ljr/livejournal/htdocs/openid/approve.bml

84 lines
3.6 KiB
Plaintext
Executable File

<?_code
{
return "OpenID consumer support is disabled" unless LJ::OpenID::server_enabled();
use strict;
use vars qw($title $body %GET %POST);
use LJ::OpenID;
my $err = sub {
$title = "Error";
$body = shift;
return "";
};
my $u = LJ::get_remote() or
return $err->("Currently you need to be logged in to grant another site permission to know your identity, but this page will eventually let you log in during the same step.");
my $identity = LJ::OpenID::is_identity($u, $GET{'identity'}, \%GET);
unless ($identity) {
return $err->("The site you just came from seems to want to verify <a href='" .
LJ::ehtml($GET{'identity'}) .
"'>an identity</a> that you, as " .
LJ::ljuser($u) .
", cannot provide.");
}
my $site = $GET{'trust_root'};
$site =~ s/\?.*//;
return $err->("Invalid site address") unless $site =~ m!^https?://!;
# TODO: check URL and see if it contains images or external scripts/css/images, where
# an attacker could sniff the validation tokens in the Referer header?
if (LJ::did_post()) {
return $err->("Possible form tampering detected.") unless LJ::check_form_auth();
my $dur;
$body = "";
$dur = "always" if $POST{'yes:always'};
$dur = "once" if $POST{'yes:once'};
LJ::OpenID::add_trust($u, $site, $dur)
or return $err->("Failed to save");
$title = "Saved";
$body .= "Permission has been granted. You can now <a href='javascript:window.close()'>close this window</a> and login to the site you were previously visiting.";
if ($GET{"openid.post_grant"} eq "close") {
$body .= "<script>window.close();</script>";
} elsif ($GET{"openid.post_grant"} eq "return") {
my $nos = LJ::OpenID::server();
my $sig_return = $nos->signed_return_url(
identity => $GET{'identity'},
return_to => $GET{'return_to'},
trust_root => $GET{'trust_root'},
assoc_handle => $GET{'assoc_handle'},
);
return BML::redirect($sig_return) if $sig_return;
return $err->("Failed to make signed return URL.");
}
return;
}
$title = "Grant identity validation?";
$body = "";
$body .= "<?h1 Identity Validation h1?><?p Another site on the web wants to validate your LiveJournal identity. No information will be shared with them that isn't already public in your profile, only that you're who you've already told them you are (if you told them). p?><?p The address wanting permission is: p?>";
$body .= "<form method='post'>";
$body .= LJ::form_auth();
my $dis_site = LJ::ehtml($site);
$dis_site =~ s!\*\.!<span style='color: red'><i>&lt;anything&gt;</i></span>.!;
$body .= "<div style='overflow: auto; background: #DDD; word-wrap: break-word; color: black; border: 2px solid black; padding: 0.5em; font-size: 13pt'><tt>$dis_site</tt></div>";
$body .= "<?p Do you want to pass your identity to them? p?>";
$body .= "<table align='center'><tr><td><input type='submit' name='yes:once' value='Yes; just this time.' /> <input type='submit' name='yes:always' value='Yes; always.' /></td></tr></table>";
$body .= "<?p If not, just close this window. p?>";
$body .= "</form>";
return;
}
_code?><?page
title=><?_code return $title; _code?>
body=><?_code return $body; _code?>
page?>