Add api.php

README.md

@@ -36,6 +36,8 @@ Program Structure
    Read through it to see what those functions do.
 * action.php  
    A good place to post forms to.  By default it only handles logging out, but is easily expanded.
+* api.php
+   Similar to action.php, but designed for user/pass authenticated JSON responses.
 * index.php  
    Login page and handler.  Hands off to `app.php` after authenticating user.  
    It includes 2fa support, by the way.

api.php

@@ -0,0 +1,36 @@
+<?php
+
+/**
+ * Simple JSON API to allow other apps to access data from this app.
+ * 
+ * Requests can be sent via either GET or POST requests.  POST is recommended
+ * as it has a lower chance of being logged on the server, exposing unencrypted
+ * user passwords.
+ */
+require __DIR__ . '/required.php';
+require_once __DIR__ . '/lib/login.php';
+require_once __DIR__ . '/lib/userinfo.php';
+header("Content-Type: application/json");
+
+$username = $VARS['username'];
+$password = $VARS['password'];
+if (user_exists($username) !== true || authenticate_user($username, $password, $errmsg) !== true) {
+    header("HTTP/1.1 403 Unauthorized");
+    die("\"403 Unauthorized\"");
+}
+$userinfo = getUserByUsername($username);
+
+// query max results
+$max = 20;
+if (preg_match("/^[0-9]+$/", $VARS['max']) === 1 && $VARS['max'] <= 1000) {
+    $max = (int) $VARS['max'];
+}
+
+switch ($VARS['action']) {
+    case "ping":
+        $out = ["status" => "OK", "maxresults" => $max, "pong" => true];
+        exit(json_encode($out));
+    default:
+        header("HTTP/1.1 400 Bad Request");
+        die("\"400 Bad Request\"");
+}