From 656e5fd052d0ee1e9161e25090b54be70d4880ba Mon Sep 17 00:00:00 2001 From: redmatrix Date: Tue, 8 Dec 2015 20:42:46 -0800 Subject: use killme() instead of die() so that any sessions are closed cleanly. --- include/api_auth.php | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'include/api_auth.php') diff --git a/include/api_auth.php b/include/api_auth.php index ee9db3f55..b78c69bac 100644 --- a/include/api_auth.php +++ b/include/api_auth.php @@ -1,6 +1,6 @@ "; // var_dump($consumer, $token); - die(); + killme(); } catch(Exception $e) { logger(__file__.__line__.__function__."\n".$e); @@ -56,7 +56,8 @@ function api_login(&$a){ logger('API_login: ' . print_r($_SERVER,true), LOGGER_DEBUG); header('WWW-Authenticate: Basic realm="Red"'); header('HTTP/1.0 401 Unauthorized'); - die('This api requires login'); + echo('This api requires login'); + killme(); } // process normal login request @@ -81,7 +82,8 @@ function api_login(&$a){ logger('API_login failure: ' . print_r($_SERVER,true), LOGGER_DEBUG); header('WWW-Authenticate: Basic realm="Red"'); header('HTTP/1.0 401 Unauthorized'); - die('This api requires login'); + echo('This api requires login'); + killme(); } } -- cgit v1.2.3 From 0f4ceedbb492126dcbbbcd77b5252816097d2857 Mon Sep 17 00:00:00 2001 From: redmatrix Date: Tue, 8 Dec 2015 20:47:55 -0800 Subject: remove duplicated code --- include/api_auth.php | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) (limited to 'include/api_auth.php') diff --git a/include/api_auth.php b/include/api_auth.php index b78c69bac..cabaed93e 100644 --- a/include/api_auth.php +++ b/include/api_auth.php @@ -54,10 +54,7 @@ function api_login(&$a){ if (!isset($_SERVER['PHP_AUTH_USER'])) { logger('API_login: ' . print_r($_SERVER,true), LOGGER_DEBUG); - header('WWW-Authenticate: Basic realm="Red"'); - header('HTTP/1.0 401 Unauthorized'); - echo('This api requires login'); - killme(); + retry_basic_auth(); } // process normal login request 
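Review bot: The two failure branches that now end in `killme()` still run `logger('API_login failure: ' . print_r($_SERVER,true), LOGGER_DEBUG)` immediately before it, so the wrong password of every failed attempt is written to the log in clear text via `$_SERVER['PHP_AUTH_PW']` (the missing-credentials branch dumps `$_SERVER` the same way). Swapping `die()` for `killme()` changes nothing about what is logged; mask the secret first, `$_SERVER['PHP_AUTH_PW'] = '*****';` ahead of the `logger()` call, or log only `REMOTE_ADDR`, `REQUEST_URI` and `PHP_AUTH_USER`. If the CGI workaround earlier in api_login copies the Basic header into `REDIRECT_REMOTE_USER`, that entry carries the same credential base64-encoded and needs the same treatment. api_login's body continues outside these hunks.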
@@ -80,10 +77,7 @@ function api_login(&$a){ } if(! $record) { logger('API_login failure: ' . print_r($_SERVER,true), LOGGER_DEBUG); - header('WWW-Authenticate: Basic realm="Red"'); - header('HTTP/1.0 401 Unauthorized'); - echo('This api requires login'); - killme(); + retry_basic_auth(); } } @@ -95,3 +89,11 @@ function api_login(&$a){ $_SESSION['allow_api'] = true; } + + +function retry_basic_auth() { + header('WWW-Authenticate: Basic realm="Hubzilla"'); + header('HTTP/1.0 401 Unauthorized'); + echo('This api requires login'); + killme(); +} \ No newline at end of file -- cgit v1.2.3 From 8389d8677d4e2deaaf5da028d9abacf7ce5ef250 Mon Sep 17 00:00:00 2001 From: redmatrix Date: Thu, 10 Dec 2015 16:39:46 -0800 Subject: some major cleanup of api authentication stuff - still needs much more and this still may not solve #206 --- include/api_auth.php | 66 ++++++++++++++++++++++++++-------------------------- 1 file changed, 33 insertions(+), 33 deletions(-) (limited to 'include/api_auth.php') diff --git a/include/api_auth.php b/include/api_auth.php index cabaed93e..c9978c99d 100644 --- a/include/api_auth.php +++ b/include/api_auth.php @@ -1,16 +1,18 @@ verify_request($req); @@ -23,16 +25,14 @@ function api_login(&$a){ call_hooks('logged_in', $a->user); return; } - echo __file__.__line__.__function__."
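Review bot: The new `retry_basic_auth()` helper changes the challenge realm from `"Red"` to `"Hubzilla"` in a commit described as removing duplicated code; HTTP clients key cached Basic credentials by realm, so existing API clients will be re-prompted and nobody bisecting for that will find it from the message. Either keep `header('WWW-Authenticate: Basic realm="Red"');` here and change the realm in its own commit, or say so in the commit message. The helper is also declared unconditionally at file scope with no `function_exists()` guard, which is only safe if include/api_auth.php is guaranteed to be included once — I cannot confirm that from this hunk. The file now also ends without a trailing newline.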
"; 
-//			var_dump($consumer, $token); 
 		killme();
 	}
 	catch(Exception $e) {
 		logger(__file__.__line__.__function__."\n".$e);
 	}
-
 		
-	// workaround for HTTP-auth in CGI mode
+	// workarounds for HTTP-auth in CGI mode
+
 	if(x($_SERVER,'REDIRECT_REMOTE_USER')) {
 		$userpass = base64_decode(substr($_SERVER["REDIRECT_REMOTE_USER"],6)) ;
 		if(strlen($userpass)) {
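Review bot: With the debug `echo` removed, the `killme()` left after the `return` is reached silently whenever `verify_request()` succeeded but the guarded block above did not return — no status line, no body and no log entry, so a valid OAuth1 signature with no usable account presumably looks like an empty 200 to the client and leaves nothing for the operator. Add at least `logger('API_login: oauth1 request verified but no account matched', LOGGER_DEBUG);` and `header('HTTP/1.0 401 Unauthorized');` before `killme();`. What the conditional above checks is only partly visible in this hunk and api_login starts before it, so the exact trigger should be confirmed against the full function.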
@@ -51,43 +51,43 @@ function api_login(&$a){
 		}
 	}
 
+	require_once('include/auth.php');
+	require_once('include/security.php');
 
-	if (!isset($_SERVER['PHP_AUTH_USER'])) {
-		logger('API_login: ' . print_r($_SERVER,true), LOGGER_DEBUG);
-		retry_basic_auth();
-	}
-		
 	// process normal login request
-	require_once('include/auth.php');
-	$channel_login = 0;
-	$record = account_verify_password($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW']);
-	if(! $record) {
-	        $r = q("select * from channel where channel_address = '%s' limit 1",
+
+	if(isset($_SERVER['PHP_AUTH_USER'])) {
+		$channel_login = 0;
+		$record = account_verify_password($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW']);
+		if(! $record) {
+	        $r = q("select * from channel left join account on account.account_id = channel.channel_account_id 
+				where channel.channel_address = '%s' limit 1",
 		       dbesc($_SERVER['PHP_AUTH_USER'])
 			);
         	if ($r) {
-			$x = q("select * from account where account_id = %d limit 1",
-			       intval($r[0]['channel_account_id'])
-				);
-			if ($x) {
-				$record = account_verify_password($x[0]['account_email'],$_SERVER['PHP_AUTH_PW']);
+				$record = account_verify_password($r[0]['account_email'],$_SERVER['PHP_AUTH_PW']);
 				if($record)
 					$channel_login = $r[0]['channel_id'];
 			}
 		}
-		if(! $record) {	
-			logger('API_login failure: ' . print_r($_SERVER,true), LOGGER_DEBUG);
-			retry_basic_auth();
-		}
 	}
 
-	require_once('include/security.php');
-	authenticate_success($record);
+	if($record) {
+		authenticate_success($record);
+
+		if($channel_login)
+			change_channel($channel_login);
 
-	if($channel_login)
-		change_channel($channel_login);
+		$_SESSION['allow_api'] = true;
+		return true;
+	}
+	else {
+		$_SERVER['PHP_AUTH_PW'] = '*****';
+		logger('API_login failure: ' . print_r($_SERVER,true), LOGGER_DEBUG);
+		log_failed_login('API login failure');
+		retry_basic_auth();
+	}
 
-	$_SESSION['allow_api'] = true;
 }
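Review bot: Masking `$_SERVER['PHP_AUTH_PW']` before the `print_r($_SERVER,true)` dump is incomplete: the CGI workaround at the top of this function base64-decodes `$_SERVER['REDIRECT_REMOTE_USER']` to obtain the user:password pair, and that raw entry (and `HTTP_AUTHORIZATION`, if the server sets it) is still printed in clear on every failed attempt. Mask those too, `foreach(array('REDIRECT_REMOTE_USER','HTTP_AUTHORIZATION','REDIRECT_HTTP_AUTHORIZATION') as $k) if(isset($_SERVER[$k])) $_SERVER[$k] = '*****';`, or better, log only `REMOTE_ADDR`, `REQUEST_URI` and `PHP_AUTH_USER`. Separately, `$record` and `$channel_login` are never assigned when `PHP_AUTH_USER` is absent, so `if($record)` reads an undefined variable; initialise both before the `isset` check (`$record = null; $channel_login = 0;`) and guard `$_SERVER['PHP_AUTH_PW']` with `isset()` as well, since a username sent without a password raises an undefined-index notice on its way to the 401. The function header is outside this hunk.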
 
 
-- 
cgit v1.2.3


From 395268da22bf5ec773de7fdc42a338a9cbe87d40 Mon Sep 17 00:00:00 2001
From: redmatrix 
Date: Fri, 11 Dec 2015 21:10:20 -0800
Subject: a couple of api improvements

---
 include/api_auth.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


diff --git a/include/api_auth.php b/include/api_auth.php
index c9978c99d..e3697adb0 100644
--- a/include/api_auth.php
+++ b/include/api_auth.php
@@ -28,7 +28,7 @@ function api_login(&$a){
 		killme();
 	}
 	catch(Exception $e) {
-		logger(__file__.__line__.__function__."\n".$e);
+		logger($e->getMessage());
 	}
 		
 	// workarounds for HTTP-auth in CGI mode
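Review bot: `logger($e->getMessage())` discards the exception class and the call site, so a rejected OAuth1 signature and an unrelated error thrown by `from_request()` both land in the log as a bare message with nothing tying it to the API login path. Suggest `logger('API_login: oauth1 ' . get_class($e) . ': ' . $e->getMessage(), LOGGER_DEBUG);`. Note that an OAuth failure caught here falls through to the Basic-auth path and is never reported to `log_failed_login()`, which the Basic-auth failure branch does call; if `OAuth1Request::from_request()` throws on requests that simply carry no OAuth parameters that asymmetry may be intended, but I cannot tell from this hunk. The try/catch sits inside api_login, which starts outside the hunk.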
-- 
cgit v1.2.3


From bb0e4044bf08bbac9d73a3e3b75d74c33dcacd7f Mon Sep 17 00:00:00 2001
From: redmatrix 
Date: Sun, 13 Dec 2015 15:35:45 -0800
Subject: remove the unqualified "OAuth" namespace from the project. We need to
 reference either OAuth1 or OAuth2.

---
 include/api_auth.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


diff --git a/include/api_auth.php b/include/api_auth.php
index e3697adb0..26a9df8d4 100644
--- a/include/api_auth.php
+++ b/include/api_auth.php
@@ -13,7 +13,7 @@ function api_login(&$a){
 	// login with oauth
 	try {
 		$oauth = new ZotOAuth1();
-		$req = OAuthRequest::from_request();
+		$req = OAuth1Request::from_request();
 
 		list($consumer,$token) = $oauth->verify_request($req);
 
-- 
cgit v1.2.3