X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=src%2FModule%2FBaseApi.php;h=b6824140db632ab8b73afbff30f0042baf6af2ea;hb=35e2ae39252f6713a09c80026eeacf184f68437a;hp=015324569bcf43dc6480afd37f2e2d3194b81b2c;hpb=8a9f633ce26d4fcb74557891282572b372d5d223;p=friendica.git diff --git a/src/Module/BaseApi.php b/src/Module/BaseApi.php index 015324569b..b6824140db 100644 --- a/src/Module/BaseApi.php +++ b/src/Module/BaseApi.php @@ -1,6 +1,6 @@ getCommand(), -4) === '.xml') { - self::$format = 'xml'; - } - if (substr($arguments->getCommand(), -4) === '.rss') { - self::$format = 'rss'; - } - if (substr($arguments->getCommand(), -4) === '.atom') { - self::$format = 'atom'; - } - } + /** @var ApiResponse */ + protected $response; - public static function delete(array $parameters = []) + public function __construct(App $app, L10n $l10n, App\BaseURL $baseUrl, App\Arguments $args, LoggerInterface $logger, Profiler $profiler, ApiResponse $response, array $server, array $parameters = []) { - if (!api_user()) { - throw new HTTPException\UnauthorizedException(DI::l10n()->t('Permission denied.')); - } + parent::__construct($l10n, $baseUrl, $args, $logger, $profiler, $response, $server, $parameters); - $a = DI::app(); - - if (!empty($a->user['uid']) && $a->user['uid'] != api_user()) { - throw new HTTPException\ForbiddenException(DI::l10n()->t('Permission denied.')); - } + $this->app = $app; } - public static function patch(array $parameters = []) - { - if (!api_user()) { - throw new HTTPException\UnauthorizedException(DI::l10n()->t('Permission denied.')); - } - - $a = DI::app(); - - if (!empty($a->user['uid']) && $a->user['uid'] != api_user()) { - throw new HTTPException\ForbiddenException(DI::l10n()->t('Permission denied.')); - } - } - - public static function post(array $parameters = []) - { - if (!api_user()) { - throw new HTTPException\UnauthorizedException(DI::l10n()->t('Permission denied.')); - } - - $a = DI::app(); - - if (!empty($a->user['uid']) && $a->user['uid'] != api_user()) { - throw new HTTPException\ForbiddenException(DI::l10n()->t('Permission denied.')); - } - } - - public static function put(array $parameters = []) + /** + * Additionally checks, if the caller is permitted to do this action + * + * {@inheritDoc} + * + * @throws HTTPException\ForbiddenException + */ + public function run(array $request = [], bool $scopecheck = true): ResponseInterface { - if (!api_user()) { - throw new HTTPException\UnauthorizedException(DI::l10n()->t('Permission denied.')); + if ($scopecheck) { + switch ($this->args->getMethod()) { + case Router::DELETE: + case Router::PATCH: + case Router::POST: + case Router::PUT: + self::checkAllowedScope(self::SCOPE_WRITE); + + if (!self::getCurrentUserID()) { + throw new HTTPException\ForbiddenException($this->t('Permission denied.')); + } + break; + } } - $a = DI::app(); - - if (!empty($a->user['uid']) && $a->user['uid'] != api_user()) { - throw new HTTPException\ForbiddenException(DI::l10n()->t('Permission denied.')); - } + return parent::run($request); } /** - * Quit execution with the message that the endpoint isn't implemented + * Processes data from GET requests and sets defaults * - * @param string $method - * @return void + * @param array $defaults Associative array of expected request keys and their default typed value. A null + * value will remove the request key from the resulting value array. + * @param array $request Custom REQUEST array, superglobal instead + * @return array request data + * @throws \Exception */ - public static function unsupported(string $method = 'all') + public function getRequest(array $defaults, array $request): array { - $path = DI::args()->getQueryString(); - Logger::info('Unimplemented API call', ['method' => $method, 'path' => $path, 'agent' => $_SERVER['HTTP_USER_AGENT'] ?? '', 'request' => HTTPInputData::process()]); - $error = DI::l10n()->t('API endpoint %s %s is not implemented', strtoupper($method), $path); - $error_description = DI::l10n()->t('The API endpoint is currently not implemented but might be in the future.'); - $errorobj = new \Friendica\Object\Api\Mastodon\Error($error, $error_description); - System::jsonError(501, $errorobj->toArray()); + self::$request = $request; + self::$boundaries = []; + + unset(self::$request['pagename']); + + return $this->checkDefaults($defaults, $request); } /** - * Processes data from GET requests and sets defaults - * - * @return array request data + * Set boundaries for the "link" header + * @param array $boundaries + * @param int $id */ - public static function getRequest(array $defaults) + protected static function setBoundaries(int $id) { - $httpinput = HTTPInputData::process(); - $input = array_merge($httpinput['variables'], $httpinput['files'], $_REQUEST); - - $request = []; - - foreach ($defaults as $parameter => $defaultvalue) { - if (is_string($defaultvalue)) { - $request[$parameter] = $input[$parameter] ?? $defaultvalue; - } elseif (is_int($defaultvalue)) { - $request[$parameter] = (int)($input[$parameter] ?? $defaultvalue); - } elseif (is_float($defaultvalue)) { - $request[$parameter] = (float)($input[$parameter] ?? $defaultvalue); - } elseif (is_array($defaultvalue)) { - $request[$parameter] = $input[$parameter] ?? []; - } elseif (is_bool($defaultvalue)) { - $request[$parameter] = in_array(strtolower($input[$parameter] ?? ''), ['true', '1']); - } else { - Logger::notice('Unhandled default value type', ['parameter' => $parameter, 'type' => gettype($defaultvalue)]); - } + if (!isset(self::$boundaries['min'])) { + self::$boundaries['min'] = $id; } - foreach ($input ?? [] as $parameter => $value) { - if ($parameter == 'pagename') { - continue; - } - if (!in_array($parameter, array_keys($defaults))) { - Logger::notice('Unhandled request field', ['parameter' => $parameter, 'value' => $value, 'command' => DI::args()->getCommand()]); - } + if (!isset(self::$boundaries['max'])) { + self::$boundaries['max'] = $id; } - Logger::debug('Got request parameters', ['request' => $request, 'command' => DI::args()->getCommand()]); - return $request; + self::$boundaries['min'] = min(self::$boundaries['min'], $id); + self::$boundaries['max'] = max(self::$boundaries['max'], $id); } /** - * Log in user via OAuth1 or Simple HTTP Auth. - * - * Simple Auth allow username in form of 
user@server
, ignoring server part - * - * @param string $scope the requested scope (read, write, follow) - * - * @return bool Was a user authenticated? - * @throws HTTPException\ForbiddenException - * @throws HTTPException\UnauthorizedException - * @throws HTTPException\InternalServerErrorException - * @hook 'authenticate' - * array $addon_auth - * 'username' => username from login form - * 'password' => password from login form - * 'authenticated' => return status, - * 'user_record' => return authenticated user record + * Set the "link" header with "next" and "prev" links + * @return void */ - protected static function login(string $scope) + protected static function setLinkHeader() { - if (empty(self::$current_user_id)) { - self::$current_token = self::getTokenByBearer(); - if (!empty(self::$current_token['uid'])) { - self::$current_user_id = self::$current_token['uid']; - } else { - self::$current_user_id = 0; - } + if (empty(self::$boundaries)) { + return; } - if (!empty($scope) && !empty(self::$current_token)) { - if (empty(self::$current_token[$scope])) { - Logger::warning('The requested scope is not allowed', ['scope' => $scope, 'application' => self::$current_token]); - DI::mstdnError()->Forbidden(); - } - } + $request = self::$request; - if (empty(self::$current_user_id)) { - // The execution stops here if no one is logged in - api_login(DI::app()); - } + unset($request['min_id']); + unset($request['max_id']); + unset($request['since_id']); + + $prev_request = $next_request = $request; + + $prev_request['min_id'] = self::$boundaries['max']; + $next_request['max_id'] = self::$boundaries['min']; - self::$current_user_id = api_user(); + $command = DI::baseUrl() . '/' . DI::args()->getCommand(); - return (bool)self::$current_user_id; + $prev = $command . '?' . http_build_query($prev_request); + $next = $command . '?' . http_build_query($next_request); + + header('Link: <' . $next . '>; rel="next", <' . $prev . '>; rel="prev"'); } /** - * Get current application + * Get current application token * * @return array token */ - protected static function getCurrentApplication() + public static function getCurrentApplication() { - return self::$current_token; + $token = OAuth::getCurrentApplicationToken(); + + if (empty($token)) { + $token = BasicAuth::getCurrentApplicationToken(); + } + + return $token; } /** @@ -238,200 +187,122 @@ class BaseApi extends BaseModule * * @return int User ID */ - public static function getCurrentUserID(bool $nologin = false) + public static function getCurrentUserID() { - if (empty(self::$current_user_id)) { - self::$current_token = self::getTokenByBearer(); - if (!empty(self::$current_token['uid'])) { - self::$current_user_id = self::$current_token['uid']; - } else { - self::$current_user_id = 0; - } - } + $uid = OAuth::getCurrentUserID(); - if ($nologin) { - return (int)self::$current_user_id; + if (empty($uid)) { + $uid = BasicAuth::getCurrentUserID(false); } - if (empty(self::$current_user_id)) { - // Fetch the user id if logged in - but don't fail if not - api_login(DI::app(), false); - - self::$current_user_id = api_user(); - } - - return (int)self::$current_user_id; + return (int)$uid; } /** - * Get the user token via the Bearer token + * Check if the provided scope does exist. + * halts execution on missing scope or when not logged in. * - * @return array User Token + * @param string $scope the requested scope (read, write, follow, push) */ - private static function getTokenByBearer() + public static function checkAllowedScope(string $scope) { - $authorization = $_SERVER['HTTP_AUTHORIZATION'] ?? ''; + $token = self::getCurrentApplication(); - if (substr($authorization, 0, 7) != 'Bearer ') { - return []; + if (empty($token)) { + Logger::notice('Empty application token'); + DI::mstdnError()->Forbidden(); } - $bearer = trim(substr($authorization, 7)); - $condition = ['access_token' => $bearer]; - $token = DBA::selectFirst('application-view', ['uid', 'id', 'name', 'website', 'created_at', 'read', 'write', 'follow', 'push'], $condition); - if (!DBA::isResult($token)) { - Logger::warning('Token not found', $condition); - return []; + if (!isset($token[$scope])) { + Logger::warning('The requested scope does not exist', ['scope' => $scope, 'application' => $token]); + DI::mstdnError()->Forbidden(); + } + + if (empty($token[$scope])) { + Logger::warning('The requested scope is not allowed', ['scope' => $scope, 'application' => $token]); + DI::mstdnError()->Forbidden(); } - Logger::debug('Token found', $token); - return $token; } - /** - * Get the application record via the proved request header fields - * - * @param string $client_id - * @param string $client_secret - * @param string $redirect_uri - * @return array application record - */ - public static function getApplication(string $client_id, string $client_secret, string $redirect_uri) + public static function checkThrottleLimit() { - $condition = ['client_id' => $client_id]; - if (!empty($client_secret)) { - $condition['client_secret'] = $client_secret; - } - if (!empty($redirect_uri)) { - $condition['redirect_uri'] = $redirect_uri; + $uid = self::getCurrentUserID(); + + // Check for throttling (maximum posts per day, week and month) + $throttle_day = DI::config()->get('system', 'throttle_limit_day'); + if ($throttle_day > 0) { + $datefrom = date(DateTimeFormat::MYSQL, time() - 24*60*60); + + $condition = ["`gravity` = ? AND `uid` = ? AND `wall` AND `received` > ?", GRAVITY_PARENT, $uid, $datefrom]; + $posts_day = Post::countThread($condition); + + if ($posts_day > $throttle_day) { + Logger::info('Daily posting limit reached', ['uid' => $uid, 'posts' => $posts_day, 'limit' => $throttle_day]); + $error = DI::l10n()->t('Too Many Requests'); + $error_description = DI::l10n()->tt("Daily posting limit of %d post reached. The post was rejected.", "Daily posting limit of %d posts reached. The post was rejected.", $throttle_day); + $errorobj = new \Friendica\Object\Api\Mastodon\Error($error, $error_description); + System::jsonError(429, $errorobj->toArray()); + } } - $application = DBA::selectFirst('application', [], $condition); - if (!DBA::isResult($application)) { - Logger::warning('Application not found', $condition); - return []; + $throttle_week = DI::config()->get('system', 'throttle_limit_week'); + if ($throttle_week > 0) { + $datefrom = date(DateTimeFormat::MYSQL, time() - 24*60*60*7); + + $condition = ["`gravity` = ? AND `uid` = ? AND `wall` AND `received` > ?", GRAVITY_PARENT, $uid, $datefrom]; + $posts_week = Post::countThread($condition); + + if ($posts_week > $throttle_week) { + Logger::info('Weekly posting limit reached', ['uid' => $uid, 'posts' => $posts_week, 'limit' => $throttle_week]); + $error = DI::l10n()->t('Too Many Requests'); + $error_description = DI::l10n()->tt("Weekly posting limit of %d post reached. The post was rejected.", "Weekly posting limit of %d posts reached. The post was rejected.", $throttle_week); + $errorobj = new \Friendica\Object\Api\Mastodon\Error($error, $error_description); + System::jsonError(429, $errorobj->toArray()); + } } - return $application; - } - /** - * Check if an token for the application and user exists - * - * @param array $application - * @param integer $uid - * @return boolean - */ - public static function existsTokenForUser(array $application, int $uid) - { - return DBA::exists('application-token', ['application-id' => $application['id'], 'uid' => $uid]); - } + $throttle_month = DI::config()->get('system', 'throttle_limit_month'); + if ($throttle_month > 0) { + $datefrom = date(DateTimeFormat::MYSQL, time() - 24*60*60*30); - /** - * Fetch the token for the given application and user - * - * @param array $application - * @param integer $uid - * @return array application record - */ - public static function getTokenForUser(array $application, int $uid) - { - return DBA::selectFirst('application-token', [], ['application-id' => $application['id'], 'uid' => $uid]); - } + $condition = ["`gravity` = ? AND `uid` = ? AND `wall` AND `received` > ?", GRAVITY_PARENT, $uid, $datefrom]; + $posts_month = Post::countThread($condition); - /** - * Create and fetch an token for the application and user - * - * @param array $application - * @param integer $uid - * @param string $scope - * @return array application record - */ - public static function createTokenForUser(array $application, int $uid, string $scope) - { - $code = bin2hex(random_bytes(32)); - $access_token = bin2hex(random_bytes(32)); - - $fields = ['application-id' => $application['id'], 'uid' => $uid, 'code' => $code, 'access_token' => $access_token, 'scopes' => $scope, - 'read' => (stripos($scope, self::SCOPE_READ) !== false), - 'write' => (stripos($scope, self::SCOPE_WRITE) !== false), - 'follow' => (stripos($scope, self::SCOPE_FOLLOW) !== false), - 'push' => (stripos($scope, self::SCOPE_PUSH) !== false), - 'created_at' => DateTimeFormat::utcNow(DateTimeFormat::MYSQL)]; - - foreach ([self::SCOPE_READ, self::SCOPE_WRITE, self::SCOPE_WRITE, self::SCOPE_PUSH] as $scope) { - if ($fields[$scope] && !$application[$scope]) { - Logger::warning('Requested token scope is not allowed for the application', ['token' => $fields, 'application' => $application]); + if ($posts_month > $throttle_month) { + Logger::info('Monthly posting limit reached', ['uid' => $uid, 'posts' => $posts_month, 'limit' => $throttle_month]); + $error = DI::l10n()->t('Too Many Requests'); + $error_description = DI::l10n()->t("Monthly posting limit of %d post reached. The post was rejected.", "Monthly posting limit of %d posts reached. The post was rejected.", $throttle_month); + $errorobj = new \Friendica\Object\Api\Mastodon\Error($error, $error_description); + System::jsonError(429, $errorobj->toArray()); } } + } - if (!DBA::insert('application-token', $fields, Database::INSERT_UPDATE)) { - return []; + public static function getContactIDForSearchterm(string $screen_name = null, string $profileurl = null, int $cid = null, int $uid) + { + if (!empty($cid)) { + return $cid; } - return DBA::selectFirst('application-token', [], ['application-id' => $application['id'], 'uid' => $uid]); - } + if (!empty($profileurl)) { + return Contact::getIdForURL($profileurl); + } - /** - * Get user info array. - * - * @param int|string $contact_id Contact ID or URL - * @return array|bool - * @throws HTTPException\BadRequestException - * @throws HTTPException\InternalServerErrorException - * @throws HTTPException\UnauthorizedException - * @throws \ImagickException - */ - protected static function getUser($contact_id = null) - { - return api_get_user(DI::app(), $contact_id); - } + if (empty($cid) && !empty($screen_name)) { + if (strpos($screen_name, '@') !== false) { + return Contact::getIdForURL($screen_name, 0, false); + } - /** - * Formats the data according to the data type - * - * @param string $root_element - * @param array $data An array with a single element containing the returned result - * @return false|string - */ - protected static function format(string $root_element, array $data) - { - $return = api_format_data($root_element, self::$format, $data); - - switch (self::$format) { - case "xml": - header("Content-Type: text/xml"); - break; - case "json": - header("Content-Type: application/json"); - if (!empty($return)) { - $json = json_encode(end($return)); - if (!empty($_GET['callback'])) { - $json = $_GET['callback'] . "(" . $json . ")"; - } - $return = $json; - } - break; - case "rss": - header("Content-Type: application/rss+xml"); - $return = '' . "\n" . $return; - break; - case "atom": - header("Content-Type: application/atom+xml"); - $return = '' . "\n" . $return; - break; + $user = User::getByNickname($screen_name, ['uid']); + if (!empty($user['uid'])) { + return Contact::getPublicIdByUserId($user['uid']); + } } - return $return; - } + if ($uid != 0) { + return Contact::getPublicIdByUserId($uid); + } - /** - * Creates the XML from a JSON style array - * - * @param $data - * @param $root_element - * @return string - */ - protected static function createXml($data, $root_element) - { - return api_create_xml($data, $root_element); + return null; } }