mirror of
https://github.com/pierre42100/ComunicAPI
synced 2024-12-25 04:58:59 +00:00
Enforced API security
This commit is contained in:
parent
3729b56ff4
commit
4bbe967e2e
@ -17,11 +17,15 @@ class Tokens{
|
||||
return false; //No token specified
|
||||
|
||||
//Check tokens
|
||||
if(!$serviceID = $this->validateClientTokens($_POST['serviceName'], $_POST['serviceToken']))
|
||||
if(!$serviceInfos = $this->validateClientTokens($_POST['serviceName'], $_POST['serviceToken']))
|
||||
return false;
|
||||
|
||||
//Save service ID in a constant
|
||||
define("APIServiceID", $serviceID);
|
||||
define("APIServiceID", $serviceInfos["ID"]);
|
||||
|
||||
//Save service domain in a constant (if any)
|
||||
if($serviceInfos["clientDomain"])
|
||||
define("APIServiceDomain", $serviceInfos["clientDomain"]);
|
||||
|
||||
//Else everything went good
|
||||
return true;
|
||||
@ -52,7 +56,14 @@ class Tokens{
|
||||
}
|
||||
else {
|
||||
//The API is correctly identified
|
||||
return $requestResult[0]['ID'];
|
||||
//Generate client informations
|
||||
$clientInformations = array(
|
||||
"ID" => $requestResult[0]['ID'],
|
||||
"clientDomain" => ($requestResult[0]["client_domain"] == "" ? false : $requestResult[0]["client_domain"])
|
||||
);
|
||||
|
||||
//Return API informations
|
||||
return $clientInformations;
|
||||
}
|
||||
|
||||
}
|
||||
|
31
functions/url.php
Normal file
31
functions/url.php
Normal file
@ -0,0 +1,31 @@
|
||||
<?php
|
||||
/**
|
||||
* URL functions
|
||||
*
|
||||
* @author Pierre HUBERT
|
||||
*/
|
||||
|
||||
|
||||
/**
|
||||
* Determine the domain of an URL
|
||||
*
|
||||
* @param String $url The URL to analyse
|
||||
* @return String The domain of the URL
|
||||
*/
|
||||
function get_url_domain($url){
|
||||
|
||||
//First, check for "://"
|
||||
if(!preg_match("<://>", $url))
|
||||
return false;
|
||||
|
||||
//Then split the URL
|
||||
$path = strstr($url, "://");
|
||||
$path = str_replace("://", "", $path);
|
||||
|
||||
//Check if we are at the root of the domain or not
|
||||
if(!preg_match("</>", $path))
|
||||
return $path;
|
||||
|
||||
//Else the url is a little more complex
|
||||
return explode("/", $path)[0];
|
||||
}
|
26
index.php
26
index.php
@ -20,21 +20,39 @@ foreach(glob(PROJECT_PATH."RestControllers/*.php") as $restControllerFile){
|
||||
//Include RestServer library
|
||||
require PROJECT_PATH."3rdparty/RestServer/RestServer.php";
|
||||
|
||||
//Allow remote requests
|
||||
header("Access-Control-Allow-Origin: *");
|
||||
|
||||
//By default return format is json
|
||||
if(!isset($_GET["format"]))
|
||||
$_GET['format'] = "json";
|
||||
|
||||
//Check client tokens
|
||||
//Set debug clients tokens
|
||||
if($cs->config->get("site_mode") == "debug"){ //DEBUG ONLY
|
||||
$_POST['serviceName'] = "testService";
|
||||
$_POST['serviceToken'] = "testPasswd";
|
||||
}
|
||||
|
||||
//Check client tokens
|
||||
if(!$cs->tokens->checkClientRequestTokens())
|
||||
Rest_fatal_error(401, "Please check your client tokens!");
|
||||
|
||||
//Check for remote requests limit
|
||||
if(defined("APIServiceDomain")){
|
||||
|
||||
//First, limit requests
|
||||
header("Access-Control-Allow-Origin: ".APIServiceDomain);
|
||||
|
||||
//Then check for referer
|
||||
if(!isset($_SERVER["HTTP_REFERER"]))
|
||||
Rest_fatal_error(401, "Access from direct requests denied !");
|
||||
|
||||
//Check the referer
|
||||
if(get_url_domain($_SERVER["HTTP_REFERER"]) !== APIServiceDomain)
|
||||
Rest_fatal_error(401, "Access denied from this domain with this client token !");
|
||||
}
|
||||
else {
|
||||
//Allow remote requests from anywhere
|
||||
header("Access-Control-Allow-Origin: *");
|
||||
}
|
||||
|
||||
//Check if login tokens where specified
|
||||
if(isset($_POST['userToken1']) AND isset($_POST['userToken2'])){
|
||||
//Try to login user
|
||||
|
Loading…
Reference in New Issue
Block a user