<?php

/*
 * This is a simple example of using PHP's OAuth extension to fetch a valid
 * token for a given member. The process is a typical OAuth 1.0a flow, which
 * includes requesting a member's authorization to act on her behalf and then
 * fetching the actual token once authorized. This token can then be stored
 * and used to make API calls on the member's behalf. For an example of making
 * such a call once you have retriefed an authorized token, see:
 *
 * https://gist.github.com/chrislewis/4465cd864c8f35a71cfd
 * 
 * chrisl@meetup.com
 */

/** This script is used to request access from the member as well as receive her
    response. Facilitating these transitions requires remembering bits of data
    as she is directed away from and then back to this script. We'll use the
    session to store this data, so we need to make sure a session is active. */
session_start();

/** Your oauth consumer key and secret, as created by meetup when you register
    a new consumer.
    See: https://secure.meetup.com/meetup_api/oauth_consumers/ */
$consumer_key = YOUR_CONSUMER_KEY;
$consumer_secret = YOUR_CONSUMER_SECRET;

/** See http://www.meetup.com/meetup_api/auth/#oauth for complete details, but
    the flow for retrieving an authorized token is as follows:

    1) Tell Meetup we want to request authorization from a user.
    2) Meetup responds to #1 with an unauthorized token; now we must ask the
       member for permission to use it on her behalf.
    3) Redirect the member to an authorization page hosted by Meetup. This
       allows her to grant or revoke the requested privilege to the token.
    4) Receive the response by having Meetup redirect the member to a specified
       callback URL, which will also include a verification token.
       (the so-called "oauth_verifier") only if the member authorized the token.
    5) With the unauthorized token created in #1 and the verification token
       created in #4, we can finally have Meetup create a complete OAuth token
       and use it to make API calls on the member's behalf. */

/** The URL that we use to tell Meetup that we'd like to generate an OAuth
    token. Note that we include "scope=messaging" so that the member will
    authorize us to use the messaging API on her behalf. There are several
    scopes we can use; see http://www.meetup.com/meetup_api/auth/#oauth2-scopes
    for complete details. */
$request_url = 'https://api.meetup.com/oauth/request?scope=messaging';

/** The callback URL. This must be the URL of this script and must be reachable
    by the member's user agent (unless you are testing internally, this will
    need to be on a publicly reachable site). This URL should also match the 
    "Redirect URI" you specified when creating your consumer, or at least share
    the same base URL. */
$callback_url = YOUR_CALLBACK_URL;

/** The URLs for requesting authorization from the member and for requesting the
    token once authorized. These are specified in the Meetup OAuth documentation:
    http://www.meetup.com/meetup_api/auth/#oauth */
$authorize_url = 'http://www.meetup.com/authorize';
$access_url = 'https://api.meetup.com/oauth/access';

/** Construct an OAuth client using your consumer key and secret. Note that this
    uses PHP's OAuth extension; refer to its documentation for details:
    http://php.net/manual/en/book.oauth.php. */
$oauth = new OAuth($consumer_key, $consumer_secret);

if(! isset($_GET['oauth_verifier'])) {
  /* If this script was not requested with an 'oauth_verifier' token, then
     we're at the beginning of the OAuth flow and must start by generating a
     token request. */
  $token_info = $oauth->getRequestToken($request_url, $callback_url);

  /* Store the secret as we'll need it to fetch the authorized token, if and
     when the member allows it. */
  $_SESSION['secret'] = $token_info['oauth_token_secret'];

  /* Redirect the member's browser to the token authorization page. This
     helps to ensure that the member is in control of granting or revoking
     API access to us on her behalf. */
  header('Location: ' . $authorize_url . '/?oauth_token=' . $token_info['oauth_token']);

  /* Exit immediately as we're redirecting the member. This also ensures that
     the session cookie is sent which preserves our session for when the member
     returns (and when that happens we'll need the "secret" that we stored). */
  exit(0);
} else {
  /* Home stretch! We have an 'oauth_verifier' parameter which should mean that
     the member has granted us permission. Yay! Now we must use the secret we
     stored in the session along with the verification token we just received
     (as the value of the 'oauth_verifier' parameter) to authorize our token.
     The 'secret' is a way of securely tying the unauthorized token to the
     verification token, which represents the member granting us authority and
     ultimatley authorizes our perviously unauthorized token. */
  $oauth->setToken($_GET['oauth_token'], $_SESSION['secret']);
  $token_info = $oauth->getAccessToken($access_url, '', $_GET['oauth_verifier']);

  /* We should finally have our authorized oauth token and secret which we can
     store and use to make authorized API calls on behalf of the authorizing
     member. The token and its secret are available as values in the $token_info
     associatve array as $token_info['oauth_token'] and
     $token_info['oauth_token_secret'], respectively. For an example of using
     these values, see:
     https://gist.github.com/chrislewis/4465cd864c8f35a71cfd. */
}

?>