public function actionApi()
{
$input = $this->_input->filter(array('redirect' => XenForo_Input::STRING, 'timestamp' => XenForo_Input::UINT, 'user_id' => XenForo_Input::STRING));
$userId = 0;
if (!empty($input['user_id']) && !empty($input['timestamp'])) {
try {
$userId = intval(bdApi_Crypt::decryptTypeOne($input['user_id'], $input['timestamp']));
} catch (XenForo_Exception $e) {
if (XenForo_Application::debugMode()) {
$this->_response->setHeader('X-Api-Exception', $e->getMessage());
}
}
}
if ($userId > 0) {
$this->_response->setHeader('X-Api-Login-User', $userId);
$this->_getUserModel()->setUserRememberCookie($userId);
XenForo_Model_Ip::log($userId, 'user', $userId, 'login_api');
$this->_getUserModel()->deleteSessionActivity(0, $this->_request->getClientIp(false));
$session = XenForo_Application::get('session');
$session->changeUserId($userId);
XenForo_Visitor::setup($userId);
}
if (empty($input['redirect'])) {
$input['redirect'] = $this->getDynamicRedirectIfNot(XenForo_Link::buildPublicLink('login'));
}
return $this->responseRedirect(XenForo_ControllerResponse_Redirect::SUCCESS, $input['redirect']);
}
public function getDynamicRedirect($fallbackUrl = false, $useReferrer = true)
{
$input = $this->_input->filter(array('redirect' => XenForo_Input::STRING, 'timestamp' => XenForo_Input::UINT, 'md5' => XenForo_Input::STRING));
if (!empty($input['md5']) && md5($input['redirect']) === bdApi_Crypt::decryptTypeOne($input['md5'], $input['timestamp'])) {
$this->_bdApi_redirect = $input['redirect'];
return $input['redirect'];
}
return parent::getDynamicRedirect($fallbackUrl, $useReferrer);
}
public static function front_controller_pre_route(XenForo_FrontController $fc)
{
// use cookie flag to change web UI interface to match requested language_id from api
$request = $fc->getRequest();
$apiLanguageId = $request->getParam('_apiLanguageId');
if (!empty($apiLanguageId) && preg_match('#^(?<timestamp>\\d+) (?<data>.+)$#', $apiLanguageId, $matches)) {
try {
$languageId = bdApi_Crypt::decryptTypeOne($matches['data'], $matches['timestamp']);
if ($languageId > 0) {
$cookiePrefix = XenForo_Application::getConfig()->get('cookie')->get('prefix');
XenForo_Helper_Cookie::setCookie('language_id', $languageId);
$_COOKIE[$cookiePrefix . 'language_id'] = $languageId;
$fc->getResponse()->setHeader('X-Api-Language', $languageId);
}
} catch (XenForo_Exception $e) {
// ignore
}
}
}
public function getDynamicRedirect($fallbackUrl = false, $useReferrer = true)
{
$input = $this->_input->filter(array('redirect' => XenForo_Input::STRING, 'timestamp' => XenForo_Input::UINT, 'md5' => XenForo_Input::STRING));
if (!empty($input['md5']) && !empty($input['timestamp']) && !empty($input['redirect'])) {
$md5 = '';
try {
$md5 = bdApi_Crypt::decryptTypeOne($input['md5'], $input['timestamp']);
} catch (XenForo_Exception $e) {
if (XenForo_Application::debugMode()) {
$this->_response->setHeader('X-Api-Exception', $e->getMessage());
}
}
if (!empty($md5) && $md5 === md5($input['redirect'])) {
$this->_bdApi_redirect = $input['redirect'];
return $input['redirect'];
}
}
return parent::getDynamicRedirect($fallbackUrl, $useReferrer);
}
public function actionPostIndex()
{
/* @var $oauth2Model bdApi_Model_OAuth2 */
$oauth2Model = $this->getModelFromCache('bdApi_Model_OAuth2');
/* @var $userConfirmationModel XenForo_Model_UserConfirmation */
$userConfirmationModel = $this->getModelFromCache('XenForo_Model_UserConfirmation');
/* @var $session bdApi_Session */
$session = XenForo_Application::getSession();
$clientId = $session->getOAuthClientId();
$clientSecret = $session->getOAuthClientSecret();
if (empty($clientId) or empty($clientSecret)) {
$clientId = $this->_input->filterSingle('client_id', XenForo_Input::STRING);
$client = $oauth2Model->getClientModel()->getClientById($clientId);
if (empty($client)) {
return $this->responseError(new XenForo_Phrase('bdapi_post_slash_users_requires_client_id'), 400);
}
$clientSecret = $client['client_secret'];
}
$input = $this->_input->filter(array('user_email' => XenForo_Input::STRING, 'username' => XenForo_Input::STRING, 'password' => XenForo_Input::STRING, 'password_algo' => XenForo_Input::STRING, 'user_dob_day' => XenForo_Input::UINT, 'user_dob_month' => XenForo_Input::UINT, 'user_dob_year' => XenForo_Input::UINT));
if (empty($input['user_email'])) {
// backward compatibility
$input['user_email'] = $this->_input->filterSingle('email', XenForo_Input::STRING);
}
$extraInput = $this->_input->filter(array('extra_data' => XenForo_Input::STRING, 'extra_timestamp' => XenForo_Input::UINT));
if (!empty($extraInput['extra_data'])) {
$extraData = bdApi_Crypt::decryptTypeOne($extraInput['extra_data'], $extraInput['extra_timestamp']);
if (!empty($extraData)) {
$extraData = @unserialize($extraData);
}
if (empty($extraData)) {
$extraData = array();
}
}
$userModel = $this->_getUserModel();
$options = XenForo_Application::getOptions();
$session = XenForo_Application::getSession();
$visitor = XenForo_Visitor::getInstance();
/* @var $writer XenForo_DataWriter_User */
$writer = XenForo_DataWriter::create('XenForo_DataWriter_User');
$registrationDefaults = $options->get('registrationDefaults');
if (!empty($registrationDefaults)) {
$writer->bulkSet($registrationDefaults, array('ignoreInvalidFields' => true));
}
$writer->set('email', $input['user_email']);
$writer->set('username', $input['username']);
$password = bdApi_Crypt::decrypt($input['password'], $input['password_algo'], $clientSecret);
if (!empty($password)) {
$writer->setPassword($password, $password);
} else {
// no password or unable to decrypt password
// create new user with no password auth scheme
$auth = XenForo_Authentication_Abstract::create('XenForo_Authentication_NoPassword');
$writer->set('scheme_class', $auth->getClassName());
$writer->set('data', $auth->generate(''), 'xf_user_authenticate');
}
if ($options->get('gravatarEnable') && XenForo_Model_Avatar::gravatarExists($input['user_email'])) {
$writer->set('gravatar', $input['user_email']);
}
$writer->set('dob_day', $input['user_dob_day']);
$writer->set('dob_month', $input['user_dob_month']);
$writer->set('dob_year', $input['user_dob_year']);
$writer->set('user_group_id', XenForo_Model_User::$defaultRegisteredGroupId);
$writer->set('language_id', XenForo_Visitor::getInstance()->get('language_id'));
$allowEmailConfirm = true;
if (!empty($extraData['user_email']) && $extraData['user_email'] == $writer->get('email')) {
// the email address has been validated by some other mean (external provider?)
// do not require email confirmation again to avoid complication
$allowEmailConfirm = false;
}
$writer->advanceRegistrationUserState($allowEmailConfirm);
if ($visitor->hasAdminPermission('user') and $session->checkScope(bdApi_Model_OAuth2::SCOPE_MANAGE_SYSTEM)) {
$writer->set('user_state', 'valid');
}
$writer->save();
$user = $writer->getMergedData();
// log the ip of the user registering
XenForo_Model_Ip::log(XenForo_Visitor::getUserId() ? XenForo_Visitor::getUserId() : $user['user_id'], 'user', $user['user_id'], 'register');
if ($user['user_state'] == 'email_confirm') {
$userConfirmationModel->sendEmailConfirmation($user);
}
if (!empty($extraData['external_provider']) && !empty($extraData['external_provider_key'])) {
/* @var $userExternalModel XenForo_Model_UserExternal */
$userExternalModel = $this->getModelFromCache('XenForo_Model_UserExternal');
$userExternalModel->updateExternalAuthAssociation($extraData['external_provider'], $extraData['external_provider_key'], $user['user_id']);
}
if (XenForo_Visitor::getUserId() == 0) {
XenForo_Visitor::setup($user['user_id']);
}
$scopes = $oauth2Model->getSystemSupportedScopes();
$scopes = bdApi_Template_Helper_Core::getInstance()->scopeJoin($scopes);
$token = $oauth2Model->getServer()->createAccessToken($clientId, $user['user_id'], $scopes);
$user = $userModel->getUserById($user['user_id'], $userModel->getFetchOptionsToPrepareApiData());
$data = array('user' => $this->_filterDataSingle($this->_getUserModel()->prepareApiDataForUser($user)), '_user' => $user, 'token' => $token);
return $this->responseData('bdApi_ViewApi_User_Single', $data);
}
public function actionAuthorize()
{
/* @var $oauth2Model bdApi_Model_OAuth2 */
$oauth2Model = $this->getModelFromCache('bdApi_Model_OAuth2');
$authorizeParams = $this->_input->filter($oauth2Model->getAuthorizeParamsInputFilter());
if ($this->_request->isPost()) {
// allow user to deny some certain scopes
// only when this is a POST request, this should keep us safe from some vectors
// of attack
$scopesIncluded = $this->_input->filterSingle('scopes_included', XenForo_Input::UINT);
$scopes = $this->_input->filterSingle('scopes', XenForo_Input::ARRAY_SIMPLE);
if (!empty($scopesIncluded)) {
$authorizeParams['scope'] = bdApi_Template_Helper_Core::getInstance()->scopeJoin($scopes);
}
}
$client = null;
$clientIsAuto = false;
if (empty($authorizeParams['client_id'])) {
// try to get the first client of user if available
$visitorClients = $this->_bdApi_getClientModel()->getClients(array('user_id' => XenForo_Visitor::getUserId()), array('limit' => 1));
if (!empty($visitorClients)) {
$randClientId = array_rand($visitorClients, 1);
$client = $visitorClients[$randClientId];
$clientIsAuto = true;
$authorizeParams['client_id'] = $client['client_id'];
// auto assign at least the READ scope
if (empty($authorizeParams['scope'])) {
$authorizeParams['scope'] = bdApi_Model_OAuth2::SCOPE_READ;
}
// reset the redirect uri to prevent security issue
$authorizeParams['redirect_uri'] = '';
// force to use implicit authentication flow2
$authorizeParams['response_type'] = 'token';
}
} else {
$client = $oauth2Model->getClientModel()->getClientById($authorizeParams['client_id']);
}
if (empty($client)) {
if (XenForo_Visitor::getInstance()->hasPermission('general', 'bdApi_clientNew')) {
return $this->responseError(new XenForo_Phrase('bdapi_authorize_no_client_create_one_question', array('link' => XenForo_Link::buildPublicLink('account/api/client-add'))), 404);
}
return $this->responseError(new XenForo_Phrase('bdapi_authorize_error_client_x_not_found', array('client' => $authorizeParams['client_id'])), 404);
}
// sondh@2013-03-19
// this is a non-standard implementation: bypass confirmation dialog if the
// client has appropriate option set
$bypassConfirmation = false;
if ($oauth2Model->getClientModel()->canAutoAuthorize($client, $authorizeParams['scope'])) {
$bypassConfirmation = true;
}
// sondh@2015-09-28
// bypass confirmation if user logged in to authorize
// this is secured by checking our encrypted time-expiring hash
$hashInput = $this->_input->filter(array('hash' => XenForo_Input::STRING, 'timestamp' => XenForo_Input::UINT));
if (!empty($hashInput['hash']) && !empty($hashInput['timestamp'])) {
try {
if (bdApi_Crypt::decryptTypeOne($hashInput['hash'], $hashInput['timestamp'])) {
$bypassConfirmation = true;
}
} catch (XenForo_Exception $e) {
if (XenForo_Application::debugMode()) {
$this->_response->setHeader('X-Api-Exception', $e->getMessage());
}
}
}
// sondh@2014-09-26
// bypass confirmation if all requested scopes have been granted at some point
// in old version of this add-on, it checked for scope from active tokens
// from now on, we look for all scopes (no expiration) for better user experience
// if a token expires, it should not invalidate all user's choices
$userScopes = $oauth2Model->getUserScopeModel()->getUserScopes($client['client_id'], XenForo_Visitor::getUserId());
$paramScopes = bdApi_Template_Helper_Core::getInstance()->scopeSplit($authorizeParams['scope']);
$paramScopesNew = array();
foreach ($paramScopes as $paramScope) {
if (!isset($userScopes[$paramScope])) {
$paramScopesNew[] = $paramScope;
}
}
if (empty($paramScopesNew)) {
$bypassConfirmation = true;
} else {
$authorizeParams['scope'] = bdApi_Template_Helper_Core::getInstance()->scopeJoin($paramScopesNew);
}
// sondh@2015-09-28
// disable bypassing confirmation for testing purpose
if ($clientIsAuto) {
$bypassConfirmation = false;
}
$response = $oauth2Model->getServer()->actionOauthAuthorize1($this, $authorizeParams);
if (is_object($response) && $response instanceof XenForo_ControllerResponse_Abstract) {
return $response;
}
if ($this->_request->isPost() || $bypassConfirmation) {
$accept = $this->_input->filterSingle('accept', XenForo_Input::STRING);
$accepted = !!$accept;
if ($bypassConfirmation) {
// sondh@2013-03-19
// of course if the dialog was bypassed, $accepted should be true
$accepted = true;
}
if ($accepted) {
// sondh@2014-09-26
// get all up to date user scopes and include in the new token
// that means client only need to ask for a scope once and they will always have
// that scope in future authorizations, even if they ask for less scope!
// making it easy for client dev, they don't need to track whether they requested
// a scope before. Just check the most recent token for that information.
$paramScopes = bdApi_Template_Helper_Core::getInstance()->scopeSplit($authorizeParams['scope']);
foreach ($userScopes as $userScope => $userScopeInfo) {
if (!in_array($userScope, $paramScopes, true)) {
$paramScopes[] = $userScope;
}
}
$paramScopes = array_unique($paramScopes);
asort($paramScopes);
$authorizeParams['scope'] = bdApi_Template_Helper_Core::getInstance()->scopeJoin($paramScopes);
}
return $oauth2Model->getServer()->actionOauthAuthorize2($this, $authorizeParams, $accepted, XenForo_Visitor::getUserId());
} else {
$viewParams = array('client' => $client, 'authorizeParams' => $authorizeParams, 'clientIsAuto' => $clientIsAuto);
return $this->_getWrapper('account', 'api', $this->responseView('bdApi_ViewPublic_Account_Authorize', 'bdapi_account_authorize', $viewParams));
}
}
