X-Git-Url: http://git.polytechnique.org/?a=blobdiff_plain;f=classes%2Fplsession.php;h=94665c6817d5f63e23ad3cc82909b5baf89b4491;hb=feb45d1d9fc152beff746c83048ff7704cc27ea2;hp=5f406f1beee0b2252fa5f3b677b3be545bbcd76c;hpb=3ecd0a882aebbb539b4b0e507a360e961cd51c63;p=platal.git
diff --git a/classes/plsession.php b/classes/plsession.php
index 5f406f1..94665c6 100644
--- a/classes/plsession.php
+++ b/classes/plsession.php
@@ -1,6 +1,6 @@ checkAuth($level)) { return true; }
@@ -160,6 +159,23 @@ abstract class PlSession
      */
     abstract protected function startSessionAs($user, $level);
 
+    /** Authenticate the request for the given (method, payload) pair.
+     *
+     * Implementations are expected to provide strong authentication. It is
+     * suggested to use an HMAC-based scheme, where the signature validates the
+     * method, url, and payload (to avoid replay of the signature against other
+     * methods), and the timestamp (to avoid replay in time).
+     *
+     * @param method method of the request (GET, POST, PUT, DELETE)
+     * @param resource URL path of the resource (eg. "/api/user")
+     * @param payload binary payload sent with the request (before decoding)
+     * @return a valid PlUser object if authentication is successfull, or null.
+     */
+    public function apiAuth($method, $resource, $payload)
+    {
+        return null; // Default implementation does nothing
+    }
+
     /** Check authentication with the given token.
      *
      * Token authentication is a light-weight authentication based on a user-specific token.
@@ -190,8 +206,7 @@ abstract class PlSession
         if (S::suid()) {
             return false;
         }
-        $backup = $_SESSION;
-        $_SESSION = array();
+        $backup = S::changeSession(array());
         $this->fillSession();
         S::set('suid', $backup);
         if (!$this->startSessionAs($user, AUTH_SUID)) {
@@ -212,7 +227,7 @@ abstract class PlSession
         if (!S::suid()) {
             return false;
         }
-        $_SESSION = $_SESSION['suid'];
+        S::changeSession(S::v('suid'));
         return true;
     }
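Review bot: The new docblock's summary names a "(method, payload) pair" while `apiAuth()` takes three arguments, and its `@param` tags lack the `$` sigil and type that PHPDoc tooling expects; suggest `@param string $method`, `@param string $resource`, `@param string $payload` with a summary such as `Authenticate an API request from its method, resource path and raw payload.` The trailing `// Default implementation does nothing` understates the behaviour — returning null means every API request is rejected until a subclass overrides the method, which is the safe default and worth stating as `// Default: no API authentication configured, reject every request`. Since the docblock recommends an HMAC scheme, it could also remind implementers that the signature comparison must be constant-time and that a timestamp only bounds replay to the accepted window, so that window should be short (or paired with a nonce). The enclosing class PlSession starts and ends outside the hunk.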
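Review bot: `$backup = S::changeSession(array());` only preserves the old behaviour if `S::changeSession()` returns the session contents it replaces; that contract is not visible in this diff and nothing here checks the returned value before `S::set('suid', $backup)` stores it, so a different return shape would silently leave an unusable backup for the reverse switch. A one-line comment would pin the expectation: `// changeSession() installs the empty session and returns the previous one, kept under 'suid' for the switch back`. The `-212,7` hunk has the same reliance when it restores that backup with `S::changeSession(S::v('suid'))`. An identity switch in either direction is also a natural point to regenerate the session identifier, if changeSession() does not already do so. The enclosing method begins before the hunk and continues after it.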