harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

some major cleanup of api authentication stuff - still needs much more and this still may not solve #206

Browse Source
This commit is contained in:
redmatrix 2015-12-10 16:39:46 -08:00
parent 7fa944ed95
commit 8389d8677d
3 changed files with 110 additions and 115 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
include/api.php
View File

@ -2298,12 +2298,11 @@ require_once('include/api_auth.php');
api_register_func('api/direct_messages','api_direct_messages_inbox',true); api_register_func('api/direct_messages','api_direct_messages_inbox',true);
function api_oauth_request_token(&$a, $type){ function api_oauth_request_token(&$a, $type){
try{ try{
$oauth = new FKOAuth1(); $oauth = new ZotOAuth1();
$req = OAuthRequest::from_request(); $req = OAuthRequest::from_request();
logger('Req: ' . var_export($req,true)); logger('Req: ' . var_export($req,true),LOGGER_DATA);
$r = $oauth->fetch_request_token($req); $r = $oauth->fetch_request_token($req);
}catch(Exception $e){ }catch(Exception $e){
logger('oauth_exception: ' . print_r($e->getMessage(),true)); logger('oauth_exception: ' . print_r($e->getMessage(),true));
@ -2313,9 +2312,10 @@ logger('Req: ' . var_export($req,true));
echo $r; echo $r;
killme(); killme();
} }
function api_oauth_access_token(&$a, $type){ function api_oauth_access_token(&$a, $type){
try{ try{
$oauth = new FKOAuth1(); $oauth = new ZotOAuth1();
$req = OAuthRequest::from_request(); $req = OAuthRequest::from_request();
$r = $oauth->fetch_access_token($req); $r = $oauth->fetch_access_token($req);
}catch(Exception $e){ }catch(Exception $e){

50
include/api_auth.php
View File

@ -1,16 +1,18 @@
<?php /** @file */ <?php /** @file */
require_once('include/oauth.php');
/** /**
* Simple HTTP Login * API Login via basic-auth or OAuth
*/ */
function api_login(&$a){ function api_login(&$a){
$record = null;
require_once('include/oauth.php');
// login with oauth // login with oauth
try { try {
$oauth = new FKOAuth1(); $oauth = new ZotOAuth1();
$req = OAuthRequest::from_request(); $req = OAuthRequest::from_request();
list($consumer,$token) = $oauth->verify_request($req); list($consumer,$token) = $oauth->verify_request($req);
@ -23,16 +25,14 @@ function api_login(&$a){
call_hooks('logged_in', $a->user); call_hooks('logged_in', $a->user);
return; return;
} }
echo __file__.__line__.__function__."<pre>";
// var_dump($consumer, $token);
killme(); killme();
} }
catch(Exception $e) { catch(Exception $e) {
logger(__file__.__line__.__function__."\n".$e); logger(__file__.__line__.__function__."\n".$e);
} }
// workarounds for HTTP-auth in CGI mode
// workaround for HTTP-auth in CGI mode
if(x($_SERVER,'REDIRECT_REMOTE_USER')) { if(x($_SERVER,'REDIRECT_REMOTE_USER')) {
$userpass = base64_decode(substr($_SERVER["REDIRECT_REMOTE_USER"],6)) ; $userpass = base64_decode(substr($_SERVER["REDIRECT_REMOTE_USER"],6)) ;
if(strlen($userpass)) { if(strlen($userpass)) {
@ -51,43 +51,43 @@ function api_login(&$a){
} }
} }
require_once('include/auth.php');
if (!isset($_SERVER['PHP_AUTH_USER'])) { require_once('include/security.php');
logger('API_login: ' . print_r($_SERVER,true), LOGGER_DEBUG);
retry_basic_auth();
}
// process normal login request // process normal login request
require_once('include/auth.php');
if(isset($_SERVER['PHP_AUTH_USER'])) {
$channel_login = 0; $channel_login = 0;
$record = account_verify_password($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW']); $record = account_verify_password($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW']);
if(! $record) { if(! $record) {
$r = q("select * from channel where channel_address = '%s' limit 1", $r = q("select * from channel left join account on account.account_id = channel.channel_account_id
where channel.channel_address = '%s' limit 1",
dbesc($_SERVER['PHP_AUTH_USER']) dbesc($_SERVER['PHP_AUTH_USER'])
); );
if ($r) { if ($r) {
$x = q("select * from account where account_id = %d limit 1", $record = account_verify_password($r[0]['account_email'],$_SERVER['PHP_AUTH_PW']);
intval($r[0]['channel_account_id'])
);
if ($x) {
$record = account_verify_password($x[0]['account_email'],$_SERVER['PHP_AUTH_PW']);
if($record) if($record)
$channel_login = $r[0]['channel_id']; $channel_login = $r[0]['channel_id'];
} }
} }
if(! $record) {
logger('API_login failure: ' . print_r($_SERVER,true), LOGGER_DEBUG);
retry_basic_auth();
}
} }
require_once('include/security.php'); if($record) {
authenticate_success($record); authenticate_success($record);
if($channel_login) if($channel_login)
change_channel($channel_login); change_channel($channel_login);
$_SESSION['allow_api'] = true; $_SESSION['allow_api'] = true;
return true;
}
else {
$_SERVER['PHP_AUTH_PW'] = '*****';
logger('API_login failure: ' . print_r($_SERVER,true), LOGGER_DEBUG);
log_failed_login('API login failure');
retry_basic_auth();
}
} }

87
include/oauth.php
View File

@ -1,4 +1,5 @@
<?php /** @file */ <?php /** @file */
/** /**
* OAuth server * OAuth server
* Based on oauth2-php <http://code.google.com/p/oauth2-php/> * Based on oauth2-php <http://code.google.com/p/oauth2-php/>
@ -9,16 +10,17 @@ define('REQUEST_TOKEN_DURATION', 300);
define('ACCESS_TOKEN_DURATION', 31536000); define('ACCESS_TOKEN_DURATION', 31536000);
require_once("library/OAuth1.php"); require_once("library/OAuth1.php");
require_once("library/oauth2-php/lib/OAuth2.inc");
class FKOAuthDataStore extends OAuthDataStore { //require_once("library/oauth2-php/lib/OAuth2.inc");
class ZotOAuthDataStore extends OAuthDataStore {
function gen_token(){ function gen_token(){
return md5(base64_encode(pack('N6', mt_rand(), mt_rand(), mt_rand(), mt_rand(), mt_rand(), uniqid()))); return md5(base64_encode(pack('N6', mt_rand(), mt_rand(), mt_rand(), mt_rand(), mt_rand(), uniqid())));
} }
function lookup_consumer($consumer_key) { function lookup_consumer($consumer_key) {
logger(__function__.":".$consumer_key); logger('consumer_key: ' . $consumer_key, LOGGER_DEBUG);
// echo "<pre>"; var_dump($consumer_key); killme();
$r = q("SELECT client_id, pw, redirect_uri FROM clients WHERE client_id = '%s'", $r = q("SELECT client_id, pw, redirect_uri FROM clients WHERE client_id = '%s'",
dbesc($consumer_key) dbesc($consumer_key)
@ -32,7 +34,8 @@ class FKOAuthDataStore extends OAuthDataStore {
} }
function lookup_token($consumer, $token_type, $token) { function lookup_token($consumer, $token_type, $token) {
logger(__function__.":".$consumer.", ". $token_type.", ".$token);
logger(__function__.":".$consumer.", ". $token_type.", ".$token, LOGGER_DEBUG);
$r = q("SELECT id, secret, scope, expires, uid FROM tokens WHERE client_id = '%s' AND scope = '%s' AND id = '%s'", $r = q("SELECT id, secret, scope, expires, uid FROM tokens WHERE client_id = '%s' AND scope = '%s' AND id = '%s'",
dbesc($consumer->key), dbesc($consumer->key),
@ -51,7 +54,6 @@ class FKOAuthDataStore extends OAuthDataStore {
} }
function lookup_nonce($consumer, $token, $nonce, $timestamp) { function lookup_nonce($consumer, $token, $nonce, $timestamp) {
// echo __file__.":".__line__."<pre>"; var_dump($consumer,$key); killme();
$r = q("SELECT id, secret FROM tokens WHERE client_id = '%s' AND id = '%s' AND expires = %d", $r = q("SELECT id, secret FROM tokens WHERE client_id = '%s' AND id = '%s' AND expires = %d",
dbesc($consumer->key), dbesc($consumer->key),
@ -65,7 +67,9 @@ class FKOAuthDataStore extends OAuthDataStore {
} }
function new_request_token($consumer, $callback = null) { function new_request_token($consumer, $callback = null) {
logger(__function__.":".$consumer.", ". $callback);
logger(__function__.":".$consumer.", ". $callback, LOGGER_DEBUG);
$key = $this->gen_token(); $key = $this->gen_token();
$sec = $this->gen_token(); $sec = $this->gen_token();
@ -82,12 +86,14 @@ class FKOAuthDataStore extends OAuthDataStore {
'request', 'request',
time()+intval(REQUEST_TOKEN_DURATION)); time()+intval(REQUEST_TOKEN_DURATION));
if (!$r) return null; if(! $r)
return null;
return new OAuthToken($key,$sec); return new OAuthToken($key,$sec);
} }
function new_access_token($token, $consumer, $verifier = null) { function new_access_token($token, $consumer, $verifier = null) {
logger(__function__.":".$token.", ". $consumer.", ". $verifier);
logger(__function__.":".$token.", ". $consumer.", ". $verifier, LOGGER_DEBUG);
// return a new access token attached to this consumer // return a new access token attached to this consumer
// for the user associated with this token if the request token // for the user associated with this token if the request token
@ -98,8 +104,8 @@ class FKOAuthDataStore extends OAuthDataStore {
// get user for this verifier // get user for this verifier
$uverifier = get_config("oauth", $verifier); $uverifier = get_config("oauth", $verifier);
logger(__function__.":".$verifier.",".$uverifier); logger(__function__.":".$verifier.",".$uverifier, LOGGER_DEBUG);
if (is_null($verifier) || ($uverifier!==false)){ if (is_null($verifier) || ($uverifier!==false)) {
$key = $this->gen_token(); $key = $this->gen_token();
$sec = $this->gen_token(); $sec = $this->gen_token();
@ -120,73 +126,62 @@ class FKOAuthDataStore extends OAuthDataStore {
q("DELETE FROM tokens WHERE id='%s'", $token->key); q("DELETE FROM tokens WHERE id='%s'", $token->key);
if (!is_null($ret) && $uverifier!==false){ if (!is_null($ret) && $uverifier!==false) {
del_config("oauth", $verifier); del_config("oauth", $verifier);
/* $apps = get_pconfig($uverifier, "oauth", "apps");
if ($apps===false) $apps=array(); // $apps = get_pconfig($uverifier, "oauth", "apps");
$apps[] = $consumer->key; // if ($apps===false) $apps=array();
set_pconfig($uverifier, "oauth", "apps", $apps);*/ // $apps[] = $consumer->key;
// set_pconfig($uverifier, "oauth", "apps", $apps);
} }
return $ret; return $ret;
} }
} }
class FKOAuth1 extends OAuthServer { class ZotOAuth1 extends OAuthServer {
function __construct() { function __construct() {
parent::__construct(new FKOAuthDataStore()); parent::__construct(new ZotOAuthDataStore());
$this->add_signature_method(new OAuthSignatureMethod_PLAINTEXT()); $this->add_signature_method(new OAuthSignatureMethod_PLAINTEXT());
$this->add_signature_method(new OAuthSignatureMethod_HMAC_SHA1()); $this->add_signature_method(new OAuthSignatureMethod_HMAC_SHA1());
} }
function loginUser($uid){ function loginUser($uid){
logger("RedOAuth1::loginUser $uid");
$a = get_app(); logger("ZotOAuth1::loginUser $uid");
$r = q("SELECT * FROM channel WHERE channel_id = %d LIMIT 1", $r = q("SELECT * FROM channel WHERE channel_id = %d LIMIT 1",
intval($uid) intval($uid)
); );
if(count($r)){ if(count($r)){
$record = $r[0]; $record = $r[0];
} else { } else {
logger('FKOAuth1::loginUser failure: ' . print_r($_SERVER,true), LOGGER_DEBUG); logger('ZotOAuth1::loginUser failure: ' . print_r($_SERVER,true), LOGGER_DEBUG);
header('HTTP/1.0 401 Unauthorized'); header('HTTP/1.0 401 Unauthorized');
die('This api requires login'); echo('This api requires login');
killme();
} }
$_SESSION['uid'] = $record['channel_id']; $_SESSION['uid'] = $record['channel_id'];
$_SESSION['theme'] = $record['channel_theme'];
$_SESSION['account_id'] = $record['channel_account_id'];
$_SESSION['mobile_theme'] = get_pconfig($record['channel_id'], 'system', 'mobile_theme');
$_SESSION['authenticated'] = 1;
$_SESSION['my_url'] = $a->get_baseurl() . '/channel/' . $record['channel_address'];
$_SESSION['addr'] = $_SERVER['REMOTE_ADDR']; $_SESSION['addr'] = $_SERVER['REMOTE_ADDR'];
$_SESSION['allow_api'] = true;
$x = q("select * from account where account_id = %d limit 1", $x = q("select * from account where account_id = %d limit 1",
intval($record['channel_account_id']) intval($record['channel_account_id'])
); );
if($x) if($x) {
$a->account = $x[0]; require_once('include/security.php');
authenticate_success($x[0],true,false,true,true);
change_channel($record['channel_id']); $_SESSION['allow_api'] = true;
$a->channel = $record;
if(strlen($a->channel['channel_timezone'])) {
date_default_timezone_set($a->channel['channel_timezone']);
} }
// q("UPDATE `user` SET `login_date` = '%s' WHERE `uid` = %d LIMIT 1",
// dbesc(datetime_convert()),
// intval($_SESSION['uid'])
// );
//
// call_hooks('logged_in', $a->user);
} }
} }
/* /*
*
not yet used
class FKOAuth2 extends OAuth2 { class FKOAuth2 extends OAuth2 {
private function db_secret($client_secret){ private function db_secret($client_secret){