Enforced API security
parent
3729b56ff4
commit
4bbe967e2e
@ -17,11 +17,15 @@ class Tokens{
|
|||||||
return false; //No token specified
|
return false; //No token specified
|
||||||
|
|
||||||
//Check tokens
|
//Check tokens
|
||||||
if(!$serviceID = $this->validateClientTokens($_POST['serviceName'], $_POST['serviceToken']))
|
if(!$serviceInfos = $this->validateClientTokens($_POST['serviceName'], $_POST['serviceToken']))
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
//Save service ID in a constant
|
//Save service ID in a constant
|
||||||
define("APIServiceID", $serviceID);
|
define("APIServiceID", $serviceInfos["ID"]);
|
||||||
|
|
||||||
|
//Save service domain in a constant (if any)
|
||||||
|
if($serviceInfos["clientDomain"])
|
||||||
|
define("APIServiceDomain", $serviceInfos["clientDomain"]);
|
||||||
|
|
||||||
//Else everything went good
|
//Else everything went good
|
||||||
return true;
|
return true;
|
||||||
@ -52,7 +56,14 @@ class Tokens{
|
|||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
//The API is correctly identified
|
//The API is correctly identified
|
||||||
return $requestResult[0]['ID'];
|
//Generate client informations
|
||||||
|
$clientInformations = array(
|
||||||
|
"ID" => $requestResult[0]['ID'],
|
||||||
|
"clientDomain" => ($requestResult[0]["client_domain"] == "" ? false : $requestResult[0]["client_domain"])
|
||||||
|
);
|
||||||
|
|
||||||
|
//Return API informations
|
||||||
|
return $clientInformations;
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
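--- a/functions/url.php
+++ b/functions/url.php
@@ -0,0 +1,31 @@
+<?php
+/**
+* URL functions
+*
+* @author Pierre HUBERT
+*/
+
+
+/**
+* Determine the domain of an URL
+*
+* @param String $url The URL to analyse
+* @return String The domain of the URL
+*/
+function get_url_domain($url){
+
+//First, check for "://"
+if(!preg_match("<://>", $url))
+return false;
+
+//Then split the URL
+$path = strstr($url, "://");
+$path = str_replace("://", "", $path);
+
+//Check if we are at the root of the domain or not
+if(!preg_match("</>", $path))
+return $path;
+
+//Else the url is a little more complex
+return explode("/", $path)[0];
+}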
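Review bot: `get_url_domain` documents `@return String` but returns `false` when the URL contains no `://` (the `return false;` line), and the caller in index.php compares the result with `!==`, so the boolean path should be part of the contract: `@return String|false The host part of the URL, or false if $url has no scheme separator`. The hand-rolled split also keeps everything between `://` and the first `/` — userinfo, a port, or a query string when there is no path — so `https://host.example:8443/` yields `host.example:8443` and `HTTP://HOST.EXAMPLE/` keeps its upper case, both of which fail the strict comparison in index.php even for the registered domain. `parse_url` isolates the host and a lower-casing makes the match case-insensitive, e.g. `$host = parse_url($url, PHP_URL_HOST); return ($host === null || $host === false) ? false : strtolower($host);`, which keeps the fail-closed behaviour for malformed input.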
26
index.php
26
index.php
@ -20,21 +20,39 @@ foreach(glob(PROJECT_PATH."RestControllers/*.php") as $restControllerFile){
|
|||||||
//Include RestServer library
|
//Include RestServer library
|
||||||
require PROJECT_PATH."3rdparty/RestServer/RestServer.php";
|
require PROJECT_PATH."3rdparty/RestServer/RestServer.php";
|
||||||
|
|
||||||
//Allow remote requests
|
|
||||||
header("Access-Control-Allow-Origin: *");
|
|
||||||
|
|
||||||
//By default return format is json
|
//By default return format is json
|
||||||
if(!isset($_GET["format"]))
|
if(!isset($_GET["format"]))
|
||||||
$_GET['format'] = "json";
|
$_GET['format'] = "json";
|
||||||
|
|
||||||
//Check client tokens
|
//Set debug clients tokens
|
||||||
if($cs->config->get("site_mode") == "debug"){ //DEBUG ONLY
|
if($cs->config->get("site_mode") == "debug"){ //DEBUG ONLY
|
||||||
$_POST['serviceName'] = "testService";
|
$_POST['serviceName'] = "testService";
|
||||||
$_POST['serviceToken'] = "testPasswd";
|
$_POST['serviceToken'] = "testPasswd";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
//Check client tokens
|
||||||
if(!$cs->tokens->checkClientRequestTokens())
|
if(!$cs->tokens->checkClientRequestTokens())
|
||||||
Rest_fatal_error(401, "Please check your client tokens!");
|
Rest_fatal_error(401, "Please check your client tokens!");
|
||||||
|
|
||||||
|
//Check for remote requests limit
|
||||||
|
if(defined("APIServiceDomain")){
|
||||||
|
|
||||||
|
//First, limit requests
|
||||||
|
header("Access-Control-Allow-Origin: ".APIServiceDomain);
|
||||||
|
|
||||||
|
//Then check for referer
|
||||||
|
if(!isset($_SERVER["HTTP_REFERER"]))
|
||||||
|
Rest_fatal_error(401, "Access from direct requests denied !");
|
||||||
|
|
||||||
|
//Check the referer
|
||||||
|
if(get_url_domain($_SERVER["HTTP_REFERER"]) !== APIServiceDomain)
|
||||||
|
Rest_fatal_error(401, "Access denied from this domain with this client token !");
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
//Allow remote requests from anywhere
|
||||||
|
header("Access-Control-Allow-Origin: *");
|
||||||
|
}
|
||||||
|
|
||||||
//Check if login tokens where specified
|
//Check if login tokens where specified
|
||||||
if(isset($_POST['userToken1']) AND isset($_POST['userToken2'])){
|
if(isset($_POST['userToken1']) AND isset($_POST['userToken2'])){
|
||||||
//Try to login user
|
//Try to login user
|
||||||
|
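Review bot: The two new uses of `APIServiceDomain` expect different formats: `get_url_domain($_SERVER["HTTP_REFERER"]) !== APIServiceDomain` only passes when the constant is a bare host name (that is what `get_url_domain` returns), while `header("Access-Control-Allow-Origin: ".APIServiceDomain)` needs a full origin (`scheme://host[:port]`) before a browser will honour it, so with a bare host the CORS header is ineffective and with a full origin the referer check always fails. I cannot see how `client_domain` is populated, so this is inferred; storing one form and deriving the other, e.g. comparing against `parse_url(APIServiceDomain, PHP_URL_HOST)`, resolves it. Separately, `HTTP_REFERER` is supplied by the client and browsers omit it under a no-referrer policy, so the new `Access from direct requests denied !` branch will reject legitimate users of the registered domain while giving no assurance against a client that sets the header itself — the service token remains the real authentication, and a comment saying so, e.g. `//Referer check is a best-effort origin hint for browser clients; the service token is the credential`, would stop future readers treating it as access control. Browsers do send the `Origin` header on cross-origin POSTs, which is the more reliable value to compare here, with the referer as a fallback.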