ファイル: profile.php プロジェクト: smiffy6969/rars
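 /**
  * REST POST - Change a user's profile details; requires a 'user' table in your db with the fields read and written
  * below (id, name, email_address, password). Only the logged-in user may alter their own account, and the current
  * password has to be supplied with every change, including deletion.
  * @param array $data The data to update the user's profile with: 'id', 'password' (the current password), 'name',
  *                    'email_address', optional 'new_password', and optional 'delete' (1 removes the account)
  * @return void Replies through $this->response() with a completion message, or with an error and a 4xx status
  */
 public function post($data)
 {
     // check we have a logged in user
     if ((int) $this->user['access_level'] < 1) {
         $this->response('You do not have permission to perform that action', 'json', 401);
         return; // response() appears to end the request; the return keeps every guard fail-closed if it does not
     }
     if (empty($data) || !is_array($data)) {
         $this->response('Invalid data', 'json', 400);
         return;
     }
     // the account named in the request must be the logged-in account (compared as ints, not loosely)
     if (!isset($data['id']) || (int) $this->user['id'] !== (int) $data['id']) {
         $this->response('You do not have permission to alter that account', 'json', 401);
         return;
     }
     // check the current password against the stored hash
     $user_password_check = $this->rars_db->get_first('user', '*', array('id' => $this->user['id']));
     if (!$user_password_check) {
         $this->response('Permission denied', 'json', 401);
         return;
     }
     $stored_hash = (string) $user_password_check['password'];
     // the first half of the stored value is passed back in as the salt (same layout as the login check in
     // access.php); hash_equals keeps the comparison constant-time so the match position is not leaked
     $supplied_password = isset($data['password']) && is_string($data['password']) ? $data['password'] : '';
     $computed_hash = (string) RarsAPI::create_hash(
         $supplied_password,
         substr($stored_hash, 0, (int) (strlen($stored_hash) / 2)),
         'sha1'
     );
     if ($supplied_password === '' || !hash_equals($stored_hash, $computed_hash)) {
         $this->response('Permission denied, password incorrect', 'json', 401);
         return;
     }
     // check if we are doing a deletion
     if (isset($data['delete']) && (int) $data['delete'] === 1) {
         $this->rars_db->delete_data('user', array('id' => $this->user['id']));
         $this->response('Account deleted, logging you out...', 'json', 202);
         return; // nothing below may run once the row is gone
     }
     // name and email address are both required for an update
     $name = isset($data['name']) ? $data['name'] : null;
     $email_address = isset($data['email_address']) ? $data['email_address'] : null;
     if ($name === null || $email_address === null) {
         $this->response('Invalid data', 'json', 400);
         return;
     }
     // check email is unique if changed
     if ((string) $email_address !== (string) $this->user['email_address']) {
         $user_email_check = $this->rars_db->get_first('user', '*', array('email_address' => $email_address));
         // bug fix: the original tested an undefined $user here, so the duplicate check never fired
         if (!empty($user_email_check)) {
             $this->response('Email address already registered', 'json', 409);
             return;
         }
     }
     // alter name and email, plus the password when a new one was sent
     $row = array('name' => $name, 'email_address' => $email_address);
     if (isset($data['new_password']) && is_string($data['new_password']) && $data['new_password'] !== '') {
         // NOTE(review): called as $this->create_hash() with one argument, unlike RarsAPI::create_hash() above;
         // confirm both produce the salt + hash layout that the password check expects
         $row['password'] = $this->create_hash($data['new_password']);
     }
     $this->rars_db->edit_data('user', $row, array('id' => $this->user['id']));
     // the login token is derived from the password hash (see access.php), so a changed password presumably
     // means the client has to log in again
     if (isset($row['password'])) {
         $this->response('User account updated, logging you out...', 'json', 202);
     } else {
         $this->response('User account updated', 'json');
     }
 }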
ファイル: access.php プロジェクト: smiffy6969/rars
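 /**
  * REST POST - Log in a user; requires a 'user' and a 'banned' table in your db with the fields read and written
  * below. Checks run in this order: ban list (client ip + user agent), user lookup by email, lockout window, active
  * flag, then password. A failed password bumps 'failed_attempts'; every RARS_ACCESS_ATTEMPTS failures lock the
  * account for RARS_ACCESS_LOCKOUT seconds, and reaching RARS_ACCESS_BAN_ATTEMPS failures bans the client.
  * @param array $data The login data via rest request containing 'username' and 'password', note username contains the email_address
  * @return void Replies through $this->response() with basic details of the verified account (id, name,
  *              email_address, last_logged_in, access_level) and sets $_SERVER['HTTP_AUTHORIZATION'] to the
  *              generated token; failures are sent with a 401 status
  */
 public function post($data)
 {
     // check username and password are present and are plain strings
     if (!is_array($data) || !isset($data['username']) || !isset($data['password'])
         || !is_string($data['username']) || !is_string($data['password'])) {
         $this->response('Login failed: username or password missmatch', 'json', 401);
         return; // response() appears to end the request; the return keeps every guard fail-closed if it does not
     }
     // client identity used for the ban list and the token; missing server values fall back to an empty string
     $remote_addr = isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : '';
     $raw_user_agent = isset($_SERVER['HTTP_USER_AGENT']) ? (string) $_SERVER['HTTP_USER_AGENT'] : '';
     // NOTE(review): both patterns are kept as-is because the token below is built from these values and whatever
     // validates the token must normalise them identically. Be aware that the address pattern strips the hex digits
     // and colons of an IPv6 address, and that ";-_" in the agent pattern is a range (';' to '_'), not a literal
     // hyphen, so '<', '=', '>', '?', '@', '[', '\', ']' and '^' pass through. Change both together with the validator.
     $ip_address = preg_replace("/[^0-9.]/", '', substr($remote_addr, 0, 50));
     $user_agent = preg_replace("/[^0-9a-zA-Z.:;-_]/", '', substr($raw_user_agent, 0, 250));
     // check ban list if active before doing anything else
     if (RARS_ACCESS_BAN_ATTEMPS > 0) {
         $banned = $this->rars_db->get_first('banned', '*', array('ip_address' => $ip_address, 'user_agent' => $user_agent));
         if (!empty($banned)) {
             $this->response('Login failed: ip banned', 'json', 401);
             return;
         }
     }
     /* carry on with login */
     // find user by email address (sent as 'username')
     $user = $this->rars_db->get_first('user', '*', array('email_address' => $data['username']));
     if (empty($user)) {
         $this->response('Login failed: username or password missmatch', 'json', 401);
         return;
     }
     // the two messages below differ from the generic one, so they confirm to the caller that the account exists
     // check if user is locked out here
     if (!empty($user['lock_until']) && strtotime($user['lock_until']) > time()) {
         $this->response('Login failed: user locked out please try later', 'json', 401);
         return;
     }
     // check active user
     if (!$user['active']) {
         $this->response('Login failed: user not active', 'json', 401);
         return;
     }
     // check the password: the first half of the stored value is passed back in as the salt, and hash_equals
     // keeps the comparison constant-time so the match position is not leaked
     $stored_hash = (string) $user['password'];
     $computed_hash = (string) RarsAPI::create_hash(
         $data['password'],
         substr($stored_hash, 0, (int) (strlen($stored_hash) / 2)),
         'sha1'
     );
     if (!hash_equals($stored_hash, $computed_hash)) {
         // bug fix: the original stored $user['failed_attempts']++ (the old value), so the db counter never
         // advanced and the lockout / ban thresholds were never reached
         $failed_attempts = (int) $user['failed_attempts'] + 1;
         $update_data = array('failed_attempts' => $failed_attempts);
         // lock on every RARS_ACCESS_ATTEMPTS-th failure (the guard avoids a modulo by zero when the constant is 0)
         if (RARS_ACCESS_ATTEMPTS > 0 && $failed_attempts % RARS_ACCESS_ATTEMPTS === 0) {
             $update_data['lock_until'] = date('Y-m-d H:i:s', time() + RARS_ACCESS_LOCKOUT);
         }
         $this->rars_db->edit_data('user', $update_data, array('id' => $user['id']));
         // add to banned list if banned active and too many attempts
         if (RARS_ACCESS_BAN_ATTEMPS > 0 && $failed_attempts >= RARS_ACCESS_BAN_ATTEMPS) {
             $this->rars_db->add_data('banned', array('ip_address' => $ip_address, 'user_agent' => $user_agent, 'created' => date('Y-m-d H:i:s', time())));
         }
         $this->response('Login failed: username or password missmatch', 'json', 401);
         return;
     }
     /* we are now authenticated, respond and send token back */
     $last_logged = date('Y-m-d H:i:s', time());
     // the token is not stored, so whatever validates the Authorization header presumably recomputes it from the
     // same stamp, agent, address and password hash - keep this format in step with that code
     $token = sha1($last_logged . $user_agent . $ip_address . $stored_hash) . '_' . $user['id'];
     // record the login and clear the failure counter now that the password was correct
     $update_data = array('id' => $user['id'], 'last_logged_in' => $last_logged, 'last_accessed' => $last_logged, 'ip_address' => $ip_address, 'failed_attempts' => 0);
     $updated = $this->rars_db->edit_data('user', $update_data, array('id' => $user['id']), '*');
     if (empty($updated[0])) {
         $this->response('Login failed: unable to update account', 'json', 500);
         return;
     }
     // collect user data from the freshly written row
     $user_data = array(
         'id' => $updated[0]['id'],
         'name' => $updated[0]['name'],
         'email_address' => $updated[0]['email_address'],
         'last_logged_in' => $updated[0]['last_logged_in'],
         'access_level' => $updated[0]['access_level'],
     );
     // setup response with authorization token (response() is assumed to turn this into the header it sends back)
     $_SERVER['HTTP_AUTHORIZATION'] = $token;
     $this->response($user_data, 'json');
 }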