OAuth2与php不一致

2022-02-22 00:00:00 discord oauth-2.0 php

我正在尝试使用DISCORD的OAuth2创建登录系统。

这是我的代码:

  <?php
    ini_set('display_errors', 1);
    ini_set('display_startup_errors', 1);
    ini_set('max_execution_time', 300); //300 seconds = 5 minutes. In case if your CURL is slow and is loading too much (Can be IPv6 problem)
    
    error_reporting(E_ALL);
    
    define('OAUTH2_CLIENT_ID', 'XXXXXXXXXXXXXXXXXXXXXX'); //Your client Id
    define('OAUTH2_CLIENT_SECRET', 'XXXXXXXXXXXXXXXXXXXXXX'); //Your secret client code
    
    $authorizeURL = 'https://discordapp.com/api/oauth2/authorize';
    $tokenURL = 'https://discordapp.com/api/oauth2/token';
    $apiURLBase = 'https://discordapp.com/api/users/@me';
    
    session_start();
    
    // Start the login process by sending the user to Discord's authorization page
    if(get('action') == 'login') {
    
      // Redirect the user to Discord's authorization page
      header('Location: https://discord.com/api/oauth2/authorize?client_id=873917693953191946&redirect_uri=http%3A%2F%2Fbouncerbot.go-atcode.com%2Fauth.php&response_type=code&scope=identify%20email%20connections%20guilds%20gdm.join%20guilds.join%20rpc%20rpc.notifications.read%20rpc.voice.read%20rpc.voice.write');
      die();
    }
    
    
    // When Discord redirects the user back here, there will be a "code" and "state" parameter in the query string
    if(get('code')) {
    
      $token = apiRequest($tokenURL, array(
    "grant_type" => "authorization_code",
    'client_id' => 'XXXXXXXXXXXXXXXX', //censored
    'client_secret' => 'XXX-XXXXXXXXXXXXXXXXXXX',
    'redirect_uri' => 'http://bouncerbot.go-atcode.com/auth.php',
    'code' => get('code')
  ));
      $logout_token = $token->access_token;
      $_SESSION['access_token'] = $token->access_token;
    
    
      header('Location: ' . $_SERVER['PHP_SELF']);
    }
    ?><script> console.log(<? echo $user->username?> )</script><?
    if(session('access_token')) {
      $user = apiRequest($apiURLBase);
    
      echo '<h3>Logged In</h3>';
      echo '<h4>Welcome, ' . $user->username . '</h4>';
      echo '<pre>';
        print_r($user);
      echo '</pre>';
    
    } else {
      echo '<h3>Not logged in</h3>';
      echo '<p><a href="?action=login">Log In</a></p>';
    }
    
    
    if(get('action') == 'logout') {
      // This must to logout you, but it didn't worked(
    
      $params = array(
        'access_token' => $logout_token
      );
    
      // Redirect the user to Discord's revoke page
      header('Location: https://discordapp.com/api/oauth2/token/revoke' . '?' . http_build_query($params));
      die();
    }
    
    function apiRequest($url, $post=FALSE, $headers=array()) {
      $ch = curl_init($url);
      curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
      curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
    
      $response = curl_exec($ch);
    
    
      if($post)
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post));
    
      $headers[] = 'Accept: application/json';
    
      if(session('access_token'))
        $headers[] = 'Authorization: Bearer ' . session('access_token');
    
      curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    
      $response = curl_exec($ch);
      return json_decode($response);
    }
    
    function get($key, $default=NULL) {
      return array_key_exists($key, $_GET) ? $_GET[$key] : $default;
    }
    
    function session($key, $default=NULL) {
      return array_key_exists($key, $_SESSION) ? $_SESSION[$key] : $default;
    }
    
    ?>

问题是,当我在不一致上进行授权,然后不一致将我重定向回auth.php时,不会获取令牌,因此仍然是:

未登录登录

我找不到问题的原因,所以我问了一个问题。这是登录页面:http://bouncerbot.go-atcode.com/auth.php


解决方案

第一个)重定向工作正常,因为您正在使用

'redirect_uri' => 'http://bouncerbot.go-atcode.com/auth.php',

这就是为什么要重定向到auth.php

2)您必须在不一致应用上定义相同的重定向URL,如下所示:

3)创建代码生成页和重定向页,您可以在同一页上创建代码生成页和重定向页,也可以同时创建两个单独的页。

因为我正在测试创建2个页面

1.代码请求(discrid.php)

 <?php

    define('OAUTH2_CLIENT_ID', '882143362046640112');

    $redirectURL = 'https://localhost/test_project/disocrd_responce.php';

    $params = array(
        'client_id' => OAUTH2_CLIENT_ID,
        'redirect_uri' => $redirectURL,
        'response_type' => 'code',
        'scope' => 'identify guilds'
    );

    // Redirect the user to Discord's authorization page
    header('Location: https://discord.com/api/oauth2/authorize' . '?' . http_build_query($params));
    die();
    ?>

点击此页面后,页面将自动重定向到https://localhost/test_project/disocrd_responce.php,代码为

2.使用代码(discrd_responce.php)生成令牌

<?php

ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
ini_set('max_execution_time', 300); //300 seconds = 5 minutes. In case if your CURL is slow and is loading too much (Can be IPv6 problem)

error_reporting(E_ALL);

$code = isset($_REQUEST['code']) ? $_REQUEST['code'] : '';

define('OAUTH2_CLIENT_ID', '882143362046640112');
define('OAUTH2_CLIENT_SECRET', 'hYvpAl_heUJNC0veaoraMxNhJL2fgHVU');

$authorizeURL = 'https://discord.com/api/oauth2/authorize';
$tokenURL = 'https://discord.com/api/oauth2/token';
$redirectURL = 'https://localhost/test_project/disocrd_responce.php';

if(get('code')) {

  session_start();

  // Exchange the auth code for a token
  $token = apiRequest($tokenURL, array(
    "grant_type" => "authorization_code",
    'client_id' => OAUTH2_CLIENT_ID,
    'client_secret' => OAUTH2_CLIENT_SECRET,
    'redirect_uri' => $redirectURL,
    'code' => get('code')
  ));
  $logout_token = $token->access_token;
  $_SESSION['access_token'] = $token->access_token;

  echo "<pre>"; print_r($token); exit; // get token properly
// header('Location: ' . $_SERVER['PHP_SELF']);
}

function apiRequest($url, $post=FALSE, $headers=array()) {
  $ch = curl_init($url);
  curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);

  $response = curl_exec($ch);


  if($post){
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post));
  }
  $headers[] = 'Accept: application/json';

  if(isset($_SESSION['access_token']))
    $headers[] = 'Authorization: Bearer ' . $_SESSION['access_token'];

  curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

  $response = curl_exec($ch);
  return json_decode($response);
}

function get($key, $default=NULL) {
  return array_key_exists($key, $_GET) ? $_GET[$key] : $default;
}

?>

当我这样打印令牌时:

echo "<pre>"; print_r($token); exit;

我们正确地获得了令牌,如下所示:

 stdClass Object
 (
   [access_token] => 'FBLOYotKRxe0uO7KJcS8mfce5z9YEE'
   [expires_in] => 604800
   [refresh_token] => FxlsNH06OHcbMCJlAZhWzbi4DsIjUO
   [scope] => identify guilds
   [token_type] => Bearer
 )

注意:我按安全观点更改了客户ID和令牌

相关文章