Add posibility HTTPS without apikey signature #20
Conversation
|
Just curious, if this removes the API key how does the service verify who is making the request? |
|
In this link Sorry for my english. On 18/03/16 11:50, Chris Cornutt wrote:
|
| @@ -328,8 +334,9 @@ public function request($url, array $hosts, $otp, $nonce) | |||
| for ($i = 0; $i < $responseCount; $i++) { | |||
| $responses[$i]->setInputOtp($otp)->setInputNonce($nonce); | |||
|
|
|||
| if ($this->validateResponseSignature($responses[$i]) === false) { | |||
| unset($responses[$i]); | |||
| if ($this->getApiKey() and $this->getClientId()) | |||
There was a problem hiding this comment.
For clarity can you add the opening { here?
|
I think, I've already made all the changes you asked. |
| @@ -269,7 +269,10 @@ public function check($otp, $multi = false) | |||
|
|
|||
| $clientId = $this->getClientId(); | |||
| if ($clientId === null) { | |||
| throw new \InvalidArgumentException('Client ID cannot be null'); | |||
| if (!$this->getUseSecure()){ | |||
There was a problem hiding this comment.
It should have the white space before {.
| @@ -328,8 +335,10 @@ public function request($url, array $hosts, $otp, $nonce) | |||
| for ($i = 0; $i < $responseCount; $i++) { | |||
| $responses[$i]->setInputOtp($otp)->setInputNonce($nonce); | |||
|
|
|||
| if ($this->validateResponseSignature($responses[$i]) === false) { | |||
| unset($responses[$i]); | |||
| if ($this->getApiKey() and $this->getClientId()){ | |||
There was a problem hiding this comment.
It should do that as the previous commit mentioned.
| if (!$this->getUseSecure()){ | ||
| throw new \InvalidArgumentException('Client ID cannot be null'); | ||
| } | ||
| $clientId = rand(1,9999); |
There was a problem hiding this comment.
Is it proper to generate the random $clientId in that method?
I think it should use the original approach is appropriate 👍 .
Add the possibility to send otp code without apikey, behind only HTTPS protocol.