123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399 |
- <?php
- if (!defined('GNUSOCIAL')) { exit(1); }
- class ApiAuthAction extends ApiAction
- {
- var $auth_user_nickname = null;
- var $auth_user_password = null;
-
- protected function prepare(array $args=array())
- {
- parent::prepare($args);
-
-
-
-
-
- if (common_logged_in() && common_local_referer()) {
- $this->scoped = Profile::current();
- $this->auth_user = $this->scoped->getUser();
- if (!$this->auth_user->hasRight(Right::API)) {
-
- throw new AuthorizationException(_('Not allowed to use API.'));
- }
-
- Event::handle('EndSetApiUser', array($this->auth_user));
- $this->access = self::READ_WRITE;
- } else {
- $oauthReq = $this->getOAuthRequest();
- if ($oauthReq instanceof OAuthRequest) {
- $this->checkOAuthRequest($oauthReq);
- } else {
-
-
- $this->checkBasicAuthUser($this->requiresAuth());
- }
-
- if (isset($this->auth_user) && $this->auth_user instanceof User) {
- $this->scoped = $this->auth_user->getProfile();
- } else {
- $this->scoped = null;
- }
- }
-
-
- $this->user = $this->auth_user;
-
- if ($this->isReadOnly($args) == false) {
- if ($this->access != self::READ_WRITE) {
-
- $msg = _('API resource requires read-write access, ' .
- 'but you only have read access.');
- $this->clientError($msg, 401);
- }
- }
- return true;
- }
-
- function getOAuthRequest()
- {
- ApiOAuthAction::cleanRequest();
- $req = OAuthRequest::from_request();
- $consumer = $req->get_parameter('oauth_consumer_key');
- $accessToken = $req->get_parameter('oauth_token');
-
-
- if (empty($consumer) || empty($accessToken)) {
- return false;
- }
- return $req;
- }
-
- function checkOAuthRequest($request)
- {
- $datastore = new ApiGNUsocialOAuthDataStore();
- $server = new OAuthServer($datastore);
- $hmac_method = new OAuthSignatureMethod_HMAC_SHA1();
- $server->add_signature_method($hmac_method);
- try {
- $server->verify_request($request);
- $consumer = $request->get_parameter('oauth_consumer_key');
- $access_token = $request->get_parameter('oauth_token');
- $app = Oauth_application::getByConsumerKey($consumer);
- if (empty($app)) {
- common_log(
- LOG_WARNING,
- 'API OAuth - Couldn\'t find the OAuth app for consumer key: ' .
- $consumer
- );
-
- throw new OAuthException(_('No application for that consumer key.'));
- }
-
- if ($app->name != 'anonymous') {
- $this->source = $app->name;
- }
- $appUser = Oauth_application_user::getKV('token', $access_token);
- if (!empty($appUser)) {
-
-
- if ($appUser->access_type != 0) {
-
- $this->access = ($appUser->access_type & Oauth_application::$writeAccess)
- ? self::READ_WRITE : self::READ_ONLY;
-
- if (Event::handle('StartSetApiUser', array(&$user))) {
- $user = User::getKV('id', $appUser->profile_id);
- }
- if ($user instanceof User) {
- if (!$user->hasRight(Right::API)) {
-
- throw new AuthorizationException(_('Not allowed to use API.'));
- }
- $this->auth_user = $user;
- Event::handle('EndSetApiUser', array($this->auth_user));
- } else {
-
- $this->auth_user = null;
- }
-
-
-
- global $_cur;
- $_cur = $this->auth_user;
- $msg = "API OAuth authentication for user '%s' (id: %d) on behalf of " .
- "application '%s' (id: %d) with %s access.";
- common_log(
- LOG_INFO,
- sprintf(
- $msg,
- $this->auth_user->nickname,
- $this->auth_user->id,
- $app->name,
- $app->id,
- ($this->access = self::READ_WRITE) ? 'read-write' : 'read-only'
- )
- );
- } else {
-
- throw new OAuthException(_('Bad access token.'));
- }
- } else {
-
-
- throw new OAuthException(_('No user for that token.'));
- }
- } catch (OAuthException $e) {
- $this->logAuthFailure($e->getMessage());
- common_log(LOG_WARNING, 'API OAuthException - ' . $e->getMessage());
- $this->clientError($e->getMessage(), 401);
- }
- }
-
- public function requiresAuth()
- {
- return true;
- }
-
- function checkBasicAuthUser($required = true)
- {
- $this->basicAuthProcessHeader();
- $realm = common_config('api', 'realm');
- if (empty($realm)) {
- $realm = common_config('site', 'name') . ' API';
- }
- if (empty($this->auth_user_nickname) && $required) {
- header('WWW-Authenticate: Basic realm="' . $realm . '"');
-
-
- $this->clientError(_('Could not authenticate you.'), 401);
- } else {
-
- $user = common_check_user($this->auth_user_nickname,
- $this->auth_user_password);
- Event::handle('StartSetApiUser', array(&$user));
- if ($user instanceof User) {
- if (!$user->hasRight(Right::API)) {
-
- throw new AuthorizationException(_('Not allowed to use API.'));
- }
- $this->auth_user = $user;
- Event::handle('EndSetApiUser', array($this->auth_user));
- } else {
- $this->auth_user = null;
- }
- if ($required && $this->auth_user instanceof User) {
-
- $this->access = self::READ_WRITE;
- } elseif ($required) {
- $msg = sprintf(
- "basic auth nickname = %s",
- $this->auth_user_nickname
- );
- $this->logAuthFailure($msg);
-
- header('WWW-Authenticate: Basic realm="' . $realm . '"');
-
- $this->clientError(_('Could not authenticate you.'), 401);
- } else {
-
- $this->access = self::READ_WRITE;
- }
- }
- }
-
- function basicAuthProcessHeader()
- {
- $authHeaders = array('AUTHORIZATION',
- 'HTTP_AUTHORIZATION',
- 'REDIRECT_HTTP_AUTHORIZATION');
- $authorization_header = null;
- foreach ($authHeaders as $header) {
- if (isset($_SERVER[$header])) {
- $authorization_header = $_SERVER[$header];
- break;
- }
- }
- if (isset($_SERVER['PHP_AUTH_USER'])) {
- $this->auth_user_nickname = $_SERVER['PHP_AUTH_USER'];
- $this->auth_user_password = $_SERVER['PHP_AUTH_PW'];
- } elseif (isset($authorization_header)
- && strstr(substr($authorization_header, 0, 5), 'Basic')) {
-
-
- $auth_hash = base64_decode(substr($authorization_header, 6));
- list($this->auth_user_nickname,
- $this->auth_user_password) = explode(':', $auth_hash);
-
- if (empty($this->auth_user_nickname)) {
- $this->auth_user_nickname = null;
- $this->auth_password = null;
- }
- }
- }
-
- function logAuthFailure($logMsg)
- {
- list($proxy, $ip) = common_client_ip();
- $msg = sprintf(
- 'API auth failure (proxy = %1$s, ip = %2$s) - ',
- $proxy,
- $ip
- );
- common_log(LOG_WARNING, $msg . $logMsg);
- }
- }
|