Question

Example code from Google+ Sign-In for server-side apps:

  // Create a state token to prevent request forgery.
  // Store it in the session for later validation.
  $state = md5(rand());
  $app['session']->set('state', $state);
  // Set the client ID, token state, and application name in the HTML while
  // serving it.
  return $app['twig']->render('index.html', array(
      'CLIENT_ID' => CLIENT_ID,
      'STATE' => $state,
      'APPLICATION_NAME' => APPLICATION_NAME
  ));


Question: How can the server-side flow work without Silex/Twig?

Solution

I use this Client Library (PHP).
Please test this code; it works fine.
index.php

<?php
session_start();
$data['state'] = md5(uniqid(rand(), true));
$_SESSION['state'] = $data['state'];
?>
<html itemscope itemtype="http://schema.org/Article">
<head>
  <!-- BEGIN Pre-requisites -->
  <script src="//ajax.googleapis.com/ajax/libs/jquery/1.8.2/jquery.min.js">
  </script>
  <meta name="google-signin-scope" content="https://www.googleapis.com/auth/plus.login https://www.googleapis.com/auth/plus.moments.write https://www.googleapis.com/auth/plus.me https://www.googleapis.com/auth/plus.profile.agerange.read https://www.googleapis.com/auth/plus.profile.language.read https://www.googleapis.com/auth/plus.circles.members.read https://www.googleapis.com/auth/drive.file https://www.googleapis.com/auth/userinfo.email" />

  <script type="text/javascript">
    (function () {
      var po = document.createElement('script');
      po.type = 'text/javascript';
      po.async = true;
      po.src = 'https://plus.google.com/js/client:plusone.js';
      var s = document.getElementsByTagName('script')[0];
      s.parentNode.insertBefore(po, s);
    })();
  </script>
  <!-- END Pre-requisites -->
</head>
<body>
<!-- Add where you want your sign-in button to render -->
<div id="signinButton">
  <span class="g-signin"
    data-scope="https://www.googleapis.com/auth/plus.login"
    data-clientid="Your clientid"
    data-redirecturi="postmessage"
    data-accesstype="offline"
    data-cookiepolicy="single_host_origin"
    data-callback="signInCallback">
  </span>
</div>
<button id="signoutButton" style="display:none" onclick="signout()">signout</button>
<div id="result"></div>

<script type="text/javascript">
function signInCallback(authResult) {
  if (authResult['code']) {
    // Hide the sign-in button now that the user is authorized, for example:
    $('#signinButton').attr('style', 'display: none');
    $('#signoutButton').attr('style', 'display: block');
    var state = '<?php echo $_SESSION['state']; ?>';
    // plus.php splits the request body on ',' into [code, state].
    var param = [authResult['code'], state].join(',');
    // Send the code to the server
    $.ajax({
      type: 'POST',
      url: 'plus.php?storeToken&state',
      contentType: 'application/octet-stream; charset=utf-8',
      success: function(result) {
        // Handle or verify the server response if necessary.
       console.log(result);
        alert('connected');
      },
      processData: false,
      data: param
    });
  } else if (authResult['error']) {
    alert('Could not automatically log in the user');
     console.log('There was an error: ' + authResult['error']);
  }
}

function signout(){ 
       gapi.auth.signOut();
        $('#signoutButton').attr('style', 'display: none');
        $('#signinButton').attr('style', 'display: block');
        console.log('sign out');
}
</script>
</body>
</html>

plus.php

<?php
session_start();
require_once 'src/Google_Client.php';
require_once 'src/contrib/Google_PlusService.php';
  $client = new Google_Client();
  $CLIENT_ID = 'CLIENT ID';
  $client->setClientId($CLIENT_ID);
  $client->setClientSecret('Client Secret');
  $client->setRedirectUri('postmessage');

 $code = explode(",",file_get_contents('php://input'));

  if (isset($code[1]) && $code[1] === $_SESSION['state'])
{
$plus = new Google_PlusService($client);
  $client->authenticate($code[0]);
  $token = json_decode($client->getAccessToken());

  // Verify the token
  $reqUrl = 'https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=' .
          $token->access_token;

  $req = new Google_HttpRequest($reqUrl);

  $tokenInfo = json_decode(
      $client::getIo()->authenticatedRequest($req)->getResponseBody());

  // If there was an error in the token info, abort.
  if (isset($tokenInfo->error)) {
    print $tokenInfo->error;
    exit;
  }
  // Make sure the token we got is for our app.
  if ($tokenInfo->audience != $CLIENT_ID) {
    print "Token's client ID does not match app's.";
    exit;
  }

  // Only read user details once the token has passed both checks.
  $userId = $tokenInfo->user_id;
  $userEmail = $tokenInfo->email;

print 'Token from result: ' . print_r($token, true);
print '<<<<<<<<<<< tokenInfo >>>>>>> ' . print_r($tokenInfo, true);

}
else
{
          echo "Invalid state parameter";
}

Don't forget to add your CLIENT ID and Client Secret.
Sign-out does not work on localhost.

OTHER TIPS

There are two answers, as there are two libraries you're wanting to do without.

For the first (Silex):

// Create a state token to prevent request forgery.
// Store it in the session for later validation.
$state = md5(rand());
$app['session']->set('state', $state);

This is simply storing a session variable for later use. This can be done easily in PHP:

<?php
session_start();

$state = md5(rand());
$_SESSION['state'] = $state;
?>

Later on, you would verify the correct state value from the client by comparing what the client sends to $_SESSION['state'].

The second part (Twig):

// Set the client ID, token state, and application name in the HTML while
// serving it.
return $app['twig']->render('index.html', array(
    'CLIENT_ID' => CLIENT_ID,
    'STATE' => $state,
    'APPLICATION_NAME' => APPLICATION_NAME
));

This is simply replacing values in the rendered HTML with known values. You could do this by replacing every instance of {{ VARIABLE_NAME }} in the sample index.html with a PHP variable (such as changing {{ CLIENT_ID }} to <?php echo $CLIENT_ID; ?>) and then, of course, setting that variable in your code.

You would then call your PHP script instead, and have your script read in and return the index.html file.

Edit For Step 7: Confirm the anti-request forgery state token on the server

// Ensure that this is no request forgery going on, and that the user
// sending us this connect request is the user that was supposed to.
if ($request->get('state') != ($app['session']->get('state'))) {
  return new Response('Invalid state parameter', 401);
}

Instead use:

if ($_REQUEST['state'] != $_SESSION['state']) {
  header("HTTP/1.1 401 Unauthorized");
  echo "Invalid state parameter";
  exit;
}

For Step 8: Initialize the Google API client library and start the Google+ service:

For every line that is return new Response('{Message}', {HTTP status code}); replace it with

header("HTTP/1.1 {HTTP status code}");
echo "{Message}";
exit;

Then instead of

// Store the token in the session for later use.
$app['session']->set('token', json_encode($token));
$response = 'Succesfully connected with token: ' . print_r($token, true);

put

// Store the token in the session for later use.
$_SESSION['token'] = json_encode($token);
$response = 'Succesfully connected with token: ' . print_r($token, true);
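
The state check from both answers in plain PHP, as an added example (not code from either answer or from Google's sample): md5(rand()) can take only as many values as rand() can return, so this version draws the token from random_bytes(), compares it with hash_equals(), and consumes it on every attempt. The helper names issue_state() and verify_state() are hypothetical, and a plain array stands in for $_SESSION so the demo runs from the command line.

```php
<?php
// Added example: anti-forgery state token for the sign-in flow, without Silex.
// issue_state() and verify_state() are hypothetical helper names.

// Create a state token from the OS CSPRNG (PHP 7+) and store it in the session.
function issue_state(array &$session): string
{
    $session['state'] = bin2hex(random_bytes(32));
    return $session['state'];
}

// Check the value the client sent back. The stored token is consumed on every
// attempt, so one issued token can never be validated twice.
function verify_state(array &$session, $received): bool
{
    $expected = $session['state'] ?? null;
    unset($session['state']);
    if (!is_string($expected) || !is_string($received)) {
        return false; // no token was issued, or the input is not a string
    }
    return hash_equals($expected, $received); // constant-time comparison
}

// Constructed demo: $session is a stand-in for $_SESSION.
$session = [];
$state = issue_state($session);
var_dump(verify_state($session, $state));          // token sent back unchanged
var_dump(verify_state($session, $state));          // same token presented again
issue_state($session);
var_dump(verify_state($session, 'not-the-token')); // mismatching value
issue_state($session);
var_dump(verify_state($session, ['x']));           // array instead of a string
```

In plus.php this would be called as verify_state($_SESSION, $code[1] ?? null) after session_start(), answering 401 when it returns false.
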
Licensed under: CC-BY-SA with attribution