AUTH OK, fix headers coors

This commit is contained in:
Gnieark 2017-04-30 17:38:07 +02:00
parent 05c416f0e8
commit c26cffc249
7 changed files with 123 additions and 29 deletions

View File

@ -0,0 +1,7 @@
<?php
global $__autoload;
$__autoload['ApiKey'] = dirname(__FILE__).'/inc/class.rest.key.php';
$__autoload['restAuth'] = dirname(__FILE__).'/inc/class.rest.auth.php';
$__autoload['RestQuery'] = dirname(__FILE__).'/inc/class.rest.query.php';
$__autoload['RestQueryGetBlogs'] = dirname(__FILE__).'/inc/class.rest.query.get.blogs.php';

View File

@ -1,7 +1,7 @@
<?php
if (!defined('DC_RC_PATH')) { return; }
$core->url->register('rest','rest','^rest(?:/(.+))?$',array('rest','getResponse'));
$core->url->register('rest','rest','^rest(?:/(.*))?$',array('rest','getResponse'));
class rest extends dcUrlHandlers
{
public static function getResponse($args)
@ -16,16 +16,33 @@ class rest extends dcUrlHandlers
//coors headers
if($core->blog->settings->rest->rest_send_cors_headers){
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: GET, POST');
header('Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept');
header('Access-Control-Allow-Methods: GET, POST, PATCH, PUT, DELETE');
header('Access-Control-Allow-Headers: Content-Type, authorization, x_dc_key');
}
header('Content-Type: application/json');
$apiKey = rest::get_api_key_sended();
if($apiKey){
$user = new restAuth($core);
;
//test:
if($user->checkUser('','',$apiKey) === false){
error_log("wrong key");
}else{
error_log($user->userID());
}
}
}
private function get_api_key_sended(){
$headers = getallheaders();
//to do: test it on nginx
$headers = apache_request_headers();
if(isset($headers['x_dc_key'])){
return $headers['x_dc_key'];
}else{

View File

@ -4,13 +4,13 @@ info:
description: Manage your(s) blogs with this API
version: "0.0.1"
# the domain of the service
host: your.blog.com
host: dotclear.localhost
# array of all schemes that your API supports
schemes:
- https
- http
# will be prefixed to all paths
# (part of plugin url)
basePath: /rest
basePath: /dotclear/index.php?rest/
produces:
- application/json
paths:
@ -20,8 +20,8 @@ paths:
parameters:
- name: x_dc_key
in: header
type: string
required: false
type: string
responses:
200:
description: array serving blogs properties

View File

@ -5,20 +5,82 @@ class restAuth extends dcAuth
# L'utilisateur n'a pas le droit de changer son mot de passe
protected $allow_pass_change = false;
# La méthode de vérification du mot de passe
public function checkUser($api_key)
/**
* Méthode de vérification de la clef d'api_key
* Remplace la méthode chekUser (id: password)
* Only use $user_key (all others parameters are for compatibility with the parent function)
* input: $user_key STRING
* output: boolean
*/
public function checkUser($user_id, $pwd = NULL, $user_key = NULL, $check_blog = true)
{
global $core;
# Si un mot de passe a été donné, nous allons le vérifier avec la
# méthode auth.login XML-RPC.
# Les opérations précédentes se sont déroulées sans erreur, nous
# pouvons maintenant appeler la méthode parente afin d'initialiser
# l'utilisateur dans l'object $core->auth
return parent::checkUser($user_id,$pwd);
//Check for the user api key
$sqlStr = " SELECT setting_id
FROM dc_setting
WHERE setting_ns='rest'
AND setting_id LIKE 'rest_key_%'
AND setting_value = md5('".$core->con->escape($user_key)."');";
try {
$rs = $core->con->select($sqlStr);
} catch (Exception $e) {
$err = $e->getMessage();
return false;
}
if ($rs->isEmpty()) {
sleep(rand(2,5));
return false;
}
//get the user ID from the previous query
$userId = explode("_", $rs->setting_id)[2];
//get USER infos
$strReq = 'SELECT user_id, user_super, user_pwd, user_change_pwd, '.
'user_name, user_firstname, user_displayname, user_email, '.
'user_url, user_default_blog, user_options, '.
'user_lang, user_tz, user_post_status, user_creadt, user_upddt '.
'FROM '.$this->con->escapeSystem($this->user_table).' '.
"WHERE user_id = '".$this->con->escape($userId)."'";
try {
$rs = $core->con->select($strReq);
} catch (Exception $e) {
$err = $e->getMessage();
return false;
}
if ($rs->isEmpty()) {
sleep(rand(2,5));
return false;
}
$this->user_id = $rs->user_id;
$this->user_change_pwd = (boolean) $rs->user_change_pwd;
$this->user_admin = (boolean) $rs->user_super;
$this->user_info['user_pwd'] = $rs->user_pwd;
$this->user_info['user_name'] = $rs->user_name;
$this->user_info['user_firstname'] = $rs->user_firstname;
$this->user_info['user_displayname'] = $rs->user_displayname;
$this->user_info['user_email'] = $rs->user_email;
$this->user_info['user_url'] = $rs->user_url;
$this->user_info['user_default_blog'] = $rs->user_default_blog;
$this->user_info['user_lang'] = $rs->user_lang;
$this->user_info['user_tz'] = $rs->user_tz;
$this->user_info['user_post_status'] = $rs->user_post_status;
$this->user_info['user_creadt'] = $rs->user_creadt;
$this->user_info['user_upddt'] = $rs->user_upddt;
$this->user_info['user_cn'] = dcUtils::getUserCN($rs->user_id, $rs->user_name,
$rs->user_firstname, $rs->user_displayname);
//$this->user_options = array_merge($this->core->userDefaults(),$rs->options());
$this->user_prefs = new dcPrefs($this->core,$this->user_id);
return true;
}
}

View File

@ -0,0 +1,11 @@
<?php
class RestQueryGetBlogs
{
public function __construct($apiKey){
}
}

View File

@ -5,11 +5,16 @@ class RestQuery{
public $response_message; //array
private $queryObj;
public function __construct($httpMethod,$params){
public function __construct($httpMethod,$args,$apiKey = ''){
//définir la methode API (pas HTML) appelée
switch($httpMethod){
case "get":
if($args='blogs'){
}
break;
case "post":
@ -107,14 +112,6 @@ class RestQuery{
}
}
class QueryGetBlogs extends RestQuery
{
}
class QueryPostBlogs extends RestQuery
{
}
//etc...

View File

@ -2,7 +2,7 @@
if (!defined('DC_CONTEXT_ADMIN')) { return; }
require_once(dirname(__FILE__).'/inc/class.rest.key.php');
$apiKey = new ApiKey;
// Setting default parameters if missing configuration