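/**
 * Perform session based authentication plus ACL authorization for the current
 * request, redirecting the user to "/" when either step fails.
 *
 * Authentication: the session must carry a "Username" and, when present, a
 * "last_access" stamp that is not older than the idle timeout. A session
 * without a "last_access" entry is not subject to the expiry check; the stamp
 * is (re)written on every call that passes authentication.
 * Authorization: the legacy ACL decides whether the session user may open
 * $_SERVER['REQUEST_URI'].
 *
 * @return bool true when the request may proceed, false after a redirect was issued
 */
public function doAuth()
{
    // idle timeout in seconds (4 hours); todo, use config timeout
    $sessionTimeout = 14400;

    if (!$this->session->has("Username")) {
        // user unknown
        $this->getLogger()->error("no active session, user not found");
        $this->response->redirect("/", true);
        return false;
    }

    $now = time();
    if ($this->session->has("last_access") && $this->session->get("last_access") < $now - $sessionTimeout) {
        // session expired: drop the authentication state before redirecting
        $this->getLogger()->error("session expired");
        $this->session->remove("Username");
        $this->session->remove("last_access");
        $this->response->redirect("/", true);
        return false;
    }
    // refresh the idle timer for the authenticated session
    $this->session->set("last_access", $now);

    // Authorization using legacy acl structure
    $username = $this->session->get("Username");
    $requestUri = $_SERVER['REQUEST_URI'];
    $acl = new ACL();
    if (!$acl->isPageAccessible($username, $requestUri)) {
        $this->getLogger()->error("uri " . $requestUri . " not accessible for user " . $username);
        $this->response->redirect("/", true);
        return false;
    }
    return true;
}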
/**
 * Before routing event.
 * Handles authentication and authorization of user requests.
 * A request carrying an Authorization header is treated as an API call
 * ("<scheme> base64(key:secret)"): the key/secret pair is verified by the
 * "Local API" authenticator, the resulting user is checked against the ACL
 * and the call is pre-validated (required parameter count, json body) so the
 * client receives a readable error instead of a failed dispatch.
 * Any other request is a UI (ajax) call, validated through the session, the
 * ACL and, for state changing methods, the csrf token headers.
 * @param Dispatcher $dispatcher
 * @return null|bool false when the request must not be executed, true for an
 *                   accepted API call, null for an accepted UI call
 */
public function beforeExecuteRoute($dispatcher)
{
    if (empty($this->request->getHeader('Authorization'))) {
        // UI ajax request: session data and ACL decide, doAuth redirects on failure
        if (!$this->doAuth()) {
            return false;
        }
        // the token pair is always checked; it is only enforced on state changing requests
        $csrf_tokenkey = $this->request->getHeader('X_CSRFTOKENKEY');
        $csrf_token = $this->request->getHeader('X_CSRFTOKEN');
        $csrf_valid = $this->security->checkToken($csrf_tokenkey, $csrf_token, false);
        $isMutation = $this->request->isPost() || $this->request->isPut() || $this->request->isDelete();
        if ($isMutation && !$csrf_valid) {
            // missing csrf, exit. Only the dispatch is stopped here, no response body is emitted.
            $this->getLogger()->error("no matching csrf found for request");
            return false;
        }
        return null;
    }

    // API request: second token of the header is base64(key:secret)
    $authHeader = explode(' ', $this->request->getHeader('Authorization'));
    $key_secret = [];
    if (count($authHeader) > 1) {
        $key_secret = explode(':', base64_decode($authHeader[1]));
    }
    if (count($key_secret) > 1) {
        $apiKey = $key_secret[0];
        $apiSecret = $key_secret[1];
        $authFactory = new AuthenticationFactory();
        $authenticator = $authFactory->get("Local API");
        if ($authenticator->authenticate($apiKey, $apiSecret)) {
            $authResult = $authenticator->getLastAuthProperties();
            // the ACL can only be consulted when the Authenticator reports a username
            if (array_key_exists('username', $authResult)) {
                $acl = new ACL();
                if ($acl->isPageAccessible($authResult['username'], $_SERVER['REQUEST_URI'])) {
                    // authentication + authorization successful.
                    // pre validate request and communicate back to the user on errors
                    $callMethodName = $dispatcher->getActionName() . 'Action';
                    // check number of parameters using reflection
                    $object_info = new \ReflectionObject($this);
                    $req_c = $object_info->getMethod($callMethodName)->getNumberOfRequiredParameters();
                    if (count($dispatcher->getParams()) < $req_c) {
                        $dispatchError = sprintf(
                            'action %s expects at least %d parameter(s)',
                            $dispatcher->getActionName(),
                            $req_c
                        );
                    } else {
                        // if body is send as json data, parse to $_POST first
                        $dispatchError = $this->parseJsonBodyData();
                    }
                    if ($dispatchError != null) {
                        // send error to client
                        $this->response->setStatusCode(400, "Bad Request");
                        $this->response->setContentType('application/json', 'UTF-8');
                        $this->response->setJsonContent(['message' => $dispatchError, 'status' => 400]);
                        $this->response->send();
                        return false;
                    }
                    return true;
                }
                $this->getLogger()->error(sprintf(
                    'uri %s not accessible for user %s using api key %s',
                    $_SERVER['REQUEST_URI'],
                    $authResult['username'],
                    $apiKey
                ));
            }
        }
    }

    // not authenticated (or not authorized): answer 401 and stop the dispatch
    $this->response->setStatusCode(401, "Unauthorized");
    $this->response->setContentType('application/json', 'UTF-8');
    $this->response->setJsonContent(['status' => 401, 'message' => 'Authentication Failed']);
    $this->response->send();
    return false;
}