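// Resolve the request path (?path=a/b/c) to a resource file below RARS_BASE_PATH/api/ and
// dispatch the HTTP verb held in $method (set before this script runs) to a method of the
// same name on the resource class.
//
// Security notes (review):
//  - Every segment is reduced to [a-z0-9_-] before it is appended to the include path and to
//    [a-z0-9_] before it is appended to the class name, so ".", "/", NUL and anything else
//    cannot survive; that allow-list plus the is_file() gate is what prevents an arbitrary
//    include. Do not loosen either pattern.
//  - PHP class names are case-insensitive, so a class name assembled here may also resolve a
//    class declared with different casing elsewhere; the is_file() gate remains the authority
//    on which resources are reachable.
//  - method_exists() is also true for private/protected methods; whether $method is limited to
//    the HTTP verbs is decided where $method is assigned (not visible in this script).
//  - json_decode() without the assoc flag yields objects while $_POST yields arrays;
//    RazorAPI::clean_data() is presumed to normalise both — confirm.
//  - RazorAPI::response() is relied on to terminate the request on the 404/405/500 paths; if it
//    returned, execution would continue into the include below.

// A missing or non-string ?path must not reach explode(): treat it as an empty path (-> 404).
$raw_path = isset($_GET["path"]) && is_string($_GET["path"]) ? $_GET["path"] : "";
$path_parts = explode("/", $raw_path);

$filename = "";
$classname = "";
$found = false;
$c = 0;
foreach ($path_parts as $pp) {
    $c++;
    $segment = strtolower($pp);
    // Allow-listed characters only (see notes above).
    $filename .= "/" . preg_replace("/[^a-z0-9_-]/", '', $segment);
    $classname .= ucfirst(preg_replace("/[^a-z0-9_]/", '', $segment));
    if (is_file(RARS_BASE_PATH . "api{$filename}.php")) {
        $found = true;
        break; // $c now equals the number of segments consumed by the resource path
    }
}
if (!$found) {
    RazorAPI::response(null, null, 404);
}

// Payload: for GET/DELETE it is a trailing path segment (an id), otherwise the request body.
// NOTE(review): with two trailing segments the *second* one is taken and the first dropped —
// preserved as-is, confirm against the API's URL scheme.
if ($method == "delete" || $method == "get") {
    $extra = count($path_parts) - $c;
    if ($extra == 1) {
        $data = RazorAPI::clean_data($path_parts[$c]);
    } elseif ($extra == 2) {
        $data = RazorAPI::clean_data($path_parts[$c + 1]);
    } else {
        $data = null;
    }
} else {
    $data = RazorAPI::clean_data(!empty($_POST) ? $_POST : json_decode(file_get_contents('php://input')));
}

// Load the resource file; it is expected to declare a class named after the path segments.
include RARS_BASE_PATH . "api{$filename}.php";
if (!class_exists($classname)) {
    // The file exists but did not declare the expected class: report a server error instead
    // of letting "new $classname" fail with an uncaught fatal.
    RazorAPI::response(null, null, 500);
}
$resource = new $classname();
if (!method_exists($resource, $method)) {
    RazorAPI::response(null, null, 405);
}
$response = $resource->{$method}($data);
/* EOF */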
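/**
 * Authenticate a user by e-mail address + password and issue a session token (RazorDB variant).
 *
 * @param array $data Request payload; reads $data["username"] (the e-mail address) and $data["password"].
 * @return mixed Whatever RazorAPI::response() returns. On success the JSON carries "token" and a
 *               trimmed "user" record; on failure a "message" and a "login_error_code"
 *               (101 bad credentials, 102 locked out, 103 inactive, 104 banned).
 * @throws Exception when "username" or "password" is missing from $data.
 *
 * Security notes (review):
 *  - Passwords are checked with RazorAPI::create_hash(..., 'sha1'), the salt being the first half
 *    of the stored value. SHA-1 is not a password hash; moving to password_hash()/password_verify()
 *    needs a re-hash of stored values and is out of scope for this method.
 *  - The token is sha1(time . user-agent . ip . password-hash) . "_" . id: derived, not random, and
 *    not stored here, so it is presumably re-derived wherever it is verified. The ip / user-agent
 *    normalisation below must therefore stay byte-identical to that code.
 *  - Codes 102/103 are returned before the password is checked, so an unauthenticated caller can
 *    learn that an account exists and is locked or inactive.
 *  - The ban list is keyed on ip + user-agent; the user-agent is attacker-controlled, so a ban is
 *    evaded by changing it, while clients behind one NAT/proxy share the same ip.
 *  - Fix in this revision: the lockout compared the *pre-increment* failure count, so it fired on
 *    the (N+1)th failure instead of the Nth and could divide by zero when RARS_ACCESS_ATTEMPTS is 0.
 */
public function login($data)
{
    if (!isset($data["username"])) {
        throw new Exception("No Login username");
    }
    if (!isset($data["password"])) {
        throw new Exception("No Login password");
    }

    // Normalise client identifiers; both also feed the token hash (see notes above).
    // NOTE(review): "[^0-9.]" strips every IPv6 character except digits and dots, so IPv6 clients
    // collapse onto near-identical strings; and in "[^0-9a-zA-Z.:;-_]" the unescaped "-" forms the
    // range ";"-"_", which also admits < = > ? @ [ \ ] ^ (probably unintended). Both are left
    // untouched because changing them here alone would break token re-derivation.
    $remote_addr = isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : '';
    $raw_agent = isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : '';
    $ip_address = preg_replace("/[^0-9.]/", '', substr($remote_addr, 0, 50));
    $user_agent = preg_replace("/[^0-9a-zA-Z.:;-_]/", '', substr($raw_agent, 0, 250));

    // Ban list is consulted before anything else when the feature is enabled.
    if (RARS_ACCESS_BAN_ATTEMPS > 0) {
        $db = new RazorDB();
        $db->connect("banned");
        $search = array(
            array("column" => "ip_address", "value" => $ip_address),
            array("column" => "user_agent", "value" => $user_agent, "and" => true),
        );
        $count = $db->get_rows($search);
        $count = $count["count"];
        $db->disconnect();
        if ($count > 0) {
            return RazorAPI::response(array("message" => "Login failed: ip banned", "login_error_code" => 104), "json");
        }
    }

    // Look the account up by e-mail address (the "username" field).
    $db = new RazorDB();
    $db->connect("user");
    $search = array("column" => "email_address", "value" => $data["username"]);
    $options = array("amount" => 1);
    $res = $db->get_rows($search, $options);
    $db->disconnect();
    if ($res["count"] != 1) {
        return RazorAPI::response(array("message" => "Login failed: username or password missmatch", "login_error_code" => 101), "json");
    }
    $user = $res["result"][0];

    if (!empty($user["lock_until"]) && $user["lock_until"] > time()) {
        return RazorAPI::response(array("message" => "Login failed: user locked out please try later", "login_error_code" => 102, "time_left" => $user["lock_until"] - time()), "json");
    }
    if (!$user["active"]) {
        return RazorAPI::response(array("message" => "Login failed: user not active", "login_error_code" => 103), "json");
    }

    // The salt is the first half of the stored hash, so the stored value is needed before hashing.
    $salt = substr($user["password"], 0, strlen($user["password"]) / 2);
    if (RazorAPI::create_hash($data["password"], $salt, 'sha1') !== $user["password"]) {
        // NOTE(review): "!==" is not constant-time; prefer hash_equals() where the runtime has it.
        // $attempts counts this failure too; lock on every Nth consecutive failure.
        $attempts = $user["failed_attempts"] + 1;
        $db = new RazorDB();
        $db->connect("user");
        $search = array("column" => "id", "value" => $user["id"]);
        $changes = array("failed_attempts" => $attempts);
        if (RARS_ACCESS_ATTEMPTS > 0 && $attempts % RARS_ACCESS_ATTEMPTS == 0) {
            $changes["lock_until"] = time() + RARS_ACCESS_LOCKOUT;
        }
        $db->edit_rows($search, $changes);
        $db->disconnect();

        // Ban the ip + user-agent pair once the failure count reaches the ban threshold.
        if (RARS_ACCESS_BAN_ATTEMPS > 0 && $attempts >= RARS_ACCESS_BAN_ATTEMPS) {
            $db = new RazorDB();
            $db->connect("banned");
            $db->add_rows(array("ip_address" => $ip_address, "user_agent" => $user_agent));
            $db->disconnect();
        }
        return RazorAPI::response(array("message" => "Login failed: username or password missmatch", "login_error_code" => 101), "json");
    }

    // Authenticated: derive the token (see notes above) and reset the failure state.
    $last_logged = time();
    $token = sha1($last_logged . $user_agent . $ip_address . $user["password"]) . "_" . $user["id"];
    $db = new RazorDB();
    $db->connect("user");
    $search = array("column" => "id", "value" => $user["id"]);
    $changes = array(
        "last_logged_in" => $last_logged,
        "last_accessed" => $last_logged,
        "failed_attempts" => 0,
        "lock_until" => null,
        "ip_address" => $ip_address,
    );
    $db->edit_rows($search, $changes);
    $db->disconnect();

    // Expose only non-sensitive columns (never the password hash). last_logged_in is read from the
    // row fetched *before* the update, i.e. the previous login time.
    $public_user = array(
        "id" => $user["id"],
        "name" => $user["name"],
        "email_address" => $user["email_address"],
        "last_logged_in" => $user["last_logged_in"],
        "access_level" => $user["access_level"],
    );
    return RazorAPI::response(array("token" => $token, "user" => $public_user), "json");
}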
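/**
 * Authenticate a user by e-mail address + password and issue a session token ($this->razor_db variant).
 *
 * @param array $data Request payload; reads $data["username"] (the e-mail address) and $data["password"].
 * @return mixed Whatever RazorAPI::response() returns. On success the JSON carries "token" and a
 *               trimmed "user" record; on failure a "message" and a "login_error_code"
 *               (101 bad credentials, 102 locked out, 103 inactive, 104 banned).
 * @throws Exception when "username" or "password" is missing from $data.
 *
 * Fixes in this revision:
 *  - The failed-attempt update used `$user['failed_attempts']++` (a post-increment), which stored
 *    the *old* count: the counter never advanced in the database, so the lockout could never
 *    trigger, and the ban check then compared old+2. The new count is now computed once and used
 *    for the write, the lockout and the ban check.
 *  - A successful login did not reset failed_attempts / lock_until, so failures accumulated across
 *    successful logins; the reset is restored.
 *
 * Security notes (review):
 *  - Passwords are checked with RazorAPI::create_hash(..., 'sha1'), the salt being the first half
 *    of the stored value. SHA-1 is not a password hash; moving to password_hash()/password_verify()
 *    needs a re-hash of stored values and is out of scope for this method.
 *  - The token is sha1(time . user-agent . ip . password-hash) . "_" . id: derived, not random, and
 *    not stored here, so it is presumably re-derived wherever it is verified. The ip / user-agent
 *    normalisation below must therefore stay byte-identical to that code.
 *  - Codes 102/103 are returned before the password is checked, so an unauthenticated caller can
 *    learn that an account exists and is locked or inactive.
 *  - The ban list is keyed on ip + user-agent; the user-agent is attacker-controlled, so a ban is
 *    evaded by changing it, while clients behind one NAT/proxy share the same ip.
 */
public function login($data)
{
    if (!isset($data["username"])) {
        throw new Exception("No Login username");
    }
    if (!isset($data["password"])) {
        throw new Exception("No Login password");
    }

    // Normalise client identifiers; both also feed the token hash (see notes above).
    // NOTE(review): "[^0-9.]" strips every IPv6 character except digits and dots, so IPv6 clients
    // collapse onto near-identical strings; and in "[^0-9a-zA-Z.:;-_]" the unescaped "-" forms the
    // range ";"-"_", which also admits < = > ? @ [ \ ] ^ (probably unintended). Both are left
    // untouched because changing them here alone would break token re-derivation.
    $remote_addr = isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : '';
    $raw_agent = isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : '';
    $ip_address = preg_replace("/[^0-9.]/", '', substr($remote_addr, 0, 50));
    $user_agent = preg_replace("/[^0-9a-zA-Z.:;-_]/", '', substr($raw_agent, 0, 250));

    // Ban list is consulted before anything else when the feature is enabled.
    if (RARS_ACCESS_BAN_ATTEMPS > 0) {
        $banned = $this->razor_db->get_first('banned', '*', array('ip_address' => $ip_address, 'user_agent' => $user_agent));
        if (!empty($banned)) {
            return RazorAPI::response(array("message" => "Login failed: ip banned", "login_error_code" => 104), "json");
        }
    }

    // Look the account up by e-mail address (the "username" field).
    $user = $this->razor_db->get_first('user', '*', array('email_address' => $data['username']));
    if (empty($user)) {
        return RazorAPI::response(array("message" => "Login failed: username or password missmatch", "login_error_code" => 101), "json");
    }

    if (!empty($user["lock_until"]) && $user["lock_until"] > time()) {
        return RazorAPI::response(array("message" => "Login failed: user locked out please try later", "login_error_code" => 102, "time_left" => $user["lock_until"] - time()), "json");
    }
    if (!$user["active"]) {
        return RazorAPI::response(array("message" => "Login failed: user not active", "login_error_code" => 103), "json");
    }

    // The salt is the first half of the stored hash, so the stored value is needed before hashing.
    $salt = substr($user["password"], 0, strlen($user["password"]) / 2);
    if (RazorAPI::create_hash($data["password"], $salt, 'sha1') !== $user["password"]) {
        // NOTE(review): "!==" is not constant-time; prefer hash_equals() where the runtime has it.
        // $attempts counts this failure too; lock on every Nth consecutive failure.
        $attempts = $user['failed_attempts'] + 1;
        $update_data = array('failed_attempts' => $attempts);
        if (RARS_ACCESS_ATTEMPTS > 0 && $attempts % RARS_ACCESS_ATTEMPTS == 0) {
            $update_data['lock_until'] = time() + RARS_ACCESS_LOCKOUT;
        }
        $this->razor_db->edit_data('user', $update_data, array('id' => $user['id']));

        // Ban the ip + user-agent pair once the failure count reaches the ban threshold.
        if (RARS_ACCESS_BAN_ATTEMPS > 0 && $attempts >= RARS_ACCESS_BAN_ATTEMPS) {
            $this->razor_db->add_data('banned', array('ip_address' => $ip_address, 'user_agent' => $user_agent));
        }
        return RazorAPI::response(array("message" => "Login failed: username or password missmatch", "login_error_code" => 101), "json");
    }

    // Authenticated: derive the token (see notes above), stamp the login and reset failure state.
    $last_logged = time();
    $token = sha1($last_logged . $user_agent . $ip_address . $user["password"]) . "_" . $user["id"];
    $update_data = array(
        'id' => $user['id'],
        'last_logged_in' => $last_logged,
        'last_accessed' => $last_logged,
        'failed_attempts' => 0,
        'lock_until' => null,
        'ip_address' => $ip_address,
    );
    // edit_data(..., '*') is relied on to hand back the updated row; "last_logged_in" in the
    // response is therefore the *current* login time — TODO confirm this is the intended value.
    $updated = $this->razor_db->edit_data('user', $update_data, array('id' => $user['id']), '*');
    $updated = $updated[0];

    // Expose only non-sensitive columns (never the password hash).
    $public_user = array(
        "id" => $updated["id"],
        "name" => $updated["name"],
        "email_address" => $updated["email_address"],
        "last_logged_in" => $updated["last_logged_in"],
        "access_level" => $updated["access_level"],
    );
    return RazorAPI::response(array("token" => $token, "user" => $public_user), "json");
}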
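/**
 * Handle Error
 * Handles all errors and exceptions: classifies the PHP error level, logs it, mirrors it to
 * ChromePHP, hands it to display_error() and, when the API layer is loaded, answers with a 500.
 *
 * @param string|int $error_type   PHP error level (an E_* constant) or a free-form type string
 * @param string     $error_string Actual error string
 * @param string     $error_file   File error happened in
 * @param string     $error_line   Line error happened on
 * @return bool True when no RazorAPI class is loaded. Otherwise RazorAPI::response(null, null, 500)
 *              is called and nothing is returned — it is presumed to end the request; confirm.
 *
 * Fix in this revision: the switch listed E_CORE_ERROR / E_CORE_WARNING twice (for values 64 and
 * 128), so E_COMPILE_ERROR / E_COMPILE_WARNING never matched and were reported with an empty type
 * in the plain 'log' group.
 *
 * NOTE(review): display_error() receives the file path and line number; if it renders them to the
 * client on a production deployment that leaks internal paths — check its implementation.
 */
public function handle_error($error_type = "", $error_string = "", $error_file = "", $error_line = "")
{
    // E_* level => array(log group, symbolic name). Fatal-class levels go to the 'error' group,
    // warnings to 'warn', everything else keeps the default 'log' group.
    $levels = array(
        E_ERROR             => array('error', 'E_ERROR'),
        E_WARNING           => array('warn',  'E_WARNING'),
        E_PARSE             => array('log',   'E_PARSE'),
        E_NOTICE            => array('log',   'E_NOTICE'),
        E_CORE_ERROR        => array('error', 'E_CORE_ERROR'),
        E_CORE_WARNING      => array('warn',  'E_CORE_WARNING'),
        E_COMPILE_ERROR     => array('error', 'E_COMPILE_ERROR'),
        E_COMPILE_WARNING   => array('warn',  'E_COMPILE_WARNING'),
        E_USER_ERROR        => array('error', 'E_USER_ERROR'),
        E_USER_WARNING      => array('warn',  'E_USER_WARNING'),
        E_USER_NOTICE       => array('log',   'E_USER_NOTICE'),
        E_STRICT            => array('log',   'E_STRICT'),
        E_RECOVERABLE_ERROR => array('error', 'E_RECOVERABLE_ERROR'),
        E_DEPRECATED        => array('log',   'E_DEPRECATED'),
        E_USER_DEPRECATED   => array('log',   'E_USER_DEPRECATED'),
    );

    // Non-integer or unknown levels keep an empty symbolic name and the 'log' group, as before.
    $error_group = 'log';
    $type = '';
    if (is_int($error_type) && isset($levels[$error_type])) {
        list($error_group, $type) = $levels[$error_type];
    }

    // Key order is kept as in the original record in case a consumer serialises it.
    $error = array(
        'error'  => $type,
        'type'   => $error_type,
        'file'   => $error_file,
        'line'   => $error_line,
        'string' => $error_string,
        'group'  => $error_group,
    );

    $this->log_error($error);
    $this->chrome_php($error, false);
    $this->display_error($error);

    if (class_exists("RazorAPI")) {
        RazorAPI::response(null, null, 500);
    } else {
        return true;
    }
}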