public function actionApi() { $input = $this->_input->filter(array('redirect' => XenForo_Input::STRING, 'timestamp' => XenForo_Input::UINT, 'user_id' => XenForo_Input::STRING)); $userId = 0; if (!empty($input['user_id']) && !empty($input['timestamp'])) { try { $userId = intval(bdApi_Crypt::decryptTypeOne($input['user_id'], $input['timestamp'])); } catch (XenForo_Exception $e) { if (XenForo_Application::debugMode()) { $this->_response->setHeader('X-Api-Exception', $e->getMessage()); } } } if ($userId > 0) { $this->_response->setHeader('X-Api-Login-User', $userId); $this->_getUserModel()->setUserRememberCookie($userId); XenForo_Model_Ip::log($userId, 'user', $userId, 'login_api'); $this->_getUserModel()->deleteSessionActivity(0, $this->_request->getClientIp(false)); $session = XenForo_Application::get('session'); $session->changeUserId($userId); XenForo_Visitor::setup($userId); } if (empty($input['redirect'])) { $input['redirect'] = $this->getDynamicRedirectIfNot(XenForo_Link::buildPublicLink('login')); } return $this->responseRedirect(XenForo_ControllerResponse_Redirect::SUCCESS, $input['redirect']); }
public function getDynamicRedirect($fallbackUrl = false, $useReferrer = true) { $input = $this->_input->filter(array('redirect' => XenForo_Input::STRING, 'timestamp' => XenForo_Input::UINT, 'md5' => XenForo_Input::STRING)); if (!empty($input['md5']) && md5($input['redirect']) === bdApi_Crypt::decryptTypeOne($input['md5'], $input['timestamp'])) { $this->_bdApi_redirect = $input['redirect']; return $input['redirect']; } return parent::getDynamicRedirect($fallbackUrl, $useReferrer); }
public static function front_controller_pre_route(XenForo_FrontController $fc) { // use cookie flag to change web UI interface to match requested language_id from api $request = $fc->getRequest(); $apiLanguageId = $request->getParam('_apiLanguageId'); if (!empty($apiLanguageId) && preg_match('#^(?<timestamp>\\d+) (?<data>.+)$#', $apiLanguageId, $matches)) { try { $languageId = bdApi_Crypt::decryptTypeOne($matches['data'], $matches['timestamp']); if ($languageId > 0) { $cookiePrefix = XenForo_Application::getConfig()->get('cookie')->get('prefix'); XenForo_Helper_Cookie::setCookie('language_id', $languageId); $_COOKIE[$cookiePrefix . 'language_id'] = $languageId; $fc->getResponse()->setHeader('X-Api-Language', $languageId); } } catch (XenForo_Exception $e) { // ignore } } }
public function getDynamicRedirect($fallbackUrl = false, $useReferrer = true) { $input = $this->_input->filter(array('redirect' => XenForo_Input::STRING, 'timestamp' => XenForo_Input::UINT, 'md5' => XenForo_Input::STRING)); if (!empty($input['md5']) && !empty($input['timestamp']) && !empty($input['redirect'])) { $md5 = ''; try { $md5 = bdApi_Crypt::decryptTypeOne($input['md5'], $input['timestamp']); } catch (XenForo_Exception $e) { if (XenForo_Application::debugMode()) { $this->_response->setHeader('X-Api-Exception', $e->getMessage()); } } if (!empty($md5) && $md5 === md5($input['redirect'])) { $this->_bdApi_redirect = $input['redirect']; return $input['redirect']; } } return parent::getDynamicRedirect($fallbackUrl, $useReferrer); }
public function actionPostIndex() { /* @var $oauth2Model bdApi_Model_OAuth2 */ $oauth2Model = $this->getModelFromCache('bdApi_Model_OAuth2'); /* @var $userConfirmationModel XenForo_Model_UserConfirmation */ $userConfirmationModel = $this->getModelFromCache('XenForo_Model_UserConfirmation'); /* @var $session bdApi_Session */ $session = XenForo_Application::getSession(); $clientId = $session->getOAuthClientId(); $clientSecret = $session->getOAuthClientSecret(); if (empty($clientId) or empty($clientSecret)) { $clientId = $this->_input->filterSingle('client_id', XenForo_Input::STRING); $client = $oauth2Model->getClientModel()->getClientById($clientId); if (empty($client)) { return $this->responseError(new XenForo_Phrase('bdapi_post_slash_users_requires_client_id'), 400); } $clientSecret = $client['client_secret']; } $input = $this->_input->filter(array('user_email' => XenForo_Input::STRING, 'username' => XenForo_Input::STRING, 'password' => XenForo_Input::STRING, 'password_algo' => XenForo_Input::STRING, 'user_dob_day' => XenForo_Input::UINT, 'user_dob_month' => XenForo_Input::UINT, 'user_dob_year' => XenForo_Input::UINT)); if (empty($input['user_email'])) { // backward compatibility $input['user_email'] = $this->_input->filterSingle('email', XenForo_Input::STRING); } $extraInput = $this->_input->filter(array('extra_data' => XenForo_Input::STRING, 'extra_timestamp' => XenForo_Input::UINT)); if (!empty($extraInput['extra_data'])) { $extraData = bdApi_Crypt::decryptTypeOne($extraInput['extra_data'], $extraInput['extra_timestamp']); if (!empty($extraData)) { $extraData = @unserialize($extraData); } if (empty($extraData)) { $extraData = array(); } } $userModel = $this->_getUserModel(); $options = XenForo_Application::getOptions(); $session = XenForo_Application::getSession(); $visitor = XenForo_Visitor::getInstance(); /* @var $writer XenForo_DataWriter_User */ $writer = XenForo_DataWriter::create('XenForo_DataWriter_User'); $registrationDefaults = $options->get('registrationDefaults'); if (!empty($registrationDefaults)) { $writer->bulkSet($registrationDefaults, array('ignoreInvalidFields' => true)); } $writer->set('email', $input['user_email']); $writer->set('username', $input['username']); $password = bdApi_Crypt::decrypt($input['password'], $input['password_algo'], $clientSecret); if (!empty($password)) { $writer->setPassword($password, $password); } else { // no password or unable to decrypt password // create new user with no password auth scheme $auth = XenForo_Authentication_Abstract::create('XenForo_Authentication_NoPassword'); $writer->set('scheme_class', $auth->getClassName()); $writer->set('data', $auth->generate(''), 'xf_user_authenticate'); } if ($options->get('gravatarEnable') && XenForo_Model_Avatar::gravatarExists($input['user_email'])) { $writer->set('gravatar', $input['user_email']); } $writer->set('dob_day', $input['user_dob_day']); $writer->set('dob_month', $input['user_dob_month']); $writer->set('dob_year', $input['user_dob_year']); $writer->set('user_group_id', XenForo_Model_User::$defaultRegisteredGroupId); $writer->set('language_id', XenForo_Visitor::getInstance()->get('language_id')); $allowEmailConfirm = true; if (!empty($extraData['user_email']) && $extraData['user_email'] == $writer->get('email')) { // the email address has been validated by some other mean (external provider?) // do not require email confirmation again to avoid complication $allowEmailConfirm = false; } $writer->advanceRegistrationUserState($allowEmailConfirm); if ($visitor->hasAdminPermission('user') and $session->checkScope(bdApi_Model_OAuth2::SCOPE_MANAGE_SYSTEM)) { $writer->set('user_state', 'valid'); } $writer->save(); $user = $writer->getMergedData(); // log the ip of the user registering XenForo_Model_Ip::log(XenForo_Visitor::getUserId() ? XenForo_Visitor::getUserId() : $user['user_id'], 'user', $user['user_id'], 'register'); if ($user['user_state'] == 'email_confirm') { $userConfirmationModel->sendEmailConfirmation($user); } if (!empty($extraData['external_provider']) && !empty($extraData['external_provider_key'])) { /* @var $userExternalModel XenForo_Model_UserExternal */ $userExternalModel = $this->getModelFromCache('XenForo_Model_UserExternal'); $userExternalModel->updateExternalAuthAssociation($extraData['external_provider'], $extraData['external_provider_key'], $user['user_id']); } if (XenForo_Visitor::getUserId() == 0) { XenForo_Visitor::setup($user['user_id']); } $scopes = $oauth2Model->getSystemSupportedScopes(); $scopes = bdApi_Template_Helper_Core::getInstance()->scopeJoin($scopes); $token = $oauth2Model->getServer()->createAccessToken($clientId, $user['user_id'], $scopes); $user = $userModel->getUserById($user['user_id'], $userModel->getFetchOptionsToPrepareApiData()); $data = array('user' => $this->_filterDataSingle($this->_getUserModel()->prepareApiDataForUser($user)), '_user' => $user, 'token' => $token); return $this->responseData('bdApi_ViewApi_User_Single', $data); }
public function actionAuthorize() { /* @var $oauth2Model bdApi_Model_OAuth2 */ $oauth2Model = $this->getModelFromCache('bdApi_Model_OAuth2'); $authorizeParams = $this->_input->filter($oauth2Model->getAuthorizeParamsInputFilter()); if ($this->_request->isPost()) { // allow user to deny some certain scopes // only when this is a POST request, this should keep us safe from some vectors // of attack $scopesIncluded = $this->_input->filterSingle('scopes_included', XenForo_Input::UINT); $scopes = $this->_input->filterSingle('scopes', XenForo_Input::ARRAY_SIMPLE); if (!empty($scopesIncluded)) { $authorizeParams['scope'] = bdApi_Template_Helper_Core::getInstance()->scopeJoin($scopes); } } $client = null; $clientIsAuto = false; if (empty($authorizeParams['client_id'])) { // try to get the first client of user if available $visitorClients = $this->_bdApi_getClientModel()->getClients(array('user_id' => XenForo_Visitor::getUserId()), array('limit' => 1)); if (!empty($visitorClients)) { $randClientId = array_rand($visitorClients, 1); $client = $visitorClients[$randClientId]; $clientIsAuto = true; $authorizeParams['client_id'] = $client['client_id']; // auto assign at least the READ scope if (empty($authorizeParams['scope'])) { $authorizeParams['scope'] = bdApi_Model_OAuth2::SCOPE_READ; } // reset the redirect uri to prevent security issue $authorizeParams['redirect_uri'] = ''; // force to use implicit authentication flow2 $authorizeParams['response_type'] = 'token'; } } else { $client = $oauth2Model->getClientModel()->getClientById($authorizeParams['client_id']); } if (empty($client)) { if (XenForo_Visitor::getInstance()->hasPermission('general', 'bdApi_clientNew')) { return $this->responseError(new XenForo_Phrase('bdapi_authorize_no_client_create_one_question', array('link' => XenForo_Link::buildPublicLink('account/api/client-add'))), 404); } return $this->responseError(new XenForo_Phrase('bdapi_authorize_error_client_x_not_found', array('client' => $authorizeParams['client_id'])), 404); } // sondh@2013-03-19 // this is a non-standard implementation: bypass confirmation dialog if the // client has appropriate option set $bypassConfirmation = false; if ($oauth2Model->getClientModel()->canAutoAuthorize($client, $authorizeParams['scope'])) { $bypassConfirmation = true; } // sondh@2015-09-28 // bypass confirmation if user logged in to authorize // this is secured by checking our encrypted time-expiring hash $hashInput = $this->_input->filter(array('hash' => XenForo_Input::STRING, 'timestamp' => XenForo_Input::UINT)); if (!empty($hashInput['hash']) && !empty($hashInput['timestamp'])) { try { if (bdApi_Crypt::decryptTypeOne($hashInput['hash'], $hashInput['timestamp'])) { $bypassConfirmation = true; } } catch (XenForo_Exception $e) { if (XenForo_Application::debugMode()) { $this->_response->setHeader('X-Api-Exception', $e->getMessage()); } } } // sondh@2014-09-26 // bypass confirmation if all requested scopes have been granted at some point // in old version of this add-on, it checked for scope from active tokens // from now on, we look for all scopes (no expiration) for better user experience // if a token expires, it should not invalidate all user's choices $userScopes = $oauth2Model->getUserScopeModel()->getUserScopes($client['client_id'], XenForo_Visitor::getUserId()); $paramScopes = bdApi_Template_Helper_Core::getInstance()->scopeSplit($authorizeParams['scope']); $paramScopesNew = array(); foreach ($paramScopes as $paramScope) { if (!isset($userScopes[$paramScope])) { $paramScopesNew[] = $paramScope; } } if (empty($paramScopesNew)) { $bypassConfirmation = true; } else { $authorizeParams['scope'] = bdApi_Template_Helper_Core::getInstance()->scopeJoin($paramScopesNew); } // sondh@2015-09-28 // disable bypassing confirmation for testing purpose if ($clientIsAuto) { $bypassConfirmation = false; } $response = $oauth2Model->getServer()->actionOauthAuthorize1($this, $authorizeParams); if (is_object($response) && $response instanceof XenForo_ControllerResponse_Abstract) { return $response; } if ($this->_request->isPost() || $bypassConfirmation) { $accept = $this->_input->filterSingle('accept', XenForo_Input::STRING); $accepted = !!$accept; if ($bypassConfirmation) { // sondh@2013-03-19 // of course if the dialog was bypassed, $accepted should be true $accepted = true; } if ($accepted) { // sondh@2014-09-26 // get all up to date user scopes and include in the new token // that means client only need to ask for a scope once and they will always have // that scope in future authorizations, even if they ask for less scope! // making it easy for client dev, they don't need to track whether they requested // a scope before. Just check the most recent token for that information. $paramScopes = bdApi_Template_Helper_Core::getInstance()->scopeSplit($authorizeParams['scope']); foreach ($userScopes as $userScope => $userScopeInfo) { if (!in_array($userScope, $paramScopes, true)) { $paramScopes[] = $userScope; } } $paramScopes = array_unique($paramScopes); asort($paramScopes); $authorizeParams['scope'] = bdApi_Template_Helper_Core::getInstance()->scopeJoin($paramScopes); } return $oauth2Model->getServer()->actionOauthAuthorize2($this, $authorizeParams, $accepted, XenForo_Visitor::getUserId()); } else { $viewParams = array('client' => $client, 'authorizeParams' => $authorizeParams, 'clientIsAuto' => $clientIsAuto); return $this->_getWrapper('account', 'api', $this->responseView('bdApi_ViewPublic_Account_Authorize', 'bdapi_account_authorize', $viewParams)); } }