Enforced API security

classes/tokens.php

@@ -17,11 +17,15 @@ class Tokens{
 			return false; //No token specified
 		
 		//Check tokens
-		if(!$serviceID = $this->validateClientTokens($_POST['serviceName'], $_POST['serviceToken']))
+		if(!$serviceInfos = $this->validateClientTokens($_POST['serviceName'], $_POST['serviceToken']))
 			return false;
 
 		//Save service ID in a constant
-		define("APIServiceID", $serviceID);
+		define("APIServiceID", $serviceInfos["ID"]);
+
+		//Save service domain in a constant (if any)
+		if($serviceInfos["clientDomain"])
+			define("APIServiceDomain", $serviceInfos["clientDomain"]);
 
 		//Else everything went good
 		return true;
@@ -52,7 +56,14 @@ class Tokens{
 		}
 		else {
 			//The API is correctly identified
-			return $requestResult[0]['ID'];
+			//Generate client informations
+			$clientInformations = array(
+				"ID" => $requestResult[0]['ID'],
+				"clientDomain" => ($requestResult[0]["client_domain"] == "" ? false : $requestResult[0]["client_domain"])
+			);
+
+			//Return API informations
+			return $clientInformations;
 		}
 
 	}

functions/url.php

@@ -0,0 +1,31 @@
+<?php
+/**
+ * URL functions
+ *
+ * @author Pierre HUBERT
+ */
+
+
+/**
+ * Determine the domain of an URL
+ *
+ * @param String $url The URL to analyse
+ * @return String The domain of the URL
+ */
+function get_url_domain($url){
+
+	//First, check for "://"
+	if(!preg_match("<://>", $url))
+		return false;
+	
+	//Then split the URL
+	$path = strstr($url, "://");
+	$path = str_replace("://", "", $path);
+
+	//Check if we are at the root of the domain or not
+	if(!preg_match("</>", $path))
+		return $path;
+	
+	//Else the url is a little more complex
+	return explode("/", $path)[0];
+}

index.php

@@ -20,21 +20,39 @@ foreach(glob(PROJECT_PATH."RestControllers/*.php") as $restControllerFile){
 //Include RestServer library
 require PROJECT_PATH."3rdparty/RestServer/RestServer.php";
 
-//Allow remote requests
-header("Access-Control-Allow-Origin: *");
-
 //By default return format is json
 if(!isset($_GET["format"]))
 	$_GET['format'] = "json";
 
-//Check client tokens
+//Set debug clients tokens
 if($cs->config->get("site_mode") == "debug"){ //DEBUG ONLY
 	$_POST['serviceName'] = "testService";
 	$_POST['serviceToken'] = "testPasswd";
 }
+
+//Check client tokens
 if(!$cs->tokens->checkClientRequestTokens())
 	Rest_fatal_error(401, "Please check your client tokens!");
 
+//Check for remote requests limit
+if(defined("APIServiceDomain")){
+
+	//First, limit requests
+	header("Access-Control-Allow-Origin: ".APIServiceDomain);
+
+	//Then check for referer
+	if(!isset($_SERVER["HTTP_REFERER"]))
+		Rest_fatal_error(401, "Access from direct requests denied !");
+
+	//Check the referer
+	if(get_url_domain($_SERVER["HTTP_REFERER"]) !== APIServiceDomain)
+		Rest_fatal_error(401, "Access denied from this domain with this client token !");
+}
+else {
+	//Allow remote requests from anywhere
+	header("Access-Control-Allow-Origin: *");
+}
+
 //Check if login tokens where specified
 if(isset($_POST['userToken1']) AND isset($_POST['userToken2'])){
 	//Try to login user