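 /**
  * Check that this token is either a user token or the
  * site's API token, and auth the current request for that user if so.
  *
  * The token is taken from the Authorization header ("Bearer <token>") when
  * present, otherwise from the access_token request parameter. It is first
  * resolved as a per-user token via Token::findUserForToken(); failing that,
  * it is compared against the API key of the site's admin account.
  *
  * @return \Idno\Entities\User|false user on success, false otherwise
  */
 private static function authenticate()
 {
     $token = null;
     $headers = \Idno\Common\Page::getallheaders();
     if (!empty($headers['Authorization'])) {
         // Strip the "Bearer" scheme; whatever remains (trimmed) is the token.
         $token = trim(str_replace('Bearer', '', $headers['Authorization']));
     } elseif ($token = \Idno\Core\Input::getInput('access_token')) {
         $token = trim($token);
     }
     if (empty($token)) {
         return false;
     }

     // Per-user token?
     $found = Token::findUserForToken($token);
     if (!empty($found)) {
         \Idno\Core\Idno::site()->session()->setIsAPIRequest(true);
         $user = $found['user'];
         \Idno\Core\Idno::site()->session()->refreshSessionUser($user);
         return $user;
     }

     // Site-wide API key: it belongs to the admin account. Guard against there
     // being no admin user (getOne() returning nothing) before dereferencing.
     $user = \Idno\Entities\User::getOne(array('admin' => true));
     if (!empty($user)) {
         $key = (string) $user->getAPIkey();
         // Constant-time comparison. The previous loose '==' was both
         // timing-dependent and subject to PHP's numeric-string coercion;
         // an empty key must never match.
         if ($key !== '' && hash_equals($key, (string) $token)) {
             \Idno\Core\Idno::site()->session()->setIsAPIRequest(true);
             \Idno\Core\Idno::site()->session()->refreshSessionUser($user);
             return $user;
         }
     }
     return false;
 }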
 /**
  * Populate the configuration with defaults, then apply the ini files and
  * derive the multitenant database name and the plugin list from them.
  */
 function init()
 {
     // Load the config.ini file in the root folder, if it exists.
     // If not, we'll use default values. No skin off our nose.
     $this->path = dirname(dirname(dirname(__FILE__))); // Base path

     // A naive default base URL.
     // NOTE(review): SERVER_NAME can mirror the client's Host header on some web
     // server configurations (e.g. Apache with UseCanonicalName Off) -- confirm
     // the server sets it canonically, since it feeds $this->url and $this->host.
     $scheme = \Idno\Common\Page::isSSL() ? 'https://' : 'http://';
     $this->url = $scheme . $_SERVER['SERVER_NAME'] . '/';

     $this->title = 'New Known site';                          // A default name for the site
     $this->description = 'A social website powered by Known'; // Default description
     $this->timezone = 'UTC';
     $this->host = parse_url($this->url, PHP_URL_HOST);        // The site hostname, without parameters etc
     $this->feed = $this->url . '?_t=rss';
     $this->indieweb_citation = false;
     $this->indieweb_reference = false;
     $this->known_hub = false;

     $this->loadIniFiles();

     if ($this->multitenant) {
         $fallback_dbname = $this->dbname;
         $this->host = str_replace('www.', '', $this->host);
         //$this->sessionname = preg_replace('/[^\da-z]/i', '', $this->host);
         // Derive the database name from the hostname, keeping only characters
         // that are safe in a database identifier.
         $tenant_dbname = preg_replace('/[^0-9a-z\\.\\-\\_]/i', '', $this->host);
         // Known now defaults to not including periods in database names for multitenant installs. Add
         // 'multitenant_periods = true' if you wish to override this.
         if (empty($this->multitenant_periods)) {
             $tenant_dbname = str_replace('.', '_', $tenant_dbname);
         }
         // An empty derived name falls back to the configured one.
         $this->dbname = empty($tenant_dbname) ? $fallback_dbname : $tenant_dbname;
     }

     // initial_plugins are appended to default_plugins (or become them).
     if (!empty($this->initial_plugins)) {
         $this->default_plugins = empty($this->default_plugins)
             ? $this->initial_plugins
             : array_merge($this->default_plugins, $this->initial_plugins);
     }
     if (!empty($this->default_plugins)) {
         $this->plugins = $this->default_plugins;
     }

     date_default_timezone_set($this->timezone);
     //setlocale(LC_ALL, 'en_US.UTF8');
 }
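 /**
  * Populate the configuration with defaults, then overlay config.ini from
  * the site root when it is present and readable.
  */
 function init()
 {
     // Load the config.ini file in the root folder, if it exists.
     // If not, we'll use default values. No skin off our nose.
     // @TODO override settings from the database
     $this->path = dirname(dirname(dirname(__FILE__)));
     // Base path
     // NOTE(review): SERVER_NAME can mirror the client's Host header on some web
     // server configurations (e.g. Apache with UseCanonicalName Off) -- confirm
     // the server sets it canonically, since it feeds $this->url and $this->host.
     $this->url = (\Idno\Common\Page::isSSL() ? 'https://' : 'http://') . $_SERVER['SERVER_NAME'] . '/';
     // A naive default base URL
     $this->title = 'New idno site';
     // A default name for the site
     $this->timezone = 'UTC';
     $this->host = parse_url($this->url, PHP_URL_HOST);
     // The site hostname, without parameters etc

     // Check for the file explicitly instead of '@'-suppressing parse_ini_file():
     // a missing file is the expected case, but a malformed config.ini should
     // surface as a warning rather than being silently treated as absent.
     $ini_path = $this->path . '/config.ini';
     if (is_readable($ini_path)) {
         $config = parse_ini_file($ini_path);
         if (!empty($config)) {
             $this->config = array_merge($this->config, $config);
         }
     }

     date_default_timezone_set($this->timezone);
     setlocale(LC_ALL, 'en_US.UTF8');
 }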
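 /**
  * Checks HTTP request headers to see if the request has been properly
  * signed for API access, and if so, log the user on and return the user
  *
  * A request is treated as API-signed when it carries both X-Known-Username
  * and X-Known-Signature. The signature must equal
  * base64(HMAC-SHA256(REQUEST_URI, <that user's API key>)). If header
  * authentication fails or the headers are absent, the 'user/auth/api' event
  * gives plugins a chance to authenticate. An API request that is still
  * unauthenticated afterwards gets a 403 response.
  *
  * @return \Idno\Entities\User|false The logged-in user, or false otherwise
  */
 function APIlogin()
 {
     if (!empty($_SERVER['HTTP_X_KNOWN_USERNAME']) && !empty($_SERVER['HTTP_X_KNOWN_SIGNATURE'])) {
         \Idno\Core\site()->session()->setIsAPIRequest(true);
         if (!\Idno\Common\Page::isSSL() && !\Idno\Core\site()->config()->disable_cleartext_warning) {
             \Idno\Core\site()->session()->addErrorMessage("Warning: Access credentials were sent over a non-secured connection! To disable this warning set disable_cleartext_warning in your config.ini");
         }
         // API responses default to JSON unless a template type was requested.
         $t = site()->currentPage()->getInput('_t');
         if (empty($t)) {
             site()->template()->setTemplateType('json');
         }
         if ($user = \Idno\Entities\User::getByHandle($_SERVER['HTTP_X_KNOWN_USERNAME'])) {
             // Short circuit authentication, since this user is already logged in. Needed to resolve #595
             // Note: the signature is NOT verified on this path; the existing session is the credential.
             $current = \Idno\Core\site()->session()->currentUser();
             if ($current && $current->getUUID() == $user->getUUID()) {
                 return $user;
             }
             $key = (string) $user->getAPIkey();
             $hmac = trim($_SERVER['HTTP_X_KNOWN_SIGNATURE']);
             // Only REQUEST_URI is signed: method and body are not bound, so a
             // captured signature can be replayed against the same URI.
             $compare_hmac = base64_encode(hash_hmac('sha256', $_SERVER['REQUEST_URI'], $key, true));
             // Constant-time comparison; the previous '==' was timing-dependent
             // and subject to PHP numeric-string coercion. A user with no API key
             // must not be authenticatable with an HMAC under the empty key.
             if ($key !== '' && hash_equals($compare_hmac, $hmac)) {
                 \Idno\Core\site()->session()->logUserOn($user);
                 return $user;
             }
         }
     }
     // We're not logged in yet, so try and authenticate using other mechanism
     if ($return = site()->triggerEvent('user/auth/api', [], false)) {
         \Idno\Core\site()->session()->setIsAPIRequest(true);
         if (!\Idno\Common\Page::isSSL() && !\Idno\Core\site()->config()->disable_cleartext_warning) {
             \Idno\Core\site()->session()->addErrorMessage("Warning: Access credentials were sent over a non-secured connection! To disable this warning set disable_cleartext_warning in your config.ini");
         }
     }
     // If this is an API request but we're not logged in, set page response code to access denied
     if ($this->isAPIRequest() && !$return) {
         site()->currentPage()->setResponse(403);
     }
     return $return;
 }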
 /**
  * Attempt to detect your known configuration's server name.
  *
  * Preference order: a Sandstorm-supplied base path; a URL built from
  * SERVER_NAME (with a non-default SERVER_PORT and KNOWN_SUBDIRECTORY when
  * set); finally the root-relative '/' when no server name is available.
  *
  * @return string Base URL, always ending in '/'
  */
 protected function detectBaseURL()
 {
     // If Sandstorm has supplied a base URL (called a base path in their nomenclature), use this.
     // NOTE(review): this reads a hyphenated $_SERVER key, which is presumably set
     // by the Sandstorm environment rather than from a raw client header (those
     // would appear as HTTP_X_...) -- confirm against the deployment.
     $sandstorm_base = isset($_SERVER['X-Sandstorm-Base-Path']) ? $_SERVER['X-Sandstorm-Base-Path'] : '';
     if (!empty($sandstorm_base)) {
         return (substr($sandstorm_base, -1) === '/') ? $sandstorm_base : $sandstorm_base . '/';
     }

     // Otherwise, use the standard server name header
     $server_name = isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : '';
     if (empty($server_name)) {
         // No servername set, try something else
         // TODO: Detect servername using other methods (but don't use HTTP_HOST)
         // Default to root relative urls
         return '/';
     }

     // Servername specified, so we can construct things in the normal way.
     $scheme = \Idno\Common\Page::isSSL() ? 'https://' : 'http://';
     $suffix = '';
     $port = isset($_SERVER['SERVER_PORT']) ? $_SERVER['SERVER_PORT'] : '';
     if (!empty($port) && $port != 80 && $port != 443) {
         $suffix .= ':' . $port;
     }
     if (defined('KNOWN_SUBDIRECTORY')) {
         $suffix .= '/' . KNOWN_SUBDIRECTORY;
     }
     // A naive default base URL
     return $scheme . $server_name . $suffix . '/';
 }
 /**
  * Attempt to detect your known configuration's server name.
  *
  * Builds the base URL from SERVER_NAME, appending a non-default SERVER_PORT
  * and KNOWN_SUBDIRECTORY when present; returns the root-relative '/' when
  * SERVER_NAME is unavailable.
  *
  * @return string Base URL, always ending in '/'
  */
 protected function detectBaseURL()
 {
     $server_name = isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : '';
     if (empty($server_name)) {
         // No servername set, try something else
         // TODO: Detect servername using other methods (but don't use HTTP_HOST)
         // Default to root relative urls
         return '/';
     }

     // Servername specified, so we can construct things in the normal way.
     $scheme = \Idno\Common\Page::isSSL() ? 'https://' : 'http://';
     $suffix = '';
     $port = isset($_SERVER['SERVER_PORT']) ? $_SERVER['SERVER_PORT'] : '';
     if (!empty($port) && $port != 80 && $port != 443) {
         $suffix .= ':' . $port;
     }
     if (defined('KNOWN_SUBDIRECTORY')) {
         $suffix .= '/' . KNOWN_SUBDIRECTORY;
     }
     // A naive default base URL
     return $scheme . $server_name . $suffix . '/';
 }
 /**
  * Attempt to detect your known configuration's server name.
  *
  * Returns scheme + SERVER_NAME + '/' when SERVER_NAME is set, otherwise the
  * root-relative '/'.
  *
  * @return string Base URL, always ending in '/'
  */
 protected function detectBaseURL()
 {
     $server_name = isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : '';
     if (empty($server_name)) {
         // No servername set, try something else
         // TODO: Detect servername using other methods (but don't use HTTP_HOST)
         // Default to root relative urls
         return '/';
     }
     // Servername specified, so we can construct things in the normal way.
     // A naive default base URL
     $scheme = \Idno\Common\Page::isSSL() ? 'https://' : 'http://';
     return $scheme . $server_name . '/';
 }
 /**
  * Called at the beginning of each request handler, attempts to authorize the request.
  *
  * Checks HTTP request headers to see if the request has been properly
  * signed for API access.
  *
  * If this is not an API request, then check the session for the logged in user's credentials.
  *
  * Triggers "user/auth/request" to give plugins an opportunity to implement their own auth mechanism.
  * Then "user/auth/success" or "user/auth/failure" depending on if a user was found for the provided credentials.
  *
  * Order of evaluation as visible here: plugin event first; then, only if that
  * produced no user, the X-Known-Username / X-Known-Signature header pair; an
  * API request left unauthenticated is logged and answered with deniedContent().
  *
  * @return \Idno\Entities\User|false The logged-in user, or false otherwise
  */
 function tryAuthUser()
 {
     // attempt to delegate auth to a plugin (note: plugin is responsible for calling setIsAPIRequest or not)
     $return = \Idno\Core\Idno::site()->triggerEvent('user/auth/request', [], false);
     // auth standard API requests
     if (!$return && !empty($_SERVER['HTTP_X_KNOWN_USERNAME']) && !empty($_SERVER['HTTP_X_KNOWN_SIGNATURE'])) {
         \Idno\Core\Idno::site()->logging()->log("Attempting to auth via API credentials", LOGLEVEL_DEBUG);
         $this->setIsAPIRequest(true);
         // API responses default to JSON unless a template type was requested.
         $t = \Idno\Core\Idno::site()->currentPage()->getInput('_t');
         if (empty($t)) {
             \Idno\Core\Idno::site()->template()->setTemplateType('json');
         }
         if ($user = \Idno\Entities\User::getByHandle($_SERVER['HTTP_X_KNOWN_USERNAME'])) {
             // NOTE(review): the following line is garbled in this copy -- several log
             // calls and the signature check (the part that should set $return) have
             // been collapsed into one statement. Compare with the signature-verification
             // code in APIlogin(): the HMAC check there uses '==' and should be a
             // constant-time hash_equals() with a non-empty key. Verify against the
             // upstream source before relying on this listing.
             \Idno\Core\Idno::site()->logging()->log("API auth found user by username: "******"API auth verified signature for user: "******"API auth failed signature validation for user: "******"Warning: Access credentials were sent over a non-secured connection! To disable this warning set disable_cleartext_warning in your config.ini");
         }
         // If this is an API request but we're not logged in, set page response code to access denied
         if (!$return) {
             $ip = $_SERVER['REMOTE_ADDR'];
             if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
                 $proxies = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
                 // We are behind a proxy
                 // NOTE(review): X-Forwarded-For is a request header, so its first element
                 // is client-supplied unless a trusted proxy overwrites it; when no proxy
                 // is in front of this server the logged "IP" is attacker-controlled text.
                 $ip = trim($proxies[0]);
             }
             \Idno\Core\Idno::site()->logging()->log("API Login failure from {$ip}", LOGLEVEL_ERROR);
             \Idno\Core\Idno::site()->currentPage()->deniedContent();
         }
     }
     $return = \Idno\Core\Idno::site()->triggerEvent($return ? "user/auth/success" : "user/auth/failure", array("user" => $return, "is api" => $this->isAPIRequest()), $return);
     return $return;
 }
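 /**
  * Checks HTTP request headers to see if the request has been properly
  * signed for API access, and if so, log the user on and return the user
  *
  * A request is treated as API-signed when it carries both X-Known-Username
  * and X-Known-Signature. The signature must equal
  * base64(HMAC-SHA256(REQUEST_URI, <that user's API key>)). If header
  * authentication fails or the headers are absent, the 'user/auth/api' event
  * gives plugins a chance to authenticate. An API request that is still
  * unauthenticated afterwards is logged and answered with deniedContent().
  *
  * @return \Idno\Entities\User|false The logged-in user, or false otherwise
  */
 function APIlogin()
 {
     if (!empty($_SERVER['HTTP_X_KNOWN_USERNAME']) && !empty($_SERVER['HTTP_X_KNOWN_SIGNATURE'])) {
         \Idno\Core\Idno::site()->session()->setIsAPIRequest(true);
         if (!\Idno\Common\Page::isSSL() && !\Idno\Core\Idno::site()->config()->disable_cleartext_warning) {
             \Idno\Core\Idno::site()->session()->addErrorMessage("Warning: Access credentials were sent over a non-secured connection! To disable this warning set disable_cleartext_warning in your config.ini");
         }
         // API responses default to JSON unless a template type was requested.
         $t = \Idno\Core\Idno::site()->currentPage()->getInput('_t');
         if (empty($t)) {
             \Idno\Core\Idno::site()->template()->setTemplateType('json');
         }
         if ($user = \Idno\Entities\User::getByHandle($_SERVER['HTTP_X_KNOWN_USERNAME'])) {
             $key = (string) $user->getAPIkey();
             $hmac = trim($_SERVER['HTTP_X_KNOWN_SIGNATURE']);
             // The full REQUEST_URI (path and query string) is signed; method and
             // body are not bound, so a captured signature can be replayed against
             // the same URI.
             $compare_hmac = base64_encode(hash_hmac('sha256', $_SERVER['REQUEST_URI'], $key, true));
             // Constant-time comparison; the previous '==' was timing-dependent
             // and subject to PHP numeric-string coercion. A user with no API key
             // must not be authenticatable with an HMAC under the empty key.
             if ($key !== '' && hash_equals($compare_hmac, $hmac)) {
                 \Idno\Core\Idno::site()->session()->logUserOn($user);
                 return $user;
             }
         }
     }
     // We're not logged in yet, so try and authenticate using other mechanism
     if ($return = \Idno\Core\Idno::site()->triggerEvent('user/auth/api', [], false)) {
         \Idno\Core\Idno::site()->session()->setIsAPIRequest(true);
         if (!\Idno\Common\Page::isSSL() && !\Idno\Core\Idno::site()->config()->disable_cleartext_warning) {
             \Idno\Core\Idno::site()->session()->addErrorMessage("Warning: Access credentials were sent over a non-secured connection! To disable this warning set disable_cleartext_warning in your config.ini");
         }
     }
     // If this is an API request but we're not logged in, set page response code to access denied
     if ($this->isAPIRequest() && !$return) {
         $ip = $_SERVER['REMOTE_ADDR'];
         if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
             // We are behind a proxy.
             // NOTE(review): X-Forwarded-For is a request header, so its first element
             // is client-supplied unless a trusted proxy overwrites it; when no proxy
             // is in front of this server the logged "IP" is attacker-controlled text.
             $proxies = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
             $ip = trim($proxies[0]);
         }
         \Idno\Core\Idno::site()->logging()->log("API Login failure from {$ip}", LOGLEVEL_ERROR);
         //\Idno\Core\Idno::site()->triggerEvent('login/failure/api'); // Can't be used until #918 is fixed.
         \Idno\Core\Idno::site()->currentPage()->deniedContent();
     }
     return $return;
 }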