3 * @copyright Copyright (C) 2010-2022, the Friendica project
5 * @license GNU AGPL version 3 or any later version
7 * This program is free software: you can redistribute it and/or modify
8 * it under the terms of the GNU Affero General Public License as
9 * published by the Free Software Foundation, either version 3 of the
10 * License, or (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU Affero General Public License for more details.
17 * You should have received a copy of the GNU Affero General Public License
18 * along with this program. If not, see <https://www.gnu.org/licenses/>.
22 namespace Friendica\Security;
25 use Friendica\Core\Hook;
26 use Friendica\Core\Logger;
27 use Friendica\Core\Session;
28 use Friendica\Database\DBA;
30 use Friendica\Model\User;
31 use Friendica\Network\HTTPException\UnauthorizedException;
32 use Friendica\Util\DateTimeFormat;
35 * Authentification via the basic auth method
42 protected static $current_user_id = 0;
46 protected static $current_token = [];
49 * Get current user id, returns 0 if $login is set to false and not logged in.
50 * When $login is true, the execution will stop when not logged in.
52 * @param bool $login Perform a login request if "true"
56 public static function getCurrentUserID(bool $login)
58 if (empty(self::$current_user_id)) {
59 self::$current_user_id = self::getUserIdByAuth($login);
62 return (int)self::$current_user_id;
65 public static function setCurrentUserID(int $uid = null)
67 self::$current_user_id = $uid;
71 * Fetch a dummy application token
75 public static function getCurrentApplicationToken()
77 if (empty(self::getCurrentUserID(true))) {
81 //if (!empty(self::$current_token)) {
82 // return self::$current_token;
85 $source = $_REQUEST['source'] ?? '';
87 // Support for known clients that doesn't send a source name
88 if (empty($source) && !empty($_SERVER['HTTP_USER_AGENT'])) {
89 if(strpos($_SERVER['HTTP_USER_AGENT'], "Twidere") !== false) {
93 Logger::info('Unrecognized user-agent', ['http_user_agent' => $_SERVER['HTTP_USER_AGENT']]);
95 Logger::info('Empty user-agent');
102 self::$current_token = [
103 'uid' => self::$current_user_id,
107 'created_at' => DBA::NULL_DATETIME,
113 return self::$current_token;
117 * Fetch the user id via the auth header information
119 * @param boolean $do_login Perform a login request if not logged in
121 * @return integer User ID
123 private static function getUserIdByAuth(bool $do_login = true):int
126 self::$current_user_id = 0;
128 // workaround for HTTP-auth in CGI mode
129 if (!empty($_SERVER['REDIRECT_REMOTE_USER'])) {
130 $userpass = base64_decode(substr($_SERVER["REDIRECT_REMOTE_USER"], 6));
131 if (!empty($userpass) && strpos($userpass, ':')) {
132 list($name, $password) = explode(':', $userpass);
133 $_SERVER['PHP_AUTH_USER'] = $name;
134 $_SERVER['PHP_AUTH_PW'] = $password;
138 $user = $_SERVER['PHP_AUTH_USER'] ?? '';
139 $password = $_SERVER['PHP_AUTH_PW'] ?? '';
141 // allow "user@server" login (but ignore 'server' part)
142 $at = strstr($user, "@", true);
147 // next code from mod/auth.php. needs better solution
151 'username' => trim($user),
152 'password' => trim($password),
153 'authenticated' => 0,
154 'user_record' => null,
158 * An addon indicates successful login by setting 'authenticated' to non-zero value and returning a user record
159 * Addons should never set 'authenticated' except to indicate success - as hooks may be chained
160 * and later addons should not interfere with an earlier one that succeeded.
162 Hook::callAll('authenticate', $addon_auth);
164 if ($addon_auth['authenticated'] && !empty($addon_auth['user_record'])) {
165 $record = $addon_auth['user_record'];
168 $user_id = User::getIdFromPasswordAuthentication(trim($user), trim($password), true);
169 $record = DBA::selectFirst('user', [], ['uid' => $user_id]);
170 } catch (Exception $ex) {
175 if (empty($record)) {
179 Logger::debug('Access denied', ['parameters' => $_SERVER]);
180 // Checking for commandline for the tests, we have to avoid to send a header
181 if (php_sapi_name() !== 'cli') {
182 header('WWW-Authenticate: Basic realm="Friendica"');
184 throw new UnauthorizedException("This API requires login");
187 // Don't refresh the login date more often than twice a day to spare database writes
188 $login_refresh = strcmp(DateTimeFormat::utc('now - 12 hours'), $record['login_date']) > 0;
190 DI::auth()->setForUser($a, $record, false, false, $login_refresh);
192 Hook::callAll('logged_in', $record);
194 self::$current_user_id = local_user();
196 return self::$current_user_id;