more security stuff

9 years ago · ab0082c735
parent 0db1f88b7f
commit ab0082c735
5 changed files with 46 additions and 2 deletions
--- a/api/admin/canned/index.php
+++ b/api/admin/canned/index.php
@ -5,7 +5,9 @@ define('API_PATH', '../../');
 require_once(HESK_PATH . 'hesk_settings.inc.php');
 require_once(HESK_PATH . 'inc/common.inc.php');
 require_once(API_PATH . 'core/output.php');
+require_once(API_PATH . 'core/');
 require_once(API_PATH . 'dao/canned_dao.php');
+require_once(API_PATH . 'businesslogic/security_retriever.php');

 hesk_load_api_database_functions();
 hesk_dbConnect();
@ -13,6 +15,21 @@ hesk_dbConnect();
 // Routing
 $request_method = $_SERVER['REQUEST_METHOD'];
 if ($request_method == 'GET') {
+    $headers = getallheaders();
+    $token = NULL;
+    if (isset($headers['X-Auth-Token'])) {
+        $token = $headers['X-Auth-Token'];
+    }
+
+    try {
+        get_user_for_token($token, $hesk_settings);
+    } catch (AccessException $e) {
+        if ($e->getCode() == 422) {
+            print_error($e->getMessage(), $e->getMessage());
+        }
+        return http_response_code($e->getCode());
+    }
+
    if (isset($_GET['id'])) {
        $results = get_canned_response($hesk_settings, $_GET['id']);
    } else {
@ -22,7 +39,7 @@ if ($request_method == 'GET') {
    if ($results == NULL) {
        return http_response_code(404);
    }
-    output($results);
+    return output($results);
 }

 return http_response_code(405);
--- a/api/businesslogic/security_retriever.php
+++ b/api/businesslogic/security_retriever.php
@ -2,6 +2,7 @@
 require_once(API_PATH . 'dao/security_dao.php');

 function get_user_for_token($token, $hesk_settings) {
+
    $hash = hash('sha512', $token);

    return get_user_for_token_hash($hash, $hesk_settings);
--- a/api/core/headers.php
+++ b/api/core/headers.php
@ -0,0 +1,9 @@
+<?php
+
+function get_header($key) {
+    $headers = getallheaders();
+
+    return isset($headers[$key])
+        ? $headers[$key]
+        : NULL;
+}
--- a/api/dao/security_dao.php
+++ b/api/dao/security_dao.php
@ -1,12 +1,18 @@
 <?php
+define('NULL_OR_EMPTY_STRING', 'cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e');
+require_once(API_PATH . 'exception/AccessException.php');

 function get_user_for_token_hash($hash, $hesk_settings) {
+    if ($hash == NULL_OR_EMPTY_STRING) {
+        throw new AccessException(404);
+    }
+
    $user_id_sql = "SELECT `user_id` FROM `" . hesk_dbEscape($hesk_settings['db_pfix']) . "user_api_tokens`
        WHERE `token` = '" . hesk_dbEscape($hash) . "'";

    $user_id_rs = hesk_dbQuery($user_id_sql);
    if (hesk_dbNumRows($user_id_rs) == 0) {
-        return http_response_code(422);
+        throw new AccessException(422);
    }
    $user_id = hesk_dbFetchAssoc($user_id_rs);

--- a/api/exception/AccessException.php
+++ b/api/exception/AccessException.php
@ -0,0 +1,11 @@
+<?php
+class AccessException extends Exception {
+    public function __construct($code)
+    {
+        $message = '';
+        if ($code == 422) {
+            $message = 'The X-Auth-Token is invalid';
+        }
+        parent::__construct($message, $code);
+    }
+}