From c02ed026f4a334c327cd5be59dc83f4f05f22b57 Mon Sep 17 00:00:00 2001
From: Robert Elder
Date: Fri, 24 Oct 2014 03:57:35 +0000
Subject: [PATCH] Support for tokens in multipart file upload using API.
---
 .../rest/controllers/MediaController.php | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/airtime_mvc/application/modules/rest/controllers/MediaController.php b/airtime_mvc/application/modules/rest/controllers/MediaController.php
index dd0497745..1483de816 100644
--- a/airtime_mvc/application/modules/rest/controllers/MediaController.php
+++ b/airtime_mvc/application/modules/rest/controllers/MediaController.php
@@ -129,6 +129,15 @@ class Rest_MediaController extends Zend_Rest_Controller
 public function postAction()
 {
+ /* If the user presents a valid API key, we don't check CSRF tokens. CSRF tokens are only used for session based authentication. */
+ if(!$this->verifyAPIKey()){
+ if(!$this->verifyCSRFToken($this->_getParam('csrf_token'))){
+ return;
+ }
+ }
+
 if (!$this->verifyAuth(true, true))
 {
 return;
@@ -294,6 +303,21 @@ class Rest_MediaController extends Zend_Rest_Controller
 }
 return $id;
 }
+
+ private function verifyCSRFToken($token){
+ $current_namespace = new Zend_Session_Namespace('csrf_namespace');
+ $observed_csrf_token = $token;
+ $expected_csrf_token = $current_namespace->authtoken;
+
+ if($observed_csrf_token == $expected_csrf_token){
+ return true;
+ }else{
+ $resp = $this->getResponse();
+ $resp->setHttpResponseCode(401);
+ $resp->appendBody("ERROR: Token Missmatch.");
+ return false;
+ }
+ }
 private function verifyAuth($checkApiKey, $checkSession)
 {
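Review bot: verifyAPIKey() is called at the top of postAction and then again inside verifyAuth(true, true) a few lines later, so every session-authenticated upload performs the key check twice, and if verifyAPIKey() writes an error body to the response when it fails (its definition is not in this hunk) that text would be appended even though the CSRF token is then accepted; worth confirming against its implementation. The nested ifs collapse to a single guard, `if (!$this->verifyAPIKey() && !$this->verifyCSRFToken($this->_getParam('csrf_token'))) { return; }`. The gate covers postAction only; if the controller's other mutating actions (Zend_Rest_Controller also routes put and delete) accept session authentication, they need the same check or the CSRF protection is incomplete. postAction's body continues past the end of the hunk.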
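Review bot: The comparison in verifyCSRFToken uses `==`, so a request that omits csrf_token passes whenever the session has no authtoken yet (`null == null` is true), and two real strings are compared under PHP's loose numeric-string rules (`"1e3" == "1000"` holds) rather than constant-time. Replace the condition with `if (is_string($observed_csrf_token) && is_string($expected_csrf_token) && hash_equals($expected_csrf_token, $observed_csrf_token)) {`; hash_equals requires PHP 5.6, so on an older target keep the type guards and use `===`. A mismatch for an otherwise authenticated session is an authorization failure, so 403 is the more accurate status than 401, and the message has a typo ("Missmatch"). The `$observed_csrf_token = $token;` alias adds nothing and can be dropped. verifyAuth's signature is the last line of the hunk and its body lies outside it.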