Make API work with user/pass combo

Skylar Ittner 5 years ago
parent d7ca7125ce
commit d36b340692

@ -48,20 +48,27 @@ function getCensoredKey() {
/** /**
* Check if the request is allowed * Check if the request is allowed
* @global type $VARS * @global array $VARS
* @global type $database
* @return bool true if the request should continue, false if the request is bad * @return bool true if the request should continue, false if the request is bad
*/ */
function authenticate(): bool { function authenticate(): bool {
global $VARS, $database; global $VARS;
if (empty($VARS['key'])) { // HTTP basic auth
if (!empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_PW'])) {
$user = User::byUsername($_SERVER['PHP_AUTH_USER']);
if (!$user->checkPassword($_SERVER['PHP_AUTH_PW'])) {
return false;
}
return true;
}
// Form auth
if (empty($VARS['username']) || empty($VARS['password'])) {
return false; return false;
} else { } else {
$key = $VARS['key']; $username = $VARS['username'];
if ($database->has('apikeys', ['key' => $key]) !== TRUE) { $password = $VARS['password'];
engageRateLimit(); $user = User::byUsername($username);
http_response_code(403); if ($user->exists() !== true || Login::auth($username, $password) !== Login::LOGIN_OK) {
Log::insert(LogType::API_BAD_KEY, null, "Key: " . $key);
return false; return false;
} }
} }
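Review bot: Both failure paths in the new authenticate() body return false without the `engageRateLimit()` call and the `Log::insert(...)` entry that the removed key check made, so a wrong username/password against the API is now neither throttled nor recorded, which matters more for guessable passwords than it did for random keys. Restoring both before each `return false;`, e.g. `engageRateLimit(); Log::insert(LogType::API_BAD_KEY, null, "Username: " . $username);`, keeps the old behaviour; API_BAD_KEY is the only log type visible here, so a more specific type may exist. The Basic-auth branch also calls `$user->checkPassword()` without the `$user->exists()` guard the form branch applies and without going through `Login::auth()`, so the two channels presumably enforce different checks for the same credentials; testing both with `Login::auth($username, $password) !== Login::LOGIN_OK` would make them consistent. `empty()` additionally rejects a password of `'0'`; `!isset()` or `=== ''` is the precise check. The function body continues past the end of the hunk.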

@ -25,13 +25,14 @@ if (json_last_error() == JSON_ERROR_NONE) {
if (strpos($_SERVER['REQUEST_URI'], "/api.php") === FALSE) { if (strpos($_SERVER['REQUEST_URI'], "/api.php") === FALSE) {
$route = explode("/", substr($_SERVER['REQUEST_URI'], strpos($_SERVER['REQUEST_URI'], "api/") + 4)); $route = explode("/", substr($_SERVER['REQUEST_URI'], strpos($_SERVER['REQUEST_URI'], "api/") + 4));
if (count($route) > 1) { if (count($route) >= 1) {
$VARS["action"] = $route[0]; $VARS["action"] = $route[0];
} }
if (count($route) >= 2 && strpos($route[1], "?") !== 0) { if (count($route) >= 2 && strpos($route[1], "?") !== 0) {
$VARS["key"] = $route[1]; for ($i = 1; $i < count($route); $i++) {
if (empty($route[$i]) || strpos($route[$i], "=") === false) {
for ($i = 2; $i < count($route); $i++) { continue;
}
$key = explode("=", $route[$i], 2)[0]; $key = explode("=", $route[$i], 2)[0];
$val = explode("=", $route[$i], 2)[1]; $val = explode("=", $route[$i], 2)[1];
$VARS[$key] = $val; $VARS[$key] = $val;
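Review bot: The loop copies each `key=val` path segment into $VARS without decoding it, and `$_SERVER['REQUEST_URI']` is the raw request target, so a username or password containing percent-encoded characters (`%40` for `@`, `%2F` for `/`) reaches authenticate() still encoded and will not match; applying `rawurldecode()` to both explode results, `$key = rawurldecode(explode("=", $route[$i], 2)[0]);` and likewise for `$val`, fixes that. The `strpos($route[1], "?")` guard only inspects the second segment, so a query string on a later segment is carried into `$val` (`password=bar?x=1` yields `bar?x=1`); stripping it once up front, `$path = explode("?", $_SERVER['REQUEST_URI'], 2)[0];`, and deriving `$route` from `$path` removes both problems. Since this loop now makes `username=`/`password=` path segments the form-auth input, a comment above it noting that such credentials appear in web-server and proxy access logs, and that the request body or the Basic header is the preferred channel, would help the next reader. The enclosing if block and the for loop close outside the hunk.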
@ -49,8 +50,9 @@ if (strpos($_SERVER['REQUEST_URI'], "/api.php") === FALSE) {
} }
if (!authenticate()) { if (!authenticate()) {
http_response_code(403); header('WWW-Authenticate: Basic realm="' . $SETTINGS['site_title'] . '"');
die("403 Unauthorized"); header('HTTP/1.1 401 Unauthorized');
die("401 Unauthorized: you need to supply valid credentials.");
} }
if (empty($VARS['action'])) { if (empty($VARS['action'])) {
