@ -52,30 +52,12 @@ function getCensoredKey() {
|
|
|
|
* @return bool true if the request should continue, false if the request is bad
|
|
|
|
* @return bool true if the request should continue, false if the request is bad
|
|
|
|
*/
|
|
|
|
*/
|
|
|
|
function authenticate(): bool {
|
|
|
|
function authenticate(): bool {
|
|
|
|
|
|
|
|
global $VARS, $APIACTION, $database;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if (!empty($APIACTION["insecure"]) && $APIACTION["insecure"] === true) {
|
|
|
|
return true;
|
|
|
|
return true;
|
|
|
|
global $VARS, $SETTINGS;
|
|
|
|
|
|
|
|
// HTTP basic auth
|
|
|
|
|
|
|
|
if (!empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_PW'])) {
|
|
|
|
|
|
|
|
$username = $_SERVER['PHP_AUTH_USER'];
|
|
|
|
|
|
|
|
$password = $_SERVER['PHP_AUTH_PW'];
|
|
|
|
|
|
|
|
} else if (!empty($VARS['username']) && !empty($VARS['password'])) {
|
|
|
|
|
|
|
|
$username = $VARS['username'];
|
|
|
|
|
|
|
|
$password = $VARS['password'];
|
|
|
|
|
|
|
|
} else {
|
|
|
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
$user = User::byUsername($username);
|
|
|
|
|
|
|
|
if (!$user->exists()) {
|
|
|
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
if ($user->checkPassword($password, true)) {
|
|
|
|
|
|
|
|
// Check that the user has permission to access the app
|
|
|
|
|
|
|
|
$perms = is_array($SETTINGS['api_permissions']) ? $SETTINGS['api_permissions'] : $SETTINGS['permissions'];
|
|
|
|
|
|
|
|
foreach ($perms as $perm) {
|
|
|
|
|
|
|
|
if (!$user->hasPermission($perm)) {
|
|
|
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if ($database->has("authkeys", ["AND" => ["key" => $VARS["key"], "expires[>]" => date("Y-m-d H:i:s")]])) {
|
|
|
|
return true;
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return false;
|
|
|
|
return false;
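Review bot: The authkey lookup reads `$VARS["key"]` without first checking that a key was supplied, so a request carrying no key still reaches the database with a null value; add `if (empty($VARS["key"])) { return false; }` immediately before the `$database->has("authkeys", ...)` call so the absent-key case fails closed without a query. The `expires[>]` comparison uses `date("Y-m-d H:i:s")`, which is rendered in PHP's configured timezone — presumably the stored expiry timestamps were written the same way, but that is worth confirming, since a mismatch would silently extend or cut short key lifetimes. In the `insecure` branch, `!empty(...) && ... === true` can be collapsed to `if (($APIACTION["insecure"] ?? false) === true) {`, which avoids the undefined-key warning while keeping the strict comparison. The docblock above still only says "true if the request should continue"; a sentence such as "Actions flagged `insecure` in `$APIACTION` bypass the authkey check entirely" would make the intentional bypass visible to the next reader.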