From 6b1cbb31b42999c858ec1cf82fa440ee68895379 Mon Sep 17 00:00:00 2001
From: Marks Polakovs
Date: Sat, 11 Dec 2021 17:41:09 +0000
Subject: [PATCH 1/7] Allow using traditional_auth with API keys

---
 src/Controllers/traditional_auth.php | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/Controllers/traditional_auth.php b/src/Controllers/traditional_auth.php
index 107e03dcc..d933f5739 100644
--- a/src/Controllers/traditional_auth.php
+++ b/src/Controllers/traditional_auth.php
@@ -7,9 +7,20 @@ //Load the basic MyRadio framework
 use \MyRadio\MyRadio\URLUtils;
+use MyRadio\Config;
+use MyRadio\ServiceAPI\MyRadio_APIKey;
+use MyRadio\ServiceAPI\MyRadio_Swagger2;
 require_once __DIR__.'/root_cli.php';
+if (defined('SHIBBOBLEH_ALLOW_API') && SHIBBOBLEH_ALLOW_API === true
+ && (!isset($_SESSION['memberid']))) {
+ $caller = MyRadio_Swagger2::getAPICaller();
+ if ($caller instanceof MyRadio_APIKey) {
+ $_SESSION['memberid'] = Config::$system_user;
+ }
+}
+
 //Check the current authentication status of the user
 if ((!isset($_SESSION['memberid']) or $_SESSION['auth_use_locked'])
 && (!defined('SHIBBOBLEH_ALLOW_READONLY') or SHIBBOBLEH_ALLOW_READONLY === false)
From 9085296fbddfae82d1d7603602b0712d1539e9a6 Mon Sep 17 00:00:00 2001
From: Marks Polakovs
Date: Sat, 11 Dec 2021 18:04:07 +0000
Subject: [PATCH 2/7] Check if API keys exist

---
 src/Classes/ServiceAPI/MyRadio_APIKey.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/Classes/ServiceAPI/MyRadio_APIKey.php b/src/Classes/ServiceAPI/MyRadio_APIKey.php
index 83c7a467a..9e158a5b2 100644
--- a/src/Classes/ServiceAPI/MyRadio_APIKey.php
+++ b/src/Classes/ServiceAPI/MyRadio_APIKey.php
@@ -6,6 +6,7 @@ namespace MyRadio\ServiceAPI;
 use MyRadio\Iface\APICaller;
+use MyRadio\MyRadioException;
 /**
 * The APIKey Class provies information and management of API Keys for the MyRadio 
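Review bot: The three `use` lines added at the top of the hunk are written without a leading backslash while the existing `use \MyRadio\MyRadio\URLUtils;` directly above keeps one, so the import block now mixes both forms. A `use` statement is always resolved from the global namespace, so the backslash is redundant; normalising the older line to `use MyRadio\MyRadio\URLUtils;` keeps the block consistent. The `if` block this hunk adds is reworked by later patches in the series, so I have no comment on its body here.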
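Review bot: `use MyRadio\MyRadioException;` is only needed by the `throw` that this patch adds to `__construct()`, and once PATCH 6 replaces that throw with `return null` (and PATCH 7 moves the check into `factory()`) nothing in `MyRadio_APIKey.php` references `MyRadioException` any more, so the import ends the series unused. PATCH 6 removes the matching import from `traditional_auth.php` but not this one; drop it in the final patch or when squashing.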
@@ -40,6 +41,10 @@ protected function __construct($key)
 {
 $this->key = $key;
 $revoked = self::$db->fetchColumn('SELECT revoked from myury.api_key WHERE key_string=$1', [$key]);
+ if (count($revoked) === 0)
+ {
+ throw new MyRadioException('Invalid API key', 404);
+ }
 $this->revoked = ($revoked[0] == 't');
 $this->permissions = array_map(
 'intval',
From ff39f226c5a6a233c471263ce504e2a7e0549e26 Mon Sep 17 00:00:00 2001
From: Marks Polakovs
Date: Sat, 11 Dec 2021 18:14:45 +0000
Subject: [PATCH 3/7] Avoid writing to real session for API requests

---
 src/Controllers/traditional_auth.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/Controllers/traditional_auth.php b/src/Controllers/traditional_auth.php
index d933f5739..991194a0f 100644
--- a/src/Controllers/traditional_auth.php
+++ b/src/Controllers/traditional_auth.php
@@ -13,8 +13,9 @@ require_once __DIR__.'/root_cli.php';
-if (defined('SHIBBOBLEH_ALLOW_API') && SHIBBOBLEH_ALLOW_API === true
- && (!isset($_SESSION['memberid']))) {
+if (defined('SHIBBOBLEH_ALLOW_API') && SHIBBOBLEH_ALLOW_API === true &&
+ (isset($_REQUEST['api_key']) || isset($_REQUEST['apiKey']))) {
+ define('DISABLE_SESSION', true);
 $caller = MyRadio_Swagger2::getAPICaller();
 if ($caller instanceof MyRadio_APIKey) {
 $_SESSION['memberid'] = Config::$system_user;
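Review bot: The new `if (count($revoked) === 0)` puts its opening brace on a line of its own, whereas the other control structures in this series (`if ($caller instanceof MyRadio_APIKey) {`) and PSR-12 keep a control-structure brace on the same line; the same layout is carried into `factory()` in PATCH 7. I would write `if (count($revoked) === 0) {` here and there. Adjacent and not new, but worth tidying while the block is being touched: `$this->revoked = ($revoked[0] == 't');` uses a loose comparison where `=== 't'` is exact, and the enclosing `__construct()` continues past the end of the hunk.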
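Review bot: The branch selector `isset($_REQUEST['api_key']) || isset($_REQUEST['apiKey'])` accepts the key from whatever `request_order` allows — normally GET and POST, and cookies on some configurations — so a key passed as a URL query parameter will be recorded in web-server and proxy access logs and leak via `Referer` headers. If `MyRadio_Swagger2::getAPICaller()` reads the key from the same superglobal (it is not shown here), consider restricting this path to a request header or the POST body, or at least testing `$_POST` / `$_SERVER` explicitly instead of `$_REQUEST`, and documenting the accepted locations in a comment above the `if`.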
@@ -15,19 +15,15 @@ if (defined('SHIBBOBLEH_ALLOW_API') && SHIBBOBLEH_ALLOW_API === true &&
 (isset($_REQUEST['api_key']) || isset($_REQUEST['apiKey']))) {
- define('DISABLE_SESSION', true);
 $caller = MyRadio_Swagger2::getAPICaller();
- if ($caller instanceof MyRadio_APIKey) {
- $_SESSION['memberid'] = Config::$system_user;
- }
+ $authed = $caller instanceof MyRadio_APIKey && !$caller->isRevoked();
+} else {
+ $authed = isset($_SESSION['memberid']) && !$_SESSION['auth_use_locked'];
 }
 //Check the current authentication status of the user
-if ((!isset($_SESSION['memberid']) or $_SESSION['auth_use_locked'])
- && (!defined('SHIBBOBLEH_ALLOW_READONLY') or SHIBBOBLEH_ALLOW_READONLY === false)
-) {
+if (!$authed && (!defined('SHIBBOBLEH_ALLOW_READONLY') or SHIBBOBLEH_ALLOW_READONLY === false)) {
 //Authentication is required.
- header('HTTP/1.1 403 Forbidden');
 URLUtils::redirect('MyRadio', 'login', ['next' => $_SERVER['REQUEST_URI']]);
 exit;
 }
@@ -37,7 +33,6 @@ && (defined('SHIBBOBLEH_REQUIRE_TIMESLOT') and SHIBBOBLEH_REQUIRE_TIMESLOT)
 ) {
 //Timeslot needs configuring
- header('HTTP/1.1 403 Forbidden');
 URLUtils::redirect('MyRadio', 'timeslot', ['next' => $_SERVER['REQUEST_URI']]);
 exit;
 }
From 9ab66faa24e499b4e414402fb5a42bab5ea0ac50 Mon Sep 17 00:00:00 2001
From: Marks Polakovs
Date: Sat, 11 Dec 2021 18:27:23 +0000
Subject: [PATCH 5/7] Handle non-existent API keys

---
 src/Controllers/traditional_auth.php | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/Controllers/traditional_auth.php b/src/Controllers/traditional_auth.php
index 69e04c257..1731d2b21 100644
--- a/src/Controllers/traditional_auth.php
+++ b/src/Controllers/traditional_auth.php
@@ -8,6 +8,7 @@ use \MyRadio\MyRadio\URLUtils;
 use MyRadio\Config;
+use MyRadio\MyRadioException;
 use MyRadio\ServiceAPI\MyRadio_APIKey;
 use MyRadio\ServiceAPI\MyRadio_Swagger2;
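Review bot: In the API branch `$authed = $caller instanceof MyRadio_APIKey && !$caller->isRevoked();` treats any non-revoked key as fully authenticated for this page without consulting the key's permissions, even though `MyRadio_APIKey` loads a `$this->permissions` list (visible in the PATCH 2 hunk); unless every controller that includes `traditional_auth.php` performs its own permission check afterwards (not visible here), a key scoped to a single API call would also be accepted by every page that defines `SHIBBOBLEH_ALLOW_API`. When `$authed` is false on the API path the caller is then sent a 302 to the HTML login page by `URLUtils::redirect(...)`, which an API client cannot follow usefully; an explicit `header('HTTP/1.1 401 Unauthorized'); exit;` (or a JSON error body) for that case would be clearer now that the 403 header has been dropped. The API branch also leaves `$_SESSION['memberid']` unset, so code later in this file that presumably reads the session — the timeslot check in the next hunk, whose condition starts outside it — runs without a member context; a comment on the `if` stating that API-key callers carry no member would help the next reader.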
@@ -15,8 +16,16 @@ if (defined('SHIBBOBLEH_ALLOW_API') && SHIBBOBLEH_ALLOW_API === true &&
 (isset($_REQUEST['api_key']) || isset($_REQUEST['apiKey']))) {
- $caller = MyRadio_Swagger2::getAPICaller();
- $authed = $caller instanceof MyRadio_APIKey && !$caller->isRevoked();
+ try {
+ $caller = MyRadio_Swagger2::getAPICaller();
+ $authed = $caller instanceof MyRadio_APIKey && !$caller->isRevoked();
+ } catch (MyRadioException $e) {
+ if ($e->getCode() === 404) {
+ $authed = false;
+ } else {
+ throw $e;
+ }
+ }
 } else {
 $authed = isset($_SESSION['memberid']) && !$_SESSION['auth_use_locked'];
 }
From 40c9bc154bb76c0a0d0bfdbc35749b6e3af85901 Mon Sep 17 00:00:00 2001
From: Marks Polakovs
Date: Sat, 11 Dec 2021 18:28:56 +0000
Subject: [PATCH 6/7] Return null instead of throwing

---
 src/Classes/ServiceAPI/MyRadio_APIKey.php | 2 +-
 src/Controllers/traditional_auth.php | 13 ++----------
 2 files changed, 3 insertions(+), 12 deletions(-)

diff --git a/src/Classes/ServiceAPI/MyRadio_APIKey.php b/src/Classes/ServiceAPI/MyRadio_APIKey.php
index 9e158a5b2..82cb2ac78 100644
--- a/src/Classes/ServiceAPI/MyRadio_APIKey.php
+++ b/src/Classes/ServiceAPI/MyRadio_APIKey.php
@@ -43,7 +43,7 @@ protected function __construct($key)
 $revoked = self::$db->fetchColumn('SELECT revoked from myury.api_key WHERE key_string=$1', [$key]);
 if (count($revoked) === 0)
 {
- throw new MyRadioException('Invalid API key', 404);
+ return null;
 }
 $this->revoked = ($revoked[0] == 't');
 $this->permissions = array_map(
diff --git a/src/Controllers/traditional_auth.php b/src/Controllers/traditional_auth.php
index 1731d2b21..69e04c257 100644
--- a/src/Controllers/traditional_auth.php
+++ b/src/Controllers/traditional_auth.php
@@ -8,7 +8,6 @@ use \MyRadio\MyRadio\URLUtils;
 use MyRadio\Config;
-use MyRadio\MyRadioException;
 use MyRadio\ServiceAPI\MyRadio_APIKey;
 use MyRadio\ServiceAPI\MyRadio_Swagger2;
@@ -16,16 +15,8 @@ if (defined('SHIBBOBLEH_ALLOW_API') && SHIBBOBLEH_ALLOW_API === true &&
 (isset($_REQUEST['api_key']) || isset($_REQUEST['apiKey']))) {
- try {
- $caller = MyRadio_Swagger2::getAPICaller();
- $authed = $caller instanceof MyRadio_APIKey && !$caller->isRevoked();
- } catch (MyRadioException $e) {
- if ($e->getCode() === 404) {
- $authed = false;
- } else {
- throw $e;
- }
- }
+ $caller = MyRadio_Swagger2::getAPICaller();
+ $authed = $caller instanceof MyRadio_APIKey && !$caller->isRevoked();
 } else {
 $authed = isset($_SESSION['memberid']) && !$_SESSION['auth_use_locked'];
 }
From bf68b436faa3fd75a77e5577a379bc8b9927a642 Mon Sep 17 00:00:00 2001
From: Marks Polakovs
Date: Sat, 11 Dec 2021 18:31:35 +0000
Subject: [PATCH 7/7] =?UTF-8?q?You=20can'=C5=A7=20return=20null=20from=20a?=
 =?UTF-8?q?=20constructor?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/Classes/ServiceAPI/MyRadio_APIKey.php | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/src/Classes/ServiceAPI/MyRadio_APIKey.php b/src/Classes/ServiceAPI/MyRadio_APIKey.php
index 82cb2ac78..e8ce1f54c 100644
--- a/src/Classes/ServiceAPI/MyRadio_APIKey.php
+++ b/src/Classes/ServiceAPI/MyRadio_APIKey.php
@@ -40,12 +40,6 @@ class MyRadio_APIKey extends ServiceAPI implements APICaller
 protected function __construct($key)
 {
 $this->key = $key;
- $revoked = self::$db->fetchColumn('SELECT revoked from myury.api_key WHERE key_string=$1', [$key]);
- if (count($revoked) === 0)
- {
- return null;
- }
- $this->revoked = ($revoked[0] == 't');
 $this->permissions = array_map(
 'intval',
 self::$db->fetchColumn(
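Review bot: With the lookup moved out, `__construct()` no longer assigns `$this->revoked` at all, so an instance created without going through `factory()` — `new static($key)` remains reachable from subclasses, as does any generic instantiation path the `ServiceAPI` base class may provide (not visible here) — reports `isRevoked()` as `null`, which `!$caller->isRevoked()` in `traditional_auth.php` treats as *not revoked*. A fail-closed default in the constructor, `$this->revoked = true;` next to `$this->key = $key;`, makes an incompletely built key unusable instead of silently valid; `factory()` in the next hunk then overwrites it with the database value. The constructor body continues past the end of this hunk.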
@@ -71,4 +65,16 @@ public function isRevoked()
 {
 return $this->revoked;
 }
+
+ public static function factory($key)
+ {
+ $apiKey = new static($key);
+ $revoked = self::$db->fetchColumn('SELECT revoked from myury.api_key WHERE key_string=$1', [$key]);
+ if (count($revoked) === 0)
+ {
+ return null;
+ }
+ $apiKey->revoked = ($revoked[0] == 't');
+ return $apiKey;
+ }
 }
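Review bot: `factory()` constructs the object — and so runs the permissions query inside `__construct()` — before it checks whether the key exists, so an unknown key costs two database round-trips and briefly yields a half-built `MyRadio_APIKey`; doing the `SELECT revoked` lookup first and calling `new static($key)` only on a hit is both cheaper and safer. While the lines move, `$revoked[0] == 't'` can become `=== 't'` (the `'t'` literal suggests a PostgreSQL boolean returned as a string, which the existing loose comparison already assumes), and the `if (...)` / `{` brace layout can follow PSR-12. The method also has no docblock; `@return static|null` would document the null-on-miss contract that `traditional_auth.php` relies on through `instanceof`.
```php
    /**
     * Look up an API key by its key string.
     *
     * @param string $key the key_string to look up
     * @return static|null the key, or null when no row matches $key
     */
    public static function factory($key)
    {
        // Check existence before constructing, so an unknown key never
        // produces a partially initialised instance (or a second query).
        $revoked = self::$db->fetchColumn('SELECT revoked from myury.api_key WHERE key_string=$1', [$key]);
        if (count($revoked) === 0) {
            return null;
        }
        $apiKey = new static($key);
        $apiKey->revoked = ($revoked[0] === 't');
        return $apiKey;
    }
```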