CSRF Token + small fixes
@@ -9,6 +9,7 @@ class Create extends Request {
|
||||
public function __construct($user, $externalCall = false) {
|
||||
parent::__construct($user, $externalCall, array());
|
||||
$this->apiKeyAllowed = false;
|
||||
$this->csrfTokenRequired = true;
|
||||
$this->loginRequired = true;
|
||||
}
|
||||
|
||||
|
||||
@@ -12,6 +12,7 @@ class Fetch extends Request {
|
||||
public function __construct($user, $externalCall = false) {
|
||||
parent::__construct($user, $externalCall, array());
|
||||
$this->loginRequired = true;
|
||||
$this->csrfTokenRequired = true;
|
||||
}
|
||||
|
||||
public function execute($values = array()) {
|
||||
|
||||
@@ -13,6 +13,7 @@ class Refresh extends Request {
|
||||
"id" => new Parameter("id", Parameter::TYPE_INT),
|
||||
));
|
||||
$this->loginRequired = true;
|
||||
$this->csrfTokenRequired = true;
|
||||
}
|
||||
|
||||
private function apiKeyExists() {
|
||||
|
||||
@@ -13,6 +13,7 @@ class Revoke extends Request {
|
||||
"id" => new Parameter("id", Parameter::TYPE_INT),
|
||||
));
|
||||
$this->loginRequired = true;
|
||||
$this->csrfTokenRequired = true;
|
||||
}
|
||||
|
||||
private function apiKeyExists() {
|
||||
|
||||
@@ -17,6 +17,7 @@ class Create extends Request {
|
||||
'message' => new StringType('message', 256),
|
||||
));
|
||||
$this->isPublic = false;
|
||||
$this->csrfTokenRequired = true;
|
||||
}
|
||||
|
||||
private function checkUser($userId) {
|
||||
|
||||
@@ -12,6 +12,7 @@ class Fetch extends Request {
|
||||
public function __construct($user, $externalCall = false) {
|
||||
parent::__construct($user, $externalCall, array());
|
||||
$this->loginRequired = true;
|
||||
$this->csrfTokenRequired = true;
|
||||
}
|
||||
|
||||
private function fetchUserNotifications() {
|
||||
|
||||
@@ -17,6 +17,7 @@ class Request {
|
||||
protected bool $isDisabled;
|
||||
protected bool $apiKeyAllowed;
|
||||
protected int $requiredGroup;
|
||||
protected bool $csrfTokenRequired;
|
||||
|
||||
private array $aDefaultParams;
|
||||
private array $allowedMethods;
|
||||
@@ -37,6 +38,7 @@ class Request {
|
||||
$this->allowedMethods = array("GET", "POST");
|
||||
$this->requiredGroup = 0;
|
||||
$this->lastError = "";
|
||||
$this->csrfTokenRequired = false;
|
||||
}
|
||||
|
||||
protected function forbidMethod($method) {
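Review bot: `$this->csrfTokenRequired = false;` makes CSRF protection opt-in per endpoint, so a new state-changing request whose constructor forgets the flag ships unprotected without any signal (every constructor in this commit has to switch it on by hand). Consider defaulting it to `true` here and opting out explicitly only in endpoints that are public or API-key driven, so an omission fails closed. The default could also live on the declaration in the earlier hunk, `protected bool $csrfTokenRequired = true;`, keeping the type and its initial value together.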
|
||||
@@ -111,13 +113,13 @@ class Request {
|
||||
}
|
||||
|
||||
if($this->loginRequired || $this->requiredGroup > 0) {
|
||||
$authorized = false;
|
||||
$apiKeyAuthorized = false;
|
||||
if(isset($values['api_key']) && $this->apiKeyAllowed) {
|
||||
$apiKey = $values['api_key'];
|
||||
$authorized = $this->user->authorize($apiKey);
|
||||
$apiKeyAuthorized = $this->user->authorize($apiKey);
|
||||
}
|
||||
|
||||
if(!$this->user->isLoggedIn() && !$authorized) {
|
||||
if(!$this->user->isLoggedIn() && !$apiKeyAuthorized) {
|
||||
$this->lastError = 'You are not logged in.';
|
||||
header('HTTP 1.1 401 Unauthorized');
|
||||
return false;
|
||||
@@ -125,6 +127,14 @@ class Request {
|
||||
$this->lastError = "Insufficient permissions. Required group: ". GroupName($this->requiredGroup);
|
||||
header('HTTP 1.1 401 Unauthorized');
|
||||
return false;
|
||||
} else if($this->csrfTokenRequired && !$apiKeyAuthorized && $this->externalCall) {
|
||||
// csrf token required + external call
|
||||
// if it's not a call with API_KEY, check for csrf_token
|
||||
if (!isset($values["csrf_token"]) || strcmp($values["csrf_token"], $this->user->getSession()->getCsrfToken()) !== 0) {
|
||||
$this->lastError = "CSRF-Token mismatch";
|
||||
header('HTTP 1.1 403 Forbidden');
|
||||
return false;
|
||||
}
|
||||
}
|
||||
}
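Review bot: The token check on the `strcmp(...)` line is not constant-time and, on PHP 8, throws a TypeError when `csrf_token` arrives as a non-string (an array in a JSON body, for instance); it should read `if (!isset($values["csrf_token"]) || !is_string($values["csrf_token"]) || !hash_equals($this->user->getSession()->getCsrfToken(), $values["csrf_token"])) {`. The status line `header('HTTP 1.1 403 Forbidden')` is missing the slash — PHP only treats a header beginning with `HTTP/` as a status line, so the response leaves with the default status; `http_response_code(403);` is the robust form, and the two existing 401 headers share the same typo. This `else if` sits inside the `if($this->loginRequired || $this->requiredGroup > 0)` block opened in the previous hunk (the `$apiKeyAuthorized` it reads is only defined there; new line 126 is not shown), so endpoints that set `csrfTokenRequired` without `loginRequired` — SetLanguage and the new Info class, as far as their constructors are visible in this commit — appear never to reach the check. If that is not intended, the CSRF branch should be evaluated independently of the login/group block whenever `$this->externalCall` is set and no API key was accepted.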
|
||||
|
||||
|
||||
@@ -17,6 +17,7 @@ class SetLanguage extends Request {
|
||||
'langId' => new Parameter('langId', Parameter::TYPE_INT, true, NULL),
|
||||
'langCode' => new StringType('langCode', 5, true, NULL),
|
||||
));
|
||||
$this->csrfTokenRequired = true;
|
||||
}
|
||||
|
||||
private function checkLanguage() {
|
||||
|
||||
@@ -20,6 +20,7 @@ class Fetch extends Request {
|
||||
$this->loginRequired = true;
|
||||
$this->requiredGroup = USER_GROUP_ADMIN;
|
||||
$this->userCount = 0;
|
||||
$this->csrfTokenRequired = true;
|
||||
}
|
||||
|
||||
private function getUserCount() {
|
||||
|
||||
28
core/Api/User/Info.class.php
Normal file
28
core/Api/User/Info.class.php
Normal file
@@ -0,0 +1,28 @@
|
||||
<?php
|
||||
|
||||
namespace Api\User;
|
||||
|
||||
use \Api\Request;
|
||||
|
||||
class Info extends Request {
|
||||
|
||||
public function __construct($user, $externalCall = false) {
|
||||
parent::__construct($user, $externalCall, array());
|
||||
$this->csrfTokenRequired = true;
|
||||
}
|
||||
|
||||
public function execute($values = array()) {
|
||||
if(!parent::execute($values)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (!$this->user->isLoggedIn()) {
|
||||
$this->result["loggedIn"] = false;
|
||||
} else {
|
||||
$this->result["loggedIn"] = true;
|
||||
}
|
||||
|
||||
$this->result["user"] = $this->user->jsonSerialize();
|
||||
return $this->success;
|
||||
}
|
||||
}
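Review bot: `$this->result["user"] = $this->user->jsonSerialize();` is emitted for anonymous callers as well; whether that exposes anything depends on what `jsonSerialize()` returns for a user without a session (not visible here), so it is safer to populate `user` only inside the logged-in branch. The `if`/`else` over `isLoggedIn()` collapses to `$this->result["loggedIn"] = $this->user->isLoggedIn();`. The constructor sets neither `loginRequired` nor `apiKeyAllowed` and so relies on the parent's defaults; a one-line class comment stating that Info is intentionally callable without a session would make that explicit for the next reader.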
|
||||
@@ -65,6 +65,7 @@ class Login extends Request {
|
||||
if(!($this->success = $this->user->createSession($uid, $stayLoggedIn))) {
|
||||
return $this->createError("Error creating Session: " . $sql->getLastError());
|
||||
} else {
|
||||
$this->result["loggedIn"] = true;
|
||||
$this->result['logoutIn'] = $this->user->getSession()->getExpiresSeconds();
|
||||
$this->success = true;
|
||||
}
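Review bot: `$this->result['logoutIn']` uses single quotes where the line above uses `["loggedIn"]`; pick one quoting style for result keys within the block. `$this->success = true;` on the following line is redundant — the `if` condition just assigned a truthy value to `$this->success`, which is why this branch runs at all. The enclosing method starts and ends outside the hunk.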
|
||||
|
||||
@@ -10,6 +10,7 @@ class Logout extends Request {
|
||||
parent::__construct($user, $externalCall);
|
||||
$this->loginRequired = true;
|
||||
$this->apiKeyAllowed = false;
|
||||
$this->csrfTokenRequired = true;
|
||||
}
|
||||
|
||||
public function execute($values = array()) {
|
||||
|
||||