+
diff --git a/login_external_basic.php b/login_external_basic.php
index af0e93e..2a1c68c 100644
--- a/login_external_basic.php
+++ b/login_external_basic.php
@@ -31,9 +31,29 @@ if ($query['callback'] != $app['callback']) {
goto login;
}
+if ($_SESSION['auth'] && $_SERVER['REQUEST_METHOD'] == 'GET') {
+ // We can check if there's already a valid token of the same level and just pass that on instead.
+ $valid_tokens = db_execute_all("SELECT * FROM tokens WHERE owner_id = ? AND type = ? AND application_id = ? AND expiry > ?",
+ [$_SESSION['id'], "basic", $app_id, time()]);
+
+ if (sizeof($valid_tokens) > 0) {
+ print_r($valid_tokens);
+
+ $token = $valid_tokens[0];
+
+ header('Location: '. $_GET['callback'].'?access_token='.$token['access_token'].'&refresh='.$token['refresh_token']
+ .'&expiry='.$token['expiry']);
+ exit();
+ }
+
+// if (validate_access_token())
+
+
+}
+
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
// Here's a few easy steps to figure out if we should give the other party a token or not.
- print_r($_POST);
+// print_r($_POST);
// First: match the session ids. If they aren't the same it's probably Not Ok.
if (session_id() != $_POST['sessionid']) {
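Review bot: `print_r($valid_tokens);` just before `$token = $valid_tokens[0];` writes every matching row, access_token and refresh_token included, into the response body ahead of the redirect, so any client, proxy or log that keeps the body instead of following the Location header gets the secrets; delete the line rather than commenting it out the way `// print_r($_POST);` below it was. The redirect target is then built from `$_GET['callback']`, while the only validation visible (top of the hunk) compares `$query['callback']` with `$app['callback']`; unless `$query` is simply a parsed copy of `$_GET`, redirecting to the validated value, `header('Location: ' . $app['callback'] . '?access_token=' ...)`, keeps that check meaningful, and the POST branch in the next hunk (`$_POST['callback']`) has the same pattern. Without an ORDER BY, `$valid_tokens[0]` is whichever row the database happens to return first; `ORDER BY expiry DESC` would hand out the longest-lived token deterministically. The method check uses `== 'GET'` while the POST branch uses `===`, and the commented `// if (validate_access_token())` should either go or become a TODO naming what it is waiting on.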
@@ -74,7 +94,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
}
// The following gets run assuming we know the client is the one CLICKING the button.
- $tokens = generate_basic_access_token($_POST['bcid']);
+ $tokens = generate_basic_access_token($_POST['bcid'], $app_id);
header('Location: '. $_POST['callback'].'?access_token='.$tokens['access'].'&refresh='.$tokens['refresh']
.'&expiry='.$tokens['expiry']);
@@ -94,15 +114,15 @@ login:
Sign into = htmlspecialchars($app['title']) ?>
-
Owned by = get_display_name($app['owner_id'], put_bcid_in_parenthesis: true) ?>
+
Owned by = htmlspecialchars( get_display_name($app['owner_id'], put_bcid_in_parenthesis: true) ) ?>
-
+
+
Something went wrong!
Server returned error: $error[0] (HTTP response code $error[1])
= $app['title'] ?> uses ByeCorps ID for authentication.
+
= htmlspecialchars($app['title']) ?> uses ByeCorps ID for authentication.
Please double-check the information and avoid signing in with your BCID if you do not trust this app.
-
Please confirm that you'd like to sign into = $app['title'] ?>.
+
Please confirm that you'd like to sign into = htmlspecialchars($app['title']) ?>.
$flash";
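Review bot: The escaping added for `$app['title']` and the owner display name does not reach the other values this template interpolates: `$error[0]`, `$error[1]` and `$flash` are still emitted raw on the surrounding context lines, and nothing in the hunk shows whether they are escaped where they are set. If any of them can carry text from the calling application or an upstream response, wrap them the same way, e.g. `htmlspecialchars($flash)`; the same sweep continues in the next hunk for `$query['callback']`, which looks complete. Elsewhere in this diff the code relies on `array_is_list` (PHP 8.1+), where the `htmlspecialchars` default flags already include ENT_QUOTES; if this file must also run on older PHP, pass `ENT_QUOTES | ENT_SUBSTITUTE` explicitly so single-quoted attributes are covered.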
@@ -131,11 +151,10 @@ login:
-
-
+
- You will be brought to = $query['callback'] ?>.
- = $app['title'] ?> will be able to see your email and display name.
+ You will be brought to = htmlspecialchars($query['callback']) ?>.
+ = htmlspecialchars($app['title']) ?> will be able to see your email and display name.
diff --git a/profile.php b/profile.php
index 4f65db5..1636266 100644
--- a/profile.php
+++ b/profile.php
@@ -33,7 +33,7 @@ if ($_SESSION['id'] != $profile['id']) {
}
// Get badges owned by this person
-$badges = db_execute_all('SELECT * FROM badge_owners INNER JOIN badges b on badge_owners.badge_id = b.id; ', []);
+$badges = db_execute_all('SELECT * FROM badge_owners INNER JOIN badges b on badge_owners.badge_id = b.id WHERE owner_id = ?; ', [$profile['id']]);
if (!empty($badges)) {
if (!array_is_list($badges)) {
$badges = array (0 => $badges);
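Review bot: The new `WHERE owner_id = ?` is unqualified in a statement that joins `badge_owners` with `badges b`; if `badges` also has an `owner_id` column (plausible for a badge's creator), the database rejects the query as ambiguous and the profile's badge list silently disappears, so pin it to the join table: `... ON badge_owners.badge_id = b.id WHERE badge_owners.owner_id = ?`. The restriction itself is the right fix — the old query returned every badge_owners row regardless of whose profile was being shown. The `array_is_list` fallback on the following context lines suggests `db_execute_all` may return a single row unwrapped; worth confirming, since otherwise a one-badge profile would iterate over columns rather than rows.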
@@ -42,49 +42,3 @@ if (!empty($badges)) {
?>
-
-
-
-
= htmlspecialchars($display_name) ?>
-
= format_bcid( $profile['id'] ); ?>
-
-
-
-
-
-
Badges
- This profile has no badges :(';
- } else {
- foreach ($badges as $badge) {
- echo "