' . $final_redir, true, 302); exit(); } // If neither password nor a code was submitted, we need to ask the user to authenticate. $csrf_code = create_signed_code(APP_KEY, $client_id . $redirect_uri . $state, 2 * 60); ?> Login

Error: $header

Authenticate