AUTH OK, fix headers coors

7 years ago · c26cffc249
parent 05c416f0e8
commit c26cffc249
7 changed files with 123 additions and 29 deletions
--- a/_prepend.php
+++ b/_prepend.php
@ -0,0 +1,7 @@
+<?php
+global $__autoload;
+
+$__autoload['ApiKey'] = dirname(__FILE__).'/inc/class.rest.key.php';
+$__autoload['restAuth'] = dirname(__FILE__).'/inc/class.rest.auth.php';
+$__autoload['RestQuery'] = dirname(__FILE__).'/inc/class.rest.query.php';
+$__autoload['RestQueryGetBlogs'] = dirname(__FILE__).'/inc/class.rest.query.get.blogs.php';
--- a/_public.php
+++ b/_public.php
@ -1,7 +1,7 @@
 <?php
 if (!defined('DC_RC_PATH')) { return; }

-$core->url->register('rest','rest','^rest(?:/(.+))?$',array('rest','getResponse'));
+$core->url->register('rest','rest','^rest(?:/(.*))?$',array('rest','getResponse'));
 class rest extends dcUrlHandlers
 {
 	public static function getResponse($args)
@ -16,16 +16,33 @@ class rest extends dcUrlHandlers
 		//coors headers
 		if($core->blog->settings->rest->rest_send_cors_headers){
 			header('Access-Control-Allow-Origin: *');
-			header('Access-Control-Allow-Methods: GET, POST'); 
-			header('Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept');
+			header('Access-Control-Allow-Methods: GET, POST, PATCH, PUT, DELETE'); 
+			header('Access-Control-Allow-Headers: Content-Type, authorization, x_dc_key');
 		}
 		header('Content-Type: application/json');
 		
+		$apiKey = rest::get_api_key_sended();
 	
-	
-	
+		if($apiKey){
+			$user = new restAuth($core);
+			;
+			
+			
+			//test:
+			if($user->checkUser('','',$apiKey) === false){
+				error_log("wrong key");
+				
+			}else{
+				error_log($user->userID());
+			}
+			
+		
+		
+		}
+	}
 	private function get_api_key_sended(){
-		$headers = getallheaders();
+		//to do: test it on nginx
+		$headers = apache_request_headers();
 		if(isset($headers['x_dc_key'])){
 			return $headers['x_dc_key'];
 		}else{
--- a/documentation/definition.yaml
+++ b/documentation/definition.yaml
@ -4,13 +4,13 @@ info:
  description: Manage your(s) blogs with this API
  version: "0.0.1"
 # the domain of the service
-host: your.blog.com
+host: dotclear.localhost
 # array of all schemes that your API supports
 schemes:
-  - https
+  - http
 # will be prefixed to all paths
 # (part of plugin url)
-basePath: /rest
+basePath: /dotclear/index.php?rest/
 produces:
  - application/json
 paths:
@ -20,8 +20,8 @@ paths:
      parameters:
        - name: x_dc_key
          in: header
-          type: string
          required: false
+          type: string
      responses:
        200:
          description: array serving blogs properties
--- a/inc/class.rest.auth.php
+++ b/inc/class.rest.auth.php
@ -5,20 +5,82 @@ class restAuth extends dcAuth
 	# L'utilisateur n'a pas le droit de changer son mot de passe
 	protected $allow_pass_change = false;
 
-	# La méthode de vérification du mot de passe
-	public function checkUser($api_key)
+	/**
+	* Méthode de vérification de la clef d'api_key
+	* Remplace la méthode chekUser (id: password)
+	* Only use $user_key (all others parameters are for compatibility with the parent function)
+	* input: $user_key STRING
+	* output: boolean
+	*/
+	
+	public function checkUser($user_id, $pwd = NULL, $user_key = NULL, $check_blog = true) 
 	{
+	
+		global $core;

- 
-		# Si un mot de passe a été donné, nous allons le vérifier avec la
-		# méthode auth.login XML-RPC.
+		//Check for the user api key
+		$sqlStr = "	SELECT setting_id 
+								FROM dc_setting 
+								WHERE setting_ns='rest'
+								AND setting_id LIKE 'rest_key_%'
+								AND setting_value = md5('".$core->con->escape($user_key)."');";
+								
+		try {
+			$rs = $core->con->select($sqlStr);
+		} catch (Exception $e) {
+			$err = $e->getMessage();
+			return false;
+		}
+
+		if ($rs->isEmpty()) {
+			sleep(rand(2,5));
+			return false;
+		}

+		//get the user ID from the previous query
+		$userId = explode("_", $rs->setting_id)[2];
+		
+		//get USER infos
+		
+		$strReq = 'SELECT user_id, user_super, user_pwd, user_change_pwd, '.
+		'user_name, user_firstname, user_displayname, user_email, '.
+		'user_url, user_default_blog, user_options, '.
+		'user_lang, user_tz, user_post_status, user_creadt, user_upddt '.
+		'FROM '.$this->con->escapeSystem($this->user_table).' '.
+		"WHERE user_id = '".$this->con->escape($userId)."'";
+		
+		try {
+			$rs = $core->con->select($strReq);
+		} catch (Exception $e) {
+			$err = $e->getMessage();
+			return false;
+		}

-			# Les opérations précédentes se sont déroulées sans erreur, nous
-			# pouvons maintenant appeler la méthode parente afin d'initialiser
-			# l'utilisateur dans l'object $core->auth
-			return parent::checkUser($user_id,$pwd);
+		if ($rs->isEmpty()) {
+			sleep(rand(2,5));
+			return false;
+		}
 		

+		$this->user_id = $rs->user_id;
+		$this->user_change_pwd = (boolean) $rs->user_change_pwd;
+		$this->user_admin = (boolean) $rs->user_super;
+		$this->user_info['user_pwd'] = $rs->user_pwd;
+		$this->user_info['user_name'] = $rs->user_name;
+		$this->user_info['user_firstname'] = $rs->user_firstname;
+		$this->user_info['user_displayname'] = $rs->user_displayname;
+		$this->user_info['user_email'] = $rs->user_email;
+		$this->user_info['user_url'] = $rs->user_url;
+		$this->user_info['user_default_blog'] = $rs->user_default_blog;
+		$this->user_info['user_lang'] = $rs->user_lang;
+		$this->user_info['user_tz'] = $rs->user_tz;
+		$this->user_info['user_post_status'] = $rs->user_post_status;
+		$this->user_info['user_creadt'] = $rs->user_creadt;
+		$this->user_info['user_upddt'] = $rs->user_upddt;
+		$this->user_info['user_cn'] = dcUtils::getUserCN($rs->user_id, $rs->user_name,
+		$rs->user_firstname, $rs->user_displayname);
+		//$this->user_options = array_merge($this->core->userDefaults(),$rs->options());
+		$this->user_prefs = new dcPrefs($this->core,$this->user_id);		
+		return true;
 	}
 }
--- a/inc/class.rest.query.get.blogs.php
+++ b/inc/class.rest.query.get.blogs.php
@ -0,0 +1,11 @@
+<?php
+
+class RestQueryGetBlogs
+{
+	public function __construct($apiKey){
+	
+	
+	}
+
+
+}
--- a/inc/class.rest.query.php
+++ b/inc/class.rest.query.php
@ -5,11 +5,16 @@ class RestQuery{
 	public $response_message; //array
 	private $queryObj;
 	
-	public function __construct($httpMethod,$params){
+	public function __construct($httpMethod,$args,$apiKey = ''){
 	
 		//définir la methode API (pas HTML) appelée
 		switch($httpMethod){
 			case "get":
+				if($args='blogs'){
+					
+				
+				}
+			
 			
 				break;
 			case "post":
@ -107,14 +112,6 @@ class RestQuery{
 	}


-}
-class QueryGetBlogs extends RestQuery
-{
-
-}
-class QueryPostBlogs extends RestQuery
-{
-
 }

 //etc...
--- a/index.php
+++ b/index.php
@ -2,7 +2,7 @@

 if (!defined('DC_CONTEXT_ADMIN')) { return; }

-require_once(dirname(__FILE__).'/inc/class.rest.key.php');
+
 $apiKey = new ApiKey;

 // Setting default parameters if missing configuration