Support for tokens in multipart file upload using API.

airtime_mvc/application/modules/rest/controllers/MediaController.php

@@ -129,6 +129,15 @@ class Rest_MediaController extends Zend_Rest_Controller
     
     public function postAction()
     {
+        /*  If the user presents a valid API key, we don't check CSRF tokens.  
+            CSRF tokens are only used for session based authentication.
+        */
+        if(!$this->verifyAPIKey()){
+            if(!$this->verifyCSRFToken($this->_getParam('csrf_token'))){
+                return;
+            }
+        }
+
         if (!$this->verifyAuth(true, true))
         {
             return;
@@ -295,6 +304,21 @@ class Rest_MediaController extends Zend_Rest_Controller
         return $id;
     }
 
+    private function verifyCSRFToken($token){
+        $current_namespace = new Zend_Session_Namespace('csrf_namespace');
+        $observed_csrf_token = $token;
+        $expected_csrf_token = $current_namespace->authtoken;
+
+        if($observed_csrf_token == $expected_csrf_token){
+            return true;
+        }else{
+            $resp = $this->getResponse();
+            $resp->setHttpResponseCode(401);
+            $resp->appendBody("ERROR: Token Missmatch."); 
+            return false;
+        }
+    }
+    
     private function verifyAuth($checkApiKey, $checkSession)
     {
         //Session takes precedence over API key for now: