- added support so that the client secret is validated - supported encryption of the client secret - updated password grant - removed need for user_roles
1 parent
46d9fc3
commit 5384f4e
Showing
16 changed files
with
370 additions
and
213 deletions.
@@ -10,19 +10,19 @@ | |
* @author Brady Miller <[email protected]> | ||
* @copyright Copyright (c) 2018 Matthew Vita <[email protected]> | ||
* @copyright Copyright (c) 2020 Jerry Padgett <[email protected]> | ||
* @copyright Copyright (c) 2019 Brady Miller <[email protected]> | ||
* @copyright Copyright (c) 2019-2020 Brady Miller <[email protected]> | ||
* @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3 | ||
*/ | ||
|
||
require_once("./../_rest_config.php"); | ||
|
||
use OpenEMR\Common\Auth\UuidUserAccount; | ||
use OpenEMR\Common\Csrf\CsrfUtils; | ||
use OpenEMR\Common\Http\HttpRestRouteHandler; | ||
use OpenEMR\Events\RestApiExtend\RestApiCreateEvent; | ||
use Psr\Http\Message\ResponseInterface; | ||
|
||
$gbl = RestConfig::GetInstance(); | ||
$base_path = $gbl::$ROOT_URL; | ||
$routes = array(); | ||
|
||
// Parse needed information from Redirect or REQUEST_URI | ||
|
@@ -47,25 +47,16 @@ | |
// collect token attributes | ||
$attributes = $tokenRaw->getAttributes(); | ||
|
||
// collect site and user role | ||
// collect site | ||
$site = ''; | ||
$userRole = ''; | ||
$scopes = $attributes['oauth_scopes']; | ||
foreach ($scopes as $attr) { | ||
if (stripos($attr, 'site:') !== false) { | ||
$site = str_replace('site:', '', $attr); | ||
// while here parse site from endpoint | ||
$resource = str_replace('/' . $site, '', $resource); | ||
} else if (stripos($attr, 'user_role:') !== false) { | ||
$userRole = str_replace('user_role:', '', $attr); | ||
} | ||
} | ||
// ensure user_role in access token | ||
if (empty($userRole)) { | ||
error_log("OpenEMR Error - api user role not available, so forced exit"); | ||
http_response_code(400); | ||
exit(); | ||
} | ||
// ensure 1) sane site 2) site from gbl and access token are the same and 3) ensure the site exists on filesystem | ||
if (empty($site) || empty($gbl::$SITE) || preg_match('/[^A-Za-z0-9\\-.]/', $gbl::$SITE) || ($site !== $gbl::$SITE) || !file_exists(__DIR__ . '/../sites/' . $gbl::$SITE)) { | ||
error_log("OpenEMR Error - api site error, so forced exit"); | ||
|
@@ -120,6 +111,30 @@ | |
exit(); | ||
} | ||
} else { | ||
// authenticate the token | ||
if (!$gbl->authenticateUserToken($tokenId, $userId)) { | ||
$gbl::destroySession(); | ||
http_response_code(401); | ||
exit(); | ||
} | ||
// collect user information and user role | ||
$uuidToUser = new UuidUserAccount($userId); | ||
$user = $uuidToUser->getUserAccount(); | ||
$userRole = $uuidToUser->getUserRole(); | ||
if (empty($user)) { | ||
// unable to identify the users user role | ||
error_log("OpenEMR Error - api user account could not be identified, so forced exit"); | ||
$gbl::destroySession(); | ||
http_response_code(400); | ||
exit(); | ||
} | ||
if (empty($userRole)) { | ||
// unable to identify the users user role | ||
error_log("OpenEMR Error - api user role for user could not be identified, so forced exit"); | ||
$gbl::destroySession(); | ||
http_response_code(400); | ||
exit(); | ||
} | ||
// ensure user role has access to the resource | ||
// for now assuming: | ||
// users has access to oemr and fhir | ||
|
@@ -134,14 +149,7 @@ | |
http_response_code(401); | ||
exit(); | ||
} | ||
// authenticate the token | ||
if (!$gbl->authenticateUserToken($tokenId, $userId, $userRole)) { | ||
$gbl::destroySession(); | ||
http_response_code(401); | ||
exit(); | ||
} | ||
// collect user information and then set pertinent session variables | ||
$user = $gbl->getUserAccount($userId, $userRole); | ||
// set pertinent session variables | ||
if ($userRole == 'users') { | ||
$_SESSION['authUser'] = $user["username"] ?? null; | ||
$_SESSION['authUserID'] = $user["id"] ?? null; | ||
|