src/Module/BaseApi.php

   1 <?php
   2 /**
   3  * @copyright Copyright (C) 2010-2021, the Friendica project
   4  *
   5  * @license GNU AGPL version 3 or any later version
   6  *
   7  * This program is free software: you can redistribute it and/or modify
   8  * it under the terms of the GNU Affero General Public License as
   9  * published by the Free Software Foundation, either version 3 of the
  10  * License, or (at your option) any later version.
  11  *
  12  * This program is distributed in the hope that it will be useful,
  13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15  * GNU Affero General Public License for more details.
  16  *
  17  * You should have received a copy of the GNU Affero General Public License
  18  * along with this program.  If not, see <https://www.gnu.org/licenses/>.
  19  *
  20  */
  21
  22 namespace Friendica\Module;
  23
  24 use Friendica\BaseModule;
  25 use Friendica\Core\Logger;
  26 use Friendica\Core\System;
  27 use Friendica\Database\Database;
  28 use Friendica\Database\DBA;
  29 use Friendica\DI;
  30 use Friendica\Network\HTTPException;
  31 use Friendica\Util\DateTimeFormat;
  32 use Friendica\Util\HTTPInputData;
  33
  34 require_once __DIR__ . '/../../include/api.php';
  35
  36 class BaseApi extends BaseModule
  37 {
  38         const SCOPE_READ   = 'read';
  39         const SCOPE_WRITE  = 'write';
  40         const SCOPE_FOLLOW = 'follow';
  41         const SCOPE_PUSH   = 'push';
  42
  43         /**
  44          * @var string json|xml|rss|atom
  45          */
  46         protected static $format = 'json';
  47         /**
  48          * @var bool|int
  49          */
  50         protected static $current_user_id;
  51         /**
  52          * @var array
  53          */
  54         protected static $current_token = [];
  55
  56         public static function init(array $parameters = [])
  57         {
  58                 $arguments = DI::args();
  59
  60                 if (substr($arguments->getCommand(), -4) === '.xml') {
  61                         self::$format = 'xml';
  62                 }
  63                 if (substr($arguments->getCommand(), -4) === '.rss') {
  64                         self::$format = 'rss';
  65                 }
  66                 if (substr($arguments->getCommand(), -4) === '.atom') {
  67                         self::$format = 'atom';
  68                 }
  69         }
  70
  71         public static function delete(array $parameters = [])
  72         {
  73                 if (!api_user()) {
  74                         throw new HTTPException\UnauthorizedException(DI::l10n()->t('Permission denied.'));
  75                 }
  76
  77                 $a = DI::app();
  78
  79                 if (!empty($a->user['uid']) && $a->user['uid'] != api_user()) {
  80                         throw new HTTPException\ForbiddenException(DI::l10n()->t('Permission denied.'));
  81                 }
  82         }
  83
  84         public static function patch(array $parameters = [])
  85         {
  86                 if (!api_user()) {
  87                         throw new HTTPException\UnauthorizedException(DI::l10n()->t('Permission denied.'));
  88                 }
  89
  90                 $a = DI::app();
  91
  92                 if (!empty($a->user['uid']) && $a->user['uid'] != api_user()) {
  93                         throw new HTTPException\ForbiddenException(DI::l10n()->t('Permission denied.'));
  94                 }
  95         }
  96
  97         public static function post(array $parameters = [])
  98         {
  99                 if (!api_user()) {
 100                         throw new HTTPException\UnauthorizedException(DI::l10n()->t('Permission denied.'));
 101                 }
 102
 103                 $a = DI::app();
 104
 105                 if (!empty($a->user['uid']) && $a->user['uid'] != api_user()) {
 106                         throw new HTTPException\ForbiddenException(DI::l10n()->t('Permission denied.'));
 107                 }
 108         }
 109
 110         public static function put(array $parameters = [])
 111         {
 112                 if (!api_user()) {
 113                         throw new HTTPException\UnauthorizedException(DI::l10n()->t('Permission denied.'));
 114                 }
 115
 116                 $a = DI::app();
 117
 118                 if (!empty($a->user['uid']) && $a->user['uid'] != api_user()) {
 119                         throw new HTTPException\ForbiddenException(DI::l10n()->t('Permission denied.'));
 120                 }
 121         }
 122
 123         /**
 124          * Quit execution with the message that the endpoint isn't implemented
 125          *
 126          * @param string $method
 127          * @return void
 128          */
 129         public static function unsupported(string $method = 'all')
 130         {
 131                 $path = DI::args()->getQueryString();
 132                 Logger::info('Unimplemented API call', ['method' => $method, 'path' => $path, 'agent' => $_SERVER['HTTP_USER_AGENT'] ?? '', 'request' => HTTPInputData::process()]);
 133                 $error = DI::l10n()->t('API endpoint %s %s is not implemented', strtoupper($method), $path);
 134                 $error_description = DI::l10n()->t('The API endpoint is currently not implemented but might be in the future.');
 135                 $errorobj = new \Friendica\Object\Api\Mastodon\Error($error, $error_description);
 136                 System::jsonError(501, $errorobj->toArray());
 137         }
 138
 139         /**
 140          * Processes data from GET requests and sets defaults
 141          *
 142          * @return array request data
 143          */
 144         public static function getRequest(array $defaults)
 145         {
 146                 $httpinput = HTTPInputData::process();
 147                 $input = array_merge($httpinput['variables'], $httpinput['files'], $_REQUEST);
 148
 149                 $request = [];
 150
 151                 foreach ($defaults as $parameter => $defaultvalue) {
 152                         if (is_string($defaultvalue)) {
 153                                 $request[$parameter] = $input[$parameter] ?? $defaultvalue;
 154                         } elseif (is_int($defaultvalue)) {
 155                                 $request[$parameter] = (int)($input[$parameter] ?? $defaultvalue);
 156                         } elseif (is_float($defaultvalue)) {
 157                                 $request[$parameter] = (float)($input[$parameter] ?? $defaultvalue);
 158                         } elseif (is_array($defaultvalue)) {
 159                                 $request[$parameter] = $input[$parameter] ?? [];
 160                         } elseif (is_bool($defaultvalue)) {
 161                                 $request[$parameter] = in_array(strtolower($input[$parameter] ?? ''), ['true', '1']);
 162                         } else {
 163                                 Logger::notice('Unhandled default value type', ['parameter' => $parameter, 'type' => gettype($defaultvalue)]);
 164                         }
 165                 }
 166
 167                 foreach ($input ?? [] as $parameter => $value) {
 168                         if ($parameter == 'pagename') {
 169                                 continue;
 170                         }
 171                         if (!in_array($parameter, array_keys($defaults))) {
 172                                 Logger::notice('Unhandled request field', ['parameter' => $parameter, 'value' => $value, 'command' => DI::args()->getCommand()]);
 173                         }
 174                 }
 175
 176                 Logger::debug('Got request parameters', ['request' => $request, 'command' => DI::args()->getCommand()]);
 177                 return $request;
 178         }
 179
 180         /**
 181          * Log in user via OAuth1 or Simple HTTP Auth.
 182          *
 183          * Simple Auth allow username in form of <pre>user@server</pre>, ignoring server part
 184          *
 185          * @param string $scope the requested scope (read, write, follow)
 186          *
 187          * @return bool Was a user authenticated?
 188          * @throws HTTPException\ForbiddenException
 189          * @throws HTTPException\UnauthorizedException
 190          * @throws HTTPException\InternalServerErrorException
 191          * @hook  'authenticate'
 192          *               array $addon_auth
 193          *               'username' => username from login form
 194          *               'password' => password from login form
 195          *               'authenticated' => return status,
 196          *               'user_record' => return authenticated user record
 197          */
 198         protected static function login(string $scope)
 199         {
 200                 if (empty(self::$current_user_id)) {
 201                         self::$current_token = self::getTokenByBearer();
 202                         if (!empty(self::$current_token['uid'])) {
 203                                 self::$current_user_id = self::$current_token['uid'];
 204                         } else {
 205                                 self::$current_user_id = 0;
 206                         }
 207                 }
 208
 209                 if (!empty($scope) && !empty(self::$current_token)) {
 210                         if (empty(self::$current_token[$scope])) {
 211                                 Logger::warning('The requested scope is not allowed', ['scope' => $scope, 'application' => self::$current_token]);
 212                                 DI::mstdnError()->Forbidden();
 213                         }
 214                 }
 215
 216                 if (empty(self::$current_user_id)) {
 217                         // The execution stops here if no one is logged in
 218                         api_login(DI::app());
 219                 }
 220
 221                 self::$current_user_id = api_user();
 222
 223                 return (bool)self::$current_user_id;
 224         }
 225
 226         /**
 227          * Get current application
 228          *
 229          * @return array token
 230          */
 231         protected static function getCurrentApplication()
 232         {
 233                 return self::$current_token;
 234         }
 235
 236         /**
 237          * Get current user id, returns 0 if not logged in
 238          *
 239          * @return int User ID
 240          */
 241         protected static function getCurrentUserID()
 242         {
 243                 if (empty(self::$current_user_id)) {
 244                         self::$current_token = self::getTokenByBearer();
 245                         if (!empty(self::$current_token['uid'])) {
 246                                 self::$current_user_id = self::$current_token['uid'];
 247                         } else {
 248                                 self::$current_user_id = 0;
 249                         }
 250
 251                 }
 252
 253                 if (empty(self::$current_user_id)) {
 254                         // Fetch the user id if logged in - but don't fail if not
 255                         api_login(DI::app(), false);
 256
 257                         self::$current_user_id = api_user();
 258                 }
 259
 260                 return (int)self::$current_user_id;
 261         }
 262
 263         /**
 264          * Get the user token via the Bearer token
 265          *
 266          * @return array User Token
 267          */
 268         private static function getTokenByBearer()
 269         {
 270                 $authorization = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
 271
 272                 if (substr($authorization, 0, 7) != 'Bearer ') {
 273                         return [];
 274                 }
 275
 276                 $bearer = trim(substr($authorization, 7));
 277                 $condition = ['access_token' => $bearer];
 278                 $token = DBA::selectFirst('application-view', ['uid', 'id', 'name', 'website', 'created_at', 'read', 'write', 'follow', 'push'], $condition);
 279                 if (!DBA::isResult($token)) {
 280                         Logger::warning('Token not found', $condition);
 281                         return [];
 282                 }
 283                 Logger::debug('Token found', $token);
 284                 return $token;
 285         }
 286
 287         /**
 288          * Get the application record via the proved request header fields
 289          *
 290          * @param string $client_id
 291          * @param string $client_secret
 292          * @param string $redirect_uri
 293          * @return array application record
 294          */
 295         public static function getApplication(string $client_id, string $client_secret, string $redirect_uri)
 296         {
 297                 $condition = ['client_id' => $client_id];
 298                 if (!empty($client_secret)) {
 299                         $condition['client_secret'] = $client_secret;
 300                 }
 301                 if (!empty($redirect_uri)) {
 302                         $condition['redirect_uri'] = $redirect_uri;
 303                 }
 304
 305                 $application = DBA::selectFirst('application', [], $condition);
 306                 if (!DBA::isResult($application)) {
 307                         Logger::warning('Application not found', $condition);
 308                         return [];
 309                 }
 310                 return $application;
 311         }
 312
 313         /**
 314          * Check if an token for the application and user exists
 315          *
 316          * @param array $application
 317          * @param integer $uid
 318          * @return boolean
 319          */
 320         public static function existsTokenForUser(array $application, int $uid)
 321         {
 322                 return DBA::exists('application-token', ['application-id' => $application['id'], 'uid' => $uid]);
 323         }
 324
 325         /**
 326          * Fetch the token for the given application and user
 327          *
 328          * @param array $application
 329          * @param integer $uid
 330          * @return array application record
 331          */
 332         public static function getTokenForUser(array $application, int $uid)
 333         {
 334                 return DBA::selectFirst('application-token', [], ['application-id' => $application['id'], 'uid' => $uid]);
 335         }
 336
 337         /**
 338          * Create and fetch an token for the application and user
 339          *
 340          * @param array   $application
 341          * @param integer $uid
 342          * @param string  $scope
 343          * @return array application record
 344          */
 345         public static function createTokenForUser(array $application, int $uid, string $scope)
 346         {
 347                 $code         = bin2hex(random_bytes(32));
 348                 $access_token = bin2hex(random_bytes(32));
 349
 350                 $fields = ['application-id' => $application['id'], 'uid' => $uid, 'code' => $code, 'access_token' => $access_token, 'scopes' => $scope,
 351                         'read' => (stripos($scope, self::SCOPE_READ) !== false),
 352                         'write' => (stripos($scope, self::SCOPE_WRITE) !== false),
 353                         'follow' => (stripos($scope, self::SCOPE_FOLLOW) !== false),
 354                         'push' => (stripos($scope, self::SCOPE_PUSH) !== false),
 355                          'created_at' => DateTimeFormat::utcNow(DateTimeFormat::MYSQL)];
 356
 357                 foreach ([self::SCOPE_READ, self::SCOPE_WRITE, self::SCOPE_WRITE, self::SCOPE_PUSH] as $scope) {
 358                         if ($fields[$scope] && !$application[$scope]) {
 359                                 Logger::warning('Requested token scope is not allowed for the application', ['token' => $fields, 'application' => $application]);
 360                         }
 361                 }
 362
 363                 if (!DBA::insert('application-token', $fields, Database::INSERT_UPDATE)) {
 364                         return [];
 365                 }
 366
 367                 return DBA::selectFirst('application-token', [], ['application-id' => $application['id'], 'uid' => $uid]);
 368         }
 369
 370         /**
 371          * Get user info array.
 372          *
 373          * @param int|string $contact_id Contact ID or URL
 374          * @return array|bool
 375          * @throws HTTPException\BadRequestException
 376          * @throws HTTPException\InternalServerErrorException
 377          * @throws HTTPException\UnauthorizedException
 378          * @throws \ImagickException
 379          */
 380         protected static function getUser($contact_id = null)
 381         {
 382                 return api_get_user(DI::app(), $contact_id);
 383         }
 384
 385         /**
 386          * Formats the data according to the data type
 387          *
 388          * @param string $root_element
 389          * @param array $data An array with a single element containing the returned result
 390          * @return false|string
 391          */
 392         protected static function format(string $root_element, array $data)
 393         {
 394                 $return = api_format_data($root_element, self::$format, $data);
 395
 396                 switch (self::$format) {
 397                         case "xml":
 398                                 header("Content-Type: text/xml");
 399                                 break;
 400                         case "json":
 401                                 header("Content-Type: application/json");
 402                                 if (!empty($return)) {
 403                                         $json = json_encode(end($return));
 404                                         if (!empty($_GET['callback'])) {
 405                                                 $json = $_GET['callback'] . "(" . $json . ")";
 406                                         }
 407                                         $return = $json;
 408                                 }
 409                                 break;
 410                         case "rss":
 411                                 header("Content-Type: application/rss+xml");
 412                                 $return  = '<?xml version="1.0" encoding="UTF-8"?>' . "\n" . $return;
 413                                 break;
 414                         case "atom":
 415                                 header("Content-Type: application/atom+xml");
 416                                 $return = '<?xml version="1.0" encoding="UTF-8"?>' . "\n" . $return;
 417                                 break;
 418                 }
 419
 420                 return $return;
 421         }
 422
 423         /**
 424          * Creates the XML from a JSON style array
 425          *
 426          * @param $data
 427          * @param $root_element
 428          * @return string
 429          */
 430         protected static function createXml($data, $root_element)
 431         {
 432                 return api_create_xml($data, $root_element);
 433         }
 434 }