The User Authentication API is currently used to secure web services; here is how to use it to secure a file download link instead. The link carries the user name, a timestamp and an HMAC "control" token in its query string, and the server-side script verifies them (with the download id folded into the HMAC) before serving the file.
/** | |
* WP-AppKit User Authentication API example: | |
* example of how to build a secured file download link. | |
* | |
* For example in your app theme's functions.js : | |
*/ | |
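/**
 * Builds a secured download link.
 *
 * The authentication data returned by Auth.getActionAuthData() (user,
 * timestamp and the hmac "control" token) is appended to the query string.
 * The download id is included in the hmac computation so that the server
 * can detect a modified id.
 *
 * NOTE(security): the control token travels in the URL, so the link is a
 * bearer credential — anyone who obtains it (browser history, proxy or
 * server logs, Referer header) can replay it for as long as the server
 * accepts its timestamp. Do not log it or embed it in shared pages.
 *
 * @param {String} download_id Id of the file (WP attachment for example) to download.
 * @return {String} Secured download link, or an empty string when no user has
 *                  previously logged into the app using Auth.logUserIn(...).
 */
function build_secured_download_link( download_id ) {
	// Retrieve the authentication data that is added to the link. The id is
	// passed as hmac data so the server can verify it was not altered in
	// transit. The key list fixes the order used for the hmac computation:
	// order matters for the hmac, and JSON object keys are not ordered.
	var auth_data = Auth.getActionAuthData(
		'download-file',    // action name
		['id'],             // key order of the following data for hmac computation
		{ id: download_id } // data added to the hmac computation
	);

	// Without an authenticated user there is no usable link.
	if ( !auth_data ) {
		return '';
	}

	// Each query value is URL-encoded: the user name may contain characters
	// that are significant in a URL, and the timestamp/control values must
	// reach the server exactly as generated or the hmac check fails.
	var download_link = 'http://your-site/wp-content/scripts/test-download.php'; // Path example
	download_link += '?id=' + encodeURIComponent( download_id );
	download_link += '&user=' + encodeURIComponent( auth_data.user );
	download_link += '&timestamp=' + encodeURIComponent( auth_data.timestamp );
	download_link += '&control=' + encodeURIComponent( auth_data.control );

	return download_link;
}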
/**
 * Example usage: build the secured link when the #download link is clicked.
 * The anchor's default navigation is cancelled so the secured link built
 * below can be used in its place.
 */
$( '#download' ).on( 'click', function ( event ) {
	event.preventDefault();
	var file_id = '1234';
	var secured_link = build_secured_download_link( file_id );
	// Here you would navigate to secured_link to download the document.
} );
<?php | |
/** | |
* WP-AppKit User Authentication API example | |
* Example of a PHP script "test-download.php" that checks that the authentication | |
* data passed through $_GET is OK, and download the file if ok. | |
*/ | |
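require_once( __DIR__ . '/../../wp-load.php' );

$download_id = isset( $_GET['id'] ) ? $_GET['id'] : '';
$user        = isset( $_GET['user'] ) ? $_GET['user'] : '';
$timestamp   = isset( $_GET['timestamp'] ) ? $_GET['timestamp'] : '';
$control     = isset( $_GET['control'] ) ? $_GET['control'] : '';

// The id is covered by the hmac, so it cannot be altered in transit, but it
// is still chosen by the client: a logged-in user can request any id they
// like. Since it is interpolated into a filesystem path below, restrict it
// to a safe character set before using it for anything (no '.', '/', '\' or
// NUL, so no path traversal).
if ( ! preg_match( '/^[A-Za-z0-9_-]+$/', $download_id ) ) {
	http_response_code( 400 );
	echo 'Invalid download id';
	exit;
}

// Check authentication data (and download id) and log the user in if OK:
$result = WpakUserLogin::log_user_from_authenticated_action(
	WpakApps::get_app_id( 'my-app-slug' ),
	'download-file', // action name
	compact( 'user', 'timestamp', 'control' ),
	array( $download_id )
);

if ( ! $result['ok'] ) {
	// Refuse with a real status code, and escape the error before echoing it:
	// its text may be derived from the request.
	http_response_code( 403 );
	echo esc_html( $result['auth_error'] );
	exit;
}

// Here, if you want to test user permissions, you can use
// current_user_can(...).

// File example (the id was validated above, so it cannot escape this directory):
$file = __DIR__ . '/test-file-' . $download_id . '.txt';

if ( ! file_exists( $file ) ) {
	http_response_code( 404 );
	echo 'File not found';
	exit;
}

// Serve the file:
header( 'Content-Description: File Transfer' );
header( 'Content-Type: application/octet-stream' );
header( 'Content-Disposition: attachment; filename="' . basename( $file ) . '"' );
header( 'Expires: 0' );
header( 'Cache-Control: must-revalidate' );
header( 'Pragma: public' );
header( 'Content-Length: ' . filesize( $file ) );
readfile( $file );
exit;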