X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=lib%2Fapiauth.php;h=8b0a3da17bb61abb449673f0a429b078588ca0fe;hb=698f5c7a20d5792b629404ce513d2fa2c2bab907;hp=431f3ac4fdbe9bcc32545ed653ef7660aa9a04f7;hpb=42a82a024a77fa1605769079dc436118a559e763;p=quix0rs-gnu-social.git diff --git a/lib/apiauth.php b/lib/apiauth.php index 431f3ac4fd..8b0a3da17b 100644 --- a/lib/apiauth.php +++ b/lib/apiauth.php @@ -29,16 +29,34 @@ * @author mEDI * @author Sarven Capadisli * @author Zach Copley - * @copyright 2009 StatusNet, Inc. + * @copyright 2009-2010 StatusNet, Inc. + * @copyright 2009 Free Software Foundation, Inc http://www.fsf.org * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0 * @link http://status.net/ */ +/* External API usage documentation. Please update when you change how this method works. */ + +/*! @page authentication Authentication + + StatusNet supports HTTP Basic Authentication and OAuth for API calls. + + @warning Currently, users who have created accounts without setting a + password via OpenID, Facebook Connect, etc., cannot use the API until + they set a password with their account settings panel. + + @section HTTP Basic Auth + + + + @section OAuth + +*/ + if (!defined('STATUSNET')) { exit(1); } -require_once INSTALLDIR . '/lib/api.php'; require_once INSTALLDIR . '/lib/apioauth.php'; /** @@ -50,127 +68,167 @@ require_once INSTALLDIR . '/lib/apioauth.php'; * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0 * @link http://status.net/ */ - class ApiAuthAction extends ApiAction { - var $access_token; - var $oauth_access_type; + var $auth_user_nickname = null; + var $auth_user_password = null; /** - * Take arguments for running, and output basic auth header if needed + * Take arguments for running, looks for an OAuth request, + * and outputs basic auth header if needed * * @param array $args $_REQUEST args * * @return boolean success flag * */ - function prepare($args) { parent::prepare($args); - if ($this->requiresAuth()) { + // NOTE: $this->auth_user has to get set in prepare(), not handle(), + // because subclasses do stuff with it in their prepares. - $this->consumer_key = $this->arg('oauth_consumer_key'); - $this->access_token = $this->arg('oauth_token'); + $oauthReq = $this->getOAuthRequest(); - if (!empty($this->access_token)) { - $this->checkOAuthRequest(); + if (!$oauthReq) { + if ($this->requiresAuth()) { + $this->checkBasicAuthUser(true); } else { - $this->checkBasicAuthUser(); + // Check to see if a basic auth user is there even + // if one's not required + $this->checkBasicAuthUser(false); + } + } else { + $this->checkOAuthRequest($oauthReq); + } + + // Reject API calls with the wrong access level + + if ($this->isReadOnly($args) == false) { + if ($this->access != self::READ_WRITE) { + // TRANS: Client error 401. + $msg = _('API resource requires read-write access, ' . + 'but you only have read access.'); + $this->clientError($msg, 401, $this->format); + exit; } } return true; } - function checkOAuthRequest() + /** + * Determine whether the request is an OAuth request. + * This is to avoid doign any unnecessary DB lookups. + * + * @return mixed the OAuthRequest or false + */ + function getOAuthRequest() { - common_debug("We have an OAuth request."); + ApiOauthAction::cleanRequest(); + + $req = OAuthRequest::from_request(); + + $consumer = $req->get_parameter('oauth_consumer_key'); + $accessToken = $req->get_parameter('oauth_token'); + + // XXX: Is it good enough to assume it's not meant to be an + // OAuth request if there is no consumer or token? --Z + + if (empty($consumer) || empty($accessToken)) { + return false; + } + + return $req; + } + /** + * Verifies the OAuth request signature, sets the auth user + * and access type (read-only or read-write) + * + * @param OAuthRequest $request the OAuth Request + * + * @return nothing + */ + function checkOAuthRequest($request) + { $datastore = new ApiStatusNetOAuthDataStore(); $server = new OAuthServer($datastore); $hmac_method = new OAuthSignatureMethod_HMAC_SHA1(); $server->add_signature_method($hmac_method); - ApiOauthAction::cleanRequest(); - try { + $server->verify_request($request); - $req = OAuthRequest::from_request(); - $server->verify_request($req); + $consumer = $request->get_parameter('oauth_consumer_key'); + $access_token = $request->get_parameter('oauth_token'); - common_debug("Good OAuth request!"); - - $app = Oauth_application::getByConsumerKey($this->consumer_key); + $app = Oauth_application::getByConsumerKey($consumer); if (empty($app)) { - - // this should really not happen - common_log(LOG_WARN, - "Couldn't find the OAuth app for consumer key: $this->consumer_key"); - - throw new OAuthException('No application for that consumer key.'); + common_log(LOG_WARNING, + 'Couldn\'t find the OAuth app for consumer key: ' . + $consumer); + // TRANS: OAuth exception thrown when no application is found for a given consumer key. + throw new OAuthException(_('No application for that consumer key.')); } - $appUser = Oauth_application_user::staticGet('token', - $this->access_token); + // set the source attr - // XXX: check that app->id and appUser->application_id and consumer all - // match? + $this->source = $app->name; - if (!empty($appUser)) { - - // read or read-write - $this->oauth_access_type = $appUser->access_type; + $appUser = Oauth_application_user::staticGet('token', $access_token); + if (!empty($appUser)) { // If access_type == 0 we have either a request token // or a bad / revoked access token - if ($this->oauth_access_type != 0) { + if ($appUser->access_type != 0) { + // Set the access level for the api call + $this->access = ($appUser->access_type & Oauth_application::$writeAccess) + ? self::READ_WRITE : self::READ_ONLY; - $this->auth_user = User::staticGet('id', $appUser->profile_id); + // Set the auth user + if (Event::handle('StartSetApiUser', array(&$user))) { + $this->auth_user = User::staticGet('id', $appUser->profile_id); + Event::handle('EndSetApiUser', array($user)); + } $msg = "API OAuth authentication for user '%s' (id: %d) on behalf of " . - "application '%s' (id: %d)."; + "application '%s' (id: %d) with %s access."; common_log(LOG_INFO, sprintf($msg, $this->auth_user->nickname, $this->auth_user->id, $app->name, - $app->id)); - return true; + $app->id, + ($this->access = self::READ_WRITE) ? + 'read-write' : 'read-only' + )); } else { - throw new OAuthException('Bad access token.'); + // TRANS: OAuth exception given when an incorrect access token was given for a user. + throw new OAuthException(_('Bad access token.')); } } else { - - // also should not happen - throw new OAuthException('No user for that token.'); - } + // Also should not happen + // TRANS: OAuth exception given when no user was found for a given token (no token was found). + throw new OAuthException(_('No user for that token.')); + } } catch (OAuthException $e) { - common_log(LOG_WARN, 'API OAuthException - ' . $e->getMessage()); - common_debug(var_export($req, true)); - $this->showOAuthError($e->getMessage()); - exit(); + common_log(LOG_WARNING, 'API OAuthException - ' . $e->getMessage()); + $this->clientError($e->getMessage(), 401, $this->format); + exit; } } - function showOAuthError($msg) - { - header('HTTP/1.1 401 Unauthorized'); - header('Content-Type: text/html; charset=utf-8'); - print $msg . "\n"; - } - /** * Does this API resource require authentication? * * @return boolean true */ - function requiresAuth() { return true; @@ -182,45 +240,57 @@ class ApiAuthAction extends ApiAction * * @return boolean true or false */ - - function checkBasicAuthUser() + function checkBasicAuthUser($required = true) { $this->basicAuthProcessHeader(); - $realm = common_config('site', 'name') . ' API'; + $realm = common_config('api', 'realm'); + + if (empty($realm)) { + $realm = common_config('site', 'name') . ' API'; + } - if (!isset($this->auth_user)) { + if (empty($this->auth_user_nickname) && $required) { header('WWW-Authenticate: Basic realm="' . $realm . '"'); // show error if the user clicks 'cancel' - - $this->showBasicAuthError(); + // TRANS: Client error thrown when authentication fails becaus a user clicked "Cancel". + $this->clientError(_("Could not authenticate you."), 401, $this->format); exit; } else { - $nickname = $this->auth_user; - $password = $this->auth_pw; - $user = common_check_user($nickname, $password); + + $user = common_check_user($this->auth_user_nickname, + $this->auth_user_password); + if (Event::handle('StartSetApiUser', array(&$user))) { - $this->auth_user = $user; + + if (!empty($user)) { + $this->auth_user = $user; + } + Event::handle('EndSetApiUser', array($user)); } - if (empty($this->auth_user)) { + // By default, basic auth users have rw access + $this->access = self::READ_WRITE; - // basic authentication failed + if (empty($this->auth_user) && ($required || isset($_SERVER['PHP_AUTH_USER']))) { + // basic authentication failed list($proxy, $ip) = common_client_ip(); - common_log( - LOG_WARNING, - 'Failed API auth attempt, nickname = ' . - "$nickname, proxy = $proxy, ip = $ip." - ); - $this->showBasicAuthError(); + + $msg = sprintf( 'Failed API auth attempt, nickname = %1$s, ' . + 'proxy = %2$s, ip = %3$s', + $this->auth_user_nickname, + $proxy, + $ip); + common_log(LOG_WARNING, $msg); + // TRANS: Client error thrown when authentication fails. + $this->clientError(_("Could not authenticate you."), 401, $this->format); exit; } } - return true; } /** @@ -229,69 +299,37 @@ class ApiAuthAction extends ApiAction * * @return void */ - function basicAuthProcessHeader() { - if (isset($_SERVER['AUTHORIZATION']) - || isset($_SERVER['HTTP_AUTHORIZATION']) - ) { - $authorization_header = isset($_SERVER['HTTP_AUTHORIZATION']) - ? $_SERVER['HTTP_AUTHORIZATION'] : $_SERVER['AUTHORIZATION']; + $authHeaders = array('AUTHORIZATION', + 'HTTP_AUTHORIZATION', + 'REDIRECT_HTTP_AUTHORIZATION'); // rewrite for CGI + $authorization_header = null; + foreach ($authHeaders as $header) { + if (isset($_SERVER[$header])) { + $authorization_header = $_SERVER[$header]; + break; + } } if (isset($_SERVER['PHP_AUTH_USER'])) { - $this->auth_user = $_SERVER['PHP_AUTH_USER']; - $this->auth_pw = $_SERVER['PHP_AUTH_PW']; + $this->auth_user_nickname = $_SERVER['PHP_AUTH_USER']; + $this->auth_user_password = $_SERVER['PHP_AUTH_PW']; } elseif (isset($authorization_header) && strstr(substr($authorization_header, 0, 5), 'Basic')) { - // decode the HTTP_AUTHORIZATION header on php-cgi server self + // Decode the HTTP_AUTHORIZATION header on php-cgi server self // on fcgid server the header name is AUTHORIZATION - $auth_hash = base64_decode(substr($authorization_header, 6)); - list($this->auth_user, $this->auth_pw) = explode(':', $auth_hash); + list($this->auth_user_nickname, + $this->auth_user_password) = explode(':', $auth_hash); - // set all to null on a empty basic auth request + // Set all to null on a empty basic auth request - if ($this->auth_user == "") { - $this->auth_user = null; - $this->auth_pw = null; + if (empty($this->auth_user_nickname)) { + $this->auth_user_nickname = null; + $this->auth_password = null; } - } else { - $this->auth_user = null; - $this->auth_pw = null; } } - - /** - * Output an authentication error message. Use XML or JSON if one - * of those formats is specified, otherwise output plain text - * - * @return void - */ - - function showBasicAuthError() - { - header('HTTP/1.1 401 Unauthorized'); - $msg = 'Could not authenticate you.'; - - if ($this->format == 'xml') { - header('Content-Type: application/xml; charset=utf-8'); - $this->startXML(); - $this->elementStart('hash'); - $this->element('error', null, $msg); - $this->element('request', null, $_SERVER['REQUEST_URI']); - $this->elementEnd('hash'); - $this->endXML(); - } elseif ($this->format == 'json') { - header('Content-Type: application/json; charset=utf-8'); - $error_array = array('error' => $msg, - 'request' => $_SERVER['REQUEST_URI']); - print(json_encode($error_array)); - } else { - header('Content-type: text/plain'); - print "$msg\n"; - } - } - }