 /**
  * Writes the captured error into the response.
  *
  * An HttpException contributes its own status line and extra payload
  * (getData()); any other error is reported as a generic 500 with no extra
  * payload. The error's message and code are passed to the client as-is.
  */
 public function action_show()
 {
     $error = $this->error;
     $isHttpError = $error instanceof HttpException;
     $statusLine = '500 Internal Server Error';
     $extra = [];
     if ($isHttpError) {
         $statusLine = $error->getStatus();
         $extra = $error->getData();
     }
     $this->response->add_header('HTTP/1.1 ' . $statusLine);
     $body = ['message' => $error->getMessage(), 'code' => $error->getCode()];
     $this->response->body = array_merge($body, $extra);
 }
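 /**
  * Authenticates the current REST request.
  *
  * Resolution order:
  *  1. A token from the `Authorization: Token <value>` header, else from the
  *     `_token` query parameter; a user whose `rest_token` matches is set on
  *     the controller and the request proceeds.
  *  2. No token and the `auth` controller: HTTP Basic credentials are
  *     required, the user's token is (re)issued, and it is returned to the
  *     client through a status-200 HttpException.
  *  3. Otherwise the client is asked for Basic credentials.
  *
  * @throws UnauthorizedException when a token is supplied but matches no user
  * @throws HttpException          status 200, carrying the issued token
  */
 public function authenticate()
 {
     // getallheaders() returns false outside a web SAPI; treat that as no headers.
     // Header names are case-insensitive, so normalise the keys before lookup.
     $headers = array_change_key_case(getallheaders() ?: [], CASE_LOWER);
     $token = null;
     // Fetch token from headers or query string. The header is optional, so the
     // index is guarded instead of read blindly.
     $authorization = isset($headers['authorization']) ? $headers['authorization'] : '';
     if (strncmp($authorization, 'Token ', 6) === 0) {
         $parts = preg_split('/\\s+/', $authorization, 2, PREG_SPLIT_NO_EMPTY);
         // "Token " followed by nothing yields a single part; $token stays null then.
         if (isset($parts[1])) {
             $token = $parts[1];
         }
     } elseif ($this->controller->request->get('_token')) {
         $token = $this->controller->request->get('_token');
     }
     // If the token is correct, just proceed with the request.
     if ($token) {
         /** @var User $user */
         $user = $this->pixie->orm->get('User')->where('rest_token', $token)->find();
         if (!$user->loaded()) {
             throw new UnauthorizedException();
         }
         $this->controller->setUser($user);
         return;
     }
     // Else require Basic authorization from the client to obtain a token.
     if ($this->controller->request->param('controller') === 'auth') {
         /**
          * @var User $user
          * @var boolean $logged
          */
         list($user, $logged) = array_values($this->requireBasicCredentials());
         if ($logged) {
             $this->controller->setUser($user);
             if (!$user->rest_token || $this->controller->request->get('refresh')) {
                 // The token is a bearer credential, so it must be unpredictable.
                 // sha1(username . time() . SALT) is guessable by anyone who knows the
                 // username and the approximate issue time; a CSPRNG value is not.
                 // 20 random bytes hex-encoded keep the 40-character width of sha1().
                 $token = bin2hex(random_bytes(20));
                 $user->rest_token = $token;
                 $user->save();
             } else {
                 $token = $user->rest_token;
             }
             $responseException = new HttpException('Your token is established.', 200, null, 'OK');
             $responseException->setParameter('token', $token);
             throw $responseException;
         }
     }
     $this->askForBasicCredentials("Please provide your credentials using url /api/auth");
 }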
 /**
  * Adjusts the outgoing headers for JSON responses.
  *
  * Only acts when $contentType is the JSON content type: a pending exception
  * contributes a status line (an HttpException's own status, otherwise 500),
  * stored as a header key with an empty value, and Content-Type is forced to
  * application/json. Other content types pass through untouched.
  *
  * @param array  $headers     header name => value map
  * @param string $contentType negotiated content type of the response
  * @return array the (possibly extended) header map
  */
 public function filterHeaders($headers, $contentType)
 {
     if ($contentType != self::JSON_CONTENT_TYPE) {
         return $headers;
     }
     $error = $this->exception;
     if ($error) {
         $statusLine = $error instanceof \App\Exception\HttpException
             ? $error->getStatus()
             : '500 Internal Server Error';
         $headers['HTTP/1.1 ' . $statusLine] = '';
     }
     $headers['Content-Type'] = 'application/json';
     return $headers;
 }
 /**
  * Rejects request payloads that carry fields the model does not declare.
  *
  * The model's id field is never accepted from the client. When the current
  * vulnerability context is flagged for XMLExternalEntity, the whole raw
  * payload is attached to the thrown exception under `invalidFields` (and so
  * presumably reflected to the client) — deliberate, per the original comment.
  *
  * @param array $data request payload keyed by field name
  * @throws HttpException 400 listing the unexpected fields
  */
 protected function checkHasExcessFields($data)
 {
     $allowed = array_diff($this->modelFields(), [$this->model->id_field]);
     $unexpected = array_diff(array_keys($data), $allowed);
     if (!$unexpected) {
         return;
     }
     $exception = new HttpException('Remove excess fields: ' . implode(', ', $unexpected), 400, null, 'Bad Request');
     // Inject XMLExternalEntity vulnerability: echo the raw payload back on the error.
     $context = $this->pixie->vulnService->getConfig()->getCurrentContext();
     if ($context->isVulnerableTo('XMLExternalEntity')) {
         $exception->setParameter('invalidFields', $data);
     }
     throw $exception;
 }
 /**
  * Writes the captured error into the response, deciding how much to reveal.
  *
  * Status line and extra payload come from an HttpException (500 and none
  * otherwise). A stack trace is included only when:
  *  - the error is an HttpException with a code outside 100..399 and the
  *    `parameters.display_errors` setting allows it;
  *  - the error is an SQLException marked vulnerable and not blind (the
  *    message is then shown too; otherwise it is replaced by "Error");
  *  - any other error, when `parameters.display_errors` allows it.
  */
 public function action_show()
 {
     $error = $this->error;
     $isHttpError = $error instanceof HttpException;
     $statusLine = $isHttpError ? $error->getStatus() : '500 Internal Server Error';
     $extra = $isHttpError ? $error->getData() : [];
     $this->response->add_header('HTTP/1.1 ' . $statusLine);
     $displayErrors = $this->pixie->getParameter('parameters.display_errors', false);
     $message = $error->getMessage();
     $showErrors = false;
     if ($isHttpError) {
         $code = $error->getCode();
         // Informational/success/redirect codes never carry a trace.
         if ($code < 100 || $code >= 400) {
             $showErrors = $displayErrors;
         }
     } elseif ($error instanceof SQLException) {
         $revealDetails = $error->isVulnerable() && !$error->isBlind();
         $showErrors = $revealDetails;
         if (!$revealDetails) {
             // Hide the database error text from the client.
             $message = "Error";
         }
     } else {
         $showErrors = $displayErrors;
     }
     $payload = [
         'message' => $message,
         'code' => $error->getCode(),
         'trace' => $showErrors ? $error->getTraceAsString() : "",
     ];
     $this->response->body = array_merge($payload, $extra);
 }