Check API keys for methods not flagged insecure

2019-03-26 19:24:30 -06:00 · 2019-03-26 19:24:30 -06:00 · dfae57bc01
commit dfae57bc01
parent 082973517b
3 changed files with 13 additions and 29 deletions
--- a/api/apisettings.php
+++ b/api/apisettings.php
@ -11,11 +11,13 @@ $keyregex = "/[a-z0-9]{64}/";
 $APIS = [
    "ping" => [
        "load" => "ping.php",
+        "insecure" => true,
        "vars" => [
        ]
    ],
    "signup" => [
        "load" => "addaccount.php",
+        "insecure" => true,
        "vars" => [
            "username" => "string",
            "password" => "string",
@ -24,6 +26,7 @@ $APIS = [
    ],
    "getkey" => [
        "load" => "getkey.php",
+        "insecure" => true,
        "vars" => [
            "OR user" => [
                "username" => "/[a-zA-Z0-9]+/",
--- a/api/functions.php
+++ b/api/functions.php
@ -52,30 +52,12 @@ function getCensoredKey() {
 * @return bool true if the request should continue, false if the request is bad
 */
 function authenticate(): bool {
-    return true;
-    global $VARS, $SETTINGS;
-    // HTTP basic auth
-    if (!empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_PW'])) {
-        $username = $_SERVER['PHP_AUTH_USER'];
-        $password = $_SERVER['PHP_AUTH_PW'];
-    } else if (!empty($VARS['username']) && !empty($VARS['password'])) {
-        $username = $VARS['username'];
-        $password = $VARS['password'];
-    } else {
-        return false;
+    global $VARS, $APIACTION, $database;
+
+    if (!empty($APIACTION["insecure"]) && $APIACTION["insecure"] === true) {
+        return true;
    }
-    $user = User::byUsername($username);
-    if (!$user->exists()) {
-        return false;
-    }
-    if ($user->checkPassword($password, true)) {
-        // Check that the user has permission to access the app
-        $perms = is_array($SETTINGS['api_permissions']) ? $SETTINGS['api_permissions'] : $SETTINGS['permissions'];
-        foreach ($perms as $perm) {
-            if (!$user->hasPermission($perm)) {
-                return false;
-            }
-        }
+    if ($database->has("authkeys", ["AND" => ["key" => $VARS["key"], "expires[>]" => date("Y-m-d H:i:s")]])) {
        return true;
    }
    return false;
--- a/api/index.php
+++ b/api/index.php
@ -51,12 +51,6 @@ if (strpos($_SERVER['REQUEST_URI'], "/api.php") === FALSE) {
    }
 }

-if (!authenticate()) {
-    header('WWW-Authenticate: Basic realm="' . $SETTINGS['site_title'] . '"');
-    header('HTTP/1.1 401 Unauthorized');
-    die("401 Unauthorized: you need to supply valid credentials.");
-}
-
 if (empty($VARS['action'])) {
    http_response_code(404);
    die("404 No action specified");
@ -69,6 +63,11 @@ if (!isset($APIS[$VARS['action']])) {

 $APIACTION = $APIS[$VARS["action"]];

+if (!authenticate()) {
+    header('HTTP/1.1 401 Unauthorized');
+    die("401 Unauthorized: you need to supply valid credentials.");
+}
+
 if (!file_exists(__DIR__ . "/actions/" . $APIACTION["load"])) {
    http_response_code(404);
    die("404 Action not found");