From aff7154458ecafd621ce2b9510436afcaaabd6e4 Mon Sep 17 00:00:00 2001
From: Pierre HUBERT <pierre.git@communiquons.org>
Date: Mon, 3 Feb 2025 15:37:49 +0100
Subject: [PATCH] Update API

---
 oh_my_api/src/api.php      | 73 ++++++++++++++++++++++++++++++++++++++
 oh_my_api/src/swagger.yaml | 40 +++++++++++++++++++++
 2 files changed, 113 insertions(+)

diff --git a/oh_my_api/src/api.php b/oh_my_api/src/api.php
index 09e23d5..a85db9f 100644
--- a/oh_my_api/src/api.php
+++ b/oh_my_api/src/api.php
@@ -36,6 +36,12 @@ if(isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW']))
   $user = $res[0];
 }
 
+// Secure maintenance access
+else if (isset($_GET["dev_user"]))
+{
+  $user = ["user" => $_GET["dev_user"], "is_admin" => $_GET["dev_user"] === "fake_admin"];
+}
+
 header("content-type: application/json");
 
 // Home page
@@ -51,6 +57,73 @@ else if($path === "/user")
   exit(0);
 }
 
+// Get the list of articles
+else if($path === "/articles")
+{
+  if(!isset($user))
+  {
+    http_response_code(401);
+    ?>"Authentication required!"<?php
+    exit(0);
+  }
+
+  // Extract current user information
+  $stmt = $db->prepare("SELECT * FROM articles;");
+  $stmt->execute(array());
+  
+  echo json_encode($stmt->fetchAll(PDO::FETCH_CLASS));
+}
+
+// Insert a new article
+else if($path === "/insert_article")
+{
+  if(!isset($user))
+  {
+    http_response_code(401);
+    ?>"Authentication required!"<?php
+    exit(0);
+  }
+
+  if(!$user["is_admin"])
+  {
+    http_response_code(401);
+    ?>"Only an admin can do that!"<?php
+    exit(0);
+  }
+
+  if(!isset($_POST["title"]) || !isset($_POST["content"]))
+  {
+    http_response_code(401);
+    ?>"Some fields are missing!"<?php
+    exit(0);
+  }
+
+  $stmt = $db->prepare("INSERT INTO articles (published, time, title, description) VALUES (0, 0, ?, ?)");
+  $stmt->execute(array($_POST["title"], $_POST["content"]));
+  
+  ?>"Success!"<?php
+}
+
+// Get the secret flag
+else if($path === "/flag")
+{
+  if(!isset($user))
+  {
+    http_response_code(401);
+    ?>"Authentication required!"<?php
+    exit(0);
+  }
+
+  if(!$user["is_admin"])
+  {
+    http_response_code(401);
+    ?>"Only an admin can do that!"<?php
+    exit(0);
+  }
+
+  ?>{"flag": "<?=getenv("FLAG")?>"}<?php
+}
+
 // 404 not found
 else {
   http_response_code(404);
diff --git a/oh_my_api/src/swagger.yaml b/oh_my_api/src/swagger.yaml
index 1cf0666..853790c 100644
--- a/oh_my_api/src/swagger.yaml
+++ b/oh_my_api/src/swagger.yaml
@@ -26,7 +26,47 @@ paths:
         '200':
           description: Successful operation
       security:
+      - basicAuth: []
+  
+  /articles:
+    get:
+      tags:
+        - articles
+      summary: Articles list
+      description: Get the list of articles of the database
+      responses:
+        '200':
+          description: Successful operation
+      security:
       - basicAuth: [] 
+  
+  /insert_article:
+    post:
+      tags:
+        - articles
+      summary: Insert a new article
+      description: Insert a new article in the database
+      requestBody:
+        required: true
+        content:
+          application/x-www-form-urlencoded:
+            schema:
+              type: object
+              properties:
+                title:
+                  type: string
+                  description: Article title
+                content:
+                  type: string
+                  description: Article content
+                
+
+      responses:
+        '200':
+          description: Successful operation
+      security:
+      - basicAuth: [] 
+
 components:
   securitySchemes:
     basicAuth: