summaryrefslogtreecommitdiff
path: root/extlib/Auth/OpenID/DumbStore.php
blob: e8f29ace55cc0c207eeba54979667e02af0c9d82 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
<?php

/**
 * This file supplies a dumb store backend for OpenID servers and
 * consumers.
 *
 * PHP versions 4 and 5
 *
 * LICENSE: See the COPYING file included in this distribution.
 *
 * @package OpenID
 * @author JanRain, Inc. <openid@janrain.com>
 * @copyright 2005-2008 Janrain, Inc.
 * @license http://www.apache.org/licenses/LICENSE-2.0 Apache
 */

/**
 * Import the interface for creating a new store class.
 */
require_once 'Auth/OpenID/Interface.php';
require_once 'Auth/OpenID/HMAC.php';

/**
 * This is a store for use in the worst case, when you have no way of
 * saving state on the consumer site. Using this store makes the
 * consumer vulnerable to replay attacks, as it's unable to use
 * nonces. Avoid using this store if it is at all possible.
 *
 * Most of the methods of this class are implementation details.
 * Users of this class need to worry only about the constructor.
 *
 * @package OpenID
 */
class Auth_OpenID_DumbStore extends Auth_OpenID_OpenIDStore {

    /**
     * Creates a new {@link Auth_OpenID_DumbStore} instance. For the security
     * of the tokens generated by the library, this class attempts to
     * at least have a secure implementation of getAuthKey.
     *
     * When you create an instance of this class, pass in a secret
     * phrase. The phrase is hashed with sha1 to make it the correct
     * length and form for an auth key. That allows you to use a long
     * string as the secret phrase, which means you can make it very
     * difficult to guess.
     *
     * Each {@link Auth_OpenID_DumbStore} instance that is created for use by
     * your consumer site needs to use the same $secret_phrase.
     *
     * @param string secret_phrase The phrase used to create the auth
     * key returned by getAuthKey
     */
    function Auth_OpenID_DumbStore($secret_phrase)
    {
        $this->auth_key = Auth_OpenID_SHA1($secret_phrase);
    }

    /**
     * This implementation does nothing.
     */
    function storeAssociation($server_url, $association)
    {
    }

    /**
     * This implementation always returns null.
     */
    function getAssociation($server_url, $handle = null)
    {
        return null;
    }

    /**
     * This implementation always returns false.
     */
    function removeAssociation($server_url, $handle)
    {
        return false;
    }

    /**
     * In a system truly limited to dumb mode, nonces must all be
     * accepted. This therefore always returns true, which makes
     * replay attacks feasible.
     */
    function useNonce($server_url, $timestamp, $salt)
    {
        return true;
    }

    /**
     * This method returns the auth key generated by the constructor.
     */
    function getAuthKey()
    {
        return $this->auth_key;
    }
}