src/Module/BaseApi.php

   1 <?php
   2 /**
   3  * @copyright Copyright (C) 2010-2021, the Friendica project
   4  *
   5  * @license GNU AGPL version 3 or any later version
   6  *
   7  * This program is free software: you can redistribute it and/or modify
   8  * it under the terms of the GNU Affero General Public License as
   9  * published by the Free Software Foundation, either version 3 of the
  10  * License, or (at your option) any later version.
  11  *
  12  * This program is distributed in the hope that it will be useful,
  13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15  * GNU Affero General Public License for more details.
  16  *
  17  * You should have received a copy of the GNU Affero General Public License
  18  * along with this program.  If not, see <https://www.gnu.org/licenses/>.
  19  *
  20  */
  21
  22 namespace Friendica\Module;
  23
  24 use Friendica\BaseModule;
  25 use Friendica\Core\Logger;
  26 use Friendica\Core\System;
  27 use Friendica\Database\Database;
  28 use Friendica\Database\DBA;
  29 use Friendica\DI;
  30 use Friendica\Network\HTTPException;
  31 use Friendica\Util\DateTimeFormat;
  32 use Friendica\Util\Network;
  33
  34 require_once __DIR__ . '/../../include/api.php';
  35
  36 class BaseApi extends BaseModule
  37 {
  38         const SCOPE_READ   = 'read';
  39         const SCOPE_WRITE  = 'write';
  40         const SCOPE_FOLLOW = 'follow';
  41         const SCOPE_PUSH   = 'push';
  42
  43         /**
  44          * @var string json|xml|rss|atom
  45          */
  46         protected static $format = 'json';
  47         /**
  48          * @var bool|int
  49          */
  50         protected static $current_user_id;
  51         /**
  52          * @var array
  53          */
  54         protected static $current_token = [];
  55
  56         public static function init(array $parameters = [])
  57         {
  58                 $arguments = DI::args();
  59
  60                 if (substr($arguments->getCommand(), -4) === '.xml') {
  61                         self::$format = 'xml';
  62                 }
  63                 if (substr($arguments->getCommand(), -4) === '.rss') {
  64                         self::$format = 'rss';
  65                 }
  66                 if (substr($arguments->getCommand(), -4) === '.atom') {
  67                         self::$format = 'atom';
  68                 }
  69         }
  70
  71         public static function delete(array $parameters = [])
  72         {
  73                 if (!api_user()) {
  74                         throw new HTTPException\UnauthorizedException(DI::l10n()->t('Permission denied.'));
  75                 }
  76
  77                 $a = DI::app();
  78
  79                 if (!empty($a->user['uid']) && $a->user['uid'] != api_user()) {
  80                         throw new HTTPException\ForbiddenException(DI::l10n()->t('Permission denied.'));
  81                 }
  82         }
  83
  84         public static function patch(array $parameters = [])
  85         {
  86                 if (!api_user()) {
  87                         throw new HTTPException\UnauthorizedException(DI::l10n()->t('Permission denied.'));
  88                 }
  89
  90                 $a = DI::app();
  91
  92                 if (!empty($a->user['uid']) && $a->user['uid'] != api_user()) {
  93                         throw new HTTPException\ForbiddenException(DI::l10n()->t('Permission denied.'));
  94                 }
  95         }
  96
  97         public static function post(array $parameters = [])
  98         {
  99                 if (!api_user()) {
 100                         throw new HTTPException\UnauthorizedException(DI::l10n()->t('Permission denied.'));
 101                 }
 102
 103                 $a = DI::app();
 104
 105                 if (!empty($a->user['uid']) && $a->user['uid'] != api_user()) {
 106                         throw new HTTPException\ForbiddenException(DI::l10n()->t('Permission denied.'));
 107                 }
 108         }
 109
 110         public static function put(array $parameters = [])
 111         {
 112                 if (!api_user()) {
 113                         throw new HTTPException\UnauthorizedException(DI::l10n()->t('Permission denied.'));
 114                 }
 115
 116                 $a = DI::app();
 117
 118                 if (!empty($a->user['uid']) && $a->user['uid'] != api_user()) {
 119                         throw new HTTPException\ForbiddenException(DI::l10n()->t('Permission denied.'));
 120                 }
 121         }
 122
 123         /**
 124          * Quit execution with the message that the endpoint isn't implemented
 125          *
 126          * @param string $method
 127          * @return void
 128          */
 129         public static function unsupported(string $method = 'all')
 130         {
 131                 $path = DI::args()->getQueryString();
 132                 Logger::info('Unimplemented API call', ['method' => $method, 'path' => $path, 'agent' => $_SERVER['HTTP_USER_AGENT'] ?? '', 'request' => $_REQUEST ?? []]);
 133                 $error = DI::l10n()->t('API endpoint %s %s is not implemented', strtoupper($method), $path);
 134                 $error_description = DI::l10n()->t('The API endpoint is currently not implemented but might be in the future.');
 135                 $errorobj = new \Friendica\Object\Api\Mastodon\Error($error, $error_description);
 136                 System::jsonError(501, $errorobj->toArray());
 137         }
 138
 139         /**
 140          * Get post data that is transmitted as JSON
 141          *
 142          * @return array request data
 143          */
 144         public static function getJsonPostData()
 145         {
 146                 $postdata = Network::postdata();
 147                 if (empty($postdata)) {
 148                         return [];
 149                 }
 150
 151                 return json_decode($postdata, true);
 152         }
 153
 154         /**
 155          * Get request data for put requests
 156          *
 157          * @return array request data
 158          */
 159         public static function getPutData()
 160         {
 161                 $rawdata = Network::postdata();
 162                 if (empty($rawdata)) {
 163                         return [];
 164                 }
 165
 166                 $putdata = [];
 167
 168                 foreach (explode('&', $rawdata) as $value) {
 169                         $data = explode('=', $value);
 170                         if (count($data) == 2) {
 171                                 $putdata[$data[0]] = urldecode($data[1]);
 172                         }
 173                 }
 174
 175                 return $putdata;
 176         }
 177
 178         /**
 179          * Log in user via OAuth1 or Simple HTTP Auth.
 180          *
 181          * Simple Auth allow username in form of <pre>user@server</pre>, ignoring server part
 182          *
 183          * @param string $scope the requested scope (read, write, follow)
 184          *
 185          * @return bool Was a user authenticated?
 186          * @throws HTTPException\ForbiddenException
 187          * @throws HTTPException\UnauthorizedException
 188          * @throws HTTPException\InternalServerErrorException
 189          * @hook  'authenticate'
 190          *               array $addon_auth
 191          *               'username' => username from login form
 192          *               'password' => password from login form
 193          *               'authenticated' => return status,
 194          *               'user_record' => return authenticated user record
 195          */
 196         protected static function login(string $scope)
 197         {
 198                 if (empty(self::$current_user_id)) {
 199                         self::$current_token = self::getTokenByBearer();
 200                         if (!empty(self::$current_token['uid'])) {
 201                                 self::$current_user_id = self::$current_token['uid'];
 202                         } else {
 203                                 self::$current_user_id = 0;
 204                         }
 205                 }
 206
 207                 if (!empty($scope) && !empty(self::$current_token)) {
 208                         if (empty(self::$current_token[$scope])) {
 209                                 Logger::warning('The requested scope is not allowed', ['scope' => $scope, 'application' => self::$current_token]);
 210                                 DI::mstdnError()->Forbidden();
 211                         }
 212                 }
 213
 214                 if (empty(self::$current_user_id)) {
 215                         // The execution stops here if no one is logged in
 216                         api_login(DI::app());
 217                 }
 218
 219                 self::$current_user_id = api_user();
 220
 221                 return (bool)self::$current_user_id;
 222         }
 223
 224         /**
 225          * Get current application
 226          *
 227          * @return array token
 228          */
 229         protected static function getCurrentApplication()
 230         {
 231                 return self::$current_token;
 232         }
 233
 234         /**
 235          * Get current user id, returns 0 if not logged in
 236          *
 237          * @return int User ID
 238          */
 239         protected static function getCurrentUserID()
 240         {
 241                 if (empty(self::$current_user_id)) {
 242                         self::$current_token = self::getTokenByBearer();
 243                         if (!empty(self::$current_token['uid'])) {
 244                                 self::$current_user_id = self::$current_token['uid'];
 245                         } else {
 246                                 self::$current_user_id = 0;
 247                         }
 248
 249                 }
 250
 251                 if (empty(self::$current_user_id)) {
 252                         // Fetch the user id if logged in - but don't fail if not
 253                         api_login(DI::app(), false);
 254
 255                         self::$current_user_id = api_user();
 256                 }
 257
 258                 return (int)self::$current_user_id;
 259         }
 260
 261         /**
 262          * Get the user token via the Bearer token
 263          *
 264          * @return array User Token
 265          */
 266         private static function getTokenByBearer()
 267         {
 268                 $authorization = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
 269
 270                 if (substr($authorization, 0, 7) != 'Bearer ') {
 271                         return [];
 272                 }
 273
 274                 $bearer = trim(substr($authorization, 7));
 275                 $condition = ['access_token' => $bearer];
 276                 $token = DBA::selectFirst('application-view', ['uid', 'id', 'name', 'website', 'created_at', 'read', 'write', 'follow', 'push'], $condition);
 277                 if (!DBA::isResult($token)) {
 278                         Logger::warning('Token not found', $condition);
 279                         return [];
 280                 }
 281                 Logger::info('Token found', $token);
 282                 return $token;
 283         }
 284
 285         /**
 286          * Get the application record via the proved request header fields
 287          *
 288          * @param string $client_id
 289          * @param string $client_secret
 290          * @param string $redirect_uri
 291          * @return array application record
 292          */
 293         public static function getApplication(string $client_id, string $client_secret, string $redirect_uri)
 294         {
 295                 $condition = ['client_id' => $client_id];
 296                 if (!empty($client_secret)) {
 297                         $condition['client_secret'] = $client_secret;
 298                 }
 299                 if (!empty($redirect_uri)) {
 300                         $condition['redirect_uri'] = $redirect_uri;
 301                 }
 302
 303                 $application = DBA::selectFirst('application', [], $condition);
 304                 if (!DBA::isResult($application)) {
 305                         Logger::warning('Application not found', $condition);
 306                         return [];
 307                 }
 308                 return $application;
 309         }
 310
 311         /**
 312          * Check if an token for the application and user exists
 313          *
 314          * @param array $application
 315          * @param integer $uid
 316          * @return boolean
 317          */
 318         public static function existsTokenForUser(array $application, int $uid)
 319         {
 320                 return DBA::exists('application-token', ['application-id' => $application['id'], 'uid' => $uid]);
 321         }
 322
 323         /**
 324          * Fetch the token for the given application and user
 325          *
 326          * @param array $application
 327          * @param integer $uid
 328          * @return array application record
 329          */
 330         public static function getTokenForUser(array $application, int $uid)
 331         {
 332                 return DBA::selectFirst('application-token', [], ['application-id' => $application['id'], 'uid' => $uid]);
 333         }
 334
 335         /**
 336          * Create and fetch an token for the application and user
 337          *
 338          * @param array   $application
 339          * @param integer $uid
 340          * @param string  $scope
 341          * @return array application record
 342          */
 343         public static function createTokenForUser(array $application, int $uid, string $scope)
 344         {
 345                 $code         = bin2hex(random_bytes(32));
 346                 $access_token = bin2hex(random_bytes(32));
 347
 348                 $fields = ['application-id' => $application['id'], 'uid' => $uid, 'code' => $code, 'access_token' => $access_token, 'scopes' => $scope,
 349                         'read' => (stripos($scope, self::SCOPE_READ) !== false),
 350                         'write' => (stripos($scope, self::SCOPE_WRITE) !== false),
 351                         'follow' => (stripos($scope, self::SCOPE_FOLLOW) !== false),
 352                         'push' => (stripos($scope, self::SCOPE_PUSH) !== false),
 353                          'created_at' => DateTimeFormat::utcNow(DateTimeFormat::MYSQL)];
 354
 355                 foreach ([self::SCOPE_READ, self::SCOPE_WRITE, self::SCOPE_WRITE, self::SCOPE_PUSH] as $scope) {
 356                         if ($fields[$scope] && !$application[$scope]) {
 357                                 Logger::warning('Requested token scope is not allowed for the application', ['token' => $fields, 'application' => $application]);
 358                         }
 359                 }
 360
 361                 if (!DBA::insert('application-token', $fields, Database::INSERT_UPDATE)) {
 362                         return [];
 363                 }
 364
 365                 return DBA::selectFirst('application-token', [], ['application-id' => $application['id'], 'uid' => $uid]);
 366         }
 367
 368         /**
 369          * Get user info array.
 370          *
 371          * @param int|string $contact_id Contact ID or URL
 372          * @return array|bool
 373          * @throws HTTPException\BadRequestException
 374          * @throws HTTPException\InternalServerErrorException
 375          * @throws HTTPException\UnauthorizedException
 376          * @throws \ImagickException
 377          */
 378         protected static function getUser($contact_id = null)
 379         {
 380                 return api_get_user(DI::app(), $contact_id);
 381         }
 382
 383         /**
 384          * Formats the data according to the data type
 385          *
 386          * @param string $root_element
 387          * @param array $data An array with a single element containing the returned result
 388          * @return false|string
 389          */
 390         protected static function format(string $root_element, array $data)
 391         {
 392                 $return = api_format_data($root_element, self::$format, $data);
 393
 394                 switch (self::$format) {
 395                         case "xml":
 396                                 header("Content-Type: text/xml");
 397                                 break;
 398                         case "json":
 399                                 header("Content-Type: application/json");
 400                                 if (!empty($return)) {
 401                                         $json = json_encode(end($return));
 402                                         if (!empty($_GET['callback'])) {
 403                                                 $json = $_GET['callback'] . "(" . $json . ")";
 404                                         }
 405                                         $return = $json;
 406                                 }
 407                                 break;
 408                         case "rss":
 409                                 header("Content-Type: application/rss+xml");
 410                                 $return  = '<?xml version="1.0" encoding="UTF-8"?>' . "\n" . $return;
 411                                 break;
 412                         case "atom":
 413                                 header("Content-Type: application/atom+xml");
 414                                 $return = '<?xml version="1.0" encoding="UTF-8"?>' . "\n" . $return;
 415                                 break;
 416                 }
 417
 418                 return $return;
 419         }
 420
 421         /**
 422          * Creates the XML from a JSON style array
 423          *
 424          * @param $data
 425          * @param $root_element
 426          * @return string
 427          */
 428         protected static function createXml($data, $root_element)
 429         {
 430                 return api_create_xml($data, $root_element);
 431         }
 432 }