sequenceDiagram
participant C as Client (public.toni-develops.com)
participant AP as Auth Proxy (public.toni-develops.com)
participant A as Auth Server (toninichev.com)
participant PP as Protected API Proxy
participant P as Protected API
C->>AP: 1. Opens popup to /authenticate.php
AP->>A: 2. Forwards auth request
A-->>AP: 3. Returns auth page + sets cookie (.toninichev.com)
AP-->>C: 4. Sends postMessage with user data
C->>PP: 5. Calls protected API with cookie
PP->>P: 6. Forwards request with cookie
P-->>PP: 7. Returns protected data
PP-->>C: 8. Returns data to client
https://public.toni-develops.com/examples/oauth2/proxy-example
index.html
<!DOCTYPE html>
<html>
<head>
<title>OAuth Client</title>
</head>
<body>
<button onclick="initiateOAuth()">Login</button>
<div id="user-info"></div>
<script>
function initiateOAuth() {
const relayURL = encodeURIComponent(
'storagerelay://https/toninichev.com/auth/callback'
);
const authWindow = window.open(
`https://public.toni-develops.com/examples/oauth2/proxy-example/authenticate-proxy.php`,
'oauth',
'width=600,height=600'
);
const messageHandler = (event) => {
if (event.origin !== 'https://public.toni-develops.com') return;
if (event.data.type === 'AUTH_SUCCESS') {
document.getElementById('user-info').textContent =
`Logged in as: ${event.data.user.email}`;
fetch('https://public.toni-develops.com/examples/oauth2/proxy-example/protected-api-proxy.php', {
credentials: 'include'
})
.then(res => {
if (!res.ok) throw new Error('API request failed');
return res.json();
})
.then(data => console.log('Protected API response:', data))
.catch(err => {
console.error('API error:', err);
document.getElementById('user-info').textContent = 'API error occurred';
});
}
// Cleanup
window.removeEventListener('message', messageHandler);
};
window.addEventListener('message', messageHandler);
}
</script>
</body>
</html>authenticate-proxy.php
<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://toninichev.com/examples/oauth/proxy-example/');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
$response = curl_exec($ch);
$header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
$headers = substr($response, 0, $header_size);
$body = substr($response, $header_size);
curl_close($ch);
// Parse and forward cookies
$headerLines = explode("\n", $headers);
foreach($headerLines as $header) {
if (strpos(strtolower($header), 'set-cookie') !== false) {
header($header);
}
}
echo $body;
https://toninichev.com/examples/oauth/proxy-example/
index.php
<?php
require_once 'config.php';
header("Access-Control-Allow-Origin: " . CLIENT_DOMAIN);
header("Access-Control-Allow-Credentials: true");
header("Access-Control-Allow-Methods: GET, POST");
$user = [
'id' => '123',
'email' => 'user@example.com'
];
$token = 'this_is_test_jwt';
setcookie('auth_token', $token, [
'expires' => time() + 3600,
'path' => '/',
'domain' => '.toni-develops.com',
'secure' => true,
'httponly' => true,
'samesite' => 'None'
]);
?>
<!DOCTYPE html>
<html>
<script>
window.opener.postMessage(
{
type: 'AUTH_SUCCESS',
user: <?php echo json_encode($user); ?>
},
'<?php echo CLIENT_DOMAIN; ?>'
);
//window.close();
</script>
</html>
protected-api.php
<?php
define('CLIENT_DOMAIN', 'https://public.toni-develops.com');
header("Access-Control-Allow-Origin: " . CLIENT_DOMAIN);
header("Access-Control-Allow-Credentials: true");
header("Access-Control-Allow-Methods: GET, POST, OPTIONS");
header("Access-Control-Allow-Headers: Content-Type");
header("Content-Type: application/json");
// Handle preflight requests
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
exit(0);
}
if (!isset($_COOKIE['auth_token'])) {
http_response_code(401);
echo json_encode(['error' => 'Unauthorized']);
exit;
}
$response = [
'status' => 'success',
'message' => 'Protected data accessed',
'data' => [
'timestamp' => time(),
'user_id' => '123'
]
];
echo json_encode($response);