From 8389d8677d4e2deaaf5da028d9abacf7ce5ef250 Mon Sep 17 00:00:00 2001
From: redmatrix <redmatrix@redmatrix.me>
Date: Thu, 10 Dec 2015 16:39:46 -0800
Subject: some major cleanup of api authentication stuff - still needs much
 more and this still may not solve #206

---
 include/api_auth.php | 66 ++++++++++++++++++++++++++--------------------------
 1 file changed, 33 insertions(+), 33 deletions(-)

(limited to 'include/api_auth.php')

diff --git a/include/api_auth.php b/include/api_auth.php
index cabaed93e..c9978c99d 100644
--- a/include/api_auth.php
+++ b/include/api_auth.php
@@ -1,16 +1,18 @@
 <?php /** @file */
 
-require_once('include/oauth.php');
-
-
 /**
- * Simple HTTP Login
+ * API Login via basic-auth or OAuth
  */
 
 function api_login(&$a){
+
+	$record = null;
+
+	require_once('include/oauth.php');
+
 	// login with oauth
 	try {
-		$oauth = new FKOAuth1();
+		$oauth = new ZotOAuth1();
 		$req = OAuthRequest::from_request();
 
 		list($consumer,$token) = $oauth->verify_request($req);
@@ -23,16 +25,14 @@ function api_login(&$a){
 			call_hooks('logged_in', $a->user);
 			return;
 		}
-		echo __file__.__line__.__function__."<pre>"; 
-//			var_dump($consumer, $token); 
 		killme();
 	}
 	catch(Exception $e) {
 		logger(__file__.__line__.__function__."\n".$e);
 	}
-
 		
-	// workaround for HTTP-auth in CGI mode
+	// workarounds for HTTP-auth in CGI mode
+
 	if(x($_SERVER,'REDIRECT_REMOTE_USER')) {
 		$userpass = base64_decode(substr($_SERVER["REDIRECT_REMOTE_USER"],6)) ;
 		if(strlen($userpass)) {
@@ -51,43 +51,43 @@ function api_login(&$a){
 		}
 	}
 
+	require_once('include/auth.php');
+	require_once('include/security.php');
 
-	if (!isset($_SERVER['PHP_AUTH_USER'])) {
-		logger('API_login: ' . print_r($_SERVER,true), LOGGER_DEBUG);
-		retry_basic_auth();
-	}
-		
 	// process normal login request
-	require_once('include/auth.php');
-	$channel_login = 0;
-	$record = account_verify_password($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW']);
-	if(! $record) {
-	        $r = q("select * from channel where channel_address = '%s' limit 1",
+
+	if(isset($_SERVER['PHP_AUTH_USER'])) {
+		$channel_login = 0;
+		$record = account_verify_password($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW']);
+		if(! $record) {
+	        $r = q("select * from channel left join account on account.account_id = channel.channel_account_id 
+				where channel.channel_address = '%s' limit 1",
 		       dbesc($_SERVER['PHP_AUTH_USER'])
 			);
         	if ($r) {
-			$x = q("select * from account where account_id = %d limit 1",
-			       intval($r[0]['channel_account_id'])
-				);
-			if ($x) {
-				$record = account_verify_password($x[0]['account_email'],$_SERVER['PHP_AUTH_PW']);
+				$record = account_verify_password($r[0]['account_email'],$_SERVER['PHP_AUTH_PW']);
 				if($record)
 					$channel_login = $r[0]['channel_id'];
 			}
 		}
-		if(! $record) {	
-			logger('API_login failure: ' . print_r($_SERVER,true), LOGGER_DEBUG);
-			retry_basic_auth();
-		}
 	}
 
-	require_once('include/security.php');
-	authenticate_success($record);
+	if($record) {
+		authenticate_success($record);
+
+		if($channel_login)
+			change_channel($channel_login);
 
-	if($channel_login)
-		change_channel($channel_login);
+		$_SESSION['allow_api'] = true;
+		return true;
+	}
+	else {
+		$_SERVER['PHP_AUTH_PW'] = '*****';
+		logger('API_login failure: ' . print_r($_SERVER,true), LOGGER_DEBUG);
+		log_failed_login('API login failure');
+		retry_basic_auth();
+	}
 
-	$_SESSION['allow_api'] = true;
 }
 
 
-- 
cgit v1.2.3