AccountHub/mobile/index.php

<?php

/*
 * Mobile app API
 */

require __DIR__ . "/../required.php";

require __DIR__ . "/../lib/login.php";

header('Content-Type: application/json');
header('Access-Control-Allow-Origin: *');

// Allow ping check without authentication
if ($VARS['action'] == "ping") {
    exit(json_encode(["status" => "OK"]));
}

if (MOBILE_ENABLED !== TRUE) {
    exit(json_encode(["status" => "ERROR", "msg" => lang("mobile login disabled", false)]));
}

// Make sure we have a username and access key
if (is_empty($VARS['username']) || is_empty($VARS['key'])) {
    http_response_code(401);
    die(json_encode(["status" => "ERROR", "msg" => "Missing username and/or access key."]));
}

$username = strtolower($VARS['username']);
$key = strtoupper($VARS['key']);

// Make sure the username and key are actually legit
$user_key_valid = $database->has('mobile_codes', ['[>]accounts' => ['uid' => 'uid']], ["AND" => ['mobile_codes.code' => $key, 'accounts.username' => $username]]);
if ($user_key_valid !== TRUE) {
    engageRateLimit();
    //http_response_code(401);
    insertAuthLog(21, null, "Username: " . $username . ", Key: " . $key);
    die(json_encode(["status" => "ERROR", "msg" => "Invalid username and/or access key."]));
}

// Process the action
switch ($VARS['action']) {
    case "check_key":
        // Check if the username/key combo is valid.
        // If we get this far, it is, so return success.
        exit(json_encode(["status" => "OK"]));
    case "check_password":
        // Check if the user-supplied password is valid.
        engageRateLimit();
        if (get_account_status($username) != "NORMAL") {
            insertAuthLog(20, null, "Username: " . $username . ", Key: " . $key);
            exit(json_encode(["status" => "ERROR", "msg" => lang("login failed try on web", false)]));
        }
        if (authenticate_user($username, $VARS['password'], $autherror)) {
            $uid = $database->get("accounts", "uid", ["username" => $username]);
            insertAuthLog(19, $uid, "Key: " . $key);
            exit(json_encode(["status" => "OK", "uid" => $uid]));
        } else {
            if (!is_empty($autherror)) {
                insertAuthLog(20, null, "Username: " . $username . ", Key: " . $key);
                exit(json_encode(["status" => "ERROR", "msg" => $autherror]));
            } else {
                insertAuthLog(20, null, "Username: " . $username . ", Key: " . $key);
                exit(json_encode(["status" => "ERROR", "msg" => lang("login incorrect", false)]));
            }
        }
    case "user_info":
        engageRateLimit();
        if (get_account_status($username) != "NORMAL") {
            insertAuthLog(20, null, "Username: " . $username . ", Key: " . $key);
            exit(json_encode(["status" => "ERROR", "msg" => lang("login failed try on web", false)]));
        }
        if (authenticate_user($username, $VARS['password'], $autherror)) {
            $userinfo = $database->get("accounts", ["uid", "username", "realname", "email"], ["username" => $username]);
            insertAuthLog(19, $userinfo['uid'], "Key: " . $key);
            exit(json_encode(["status" => "OK", "info" => $userinfo]));
        } else {
            if (!is_empty($autherror)) {
                insertAuthLog(20, null, "Username: " . $username . ", Key: " . $key);
                exit(json_encode(["status" => "ERROR", "msg" => $autherror]));
            } else {
                insertAuthLog(20, null, "Username: " . $username . ", Key: " . $key);
                exit(json_encode(["status" => "ERROR", "msg" => lang("login incorrect", false)]));
            }
        }
    case "start_session":
        // Do a web login.
        engageRateLimit();
        if (user_exists($username)) {
            if (get_account_status($username) == "NORMAL") {
                if (authenticate_user($username, $VARS['password'], $autherror)) {
                    doLoginUser($username, $VARS['password']);
                    exit(json_encode(["status" => "OK"]));
                }
            }
        }
        insertAuthLog(20, null, "Username: " . $username . ", Key: " . $key);
        exit(json_encode(["status" => "ERROR", "msg" => lang("login incorrect", false)]));
    case "listapps":
        $apps = EXTERNAL_APPS;
        // Format paths as absolute URLs
        foreach ($apps as $k => $v) {
            if (strpos($apps[$k]['url'], "http") === FALSE) {
                $apps[$k]['url'] = (isset($_SERVER['HTTPS']) ? "https" : "http") . "://" . $_SERVER['HTTP_HOST'] . ($_SERVER['SERVER_PORT'] != 80 || $_SERVER['SERVER_PORT'] != 443 ? ":" . $_SERVER['SERVER_PORT'] : "") . $apps[$k]['url'];
            }
        }
        exit(json_encode(["status" => "OK", "apps" => $apps]));
    default:
        http_response_code(404);
        die(json_encode(["status" => "ERROR", "msg" => "The requested action is not available."]));
}
Add mobile API and pairing widget 2017-06-16 17:36:42 -06:00			`<?php`

			`/*`
			`* Mobile app API`
			`*/`

			`require __DIR__ . "/../required.php";`

			`require __DIR__ . "/../lib/login.php";`

			`header('Content-Type: application/json');`
Tweak mobile APIs 2017-06-29 04:02:15 -06:00			`header('Access-Control-Allow-Origin: *');`
Add mobile API and pairing widget 2017-06-16 17:36:42 -06:00
			`// Allow ping check without authentication`
			`if ($VARS['action'] == "ping") {`
			`exit(json_encode(["status" => "OK"]));`
			`}`

			`if (MOBILE_ENABLED !== TRUE) {`
			`exit(json_encode(["status" => "ERROR", "msg" => lang("mobile login disabled", false)]));`
			`}`

			`// Make sure we have a username and access key`
			`if (is_empty($VARS['username']) \|\| is_empty($VARS['key'])) {`
			`http_response_code(401);`
			`die(json_encode(["status" => "ERROR", "msg" => "Missing username and/or access key."]));`
			`}`

Improve mobile integration, fix some upper/lower case bugs 2017-07-03 03:00:23 -06:00			`$username = strtolower($VARS['username']);`
			`$key = strtoupper($VARS['key']);`

Add mobile API and pairing widget 2017-06-16 17:36:42 -06:00			`// Make sure the username and key are actually legit`
Improve mobile integration, fix some upper/lower case bugs 2017-07-03 03:00:23 -06:00			`$user_key_valid = $database->has('mobile_codes', ['[>]accounts' => ['uid' => 'uid']], ["AND" => ['mobile_codes.code' => $key, 'accounts.username' => $username]]);`
Add mobile API and pairing widget 2017-06-16 17:36:42 -06:00			`if ($user_key_valid !== TRUE) {`
Fix issue #1 (add rate limiting to sensitive actions) 2017-06-16 18:40:12 -06:00			`engageRateLimit();`
Lazy fix for mobile thing 2017-07-05 00:18:22 -06:00			`//http_response_code(401);`
Improve mobile integration, fix some upper/lower case bugs 2017-07-03 03:00:23 -06:00			`insertAuthLog(21, null, "Username: " . $username . ", Key: " . $key);`
Add mobile API and pairing widget 2017-06-16 17:36:42 -06:00			`die(json_encode(["status" => "ERROR", "msg" => "Invalid username and/or access key."]));`
			`}`

			`// Process the action`
			`switch ($VARS['action']) {`
			`case "check_key":`
			`// Check if the username/key combo is valid.`
			`// If we get this far, it is, so return success.`
			`exit(json_encode(["status" => "OK"]));`
			`case "check_password":`
Close #2 (and make the DB diagram more compact) 2017-06-16 21:07:01 -06:00			`// Check if the user-supplied password is valid.`
Fix issue #1 (add rate limiting to sensitive actions) 2017-06-16 18:40:12 -06:00			`engageRateLimit();`
Improve mobile integration, fix some upper/lower case bugs 2017-07-03 03:00:23 -06:00			`if (get_account_status($username) != "NORMAL") {`
			`insertAuthLog(20, null, "Username: " . $username . ", Key: " . $key);`
Add mobile API and pairing widget 2017-06-16 17:36:42 -06:00			`exit(json_encode(["status" => "ERROR", "msg" => lang("login failed try on web", false)]));`
			`}`
Improve mobile integration, fix some upper/lower case bugs 2017-07-03 03:00:23 -06:00			`if (authenticate_user($username, $VARS['password'], $autherror)) {`
			`$uid = $database->get("accounts", "uid", ["username" => $username]);`
			`insertAuthLog(19, $uid, "Key: " . $key);`
Add mobile API and pairing widget 2017-06-16 17:36:42 -06:00			`exit(json_encode(["status" => "OK", "uid" => $uid]));`
			`} else {`
			`if (!is_empty($autherror)) {`
Improve mobile integration, fix some upper/lower case bugs 2017-07-03 03:00:23 -06:00			`insertAuthLog(20, null, "Username: " . $username . ", Key: " . $key);`
Add mobile API and pairing widget 2017-06-16 17:36:42 -06:00			`exit(json_encode(["status" => "ERROR", "msg" => $autherror]));`
			`} else {`
Improve mobile integration, fix some upper/lower case bugs 2017-07-03 03:00:23 -06:00			`insertAuthLog(20, null, "Username: " . $username . ", Key: " . $key);`
Add mobile API and pairing widget 2017-06-16 17:36:42 -06:00			`exit(json_encode(["status" => "ERROR", "msg" => lang("login incorrect", false)]));`
			`}`
			`}`
Tweak mobile APIs 2017-06-29 04:02:15 -06:00			`case "user_info":`
			`engageRateLimit();`
Improve mobile integration, fix some upper/lower case bugs 2017-07-03 03:00:23 -06:00			`if (get_account_status($username) != "NORMAL") {`
			`insertAuthLog(20, null, "Username: " . $username . ", Key: " . $key);`
Tweak mobile APIs 2017-06-29 04:02:15 -06:00			`exit(json_encode(["status" => "ERROR", "msg" => lang("login failed try on web", false)]));`
			`}`
Improve mobile integration, fix some upper/lower case bugs 2017-07-03 03:00:23 -06:00			`if (authenticate_user($username, $VARS['password'], $autherror)) {`
			`$userinfo = $database->get("accounts", ["uid", "username", "realname", "email"], ["username" => $username]);`
			`insertAuthLog(19, $userinfo['uid'], "Key: " . $key);`
Tweak mobile APIs 2017-06-29 04:02:15 -06:00			`exit(json_encode(["status" => "OK", "info" => $userinfo]));`
			`} else {`
			`if (!is_empty($autherror)) {`
Improve mobile integration, fix some upper/lower case bugs 2017-07-03 03:00:23 -06:00			`insertAuthLog(20, null, "Username: " . $username . ", Key: " . $key);`
Tweak mobile APIs 2017-06-29 04:02:15 -06:00			`exit(json_encode(["status" => "ERROR", "msg" => $autherror]));`
			`} else {`
Improve mobile integration, fix some upper/lower case bugs 2017-07-03 03:00:23 -06:00			`insertAuthLog(20, null, "Username: " . $username . ", Key: " . $key);`
Tweak mobile APIs 2017-06-29 04:02:15 -06:00			`exit(json_encode(["status" => "ERROR", "msg" => lang("login incorrect", false)]));`
			`}`
			`}`
Close #2 (and make the DB diagram more compact) 2017-06-16 21:07:01 -06:00			`case "start_session":`
			`// Do a web login.`
			`engageRateLimit();`
Improve mobile integration, fix some upper/lower case bugs 2017-07-03 03:00:23 -06:00			`if (user_exists($username)) {`
			`if (get_account_status($username) == "NORMAL") {`
			`if (authenticate_user($username, $VARS['password'], $autherror)) {`
			`doLoginUser($username, $VARS['password']);`
Close #2 (and make the DB diagram more compact) 2017-06-16 21:07:01 -06:00			`exit(json_encode(["status" => "OK"]));`
			`}`
			`}`
			`}`
Improve mobile integration, fix some upper/lower case bugs 2017-07-03 03:00:23 -06:00			`insertAuthLog(20, null, "Username: " . $username . ", Key: " . $key);`
Close #2 (and make the DB diagram more compact) 2017-06-16 21:07:01 -06:00			`exit(json_encode(["status" => "ERROR", "msg" => lang("login incorrect", false)]));`
Tweak mobile APIs 2017-06-29 04:02:15 -06:00			`case "listapps":`
Support hostless URL paths in mobile API listapps 2017-08-06 16:09:26 -06:00			`$apps = EXTERNAL_APPS;`
			`// Format paths as absolute URLs`
			`foreach ($apps as $k => $v) {`
			`if (strpos($apps[$k]['url'], "http") === FALSE) {`
Support nonstandard ports 2017-08-06 22:54:31 -06:00			`$apps[$k]['url'] = (isset($_SERVER['HTTPS']) ? "https" : "http") . "://" . $_SERVER['HTTP_HOST'] . ($_SERVER['SERVER_PORT'] != 80 \|\| $_SERVER['SERVER_PORT'] != 443 ? ":" . $_SERVER['SERVER_PORT'] : "") . $apps[$k]['url'];`
Support hostless URL paths in mobile API listapps 2017-08-06 16:09:26 -06:00			`}`
			`}`
			`exit(json_encode(["status" => "OK", "apps" => $apps]));`
Add mobile API and pairing widget 2017-06-16 17:36:42 -06:00			`default:`
			`http_response_code(404);`
			`die(json_encode(["status" => "ERROR", "msg" => "The requested action is not available."]));`
			`}`