private function check_throttle($method_underscore, $request)
 {
     $app_info = application_get_info($this->app_id);
     if ($app_info['desktop']) {
         if ($throttle && ($ec = api_desktop_check_call_limit($this->app_id, $this->session_key)) !== API_EC_SUCCESS) {
             return $ec;
         }
     } else {
         if ($app_info['ip_list'] && !iplist_contains_ip($app_info['ip_list'], $_SERVER['REMOTE_ADDR'])) {
             return API_EC_BAD_IP;
         }
         // FBOPEN: NOTE - you may wish to throttle only certain methods here.
         if (($ec = api_server_check_call_limit($this->app_id)) !== API_EC_SUCCESS) {
             return $ec;
         }
     }
     return API_EC_SUCCESS;
 }
Exemple #2
0
/**
 * Validate an API request from a vendor - check that it has a valid api_key, the correct
 * signature, and that it has an active session.  Retrieve the application_id
 * and user_id associated with the request.
 *
 * @param $request The array of arguments (name=>values) passed to us (e.g. $_REQUEST).
 * To successfully validate, $message it must contain 'api_key', 'session_key', 'method', and 'sig'.
 * @param $app_id gets filled in with the appropriate application id on success.
 * @param $uid gets filled in with the user id associated with the session on success.
 * @param $config optional array of flags to disable various checks
 * @return API_EC_SUCCESS on success, or another API_EC_* if the request failed validation.
 */
function api_validate_api_request($request, &$app_id, &$uid, $throttle = true, $use_session_secret = false)
{
    $api_key = isset($request['api_key']) ? $request['api_key'] : null;
    if (!$api_key || !($app_info = application_get_info_from_key($api_key))) {
        return API_EC_PARAM_API_KEY;
    }
    $app_id = $app_info['application_id'];
    // If application is disabled, their api_key is no longer valid,
    // though we may store it for future request tracking.
    if ($app_info['approved'] == -1) {
        return API_EC_PARAM_API_KEY;
    }
    // Similarly, if the app is deleted, the api_key is no good.  If
    // we've done everything else right, deleted apps shouldn't be
    // returned by the application_get_info_* functions, but better safe
    // than sorry.
    if ($app_info['deleted']) {
        return API_EC_PARAM_API_KEY;
    }
    $session_key = isset($request['session_key']) ? $request['session_key'] : null;
    if ($app_info['desktop']) {
        if ($throttle && ($ec = api_desktop_check_call_limit($app_id, $session_key)) !== API_EC_SUCCESS) {
            return $ec;
        }
    } else {
        if ($app_info['ip_list'] && !iplist_contains_ip($app_info['ip_list'], $_SERVER['REMOTE_ADDR'])) {
            return API_EC_BAD_IP;
        }
        if ($throttle && ($ec = api_server_check_call_limit($app_id)) !== API_EC_SUCCESS) {
            return $ec;
        }
    }
    //If $use_session_secret is true, then session_key must be provided
    if ($use_session_secret && !$session_key) {
        return API_EC_PARAM_SESSION_KEY;
    }
    $secret = $app_info['secret'];
    // will sig check after checking the session, since some apps have a session secret
    $method = isset($request['method']) ? $request['method'] : null;
    if (!$method) {
        return API_EC_METHOD;
    }
    $method_requires_session = api_method_requires_session($method);
    // Some methods don't require a session key but still work with session key.
    // Even if the method doesn't require a session key and the session key is passed in, the session key
    // should be respected, it's up to the individual method to figure out the tangled mess for itself...
    if ($method_requires_session || $session_key) {
        // If the method requires a session and one isn't provided, FAIL fast...
        if ($method_requires_session && !$session_key) {
            return API_EC_PARAM_SESSION_KEY;
        }
        if ($app_info['desktop'] || $use_session_secret) {
            $session_info = api_session_get_info($session_key, $app_id);
            $secret = $session_info['session_secret'];
        }
        // If the developer provides a session key even if it's not required, fail if it's not valid...
        if ($session_key && false == ($uid = api_session_extract_uid($session_key, $app_id))) {
            return API_EC_PARAM_SESSION_KEY;
        }
        if ($session_key && ($ec = api_session_check_valid($session_key, $app_id)) !== API_EC_SUCCESS) {
            return $ec;
        }
        /* The request has now been validated! */
        $GLOBALS['user'] = $uid;
        // a bunch of utility functions expect a global $user to be set
    }
    $sig = isset($request['sig']) ? $request['sig'] : null;
    if (!api_request_is_properly_signed($request, $secret, $sig)) {
        return API_EC_PARAM_SIGNATURE;
    }
    return API_EC_SUCCESS;
}