more security stuff
This commit is contained in:
parent
0db1f88b7f
commit
ab0082c735
@ -5,7 +5,9 @@ define('API_PATH', '../../');
|
||||
require_once(HESK_PATH . 'hesk_settings.inc.php');
|
||||
require_once(HESK_PATH . 'inc/common.inc.php');
|
||||
require_once(API_PATH . 'core/output.php');
|
||||
require_once(API_PATH . 'core/');
|
||||
require_once(API_PATH . 'dao/canned_dao.php');
|
||||
require_once(API_PATH . 'businesslogic/security_retriever.php');
|
||||
|
||||
hesk_load_api_database_functions();
|
||||
hesk_dbConnect();
|
||||
@ -13,6 +15,21 @@ hesk_dbConnect();
|
||||
// Routing
|
||||
$request_method = $_SERVER['REQUEST_METHOD'];
|
||||
if ($request_method == 'GET') {
|
||||
$headers = getallheaders();
|
||||
$token = NULL;
|
||||
if (isset($headers['X-Auth-Token'])) {
|
||||
$token = $headers['X-Auth-Token'];
|
||||
}
|
||||
|
||||
try {
|
||||
get_user_for_token($token, $hesk_settings);
|
||||
} catch (AccessException $e) {
|
||||
if ($e->getCode() == 422) {
|
||||
print_error($e->getMessage(), $e->getMessage());
|
||||
}
|
||||
return http_response_code($e->getCode());
|
||||
}
|
||||
|
||||
if (isset($_GET['id'])) {
|
||||
$results = get_canned_response($hesk_settings, $_GET['id']);
|
||||
} else {
|
||||
@ -22,7 +39,7 @@ if ($request_method == 'GET') {
|
||||
if ($results == NULL) {
|
||||
return http_response_code(404);
|
||||
}
|
||||
output($results);
|
||||
return output($results);
|
||||
}
|
||||
|
||||
return http_response_code(405);
|
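Review bot: In the catch block, `print_error(...)` emits the response body before `http_response_code($e->getCode())` runs, so for the 422 case the status is set after output has started and, unless output is buffered, the client already received a 200 status line; set the status first: `http_response_code($e->getCode()); if ($e->getCode() === 422) { print_error($e->getMessage(), $e->getMessage()); } return;`. The header lookup duplicates the new `get_header()` helper and could be `$token = get_header('X-Auth-Token');`, but the include that would provide it reads `require_once(API_PATH . 'core/');`, a directory rather than `core/headers.php` — presumably a truncated path, worth checking. The `if ($request_method == 'GET')` block continues into the next hunk, so its `else` branch is only partly visible here.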
@ -2,6 +2,7 @@
|
||||
require_once(API_PATH . 'dao/security_dao.php');
|
||||
|
||||
function get_user_for_token($token, $hesk_settings) {
|
||||
|
||||
$hash = hash('sha512', $token);
|
||||
|
||||
return get_user_for_token_hash($hash, $hesk_settings);
|
||||
|
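Review bot: `hash('sha512', $token)` is reached with `$token` possibly `NULL` (the controller passes `NULL` when the header is absent), which PHP hashes as the empty string; the missing-token case is then only recognised downstream by comparing against the hard-coded SHA-512 of `''`, and passing `null` to `hash()` is deprecated since PHP 8.1. Reject it before hashing: `if ($token === null || $token === '') { throw new AccessException(404); }`. An unsalted fast hash is adequate for lookup only if tokens are long random values, so that assumption deserves a comment: `// Tokens are high-entropy random strings; an unsalted hash is sufficient for lookup`. The function's closing brace lies outside the hunk.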
9
api/core/headers.php
Normal file
9
api/core/headers.php
Normal file
@ -0,0 +1,9 @@
|
||||
<?php
|
||||
|
||||
function get_header($key) {
|
||||
$headers = getallheaders();
|
||||
|
||||
return isset($headers[$key])
|
||||
? $headers[$key]
|
||||
: NULL;
|
||||
}
|
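Review bot: `$headers[$key]` is an exact-case lookup, but HTTP header names are case-insensitive and `getallheaders()` returns them with whatever casing the client or an intermediate proxy used, so a request sending `x-auth-token` is treated as having no token; normalise before looking up: `$headers = array_change_key_case(getallheaders(), CASE_LOWER); return $headers[strtolower($key)] ?? NULL;`. `getallheaders()` is also not defined under every SAPI (the CLI, for one), which matters if this code is ever exercised from tests; a `function_exists()` check with a fallback to `$_SERVER['HTTP_*']` would remove that dependency. A one-line docblock would help: `/** Returns the value of request header $key (case-insensitive), or NULL when absent. */`.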
@ -1,12 +1,18 @@
|
||||
<?php
|
||||
define('NULL_OR_EMPTY_STRING', 'cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e');
|
||||
require_once(API_PATH . 'exception/AccessException.php');
|
||||
|
||||
function get_user_for_token_hash($hash, $hesk_settings) {
|
||||
if ($hash == NULL_OR_EMPTY_STRING) {
|
||||
throw new AccessException(404);
|
||||
}
|
||||
|
||||
$user_id_sql = "SELECT `user_id` FROM `" . hesk_dbEscape($hesk_settings['db_pfix']) . "user_api_tokens`
|
||||
WHERE `token` = '" . hesk_dbEscape($hash) . "'";
|
||||
|
||||
$user_id_rs = hesk_dbQuery($user_id_sql);
|
||||
if (hesk_dbNumRows($user_id_rs) == 0) {
|
||||
return http_response_code(422);
|
||||
throw new AccessException(422);
|
||||
}
|
||||
$user_id = hesk_dbFetchAssoc($user_id_rs);
|
||||
|
||||
|
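Review bot: `$hash == NULL_OR_EMPTY_STRING` uses loose comparison on two hex strings; `==` compares numeric-looking strings numerically, so prefer `if ($hash === NULL_OR_EMPTY_STRING) {`. Detecting a missing token by recognising the SHA-512 of the empty string is indirect — the caller can reject an empty token before hashing — and if the constant stays it deserves a comment: `// SHA-512 of '' — the value an absent or empty token hashes to`. The 404 for a missing token and 422 for an unknown one are unusual for an authentication failure; 401 would be the conventional status for both, unless the API has its own convention. The function body continues past the hunk.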
11
api/exception/AccessException.php
Normal file
11
api/exception/AccessException.php
Normal file
@ -0,0 +1,11 @@
|
||||
<?php
|
||||
class AccessException extends Exception {
|
||||
public function __construct($code)
|
||||
{
|
||||
$message = '';
|
||||
if ($code == 422) {
|
||||
$message = 'The X-Auth-Token is invalid';
|
||||
}
|
||||
parent::__construct($message, $code);
|
||||
}
|
||||
}
|
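Review bot: The constructor leaves `$message` empty for every code except 422, so the 404 `AccessException` thrown for a missing token carries no message, which is unhelpful when logged or surfaced; a `match` with a default describes every code: `parent::__construct(match ($code) { 422 => 'The X-Auth-Token is invalid', default => 'Access denied' }, $code);`. Typing the parameter, `public function __construct(int $code)`, also stops a non-integer code from reaching `Exception::__construct`, which requires an int.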