public static function read($service_answer, $query_vars, $app_id) { $service_answer = array(); $auth_params = WpakWebServiceContext::getClientAppParams(); if (!empty($auth_params['auth_action'])) { $app_id = WpakApps::get_app_id($app_id); $auth_engine = AuthenticationSettings::get_auth_engine_instance(); $service_answer = $auth_engine->get_webservice_answer($app_id); } else { $service_answer = array('error' => 'no-auth-action'); //This will set webservice answer status to 0. } return (object) $service_answer; }
/** * Retrieve "Live query" web service answer. * * Any custom input params passed through the web service GET data can be * retrieved via WpakWebServiceContext::getClientAppParam( 'my_param' ); * * The following input params are automatically recognized and interpreted : * - 'wpak_component_slug' : if present, the WS automatically retrieve data * about the given component * - 'wpak_query_action' : optionnaly use along with 'wpak_component_slug'. Can be : * -- 'get-component' : default value : retrieves default component data * -- 'get-items' : retrieves only the 'wpak_items_ids' items * - 'wpak_items_ids' : array of items ids to retrieve (when wpak_query_action = get-items) * * @return array $service_answer Web service answer : Advised answer structure : * By default, app core automatically knows what to do with an answer containing * the following keys : * - 'globals' * - 'component' or 'components' * But the answer structure can be totally overriden, provided it is understood on * app side using the dedicated hooks. */ public static function read($service_answer, $query_vars, $app_id) { $app_id = WpakApps::get_app_id($app_id); $component_slug = WpakWebServiceContext::getClientAppParam('wpak_component_slug'); $action = WpakWebServiceContext::getClientAppParam('wpak_query_action'); $action = empty($action) || !in_array($action, array('get-component', 'get-items')) ? 'get-component' : $action; if (!empty($component_slug)) { $service_answer = array('globals' => array(), 'component' => array()); if (is_array($component_slug)) { //The only valid action is 'get-component' if $component_slug is an array : if ($action == 'get-component') { //Retrieve data for all given components and merge globals : unset($service_answer['component']); $service_answer['components'] = array(); foreach ($component_slug as $slug) { $component_data = WpakComponents::get_component_data($app_id, $slug); if (!empty($component_data)) { foreach ($component_data['globals'] as $global => $items) { foreach ($items as $k => $item) { $service_answer['globals'][$global][$k] = $item; } } $service_answer['components'][$slug] = $component_data['component']; } } } } else { //Only one component given : simply retrieve its data : switch ($action) { case 'get-component': $service_answer = WpakComponents::get_component_data($app_id, $component_slug); break; case 'get-items': $items_ids = WpakWebServiceContext::getClientAppParam('wpak_items_ids'); if (!empty($items_ids)) { $items_ids = !is_array($items_ids) && is_numeric($items_ids) ? array(intval($items_ids)) : array_map('intval', $items_ids); $service_answer = WpakComponents::get_component_items($app_id, $component_slug, $items_ids); } break; } } } $query_params = WpakWebServiceContext::getClientAppParams(); $service_answer = apply_filters('wpak_live_query', $service_answer, $query_params, $app_id, $query_vars); return (object) $service_answer; }
public function get_webservice_answer($app_id) { $service_answer = array(); $auth_params = WpakWebServiceContext::getClientAppParams(); $debug_mode = WpakBuild::get_app_debug_mode($app_id) === 'on'; switch ($auth_params['auth_action']) { case "get_public_key": if (!empty($auth_params['user'])) { $user = $auth_params['user']; $user_wp = get_user_by('login', $user); if ($user_wp) { //Check the user is not banned : if ($this->check_user_is_allowed_to_authenticate($user_wp->ID, $app_id)) { if (!empty($auth_params['control']) && !empty($auth_params['control_key']) && !empty($auth_params['timestamp'])) { $user = $auth_params['user']; $control = $auth_params['control']; $control_key = $auth_params['control_key']; $timestamp = $auth_params['timestamp']; //First, check that sent data has not been modified : if ($this->check_hmac($auth_params['auth_action'] . $user . $timestamp, $control_key, $control)) { if ($this->check_query_time($timestamp)) { if (function_exists('openssl_pkey_get_private')) { $public_key = $this->get_app_public_key($app_id); if (!empty($public_key)) { //Return public key : $service_answer['public_key'] = $public_key; //Add control key : $service_answer['control'] = $this->generate_hmac($public_key . $user, $control_key); } else { //If not in debug mode, don't give error details for security concern : $service_answer['auth_error'] = $debug_mode ? 'empty-public-key' : 'auth-error'; //Don't give more details for security concern } } else { $service_answer['auth_error'] = $debug_mode ? 'php-openssl-not-found' : 'auth-error'; //Don't give more details for security concern } } else { //If not in debug mode, don't give error details for security concern : $service_answer['auth_error'] = $debug_mode ? 'wrong-query-time' : 'auth-error'; //Don't give more details for security concern } } else { //If not in debug mode, don't give error details for security concern : $service_answer['auth_error'] = $debug_mode ? 'wrong-hmac' : 'auth-error'; //Don't give more details for security concern } } else { //If not in debug mode, don't give error details for security concern : $service_answer['auth_error'] = $debug_mode ? 'wrong-data' : 'auth-error'; //Don't give more details for security concern } } else { $service_answer['auth_error'] = 'user-banned'; } } else { $service_answer['auth_error'] = 'wrong-user'; } } else { $service_answer['auth_error'] = 'empty-user'; } break; case "connect_user": if (!empty($auth_params['user']) && !empty($auth_params['control']) && !empty($auth_params['timestamp']) && !empty($auth_params['encrypted'])) { $service_answer = array('authenticated' => 0); $user = $auth_params['user']; $control = $auth_params['control']; $timestamp = $auth_params['timestamp']; $encrypted = $auth_params['encrypted']; //Decrypt data to retrieve user HMAC secret key : $decrypted = $this->decrypt($app_id, $encrypted); if (is_array($decrypted) && !empty($decrypted['secret'])) { $user_secret_key = $control_key = $decrypted['secret']; if ($this->check_secret_format($user_secret_key)) { if ($this->check_hmac($auth_params['auth_action'] . $user . $timestamp . $encrypted, $control_key, $control) && $user == $decrypted['user']) { if ($this->check_query_time($timestamp)) { //Check user data : $user = $decrypted['user']; $user_wp = get_user_by('login', $user); if ($user_wp) { //Check the user is not banned : if ($this->check_user_is_allowed_to_authenticate($user_wp->ID, $app_id)) { //Check password : $pass = $decrypted['pass']; if (wp_check_password($pass, $user_wp->data->user_pass, $user_wp->ID)) { //Memorize user as registered and store its secret control key $this->authenticate_user($user_wp->ID, $user_secret_key, $app_id); //Return authentication result to client : $service_answer['authenticated'] = 1; //Get user permissions : $service_answer['permissions'] = $this->get_user_permissions($user_wp->ID, $app_id); //Add control key : $service_answer['control'] = $this->generate_hmac('authenticated' . $user, $user_secret_key); } else { $service_answer['auth_error'] = 'wrong-pass'; } } else { $service_answer['auth_error'] = 'user-banned'; } } else { $service_answer['auth_error'] = 'wrong-user'; } } else { //If not in debug mode, don't give error details for security concern : $service_answer['auth_error'] = $debug_mode ? 'wrong-query-time' : 'auth-error'; } } else { //If not in debug mode, don't give error details for security concern : $service_answer['auth_error'] = $debug_mode ? 'wrong-hmac' : 'auth-error'; //Don't give more details for security concern } } else { //If not in debug mode, don't give error details for security concern : $service_answer['auth_error'] = $debug_mode ? 'wrong-secret' : 'auth-error'; //Don't give more details for security concern } } else { //If not in debug mode, don't give error details for security concern : $service_answer['auth_error'] = $debug_mode ? 'wrong-decryption' : 'auth-error'; //Don't give more details for security concern } } else { $service_answer['auth_error'] = 'wrong-auth-data'; } break; case 'check_user_auth': $service_answer['user_auth_ok'] = 0; //Check authentication if (!empty($auth_params['user']) && !empty($auth_params['control']) && !empty($auth_params['timestamp'])) { if (!empty($auth_params['hash']) && !empty($auth_params['hasher'])) { $result = $this->check_authenticated_action($app_id, 'check_user_auth', $auth_params, array($auth_params['hash'], $auth_params['hasher'])); if ($result['ok']) { //Means that the user is authenticated ok on server side, with secret ok. //Now, check that the public key has not changed : $app_public_key = $this->get_app_public_key($app_id); $hash = $this->generate_hmac($app_public_key, $auth_params['hasher']); if ($auth_params['hash'] === $hash) { $service_answer['user_auth_ok'] = 1; } else { $service_answer['auth_error'] = 'wrong-public-key'; } } else { //Depending on $result['auth_error'], can mean that the user //is not authenticated or that his secret has changed (if hmac check failed). $service_answer['auth_error'] = $result['auth_error']; } } else { $service_answer['auth_error'] = 'no-hash'; } } else { $service_answer['auth_error'] = 'wrong-auth-data'; } break; default: $service_answer = array('error' => 'wrong-action'); //This will set webservice answer status to 0. break; } //Note : deliberately don't add hook here to filter $service_answer //so that malicious code can not modify authentication process. return $service_answer; }