public function authorise()
{
// If there's a valid session already, allow access
$user_type = \Input::param('user_type') ?: 'Admin\\Model_User';
if (\CMF\Auth::logged_in(null, $user_type)) {
return;
}
$auth = explode(' ', \Input::headers('Authorization', ' '));
$sent_key = \Arr::get($auth, 1);
// Try and find a valid key
$key = \CMF\Model\User\Apikey::select('item')->where('item.access_token = :key')->andWhere('item.expires_at > :now')->setParameter('key', $sent_key)->setParameter('now', new \DateTime())->getQuery()->getResult();
// Check the scope of the key, if one was found
if (count($key)) {
$key = $key[0];
if ($key->scope == 'api') {
return;
}
}
throw new \HttpException('Login Required', \HttpException::UNAUTHORIZED);
}
/**
* Prints a list of all HTTP request headers.
*
* @access public
* @static
*
*/
public static function headers()
{
// get the current request headers and dump them
return static::dump(\Input::headers());
}
/**
* read a cookie
*
* @access private
* @return void
*/
protected function _get_cookie()
{
// was the cookie value posted?
$cookie = \Input::post($this->config['post_cookie_name'], false);
// if not found, fetch the regular cookie
if ($cookie === false) {
$cookie = \Cookie::get($this->config['cookie_name'], false);
}
// if not found, was a session-id present in the HTTP header?
if ($cookie === false) {
$cookie = \Input::headers($this->config['http_header_name'], false);
}
// if not found, check the URL for a cookie
if ($cookie === false) {
$cookie = \Input::get($this->config['cookie_name'], false);
}
if ($cookie !== false) {
// fetch the payload
$this->config['encrypt_cookie'] and $cookie = \Crypt::decode($cookie);
$cookie = $this->_unserialize($cookie);
// validate the cookie format: must be an array
if (is_array($cookie)) {
// cookies use nested arrays, other drivers have a string value
if ($this->config['driver'] === 'cookie' and !is_array($cookie[0]) or $this->config['driver'] !== 'cookie' and !is_string($cookie[0])) {
// invalid specific format
logger('DEBUG', 'Error: Invalid session cookie specific format');
$cookie = false;
}
} elseif (is_string($cookie) and strlen($cookie) == 32) {
$cookie = array($cookie);
} else {
logger('DEBUG', 'Error: Invalid session cookie general format');
$cookie = false;
}
}
// and the result
return $cookie;
}
/**
* Initializes the framework. This can only be called once.
*
* @access public
* @return void
*/
public static function init($config)
{
if (static::$initialized) {
throw new \FuelException("You can't initialize Fuel more than once.");
}
static::$_paths = array(APPPATH, COREPATH);
// Is Fuel running on the command line?
static::$is_cli = (bool) defined('STDIN');
\Config::load($config);
// Disable output compression if the client doesn't support it
if (static::$is_cli or !in_array('gzip', explode(', ', \Input::headers('Accept-Encoding', '')))) {
\Config::set('ob_callback', null);
}
// Start up output buffering
static::$is_cli or ob_start(\Config::get('ob_callback'));
if (\Config::get('caching', false)) {
\Finder::instance()->read_cache('FuelFileFinder');
}
static::$profiling = \Config::get('profiling', false);
static::$profiling and \Profiler::init();
// set a default timezone if one is defined
try {
static::$timezone = \Config::get('default_timezone') ?: date_default_timezone_get();
date_default_timezone_set(static::$timezone);
} catch (\Exception $e) {
date_default_timezone_set('UTC');
throw new \PHPErrorException($e->getMessage());
}
static::$encoding = \Config::get('encoding', static::$encoding);
MBSTRING and mb_internal_encoding(static::$encoding);
static::$locale = \Config::get('locale', static::$locale);
// Set locale, log warning when it fails
if (static::$locale) {
setlocale(LC_ALL, static::$locale) or logger(\Fuel::L_WARNING, 'The configured locale ' . static::$locale . ' is not installed on your system.', __METHOD__);
}
if (!static::$is_cli) {
if (\Config::get('base_url') === null) {
\Config::set('base_url', static::generate_base_url());
}
}
// Run Input Filtering
\Security::clean_input();
\Event::register('fuel-shutdown', 'Fuel::finish');
// Always load classes, config & language set in always_load.php config
static::always_load();
// Load in the routes
\Config::load('routes', true);
\Router::add(\Config::get('routes'));
// BC FIX FOR APPLICATIONS <= 1.6.1, makes Redis_Db available as Redis,
// like it was in versions before 1.7
class_exists('Redis', false) or class_alias('Redis_Db', 'Redis');
static::$initialized = true;
// fire any app created events
\Event::instance()->has_events('app_created') and \Event::instance()->trigger('app_created', '', 'none');
if (static::$profiling) {
\Profiler::mark(__METHOD__ . ' End');
}
}
/**
* Authenticate to the desired account.
*
* @return boolean True if the authentication was successful, false otherwise.
*/
public static function authenticate()
{
$auth = \Input::headers('X-Authorization');
// If we're trying to run a JS call...
if (empty($auth) && \V1\APIRequest::get('consumer_key', null) !== null) {
// We're making a public call through JS, so we'll mark it as a reduced functionality call.
\Session::set('public', true);
// This session variable aids in logging and API functionality later.
\Session::set('consumer_key', \V1\APIRequest::get('consumer_key'));
$account_data = \V1\Model\Account::get_account();
// If the account is invalid, fail.
if (empty($account_data)) {
return false;
}
/*
* If the account holder wishes to allow for JS based calls, we'll allow safe calls to run
* with their API key by turning on public mode.
*/
if ($account_data['js_calls_allowed'] === 0) {
return false;
}
/**
* @TODO JS calls go through the client's IP, so we can't use a whitelist.
* In the future, perhaps a blacklist deadicated to client IPs is in order?
* If the account holder uses a whitelist, then they've just disabled their
* blacklist of the client IPs. It really should be separated, but for now
* it's unimplemented.
*/
// IP ACL
if ($account_data['acl_type'] === 0 && static::ip_acl_check() === false) {
return false;
}
// We're clear for lift off.
return true;
} elseif (!empty($auth)) {
// Give the call full account access if we succeed in validating the request.
\Session::set('public', false);
// Is it an OAuth authorization header?
if (\Str::sub($auth, 0, 5) !== 'OAuth') {
return false;
}
// Parse the OAuth header into an array
parse_str(\Str::sub($auth, 6, strlen($auth)), $tokens);
$required_keys = array('oauth_signature', 'oauth_nonce', 'oauth_timestamp', 'oauth_consumer_key');
// This session variable aids in logging and API functionality later.
if (empty($tokens['oauth_consumer_key'])) {
return false;
}
\Session::set('consumer_key', $tokens['oauth_consumer_key']);
// IP ACL
if (static::ip_acl_check() === false) {
return false;
}
// Do we have all the correct keys?
if (count(array_intersect_key(array_flip($required_keys), $tokens)) !== count($required_keys)) {
return false;
}
// Verify the data integrity of the header's components, including if the timestamp is new enough.
if (!(isset($tokens['oauth_consumer_key'], $tokens['oauth_signature'], $tokens['oauth_nonce']) && static::valid_timestamp($tokens['oauth_timestamp']) === true)) {
return false;
}
// Do we have a valid nonce?
if (static::valid_nonce($tokens) === false) {
return false;
}
// Verify that the signature matches the content.
if (static::valid_signature($tokens) === false) {
return false;
}
// If we haven't failed yet, then it's valid.
return true;
}
return false;
}
