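 /**
  * perform authentication, redirect user on non successful auth
  *
  * Checks, in order, that a "Username" is present in the session, that the session (when it carries a
  * "last_access" timestamp) has not been idle longer than the timeout, and that the legacy ACL grants
  * the session user access to the request uri. Every failed check is logged, redirects the client to
  * "/" and returns false; an expired session additionally has its "Username" and "last_access" keys
  * removed. On success "last_access" is refreshed to the current time before the ACL check.
  *
  * @return bool true when the session user may access $_SERVER['REQUEST_URI'], false otherwise
  */
 public function doAuth()
 {
     // idle timeout in seconds (todo, use config timeout)
     $sessionTimeout = 14400;
     if (!$this->session->has("Username")) {
         // user unknown
         $this->getLogger()->error("no active session, user not found");
         $this->response->redirect("/", true);
         return false;
     }
     if ($this->session->has("last_access") && $this->session->get("last_access") < time() - $sessionTimeout) {
         // session expired, cleanup session data so a fresh login is required
         $this->getLogger()->error("session expired");
         $this->session->remove("Username");
         $this->session->remove("last_access");
         $this->response->redirect("/", true);
         return false;
     }
     $this->session->set("last_access", time());
     // Authorization using legacy acl structure
     $username = $this->session->get("Username");
     $requestUri = $_SERVER['REQUEST_URI'];
     $acl = new ACL();
     if (!$acl->isPageAccessible($username, $requestUri)) {
         $this->getLogger()->error("uri " . $requestUri . " not accessible for user " . $username);
         $this->response->redirect("/", true);
         return false;
     }
     return true;
 }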
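 /**
  * before routing event.
  * Handles authentication and authorization of user requests
  * In case of API calls, also prevalidates if request can be executed to return a more readable response
  * to the user.
  *
  * With an Authorization header the request is treated as an API call: the second space separated part
  * of the header is base64 decoded into "key:secret" and verified by the "Local API" authenticator,
  * after which the legacy ACL must grant the returned username access to the request uri. Any failure
  * in that chain answers 401 (json) and returns false. A validated API call is then prevalidated: too
  * few dispatcher parameters for the action, or an error from parseJsonBodyData(), answer 400 (json)
  * and return false; otherwise true is returned.
  * Without an Authorization header the session based doAuth() applies, followed by a csrf token check
  * for POST, PUT and DELETE requests. A failing check returns false without sending a response; a
  * passing UI request returns null.
  *
  * @param Dispatcher $dispatcher
  * @return null|bool
  */
 public function beforeExecuteRoute($dispatcher)
 {
     $authorization = $this->request->getHeader('Authorization');
     if (empty($authorization)) {
         // handle UI ajax requests, use session data and ACL to validate request.
         if (!$this->doAuth()) {
             return false;
         }
         // check for valid csrf on post requests (third argument false: validate without destroying the token)
         $csrf_tokenkey = $this->request->getHeader('X_CSRFTOKENKEY');
         $csrf_token = $this->request->getHeader('X_CSRFTOKEN');
         $csrf_valid = $this->security->checkToken($csrf_tokenkey, $csrf_token, false);
         $isStateChanging = $this->request->isPost() || $this->request->isPut() || $this->request->isDelete();
         if ($isStateChanging && !$csrf_valid) {
             // missing csrf, exit.
             $this->getLogger()->error("no matching csrf found for request");
             return false;
         }
         return null;
     }

     // Authorization header sent, handle API request
     $requestUri = $_SERVER['REQUEST_URI'];
     $authHeader = explode(' ', $authorization);
     if (count($authHeader) > 1) {
         // "<scheme> base64(key:secret)"; split on the first ':' only so a secret containing ':' stays intact
         $key_secret = explode(':', base64_decode($authHeader[1]), 2);
         if (count($key_secret) > 1) {
             [$apiKey, $apiSecret] = $key_secret;
             $authFactory = new AuthenticationFactory();
             $authenticator = $authFactory->get("Local API");
             if ($authenticator->authenticate($apiKey, $apiSecret)) {
                 $authResult = $authenticator->getLastAuthProperties();
                 // check ACL only if a username is returned by the Authenticator object
                 if (array_key_exists('username', $authResult)) {
                     $username = $authResult['username'];
                     $acl = new ACL();
                     if (!$acl->isPageAccessible($username, $requestUri)) {
                         $this->getLogger()->error("uri " . $requestUri . " not accessible for user " . $username . " using api key " . $apiKey);
                     } else {
                         // authentication + authorization successful.
                         // pre validate request and communicate back to the user on errors
                         $actionName = $dispatcher->getActionName();
                         // check number of parameters using reflection
                         // NOTE(review): getMethod() throws ReflectionException when the action method does
                         // not exist; this assumes the dispatcher verified the action beforehand - confirm
                         $object_info = new \ReflectionObject($this);
                         $req_c = $object_info->getMethod($actionName . 'Action')->getNumberOfRequiredParameters();
                         if ($req_c > count($dispatcher->getParams())) {
                             $dispatchError = 'action ' . $actionName . ' expects at least ' . $req_c . ' parameter(s)';
                         } else {
                             // if body is sent as json data, parse to $_POST first
                             $dispatchError = $this->parseJsonBodyData();
                         }
                         // parseJsonBodyData() is expected to return null (or an empty string) on success
                         if ($dispatchError !== null && $dispatchError !== '') {
                             // send error to client
                             $this->response->setStatusCode(400, "Bad Request");
                             $this->response->setContentType('application/json', 'UTF-8');
                             $this->response->setJsonContent(['message' => $dispatchError, 'status' => 400]);
                             $this->response->send();
                             return false;
                         }
                         return true;
                     }
                 }
             }
         }
     }
     // not authenticated or not authorized; the same generic answer is given for both
     $this->response->setStatusCode(401, "Unauthorized");
     $this->response->setContentType('application/json', 'UTF-8');
     $this->response->setJsonContent(['status' => 401, 'message' => 'Authentication Failed']);
     $this->response->send();
     return false;
 }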