public function authorise() { // If there's a valid session already, allow access $user_type = \Input::param('user_type') ?: 'Admin\\Model_User'; if (\CMF\Auth::logged_in(null, $user_type)) { return; } $auth = explode(' ', \Input::headers('Authorization', ' ')); $sent_key = \Arr::get($auth, 1); // Try and find a valid key $key = \CMF\Model\User\Apikey::select('item')->where('item.access_token = :key')->andWhere('item.expires_at > :now')->setParameter('key', $sent_key)->setParameter('now', new \DateTime())->getQuery()->getResult(); // Check the scope of the key, if one was found if (count($key)) { $key = $key[0]; if ($key->scope == 'api') { return; } } throw new \HttpException('Login Required', \HttpException::UNAUTHORIZED); }
/** * Prints a list of all HTTP request headers. * * @access public * @static * */ public static function headers() { // get the current request headers and dump them return static::dump(\Input::headers()); }
/** * read a cookie * * @access private * @return void */ protected function _get_cookie() { // was the cookie value posted? $cookie = \Input::post($this->config['post_cookie_name'], false); // if not found, fetch the regular cookie if ($cookie === false) { $cookie = \Cookie::get($this->config['cookie_name'], false); } // if not found, was a session-id present in the HTTP header? if ($cookie === false) { $cookie = \Input::headers($this->config['http_header_name'], false); } // if not found, check the URL for a cookie if ($cookie === false) { $cookie = \Input::get($this->config['cookie_name'], false); } if ($cookie !== false) { // fetch the payload $this->config['encrypt_cookie'] and $cookie = \Crypt::decode($cookie); $cookie = $this->_unserialize($cookie); // validate the cookie format: must be an array if (is_array($cookie)) { // cookies use nested arrays, other drivers have a string value if ($this->config['driver'] === 'cookie' and !is_array($cookie[0]) or $this->config['driver'] !== 'cookie' and !is_string($cookie[0])) { // invalid specific format logger('DEBUG', 'Error: Invalid session cookie specific format'); $cookie = false; } } elseif (is_string($cookie) and strlen($cookie) == 32) { $cookie = array($cookie); } else { logger('DEBUG', 'Error: Invalid session cookie general format'); $cookie = false; } } // and the result return $cookie; }
/** * Initializes the framework. This can only be called once. * * @access public * @return void */ public static function init($config) { if (static::$initialized) { throw new \FuelException("You can't initialize Fuel more than once."); } static::$_paths = array(APPPATH, COREPATH); // Is Fuel running on the command line? static::$is_cli = (bool) defined('STDIN'); \Config::load($config); // Disable output compression if the client doesn't support it if (static::$is_cli or !in_array('gzip', explode(', ', \Input::headers('Accept-Encoding', '')))) { \Config::set('ob_callback', null); } // Start up output buffering static::$is_cli or ob_start(\Config::get('ob_callback')); if (\Config::get('caching', false)) { \Finder::instance()->read_cache('FuelFileFinder'); } static::$profiling = \Config::get('profiling', false); static::$profiling and \Profiler::init(); // set a default timezone if one is defined try { static::$timezone = \Config::get('default_timezone') ?: date_default_timezone_get(); date_default_timezone_set(static::$timezone); } catch (\Exception $e) { date_default_timezone_set('UTC'); throw new \PHPErrorException($e->getMessage()); } static::$encoding = \Config::get('encoding', static::$encoding); MBSTRING and mb_internal_encoding(static::$encoding); static::$locale = \Config::get('locale', static::$locale); // Set locale, log warning when it fails if (static::$locale) { setlocale(LC_ALL, static::$locale) or logger(\Fuel::L_WARNING, 'The configured locale ' . static::$locale . ' is not installed on your system.', __METHOD__); } if (!static::$is_cli) { if (\Config::get('base_url') === null) { \Config::set('base_url', static::generate_base_url()); } } // Run Input Filtering \Security::clean_input(); \Event::register('fuel-shutdown', 'Fuel::finish'); // Always load classes, config & language set in always_load.php config static::always_load(); // Load in the routes \Config::load('routes', true); \Router::add(\Config::get('routes')); // BC FIX FOR APPLICATIONS <= 1.6.1, makes Redis_Db available as Redis, // like it was in versions before 1.7 class_exists('Redis', false) or class_alias('Redis_Db', 'Redis'); static::$initialized = true; // fire any app created events \Event::instance()->has_events('app_created') and \Event::instance()->trigger('app_created', '', 'none'); if (static::$profiling) { \Profiler::mark(__METHOD__ . ' End'); } }
/** * Authenticate to the desired account. * * @return boolean True if the authentication was successful, false otherwise. */ public static function authenticate() { $auth = \Input::headers('X-Authorization'); // If we're trying to run a JS call... if (empty($auth) && \V1\APIRequest::get('consumer_key', null) !== null) { // We're making a public call through JS, so we'll mark it as a reduced functionality call. \Session::set('public', true); // This session variable aids in logging and API functionality later. \Session::set('consumer_key', \V1\APIRequest::get('consumer_key')); $account_data = \V1\Model\Account::get_account(); // If the account is invalid, fail. if (empty($account_data)) { return false; } /* * If the account holder wishes to allow for JS based calls, we'll allow safe calls to run * with their API key by turning on public mode. */ if ($account_data['js_calls_allowed'] === 0) { return false; } /** * @TODO JS calls go through the client's IP, so we can't use a whitelist. * In the future, perhaps a blacklist deadicated to client IPs is in order? * If the account holder uses a whitelist, then they've just disabled their * blacklist of the client IPs. It really should be separated, but for now * it's unimplemented. */ // IP ACL if ($account_data['acl_type'] === 0 && static::ip_acl_check() === false) { return false; } // We're clear for lift off. return true; } elseif (!empty($auth)) { // Give the call full account access if we succeed in validating the request. \Session::set('public', false); // Is it an OAuth authorization header? if (\Str::sub($auth, 0, 5) !== 'OAuth') { return false; } // Parse the OAuth header into an array parse_str(\Str::sub($auth, 6, strlen($auth)), $tokens); $required_keys = array('oauth_signature', 'oauth_nonce', 'oauth_timestamp', 'oauth_consumer_key'); // This session variable aids in logging and API functionality later. if (empty($tokens['oauth_consumer_key'])) { return false; } \Session::set('consumer_key', $tokens['oauth_consumer_key']); // IP ACL if (static::ip_acl_check() === false) { return false; } // Do we have all the correct keys? if (count(array_intersect_key(array_flip($required_keys), $tokens)) !== count($required_keys)) { return false; } // Verify the data integrity of the header's components, including if the timestamp is new enough. if (!(isset($tokens['oauth_consumer_key'], $tokens['oauth_signature'], $tokens['oauth_nonce']) && static::valid_timestamp($tokens['oauth_timestamp']) === true)) { return false; } // Do we have a valid nonce? if (static::valid_nonce($tokens) === false) { return false; } // Verify that the signature matches the content. if (static::valid_signature($tokens) === false) { return false; } // If we haven't failed yet, then it's valid. return true; } return false; }