Support for tokens in multipart file upload using API.

2014-10-24 03:57:35 +00:00 · 2014-10-24 03:57:35 +00:00 · c02ed026f4
parent aec189089a
commit c02ed026f4
1 changed files with 24 additions and 0 deletions
--- a/airtime_mvc/application/modules/rest/controllers/MediaController.php
+++ b/airtime_mvc/application/modules/rest/controllers/MediaController.php
@ -129,6 +129,15 @@ class Rest_MediaController extends Zend_Rest_Controller
    
    public function postAction()
    {
+        /*  If the user presents a valid API key, we don't check CSRF tokens.  
+            CSRF tokens are only used for session based authentication.
+        */
+        if(!$this->verifyAPIKey()){
+            if(!$this->verifyCSRFToken($this->_getParam('csrf_token'))){
+                return;
+            }
+        }
+
        if (!$this->verifyAuth(true, true))
        {
            return;
@ -294,6 +303,21 @@ class Rest_MediaController extends Zend_Rest_Controller
        } 
        return $id;
    }
+
+    private function verifyCSRFToken($token){
+        $current_namespace = new Zend_Session_Namespace('csrf_namespace');
+        $observed_csrf_token = $token;
+        $expected_csrf_token = $current_namespace->authtoken;
+
+        if($observed_csrf_token == $expected_csrf_token){
+            return true;
+        }else{
+            $resp = $this->getResponse();
+            $resp->setHttpResponseCode(401);
+            $resp->appendBody("ERROR: Token Missmatch."); 
+            return false;
+        }
+    }
    
    private function verifyAuth($checkApiKey, $checkSession)
    {