2021-06-08 06:32:24 +00:00
|
|
|
<?php
|
2024-08-24 13:27:00 +00:00
|
|
|
|
|
|
|
// Copyright (C) 2010-2024, the Friendica project
|
|
|
|
// SPDX-FileCopyrightText: 2010-2024 the Friendica project
|
|
|
|
//
|
|
|
|
// SPDX-License-Identifier: AGPL-3.0-or-later
|
2021-06-08 06:32:24 +00:00
|
|
|
|
|
|
|
namespace Friendica\Security;
|
|
|
|
|
2021-06-08 17:32:41 +00:00
|
|
|
use Exception;
|
|
|
|
use Friendica\Core\Hook;
|
|
|
|
use Friendica\Core\Logger;
|
2021-06-08 06:32:24 +00:00
|
|
|
use Friendica\Database\DBA;
|
|
|
|
use Friendica\DI;
|
2021-06-08 17:32:41 +00:00
|
|
|
use Friendica\Model\User;
|
|
|
|
use Friendica\Network\HTTPException\UnauthorizedException;
|
|
|
|
use Friendica\Util\DateTimeFormat;
|
2021-06-08 06:32:24 +00:00
|
|
|
|
|
|
|
/**
|
2023-03-26 21:56:14 +00:00
|
|
|
* Authentication via the basic auth method
|
2021-06-08 06:32:24 +00:00
|
|
|
*/
|
|
|
|
class BasicAuth
|
|
|
|
{
|
|
|
|
/**
|
|
|
|
* @var bool|int
|
|
|
|
*/
|
|
|
|
protected static $current_user_id = 0;
|
|
|
|
/**
|
|
|
|
* @var array
|
|
|
|
*/
|
|
|
|
protected static $current_token = [];
|
|
|
|
|
2021-06-08 08:56:01 +00:00
|
|
|
/**
|
|
|
|
* Get current user id, returns 0 if $login is set to false and not logged in.
|
|
|
|
* When $login is true, the execution will stop when not logged in.
|
|
|
|
*
|
|
|
|
* @param bool $login Perform a login request if "true"
|
|
|
|
*
|
|
|
|
* @return int User ID
|
|
|
|
*/
|
2021-06-08 09:11:56 +00:00
|
|
|
public static function getCurrentUserID(bool $login)
|
2021-06-08 08:56:01 +00:00
|
|
|
{
|
|
|
|
if (empty(self::$current_user_id)) {
|
2021-06-08 17:32:41 +00:00
|
|
|
self::$current_user_id = self::getUserIdByAuth($login);
|
2021-06-08 08:56:01 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return (int)self::$current_user_id;
|
|
|
|
}
|
|
|
|
|
2021-11-17 22:50:43 +00:00
|
|
|
public static function setCurrentUserID(int $uid = null)
|
2021-11-17 22:12:21 +00:00
|
|
|
{
|
|
|
|
self::$current_user_id = $uid;
|
|
|
|
}
|
|
|
|
|
2021-06-08 06:32:24 +00:00
|
|
|
/**
|
|
|
|
* Fetch a dummy application token
|
|
|
|
*
|
|
|
|
* @return array token
|
|
|
|
*/
|
|
|
|
public static function getCurrentApplicationToken()
|
|
|
|
{
|
2021-06-08 09:11:56 +00:00
|
|
|
if (empty(self::getCurrentUserID(true))) {
|
2021-06-08 06:32:24 +00:00
|
|
|
return [];
|
|
|
|
}
|
|
|
|
|
2021-11-24 07:29:29 +00:00
|
|
|
//if (!empty(self::$current_token)) {
|
|
|
|
// return self::$current_token;
|
|
|
|
//}
|
2021-06-08 06:32:24 +00:00
|
|
|
|
2021-06-08 17:48:41 +00:00
|
|
|
$source = $_REQUEST['source'] ?? '';
|
|
|
|
|
|
|
|
// Support for known clients that doesn't send a source name
|
|
|
|
if (empty($source) && !empty($_SERVER['HTTP_USER_AGENT'])) {
|
|
|
|
if(strpos($_SERVER['HTTP_USER_AGENT'], "Twidere") !== false) {
|
|
|
|
$source = 'Twidere';
|
|
|
|
}
|
|
|
|
|
|
|
|
Logger::info('Unrecognized user-agent', ['http_user_agent' => $_SERVER['HTTP_USER_AGENT']]);
|
|
|
|
} else {
|
|
|
|
Logger::info('Empty user-agent');
|
|
|
|
}
|
|
|
|
|
|
|
|
if (empty($source)) {
|
|
|
|
$source = 'api';
|
|
|
|
}
|
|
|
|
|
2021-06-08 06:32:24 +00:00
|
|
|
self::$current_token = [
|
|
|
|
'uid' => self::$current_user_id,
|
|
|
|
'id' => 0,
|
2021-06-08 17:48:41 +00:00
|
|
|
'name' => $source,
|
2021-06-08 06:32:24 +00:00
|
|
|
'website' => '',
|
|
|
|
'created_at' => DBA::NULL_DATETIME,
|
|
|
|
'read' => true,
|
2021-06-08 07:37:28 +00:00
|
|
|
'write' => true,
|
|
|
|
'follow' => true,
|
2021-06-08 06:32:24 +00:00
|
|
|
'push' => false];
|
|
|
|
|
|
|
|
return self::$current_token;
|
|
|
|
}
|
2021-06-08 17:32:41 +00:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Fetch the user id via the auth header information
|
|
|
|
*
|
|
|
|
* @param boolean $do_login Perform a login request if not logged in
|
|
|
|
*
|
|
|
|
* @return integer User ID
|
|
|
|
*/
|
|
|
|
private static function getUserIdByAuth(bool $do_login = true):int
|
|
|
|
{
|
|
|
|
$a = DI::app();
|
|
|
|
self::$current_user_id = 0;
|
|
|
|
|
|
|
|
// workaround for HTTP-auth in CGI mode
|
|
|
|
if (!empty($_SERVER['REDIRECT_REMOTE_USER'])) {
|
|
|
|
$userpass = base64_decode(substr($_SERVER["REDIRECT_REMOTE_USER"], 6));
|
2021-06-16 19:39:51 +00:00
|
|
|
if (!empty($userpass) && strpos($userpass, ':')) {
|
2021-06-08 17:32:41 +00:00
|
|
|
list($name, $password) = explode(':', $userpass);
|
|
|
|
$_SERVER['PHP_AUTH_USER'] = $name;
|
|
|
|
$_SERVER['PHP_AUTH_PW'] = $password;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-06-08 17:48:41 +00:00
|
|
|
$user = $_SERVER['PHP_AUTH_USER'] ?? '';
|
2021-06-08 17:32:41 +00:00
|
|
|
$password = $_SERVER['PHP_AUTH_PW'] ?? '';
|
2021-06-08 17:48:41 +00:00
|
|
|
|
2021-06-08 17:32:41 +00:00
|
|
|
// allow "user@server" login (but ignore 'server' part)
|
|
|
|
$at = strstr($user, "@", true);
|
|
|
|
if ($at) {
|
|
|
|
$user = $at;
|
|
|
|
}
|
2021-06-08 17:48:41 +00:00
|
|
|
|
2021-06-08 17:32:41 +00:00
|
|
|
// next code from mod/auth.php. needs better solution
|
|
|
|
$record = null;
|
2021-06-08 17:48:41 +00:00
|
|
|
|
2021-06-08 17:32:41 +00:00
|
|
|
$addon_auth = [
|
|
|
|
'username' => trim($user),
|
|
|
|
'password' => trim($password),
|
|
|
|
'authenticated' => 0,
|
|
|
|
'user_record' => null,
|
|
|
|
];
|
2021-06-08 17:48:41 +00:00
|
|
|
|
2021-06-08 17:32:41 +00:00
|
|
|
/*
|
|
|
|
* An addon indicates successful login by setting 'authenticated' to non-zero value and returning a user record
|
|
|
|
* Addons should never set 'authenticated' except to indicate success - as hooks may be chained
|
|
|
|
* and later addons should not interfere with an earlier one that succeeded.
|
|
|
|
*/
|
|
|
|
Hook::callAll('authenticate', $addon_auth);
|
2021-06-08 17:48:41 +00:00
|
|
|
|
2021-06-08 17:32:41 +00:00
|
|
|
if ($addon_auth['authenticated'] && !empty($addon_auth['user_record'])) {
|
|
|
|
$record = $addon_auth['user_record'];
|
|
|
|
} else {
|
|
|
|
try {
|
|
|
|
$user_id = User::getIdFromPasswordAuthentication(trim($user), trim($password), true);
|
|
|
|
$record = DBA::selectFirst('user', [], ['uid' => $user_id]);
|
|
|
|
} catch (Exception $ex) {
|
|
|
|
$record = [];
|
2021-06-08 17:48:41 +00:00
|
|
|
}
|
2021-06-08 17:32:41 +00:00
|
|
|
}
|
2021-06-08 17:48:41 +00:00
|
|
|
|
2021-06-08 17:32:41 +00:00
|
|
|
if (empty($record)) {
|
|
|
|
if (!$do_login) {
|
|
|
|
return 0;
|
|
|
|
}
|
2021-06-08 17:48:41 +00:00
|
|
|
Logger::debug('Access denied', ['parameters' => $_SERVER]);
|
2021-11-18 08:03:50 +00:00
|
|
|
// Checking for commandline for the tests, we have to avoid to send a header
|
2023-04-30 11:53:32 +00:00
|
|
|
if (DI::config()->get('system', 'basicauth') && (php_sapi_name() !== 'cli')) {
|
2021-11-18 08:03:50 +00:00
|
|
|
header('WWW-Authenticate: Basic realm="Friendica"');
|
|
|
|
}
|
2021-06-08 17:32:41 +00:00
|
|
|
throw new UnauthorizedException("This API requires login");
|
|
|
|
}
|
2021-06-08 17:48:41 +00:00
|
|
|
|
2024-03-05 14:06:26 +00:00
|
|
|
DI::auth()->setForUser($a, $record, false, false, false);
|
2021-06-08 17:48:41 +00:00
|
|
|
|
2021-08-08 10:14:56 +00:00
|
|
|
Hook::callAll('logged_in', $record);
|
2021-06-08 17:48:41 +00:00
|
|
|
|
2022-10-20 19:22:47 +00:00
|
|
|
self::$current_user_id = DI::userSession()->getLocalUserId();
|
2021-11-18 07:14:23 +00:00
|
|
|
|
2021-06-08 17:32:41 +00:00
|
|
|
return self::$current_user_id;
|
2021-06-08 17:48:41 +00:00
|
|
|
}
|
2021-06-08 06:32:24 +00:00
|
|
|
}
|