public function init($extra) { $this->startTime = microtime(true); if (!Z_CONFIG::$API_ENABLED) { $this->e503(Z_CONFIG::$MAINTENANCE_MESSAGE); } set_exception_handler(array($this, 'handleException')); // TODO: Throw error on some notices but allow DB/Memcached/etc. failures? //set_error_handler(array($this, 'handleError'), E_ALL | E_USER_ERROR | E_RECOVERABLE_ERROR); set_error_handler(array($this, 'handleError'), E_USER_ERROR | E_RECOVERABLE_ERROR); require_once '../model/Error.inc.php'; // On testing sites, include notifications in headers if (Z_CONFIG::$TESTING_SITE) { Zotero_NotifierObserver::addMessageReceiver(function ($topic, $msg) { $header = "Zotero-Debug-Notifications"; if (!empty($this->headers[$header])) { $notifications = json_decode(base64_decode($this->headers[$header])); } else { $notifications = []; } $notifications[] = $msg; $this->headers[$header] = base64_encode(json_encode($notifications)); }); } register_shutdown_function(array($this, 'checkDBTransactionState')); register_shutdown_function(array($this, 'logTotalRequestTime')); register_shutdown_function(array($this, 'checkForFatalError')); register_shutdown_function(array($this, 'addHeaders')); $this->method = $_SERVER['REQUEST_METHOD']; if (!in_array($this->method, array('HEAD', 'OPTIONS', 'GET', 'PUT', 'POST', 'DELETE', 'PATCH'))) { $this->e501(); } StatsD::increment("api.request.method." . strtolower($this->method), 0.25); // There doesn't seem to be a way for PHP to start processing the request // before the entire body is sent, so an Expect: 100 Continue will, // depending on the client, either fail or cause a delay while the client // waits for the 100 response. To make this explicit, we return an error. if (!empty($_SERVER['HTTP_EXPECT'])) { header("HTTP/1.1 417 Expectation Failed"); die("Expect header is not supported"); } // CORS if (isset($_SERVER['HTTP_ORIGIN'])) { header("Access-Control-Allow-Origin: *"); header("Access-Control-Allow-Methods: HEAD, GET, POST, PUT, PATCH, DELETE"); header("Access-Control-Allow-Headers: Content-Type, If-Match, If-None-Match, If-Modified-Since-Version, If-Unmodified-Since-Version, Zotero-API-Version, Zotero-Write-Token"); header("Access-Control-Expose-Headers: Backoff, ETag, Last-Modified-Version, Link, Retry-After, Total-Results, Zotero-API-Version"); } if ($this->method == 'OPTIONS') { $this->end(); } if (in_array($this->method, array('POST', 'PUT', 'PATCH'))) { $this->ifUnmodifiedSince = isset($_SERVER['HTTP_IF_UNMODIFIED_SINCE']) ? strtotime($_SERVER['HTTP_IF_UNMODIFIED_SINCE']) : false; $this->body = file_get_contents("php://input"); if ($this->body == "" && !in_array($this->action, array('clear', 'laststoragesync', 'removestoragefiles', 'itemContent'))) { $this->e400("{$this->method} data not provided"); } } if ($this->profile) { Zotero_DB::profileStart(); } // If HTTP Basic Auth credentials provided, authenticate if (isset($_SERVER['PHP_AUTH_USER'])) { $username = $_SERVER['PHP_AUTH_USER']; $password = $_SERVER['PHP_AUTH_PW']; if ($username == Z_CONFIG::$API_SUPER_USERNAME && $password == Z_CONFIG::$API_SUPER_PASSWORD) { $this->userID = 0; $this->permissions = new Zotero_Permissions(); $this->permissions->setSuper(); } else { if (!empty($extra['allowHTTP']) || !empty($extra['auth'])) { $userID = Zotero_Users::authenticate('password', array('username' => $username, 'password' => $password)); if (!$userID) { $this->e401('Invalid login'); } $this->httpAuth = true; $this->userID = $userID; $this->grantUserPermissions($userID); } } } if (!isset($this->userID)) { $key = false; // Allow Zotero-API-Key header if (!empty($_SERVER['HTTP_ZOTERO_API_KEY'])) { $key = $_SERVER['HTTP_ZOTERO_API_KEY']; } // Allow ?key=<apikey> if (isset($_GET['key'])) { if (!$key) { $key = $_GET['key']; } else { if ($_GET['key'] !== $key) { $this->e400("Zotero-API-Key header and 'key' parameter differ"); } } } // If neither of the above passed, allow "Authorization: Bearer <apikey>" // // Apache/mod_php doesn't seem to make Authorization available for auth schemes // other than Basic/Digest, so use an Apache-specific method to get the header if (!$key && function_exists('apache_request_headers')) { $headers = apache_request_headers(); if (isset($headers['Authorization'])) { // Look for "Authorization: Bearer" from OAuth 2.0, and ignore everything else if (preg_match('/^bearer/i', $headers['Authorization'], $matches)) { if (preg_match('/^bearer +([a-z0-9]+)$/i', $headers['Authorization'], $matches)) { $key = $matches[1]; } else { $this->e400("Invalid Authorization header format"); } } } } if ($key) { $keyObj = Zotero_Keys::authenticate($key); if (!$keyObj) { $this->e403('Invalid key'); } $this->apiKey = $key; $this->userID = $keyObj->userID; $this->permissions = $keyObj->getPermissions(); // Check Zotero-Write-Token if it exists to make sure // this isn't a duplicate request if ($this->isWriteMethod()) { if ($cacheKey = $this->getWriteTokenCacheKey()) { if (Z_Core::$MC->get($cacheKey)) { $this->e412("Write token already used"); } } } } else { if (!empty($_GET['session']) && ($this->userID = Zotero_Users::getUserIDFromSessionID($_GET['session']))) { // Users who haven't synced may not exist in our DB if (!Zotero_Users::exists($this->userID)) { Zotero_Users::add($this->userID); } $this->grantUserPermissions($this->userID); $this->cookieAuth = true; } else { if (!empty($_GET['auth']) || !empty($extra['auth'])) { $this->e401(); } // Explicit auth request or not a GET request // // /users/<id>/keys is an exception, since the key is embedded in the URL if ($this->method != "GET" && $this->action != 'keys') { $this->e403('An API key is required for write requests.'); } // Anonymous request $this->permissions = new Zotero_Permissions(); $this->permissions->setAnonymous(); } } } $this->uri = Z_CONFIG::$API_BASE_URI . substr($_SERVER["REQUEST_URI"], 1); // Get object user if (isset($this->objectUserID)) { if (!$this->objectUserID) { $this->e400("Invalid user ID", Z_ERROR_INVALID_INPUT); } try { $this->objectLibraryID = Zotero_Users::getLibraryIDFromUserID($this->objectUserID); } catch (Exception $e) { if ($e->getCode() == Z_ERROR_USER_NOT_FOUND) { try { Zotero_Users::addFromWWW($this->objectUserID); } catch (Exception $e) { if ($e->getCode() == Z_ERROR_USER_NOT_FOUND) { $this->e404("User {$this->objectUserID} not found"); } throw $e; } $this->objectLibraryID = Zotero_Users::getLibraryIDFromUserID($this->objectUserID); } else { throw $e; } } // Make sure user isn't banned if (!Zotero_Users::isValidUser($this->objectUserID)) { $this->e404(); } } else { if (isset($this->objectGroupID)) { if (!$this->objectGroupID) { $this->e400("Invalid group ID", Z_ERROR_INVALID_INPUT); } // Make sure group exists $group = Zotero_Groups::get($this->objectGroupID); if (!$group) { $this->e404(); } // Don't show groups owned by banned users if (!Zotero_Users::isValidUser($group->ownerUserID)) { $this->e404(); } $this->objectLibraryID = Zotero_Groups::getLibraryIDFromGroupID($this->objectGroupID); } } $apiVersion = !empty($_SERVER['HTTP_ZOTERO_API_VERSION']) ? (int) $_SERVER['HTTP_ZOTERO_API_VERSION'] : false; // Serve v1 to ZotPad 1.x, at Mikko's request if (!$apiVersion && !empty($_SERVER['HTTP_USER_AGENT']) && strpos($_SERVER['HTTP_USER_AGENT'], 'ZotPad 1') === 0) { $apiVersion = 1; } // For publications URLs (e.g., /users/:userID/publications/items), swap in // objectLibraryID of user's publications library if (!empty($extra['publications'])) { // Query parameters not yet parsed, so check version parameter if ($apiVersion && $apiVersion < 3 || !empty($_REQUEST['v']) && $_REQUEST['v'] < 3 || !empty($_REQUEST['version']) && $_REQUEST['version'] == 1) { $this->e404(); } $userLibraryID = $this->objectLibraryID; $this->objectLibraryID = Zotero_Users::getLibraryIDFromUserID($this->objectUserID, 'publications'); // If one doesn't exist, for write requests create a library if the key // has write permission to the user library. For read requests, just // return a 404. if (!$this->objectLibraryID) { if ($this->isWriteMethod()) { if (!$this->permissions->canAccess($userLibraryID) || !$this->permissions->canWrite($userLibraryID)) { $this->e403(); } $this->objectLibraryID = Zotero_Publications::add($this->objectUserID); } else { $this->objectLibraryID = 0; } } } // Return 409 if target library is locked switch ($this->method) { case 'POST': case 'PUT': case 'DELETE': switch ($this->action) { // Library lock doesn't matter for some admin requests case 'keys': case 'storageadmin': break; default: if ($this->objectLibraryID && Zotero_Libraries::isLocked($this->objectLibraryID)) { $this->e409("Target library is locked"); } break; } } $this->scopeObject = !empty($extra['scopeObject']) ? $extra['scopeObject'] : $this->scopeObject; $this->subset = !empty($extra['subset']) ? $extra['subset'] : $this->subset; $this->fileMode = !empty($extra['file']) ? !empty($_GET['info']) ? 'info' : 'download' : false; $this->fileView = !empty($extra['view']); $this->singleObject = $this->objectKey && !$this->subset; $this->checkLibraryIfModifiedSinceVersion($this->action); // If Accept header includes application/atom+xml, send Atom, as long as there's no 'format' $atomAccepted = false; if (!empty($_SERVER['HTTP_ACCEPT'])) { $accept = preg_split('/\\s*,\\s*/', $_SERVER['HTTP_ACCEPT']); $atomAccepted = in_array('application/atom+xml', $accept); } $this->queryParams = Zotero_API::parseQueryParams($_SERVER['QUERY_STRING'], $this->action, $this->singleObject, $apiVersion, $atomAccepted); // Sorting by Item Type or Added By currently require writing to shard tables, so don't // send those to the read replicas if ($this->queryParams['sort'] == 'itemType' || $this->queryParams['sort'] == 'addedBy') { Zotero_DB::readOnly(false); } $this->apiVersion = $version = $this->queryParams['v']; header("Zotero-API-Version: " . $version); StatsD::increment("api.request.version.v" . $version, 0.25); }
if ($_SERVER['REQUEST_URI'] == '*') { //error_log("Ignoring OPTIONS request"); exit; } // Get canonical URL without extension and query string preg_match("/[^?]+/", $_SERVER['REQUEST_URI'], $matches); define('Z_ENV_SELF', $matches[0]); // Load in core functions require 'DB.inc.php'; require 'IPAddress.inc.php'; require 'Shards.inc.php'; require 'config/dbconnect.inc.php'; require 'StatsD.inc.php'; // Use DB read replicas for GET requests if (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] == 'GET') { Zotero_DB::readOnly(true); } // Database callbacks Zotero_DB::addCallback("begin", array("Zotero_Notifier", "begin")); Zotero_DB::addCallback("commit", array("Zotero_Notifier", "commit")); Zotero_DB::addCallback("callback", array("Zotero_Notifier", "reset")); Zotero_NotifierObserver::init(); // Memcached require 'Memcached.inc.php'; Z_Core::$MC = new Z_MemcachedClientLocal(Z_CONFIG::$SYNC_DOMAIN, array('disabled' => !Z_CONFIG::$MEMCACHED_ENABLED, 'servers' => Z_CONFIG::$MEMCACHED_SERVERS)); Zotero_DB::addCallback("begin", array(Z_Core::$MC, "begin")); Zotero_DB::addCallback("commit", array(Z_Core::$MC, "commit")); Zotero_DB::addCallback("reset", array(Z_Core::$MC, "reset")); // // Set up AWS service factory //
public function updated() { // Shards can use read-only mode Zotero_DB::readOnly(true); // Master remains writable for session/queue data Zotero_DB::readOnly(false, 0); if (empty($_REQUEST['lastsync'])) { $this->error(400, 'NO_LAST_SYNC_TIME', 'Last sync time not provided'); } $lastsync = false; if (is_numeric($_REQUEST['lastsync'])) { $lastsync = (int) $_REQUEST['lastsync']; } else { $this->error(400, 'INVALID_LAST_SYNC_TIME', 'Last sync time is invalid'); } $this->sessionCheck(); if (isset($_SERVER['HTTP_X_ZOTERO_VERSION'])) { require_once '../model/ToolkitVersionComparator.inc.php'; if (ToolkitVersionComparator::compare($_SERVER['HTTP_X_ZOTERO_VERSION'], "2.0.4") < 0) { $futureUsers = Z_Core::$MC->get('futureUsers'); if (!$futureUsers) { $futureUsers = Zotero_DB::columnQuery("SELECT userID FROM futureUsers"); Z_Core::$MC->set('futureUsers', $futureUsers, 1800); } if (in_array($this->userID, $futureUsers)) { Z_Core::logError("Blocking sync for future user " . $this->userID . " with version " . $_SERVER['HTTP_X_ZOTERO_VERSION']); $upgradeMessage = "Due to improvements made to sync functionality, you must upgrade to Zotero 2.0.6 or later (via Firefox's Tools menu -> Add-ons -> Extensions -> Find Updates or from zotero.org) to continue syncing your Zotero library."; $this->error(400, 'UPGRADE_REQUIRED', $upgradeMessage); } } } $doc = new DOMDocument(); $domResponse = dom_import_simplexml($this->responseXML); $domResponse = $doc->importNode($domResponse, true); $doc->appendChild($domResponse); try { $result = Zotero_Sync::getSessionDownloadResult($this->sessionID); } catch (Exception $e) { $this->handleUpdatedError($e); } // XML response if (is_string($result)) { $this->clearWaitTime($this->sessionID); $this->responseXML = new SimpleXMLElement($result); $this->end(); } // Queued if ($result === false) { $queued = $this->responseXML->addChild('locked'); $queued['wait'] = $this->getWaitTime($this->sessionID); $this->end(); } // Not queued if ($result == -1) { // See if we're locked Zotero_DB::beginTransaction(); if (Zotero_Sync::userIsWriteLocked($this->userID) || !empty($_REQUEST['upload']) && Zotero_Sync::userIsReadLocked($this->userID)) { Zotero_DB::commit(); $locked = $this->responseXML->addChild('locked'); $locked['wait'] = $this->getWaitTime($this->sessionID); $this->end(); } Zotero_DB::commit(); $queue = true; if (Z_ENV_TESTING_SITE && !empty($_GET['noqueue'])) { $queue = false; } // TEMP $cacheKeyExtra = (!empty($_POST['ft']) ? json_encode($_POST['ft']) : "") . (!empty($_POST['ftkeys']) ? json_encode($_POST['ftkeys']) : ""); // If we have a cached response, return that try { $startedTimestamp = microtime(true); $cached = Zotero_Sync::getCachedDownload($this->userID, $lastsync, $this->apiVersion, $cacheKeyExtra); // Not locked, so clear wait index $this->clearWaitTime($this->sessionID); if ($cached) { $this->responseXML = simplexml_load_string($cached, "SimpleXMLElement", LIBXML_COMPACT | LIBXML_PARSEHUGE); // TEMP if (!$this->responseXML) { error_log("Invalid cached XML data -- stripping control characters"); // Strip control characters in XML data $cached = preg_replace('/[\\x00-\\x08\\x0B\\x0C\\x0E-\\x1F\\x7F]/', '', $cached); $this->responseXML = simplexml_load_string($cached, "SimpleXMLElement", LIBXML_COMPACT | LIBXML_PARSEHUGE); } $duration = round((double) microtime(true) - $startedTimestamp, 2); Zotero_Sync::logDownload($this->userID, round($lastsync), strlen($cached), $this->ipAddress ? $this->ipAddress : 0, 0, $duration, $duration, (int) (!$this->responseXML)); StatsD::increment("sync.process.download.cache.hit"); if (!$this->responseXML) { $msg = "Error parsing cached XML for user " . $this->userID; error_log($msg); $this->handleUpdatedError(new Exception($msg)); } $this->end(); } } catch (Exception $e) { $msg = $e->getMessage(); if (strpos($msg, "Too many connections") !== false) { $msg = "'Too many connections' from MySQL"; } else { $msg = "'{$msg}'"; } Z_Core::logError("Warning: {$msg} getting cached download"); StatsD::increment("sync.process.download.cache.error"); } try { $num = Zotero_Items::countUpdated($this->userID, $lastsync, 5); } catch (Exception $e) { // We can get a MySQL lock timeout here if the upload starts // after the write lock check above but before we get here $this->handleUpdatedError($e); } // If nothing updated, or if just a few objects and processing is enabled, process synchronously if ($num == 0 || $num < 5 && Z_CONFIG::$PROCESSORS_ENABLED) { $queue = false; } $params = []; if (isset($_POST['ft'])) { $params['ft'] = $_POST['ft']; } if (isset($_POST['ftkeys'])) { $queue = true; $params['ftkeys'] = $_POST['ftkeys']; } if ($queue) { Zotero_Sync::queueDownload($this->userID, $this->sessionID, $lastsync, $this->apiVersion, $num, $params); try { Zotero_Processors::notifyProcessors('download'); } catch (Exception $e) { Z_Core::logError($e); } $locked = $this->responseXML->addChild('locked'); $locked['wait'] = 1000; } else { try { Zotero_Sync::processDownload($this->userID, $lastsync, $doc, $params); $this->responseXML = simplexml_import_dom($doc); StatsD::increment("sync.process.download.immediate.success"); } catch (Exception $e) { StatsD::increment("sync.process.download.immediate.error"); $this->handleUpdatedError($e); } } $this->end(); } throw new Exception("Unexpected session result {$result}"); }