X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=src%2FSecurity%2FBasicAuth.php;h=7b6a6b082502d982e0827141434a7c31df437b84;hb=0165811f09260a61af6dd947015be40df52d7b67;hp=002ecd6eb3ca461117c944b7de8718c6cc29b8b1;hpb=acbe9ebf9e8755b90413f8b8d3dbc338ccd597e9;p=friendica.git diff --git a/src/Security/BasicAuth.php b/src/Security/BasicAuth.php index 002ecd6eb3..7b6a6b0825 100644 --- a/src/Security/BasicAuth.php +++ b/src/Security/BasicAuth.php @@ -21,8 +21,15 @@ namespace Friendica\Security; +use Exception; +use Friendica\Core\Hook; +use Friendica\Core\Logger; +use Friendica\Core\Session; use Friendica\Database\DBA; use Friendica\DI; +use Friendica\Model\User; +use Friendica\Network\HTTPException\UnauthorizedException; +use Friendica\Util\DateTimeFormat; /** * Authentification via the basic auth method @@ -38,6 +45,28 @@ class BasicAuth */ protected static $current_token = []; + /** + * Get current user id, returns 0 if $login is set to false and not logged in. + * When $login is true, the execution will stop when not logged in. + * + * @param bool $login Perform a login request if "true" + * + * @return int User ID + */ + public static function getCurrentUserID(bool $login) + { + if (empty(self::$current_user_id)) { + self::$current_user_id = self::getUserIdByAuth($login); + } + + return (int)self::$current_user_id; + } + + public static function setCurrentUserID(int $uid = null) + { + self::$current_user_id = $uid; + } + /** * Fetch a dummy application token * @@ -45,41 +74,125 @@ class BasicAuth */ public static function getCurrentApplicationToken() { - if (empty(self::getCurrentUserID())) { + if (empty(self::getCurrentUserID(true))) { return []; } - if (!empty(self::$current_token)) { - return self::$current_token; + //if (!empty(self::$current_token)) { + // return self::$current_token; + //} + + $source = $_REQUEST['source'] ?? ''; + + // Support for known clients that doesn't send a source name + if (empty($source) && !empty($_SERVER['HTTP_USER_AGENT'])) { + if(strpos($_SERVER['HTTP_USER_AGENT'], "Twidere") !== false) { + $source = 'Twidere'; + } + + Logger::info('Unrecognized user-agent', ['http_user_agent' => $_SERVER['HTTP_USER_AGENT']]); + } else { + Logger::info('Empty user-agent'); + } + + if (empty($source)) { + $source = 'api'; } self::$current_token = [ 'uid' => self::$current_user_id, 'id' => 0, - 'name' => api_source(), + 'name' => $source, 'website' => '', 'created_at' => DBA::NULL_DATETIME, 'read' => true, - 'write' => true, - 'follow' => true, + 'write' => true, + 'follow' => true, 'push' => false]; return self::$current_token; } /** - * Get current user id, returns 0 if not logged in + * Fetch the user id via the auth header information * - * @return int User ID + * @param boolean $do_login Perform a login request if not logged in + * + * @return integer User ID */ - public static function getCurrentUserID(bool $login = true) + private static function getUserIdByAuth(bool $do_login = true):int { - if (empty(self::$current_user_id)) { - api_login(DI::app(), $login); + $a = DI::app(); + self::$current_user_id = 0; - self::$current_user_id = api_user(); + // workaround for HTTP-auth in CGI mode + if (!empty($_SERVER['REDIRECT_REMOTE_USER'])) { + $userpass = base64_decode(substr($_SERVER["REDIRECT_REMOTE_USER"], 6)); + if (!empty($userpass) && strpos($userpass, ':')) { + list($name, $password) = explode(':', $userpass); + $_SERVER['PHP_AUTH_USER'] = $name; + $_SERVER['PHP_AUTH_PW'] = $password; + } } - return (int)self::$current_user_id; + $user = $_SERVER['PHP_AUTH_USER'] ?? ''; + $password = $_SERVER['PHP_AUTH_PW'] ?? ''; + + // allow "user@server" login (but ignore 'server' part) + $at = strstr($user, "@", true); + if ($at) { + $user = $at; + } + + // next code from mod/auth.php. needs better solution + $record = null; + + $addon_auth = [ + 'username' => trim($user), + 'password' => trim($password), + 'authenticated' => 0, + 'user_record' => null, + ]; + + /* + * An addon indicates successful login by setting 'authenticated' to non-zero value and returning a user record + * Addons should never set 'authenticated' except to indicate success - as hooks may be chained + * and later addons should not interfere with an earlier one that succeeded. + */ + Hook::callAll('authenticate', $addon_auth); + + if ($addon_auth['authenticated'] && !empty($addon_auth['user_record'])) { + $record = $addon_auth['user_record']; + } else { + try { + $user_id = User::getIdFromPasswordAuthentication(trim($user), trim($password), true); + $record = DBA::selectFirst('user', [], ['uid' => $user_id]); + } catch (Exception $ex) { + $record = []; + } + } + + if (empty($record)) { + if (!$do_login) { + return 0; + } + Logger::debug('Access denied', ['parameters' => $_SERVER]); + // Checking for commandline for the tests, we have to avoid to send a header + if (php_sapi_name() !== 'cli') { + header('WWW-Authenticate: Basic realm="Friendica"'); + } + throw new UnauthorizedException("This API requires login"); + } + + // Don't refresh the login date more often than twice a day to spare database writes + $login_refresh = strcmp(DateTimeFormat::utc('now - 12 hours'), $record['login_date']) > 0; + + DI::auth()->setForUser($a, $record, false, false, $login_refresh); + + Hook::callAll('logged_in', $record); + + self::$current_user_id = local_user(); + + return self::$current_user_id; } }