Check API keys for methods not flagged insecure

api/apisettings.php

@@ -11,11 +11,13 @@ $keyregex = "/[a-z0-9]{64}/";
 $APIS = [
     "ping" => [
         "load" => "ping.php",
+        "insecure" => true,
         "vars" => [
         ]
     ],
     "signup" => [
         "load" => "addaccount.php",
+        "insecure" => true,
         "vars" => [
             "username" => "string",
             "password" => "string",
@@ -24,6 +26,7 @@ $APIS = [
     ],
     "getkey" => [
         "load" => "getkey.php",
+        "insecure" => true,
         "vars" => [
             "OR user" => [
                 "username" => "/[a-zA-Z0-9]+/",

api/functions.php

@@ -52,30 +52,12 @@ function getCensoredKey() {
  * @return bool true if the request should continue, false if the request is bad
  */
 function authenticate(): bool {
-    return true;
-    global $VARS, $SETTINGS;
-    // HTTP basic auth
-    if (!empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_PW'])) {
-        $username = $_SERVER['PHP_AUTH_USER'];
-        $password = $_SERVER['PHP_AUTH_PW'];
-    } else if (!empty($VARS['username']) && !empty($VARS['password'])) {
-        $username = $VARS['username'];
-        $password = $VARS['password'];
-    } else {
-        return false;
-    }
-    $user = User::byUsername($username);
-    if (!$user->exists()) {
-        return false;
+    global $VARS, $APIACTION, $database;
+
+    if (!empty($APIACTION["insecure"]) && $APIACTION["insecure"] === true) {
+        return true;
     }
-    if ($user->checkPassword($password, true)) {
-        // Check that the user has permission to access the app
-        $perms = is_array($SETTINGS['api_permissions']) ? $SETTINGS['api_permissions'] : $SETTINGS['permissions'];
-        foreach ($perms as $perm) {
-            if (!$user->hasPermission($perm)) {
-                return false;
-            }
-        }
+    if ($database->has("authkeys", ["AND" => ["key" => $VARS["key"], "expires[>]" => date("Y-m-d H:i:s")]])) {
         return true;
     }
     return false;

api/index.php

@@ -51,12 +51,6 @@ if (strpos($_SERVER['REQUEST_URI'], "/api.php") === FALSE) {
     }
 }
 
-if (!authenticate()) {
-    header('WWW-Authenticate: Basic realm="' . $SETTINGS['site_title'] . '"');
-    header('HTTP/1.1 401 Unauthorized');
-    die("401 Unauthorized: you need to supply valid credentials.");
-}
-
 if (empty($VARS['action'])) {
     http_response_code(404);
     die("404 No action specified");
@@ -69,6 +63,11 @@ if (!isset($APIS[$VARS['action']])) {
 
 $APIACTION = $APIS[$VARS["action"]];
 
+if (!authenticate()) {
+    header('HTTP/1.1 401 Unauthorized');
+    die("401 Unauthorized: you need to supply valid credentials.");
+}
+
 if (!file_exists(__DIR__ . "/actions/" . $APIACTION["load"])) {
     http_response_code(404);
     die("404 Action not found");