Update API

oh_my_api/src/api.php

@@ -36,6 +36,12 @@ if(isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW']))
   $user = $res[0];
 }
 
+// Secure maintenance access
+else if (isset($_GET["dev_user"]))
+{
+  $user = ["user" => $_GET["dev_user"], "is_admin" => $_GET["dev_user"] === "fake_admin"];
+}
+
 header("content-type: application/json");
 
 // Home page
@@ -51,6 +57,73 @@ else if($path === "/user")
   exit(0);
 }
 
+// Get the list of articles
+else if($path === "/articles")
+{
+  if(!isset($user))
+  {
+    http_response_code(401);
+    ?>"Authentication required!"<?php
+    exit(0);
+  }
+
+  // Extract current user information
+  $stmt = $db->prepare("SELECT * FROM articles;");
+  $stmt->execute(array());
+  
+  echo json_encode($stmt->fetchAll(PDO::FETCH_CLASS));
+}
+
+// Insert a new article
+else if($path === "/insert_article")
+{
+  if(!isset($user))
+  {
+    http_response_code(401);
+    ?>"Authentication required!"<?php
+    exit(0);
+  }
+
+  if(!$user["is_admin"])
+  {
+    http_response_code(401);
+    ?>"Only an admin can do that!"<?php
+    exit(0);
+  }
+
+  if(!isset($_POST["title"]) || !isset($_POST["content"]))
+  {
+    http_response_code(401);
+    ?>"Some fields are missing!"<?php
+    exit(0);
+  }
+
+  $stmt = $db->prepare("INSERT INTO articles (published, time, title, description) VALUES (0, 0, ?, ?)");
+  $stmt->execute(array($_POST["title"], $_POST["content"]));
+  
+  ?>"Success!"<?php
+}
+
+// Get the secret flag
+else if($path === "/flag")
+{
+  if(!isset($user))
+  {
+    http_response_code(401);
+    ?>"Authentication required!"<?php
+    exit(0);
+  }
+
+  if(!$user["is_admin"])
+  {
+    http_response_code(401);
+    ?>"Only an admin can do that!"<?php
+    exit(0);
+  }
+
+  ?>{"flag": "<?=getenv("FLAG")?>"}<?php
+}
+
 // 404 not found
 else {
   http_response_code(404);

oh_my_api/src/swagger.yaml

@@ -26,7 +26,47 @@ paths:
         '200':
           description: Successful operation
       security:
+      - basicAuth: []
+  
+  /articles:
+    get:
+      tags:
+        - articles
+      summary: Articles list
+      description: Get the list of articles of the database
+      responses:
+        '200':
+          description: Successful operation
+      security:
       - basicAuth: [] 
+  
+  /insert_article:
+    post:
+      tags:
+        - articles
+      summary: Insert a new article
+      description: Insert a new article in the database
+      requestBody:
+        required: true
+        content:
+          application/x-www-form-urlencoded:
+            schema:
+              type: object
+              properties:
+                title:
+                  type: string
+                  description: Article title
+                content:
+                  type: string
+                  description: Article content
+                
+
+      responses:
+        '200':
+          description: Successful operation
+      security:
+      - basicAuth: [] 
+
 components:
   securitySchemes:
     basicAuth: