How to create an anti-request-forgery state token in Google+ server-side sign-up


Problem description

    <?php
    require_once '/google-api-php-client/src/Google_Client.php';
    require_once '/google-api-php-client/src/contrib/Google_PlusService.php';

    session_start();
    // Create a state token to prevent request forgery.
    // Store it in the session for later validation.
    $state = md5(rand());
    $app['session']->set('state', $state);
    // Set the client ID, token state, and application name in the HTML while
    // serving it.
    return $app['twig']->render('index.html', array(
      'CLIENT_ID' => CLIENT_ID,
      'STATE' => $state,
      'APPLICATION_NAME' => APPLICATION_NAME
    ));

    // Ensure that there is no request forgery going on, and that the user
    // sending us this connect request is the user that was supposed to.
    if ($request->get('state') != ($app['session']->get('state'))) {
      return new Response('Invalid state parameter', 401);
    }

    $code = $request->getContent();
    // gplus_id arrives as a query parameter, so read it through the accessor.
    $gPlusId = $request->get('gplus_id');
    // Exchange the OAuth 2.0 authorization code for user credentials.
    $client->authenticate($code);

    $token = json_decode($client->getAccessToken());
    // Verify the token
    $reqUrl = 'https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=' .
        $token->access_token;
    $req = new Google_HttpRequest($reqUrl);

    $tokenInfo = json_decode(
        $client::getIo()->authenticatedRequest($req)->getResponseBody());

    // If there was an error in the token info, abort.
    if (isset($tokenInfo->error)) {
      return new Response($tokenInfo->error, 500);
    }
    // Make sure the token we got is for the intended user.
    // The tokeninfo response names this field user_id.
    if ($tokenInfo->user_id != $gPlusId) {
      return new Response(
          "Token's user ID doesn't match given user ID", 401);
    }
    // Make sure the token we got is for our app.
    if ($tokenInfo->audience != CLIENT_ID) {
      return new Response(
          "Token's client ID does not match app's.", 401);
    }

    // Store the token in the session for later use.
    $app['session']->set('token', json_encode($token));
    $response = 'Successfully connected with token: ' . print_r($token, true);
    ?>

This is my code.php.
I have taken this code from https://developers.google.com/+/web/signin/server-side-flow. I want to add Google+ server-side sign-up to my application, so I decided to run the sample code. I am getting an error when I run the code. I have already included the Google APIs client library for PHP. I am unable to use the set and render functions which are shown in the code.

This is my index.html.

    <!-- The top of file index.html -->
    <html itemscope itemtype="http://schema.org/Article">
    <head>
      <!-- BEGIN Pre-requisites -->
      <script src="//ajax.googleapis.com/ajax/libs/jquery/1.8.2/jquery.min.js">
      </script>
      <script type="text/javascript">
        (function () {
          var po = document.createElement('script');
          po.type = 'text/javascript';
          po.async = true;
          po.src = 'https://plus.google.com/js/client:plusone.js?onload=start';
          var s = document.getElementsByTagName('script')[0];
          s.parentNode.insertBefore(po, s);
        })();
      </script>
      <!-- END Pre-requisites -->
    </head>
    <!-- ... -->
    </html>

    <!-- Add where you want your sign-in button to render -->
    <div id="signinButton">
      <span class="g-signin"
        data-scope="https://www.googleapis.com/auth/plus.login"
        data-clientid="YOUR_CLIENT_ID"
        data-redirecturi="postmessage"
        data-accesstype="offline"
        data-cookiepolicy="single_host_origin"
        data-callback="signInCallback">
      </span>
    </div>
    <div id="result"></div>

    <!-- Last part of BODY element in file index.html -->
    <script type="text/javascript">
      function signInCallback(authResult) {
        if (authResult['code']) {

          // Hide the sign-in button now that the user is authorized, for example:
          $('#signinButton').attr('style', 'display: none');

          // Send the code to the server
          $.ajax({
            type: 'POST',
            url: 'plus.php?storeToken',
            contentType: 'application/octet-stream; charset=utf-8',
            success: function(result) {
              // Handle or verify the server response if necessary.

              // Prints the list of people that the user has allowed the app to know
              // to the console.
              console.log(result);
              // The target element above is <div id="result">.
              if (result['profile'] && result['people']) {
                $('#result').html('Hello ' + result['profile']['displayName'] + '. You successfully made a server side call to people.get and people.list');
              } else {
                $('#result').html('Failed to make a server-side call. Check your configuration and console.');
              }
            },
            processData: false,
            data: authResult['code']
          });
        } else if (authResult['error']) {
          // There was an error.
          // Possible error codes:
          //   "access_denied" - User denied access to your app
          //   "immediate_failed" - Could not automatically log in the user
          // console.log('There was an error: ' + authResult['error']);
        }
      }
    </script>

Recommended answer

I believe the issue is with the documentation providing you incomplete code snippets (I've opened a bug about that). That particular sample relies on Symfony, which is what you're encountering with the missing variable/method.

The PHP Quickstart provides the full instructions to get this particular sample set up. You can also get the full source code from Github.

You don't have to use Symfony of course but if you choose to go with native PHP methods, you'd need to update the references to $request, $app, and other Symfony methods that the sample uses.
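As an added illustration of the "native PHP" route the answer mentions (this is not the asker's code, the answer's code, or Google's sample), the state-token part of the flow written against `$_SESSION` and `$_GET` instead of Symfony's `$app['session']` and `$request`. It assumes the page that renders the button also sends the token back on the connect request (the posted AJAX call does not add a `state` parameter, so the server-side comparison in the sample could never pass as written), and it uses `random_bytes` and `hash_equals` rather than `md5(rand())` and `!=`.

```php
<?php
// Added example: anti-forgery state token in plain PHP, no Symfony.
// Assumes session cookie hardening (HttpOnly, Secure) is configured elsewhere
// and that CLIENT_ID is defined by the application.

function issueStateToken(): string
{
    // 32 bytes from the CSPRNG; md5(rand()) is predictable and unsuitable here.
    $state = bin2hex(random_bytes(32));
    $_SESSION['oauth_state'] = $state;
    $_SESSION['oauth_state_issued'] = time();
    return $state;
}

function consumeStateToken(?string $presented, int $maxAgeSeconds = 600): bool
{
    $expected = $_SESSION['oauth_state'] ?? null;
    $issued   = $_SESSION['oauth_state_issued'] ?? 0;
    // Single use: clear the stored token before comparing so a replayed
    // request with the same value is rejected.
    unset($_SESSION['oauth_state'], $_SESSION['oauth_state_issued']);
    if ($expected === null || $presented === null) {
        return false;
    }
    if (time() - $issued > $maxAgeSeconds) {
        return false; // stale token from an abandoned sign-in attempt
    }
    // Constant-time comparison; a plain != would also coerce types.
    return hash_equals($expected, $presented);
}

session_start();

// Issuing side: the page that renders the sign-in button embeds the token so
// the client can send it back, e.g. as ?state=... on the connect request.
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    $state = issueStateToken();
    echo '<meta name="state" content="'
        . htmlspecialchars($state, ENT_QUOTES, 'UTF-8') . '">';
    exit;
}

// Connect side: reject before the authorization code is touched.
if (!consumeStateToken($_GET['state'] ?? null)) {
    http_response_code(401);
    exit('Invalid state parameter');
}
$code    = file_get_contents('php://input'); // raw body, like getContent()
$gPlusId = $_GET['gplus_id'] ?? '';
// Continue with the code exchange and the tokeninfo user_id/audience checks.
```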
