X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=src%2FSecurity%2FBasicAuth.php;h=7b6a6b082502d982e0827141434a7c31df437b84;hb=0165811f09260a61af6dd947015be40df52d7b67;hp=2f47a93378dcd31e5cc3be55ede8defd41c378a2;hpb=0f0a3012806e4ba8f154d575681c9cd6a6027e14;p=friendica.git
diff --git a/src/Security/BasicAuth.php b/src/Security/BasicAuth.php
index 2f47a93378..7b6a6b0825 100644
--- a/src/Security/BasicAuth.php
+++ b/src/Security/BasicAuth.php
@@ -62,6 +62,11 @@ class BasicAuth
 return (int)self::$current_user_id;
 }
 
+ public static function setCurrentUserID(int $uid = null)
+ {
+ self::$current_user_id = $uid;
+ }
+
 /**
 * Fetch a dummy application token
 *
@@ -73,14 +78,31 @@ class BasicAuth
 return [];
 }
 
- if (!empty(self::$current_token)) {
- return self::$current_token;
+ //if (!empty(self::$current_token)) {
+ // return self::$current_token;
+ //}
+
+ $source = $_REQUEST['source'] ?? '';
+
+ // Support for known clients that doesn't send a source name
+ if (empty($source) && !empty($_SERVER['HTTP_USER_AGENT'])) {
+ if(strpos($_SERVER['HTTP_USER_AGENT'], "Twidere") !== false) {
+ $source = 'Twidere';
+ }
+
+ Logger::info('Unrecognized user-agent', ['http_user_agent' => $_SERVER['HTTP_USER_AGENT']]);
+ } else {
+ Logger::info('Empty user-agent');
+ }
+
+ if (empty($source)) {
+ $source = 'api';
 }
 
 self::$current_token = [
 'uid' => self::$current_user_id,
 'id' => 0,
- 'name' => api_source(),
+ 'name' => $source,
 'website' => '',
 'created_at' => DBA::NULL_DATETIME,
 'read' => true,
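Review bot: setCurrentUserID writes its argument straight into the cached authentication result, so any caller can make getCurrentUserID report an arbitrary user id with no credentials checked, yet the method has no docblock saying it is a test/bootstrap hook and it accepts null only through an implicit-nullable default. I would declare it as `public static function setCurrentUserID(?int $uid = null): void` and add a docblock stating that it overrides the outcome of HTTP Basic authentication and is meant only for tests or trusted bootstrap code, never for request handling. Whether any caller relies on passing null to reset the state cannot be seen here; getCurrentUserID in the context lines casts the value with (int), so null reads back as 0.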
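Review bot: The user-agent fallback logs the wrong thing in both directions: the else branch runs whenever the client did supply `$source`, so such a request is logged as 'Empty user-agent', and 'Unrecognized user-agent' is logged even after Twidere was matched. Nesting the checks so that the source test, the user-agent presence test and the Twidere match are separate levels fixes both, as below. Separately, `name` in the token now carries the raw `$_REQUEST['source']` value; api_source() is not visible here, so if it used to trim or whitelist that string that filtering is now gone, and anything that renders the token name must escape it. The commented-out cache check at the top of the hunk should either be deleted or replaced by a comment giving the reason the cache is bypassed, rather than left as dead code.
```php
// Support for known clients that doesn't send a source name
if (empty($source)) {
    if (!empty($_SERVER['HTTP_USER_AGENT'])) {
        if (strpos($_SERVER['HTTP_USER_AGENT'], "Twidere") !== false) {
            $source = 'Twidere';
        } else {
            Logger::info('Unrecognized user-agent', ['http_user_agent' => $_SERVER['HTTP_USER_AGENT']]);
        }
    } else {
        Logger::info('Empty user-agent');
    }
}
// … unchanged: default to 'api' and build self::$current_token …
```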
@@ -101,45 +123,44 @@ class BasicAuth
 private static function getUserIdByAuth(bool $do_login = true):int
 {
 $a = DI::app();
- Session::set('allow_api', false);
 self::$current_user_id = 0;
 
 // workaround for HTTP-auth in CGI mode
 if (!empty($_SERVER['REDIRECT_REMOTE_USER'])) {
 $userpass = base64_decode(substr($_SERVER["REDIRECT_REMOTE_USER"], 6));
- if (strlen($userpass)) {
+ if (!empty($userpass) && strpos($userpass, ':')) {
 list($name, $password) = explode(':', $userpass);
 $_SERVER['PHP_AUTH_USER'] = $name;
 $_SERVER['PHP_AUTH_PW'] = $password;
 }
 }
 
- $user = $_SERVER['PHP_AUTH_USER'] ?? '';
+ $user = $_SERVER['PHP_AUTH_USER'] ?? '';
 $password = $_SERVER['PHP_AUTH_PW'] ?? '';
-
+
 // allow "user@server" login (but ignore 'server' part)
 $at = strstr($user, "@", true);
 if ($at) {
 $user = $at;
 }
-
+
 // next code from mod/auth.php. needs better solution
 $record = null;
-
+
 $addon_auth = [
 'username' => trim($user),
 'password' => trim($password),
 'authenticated' => 0,
 'user_record' => null,
 ];
-
+
 /*
 * An addon indicates successful login by setting 'authenticated' to non-zero value and returning a user record
 * Addons should never set 'authenticated' except to indicate success - as hooks may be chained
 * and later addons should not interfere with an earlier one that succeeded.
 */
 Hook::callAll('authenticate', $addon_auth);
-
+
 if ($addon_auth['authenticated'] && !empty($addon_auth['user_record'])) {
 $record = $addon_auth['user_record'];
 } else {
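Review bot: The new guard tests `strpos($userpass, ':')` for truthiness, so a decoded value whose first byte is ':' (empty user name) is skipped without setting any credentials, and the unchanged `list($name, $password) = explode(':', $userpass);` on the next line still splits on every colon, so a password that contains ':' is silently truncated and the login fails with no diagnostic. I would write `if (!empty($userpass) && strpos($userpass, ':') !== false) {` and `list($name, $password) = explode(':', $userpass, 2);` so that only the first colon separates user and password. The whitespace-only `-`/`+` pairs below are fine but make the hunk harder to read; separating them into their own commit would help future blame. getUserIdByAuth continues past the end of this hunk.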
@@ -148,32 +169,30 @@ class BasicAuth
 $record = DBA::selectFirst('user', [], ['uid' => $user_id]);
 } catch (Exception $ex) {
 $record = [];
- }
+ }
 }
-
+
 if (empty($record)) {
 if (!$do_login) {
 return 0;
 }
- Logger::debug('failed', ['module' => 'api', 'action' => 'login', 'parameters' => $_SERVER]);
- header('WWW-Authenticate: Basic realm="Friendica"');
+ Logger::debug('Access denied', ['parameters' => $_SERVER]);
+ // Checking for commandline for the tests, we have to avoid to send a header
+ if (php_sapi_name() !== 'cli') {
+ header('WWW-Authenticate: Basic realm="Friendica"');
+ }
 throw new UnauthorizedException("This API requires login");
 }
-
+
 // Don't refresh the login date more often than twice a day to spare database writes
 $login_refresh = strcmp(DateTimeFormat::utc('now - 12 hours'), $record['login_date']) > 0;
-
+
 DI::auth()->setForUser($a, $record, false, false, $login_refresh);
-
- Session::set('allow_api', true);
-
- Hook::callAll('logged_in', $a->user);
-
- if (Session::get('allow_api')) {
- self::$current_user_id = local_user();
- } else {
- self::$current_user_id = 0;
- }
+
+ Hook::callAll('logged_in', $record);
+
+ self::$current_user_id = local_user();
+
 return self::$current_user_id;
- }
+ }
 }
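Review bot: The rewritten `Logger::debug('Access denied', ['parameters' => $_SERVER]);` still dumps the whole `$_SERVER` array, which at this point holds `PHP_AUTH_PW` (set from REDIRECT_REMOTE_USER a few lines earlier in this function or by the SAPI) and `REDIRECT_REMOTE_USER` itself, so every failed Basic login writes the submitted cleartext password into the debug log. Logging only what is needed to trace the failure avoids that, e.g. `Logger::debug('Access denied', ['user' => $user, 'remote_addr' => $_SERVER['REMOTE_ADDR'] ?? '']);`, with `$user` already in scope from the start of the function. The `logged_in` hook now receives `$record` (the raw user row) instead of `$a->user`; if hook consumers expect whatever setForUser derives from the record, this is a behaviour change worth a comment on that line. Replacing the old `allow_api` gate with an unconditional `local_user()` assignment presumably relies on setForUser having established the session; a one-line comment stating that assumption would help the next reader.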