Merge pull request #10381 from annando/basic-auth
Move basic auth functionality to the new class
This commit is contained in:
commit
a99b619338
3 changed files with 129 additions and 23 deletions
|
@ -11,7 +11,7 @@ Authentication is the same as described in [Using the APIs](help/api#Authenticat
|
||||||
|
|
||||||
## Clients
|
## Clients
|
||||||
|
|
||||||
Supported mobile apps:
|
Supported apps:
|
||||||
|
|
||||||
- [AndStatus](http://andstatus.org)
|
- [AndStatus](http://andstatus.org)
|
||||||
- [Husky](https://husky.fwgs.ru)
|
- [Husky](https://husky.fwgs.ru)
|
||||||
|
@ -20,11 +20,17 @@ Supported mobile apps:
|
||||||
- [Twidere](https://github.com/TwidereProject/)
|
- [Twidere](https://github.com/TwidereProject/)
|
||||||
- [twitlatte](https://github.com/moko256/twitlatte)
|
- [twitlatte](https://github.com/moko256/twitlatte)
|
||||||
- [Yuito](https://github.com/accelforce/Yuito)
|
- [Yuito](https://github.com/accelforce/Yuito)
|
||||||
|
- [Amaroq](https://github.com/ReticentJohn/Amaroq/tree/master)
|
||||||
|
|
||||||
Unsupported mobile apps:
|
Unsupported apps:
|
||||||
|
|
||||||
- [Fedilab](https://framagit.org/tom79/fedilab) Automatically uses the legacy API, see issue: https://framagit.org/tom79/fedilab/-/issues/520
|
- [Fedilab](https://framagit.org/tom79/fedilab) Automatically uses the legacy API, see issue: https://framagit.org/tom79/fedilab/-/issues/520
|
||||||
- [Mammut](https://github.com/jamiesanson/Mammut) There are problems with the token request, see issue https://github.com/jamiesanson/Mammut/issues/19
|
- [Mammut](https://github.com/jamiesanson/Mammut) There are problems with the token request, see issue https://github.com/jamiesanson/Mammut/issues/19
|
||||||
|
- [Mast](https://github.com/Beesitech/Mast) Doesn't accept the entered instance name. Claims that it is invalid (Message is: "Not a valid instance (may be closed or dead)")
|
||||||
|
- [Pinafore](https://github.com/nolanlawson/pinafore) Returns message "Error: NetworkError when attempting to fetch resource.. Is this a valid Mastodon instance?"
|
||||||
|
- [Mastonaut](https://mastonaut.app/)
|
||||||
|
- [Toot!](https://apps.apple.com/app/toot/id1229021451)
|
||||||
|
- [Halycon](https://www.halcyon.social/) Doesn't load content, creates masses of HTTP requests
|
||||||
|
|
||||||
## Entities
|
## Entities
|
||||||
|
|
||||||
|
|
|
@ -61,52 +61,44 @@ class BaseApi extends BaseModule
|
||||||
|
|
||||||
public static function delete(array $parameters = [])
|
public static function delete(array $parameters = [])
|
||||||
{
|
{
|
||||||
if (!api_user()) {
|
self::checkAllowedScope(self::SCOPE_WRITE);
|
||||||
throw new HTTPException\UnauthorizedException(DI::l10n()->t('Permission denied.'));
|
|
||||||
}
|
|
||||||
|
|
||||||
$a = DI::app();
|
$a = DI::app();
|
||||||
|
|
||||||
if (!empty($a->user['uid']) && $a->user['uid'] != api_user()) {
|
if (!empty($a->user['uid']) && $a->user['uid'] != self::getCurrentUserID()) {
|
||||||
throw new HTTPException\ForbiddenException(DI::l10n()->t('Permission denied.'));
|
throw new HTTPException\ForbiddenException(DI::l10n()->t('Permission denied.'));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public static function patch(array $parameters = [])
|
public static function patch(array $parameters = [])
|
||||||
{
|
{
|
||||||
if (!api_user()) {
|
self::checkAllowedScope(self::SCOPE_WRITE);
|
||||||
throw new HTTPException\UnauthorizedException(DI::l10n()->t('Permission denied.'));
|
|
||||||
}
|
|
||||||
|
|
||||||
$a = DI::app();
|
$a = DI::app();
|
||||||
|
|
||||||
if (!empty($a->user['uid']) && $a->user['uid'] != api_user()) {
|
if (!empty($a->user['uid']) && $a->user['uid'] != self::getCurrentUserID()) {
|
||||||
throw new HTTPException\ForbiddenException(DI::l10n()->t('Permission denied.'));
|
throw new HTTPException\ForbiddenException(DI::l10n()->t('Permission denied.'));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public static function post(array $parameters = [])
|
public static function post(array $parameters = [])
|
||||||
{
|
{
|
||||||
if (!api_user()) {
|
self::checkAllowedScope(self::SCOPE_WRITE);
|
||||||
throw new HTTPException\UnauthorizedException(DI::l10n()->t('Permission denied.'));
|
|
||||||
}
|
|
||||||
|
|
||||||
$a = DI::app();
|
$a = DI::app();
|
||||||
|
|
||||||
if (!empty($a->user['uid']) && $a->user['uid'] != api_user()) {
|
if (!empty($a->user['uid']) && $a->user['uid'] != self::getCurrentUserID()) {
|
||||||
throw new HTTPException\ForbiddenException(DI::l10n()->t('Permission denied.'));
|
throw new HTTPException\ForbiddenException(DI::l10n()->t('Permission denied.'));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public static function put(array $parameters = [])
|
public static function put(array $parameters = [])
|
||||||
{
|
{
|
||||||
if (!api_user()) {
|
self::checkAllowedScope(self::SCOPE_WRITE);
|
||||||
throw new HTTPException\UnauthorizedException(DI::l10n()->t('Permission denied.'));
|
|
||||||
}
|
|
||||||
|
|
||||||
$a = DI::app();
|
$a = DI::app();
|
||||||
|
|
||||||
if (!empty($a->user['uid']) && $a->user['uid'] != api_user()) {
|
if (!empty($a->user['uid']) && $a->user['uid'] != self::getCurrentUserID()) {
|
||||||
throw new HTTPException\ForbiddenException(DI::l10n()->t('Permission denied.'));
|
throw new HTTPException\ForbiddenException(DI::l10n()->t('Permission denied.'));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -189,7 +181,7 @@ class BaseApi extends BaseModule
|
||||||
*
|
*
|
||||||
* @return int User ID
|
* @return int User ID
|
||||||
*/
|
*/
|
||||||
public static function getCurrentUserID()
|
protected static function getCurrentUserID()
|
||||||
{
|
{
|
||||||
$uid = OAuth::getCurrentUserID();
|
$uid = OAuth::getCurrentUserID();
|
||||||
|
|
||||||
|
|
|
@ -21,8 +21,15 @@
|
||||||
|
|
||||||
namespace Friendica\Security;
|
namespace Friendica\Security;
|
||||||
|
|
||||||
|
use Exception;
|
||||||
|
use Friendica\Core\Hook;
|
||||||
|
use Friendica\Core\Logger;
|
||||||
|
use Friendica\Core\Session;
|
||||||
use Friendica\Database\DBA;
|
use Friendica\Database\DBA;
|
||||||
use Friendica\DI;
|
use Friendica\DI;
|
||||||
|
use Friendica\Model\User;
|
||||||
|
use Friendica\Network\HTTPException\UnauthorizedException;
|
||||||
|
use Friendica\Util\DateTimeFormat;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Authentification via the basic auth method
|
* Authentification via the basic auth method
|
||||||
|
@ -49,9 +56,7 @@ class BasicAuth
|
||||||
public static function getCurrentUserID(bool $login)
|
public static function getCurrentUserID(bool $login)
|
||||||
{
|
{
|
||||||
if (empty(self::$current_user_id)) {
|
if (empty(self::$current_user_id)) {
|
||||||
api_login(DI::app(), $login);
|
self::$current_user_id = self::getUserIdByAuth($login);
|
||||||
|
|
||||||
self::$current_user_id = api_user();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return (int)self::$current_user_id;
|
return (int)self::$current_user_id;
|
||||||
|
@ -72,10 +77,27 @@ class BasicAuth
|
||||||
return self::$current_token;
|
return self::$current_token;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$source = $_REQUEST['source'] ?? '';
|
||||||
|
|
||||||
|
// Support for known clients that doesn't send a source name
|
||||||
|
if (empty($source) && !empty($_SERVER['HTTP_USER_AGENT'])) {
|
||||||
|
if(strpos($_SERVER['HTTP_USER_AGENT'], "Twidere") !== false) {
|
||||||
|
$source = 'Twidere';
|
||||||
|
}
|
||||||
|
|
||||||
|
Logger::info('Unrecognized user-agent', ['http_user_agent' => $_SERVER['HTTP_USER_AGENT']]);
|
||||||
|
} else {
|
||||||
|
Logger::info('Empty user-agent');
|
||||||
|
}
|
||||||
|
|
||||||
|
if (empty($source)) {
|
||||||
|
$source = 'api';
|
||||||
|
}
|
||||||
|
|
||||||
self::$current_token = [
|
self::$current_token = [
|
||||||
'uid' => self::$current_user_id,
|
'uid' => self::$current_user_id,
|
||||||
'id' => 0,
|
'id' => 0,
|
||||||
'name' => api_source(),
|
'name' => $source,
|
||||||
'website' => '',
|
'website' => '',
|
||||||
'created_at' => DBA::NULL_DATETIME,
|
'created_at' => DBA::NULL_DATETIME,
|
||||||
'read' => true,
|
'read' => true,
|
||||||
|
@ -85,4 +107,90 @@ class BasicAuth
|
||||||
|
|
||||||
return self::$current_token;
|
return self::$current_token;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Fetch the user id via the auth header information
|
||||||
|
*
|
||||||
|
* @param boolean $do_login Perform a login request if not logged in
|
||||||
|
*
|
||||||
|
* @return integer User ID
|
||||||
|
*/
|
||||||
|
private static function getUserIdByAuth(bool $do_login = true):int
|
||||||
|
{
|
||||||
|
$a = DI::app();
|
||||||
|
Session::set('allow_api', false);
|
||||||
|
self::$current_user_id = 0;
|
||||||
|
|
||||||
|
// workaround for HTTP-auth in CGI mode
|
||||||
|
if (!empty($_SERVER['REDIRECT_REMOTE_USER'])) {
|
||||||
|
$userpass = base64_decode(substr($_SERVER["REDIRECT_REMOTE_USER"], 6));
|
||||||
|
if (strlen($userpass)) {
|
||||||
|
list($name, $password) = explode(':', $userpass);
|
||||||
|
$_SERVER['PHP_AUTH_USER'] = $name;
|
||||||
|
$_SERVER['PHP_AUTH_PW'] = $password;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
$user = $_SERVER['PHP_AUTH_USER'] ?? '';
|
||||||
|
$password = $_SERVER['PHP_AUTH_PW'] ?? '';
|
||||||
|
|
||||||
|
// allow "user@server" login (but ignore 'server' part)
|
||||||
|
$at = strstr($user, "@", true);
|
||||||
|
if ($at) {
|
||||||
|
$user = $at;
|
||||||
|
}
|
||||||
|
|
||||||
|
// next code from mod/auth.php. needs better solution
|
||||||
|
$record = null;
|
||||||
|
|
||||||
|
$addon_auth = [
|
||||||
|
'username' => trim($user),
|
||||||
|
'password' => trim($password),
|
||||||
|
'authenticated' => 0,
|
||||||
|
'user_record' => null,
|
||||||
|
];
|
||||||
|
|
||||||
|
/*
|
||||||
|
* An addon indicates successful login by setting 'authenticated' to non-zero value and returning a user record
|
||||||
|
* Addons should never set 'authenticated' except to indicate success - as hooks may be chained
|
||||||
|
* and later addons should not interfere with an earlier one that succeeded.
|
||||||
|
*/
|
||||||
|
Hook::callAll('authenticate', $addon_auth);
|
||||||
|
|
||||||
|
if ($addon_auth['authenticated'] && !empty($addon_auth['user_record'])) {
|
||||||
|
$record = $addon_auth['user_record'];
|
||||||
|
} else {
|
||||||
|
try {
|
||||||
|
$user_id = User::getIdFromPasswordAuthentication(trim($user), trim($password), true);
|
||||||
|
$record = DBA::selectFirst('user', [], ['uid' => $user_id]);
|
||||||
|
} catch (Exception $ex) {
|
||||||
|
$record = [];
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (empty($record)) {
|
||||||
|
if (!$do_login) {
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
Logger::debug('Access denied', ['parameters' => $_SERVER]);
|
||||||
|
header('WWW-Authenticate: Basic realm="Friendica"');
|
||||||
|
throw new UnauthorizedException("This API requires login");
|
||||||
|
}
|
||||||
|
|
||||||
|
// Don't refresh the login date more often than twice a day to spare database writes
|
||||||
|
$login_refresh = strcmp(DateTimeFormat::utc('now - 12 hours'), $record['login_date']) > 0;
|
||||||
|
|
||||||
|
DI::auth()->setForUser($a, $record, false, false, $login_refresh);
|
||||||
|
|
||||||
|
Session::set('allow_api', true);
|
||||||
|
|
||||||
|
Hook::callAll('logged_in', $a->user);
|
||||||
|
|
||||||
|
if (Session::get('allow_api')) {
|
||||||
|
self::$current_user_id = local_user();
|
||||||
|
} else {
|
||||||
|
self::$current_user_id = 0;
|
||||||
|
}
|
||||||
|
return self::$current_user_id;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue