Merge remote-tracking branch 'upstream/2021.06-rc' into http-options

doc/API-Mastodon.md

@@ -11,7 +11,7 @@ Authentication is the same as described in [Using the APIs](help/api#Authenticat
 
 ## Clients
 
-Supported mobile apps:
+Supported apps:
 
 - [AndStatus](http://andstatus.org)
 - [Husky](https://husky.fwgs.ru)
@@ -20,11 +20,17 @@ Supported mobile apps:
 - [Twidere](https://github.com/TwidereProject/)
 - [twitlatte](https://github.com/moko256/twitlatte)
 - [Yuito](https://github.com/accelforce/Yuito)
+- [Amaroq](https://github.com/ReticentJohn/Amaroq/tree/master)
 
-Unsupported mobile apps:
+Unsupported apps:
 
 - [Fedilab](https://framagit.org/tom79/fedilab) Automatically uses the legacy API, see issue: https://framagit.org/tom79/fedilab/-/issues/520
 - [Mammut](https://github.com/jamiesanson/Mammut) There are problems with the token request, see issue https://github.com/jamiesanson/Mammut/issues/19
+- [Mast](https://github.com/Beesitech/Mast) Doesn't accept the entered instance name. Claims that it is invalid (Message is: "Not a valid instance (may be closed or dead)")
+- [Pinafore](https://github.com/nolanlawson/pinafore) Returns message "Error: NetworkError when attempting to fetch resource.. Is this a valid Mastodon instance?"
+- [Mastonaut](https://mastonaut.app/)
+- [Toot!](https://apps.apple.com/app/toot/id1229021451)
+- [Halycon](https://www.halcyon.social/) Doesn't load content, creates masses of HTTP requests
 
 ## Entities
 

src/Module/BaseApi.php

@@ -61,52 +61,44 @@ class BaseApi extends BaseModule
 
 	public static function delete(array $parameters = [])
 	{
-		if (!api_user()) {
+		self::checkAllowedScope(self::SCOPE_WRITE);
-			throw new HTTPException\UnauthorizedException(DI::l10n()->t('Permission denied.'));
-		}
 
 		$a = DI::app();
 
-		if (!empty($a->user['uid']) && $a->user['uid'] != api_user()) {
+		if (!empty($a->user['uid']) && $a->user['uid'] != self::getCurrentUserID()) {
 			throw new HTTPException\ForbiddenException(DI::l10n()->t('Permission denied.'));
 		}
 	}
 
 	public static function patch(array $parameters = [])
 	{
-		if (!api_user()) {
+		self::checkAllowedScope(self::SCOPE_WRITE);
-			throw new HTTPException\UnauthorizedException(DI::l10n()->t('Permission denied.'));
-		}
 
 		$a = DI::app();
 
-		if (!empty($a->user['uid']) && $a->user['uid'] != api_user()) {
+		if (!empty($a->user['uid']) && $a->user['uid'] != self::getCurrentUserID()) {
 			throw new HTTPException\ForbiddenException(DI::l10n()->t('Permission denied.'));
 		}
 	}
 
 	public static function post(array $parameters = [])
 	{
-		if (!api_user()) {
+		self::checkAllowedScope(self::SCOPE_WRITE);
-			throw new HTTPException\UnauthorizedException(DI::l10n()->t('Permission denied.'));
-		}
 
 		$a = DI::app();
 
-		if (!empty($a->user['uid']) && $a->user['uid'] != api_user()) {
+		if (!empty($a->user['uid']) && $a->user['uid'] != self::getCurrentUserID()) {
 			throw new HTTPException\ForbiddenException(DI::l10n()->t('Permission denied.'));
 		}
 	}
 
 	public static function put(array $parameters = [])
 	{
-		if (!api_user()) {
+		self::checkAllowedScope(self::SCOPE_WRITE);
-			throw new HTTPException\UnauthorizedException(DI::l10n()->t('Permission denied.'));
-		}
 
 		$a = DI::app();
 
-		if (!empty($a->user['uid']) && $a->user['uid'] != api_user()) {
+		if (!empty($a->user['uid']) && $a->user['uid'] != self::getCurrentUserID()) {
 			throw new HTTPException\ForbiddenException(DI::l10n()->t('Permission denied.'));
 		}
 	}
@@ -189,7 +181,7 @@ class BaseApi extends BaseModule
 	 *
 	 * @return int User ID
 	 */
-	public static function getCurrentUserID()
+	protected static function getCurrentUserID()
 	{
 		$uid = OAuth::getCurrentUserID();
 

src/Security/BasicAuth.php

@@ -21,8 +21,15 @@
 
 namespace Friendica\Security;
 
+use Exception;
+use Friendica\Core\Hook;
+use Friendica\Core\Logger;
+use Friendica\Core\Session;
 use Friendica\Database\DBA;
 use Friendica\DI;
+use Friendica\Model\User;
+use Friendica\Network\HTTPException\UnauthorizedException;
+use Friendica\Util\DateTimeFormat;
 
 /**
  * Authentification via the basic auth method
@@ -49,9 +56,7 @@ class BasicAuth
 	public static function getCurrentUserID(bool $login)
 	{
 		if (empty(self::$current_user_id)) {
-			api_login(DI::app(), $login);
+			self::$current_user_id = self::getUserIdByAuth($login);
-
-			self::$current_user_id = api_user();
 		}
 
 		return (int)self::$current_user_id;
@@ -72,10 +77,27 @@ class BasicAuth
 			return self::$current_token;
 		}
 
+		$source = $_REQUEST['source'] ?? '';
+
+		// Support for known clients that doesn't send a source name
+		if (empty($source) && !empty($_SERVER['HTTP_USER_AGENT'])) {
+			if(strpos($_SERVER['HTTP_USER_AGENT'], "Twidere") !== false) {
+				$source = 'Twidere';
+			}
+
+			Logger::info('Unrecognized user-agent', ['http_user_agent' => $_SERVER['HTTP_USER_AGENT']]);
+		} else {
+			Logger::info('Empty user-agent');
+		}
+
+		if (empty($source)) {
+			$source = 'api';
+		}
+
 		self::$current_token = [
 			'uid'        => self::$current_user_id,
 			'id'         => 0,
-			'name'       => api_source(),
+			'name'       => $source,
 			'website'    => '',
 			'created_at' => DBA::NULL_DATETIME,
 			'read'       => true,
@@ -85,4 +107,90 @@ class BasicAuth
 
 		return self::$current_token;
 	}
+
+	/**
+	 * Fetch the user id via the auth header information
+	 *
+	 * @param boolean $do_login Perform a login request if not logged in
+	 *
+	 * @return integer User ID
+	 */
+	private static function getUserIdByAuth(bool $do_login = true):int
+	{
+		$a = DI::app();
+		Session::set('allow_api', false);
+		self::$current_user_id = 0;
+
+		// workaround for HTTP-auth in CGI mode
+		if (!empty($_SERVER['REDIRECT_REMOTE_USER'])) {
+			$userpass = base64_decode(substr($_SERVER["REDIRECT_REMOTE_USER"], 6));
+			if (strlen($userpass)) {
+				list($name, $password) = explode(':', $userpass);
+				$_SERVER['PHP_AUTH_USER'] = $name;
+				$_SERVER['PHP_AUTH_PW'] = $password;
+			}
+		}
+
+		$user     = $_SERVER['PHP_AUTH_USER'] ?? '';
+		$password = $_SERVER['PHP_AUTH_PW'] ?? '';
+
+		// allow "user@server" login (but ignore 'server' part)
+		$at = strstr($user, "@", true);
+		if ($at) {
+			$user = $at;
+		}
+
+		// next code from mod/auth.php. needs better solution
+		$record = null;
+
+		$addon_auth = [
+			'username' => trim($user),
+			'password' => trim($password),
+			'authenticated' => 0,
+			'user_record' => null,
+		];
+
+		/*
+		* An addon indicates successful login by setting 'authenticated' to non-zero value and returning a user record
+		* Addons should never set 'authenticated' except to indicate success - as hooks may be chained
+		* and later addons should not interfere with an earlier one that succeeded.
+		*/
+		Hook::callAll('authenticate', $addon_auth);
+
+		if ($addon_auth['authenticated'] && !empty($addon_auth['user_record'])) {
+			$record = $addon_auth['user_record'];
+		} else {
+			try {
+				$user_id = User::getIdFromPasswordAuthentication(trim($user), trim($password), true);
+				$record = DBA::selectFirst('user', [], ['uid' => $user_id]);
+			} catch (Exception $ex) {
+				$record = [];
+			}
+		}
+
+		if (empty($record)) {
+			if (!$do_login) {
+				return 0;
+			}
+			Logger::debug('Access denied', ['parameters' => $_SERVER]);
+			header('WWW-Authenticate: Basic realm="Friendica"');
+			throw new UnauthorizedException("This API requires login");
+		}
+
+		// Don't refresh the login date more often than twice a day to spare database writes
+		$login_refresh = strcmp(DateTimeFormat::utc('now - 12 hours'), $record['login_date']) > 0;
+
+		DI::auth()->setForUser($a, $record, false, false, $login_refresh);
+
+		Session::set('allow_api', true);
+
+		Hook::callAll('logged_in', $a->user);
+
+		if (Session::get('allow_api')) {
+			self::$current_user_id = local_user();
+		} else {
+			self::$current_user_id = 0;
+		}
+		return self::$current_user_id;
+	}
 }