如何創建一個反請求僞造狀態令牌在google +服務器端註冊

Question

<?php 
    require_once '/google-api-php-client/src/Google_Client.php'; 
    require_once '/google-api-php-client/src/contrib/Google_PlusService.php'; 

    session_start(); 
    // Create a state token to prevent request forgery. 
    // Store it in the session for later validation. 
    $state = md5(rand()); 
    $app['session']->set('state', $state); 
    // Set the client ID, token state, and application name in the HTML while 
    // serving it. 
    return $app['twig']->render('index.html', array(
     'CLIENT_ID' => CLIENT_ID, 
     'STATE' => $state, 
     'APPLICATION_NAME' => APPLICATION_NAME 
    )); 

     // Ensure that this is no request forgery going on, and that the user 
    // sending us this connect request is the user that was supposed to. 
    if ($request->get('state') != ($app['session']->get('state'))) { 
    return new Response('Invalid state parameter', 401); 
    } 


    $code = $request->getContent(); 
    $gPlusId = $request->get['gplus_id']; 
    // Exchange the OAuth 2.0 authorization code for user credentials. 
    $client->authenticate($code); 

    $token = json_decode($client->getAccessToken()); 
    // Verify the token 
    $reqUrl = 'https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=' . 
      $token->access_token; 
    $req = new Google_HttpRequest($reqUrl); 

    $tokenInfo = json_decode(
     $client::getIo()->authenticatedRequest($req)->getResponseBody()); 

    // If there was an error in the token info, abort. 
    if ($tokenInfo->error) { 
    return new Response($tokenInfo->error, 500); 
    } 
    // Make sure the token we got is for the intended user. 
    if ($tokenInfo->userid != $gPlusId) { 
     return new Response(
     "Token's user ID doesn't match given user ID", 401); 
    } 
    // Make sure the token we got is for our app. 
    if ($tokenInfo->audience != CLIENT_ID) { 
    return new Response(
     "Token's client ID does not match app's.", 401); 
    } 

    // Store the token in the session for later use. 
    $app['session']->set('token', json_encode($token)); 
    $response = 'Succesfully connected with token: ' . print_r($token, true); 
    ?> 

這是我的code.php。
我已從https://developers.google.com/+/web/signin/server-side-flow採取此代碼。 我想將Google +服務器端註冊添加到我的應用程序中。 所以我決定運行示例代碼。 我在運行代碼時遇到錯誤。 我已經包含PHP的Google API客戶端庫。 我無法使用組和渲染這些代碼中顯示的功能

this is My index.html 


    <!-- The top of file index.html --> 
    <html itemscope itemtype="http://schema.org/Article"> 
    <head> 
    <!-- BEGIN Pre-requisites --> 
    <script src="//ajax.googleapis.com/ajax/libs/jquery/1.8.2/jquery.min.js"> 
    </script> 
    <script type="text/javascript"> 
    (function() { 
     var po = document.createElement('script'); 
     po.type = 'text/javascript'; 
     po.async = true; 
     po.src = 'https://plus.google.com/js/client:plusone.js?onload=start'; 
     var s = document.getElementsByTagName('script')[0]; 
     s.parentNode.insertBefore(po, s); 
    })(); 
    </script> 
    <!-- END Pre-requisites --> 
</head> 
<!-- ... --> 
</html> 

<!-- Add where you want your sign-in button to render --> 
<div id="signinButton"> 
    <span class="g-signin" 
    data-scope="https://www.googleapis.com/auth/plus.login" 
    data-clientid="YOUR_CLIENT_ID" 
    data-redirecturi="postmessage" 
    data-accesstype="offline" 
    data-cookiepolicy="single_host_origin" 
    data-callback="signInCallback"> 
    </span> 
</div> 
<div id="result"></div> 

    <!-- Last part of BODY element in file index.html --> 
    <script type="text/javascript"> 

     function signInCallback(authResult) { 
     if (authResult['code']) { 

     // Hide the sign-in button now that the user is authorized, for example: 
    $('#signinButton').attr('style', 'display: none'); 

    // Send the code to the server 
    $.ajax({ 
     type: 'POST', 
     url: 'plus.php?storeToken', 
     contentType: 'application/octet-stream; charset=utf-8', 
     success: function(result) { 
     // Handle or verify the server response if necessary. 

     // Prints the list of people that the user has allowed the app to know 
     // to the console. 
     console.log(result); 
     if (result['profile'] && result['people']){ 
      $('#results').html('Hello ' + result['profile']['displayName'] + '. You successfully made a server side call to people.get and people.list'); 
     } else { 
      $('#results').html('Failed to make a server-side call. Check your configuration and console.'); 
     } 
     }, 
     processData: false, 
     data: authResult['code'] 
    }); 
    } 
    else if (authResult['error']) { 
     // There was an error. 
     // Possible error codes: 
     // "access_denied" - User denied access to your app 
     // "immediate_failed" - Could not automatially log in the user 
     // console.log('There was an error: ' + authResult['error']); 
    } 
    } 
    </script> 

Answer 1

我相信問題是文檔提供了不完整的代碼片段（我已經打開了一個關於這個的錯誤）。這個特殊的例子依賴於Symfony，這就是你遇到的缺失變量/方法。

PHP Quickstart提供了完整的說明來獲得這個特定的樣本設置。你也可以get the full source code from Github。

當然，您不必使用Symfony，但如果您選擇使用本機PHP方法，則需要更新對示例使用的$ request，$ app和其他Symfony方法的引用。

Answer 2

UPDATE：

簽到/註冊鏈接：

1. http://www.w3resource.com/API/google-plus/tutorial.php
2. http://rscavilla.blogspot.in/2011/06/using-oauth-20-with-php-to-authenticate.html

要獲取用戶信息：

Look at this code to get the user-info from the Google+ API.

問題是你沒有應用程序上有一個$app對象，當您的應用程序嘗試設置會話中的狀態時，該對象可以調用set方法。

也就是說，谷歌方面的文檔告訴讀取文檔的用戶，以確保狀態值存儲在他們的應用程序會話中，以及如何存儲google_auth API的其他所需值。

教程：

看看到this link關於如何配置和使用谷歌API的OAuth更詳細的教程。