| 
									
										
										
										
											2009-09-25 16:58:35 -07:00
										 |  |  | <?php | 
					
						
							|  |  |  | /** | 
					
						
							|  |  |  |  * StatusNet, the distributed open-source microblogging tool | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  * Base class for API actions that require authentication | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  * PHP version 5 | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  * LICENCE: This program is free software: you can redistribute it and/or modify | 
					
						
							|  |  |  |  * it under the terms of the GNU Affero General Public License as published by | 
					
						
							|  |  |  |  * the Free Software Foundation, either version 3 of the License, or | 
					
						
							|  |  |  |  * (at your option) any later version. | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  * This program is distributed in the hope that it will be useful, | 
					
						
							|  |  |  |  * but WITHOUT ANY WARRANTY; without even the implied warranty of | 
					
						
							|  |  |  |  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the | 
					
						
							|  |  |  |  * GNU Affero General Public License for more details. | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  * You should have received a copy of the GNU Affero General Public License | 
					
						
							|  |  |  |  * along with this program.  If not, see <http://www.gnu.org/licenses/>. | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  * @category  API | 
					
						
							|  |  |  |  * @package   StatusNet | 
					
						
							| 
									
										
										
										
											2009-10-12 16:36:00 -07:00
										 |  |  |  * @author    Adrian Lang <mail@adrianlang.de> | 
					
						
							|  |  |  |  * @author    Brenda Wallace <shiny@cpan.org> | 
					
						
							|  |  |  |  * @author    Craig Andrews <candrews@integralblue.com> | 
					
						
							|  |  |  |  * @author    Dan Moore <dan@moore.cx> | 
					
						
							|  |  |  |  * @author    Evan Prodromou <evan@status.net> | 
					
						
							|  |  |  |  * @author    mEDI <medi@milaro.net> | 
					
						
							|  |  |  |  * @author    Sarven Capadisli <csarven@status.net> | 
					
						
							| 
									
										
										
										
											2010-01-11 17:30:56 -08:00
										 |  |  |  * @author    Zach Copley <zach@status.net> | 
					
						
							| 
									
										
										
										
											2010-01-27 08:41:26 +00:00
										 |  |  |  * @copyright 2009-2010 StatusNet, Inc. | 
					
						
							| 
									
										
										
										
											2010-05-27 18:26:47 -04:00
										 |  |  |  * @copyright 2009 Free Software Foundation, Inc http://www.fsf.org | 
					
						
							| 
									
										
										
										
											2009-09-25 16:58:35 -07:00
										 |  |  |  * @license   http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0 | 
					
						
							|  |  |  |  * @link      http://status.net/ | 
					
						
							|  |  |  |  */ | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2010-03-30 18:52:21 -07:00
										 |  |  | /* External API usage documentation. Please update when you change how this method works. */ | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | /*! @page authentication Authentication | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     StatusNet supports HTTP Basic Authentication and OAuth for API calls. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     @warning Currently, users who have created accounts without setting a | 
					
						
							|  |  |  |     password via OpenID, Facebook Connect, etc., cannot use the API until | 
					
						
							|  |  |  |     they set a password with their account settings panel. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     @section HTTP Basic Auth | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     @section OAuth | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | */ | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-10-06 13:38:09 +02:00
										 |  |  | if (!defined('GNUSOCIAL')) { exit(1); } | 
					
						
							| 
									
										
										
										
											2009-09-25 16:58:35 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2009-09-27 15:33:46 -07:00
										 |  |  | /** | 
					
						
							|  |  |  |  * Actions extending this class will require auth | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  * @category API | 
					
						
							|  |  |  |  * @package  StatusNet | 
					
						
							|  |  |  |  * @author   Zach Copley <zach@status.net> | 
					
						
							|  |  |  |  * @license  http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0 | 
					
						
							|  |  |  |  * @link     http://status.net/ | 
					
						
							|  |  |  |  */ | 
					
						
							| 
									
										
										
										
											2009-10-09 14:22:18 -07:00
										 |  |  | class ApiAuthAction extends ApiAction | 
					
						
							| 
									
										
										
										
											2009-09-25 16:58:35 -07:00
										 |  |  | { | 
					
						
							| 
									
										
										
										
											2010-01-27 08:41:26 +00:00
										 |  |  |     var $auth_user_nickname = null; | 
					
						
							|  |  |  |     var $auth_user_password = null; | 
					
						
							| 
									
										
										
										
											2009-09-30 10:22:26 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2009-10-09 16:57:22 -07:00
										 |  |  |     /** | 
					
						
							| 
									
										
										
										
											2010-01-29 01:49:38 +00:00
										 |  |  |      * Take arguments for running, looks for an OAuth request, | 
					
						
							|  |  |  |      * and outputs basic auth header if needed | 
					
						
							| 
									
										
										
										
											2009-10-09 16:57:22 -07:00
										 |  |  |      * | 
					
						
							|  |  |  |      * @param array $args $_REQUEST args | 
					
						
							|  |  |  |      * | 
					
						
							|  |  |  |      * @return boolean success flag | 
					
						
							|  |  |  |      * | 
					
						
							|  |  |  |      */ | 
					
						
							| 
									
										
										
										
											2013-10-06 13:38:09 +02:00
										 |  |  |     protected function prepare(array $args=array()) | 
					
						
							| 
									
										
										
										
											2009-10-09 16:57:22 -07:00
										 |  |  |     { | 
					
						
							|  |  |  |         parent::prepare($args); | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-11-10 11:38:50 +01:00
										 |  |  |         // NOTE: $this->scoped and $this->auth_user has to get set in
 | 
					
						
							|  |  |  |         // prepare(), not handle(), as subclasses use them in prepares.
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |         // Allow regular login session
 | 
					
						
							|  |  |  |         if (common_logged_in()) { | 
					
						
							|  |  |  |             $this->scoped = Profile::current(); | 
					
						
							|  |  |  |             $this->auth_user = $this->scoped->getUser(); | 
					
						
							|  |  |  |             if (!$this->auth_user->hasRight(Right::API)) { | 
					
						
							|  |  |  |                 // TRANS: Authorization exception thrown when a user without API access tries to access the API.
 | 
					
						
							|  |  |  |                 throw new AuthorizationException(_('Not allowed to use API.')); | 
					
						
							|  |  |  |             } | 
					
						
							| 
									
										
										
										
											2015-01-31 16:02:01 +01:00
										 |  |  |             // Let's run this in the same way as if we've just authenticated the user (basic/oauth auth)
 | 
					
						
							|  |  |  |             Event::handle('EndSetApiUser', array($this->auth_user)); | 
					
						
							| 
									
										
										
										
											2014-11-10 11:38:50 +01:00
										 |  |  |             $this->access = self::READ_WRITE; | 
					
						
							|  |  |  |         } else { | 
					
						
							|  |  |  |             $oauthReq = $this->getOAuthRequest(); | 
					
						
							| 
									
										
										
										
											2010-01-29 01:49:38 +00:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-11-10 11:43:08 +01:00
										 |  |  |             if ($oauthReq instanceof OAuthRequest) { | 
					
						
							| 
									
										
										
										
											2014-11-10 11:38:50 +01:00
										 |  |  |                 $this->checkOAuthRequest($oauthReq); | 
					
						
							| 
									
										
										
										
											2014-11-10 11:43:08 +01:00
										 |  |  |             } else { | 
					
						
							|  |  |  |                 // If not using OAuth, check if there is a basic auth
 | 
					
						
							|  |  |  |                 // and require it if the current action requires it.
 | 
					
						
							|  |  |  |                 $this->checkBasicAuthUser($this->requiresAuth()); | 
					
						
							| 
									
										
										
										
											2010-01-27 08:41:26 +00:00
										 |  |  |             } | 
					
						
							| 
									
										
										
										
											2010-01-17 11:21:07 +01:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-11-10 11:38:50 +01:00
										 |  |  |             // NOTE: Make sure we're scoped properly based on the auths!
 | 
					
						
							|  |  |  |             if (isset($this->auth_user) && $this->auth_user instanceof User) { | 
					
						
							|  |  |  |                 $this->scoped = $this->auth_user->getProfile(); | 
					
						
							|  |  |  |             } else { | 
					
						
							|  |  |  |                 $this->scoped = null; | 
					
						
							|  |  |  |             } | 
					
						
							| 
									
										
										
										
											2013-09-09 23:08:43 +02:00
										 |  |  |         } | 
					
						
							| 
									
										
										
										
											2013-09-09 21:35:16 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-10-15 02:54:10 +02:00
										 |  |  |         // legacy user transferral
 | 
					
						
							|  |  |  |         // TODO: remove when sure no extended classes need it
 | 
					
						
							|  |  |  |         $this->user = $this->auth_user; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2010-01-17 11:21:07 +01:00
										 |  |  |         // Reject API calls with the wrong access level
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |         if ($this->isReadOnly($args) == false) { | 
					
						
							|  |  |  |             if ($this->access != self::READ_WRITE) { | 
					
						
							| 
									
										
										
										
											2010-04-10 22:50:15 +02:00
										 |  |  |                 // TRANS: Client error 401.
 | 
					
						
							| 
									
										
										
										
											2010-01-28 00:41:44 +00:00
										 |  |  |                 $msg = _('API resource requires read-write access, ' . | 
					
						
							|  |  |  |                          'but you only have read access.'); | 
					
						
							| 
									
										
										
										
											2013-10-15 00:19:03 +02:00
										 |  |  |                 $this->clientError($msg, 401); | 
					
						
							| 
									
										
										
										
											2010-01-13 05:06:35 +00:00
										 |  |  |             } | 
					
						
							| 
									
										
										
										
											2009-10-09 16:57:22 -07:00
										 |  |  |         } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |         return true; | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2010-01-29 01:49:38 +00:00
										 |  |  |     /** | 
					
						
							|  |  |  |      * Determine whether the request is an OAuth request. | 
					
						
							|  |  |  |      * This is to avoid doign any unnecessary DB lookups. | 
					
						
							|  |  |  |      * | 
					
						
							|  |  |  |      * @return mixed the OAuthRequest or false | 
					
						
							|  |  |  |      */ | 
					
						
							|  |  |  |     function getOAuthRequest() | 
					
						
							| 
									
										
										
										
											2010-01-14 02:16:03 +00:00
										 |  |  |     { | 
					
						
							| 
									
										
										
										
											2013-10-06 12:40:58 +02:00
										 |  |  |         ApiOAuthAction::cleanRequest(); | 
					
						
							| 
									
										
										
										
											2010-01-29 01:49:38 +00:00
										 |  |  | 
 | 
					
						
							|  |  |  |         $req  = OAuthRequest::from_request(); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |         $consumer    = $req->get_parameter('oauth_consumer_key'); | 
					
						
							|  |  |  |         $accessToken = $req->get_parameter('oauth_token'); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |         // XXX: Is it good enough to assume it's not meant to be an
 | 
					
						
							|  |  |  |         // OAuth request if there is no consumer or token? --Z
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |         if (empty($consumer) || empty($accessToken)) { | 
					
						
							|  |  |  |             return false; | 
					
						
							|  |  |  |         } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |         return $req; | 
					
						
							| 
									
										
										
										
											2010-01-14 02:16:03 +00:00
										 |  |  |     } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2010-01-29 01:49:38 +00:00
										 |  |  |     /** | 
					
						
							|  |  |  |      * Verifies the OAuth request signature, sets the auth user | 
					
						
							|  |  |  |      * and access type (read-only or read-write) | 
					
						
							|  |  |  |      * | 
					
						
							|  |  |  |      * @param OAuthRequest $request the OAuth Request | 
					
						
							|  |  |  |      * | 
					
						
							|  |  |  |      * @return nothing | 
					
						
							|  |  |  |      */ | 
					
						
							|  |  |  |     function checkOAuthRequest($request) | 
					
						
							| 
									
										
										
										
											2010-01-11 17:30:56 -08:00
										 |  |  |     { | 
					
						
							| 
									
										
										
										
											2013-10-15 00:20:36 +02:00
										 |  |  |         $datastore   = new ApiGNUsocialOAuthDataStore(); | 
					
						
							| 
									
										
										
										
											2010-01-13 05:06:35 +00:00
										 |  |  |         $server      = new OAuthServer($datastore); | 
					
						
							|  |  |  |         $hmac_method = new OAuthSignatureMethod_HMAC_SHA1(); | 
					
						
							| 
									
										
										
										
											2010-01-11 17:30:56 -08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2010-01-13 05:06:35 +00:00
										 |  |  |         $server->add_signature_method($hmac_method); | 
					
						
							| 
									
										
										
										
											2010-01-11 17:30:56 -08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2010-01-13 05:06:35 +00:00
										 |  |  |         try { | 
					
						
							| 
									
										
										
										
											2010-01-29 01:49:38 +00:00
										 |  |  |             $server->verify_request($request); | 
					
						
							| 
									
										
										
										
											2010-01-11 17:30:56 -08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2010-01-29 01:49:38 +00:00
										 |  |  |             $consumer     = $request->get_parameter('oauth_consumer_key'); | 
					
						
							|  |  |  |             $access_token = $request->get_parameter('oauth_token'); | 
					
						
							| 
									
										
										
										
											2010-01-11 17:30:56 -08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2010-01-29 01:49:38 +00:00
										 |  |  |             $app = Oauth_application::getByConsumerKey($consumer); | 
					
						
							| 
									
										
										
										
											2010-01-11 17:30:56 -08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2010-01-29 01:49:38 +00:00
										 |  |  |             if (empty($app)) { | 
					
						
							| 
									
										
										
										
											2010-10-19 12:07:59 -07:00
										 |  |  |                 common_log( | 
					
						
							|  |  |  |                     LOG_WARNING, | 
					
						
							|  |  |  |                     'API OAuth - Couldn\'t find the OAuth app for consumer key: ' . | 
					
						
							|  |  |  |                     $consumer | 
					
						
							|  |  |  |                 ); | 
					
						
							| 
									
										
										
										
											2010-09-13 00:49:42 +02:00
										 |  |  |                 // TRANS: OAuth exception thrown when no application is found for a given consumer key.
 | 
					
						
							|  |  |  |                 throw new OAuthException(_('No application for that consumer key.')); | 
					
						
							| 
									
										
										
										
											2010-01-13 05:06:35 +00:00
										 |  |  |             } | 
					
						
							| 
									
										
										
										
											2010-01-11 17:30:56 -08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2010-01-14 02:38:01 +00:00
										 |  |  |             // set the source attr
 | 
					
						
							| 
									
										
										
										
											2010-10-19 20:54:53 -07:00
										 |  |  |             if ($app->name != 'anonymous') { | 
					
						
							|  |  |  |                 $this->source = $app->name; | 
					
						
							|  |  |  |             } | 
					
						
							| 
									
										
										
										
											2010-01-14 02:38:01 +00:00
										 |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-08-18 13:04:58 +02:00
										 |  |  |             $appUser = Oauth_application_user::getKV('token', $access_token); | 
					
						
							| 
									
										
										
										
											2010-01-11 17:30:56 -08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2010-01-13 05:06:35 +00:00
										 |  |  |             if (!empty($appUser)) { | 
					
						
							|  |  |  |                 // If access_type == 0 we have either a request token
 | 
					
						
							|  |  |  |                 // or a bad / revoked access token
 | 
					
						
							| 
									
										
										
										
											2010-01-11 17:30:56 -08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2010-01-27 08:41:26 +00:00
										 |  |  |                 if ($appUser->access_type != 0) { | 
					
						
							|  |  |  |                     // Set the access level for the api call
 | 
					
						
							| 
									
										
										
										
											2010-01-14 02:16:03 +00:00
										 |  |  |                     $this->access = ($appUser->access_type & Oauth_application::$writeAccess) | 
					
						
							|  |  |  |                       ? self::READ_WRITE : self::READ_ONLY; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2010-01-29 01:49:38 +00:00
										 |  |  |                     // Set the auth user
 | 
					
						
							| 
									
										
										
										
											2010-01-20 18:01:07 -08:00
										 |  |  |                     if (Event::handle('StartSetApiUser', array(&$user))) { | 
					
						
							| 
									
										
										
										
											2013-08-18 13:04:58 +02:00
										 |  |  |                         $user = User::getKV('id', $appUser->profile_id); | 
					
						
							| 
									
										
										
										
											2015-02-13 01:19:59 +01:00
										 |  |  |                     } | 
					
						
							|  |  |  |                     if ($user instanceof User) { | 
					
						
							|  |  |  |                         if (!$user->hasRight(Right::API)) { | 
					
						
							|  |  |  |                             // TRANS: Authorization exception thrown when a user without API access tries to access the API.
 | 
					
						
							|  |  |  |                             throw new AuthorizationException(_('Not allowed to use API.')); | 
					
						
							| 
									
										
										
										
											2011-02-21 10:20:42 -05:00
										 |  |  |                         } | 
					
						
							|  |  |  |                         $this->auth_user = $user; | 
					
						
							| 
									
										
										
										
											2015-02-13 01:19:59 +01:00
										 |  |  |                         Event::handle('EndSetApiUser', array($this->auth_user)); | 
					
						
							|  |  |  |                     } else { | 
					
						
							|  |  |  |                         // If $user is not a real User, let's force it to null.
 | 
					
						
							|  |  |  |                         $this->auth_user = null; | 
					
						
							| 
									
										
										
										
											2010-01-20 18:01:07 -08:00
										 |  |  |                     } | 
					
						
							| 
									
										
										
										
											2010-01-11 17:30:56 -08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2015-02-13 01:19:59 +01:00
										 |  |  |                     // FIXME: setting the value returned by common_current_user()
 | 
					
						
							|  |  |  |                     // There should probably be a better method for this. common_set_user()
 | 
					
						
							|  |  |  |                     // does lots of session stuff.
 | 
					
						
							|  |  |  |                     global $_cur; | 
					
						
							|  |  |  |                     $_cur = $this->auth_user; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2010-01-13 05:06:35 +00:00
										 |  |  |                     $msg = "API OAuth authentication for user '%s' (id: %d) on behalf of " . | 
					
						
							| 
									
										
										
										
											2010-10-19 12:07:59 -07:00
										 |  |  |                         "application '%s' (id: %d) with %s access."; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |                     common_log( | 
					
						
							|  |  |  |                         LOG_INFO, | 
					
						
							|  |  |  |                         sprintf( | 
					
						
							|  |  |  |                             $msg, | 
					
						
							|  |  |  |                             $this->auth_user->nickname, | 
					
						
							|  |  |  |                             $this->auth_user->id, | 
					
						
							|  |  |  |                             $app->name, | 
					
						
							|  |  |  |                             $app->id, | 
					
						
							|  |  |  |                             ($this->access = self::READ_WRITE) ? 'read-write' : 'read-only' | 
					
						
							|  |  |  |                         ) | 
					
						
							|  |  |  |                     ); | 
					
						
							| 
									
										
										
										
											2010-01-13 05:06:35 +00:00
										 |  |  |                 } else { | 
					
						
							| 
									
										
										
										
											2010-09-13 00:49:42 +02:00
										 |  |  |                     // TRANS: OAuth exception given when an incorrect access token was given for a user.
 | 
					
						
							|  |  |  |                     throw new OAuthException(_('Bad access token.')); | 
					
						
							| 
									
										
										
										
											2010-01-13 05:06:35 +00:00
										 |  |  |                 } | 
					
						
							|  |  |  |             } else { | 
					
						
							| 
									
										
										
										
											2011-04-01 19:46:40 +02:00
										 |  |  |                 // Also should not happen.
 | 
					
						
							| 
									
										
										
										
											2010-09-13 00:49:42 +02:00
										 |  |  |                 // TRANS: OAuth exception given when no user was found for a given token (no token was found).
 | 
					
						
							|  |  |  |                 throw new OAuthException(_('No user for that token.')); | 
					
						
							| 
									
										
										
										
											2010-01-27 08:41:26 +00:00
										 |  |  |             } | 
					
						
							| 
									
										
										
										
											2010-01-11 17:30:56 -08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2010-01-13 05:06:35 +00:00
										 |  |  |         } catch (OAuthException $e) { | 
					
						
							| 
									
										
										
										
											2010-10-19 12:07:59 -07:00
										 |  |  |             $this->logAuthFailure($e->getMessage()); | 
					
						
							| 
									
										
										
										
											2010-01-27 08:41:26 +00:00
										 |  |  |             common_log(LOG_WARNING, 'API OAuthException - ' . $e->getMessage()); | 
					
						
							| 
									
										
										
										
											2013-10-15 00:19:03 +02:00
										 |  |  |             $this->clientError($e->getMessage(), 401); | 
					
						
							| 
									
										
										
										
											2010-01-13 05:06:35 +00:00
										 |  |  |         } | 
					
						
							| 
									
										
										
										
											2010-01-11 17:30:56 -08:00
										 |  |  |     } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2009-09-25 16:58:35 -07:00
										 |  |  |     /** | 
					
						
							|  |  |  |      * Does this API resource require authentication? | 
					
						
							|  |  |  |      * | 
					
						
							|  |  |  |      * @return boolean true | 
					
						
							|  |  |  |      */ | 
					
						
							| 
									
										
										
										
											2013-10-15 00:19:03 +02:00
										 |  |  |     public function requiresAuth() | 
					
						
							| 
									
										
										
										
											2009-09-25 16:58:35 -07:00
										 |  |  |     { | 
					
						
							|  |  |  |         return true; | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2009-09-27 15:33:46 -07:00
										 |  |  |     /** | 
					
						
							| 
									
										
										
										
											2009-11-09 20:01:46 +01:00
										 |  |  |      * Check for a user specified via HTTP basic auth. If there isn't | 
					
						
							| 
									
										
										
										
											2009-09-27 15:33:46 -07:00
										 |  |  |      * one, try to get one by outputting the basic auth header. | 
					
						
							|  |  |  |      * | 
					
						
							|  |  |  |      * @return boolean true or false | 
					
						
							|  |  |  |      */ | 
					
						
							| 
									
										
										
										
											2010-01-17 11:21:07 +01:00
										 |  |  |     function checkBasicAuthUser($required = true) | 
					
						
							| 
									
										
										
										
											2009-09-25 16:58:35 -07:00
										 |  |  |     { | 
					
						
							|  |  |  |         $this->basicAuthProcessHeader(); | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2010-03-08 12:36:03 -05:00
										 |  |  |         $realm = common_config('api', 'realm'); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |         if (empty($realm)) { | 
					
						
							|  |  |  |             $realm = common_config('site', 'name') . ' API'; | 
					
						
							|  |  |  |         } | 
					
						
							| 
									
										
										
										
											2009-10-12 15:12:20 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2010-03-10 03:39:05 +00:00
										 |  |  |         if (empty($this->auth_user_nickname) && $required) { | 
					
						
							| 
									
										
										
										
											2009-10-12 15:12:20 -07:00
										 |  |  |             header('WWW-Authenticate: Basic realm="' . $realm . '"'); | 
					
						
							| 
									
										
										
										
											2009-09-25 16:58:35 -07:00
										 |  |  | 
 | 
					
						
							|  |  |  |             // show error if the user clicks 'cancel'
 | 
					
						
							| 
									
										
										
										
											2014-11-10 11:38:50 +01:00
										 |  |  |             // TRANS: Client error thrown when authentication fails because a user clicked "Cancel".
 | 
					
						
							| 
									
										
										
										
											2013-10-15 00:19:03 +02:00
										 |  |  |             $this->clientError(_('Could not authenticate you.'), 401); | 
					
						
							| 
									
										
										
										
											2009-09-25 16:58:35 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-11-10 11:38:50 +01:00
										 |  |  |         } elseif ($required) { | 
					
						
							| 
									
										
										
										
											2014-11-10 12:10:21 +01:00
										 |  |  |             // $this->auth_user_nickname - i.e. PHP_AUTH_USER - will have a value since it was not empty
 | 
					
						
							| 
									
										
										
										
											2010-01-27 08:41:26 +00:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2010-01-28 00:41:44 +00:00
										 |  |  |             $user = common_check_user($this->auth_user_nickname, | 
					
						
							|  |  |  |                                       $this->auth_user_password); | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2015-02-13 01:19:59 +01:00
										 |  |  |             Event::handle('StartSetApiUser', array(&$user)); | 
					
						
							|  |  |  |             if ($user instanceof User) { | 
					
						
							|  |  |  |                 if (!$user->hasRight(Right::API)) { | 
					
						
							|  |  |  |                     // TRANS: Authorization exception thrown when a user without API access tries to access the API.
 | 
					
						
							|  |  |  |                     throw new AuthorizationException(_('Not allowed to use API.')); | 
					
						
							| 
									
										
										
										
											2010-01-28 00:41:44 +00:00
										 |  |  |                 } | 
					
						
							| 
									
										
										
										
											2015-02-13 01:19:59 +01:00
										 |  |  |                 $this->auth_user = $user; | 
					
						
							| 
									
										
										
										
											2010-01-17 11:21:07 +01:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2015-02-13 01:19:59 +01:00
										 |  |  |                 Event::handle('EndSetApiUser', array($this->auth_user)); | 
					
						
							|  |  |  |             } else { | 
					
						
							|  |  |  |                 $this->auth_user = null; | 
					
						
							| 
									
										
										
										
											2009-11-18 14:19:43 -05:00
										 |  |  |             } | 
					
						
							| 
									
										
										
										
											2009-09-25 16:58:35 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2010-01-27 08:41:26 +00:00
										 |  |  |             // By default, basic auth users have rw access
 | 
					
						
							|  |  |  |             $this->access = self::READ_WRITE; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-11-10 12:10:21 +01:00
										 |  |  |             if (!$this->auth_user instanceof User) { | 
					
						
							| 
									
										
										
										
											2010-10-19 12:07:59 -07:00
										 |  |  |                 $msg = sprintf( | 
					
						
							|  |  |  |                     "basic auth nickname = %s", | 
					
						
							|  |  |  |                     $this->auth_user_nickname | 
					
						
							|  |  |  |                 ); | 
					
						
							|  |  |  |                 $this->logAuthFailure($msg); | 
					
						
							| 
									
										
										
										
											2014-11-10 12:17:39 +01:00
										 |  |  | 
 | 
					
						
							|  |  |  |                 // We must present WWW-Authenticate in accordance to HTTP status code 401
 | 
					
						
							|  |  |  |                 header('WWW-Authenticate: Basic realm="' . $realm . '"'); | 
					
						
							| 
									
										
										
										
											2010-09-13 00:49:42 +02:00
										 |  |  |                 // TRANS: Client error thrown when authentication fails.
 | 
					
						
							| 
									
										
										
										
											2013-10-15 00:19:03 +02:00
										 |  |  |                 $this->clientError(_('Could not authenticate you.'), 401); | 
					
						
							| 
									
										
										
										
											2009-09-25 16:58:35 -07:00
										 |  |  |             } | 
					
						
							| 
									
										
										
										
											2014-11-10 11:38:50 +01:00
										 |  |  |         } else { | 
					
						
							| 
									
										
										
										
											2014-11-10 12:17:39 +01:00
										 |  |  |             // all get rw access for actions that don't require auth
 | 
					
						
							| 
									
										
										
										
											2014-11-10 11:38:50 +01:00
										 |  |  |             $this->access = self::READ_WRITE; | 
					
						
							| 
									
										
										
										
											2009-09-25 16:58:35 -07:00
										 |  |  |         } | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2009-09-27 15:33:46 -07:00
										 |  |  |     /** | 
					
						
							|  |  |  |      * Read the HTTP headers and set the auth user.  Decodes HTTP_AUTHORIZATION | 
					
						
							|  |  |  |      * param to support basic auth when PHP is running in CGI mode. | 
					
						
							|  |  |  |      * | 
					
						
							|  |  |  |      * @return void | 
					
						
							|  |  |  |      */ | 
					
						
							| 
									
										
										
										
											2009-09-25 16:58:35 -07:00
										 |  |  |     function basicAuthProcessHeader() | 
					
						
							|  |  |  |     { | 
					
						
							| 
									
										
										
										
											2010-03-17 10:52:11 -07:00
										 |  |  |         $authHeaders = array('AUTHORIZATION', | 
					
						
							|  |  |  |                              'HTTP_AUTHORIZATION', | 
					
						
							|  |  |  |                              'REDIRECT_HTTP_AUTHORIZATION'); // rewrite for CGI
 | 
					
						
							|  |  |  |         $authorization_header = null; | 
					
						
							|  |  |  |         foreach ($authHeaders as $header) { | 
					
						
							|  |  |  |             if (isset($_SERVER[$header])) { | 
					
						
							|  |  |  |                 $authorization_header = $_SERVER[$header]; | 
					
						
							|  |  |  |                 break; | 
					
						
							|  |  |  |             } | 
					
						
							| 
									
										
										
										
											2009-09-25 16:58:35 -07:00
										 |  |  |         } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |         if (isset($_SERVER['PHP_AUTH_USER'])) { | 
					
						
							| 
									
										
										
										
											2010-01-27 08:41:26 +00:00
										 |  |  |             $this->auth_user_nickname = $_SERVER['PHP_AUTH_USER']; | 
					
						
							|  |  |  |             $this->auth_user_password = $_SERVER['PHP_AUTH_PW']; | 
					
						
							| 
									
										
										
										
											2009-09-27 15:33:46 -07:00
										 |  |  |         } elseif (isset($authorization_header) | 
					
						
							|  |  |  |             && strstr(substr($authorization_header, 0, 5), 'Basic')) { | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2010-01-27 08:41:26 +00:00
										 |  |  |             // Decode the HTTP_AUTHORIZATION header on php-cgi server self
 | 
					
						
							| 
									
										
										
										
											2009-09-25 16:58:35 -07:00
										 |  |  |             // on fcgid server the header name is AUTHORIZATION
 | 
					
						
							|  |  |  |             $auth_hash = base64_decode(substr($authorization_header, 6)); | 
					
						
							| 
									
										
										
										
											2010-01-27 08:41:26 +00:00
										 |  |  |             list($this->auth_user_nickname, | 
					
						
							|  |  |  |                  $this->auth_user_password) = explode(':', $auth_hash); | 
					
						
							| 
									
										
										
										
											2009-09-25 16:58:35 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2010-01-27 08:41:26 +00:00
										 |  |  |             // Set all to null on a empty basic auth request
 | 
					
						
							| 
									
										
										
										
											2009-09-27 15:33:46 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2010-01-27 08:41:26 +00:00
										 |  |  |             if (empty($this->auth_user_nickname)) { | 
					
						
							|  |  |  |                 $this->auth_user_nickname = null; | 
					
						
							|  |  |  |                 $this->auth_password = null; | 
					
						
							| 
									
										
										
										
											2009-09-25 16:58:35 -07:00
										 |  |  |             } | 
					
						
							|  |  |  |         } | 
					
						
							|  |  |  |     } | 
					
						
							| 
									
										
										
										
											2010-10-19 12:07:59 -07:00
										 |  |  | 
 | 
					
						
							|  |  |  |     /** | 
					
						
							| 
									
										
										
										
											2011-01-19 15:52:18 -08:00
										 |  |  |      * Log an API authentication failure. Collect the proxy and IP | 
					
						
							| 
									
										
										
										
											2010-10-19 12:07:59 -07:00
										 |  |  |      * and log them | 
					
						
							|  |  |  |      * | 
					
						
							|  |  |  |      * @param string $logMsg additional log message | 
					
						
							|  |  |  |      */ | 
					
						
							|  |  |  |      function logAuthFailure($logMsg) | 
					
						
							|  |  |  |      { | 
					
						
							|  |  |  |         list($proxy, $ip) = common_client_ip(); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |         $msg = sprintf( | 
					
						
							|  |  |  |             'API auth failure (proxy = %1$s, ip = %2$s) - ', | 
					
						
							|  |  |  |             $proxy, | 
					
						
							|  |  |  |             $ip | 
					
						
							|  |  |  |         ); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |         common_log(LOG_WARNING, $msg . $logMsg); | 
					
						
							|  |  |  |      } | 
					
						
							| 
									
										
										
										
											2009-09-27 15:33:46 -07:00
										 |  |  | } |