diff --git a/api/apisettings.php b/api/apisettings.php
index 0b2767a..32ce97f 100644
--- a/api/apisettings.php
+++ b/api/apisettings.php
@@ -12,14 +12,16 @@ $APIS = [
 "vars" => [
 ],
 "permission" => [
- ]
+ ],
+ "keytype" => "NONE"
 ],
 "auth" => [
 "load" => "auth.php",
 "vars" => [
 "username" => "string",
 "password" => "string"
- ]
+ ],
+ "keytype" => "AUTH"
 ],
 "userinfo" => [
 "load" => "userinfo.php",
@@ -28,7 +30,8 @@ $APIS = [
 "username" => "string",
 "uid" => "numeric"
 ]
- ]
+ ],
+ "keytype" => "READ"
 ],
 "userexists" => [
 "load" => "userexists.php",
@@ -37,33 +40,38 @@ $APIS = [
 "username" => "string",
 "uid" => "numeric"
 ]
- ]
+ ],
+ "keytype" => "AUTH"
 ],
 "hastotp" => [
 "load" => "hastotp.php",
 "vars" => [
 "username" => "string"
- ]
+ ],
+ "keytype" => "AUTH"
 ],
 "verifytotp" => [
 "load" => "verifytotp.php",
 "vars" => [
 "username" => "string",
 "code" => "string"
- ]
+ ],
+ "keytype" => "AUTH"
 ],
 "acctstatus" => [
 "load" => "acctstatus.php",
 "vars" => [
 "username" => "string"
- ]
+ ],
+ "keytype" => "AUTH"
 ],
 "login" => [
 "load" => "login.php",
 "vars" => [
 "username" => "string",
 "password" => "string"
- ]
+ ],
+ "keytype" => "AUTH"
 ],
 "ismanagerof" => [
 "load" => "ismanagerof.php",
@@ -71,7 +79,8 @@ $APIS = [
 "manager" => "string",
 "employee" => "string",
 "uid (optional)" => "numeric"
- ]
+ ],
+ "keytype" => "READ"
 ],
 "getmanaged" => [
 "load" => "getmanaged.php",
@@ -81,7 +90,8 @@ $APIS = [
 "uid" => "numeric"
 ],
 "get (optional)" => "string"
- ]
+ ],
+ "keytype" => "READ"
 ],
 "getmanagers" => [
 "load" => "getmanagers.php",
@@ -90,13 +100,15 @@ $APIS = [
 "username" => "string",
 "uid" => "numeric"
 ]
- ]
+ ],
+ "keytype" => "READ"
 ],
 "usersearch" => [
 "load" => "usersearch.php",
 "vars" => [
 "search" => "string"
- ]
+ ],
+ "keytype" => "READ"
 ],
 "permission" => [
 "load" => "permission.php",
@@ -106,40 +118,47 @@ $APIS = [
 "uid" => "numeric"
 ],
 "code" => "string"
- ]
+ ],
+ "keytype" => "READ"
 ],
 "mobileenabled" => [
- "load" => "mobileenabled.php"
+ "load" => "mobileenabled.php",
+ "keytype" => "NONE"
 ],
 "mobilevalid" => [
 "load" => "mobilevalid.php",
 "vars" => [
 "username" => "string",
 "code" => "string"
- ]
+ ],
+ "keytype" => "AUTH"
 ],
 "alertemail" => [
 "load" => "alertemail.php",
 "vars" => [
 "username" => "string",
 "appname (optional)" => "string"
- ]
+ ],
+ "keytype" => "FULL"
 ],
 "codelogin" => [
 "load" => "codelogin.php",
 "vars" => [
 "code" => "string"
- ]
+ ],
+ "keytype" => "AUTH"
 ],
 "listapps" => [
- "load" => "listapps.php"
+ "load" => "listapps.php",
+ "keytype" => "NONE"
 ],
 "getusersbygroup" => [
 "load" => "getusersbygroup.php",
 "vars" => [
 "gid" => "numeric",
 "get (optional)" => "string"
- ]
+ ],
+ "keytype" => "READ"
 ],
 "getgroupsbyuser" => [
 "load" => "getgroupsbyuser.php",
@@ -148,16 +167,19 @@ $APIS = [
 "uid" => "numeric",
 "username" => "string"
 ]
- ]
+ ],
+ "keytype" => "READ"
 ],
 "getgroups" => [
- "load" => "getgroups.php"
+ "load" => "getgroups.php",
+ "keytype" => "READ"
 ],
 "groupsearch" => [
 "load" => "groupsearch.php",
 "vars" => [
 "search" => "string"
- ]
+ ],
+ "keytype" => "READ"
 ],
 "checkpin" => [
 "load" => "checkpin.php",
@@ -167,7 +189,8 @@ $APIS = [
 "uid" => "numeric",
 "username" => "string"
 ]
- ]
+ ],
+ "keytype" => "AUTH"
 ],
 "getnotifications" => [
 "load" => "getnotifications.php",
@@ -176,7 +199,8 @@ $APIS = [
 "uid" => "numeric",
 "username" => "string"
 ]
- ]
+ ],
+ "keytype" => "READ"
 ],
 "readnotification" => [
 "load" => "readnotification.php",
@@ -186,7 +210,8 @@ $APIS = [
 "username" => "string"
 ],
 "id" => "numeric"
- ]
+ ],
+ "keytype" => "FULL"
 ],
 "addnotification" => [
 "load" => "addnotification.php",
@@ -200,7 +225,8 @@ $APIS = [
 "timestamp (optional)" => "string",
 "url (optional)" => "string",
 "sensitive (optional)" => "string"
- ]
+ ],
+ "keytype" => "FULL"
 ],
 "deletenotification" => [
 "load" => "deletenotification.php",
@@ -210,19 +236,22 @@ $APIS = [
 "username" => "string"
 ],
 "id" => "numeric"
- ]
+ ],
+ "keytype" => "FULL"
 ],
 "getloginkey" => [
 "load" => "getloginkey.php",
 "vars" => [
 "appname" => "string",
 "appicon (optional)" => "string"
- ]
+ ],
+ "keytype" => "AUTH"
 ],
 "checkloginkey" => [
 "load" => "checkloginkey.php",
 "vars" => [
 "code" => "string"
- ]
+ ],
+ "keytype" => "AUTH"
 ]
 ];
diff --git a/api/functions.php b/api/functions.php
index 78e84c1..551f34f 100644
--- a/api/functions.php
+++ b/api/functions.php
@@ -121,3 +121,41 @@ function checkVars($vars, $or = false) {
 }
 }
 }
+
+/**
+ * Check if the client API key is allowed to access API functions that require the
+ * specified API key type.
+ * @global type $VARS
+ * @global type $database
+ * @param string $type The required key type: "NONE", "AUTH", "READ", or "FULL"
+ * @return bool
+ */
+function checkkeytype(string $type): bool {
+ global $VARS, $database;
+ if (empty($VARS['key'])) {
+ return false;
+ } else {
+ $key = $VARS['key'];
+ $keytype = $database->get('apikeys', 'type', ['key' => $key]);
+ $allowedtypes = [];
+ switch ($type) {
+ case "NONE":
+ $allowedtypes = ["NONE", "AUTH", "READ", "FULL"];
+ break;
+ case "AUTH":
+ $allowedtypes = ["AUTH", "READ", "FULL"];
+ break;
+ case "READ":
+ $allowedtypes = ["READ", "FULL"];
+ break;
+ case "FULL":
+ $allowedtypes = ["FULL"];
+ }
+ if (!in_array($type, $allowedtypes)) {
+ http_response_code(403);
+ Log::insert(LogType::API_BAD_KEY, null, "Key: " . $key);
+ return false;
+ }
+ }
+ return true;
+}
\ No newline at end of file
diff --git a/api/index.php b/api/index.php
index 59d0c2a..3821d60 100644
--- a/api/index.php
+++ b/api/index.php
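Review bot: The authorization test in `checkkeytype()` compares the wrong variable: `in_array($type, $allowedtypes)` checks the *required* type, which every `case` places in its own allowed list, so any non-empty `$VARS['key']` is accepted no matter what `$database->get('apikeys', 'type', ...)` returned into `$keytype` — including a key that is not in the table at all (the lookup presumably yields null/false, which is then never examined). The line should read `if (!in_array($keytype, $allowedtypes, true)) {`, with `strict: true` so that a null/false lookup result cannot be loosely matched against a type string. The empty-key branch returns false without the `http_response_code(403)` and `LogType::API_BAD_KEY` entry that the other rejection path emits, so the two failure modes are observably different to both the client and the audit log; it should at least set the status and arguably log as well. Because that empty-key check runs before the `switch`, an action declared `"keytype" => "NONE"` still demands a key; if NONE is meant to permit keyless access, the early return should be conditional on `$type !== "NONE"`. As a matter of style, the `switch` over string literals would be clearer as a `match` expression, and the four type strings recur in apisettings.php and index.php, so class constants or an enum would keep them defined in one place.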
@@ -74,4 +74,13 @@ if (!empty($APIACTION["vars"])) {
 checkVars($APIACTION["vars"]);
 }
 
+// Assume we need full API access
+if (empty($APIACTION["keytype"])) {
+ $APIACTION["keytype"] = "FULL";
+}
+
+if (!checkkeytype($APIACTION["keytype"])) {
+ die("403 Unauthorized");
+}
+
 require_once __DIR__ . "/actions/" . $APIACTION["load"];
diff --git a/database.mwb b/database.mwb
index 235a664..a7fea3b 100644
Binary files a/database.mwb and b/database.mwb differ
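Review bot: `die("403 Unauthorized")` pairs the 403 status with the reason phrase of 401, and when `checkkeytype()` rejects because `$VARS['key']` is empty it sets no status code at all, so the client receives HTTP 200 with a "403" body. Set the status in this caller rather than relying on the callee, e.g. `http_response_code(403); die("403 Forbidden");`, so both rejection paths produce the same response. The `"FULL"` fallback for an action without a `keytype` entry is the right fail-closed default; a comment stating that intent, such as `// No keytype configured: fail closed and require a FULL key`, would make it explicit to whoever adds the next action to apisettings.php.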