From 3e10baf9010c5271baf02435b949f8d5e9ecad29 Mon Sep 17 00:00:00 2001
From: Lawrence Oks <ljoks0727@gmail.com>
Date: Fri, 19 Nov 2021 15:23:06 -0500
Subject: [PATCH] adds third party oauth check when uploading media files

---
 fuel/app/classes/controller/media.php | 11 +++++---
 fuel/app/classes/thirdparty/oauth.php | 39 +++++++++++++++++++++++++++
 2 files changed, 47 insertions(+), 3 deletions(-)
 create mode 100644 fuel/app/classes/thirdparty/oauth.php

diff --git a/fuel/app/classes/controller/media.php b/fuel/app/classes/controller/media.php
index ed3506046..274a23c28 100644
--- a/fuel/app/classes/controller/media.php
+++ b/fuel/app/classes/controller/media.php
@@ -5,6 +5,7 @@
  */
 use \Materia\Widget_Asset_Manager;
 use \Materia\Widget_Asset;
+use \Thirdparty\Oauth;
 
 class Controller_Media extends Controller
 {
@@ -64,8 +65,11 @@ public function get_import()
 	// This currently assumes a single uploaded file at a time
 	public function action_upload()
 	{
-		// Validate Logged in
-		if (\Service_User::verify_session() !== true) throw new HttpNotFoundException;
+		// Either Validate Logged in
+		// or validate a third party server thru Oauth
+		if (\Service_User::verify_session() !== true)
+			if (Oauth::validate_post() !== true) 
+				throw new HttpNotFoundException;
 
 		$res = new Response();
 		// Make sure file is not cached (as it happens for example on iOS devices)
@@ -74,6 +78,7 @@ public function action_upload()
 		$res->set_header('Cache-Control', 'no-store, no-cache, must-revalidate');
 		$res->set_header('Pragma', 'no-cache');
 
+
 		// Upload::process is called automatically
 		if (\Upload::is_valid()) \Upload::save();
 
@@ -89,7 +94,7 @@ public function action_upload()
 		}
 
 		$uploaded_file = \Upload::get_files(0);
-
+		
 		if ( ! $uploaded_file)
 		{
 			trace('Unable to process upload');
diff --git a/fuel/app/classes/thirdparty/oauth.php b/fuel/app/classes/thirdparty/oauth.php
new file mode 100644
index 000000000..146b36444
--- /dev/null
+++ b/fuel/app/classes/thirdparty/oauth.php
@@ -0,0 +1,39 @@
+<?php
+namespace Thirdparty;
+// phpcs:disable FuelPHP.NamingConventions.ConciseUnderscoredVariableName
+
+class Oauth
+{
+	public static function validate_post()
+	{
+		try
+		{
+			// get signature, timestamp, nonce from body formData
+			$signature  = \Input::post('oauth_signature', '');
+			$timestamp  = (int) \Input::post('oauth_timestamp', 0);
+			$nonce      = \Input::post('oauth_nonce', false);
+
+			// check to make sure all are present
+			if (empty($signature)) throw new \Exception('Authorization signature is missing.');
+			if (empty($nonce)) throw new \Exception('Authorization fingerprint is missing.');
+			if (\Input::post('oauth_consumer_key') !== $_ENV['OAUTH_KEY']) throw new \Exception('Authorization signature failure.');
+
+			// make sure request was made in the last hour
+			if ($timestamp < (time() - 3600)) throw new \Exception('Authorization signature is too old.');
+
+			// hash key and secret to make sure token matches
+			$new_sig = hash_hmac('sha256', $_ENV['OAUTH_KEY'], $_ENV['OAUTH_SECRET'].$timestamp.$nonce, false);
+
+			if ($new_sig !== $signature) throw new \Exception('Authorization signature failure.');
+			return true;
+		}
+		catch (\Exception $e)
+		{
+			logger('DEBUG', 'ERROR: INVALID OAUTH EXCEPTION');
+			logger('DEBUG', $e);
+			// \Materia\Log::profile(['invalid-oauth-received', $e->getMessage(), \Uri::current(), print_r(\Input::post(), 1)], 'lti-error-dump');
+		}
+
+		return false;
+	}
+}
\ No newline at end of file