Check API keys for methods not flagged insecure
This commit is contained in:
parent
082973517b
commit
dfae57bc01
@ -11,11 +11,13 @@ $keyregex = "/[a-z0-9]{64}/";
|
||||
$APIS = [
|
||||
"ping" => [
|
||||
"load" => "ping.php",
|
||||
"insecure" => true,
|
||||
"vars" => [
|
||||
]
|
||||
],
|
||||
"signup" => [
|
||||
"load" => "addaccount.php",
|
||||
"insecure" => true,
|
||||
"vars" => [
|
||||
"username" => "string",
|
||||
"password" => "string",
|
||||
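Review bot: The new `"insecure" => true` entries (on ping and signup here, and on getkey in the next hunk) are the only thing that exempts an action from authenticate(), but nothing in the array says so, and a reader adding an endpoint has no cue that leaving the key out is what makes the action require an API key. Add a comment above `$APIS = [` such as `// "insecure" => true: authenticate() skips the API-key check for this action. Omit it for anything that reads or writes account data.` Absence of the flag being the secure default is the right polarity; the comment just needs to make that explicit at the one place endpoints are declared.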
@ -24,6 +26,7 @@ $APIS = [
|
||||
],
|
||||
"getkey" => [
|
||||
"load" => "getkey.php",
|
||||
"insecure" => true,
|
||||
"vars" => [
|
||||
"OR user" => [
|
||||
"username" => "/[a-zA-Z0-9]+/",
|
||||
|
@ -52,30 +52,12 @@ function getCensoredKey() {
|
||||
* @return bool true if the request should continue, false if the request is bad
|
||||
*/
|
||||
function authenticate(): bool {
|
||||
return true;
|
||||
global $VARS, $SETTINGS;
|
||||
// HTTP basic auth
|
||||
if (!empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_PW'])) {
|
||||
$username = $_SERVER['PHP_AUTH_USER'];
|
||||
$password = $_SERVER['PHP_AUTH_PW'];
|
||||
} else if (!empty($VARS['username']) && !empty($VARS['password'])) {
|
||||
$username = $VARS['username'];
|
||||
$password = $VARS['password'];
|
||||
} else {
|
||||
return false;
|
||||
global $VARS, $APIACTION, $database;
|
||||
|
||||
if (!empty($APIACTION["insecure"]) && $APIACTION["insecure"] === true) {
|
||||
return true;
|
||||
}
|
||||
$user = User::byUsername($username);
|
||||
if (!$user->exists()) {
|
||||
return false;
|
||||
}
|
||||
if ($user->checkPassword($password, true)) {
|
||||
// Check that the user has permission to access the app
|
||||
$perms = is_array($SETTINGS['api_permissions']) ? $SETTINGS['api_permissions'] : $SETTINGS['permissions'];
|
||||
foreach ($perms as $perm) {
|
||||
if (!$user->hasPermission($perm)) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
if ($database->has("authkeys", ["AND" => ["key" => $VARS["key"], "expires[>]" => date("Y-m-d H:i:s")]])) {
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
|
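Review bot: The new key check at `if ($database->has("authkeys", ...` passes `$VARS["key"]` straight into the query without first confirming it is present, so a request with no key reaches the database with a null value, and `$keyregex` (declared at the top of the file, visible in the first hunk's header) is never applied here even though it exists for exactly this purpose. Reject an absent or malformed key before querying, and anchor the pattern (`/^[a-z0-9]{64}$/`) so a 64-character run embedded in a longer string does not pass. The `date("Y-m-d H:i:s")` comparison uses PHP's configured timezone, so it is only correct if the `expires` column was written in the same zone — a one-line comment stating that assumption would help. The docblock above the function should also state the new contract: actions flagged `"insecure"` skip the check, everything else needs an unexpired key in `$VARS["key"]`. The function's closing brace lies outside the hunk.
```php
function authenticate(): bool {
    global $VARS, $APIACTION, $database, $keyregex;

    // … unchanged: "insecure" short-circuit …

    // Refuse before touching the database: no key, wrong type, or not the 64-char [a-z0-9] shape.
    if (empty($VARS["key"]) || !is_string($VARS["key"]) || !preg_match($keyregex, $VARS["key"])) {
        return false;
    }

    // … unchanged: authkeys lookup and final return false …
```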
@ -51,12 +51,6 @@ if (strpos($_SERVER['REQUEST_URI'], "/api.php") === FALSE) {
|
||||
}
|
||||
}
|
||||
|
||||
if (!authenticate()) {
|
||||
header('WWW-Authenticate: Basic realm="' . $SETTINGS['site_title'] . '"');
|
||||
header('HTTP/1.1 401 Unauthorized');
|
||||
die("401 Unauthorized: you need to supply valid credentials.");
|
||||
}
|
||||
|
||||
if (empty($VARS['action'])) {
|
||||
http_response_code(404);
|
||||
die("404 No action specified");
|
||||
@ -69,6 +63,11 @@ if (!isset($APIS[$VARS['action']])) {
|
||||
|
||||
$APIACTION = $APIS[$VARS["action"]];
|
||||
|
||||
if (!authenticate()) {
|
||||
header('HTTP/1.1 401 Unauthorized');
|
||||
die("401 Unauthorized: you need to supply valid credentials.");
|
||||
}
|
||||
|
||||
if (!file_exists(__DIR__ . "/actions/" . $APIACTION["load"])) {
|
||||
http_response_code(404);
|
||||
die("404 Action not found");
|
||||
|
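Review bot: The moved 401 branch at `header('HTTP/1.1 401 Unauthorized');` hand-writes the status line while the 404 branches beside it use `http_response_code(404)`; use `http_response_code(401);` for consistency, which also lets PHP emit the protocol version of the actual request. Running authenticate() after the action lookup means an unauthenticated caller now gets a 404 for an unknown action and a 401 for a known one, so valid action names are discoverable without a key — likely acceptable for this API, but worth a comment at the call site such as `// Auth is deferred until $APIACTION is known so the "insecure" flag can be consulted.` The `WWW-Authenticate` header from the block removed in the previous hunk is gone, which is consistent now that HTTP basic auth is no longer checked.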