/* If the user ID doesn't exist deny them */
if (!$GLOBALS['user']->id && !AmpConfig::get('demo_mode')) {
Auth::logout(session_id());
exit;
}
/* Load preferences and theme */
$GLOBALS['user']->update_last_seen();
} elseif (!AmpConfig::get('use_auth')) {
$auth['success'] = 1;
$auth['username'] = '******';
$auth['fullname'] = "Ampache User";
$auth['id'] = -1;
$auth['offset_limit'] = 50;
$auth['access'] = AmpConfig::get('default_auth_level') ? User::access_name_to_level(AmpConfig::get('default_auth_level')) : '100';
if (!Session::exists('interface', $_COOKIE[AmpConfig::get('session_name')])) {
Session::create_cookie();
Session::create($auth);
Session::check();
$GLOBALS['user'] = new User($auth['username']);
$GLOBALS['user']->username = $auth['username'];
$GLOBALS['user']->fullname = $auth['fullname'];
$GLOBALS['user']->access = $auth['access'];
} else {
Session::check();
if ($_SESSION['userdata']['username']) {
$GLOBALS['user'] = User::get_from_username($_SESSION['userdata']['username']);
} else {
$GLOBALS['user'] = new User($auth['username']);
$GLOBALS['user']->id = '-1';
$GLOBALS['user']->username = $auth['username'];
$GLOBALS['user']->fullname = $auth['fullname'];
public static function auth_user()
{
$isLocal = self::is_local();
$headers = apache_request_headers();
$myplex_token = $headers['X-Plex-Token'];
if (empty($myplex_token)) {
$myplex_token = $_REQUEST['X-Plex-Token'];
}
if (!$isLocal) {
$match_users = AmpConfig::get('plex_match_email');
$myplex_username = $headers['X-Plex-Username'];
if (empty($myplex_token)) {
// Never fail OPTIONS requests
if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') {
self::setPlexHeader($headers);
exit;
} else {
debug_event('Access Control', 'Authentication token is missing.', '3');
self::createError(401);
}
}
$createSession = false;
Session::gc();
$username = "";
$email = trim(Session::read((string) $myplex_token));
if (empty($email)) {
$createSession = true;
$xml = self::get_server_authtokens();
$validToken = false;
foreach ($xml->access_token as $tk) {
if ((string) $tk['token'] == $myplex_token) {
$username = (string) $tk['username'];
// We should apply filter and access restriction to shared sections only, but that's not easily possible with current Ampache architecture
$validToken = true;
break;
}
}
if (!$validToken) {
debug_event('Access Control', 'Auth-Token ' . $myplex_token . ' invalid for this server.', '3');
self::createError(401);
}
}
// Need to get a match between Plex and Ampache users
if ($match_users) {
if (!AmpConfig::get('access_control')) {
debug_event('Access Control', 'Error Attempted to use Plex with Access Control turned off and plex/ampache link enabled.', '3');
self::createError(401);
}
if (empty($email)) {
$xml = self::get_users_account();
if ((string) $xml->username == $username) {
$email = (string) $xml->email;
} else {
$xml = self::get_server_friends();
foreach ($xml->User as $xuser) {
if ((string) $xuser['username'] == $username) {
$email = (string) $xuser['email'];
}
}
}
}
if (!empty($email)) {
$user = User::get_from_email($email);
}
if (!isset($user) || !$user->id) {
debug_event('Access Denied', 'Unable to get an Ampache user match for email ' . $email, '3');
self::createError(401);
} else {
$username = $user->username;
if (!Access::check_network('init-api', $username, 5)) {
debug_event('Access Denied', 'Unauthorized access attempt to Plex [' . $_SERVER['REMOTE_ADDR'] . ']', '3');
self::createError(401);
} else {
$GLOBALS['user'] = $user;
$GLOBALS['user']->load_playlist();
}
}
} else {
$email = $username;
$username = null;
$GLOBALS['user'] = new User();
$GLOBALS['user']->load_playlist();
}
if ($createSession) {
// Create an Ampache session from Plex authtoken
Session::create(array('type' => 'api', 'sid' => $myplex_token, 'username' => $username, 'value' => $email));
}
} else {
AmpConfig::set('cookie_path', '/', true);
$sid = $_COOKIE[AmpConfig::get('session_name')];
if (!$sid) {
$sid = $myplex_token;
if ($sid) {
session_id($sid);
Session::create_cookie();
}
}
if (!empty($sid) && Session::exists('api', $sid)) {
Session::check();
$GLOBALS['user'] = User::get_from_username($_SESSION['userdata']['username']);
} else {
$GLOBALS['user'] = new User();
$data = array('type' => 'api', 'sid' => $sid);
Session::create($data);
Session::check();
}
$GLOBALS['user']->load_playlist();
}
}
public static function auth_remember()
{
$auth = false;
$cname = AmpConfig::get('session_name') . '_remember';
if (isset($_COOKIE[$cname])) {
list($username, $token, $mac) = explode(':', $_COOKIE[$cname]);
if ($mac === hash_hmac('sha256', $username . ':' . $token, AmpConfig::get('secret_key'))) {
$sql = "SELECT * FROM `session_remember` WHERE `username` = ? AND `token` = ? AND `expire` >= ?";
$db_results = Dba::read($sql, array($username, $token, time()));
if (Dba::num_rows($db_results) > 0) {
Session::create_cookie();
self::create(array('type' => 'mysql', 'username' => $username));
$_SESSION['userdata']['username'] = $username;
$auth = true;
}
}
}
return $auth;
}
