Comunic/ComunicAPI
1
0
Fork 0
mirror of https://github.com/pierre42100/ComunicAPI synced 2024-11-23 13:59:29 +00:00
Code Issues Projects Releases Wiki Activity

Enforced API security

Browse Source
This commit is contained in:
Pierre 2017-06-13 11:01:36 +02:00
parent 3729b56ff4
commit 4bbe967e2e
3 changed files with 67 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
classes/tokens.php
View File

@ -17,11 +17,15 @@ class Tokens{
return false; //No token specified return false; //No token specified
//Check tokens //Check tokens
if(!$serviceID = $this->validateClientTokens($_POST['serviceName'], $_POST['serviceToken'])) if(!$serviceInfos = $this->validateClientTokens($_POST['serviceName'], $_POST['serviceToken']))
return false; return false;
//Save service ID in a constant //Save service ID in a constant
define("APIServiceID", $serviceID); define("APIServiceID", $serviceInfos["ID"]);
//Save service domain in a constant (if any)
if($serviceInfos["clientDomain"])
define("APIServiceDomain", $serviceInfos["clientDomain"]);
//Else everything went good //Else everything went good
return true; return true;
@ -52,7 +56,14 @@ class Tokens{
} }
else { else {
//The API is correctly identified //The API is correctly identified
return $requestResult[0]['ID']; //Generate client informations
$clientInformations = array(
"ID" => $requestResult[0]['ID'],
"clientDomain" => ($requestResult[0]["client_domain"] == "" ? false : $requestResult[0]["client_domain"])
);
//Return API informations
return $clientInformations;
} }
} }

31
functions/url.php Normal file
View File

@ -0,0 +1,31 @@
<?php
/**
* URL functions
*
* @author Pierre HUBERT
*/
/**
* Determine the domain of an URL
*
* @param String $url The URL to analyse
* @return String The domain of the URL
*/
function get_url_domain($url){
//First, check for "://"
if(!preg_match("<://>", $url))
return false;
//Then split the URL
$path = strstr($url, "://");
$path = str_replace("://", "", $path);
//Check if we are at the root of the domain or not
if(!preg_match("</>", $path))
return $path;
//Else the url is a little more complex
return explode("/", $path)[0];
}

26
index.php
View File

@ -20,21 +20,39 @@ foreach(glob(PROJECT_PATH."RestControllers/*.php") as $restControllerFile){
//Include RestServer library //Include RestServer library
require PROJECT_PATH."3rdparty/RestServer/RestServer.php"; require PROJECT_PATH."3rdparty/RestServer/RestServer.php";
//Allow remote requests
header("Access-Control-Allow-Origin: *");
//By default return format is json //By default return format is json
if(!isset($_GET["format"])) if(!isset($_GET["format"]))
$_GET['format'] = "json"; $_GET['format'] = "json";
//Check client tokens //Set debug clients tokens
if($cs->config->get("site_mode") == "debug"){ //DEBUG ONLY if($cs->config->get("site_mode") == "debug"){ //DEBUG ONLY
$_POST['serviceName'] = "testService"; $_POST['serviceName'] = "testService";
$_POST['serviceToken'] = "testPasswd"; $_POST['serviceToken'] = "testPasswd";
} }
//Check client tokens
if(!$cs->tokens->checkClientRequestTokens()) if(!$cs->tokens->checkClientRequestTokens())
Rest_fatal_error(401, "Please check your client tokens!"); Rest_fatal_error(401, "Please check your client tokens!");
//Check for remote requests limit
if(defined("APIServiceDomain")){
//First, limit requests
header("Access-Control-Allow-Origin: ".APIServiceDomain);
//Then check for referer
if(!isset($_SERVER["HTTP_REFERER"]))
Rest_fatal_error(401, "Access from direct requests denied !");
//Check the referer
if(get_url_domain($_SERVER["HTTP_REFERER"]) !== APIServiceDomain)
Rest_fatal_error(401, "Access denied from this domain with this client token !");
}
else {
//Allow remote requests from anywhere
header("Access-Control-Allow-Origin: *");
}
//Check if login tokens where specified //Check if login tokens where specified
if(isset($_POST['userToken1']) AND isset($_POST['userToken2'])){ if(isset($_POST['userToken1']) AND isset($_POST['userToken2'])){
//Try to login user //Try to login user