コード例 #1
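 /**
  * Validate an inbound API request against its X-Kem-* headers.
  *
  * Every request carries a sha512 hex digest in the X-Kem-Signature header. The caller
  * computes it as sha512(salt . body . secret): the salt travels in X-Kem-Salt, the body
  * is the raw request body and the secret is shared out of band. This method recomputes
  * the digest with the secret stored in Yii::app()->params['inbound_api_secret'] and
  * compares the two; the caller must also name itself in X-Kem-User as
  * Yii::app()->params['inbound_api_user'].
  *
  * @return bool true when the request is accepted. Public endpoints ($this->public_api)
  *              are accepted without a signature unless $this->require_authentification
  *              is set, in which case they are refused until that path is implemented.
  *
  * NOTE(review): sha512(salt . body . secret) is a bare hash, not an HMAC. Keep it only
  * while existing clients depend on it and move both sides to hash_hmac('sha512', ...)
  * when they can be updated. As the original author warned, never rely on this check
  * alone for anything sensitive (payments and the like).
  */
 protected function cheakApiRequestValidity()
 {
     // getallheaders() is not available under nginx, so the headers are rebuilt from
     // $_SERVER. A closure replaces the nested named function that used to live here:
     // a `function` declared inside a method is registered globally on the first call,
     // so the second call to this method died with "Cannot redeclare parseRequestHeaders".
     $parseRequestHeaders = function () {
         $headers = array();
         foreach ($_SERVER as $key => $value) {
             if (substr($key, 0, 5) != 'HTTP_') {
                 continue;
             }
             // HTTP_X_KEM_SALT -> X-Kem-Salt
             $header = str_replace(' ', '-', ucwords(str_replace('_', ' ', strtolower(substr($key, 5)))));
             $headers[$header] = $value;
         }
         return $headers;
     };
     $headers = $parseRequestHeaders();
     // Absent headers become '' rather than null: hash_equals() only accepts strings,
     // and '' can never match a real digest or user name anyway.
     $signature = isset($headers['X-Kem-Signature']) ? (string) $headers['X-Kem-Signature'] : '';
     $salt = isset($headers['X-Kem-Salt']) ? (string) $headers['X-Kem-Salt'] : '';
     $client = isset($headers['X-Kem-User']) ? (string) $headers['X-Kem-User'] : '';
     // Yii's CHttpRequest::getRawBody() takes no arguments; the $client that used to be
     // passed here was ignored. NOTE(review): confirm no custom request class consumed it.
     $body = Yii::app()->request->getRawBody();
     if ($this->public_api) {
         // The former User::model()->findByPk($client) lookup was dropped: its result
         // was never used in either branch.
         if ($this->require_authentification) {
             // Authenticated public calls are not implemented yet. Deny explicitly
             // rather than fall through, so this can never become an open endpoint.
             #TODO Implement
             return false;
         }
         // Public call with no authentication required.
         return true;
     }
     // Private APIs require the full check against the shared KEM secret:
     // signature = sha512(salt . body . secret), recomputed here.
     $expected = hash('sha512', $salt . $body . Yii::app()->params['inbound_api_secret']);
     // hash_equals() compares in constant time, so a remote caller cannot learn from
     // response timing how many leading bytes of the digest (or user name) matched,
     // which a plain === comparison leaks.
     $signatureMatches = hash_equals($expected, $signature);
     $expectedUser = Yii::app()->params['inbound_api_user'];
     // is_string() keeps the original strictness: a non-string configured user never matches.
     $userMatches = is_string($expectedUser) && hash_equals($expectedUser, $client);
     return $signatureMatches && $userMatches;
 }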
コード例 #2
ファイル: index.php プロジェクト: marcus7777/laterooms-rate
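<?php

/* Do not modify this line because of request limits set for Azure. */
ini_set('memory_limit', '1024K');
/* Do not modify above this line. */
$user_agent = 'AnyOrigin/1.0; Public API';
$user_domain = 'http://46.101.40.191/';
/* It is recommended that you keep this value to prevent requests looking like they are all from you if hosting multiple sites */
// parseRequestHeaders() is defined elsewhere in this project. The lookups below use
// lower-case names, so it is presumably lower-casing header names (not shown here).
$incoming_headers = parseRequestHeaders();
$incoming_type = "";
$ao_user_origin = "";
// Record where the browser says the request came from: Origin wins, X-Requested-With
// is the fallback. Both values are client-supplied.
if (isset($incoming_headers["origin"])) {
    $ao_user_origin = $incoming_headers["origin"];
    $incoming_type = "origin";
} elseif (isset($incoming_headers["x-requested-with"])) {
    $ao_user_origin = $incoming_headers["x-requested-with"];
    $incoming_type = "x-requested-with";
}
$allowed_hosts = array('*');
/* Do not modify below this line */
$user_agent_full = "{$user_agent} ({$user_domain})";
// The Referer is chosen by the caller, so the host allow-list below is a courtesy
// filter, not authentication.
$client_referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$client_referer = parse_url($client_referer);
// parse_url() returns false for a malformed Referer and has no 'host' entry when the
// header is absent; both used to raise an undefined-index notice here.
$client_host = (is_array($client_referer) && isset($client_referer['host'])) ? $client_referer['host'] : '';
$client_url = isset($_GET['u']) ? (string) $_GET['u'] : '';
// Only http(s) targets may be proxied. Without this, 'u' could name any scheme the
// fetch code further down supports (file://, ftp://, ...). It does not stop requests
// to internal http hosts - blocking those needs a resolved-address check at fetch time.
$client_url_scheme = strtolower((string) parse_url($client_url, PHP_URL_SCHEME));
$client_url_allowed = in_array($client_url_scheme, array('http', 'https'), true);
$client_allowed = 1000;
if ($client_url_allowed && (in_array(strtolower($client_host), $allowed_hosts, true) || $allowed_hosts[0] === '*')) {
    $client_allowed = 1;
}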
コード例 #3
ファイル: shim.php プロジェクト: Ruzon/conference
/**
 *	Rebuild the request headers from $_SERVER.
 *
 *	Every HTTP_* entry is turned into its header name
 *	(HTTP_USER_AGENT -> User-Agent). Entries without that prefix, including
 *	CONTENT_TYPE / CONTENT_LENGTH, are not included.
 *
 *	@return array header name => value
 */
function parseRequestHeaders()
{
    $toHeaderName = function ($serverKey) {
        $words = str_replace('_', ' ', strtolower(substr($serverKey, 5)));
        return str_replace(' ', '-', ucwords($words));
    };
    $parsed = array();
    foreach ($_SERVER as $serverKey => $serverValue) {
        if (strpos($serverKey, 'HTTP_') === 0) {
            $parsed[$toHeaderName($serverKey)] = $serverValue;
        }
    }
    return $parsed;
}
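$headers = parseRequestHeaders();
/**
 *	Every request gets a PHP session. When the User-Agent header is exactly
 *	"VoxImplant", the session id is additionally returned in an explicit
 *	Set-Cookie header. The original code started the session in both branches,
 *	so the duplicated session_start() is folded into a single call.
 */
session_start();
// Strict comparison; the header value is always a string. NOTE(review): User-Agent is
// client-chosen, so matching it only selects how the session id is delivered - it is
// not evidence that the caller really is VoxImplant. The hand-built cookie below also
// carries none of the HttpOnly/Secure/SameSite attributes the ini-configured session
// cookie may have; consider adding them if that client tolerates them.
if (isset($headers['User-Agent']) && $headers['User-Agent'] === "VoxImplant") {
    header("Set-Cookie: PHPSESSID=" . session_id() . "; path=/");
}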
/**
* Database Interface and Web Services for Conference
*/
コード例 #4
ファイル: endpoint-cors.php プロジェクト: Raza448/thoughtbase
{
    header("Access-Control-Allow-Origin: *");
}
/*
 * Answer a CORS preflight (OPTIONS) request: the Allow-Origin header is left to
 * handleCorsRequest(), then the accepted methods, credential policy and request
 * headers are advertised.
 *
 * NOTE(review): browsers honour Access-Control-Allow-Credentials: true only when
 * Allow-Origin names a specific origin. If handleCorsRequest() emits "*" (as the
 * fragment above this function suggests), credentialed cross-origin calls will be
 * rejected by the browser; echo back a vetted request Origin instead.
 */
function handlePreflight()
{
    handleCorsRequest();
    // Emitted in this fixed order so the response is byte-identical to before.
    $preflightHeaders = array(
        "Access-Control-Allow-Methods: POST, DELETE",
        "Access-Control-Allow-Credentials: true",
        "Access-Control-Allow-Headers: Content-Type, X-Requested-With, Cache-Control",
    );
    foreach ($preflightHeaders as $headerLine) {
        header($headerLine);
    }
}
// Determine whether we are dealing with a regular ol' XMLHttpRequest, or
// an XDomainRequest / iframe post. XHR callers identify themselves with
// "X-Requested-With: XMLHttpRequest"; anything else is treated as an iframe request.
// The header is client-supplied, so it only selects the response format.
$_HEADERS = parseRequestHeaders();
$iframeRequest = !(isset($_HEADERS['X-Requested-With']) && $_HEADERS['X-Requested-With'] == "XMLHttpRequest");
/*
 * handle the preflighted OPTIONS request. Needed for CORS operation.
 */
if ($method == "OPTIONS") {
    handlePreflight();
} else {
    if ($method == "DELETE") {
        handleCorsRequest();
        $result = $uploader->handleDelete("files");
        // iframe uploads require the content-type to be 'text/html' and
        // return some JSON along with self-executing javascript (iframe.ss.response)
コード例 #5
ファイル: hook.php プロジェクト: thehowl/morganbaz.com
<?php

require_once "secret.php";
// PHP is a terrible language. But I don't want to fire up a web server for automated deployment scripts. So, whatever.
// thank you based stack overflow
/**
 * Collect the incoming HTTP headers from $_SERVER, keyed by their canonical
 * header name (HTTP_X_HUB_SIGNATURE -> X-Hub-Signature). Only HTTP_* entries
 * are considered.
 *
 * @return array header name => value
 */
function parseRequestHeaders()
{
    $prefixLength = strlen('HTTP_');
    $headers = array();
    foreach ($_SERVER as $serverKey => $serverValue) {
        if (substr($serverKey, 0, $prefixLength) !== 'HTTP_') {
            continue;
        }
        $lowered = strtolower(substr($serverKey, $prefixLength));
        $titled = ucwords(str_replace('_', ' ', $lowered));
        $headers[str_replace(' ', '-', $titled)] = $serverValue;
    }
    return $headers;
}
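$h = parseRequestHeaders();
$event = isset($h["X-Github-Event"]) ? $h["X-Github-Event"] : '';
$sig = isset($h["X-Hub-Signature"]) ? $h["X-Hub-Signature"] : '';
// GitHub signs the raw request body as "sha1=" . hex(HMAC-SHA1(body, secret)) and
// sends it in X-Hub-Signature. The original code read the header but never checked it,
// so anyone who could reach this URL with "X-Github-Event: push" could trigger the
// git reset/pull below. Verify the signature before acting on any event.
// NOTE(review): secret.php (required above, not shown) is where the shared secret must
// come from; $githubWebhookSecret is a placeholder name - wire it to whatever
// secret.php actually defines. Until then every request is refused (fail closed).
// Newer GitHub deliveries also carry X-Hub-Signature-256 (HMAC-SHA256); prefer it
// once the secret is wired up.
$payload = file_get_contents('php://input');
$secret = isset($githubWebhookSecret) ? (string) $githubWebhookSecret : '';
$expected = 'sha1=' . hash_hmac('sha1', $payload === false ? '' : $payload, $secret);
// hash_equals() is constant-time, so a caller cannot brute-force the digest byte by byte.
if ($secret === '' || !hash_equals($expected, (string) $sig)) {
    http_response_code(403);
    echo "bad signature";
    exit;
}
switch ($event) {
    case "ping":
        echo "pong!";
        break;
    case "push":
        // Fixed command string: nothing request-derived reaches the shell.
        $d = shell_exec("cd /var/www/morganbaz.com/www && git reset --hard HEAD && git pull 2>&1");
        echo "all right dude, {$d}";
        break;
}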
コード例 #6
// Prefer the SAPI's own header accessor; fall back to rebuilding the list from
// $_SERVER where apache_request_headers() does not exist. The two sources apparently
// differ in key casing, which is why both spellings of Accept-Language are tried below.
if (function_exists('apache_request_headers')) {
    $ajax = apache_request_headers();
} else {
    function parseRequestHeaders()
    {
        $collected = array();
        foreach ($_SERVER as $serverKey => $serverValue) {
            if (substr($serverKey, 0, 5) === 'HTTP_') {
                // HTTP_ACCEPT_LANGUAGE -> Accept-Language
                $words = str_replace('_', ' ', strtolower(substr($serverKey, 5)));
                $collected[str_replace(' ', '-', ucwords($words))] = $serverValue;
            }
        }
        return $collected;
    }
    $ajax = parseRequestHeaders();
}
// Requested language, taken verbatim from the client; falls back to "ru".
$lng = $ajax["accept-language"] ?? $ajax["Accept-Language"] ?? "ru";
// echo json_encode($lng);
// die("");
switch ($request) {
    default:
        $http_response_code = 404;
        // Not Found
        $api["error"] = ["code" => 404, "message" => "Not Found", "type" => "ServerException", "url" => "http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.5"];
        break;
    case "index":
        $api["identity"] = "index";
        $api["data"] = ["first_name" => "Anton", "last_name" => "Trofimenko", "email" => "*****@*****.**", "session_id" => "djbncdslkjdnlfkjhlkdjhcdfklhjk"];
        break;
    case "account/signin":