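/**
 * Check that this token is either a user token or the site's API token,
 * and authenticate the current request for that user if so.
 *
 * The token is taken from an `Authorization: Bearer <token>` header first,
 * falling back to the `access_token` request parameter.
 *
 * @return \Idno\Entities\User|false The authenticated user, or false when no
 *                                   token was supplied or none matched.
 */
private static function authenticate()
{
    $headers = \Idno\Common\Page::getallheaders();
    $token = '';
    if (!empty($headers['Authorization'])) {
        // Strip the scheme word; whatever remains is treated as the token.
        $token = trim(str_replace('Bearer', '', $headers['Authorization']));
    } elseif ($param = \Idno\Core\Input::getInput('access_token')) {
        $token = trim($param);
    }

    if (empty($token)) {
        return false;
    }

    // 1. Per-user tokens issued by the Token store.
    $found = Token::findUserForToken($token);
    if (!empty($found)) {
        \Idno\Core\Idno::site()->session()->setIsAPIRequest(true);
        $user = $found['user'];
        \Idno\Core\Idno::site()->session()->refreshSessionUser($user);
        return $user;
    }

    // 2. The site-wide API key, which belongs to the admin account.
    $admin = \Idno\Entities\User::getOne(array('admin' => true));
    if (empty($admin)) {
        // No admin account yet (e.g. unfinished install): nothing to compare
        // against, and calling getAPIkey() on false would be fatal.
        return false;
    }
    $api_key = (string) $admin->getAPIkey();
    // hash_equals gives a constant-time, strict string comparison. The previous
    // `==` leaked timing and applied PHP's loose rules for numeric-looking strings.
    if ($api_key !== '' && hash_equals($api_key, $token)) {
        \Idno\Core\Idno::site()->session()->setIsAPIRequest(true);
        \Idno\Core\Idno::site()->session()->refreshSessionUser($admin);
        return $admin;
    }

    return false;
}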
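/**
 * Populate the configuration with defaults, then overlay the ini files.
 *
 * Defaults are derived from the request environment (scheme and SERVER_NAME);
 * loadIniFiles() may override any of them. In multitenant mode the database
 * name is then derived from the request host.
 *
 * @return void
 */
function init()
{
    // Load the config.ini file in the root folder, if it exists.
    // If not, we'll use default values. No skin off our nose.
    $this->path = dirname(dirname(__DIR__)); // Base path: two levels above this file's directory

    // SERVER_NAME is absent on the CLI (cron, console scripts); use an empty
    // host rather than emitting an undefined-index notice.
    $server_name = isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : '';
    $this->url = (\Idno\Common\Page::isSSL() ? 'https://' : 'http://') . $server_name . '/'; // A naive default base URL
    $this->title = 'New Known site'; // A default name for the site
    $this->description = 'A social website powered by Known'; // Default description
    $this->timezone = 'UTC';
    $this->host = parse_url($this->url, PHP_URL_HOST); // The site hostname, without parameters etc
    $this->feed = $this->url . '?_t=rss';
    $this->indieweb_citation = false;
    $this->indieweb_reference = false;
    $this->known_hub = false;

    $this->loadIniFiles();

    if ($this->multitenant) {
        // Keep the configured name so we can fall back to it if the host yields nothing usable.
        $dbname = $this->dbname;
        // NOTE: this removes every 'www.' occurrence, not only a leading one.
        $this->host = str_replace('www.', '', $this->host);
        //$this->sessionname = preg_replace('/[^\da-z]/i', '', $this->host);
        // The host comes from SERVER_NAME, which some web-server configurations
        // populate from the client's Host header; whitelist the characters that
        // may reach the database name.
        $this->dbname = preg_replace('/[^0-9a-z\\.\\-\\_]/i', '', $this->host);
        // Known now defaults to not including periods in database names for multitenant installs. Add
        // 'multitenant_periods = true' if you wish to override this.
        if (empty($this->multitenant_periods)) {
            $this->dbname = str_replace('.', '_', $this->dbname);
        }
        if (empty($this->dbname)) {
            $this->dbname = $dbname;
        }
    }

    // initial_plugins extends (never replaces) default_plugins.
    if (!empty($this->initial_plugins)) {
        if (!empty($this->default_plugins)) {
            $this->default_plugins = array_merge($this->default_plugins, $this->initial_plugins);
        } else {
            $this->default_plugins = $this->initial_plugins;
        }
    }
    if (!empty($this->default_plugins)) {
        $this->plugins = $this->default_plugins;
    }

    date_default_timezone_set($this->timezone);
    //setlocale(LC_ALL, 'en_US.UTF8');
}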
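/**
 * Populate the configuration with defaults, then overlay config.ini if present.
 *
 * @return void
 */
function init()
{
    // Load the config.ini file in the root folder, if it exists.
    // If not, we'll use default values. No skin off our nose.
    // @TODO override settings from the database
    $this->path = dirname(dirname(__DIR__)); // Base path: two levels above this file's directory

    // SERVER_NAME is absent on the CLI; use an empty host rather than a notice.
    $server_name = isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : '';
    $this->url = (\Idno\Common\Page::isSSL() ? 'https://' : 'http://') . $server_name . '/'; // A naive default base URL
    $this->title = 'New idno site'; // A default name for the site
    $this->timezone = 'UTC';
    $this->host = parse_url($this->url, PHP_URL_HOST); // The site hostname, without parameters etc

    // Test for the file explicitly instead of silencing parse_ini_file with `@`,
    // so a present-but-malformed ini file still surfaces its warning.
    $ini = $this->path . '/config.ini';
    if (is_readable($ini)) {
        $config = parse_ini_file($ini);
        if (is_array($config)) {
            $this->config = array_merge($this->config, $config);
        }
    }

    date_default_timezone_set($this->timezone);
    setlocale(LC_ALL, 'en_US.UTF8');
}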
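/**
 * Checks HTTP request headers to see if the request has been properly
 * signed for API access, and if so, log the user on and return the user.
 *
 * A signed request carries X-KNOWN-USERNAME and X-KNOWN-SIGNATURE, the latter
 * being base64(HMAC-SHA256(REQUEST_URI, <user's API key>)). Only the request
 * URI is covered by the signature — method, body and time are not — so a
 * captured signature stays valid for that URI. Requests without these headers
 * are offered to plugins through the 'user/auth/api' event.
 *
 * @return \Idno\Entities\User|false The logged-in user, or false otherwise
 */
function APIlogin()
{
    if (!empty($_SERVER['HTTP_X_KNOWN_USERNAME']) && !empty($_SERVER['HTTP_X_KNOWN_SIGNATURE'])) {
        \Idno\Core\site()->session()->setIsAPIRequest(true);
        if (!\Idno\Common\Page::isSSL() && !\Idno\Core\site()->config()->disable_cleartext_warning) {
            \Idno\Core\site()->session()->addErrorMessage("Warning: Access credentials were sent over a non-secured connection! To disable this warning set disable_cleartext_warning in your config.ini");
        }
        // API clients get JSON unless they asked for a specific template type.
        $t = site()->currentPage()->getInput('_t');
        if (empty($t)) {
            site()->template()->setTemplateType('json');
        }
        if ($user = \Idno\Entities\User::getByHandle($_SERVER['HTTP_X_KNOWN_USERNAME'])) {
            // Short circuit authentication, since this user is already logged in. Needed to resolve #595
            if (\Idno\Core\site()->session()->currentUser() && \Idno\Core\site()->session()->currentUser()->getUUID() == $user->getUUID()) {
                return $user;
            }
            $key = $user->getAPIkey();
            $hmac = trim($_SERVER['HTTP_X_KNOWN_SIGNATURE']);
            $compare_hmac = base64_encode(hash_hmac('sha256', $_SERVER['REQUEST_URI'], $key, true));
            // Constant-time, strict comparison. The previous `==` leaked timing
            // and applied PHP's loose-equality rules to numeric-looking strings.
            if (hash_equals($compare_hmac, $hmac)) {
                \Idno\Core\site()->session()->logUserOn($user);
                return $user;
            }
        }
    }

    // We're not logged in yet, so try and authenticate using other mechanism
    if ($return = site()->triggerEvent('user/auth/api', [], false)) {
        \Idno\Core\site()->session()->setIsAPIRequest(true);
        if (!\Idno\Common\Page::isSSL() && !\Idno\Core\site()->config()->disable_cleartext_warning) {
            \Idno\Core\site()->session()->addErrorMessage("Warning: Access credentials were sent over a non-secured connection! 
To disable this warning set disable_cleartext_warning in your config.ini");
        }
    }

    // If this is an API request but we're not logged in, set page response code to access denied
    if ($this->isAPIRequest() && !$return) {
        site()->currentPage()->setResponse(403);
    }

    return $return;
}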
/**
 * Attempt to detect your known configuration's server name.
 *
 * Precedence: a Sandstorm-supplied base path, then SERVER_NAME (with a
 * non-default port and KNOWN_SUBDIRECTORY appended), else a root-relative '/'.
 *
 * @return string Base URL, always terminated by '/'.
 */
protected function detectBaseURL()
{
    // Sandstorm calls the base URL a "base path"; honour it as given, slash-terminated.
    if (!empty($_SERVER['X-Sandstorm-Base-Path'])) {
        $base_url = $_SERVER['X-Sandstorm-Base-Path'];
        return substr($base_url, -1) === '/' ? $base_url : $base_url . '/';
    }

    // Otherwise, use the standard server name header.
    if (empty($_SERVER['SERVER_NAME'])) {
        // No servername set, try something else
        // TODO: Detect servername using other methods (but don't use HTTP_HOST)
        // Default to root relative urls
        return '/';
    }

    $scheme = \Idno\Common\Page::isSSL() ? 'https://' : 'http://';
    $authority = $_SERVER['SERVER_NAME'];
    $port = empty($_SERVER['SERVER_PORT']) ? null : $_SERVER['SERVER_PORT'];
    // Only spell the port out when it is not the scheme default.
    if ($port !== null && $port != 80 && $port != 443) {
        $authority .= ':' . $port;
    }
    $path = defined('KNOWN_SUBDIRECTORY') ? '/' . KNOWN_SUBDIRECTORY . '/' : '/';

    return $scheme . $authority . $path; // A naive default base URL
}
/**
 * Attempt to detect your known configuration's server name.
 *
 * Uses SERVER_NAME (with a non-default port and KNOWN_SUBDIRECTORY appended)
 * when available, else falls back to a root-relative '/'.
 *
 * @return string Base URL, always terminated by '/'.
 */
protected function detectBaseURL()
{
    if (empty($_SERVER['SERVER_NAME'])) {
        // No servername set, try something else
        // TODO: Detect servername using other methods (but don't use HTTP_HOST)
        // Default to root relative urls
        return '/';
    }

    // Servername specified, so we can construct things in the normal way.
    $scheme = \Idno\Common\Page::isSSL() ? 'https://' : 'http://';
    $authority = $_SERVER['SERVER_NAME'];
    $port = empty($_SERVER['SERVER_PORT']) ? null : $_SERVER['SERVER_PORT'];
    // Only spell the port out when it is not the scheme default.
    if ($port !== null && $port != 80 && $port != 443) {
        $authority .= ':' . $port;
    }
    $path = defined('KNOWN_SUBDIRECTORY') ? '/' . KNOWN_SUBDIRECTORY . '/' : '/';

    return $scheme . $authority . $path; // A naive default base URL
}
/**
 * Attempt to detect your known configuration's server name.
 *
 * Builds "<scheme>://<SERVER_NAME>/" when SERVER_NAME is set, else returns
 * a root-relative '/'.
 *
 * @return string Base URL, always terminated by '/'.
 */
protected function detectBaseURL()
{
    if (empty($_SERVER['SERVER_NAME'])) {
        // No servername set, try something else
        // TODO: Detect servername using other methods (but don't use HTTP_HOST)
        // Default to root relative urls
        return '/';
    }

    // Servername specified, so we can construct things in the normal way.
    $scheme = \Idno\Common\Page::isSSL() ? 'https://' : 'http://';

    return $scheme . $_SERVER['SERVER_NAME'] . '/'; // A naive default base URL
}
/**
 * Called at the beginning of each request handler, attempts to authorize the request.
 *
 * Checks HTTP request headers to see if the request has been properly
 * signed for API access.
 *
 * If this is not an API request, then check the session for the logged in user's credentials.
 *
 * Triggers "user/auth/request" to give plugins an opportunity to implement their own auth mechanism.
 * Then "user/auth/success" or "user/auth/failure" depending on if a user was found for the provided credentials.
 *
 * @return \Idno\Entities\User|false The logged-in user, or false otherwise
 */
function tryAuthUser()
{
    // attempt to delegate auth to a plugin (note: plugin is responsible for calling setIsAPIRequest or not)
    $return = \Idno\Core\Idno::site()->triggerEvent('user/auth/request', [], false);

    // auth standard API requests
    if (!$return && !empty($_SERVER['HTTP_X_KNOWN_USERNAME']) && !empty($_SERVER['HTTP_X_KNOWN_SIGNATURE'])) {
        \Idno\Core\Idno::site()->logging()->log("Attempting to auth via API credentials", LOGLEVEL_DEBUG);
        $this->setIsAPIRequest(true);
        // API clients get JSON unless they asked for a specific template type.
        $t = \Idno\Core\Idno::site()->currentPage()->getInput('_t');
        if (empty($t)) {
            \Idno\Core\Idno::site()->template()->setTemplateType('json');
        }
        if ($user = \Idno\Entities\User::getByHandle($_SERVER['HTTP_X_KNOWN_USERNAME'])) {
            // NOTE(review): the signature verification between this log line and
            // the cleartext warning is not recoverable from this copy of the
            // source (redacted); the text below is reproduced as found.
            \Idno\Core\Idno::site()->logging()->log("API auth found user by username: "******"API auth verified signature for user: "******"API auth failed signature validation for user: "******"Warning: Access credentials were sent over a non-secured connection! 
To disable this warning set disable_cleartext_warning in your config.ini");
        }
        // If this is an API request but we're not logged in, set page response code to access denied
        if (!$return) {
            $ip = $_SERVER['REMOTE_ADDR'];
            if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
                $proxies = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']); // We are behind a proxy
                // The first hop is whatever the client sent; this value is only
                // trustworthy when a proxy in front of us rewrites the header.
                $ip = trim($proxies[0]);
            }
            \Idno\Core\Idno::site()->logging()->log("API Login failure from {$ip}", LOGLEVEL_ERROR);
            \Idno\Core\Idno::site()->currentPage()->deniedContent();
        }
    }

    // Let plugins observe the outcome; the event may replace the returned user.
    $return = \Idno\Core\Idno::site()->triggerEvent($return ? "user/auth/success" : "user/auth/failure", array("user" => $return, "is api" => $this->isAPIRequest()), $return);
    return $return;
}
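/**
 * Checks HTTP request headers to see if the request has been properly
 * signed for API access, and if so, log the user on and return the user.
 *
 * A signed request carries X-KNOWN-USERNAME and X-KNOWN-SIGNATURE, the latter
 * being base64(HMAC-SHA256(REQUEST_URI, <user's API key>)). Only the request
 * URI is covered by the signature — method, body and time are not — so a
 * captured signature stays valid for that URI. Requests without these headers
 * are offered to plugins through the 'user/auth/api' event.
 *
 * @return \Idno\Entities\User|false The logged-in user, or false otherwise
 */
function APIlogin()
{
    if (!empty($_SERVER['HTTP_X_KNOWN_USERNAME']) && !empty($_SERVER['HTTP_X_KNOWN_SIGNATURE'])) {
        \Idno\Core\Idno::site()->session()->setIsAPIRequest(true);
        if (!\Idno\Common\Page::isSSL() && !\Idno\Core\Idno::site()->config()->disable_cleartext_warning) {
            \Idno\Core\Idno::site()->session()->addErrorMessage("Warning: Access credentials were sent over a non-secured connection! To disable this warning set disable_cleartext_warning in your config.ini");
        }
        // API clients get JSON unless they asked for a specific template type.
        $t = \Idno\Core\Idno::site()->currentPage()->getInput('_t');
        if (empty($t)) {
            \Idno\Core\Idno::site()->template()->setTemplateType('json');
        }
        if ($user = \Idno\Entities\User::getByHandle($_SERVER['HTTP_X_KNOWN_USERNAME'])) {
            $key = $user->getAPIkey();
            $hmac = trim($_SERVER['HTTP_X_KNOWN_SIGNATURE']);
            $compare_hmac = base64_encode(hash_hmac('sha256', $_SERVER['REQUEST_URI'], $key, true));
            // Constant-time, strict comparison. The previous `==` leaked timing
            // and applied PHP's loose-equality rules to numeric-looking strings.
            if (hash_equals($compare_hmac, $hmac)) {
                \Idno\Core\Idno::site()->session()->logUserOn($user);
                return $user;
            }
        }
    }

    // We're not logged in yet, so try and authenticate using other mechanism
    if ($return = \Idno\Core\Idno::site()->triggerEvent('user/auth/api', [], false)) {
        \Idno\Core\Idno::site()->session()->setIsAPIRequest(true);
        if (!\Idno\Common\Page::isSSL() && !\Idno\Core\Idno::site()->config()->disable_cleartext_warning) {
            \Idno\Core\Idno::site()->session()->addErrorMessage("Warning: Access credentials were sent over a non-secured connection! 
To disable this warning set disable_cleartext_warning in your config.ini");
        }
    }

    // If this is an API request but we're not logged in, set page response code to access denied
    if ($this->isAPIRequest() && !$return) {
        // REMOTE_ADDR is absent on the CLI; avoid an undefined-index notice.
        $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
        if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
            $proxies = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']); // We are behind a proxy
            // The first hop is whatever the client sent; this value is only
            // trustworthy when a proxy in front of us rewrites the header.
            $ip = trim($proxies[0]);
        }
        \Idno\Core\Idno::site()->logging()->log("API Login failure from {$ip}", LOGLEVEL_ERROR);
        //\Idno\Core\Idno::site()->triggerEvent('login/failure/api'); // Can't be used until #918 is fixed.
        \Idno\Core\Idno::site()->currentPage()->deniedContent();
    }

    return $return;
}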