/** * REST POST - Change a users profile details, this requires a table called 'user' and 'banned' in your db with various fields as per header * @param $data The data to update the users profile with * @return message as complete or error */ public function post($data) { // check we have a logged in user if ((int) $this->user['access_level'] < 1) { $this->response('You do not have permission to perform that action', 'json', 401); } if (empty($data)) { $this->response('Invalid data', 'json', 400); } if ($this->user["id"] != $data["id"]) { $this->response('You do not have permission to alter that account', 'json', 401); } // check password $user_password_check = $this->rars_db->get_first('user', '*', array('id' => $this->user['id'])); if (!$user_password_check) { $this->response('Permission denied', 'json', 401); } if (RarsAPI::create_hash($data['password'], substr($user_password_check['password'], 0, strlen($user_password_check['password']) / 2), 'sha1') !== $user_password_check['password']) { $this->response('Permission denied, password incorrect', 'json', 401); } // check if we are doing a deletion if (isset($data['delete']) && $data['delete'] == 1) { $this->rars_db->delete_data('user', array('id' => $this->user['id'])); $this->response('Account deleted, logging you out...', 'json', 202); // reset content as deleted } // check email is unique if changed if ($data["email_address"] != $this->user["email_address"]) { $user_email_check = $this->rars_db->get_first('user', '*', array('email_address' => $data["email_address"])); if (!empty($user)) { $this->response('Email address already registered', 'json', 409); } } // if this is your account, alter name and email $row = array("name" => $data["name"], "email_address" => $data["email_address"]); if (isset($data["new_password"]) && !empty($data["new_password"])) { $row["password"] = $this->create_hash($data["new_password"]); } $this->rars_db->edit_data('user', $row, array('id' => $this->user['id'])); if (isset($row["password"])) { $this->response('User account updated, logging you out...', 'json', 202); } else { $this->response('User account updated', 'json'); } }
/** * REST POST - Log in user, this requires a table called 'user' nad 'banned' in your db with various fields as per header * @param $data The login data via rest request containing 'username' and 'password', note username contains the email_address * @return array Basic user details of varified account against the username and password, also sets correct return Autherization header for token generated */ public function post($data) { // check if email set if (!isset($data["username"]) || !isset($data['password'])) { $this->response('Login failed: username or password missmatch', 'json', 401); } $ip_address = preg_replace("/[^0-9.]/", '', substr($_SERVER["REMOTE_ADDR"], 0, 50)); $user_agent = preg_replace("/[^0-9a-zA-Z.:;-_]/", '', substr($_SERVER["HTTP_USER_AGENT"], 0, 250)); // check ban list if active before doing anything else if (RARS_ACCESS_BAN_ATTEMPS > 0) { // find banned rows $banned = $this->rars_db->get_first('banned', '*', array('ip_address' => $ip_address, 'user_agent' => $user_agent)); if (!empty($banned)) { $this->response('Login failed: ip banned', 'json', 401); } } /* carry on with login */ // find user $user = $this->rars_db->get_first('user', '*', array('email_address' => $data['username'])); // check user found if (empty($user)) { $this->response('Login failed: username or password missmatch', 'json', 401); } // check if user is locked out here if (!empty($user['lock_until']) && strtotime($user['lock_until']) > time()) { $this->response('Login failed: user locked out please try later', 'json', 401); } // check active user if (!$user['active']) { $this->response('Login failed: user not active', 'json', 401); } // now check if password ok (we need password first to get salt from it before we can check it), if not then send response if (RarsAPI::create_hash($data['password'], substr($user['password'], 0, strlen($user['password']) / 2), 'sha1') !== $user['password']) { // data to update $update_data = array('failed_attempts' => $user['failed_attempts']++); if ($user['failed_attempts'] > 0 && $user['failed_attempts'] % RARS_ACCESS_ATTEMPTS == 0) { $update_data['lock_until'] = date('Y-m-d H:i:s', time() + RARS_ACCESS_LOCKOUT); } // update $this->rars_db->edit_data('user', $update_data, array('id' => $user['id'])); // add to banned list if banned active and too many attempts if (RARS_ACCESS_BAN_ATTEMPS > 0 && $user['failed_attempts'] + 1 >= RARS_ACCESS_BAN_ATTEMPS) { // add ip and agent to banned $this->rars_db->add_data('banned', array('ip_address' => $ip_address, 'user_agent' => $user_agent, 'created' => date('Y-m-d H:i:s', time()))); } $this->response('Login failed: username or password missmatch', 'json', 401); } /* we are now authenticated, respond and send token back */ // need to create a token and last logged stamp and save it in the db $last_logged = date('Y-m-d H:i:s', time()); $pass_hash = $user['password']; $token = sha1($last_logged . $user_agent . $ip_address . $pass_hash) . '_' . $user['id']; // update data $update_data = array('id' => $user['id'], 'last_logged_in' => $last_logged, 'last_accessed' => $last_logged, 'ip_address' => $ip_address); $user = $this->rars_db->edit_data('user', $update_data, array('id' => $user['id']), '*'); // collect user data $user_data = array('id' => $user[0]['id'], 'name' => $user[0]['name'], 'email_address' => $user[0]['email_address'], 'last_logged_in' => $user[0]['last_logged_in'], 'access_level' => $user[0]['access_level']); // setup response with authorization token $_SERVER['HTTP_AUTHORIZATION'] = $token; $this->response($user_data, 'json'); }