*/
protected function checkAccessToken() {
if (isset($_REQUEST['at'])) {
- list($userID, $token) = array_pad(explode('-', StringUtil::trim($_REQUEST['at']), 2), 2, null);
-
- if (WCF::getUser()->userID) {
- if ($userID == WCF::getUser()->userID && \hash_equals(WCF::getUser()->accessToken, $token)) {
- // everything is fine, but we are already logged in
- return;
+ if (preg_match('~^(?P<userID>\d{1,10})-(?P<token>[a-f0-9]{40})$~', $_REQUEST['at'], $matches)) {
+ $userID = $matches['userID'];
+ $token = $matches['token'];
+
+ if (WCF::getUser()->userID) {
+ if ($userID == WCF::getUser()->userID && \hash_equals(WCF::getUser()->accessToken, $token)) {
+ // everything is fine, but we are already logged in
+ return;
+ }
+ else {
+ // token is invalid
+ throw new IllegalLinkException();
+ }
}
else {
- // token is invalid
- throw new IllegalLinkException();
+ $user = new User($userID);
+ if (\hash_equals($user->accessToken, $token) && !$user->banned) {
+ // token is valid and user is not banned -> change user
+ SessionHandler::getInstance()->changeUser($user, true);
+ }
+ else {
+ // token is invalid
+ throw new IllegalLinkException();
+ }
}
}
else {
- $user = new User($userID);
- if (\hash_equals($user->accessToken, $token) && !$user->banned) {
- // token is valid and user is not banned -> change user
- SessionHandler::getInstance()->changeUser($user, true);
- }
- else {
- // token is invalid
- throw new IllegalLinkException();
- }
+ throw new IllegalLinkException();
}
}
}