<?php

/*
	Battle.net API Authentication Tester
	A script for developers to test their implementation of the Battle.net API Authentication process.
	August 2011

	This program is free software: you can redistribute it and/or modify
	it under the terms of the GNU General Public License as published by
	the Free Software Foundation, either version 3 of the License, or
	(at your option) any later version.

	This program is distributed in the hope that it will be useful,
	but WITHOUT ANY WARRANTY; without even the implied warranty of
	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
	GNU General Public License for more details.

	You should have received a copy of the GNU General Public License
	along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

error_reporting(E_ALL);

if (isset($_GET['source'])) {
	header('Content-type: text/plain');
	readfile(basename($_SERVER['SCRIPT_FILENAME']));
	exit();
}

$pubkey = '123PUBLIC456';
$privkey = '987PRIVATE65';

function hmacsha1($key,$data) {
	$blocksize=64;
	$hashfunc='sha1';
	if (strlen($key)>$blocksize)
		$key=pack('H*', $hashfunc($key));
	$key=str_pad($key,$blocksize,chr(0x00));
	$ipad=str_repeat(chr(0x36),$blocksize);
	$opad=str_repeat(chr(0x5c),$blocksize);
	$hmac = pack(
				'H*',$hashfunc(
					($key^$opad).pack(
						'H*',$hashfunc(
							($key^$ipad).$data
						)
					)
				)
			);
	return $hmac;
}

function testauth() {
	global $pubkey,$privkey;
	header('Content-type: text/plain');

	if (!isset($_SERVER['HTTP_DATE'])) {
		echo "Error: Missing Date header in your request.\n";
		die();
	}
	if (!isset($_SERVER['HTTP_AUTHORIZATION'])) {
		echo "Error: Missing Authorization header in your request.\n";
		die();

		/*
		If you're getting this on your own server, know that many web servers 
		parse the authorization header before it gets to PHP, and don't pass it along.

		I've added the following lines to my .htaccess file on my Apache web server
		to push the authorization header to the script. Other servers may require different methods.

		RewriteEngine on
		RewriteRule bnetauthtest.php - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

		*/

	}
	$dth = $_SERVER['HTTP_DATE'];
	if (preg_match('/(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d\d (?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) \d{4} \d\d:\d\d:\d\d GMT/',$dth)==0) {
		$ourdt = date_format(date_create('now',timezone_open('GMT')),'D, d M Y H:i:s').' GMT';
		echo "Your Date header must be in RFC 1123 format.\nSee this: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.18\n\n";
		echo "Date received: $dth\nDate expected: $ourdt\n";
		die();
	}

	$dtho = date_create($dth);
	$ourdto = date_create('now',timezone_open('GMT'));
	$dtdiff = abs(intval(date_format($dtho, 'U')) - intval(date_format($ourdto, 'U')));
	if ($dtdiff > 180) {
		$ourdt = date_format($ourdto,'D, d M Y H:i:s').' GMT';
		echo "Your Date header is more than 180 seconds away from current GMT time.\n\n";
		echo "Date received: $dth\nDate expected: $ourdt\n";
		die();
	}
	if ($dtdiff > 120) {
		$ourdt = date_format($ourdto,'D, d M Y H:i:s').' GMT';
		echo "Warning: your Date header is more than 120 seconds away from current GMT time.\nYou are allowed up to 180 seconds of difference, so we will continue.\n\n";
		echo "Date received: $dth\nDate expected: $ourdt\n";
	}

	$urlpath = $_SERVER['PHP_SELF'];
	$tosign = "GET\n$dth\n$urlpath\n";
	$sig = base64_encode(hmacsha1($privkey,$tosign));

	if (preg_match('/^BNET (\w+):([a-zA-Z0-9\+\/=]+)$/',$_SERVER['HTTP_AUTHORIZATION'],$athh)==0) {
		echo "Your Authorization header is malformed.\n\n";
		echo "Expected format: BNET $pubkey:$sig\n"; 
		echo "Received format: ".$_SERVER['HTTP_AUTHORIZATION']."\n";
		die();
	}
	if ($athh[1] != $pubkey) {
		echo "Your public key is incorrect.\n\n";
		echo "Expected key: $pubkey\nReceived key: ".$athh[1]."\n";
		die();
	}
	if ($athh[2] != $sig) {
		echo "Your signature is incorrect.\n\n";
		echo "String to sign: ".str_replace("\n","\\n",$tosign)."\n";
		echo "Expected signature: $sig\n";
		echo "Received signature: ".$athh[2]."\n";
		die();
	}

	echo "Your authentication headers look good!\n";
	die();

}

if (isset($_GET['test'])) testauth();

?><html><head><title>Battle.net API Authentication Tester</title></head><body>
<h2>Battle.net API Authentication Tester</h2>
First, <a href="http://blizzard.github.com/api-wow-docs/">read the Authentication docs.</a><br><br>
This page lets you test whether your authentication code works properly. Submit a request and it will try to return a detailed response on where your authentication implementation is wrong.<br><br>

<table border="1" cellspacing="0" cellpadding="4">
<tr><td align="right">Test Request URL:</td><td><tt>http://<?php echo $_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF']; ?>?test=1</tt></td></tr>
<tr><td align="right">Public Key:</td><td><tt><?php echo $pubkey;?></tt></td></tr>
<tr><td align="right">Private Key:</td><td><tt><?php echo $privkey;?></tt></td></tr>
</table>

<br>
<b>Note</b>: Use the keys above, <b>not</b> the keys supplied by Blizzard, when using this tester!
<hr>
This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions.
<br><br>
<a href="?source=1">Authentication Tester PHP Source Code</a>

</body></html>