From e380c087bd93c49e8d6d4fc45a6df21c959b958d Mon Sep 17 00:00:00 2001
From: Skylar Ittner
Date: Tue, 19 Dec 2017 04:10:09 -0700
Subject: [PATCH] Allow API key to be used instead of password for API

---
 api.php | 10 +++++-----
 lib/login.php | 27 +++++++++++++++++++++++++++
 2 files changed, 32 insertions(+), 5 deletions(-)

diff --git a/api.php b/api.php
index f8b8e46..89ff443 100644
--- a/api.php
+++ b/api.php
@@ -19,7 +19,7 @@ header("Content-Type: application/json");
 $username = $VARS['username'];
 $password = $VARS['password'];
-if (user_exists($username) !== true || authenticate_user($username, $password, $errmsg) !== true || account_has_permission($username, "QWIKCLOCK") !== true) {
+if (user_exists($username) !== true || (authenticate_user($username, $password, $errmsg) !== true && checkAPIKey($password) !== true) || account_has_permission($username, "QWIKCLOCK") !== true) {
 header("HTTP/1.1 403 Unauthorized");
 die("\"403 Unauthorized\"");
 }
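Review bot: The new `checkAPIKey($password)` alternative in the `if` condition only establishes that the portal accepts the key, not that the key belongs to `$username`, so the holder of any valid key can pass this gate as any existing user whose name they supply and then act under that user's `QWIKCLOCK` permission. The key check needs to be bound to the account before `account_has_permission` runs, for example by comparing the key's owner, if the portal reports it, with `$username`; what exactly to compare depends on the portal's response and cannot be quoted here. Because `authenticate_user` is still evaluated first with the key in the password slot, every key-based request presumably also counts as a failed password attempt for that user if that function logs or rate-limits failures, which is worth confirming.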
@@ -36,14 +36,14 @@ switch ($VARS['action']) {
 $out = ["status" => "OK", "maxresults" => $max, "pong" => true];
 exit(json_encode($out));
 case "punchin":
- if ($database->has('punches', ['AND' => ['uid' => $_SESSION['uid'], 'out' => null]])) {
+ if ($database->has('punches', ['AND' => ['uid' => $userinfo['uid'], 'out' => null]])) {
 die(json_encode(["status" => "ERROR", "msg" => lang("already punched in", false)]));
 }
 $shiftid = null;
- if ($database->has('assigned_shifts', ['uid' => $_SESSION['uid']])) {
+ if ($database->has('assigned_shifts', ['uid' => $userinfo['uid']])) {
 $minclockintime = strtotime("now + 5 minutes");
- $shifts = $database->select('shifts', ["[>]assigned_shifts" => ['shiftid' => 'shiftid']], ["shifts.shiftid", "start", "end", "days"], ["AND" =>['uid' => $_SESSION['uid'], 'start[<=]' => date("H:i:s", $minclockintime)]]);
+ $shifts = $database->select('shifts', ["[>]assigned_shifts" => ['shiftid' => 'shiftid']], ["shifts.shiftid", "start", "end", "days"], ["AND" =>['uid' => $userinfo['uid'], 'start[<=]' => date("H:i:s", $minclockintime)]]);
 foreach ($shifts as $shift) {
 $curday = substr(date("D"), 0, 2);
 if (strpos($shift['days'], $curday) === FALSE) {
@@ -61,7 +61,7 @@ switch ($VARS['action']) {
 }
 }
- $database->insert('punches', ['uid' => $_SESSION['uid'], 'in' => date("Y-m-d H:i:s"), 'out' => null, 'notes' => '', 'shiftid' => $shiftid]);
+ $database->insert('punches', ['uid' => $userinfo['uid'], 'in' => date("Y-m-d H:i:s"), 'out' => null, 'notes' => '', 'shiftid' => $shiftid]);
 exit(json_encode(["status" => "OK", "msg" => lang("punched in", false)]));
 case "punchout":
 if (!$database->has('punches', ['AND' => ['uid' => $userinfo['uid'], 'out' => null]])) {
diff --git a/lib/login.php b/lib/login.php
index 13d5671..aa337d3 100644
--- a/lib/login.php
+++ b/lib/login.php
@@ -40,6 +40,33 @@ function checkLoginServer() {
 }
 }
+/**
+ * Checks if the given AccountHub API key is valid by attempting to
+ * access the API with it.
+ * @param String $key The API key to check
+ * @return boolean TRUE if the key is valid, FALSE if invalid or something went wrong
+ */
+function checkAPIKey($key) {
+ try {
+ $client = new GuzzleHttp\Client();
+
+ $response = $client
+ ->request('POST', PORTAL_API, [
+ 'form_params' => [
+ 'key' => $key,
+ 'action' => "ping"
+ ]
+ ]);
+
+ if ($response->getStatusCode() === 200) {
+ return true;
+ }
+ return false;
+ } catch (Exception $e) {
+ return false;
+ }
+}
+
 ////////////////////////////////////////////////////////////////////////////////
 // Account handling //
 ////////////////////////////////////////////////////////////////////////////////
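Review bot: `checkAPIKey` accepts any HTTP 200 from the `ping` action as proof of a valid key, so if the portal reports a rejected key inside a 200 body (this project's own `api.php` answers errors with a 200 and `"status" => "ERROR"` in the JSON, and the portal presumably behaves the same) an invalid key would be accepted; decode the body and require the portal's success marker instead of the bare status-code test, along the lines of `$body = json_decode((string) $response->getBody(), true); return is_array($body) && ($body['status'] ?? null) === 'OK';` with the exact marker confirmed against the portal. The client is also created without a timeout, so an unresponsive portal stalls every API request that reaches this check; add `'timeout' => 5, 'connect_timeout' => 5` to the request options. The signature should be typed, `function checkAPIKey(string $key): bool`, and the docblock's `@param String` / `@return boolean` should read `string` / `bool`.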