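/**
 * Authenticate the current REST request.
 *
 * Resolution order:
 *  1. A token from the "Authorization: Token <value>" header or the "_token" query parameter
 *     is looked up against User::rest_token; a match sets the controller user, a miss is 401.
 *  2. With no token, only the "auth" controller may exchange HTTP basic credentials for a
 *     token; the token is returned to the client via a 200 HttpException.
 *  3. Anything else is answered with a basic-auth challenge.
 *
 * @throws UnauthorizedException when a presented token matches no user
 * @throws HttpException         carrying the issued token (status 200) after a successful basic login
 */
public function authenticate()
{
    // Header names are matched case-insensitively so a lower-case "authorization" header is honoured too.
    $headers = array_change_key_case(getallheaders(), CASE_LOWER);
    $token = null;

    // Fetch token from the Authorization header, falling back to the query string.
    $authHeader = isset($headers['authorization']) ? $headers['authorization'] : '';
    if (strncmp($authHeader, 'Token ', 6) === 0) {
        $parts = preg_split('/\\s+/', $authHeader, 2, PREG_SPLIT_NO_EMPTY);
        // "Token" followed only by whitespace yields a single part; leave $token null rather than
        // read an undefined index.
        if (isset($parts[1])) {
            $token = $parts[1];
        }
    } elseif ($this->controller->request->get('_token')) {
        // NOTE(review): a token in the query string is written to server/proxy access logs;
        // the header form is the preferred transport.
        $token = $this->controller->request->get('_token');
    }

    // If a token is presented it must match a stored one exactly; otherwise the request is rejected.
    if ($token) {
        /** @var User $user */
        $user = $this->pixie->orm->get('User')->where('rest_token', $token)->find();
        if (!$user->loaded()) {
            throw new UnauthorizedException();
        }
        $this->controller->setUser($user);
        return;
    }

    // Else require basic authorization from the client to obtain a token; only the auth endpoint may do this.
    if ($this->controller->request->param('controller') === 'auth') {
        /**
         * @var User $user
         * @var bool $logged
         */
        list($user, $logged) = array_values($this->requireBasicCredentials());
        if ($logged) {
            $this->controller->setUser($user);
            if (!$user->rest_token || $this->controller->request->get('refresh')) {
                // 160 bits from the CSPRNG, hex-encoded to the same 40-character width as the
                // former sha1(username . time() . SALT) scheme, whose inputs were guessable.
                // random_bytes() requires PHP >= 7.0.
                $user->rest_token = bin2hex(random_bytes(20));
                $user->save();
            }
            $token = $user->rest_token;
            $responseException = new HttpException('Your token is established.', 200, null, 'OK');
            $responseException->setParameter('token', $token);
            throw $responseException;
        }
    }

    $this->askForBasicCredentials("Please provide your credentials using url /api/auth");
}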
/**
 * Reject request data that carries fields the model does not expose for writing.
 *
 * The writable set is every field from modelFields() except the model's id field.
 * When the request contains anything outside that set, a 400 HttpException listing the
 * offending names is thrown. If the application's vulnerability configuration marks the
 * current context as vulnerable to "XMLExternalEntity", the submitted data is additionally
 * echoed back verbatim in the exception's "invalidFields" parameter — this reflection is
 * the configured, deliberately-enabled disclosure path and is otherwise absent.
 *
 * @param array $data request payload keyed by field name
 * @throws HttpException 400 when unexpected fields are present
 */
protected function checkHasExcessFields($data)
{
    // Fields a client may legitimately submit: every model field except the primary key.
    $writableFields = array_diff($this->modelFields(), [$this->model->id_field]);
    $unexpectedFields = array_diff(array_keys($data), $writableFields);

    if (empty($unexpectedFields)) {
        return;
    }

    $exception = new HttpException(
        'Remove excess fields: ' . implode(', ', $unexpectedFields),
        400,
        null,
        'Bad Request'
    );

    // Reflect the payload only when the configured vulnerability context enables it.
    $context = $this->pixie->vulnService->getConfig()->getCurrentContext();
    if ($context->isVulnerableTo('XMLExternalEntity')) {
        $exception->setParameter('invalidFields', $data);
    }

    throw $exception;
}