1 | <?php |
2 | |
3 | use MediaWiki\Request\WebRequest; |
4 | |
/**
 * Session provider that authenticates REST API requests from an Authorization header.
 *
 * The header must carry the `CentralAuthToken` scheme followed by a token that was
 * previously set up by ApiCentralAuthToken; this class only extracts the token,
 * the check against the existing token is done by CentralAuthTokenSessionProvider.
 * If the header is present but invalid, a bogus SessionInfo is returned to prevent
 * other SessionProviders from establishing a session.
 *
 * @see \MediaWiki\Extension\CentralAuth\Api\ApiCentralAuthToken
 */
class CentralAuthHeaderSessionProvider extends CentralAuthTokenSessionProvider {

	/**
	 * Pull the token out of the request's Authorization header.
	 *
	 * Accepts `CentralAuthToken <token>` where the scheme is matched
	 * case-insensitively and the token is a run of word characters (`\w`).
	 * The pattern is not end-anchored, so anything following the token is ignored.
	 *
	 * NOTE(review): MediaWiki's WebRequest::getHeader() reports an absent header
	 * as false rather than null, so the null guard below presumably never fires;
	 * preg_match() against false simply fails to match, so the result is still null.
	 *
	 * @inheritDoc
	 * @param WebRequest $request
	 * @return string|null The token, or null when no parseable header was sent
	 */
	protected function getTokenFromRequest( WebRequest $request ) {
		$header = $request->getHeader( 'Authorization' );
		if ( $header === null ) {
			return null;
		}

		// preg_match() yields 0 on no match and false on a PCRE error; both mean "no token".
		$matched = preg_match( '/^CentralAuthToken\s+(\w+)/is', $header, $parts );

		return $matched ? $parts[1] : null;
	}

	/**
	 * A browser does not attach an Authorization header to a cross-site request on
	 * its own, which is why a session established from this header counts as safe
	 * against CSRF.
	 *
	 * @return true
	 */
	public function safeAgainstCsrf() {
		return true;
	}

}