From b03c9c9a2217968e9d7bcd827cefc381b7d347f2 Mon Sep 17 00:00:00 2001
From: Sonia Zorba <sonia.zorba@inaf.it>
Date: Thu, 28 Nov 2019 16:03:14 +0100
Subject: [PATCH] Changes for /check_token endpoint

---
 README.md                    |  4 ++++
 include/front-controller.php | 15 +++++++++++++--
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index e5664c0..b24ffab 100644
--- a/README.md
+++ b/README.md
@@ -108,6 +108,10 @@ Before using social API it is necessary to register an application on each socia
 
 Copy the `config-example.php` into `config.php` and edit it for matching your needs.
 
+### Generate keypair
+
+    php exec/generate-keypair.php
+
 ### Logs directory
 
 Create the logs directory and assign ownership to the Apache user (usually www-data or apache)
diff --git a/include/front-controller.php b/include/front-controller.php
index e10616f..5d8f3ce 100644
--- a/include/front-controller.php
+++ b/include/front-controller.php
@@ -127,10 +127,21 @@ Flight::route('POST /auth/oauth2/check_token', function() {
 
     global $locator;
 
-    $token = filter_input(INPUT_POST, 'token', FILTER_SANITIZE_STRING);
+    $headers = apache_request_headers();
+
+    if (!isset($headers['Authorization'])) {
+        throw new BadRequestException("Missing Authorization header");
+    }
+
+    $authorizationHeader = explode(" ", $headers['Authorization']);
+    if ($authorizationHeader[0] === "Bearer") {
+        $token = $authorizationHeader[1];
+    } else {
+        throw new BadRequestException("Invalid token type");
+    }
 
     if ($token === null) {
-        throw new BadRequestException("Access token id is required");
+        throw new BadRequestException("Access token is required");
     }
 
     $requestHandler = new \RAP\OAuth2RequestHandler($locator);
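Review bot: The `$authorizationHeader[1]` read at the `$token = $authorizationHeader[1];` line is unguarded, so a header of just `Bearer` (or `Bearer` followed by several spaces) raises an undefined-index notice and, depending on the server's PHP configuration, may turn into a 500 rather than the intended BadRequestException; the later `$token === null` guard only catches the case once the notice has already fired. Bounding the split and validating the shape before indexing keeps the check explicit: `$authorizationHeader = explode(' ', trim($headers['Authorization']), 2);` followed by `if (count($authorizationHeader) !== 2 || $authorizationHeader[0] !== 'Bearer' || $authorizationHeader[1] === '') { throw new BadRequestException("Invalid token type"); }`. Two further points worth confirming: `apache_request_headers()` returns `false` when PHP is not running under Apache/FastCGI, which would make `isset($headers['Authorization'])` silently false and mask the real cause, and header-name casing from the client is not guaranteed to arrive as `Authorization` on every SAPI, so a case-insensitive lookup may be needed. The enclosing route closure begins and ends outside this hunk.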
-- 
GitLab