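function api_auth_oauth2_has_auth(&$method, $key_row = null) {

	# Authenticate an API request with an OAuth2 access token and resolve
	# the token row, the API key it is bound to and (usually) its user.
	#
	# $method is the API method definition; only 'requires_perms' is read
	# here and nothing is written to it in this function. $key_row is
	# accepted for signature compatibility but is ignored: the key is
	# always re-derived from the token row, so a caller can not pair a
	# token with an arbitrary key.
	#
	# Returns array('ok' => 1, 'access_token' => ..., 'api_key' => ..., 'user' => ...)
	# on success ('user' may be null for a permitted user-less token), or
	# array('ok' => 0, 'error' => ..., 'error_code' => ...) on failure.

	$access_token = api_auth_oauth2_get_access_token($method);

	if (!$access_token) {
		return array('ok' => 0, 'error' => 'Required access token missing', 'error_code' => 400);
	}

	$token_row = api_oauth2_access_tokens_get_by_token($access_token);

	if (!$token_row) {
		return array('ok' => 0, 'error' => 'Invalid access token', 'error_code' => 400);
	}

	if ($token_row['disabled']) {
		return array('ok' => 0, 'error' => 'Access token is disabled', 'error_code' => 502);
	}

	# A falsy 'expires' means the token never expires
	if ($token_row['expires'] && $token_row['expires'] < time()) {
		return array('ok' => 0, 'error' => 'Access token has expired', 'error_code' => 400);
	}

	# I find it singularly annoying that we have to do this here
	# but OAuth gets what [redacted] wants. See also: notes in
	# lib_api.php around ln 65 (20121026/straup)

	$key_row = api_keys_get_by_id($token_row['api_key_id']);
	$rsp = api_keys_utils_is_valid_key($key_row);

	if (!$rsp['ok']) {
		return $rsp;
	}

	if (isset($method['requires_perms']) && $token_row['perms'] < $method['requires_perms']) {

		$perms_map = api_oauth2_access_tokens_permissions_map();
		$required = $method['requires_perms'];

		# Fall back to the raw permission level when the map has no label
		# for it, rather than reading an undefined index into the message
		if (isset($perms_map[$required])) {
			$required = $perms_map[$required];
		}

		return array('ok' => 0, 'error' => "Insufficient permissions, method requires a token with '{$required}' permissions", 'error_code' => 403);
	}

	# Ensure user-iness - this may seem like a no-brainer until you think
	# about how the site itself uses the API in the absence of a logged-in
	# user (20130508/straup)
	#
	# A user-less token is only let through when the feature is on AND the
	# token's key carries one of the configured roles; anything else still
	# has to resolve to a live user below.

	$ensure_user = 1;
	$user = null;

	if (!$token_row['user_id'] && $key_row && features_is_enabled("api_oauth2_tokens_null_users")) {

		$key_role_id = (int) $key_row['role_id'];
		$roles_map = api_keys_roles_map('string keys');

		$valid_roles = array();

		if (isset($GLOBALS['cfg']['api_oauth2_tokens_null_users_allowed_roles']) && is_array($GLOBALS['cfg']['api_oauth2_tokens_null_users_allowed_roles'])) {
			$valid_roles = $GLOBALS['cfg']['api_oauth2_tokens_null_users_allowed_roles'];
		}

		# Compare role ids as ints on both sides so the membership test
		# can be strict (DB rows tend to hand back strings)
		$valid_roles_ids = array();

		foreach ($valid_roles as $role) {
			if (isset($roles_map[$role])) {
				$valid_roles_ids[] = (int) $roles_map[$role];
			}
		}

		$ensure_user = ($key_role_id && in_array($key_role_id, $valid_roles_ids, true)) ? 0 : 1;
	}

	if ($ensure_user) {

		$user = users_get_by_id($token_row['user_id']);

		if (!$user || $user['deleted']) {
			return array('ok' => 0, 'error' => 'Not a valid user', 'error_code' => 400);
		}
	}

	return array('ok' => 1, 'access_token' => $token_row, 'api_key' => $key_row, 'user' => $user);
}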
function api_auth_oauth2_has_auth(&$method, $key_row = null) {

	# Authenticate an API call with an OAuth2 access token and resolve the
	# token row, its API key and (usually) its user. $method is the method
	# definition; only its 'requires_perms' entry is consulted here and it
	# is not modified in this function. Whatever is passed as $key_row is
	# discarded - the key is looked up from the token row itself.
	#
	# Returns array('ok' => 1, ...) carrying 'access_token', 'api_key' and
	# 'user', or array('ok' => 0, 'error' => ..., 'error_code' => ...).

	$token = api_auth_oauth2_get_access_token($method);

	if (!$token) {
		return array('ok' => 0, 'error' => 'Required access token missing', 'error_code' => 400);
	}

	$token_row = api_oauth2_access_tokens_get_by_token($token);

	if (!$token_row) {
		return array('ok' => 0, 'error' => 'Invalid access token', 'error_code' => 400);
	}

	# A falsy 'expires' is treated as "never expires". NOTE(review): this
	# variant does not look at a 'disabled' flag on the token row; confirm
	# whether the schema in use here has one.
	$expires = $token_row['expires'];

	if ($expires && time() > $expires) {
		return array('ok' => 0, 'error' => 'Access token has expired', 'error_code' => 400);
	}

	# The key is (re)loaded and validated here rather than by the caller -
	# see the notes in lib_api.php around ln 65 (20121026/straup).
	$key_row = api_keys_get_by_id($token_row['api_key_id']);
	$key_check = api_keys_utils_is_valid_key($key_row);

	if (!$key_check['ok']) {
		return $key_check;
	}

	$required = isset($method['requires_perms']) ? $method['requires_perms'] : null;

	if ($required !== null && $token_row['perms'] < $required) {
		return array('ok' => 0, 'error' => 'Insufficient permissions', 'error_code' => 403);
	}

	# Normally the token must belong to a live user. With the site-keys /
	# site-tokens features on, a token that has no user_id is allowed
	# through without one - this is how the site talks to its own API when
	# nobody is logged in (20130508/straup).
	# NOTE(review): the intent is "the key is a site key", but only the
	# token's user_id is inspected; confirm upstream that user-less tokens
	# can only ever be minted for site keys.
	$user = null;
	$needs_user = 1;

	if (features_is_enabled("api_site_keys", "api_site_tokens")) {
		$needs_user = ($token_row['user_id']) ? 1 : 0;
	}

	if ($needs_user) {

		$user = users_get_by_id($token_row['user_id']);

		if (!$user || $user['deleted']) {
			return array('ok' => 0, 'error' => 'Not a valid user', 'error_code' => 400);
		}
	}

	return array('ok' => 1, 'access_token' => $token_row, 'api_key' => $key_row, 'user' => $user);
}
<?php

	# Page script: list the logged-in user's OAuth2 access tokens (one page
	# at a time) along with the application/API key each token belongs to,
	# then render page_api_oauth2_tokens.txt.

	include "include/init.php";

	loadlib("api_keys");
	loadlib("api_oauth2_access_tokens");

	features_ensure_enabled("api");
	login_ensure_loggedin();

	# Optional paging argument; only forwarded when it parses as an int32
	$args = array();
	$page = get_int32("page");

	if ($page) {
		$args['page'] = $page;
	}

	$rsp = api_oauth2_access_tokens_for_user($GLOBALS['cfg']['user'], $args);

	# Decorate every token row with its owning API key ("app")
	$tokens = array();

	foreach ($rsp['rows'] as $token) {
		$token['app'] = api_keys_get_by_id($token['api_key_id']);
		$tokens[] = $token;
	}

	$perms_map = api_oauth2_access_tokens_permissions_map();

	$GLOBALS['smarty']->assign_by_ref("tokens", $tokens);
	$GLOBALS['smarty']->assign_by_ref("permissions", $perms_map);
	$GLOBALS['smarty']->display("page_api_oauth2_tokens.txt");

	exit;
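function api_oauth2_access_tokens_fetch_site_token($user = null) {

	# Return a usable "site" access token for $user (or the anonymous site
	# token when $user is null). An existing token is thrown away and a
	# fresh one minted when the token, or the API key it belongs to, is
	# missing, deleted, expired, or within 5 minutes of expiring.
	#
	# Returns the token row, or null if api_oauth2_access_tokens_create_site_token
	# did not hand back a 'token'.

	$now = time();
	$site_token = api_oauth2_access_tokens_get_site_token($user);

	if ($site_token && !_api_oauth2_access_tokens_site_token_is_usable($site_token, $now)) {

		# TO DO: error handling / reporting
		api_oauth2_access_tokens_delete($site_token);

		$user_id = $user ? $user['id'] : 0;
		$cache_key = "oauth2_access_token_site_{$user_id}";
		cache_unset($cache_key);

		$site_token = null;
	}

	# TO DO: error handling / reporting
	if (!$site_token) {
		$rsp = api_oauth2_access_tokens_create_site_token($user);
		$site_token = isset($rsp['token']) ? $rsp['token'] : null;
	}

	return $site_token;
}

function _api_oauth2_access_tokens_site_token_is_usable($site_token, $now) {

	# Decide whether an existing site token can still be handed out at
	# time $now. Both the token and its API key must exist and keep at
	# least $min_ttl seconds of life, so a caller is not given a token
	# that dies moments later. Returns 1 (usable) or 0 (discard).

	$min_ttl = 300;

	$key = api_keys_get_by_id($site_token['api_key_id']);

	if (!$key || $key['deleted']) {
		return 0;
	}

	# A falsy key 'expires' means the key does not expire. Previously a
	# non-expiring key fell through to "expires - now", produced a large
	# negative TTL and caused the site token to be discarded and re-minted
	# on every call.
	if ($key['expires'] && ($key['expires'] - $now) < $min_ttl) {
		return 0;
	}

	# Site tokens always carry an expiry; a missing/zero one counts as expired
	if (($site_token['expires'] - $now) < $min_ttl) {
		return 0;
	}

	return 1;
}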