From ad39ccaa2fa0b277d1eee2c0928f6b9f5b0f4a8f Mon Sep 17 00:00:00 2001 From: Christoph Dunkake Date: Tue, 8 Oct 2019 15:32:36 +0200 Subject: [PATCH 1/6] basic setup --- private/functions_api.php | 17 +++++++++++++++++ private/meta.php | 5 +++-- public/api/index.php | 3 +++ public/api/tickets.php | 9 +++++++++ 4 files changed, 32 insertions(+), 2 deletions(-) create mode 100644 private/functions_api.php create mode 100644 public/api/index.php create mode 100644 public/api/tickets.php diff --git a/private/functions_api.php b/private/functions_api.php new file mode 100644 index 0000000..5608199 --- /dev/null +++ b/private/functions_api.php @@ -0,0 +1,17 @@ + REQX_RELEASENO, + "error_type" => "Invalid parameter" + ]); + } + + function responseOk() { + http_response_code(200); + echo json_encode([ + "releaseNo" => REQX_RELEASENO, + "error_type" => "(none)" + ]); + } \ No newline at end of file diff --git a/private/meta.php b/private/meta.php index 18bc235..cbe0f26 100644 --- a/private/meta.php +++ b/private/meta.php @@ -1,5 +1,6 @@ Date: Thu, 10 Oct 2019 16:04:13 +0200 Subject: [PATCH 2/6] json response --- private/functions_api.php | 3 ++- private/initialize.php | 1 + private/meta.php | 2 +- public/api/tickets.php | 14 ++++++++++++-- 4 files changed, 16 insertions(+), 4 deletions(-) diff --git a/private/functions_api.php b/private/functions_api.php index 5608199..0ae9a41 100644 --- a/private/functions_api.php +++ b/private/functions_api.php @@ -14,4 +14,5 @@ function responseOk() { "releaseNo" => REQX_RELEASENO, "error_type" => "(none)" ]); - } \ No newline at end of file + } + diff --git a/private/initialize.php b/private/initialize.php index beba9a0..193325c 100644 --- a/private/initialize.php +++ b/private/initialize.php @@ -27,6 +27,7 @@ require_once('functions_user.php'); require_once('functions_request.php'); require_once('functions_selection.php'); + require_once('functions_api.php'); require_once('mail.class.php'); 
diff --git a/private/meta.php b/private/meta.php index cbe0f26..5eb3e1d 100644 --- a/private/meta.php +++ b/private/meta.php @@ -2,5 +2,5 @@ define("REQX_VERSION", '1.6.0 alpha'); define("REQX_RELEASENO", '97'); - define("REQX_RELEASENO_API", '1'); + define("REQX_RELEASENO_API", '2'); define("REQX_RELEASEDATE", '2019-10-08'); diff --git a/public/api/tickets.php b/public/api/tickets.php index c82c391..2db1187 100644 --- a/public/api/tickets.php +++ b/public/api/tickets.php @@ -1,4 +1,4 @@ - true, + "response" => array( + "name" => 'Georg', + "age" => 34 + ) + ); + + echo json_encode($return); \ No newline at end of file From 805427566f7d5301fce67d8007aba57156598256 Mon Sep 17 00:00:00 2001 From: Christoph Dunkake Date: Sat, 19 Oct 2019 10:26:40 +0200 Subject: [PATCH 3/6] json for all tickets --- private/meta.php | 2 +- public/api/tickets.php | 39 +++++++++++++++++++++++++++++---------- 2 files changed, 30 insertions(+), 11 deletions(-) diff --git a/private/meta.php b/private/meta.php index 5eb3e1d..fd564a2 100644 --- a/private/meta.php +++ b/private/meta.php @@ -2,5 +2,5 @@ define("REQX_VERSION", '1.6.0 alpha'); define("REQX_RELEASENO", '97'); - define("REQX_RELEASENO_API", '2'); + define("REQX_RELEASENO_API", '3'); define("REQX_RELEASEDATE", '2019-10-08'); diff --git a/public/api/tickets.php b/public/api/tickets.php index 2db1187..9b30d3f 100644 --- a/public/api/tickets.php +++ b/public/api/tickets.php 
@@ -1,19 +1,38 @@ $request['kp_request'], + "description" => $request['description'], + "category" => find_selectiontext_by_kp(h($request['category'])), + "priority" => find_selectiontext_by_kp(h($request['priority'])), + "source" => find_userabbr_by_kp(h($request['source'])), + "status" => find_selectiontext_by_kp(h($request['status'])), + "responsible" => find_userabbr_by_kp(h($request['responsible'])) + ) + ); + while($request = mysqli_fetch_assoc($request_set)) { + $tickets[] = array( + "id" => $request['kp_request'], + "description" => $request['description'], + "category" => find_selectiontext_by_kp(h($request['category'])), + "priority" => find_selectiontext_by_kp(h($request['priority'])), + "source" => find_userabbr_by_kp(h($request['source'])), + "status" => find_selectiontext_by_kp(h($request['status'])), + "responsible" => find_userabbr_by_kp(h($request['responsible'])) + ); + } - - - $return = array( + $response = array( "success" => true, - "response" => array( - "name" => 'Georg', - "age" => 34 - ) + "tickets" => $tickets ); - echo json_encode($return); \ No newline at end of file + echo json_encode($response); From c61413269671bb912a292b191b6d2c93735606cc Mon Sep 17 00:00:00 2001 From: Christoph Dunkake Date: Sat, 19 Oct 2019 11:56:37 +0200 Subject: [PATCH 4/6] PHP auth --- public/.htaccess | 3 ++- public/api/tickets.php | 41 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 43 insertions(+), 1 deletion(-) diff --git a/public/.htaccess b/public/.htaccess index 109918b..65df8b2 100644 --- a/public/.htaccess +++ b/public/.htaccess @@ -3,4 +3,5 @@ RewriteEngine On RewriteCond %{REQUEST_FILENAME} !-f RewriteRule ^([^\.]+)$ $1.php [NC,L] -RewriteRule ^([^\.]+)$ $1.html [NC,L] \ No newline at end of file +RewriteRule ^([^\.]+)$ $1.html [NC,L] +RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization},L] \ No newline at end of file diff --git a/public/api/tickets.php b/public/api/tickets.php index 9b30d3f..d9021df 100644 --- a/public/api/tickets.php 
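Review bot: The pre-loop `mysqli_fetch_assoc` that seeds `$tickets` with a hand-built first element produces a phantom ticket with all-null fields whenever the result set is empty, because `$request` is then `false` and the element is still built from it; the `while` loop already handles every row, so replace that block with `$tickets = array();` and let the loop do the work. That also removes a duplicated seven-field mapping that will drift the next time a column is added. The `h()` wrapping applied to `category`, `priority`, `source`, `status` and `responsible` before the lookup helpers looks like output escaping applied to database keys rather than to output — harmless if those are numeric ids, but worth confirming it is deliberate.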
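Review bot: `RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization},L]` copies the raw, unverified Authorization header into `REMOTE_USER`, the variable Apache's auth modules, `%u` in access logs and `$_SERVER['REMOTE_USER']` in PHP conventionally treat as an authenticated identity, so anything that already trusts it now sees attacker-supplied text. Name it for what it is, `RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]`, and have the PHP side read `$_SERVER['HTTP_AUTHORIZATION']` (after the internal redirect the two `[L]` rules above trigger, it may only be present as `REDIRECT_HTTP_AUTHORIZATION`; worth checking on the target Apache). Because those preceding rules end the first pass, the new rule only runs on the second pass for the rewritten `.php` path; placing it before them would make the ordering explicit rather than accidental.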
+++ b/public/api/tickets.php @@ -1,5 +1,46 @@ '; +// echo 'PHP_AUTH_PW =' . $_SERVER['PHP_AUTH_PW'] . '
'; +$token = substr($_SERVER['REMOTE_USER'], 7); + +http_response_code(200); +echo json_encode(array( + "token" => $token +)); + + + +// echo $token; +// echo 'REMOTE_USER =' . $_SERVER['REMOTE_USER']; +exit(); + +$_SESSION['Test'] = 'successful'; + +$user = $_SERVER['PHP_AUTH_USER']; +$user = $_SERVER['REMOTE_USER']; +// $user = 'something'; + +echo json_encode($_SERVER); +echo json_encode($_SESSION); + +exit(); + + + // header('Access-Control-Allow: *'); header('Content-Type: application/json'); // header('Access-Control-Allow-Methods: GET'); From 2d4cc89bac447de1004378a991836a0540e45730 Mon Sep 17 00:00:00 2001 From: Christoph Dunkake Date: Sat, 19 Oct 2019 15:21:21 +0200 Subject: [PATCH 5/6] create and reset api keys --- private/functions_user.php | 14 ++++++++++++++ private/subs_user/details_get_edit.php | 23 ++++++++++++++++++++++- 2 files changed, 36 insertions(+), 1 deletion(-) diff --git a/private/functions_user.php b/private/functions_user.php index 41f37bd..1d052f7 100644 --- a/private/functions_user.php +++ b/private/functions_user.php @@ -107,6 +107,20 @@ function delete_password($key) { return $result; } +function new_apikey($key) { + global $db; + + $sql = "UPDATE users SET "; + $sql .= "apikey='" . get_uid() . "', "; + $sql .= "utl_modification_user_kp='" . $_SESSION['kp_user'] . "' "; + + $sql .= "WHERE kp_user='" . $key . "' "; + $sql .= "LIMIT 1"; + + $result = mysqli_query($db, $sql); + return $result; +} + function update_user($user) { global $db; diff --git a/private/subs_user/details_get_edit.php b/private/subs_user/details_get_edit.php index 3abba40..3ac91ce 100644 --- a/private/subs_user/details_get_edit.php +++ b/private/subs_user/details_get_edit.php @@ -2,6 +2,7 @@ $key = $_GET['key']; $user = find_user_by_kp($key); $pwreset = $_GET['pwreset'] === 'true'; + $apikeyreset = $_GET['apikeyreset'] === 'true'; ?> Abbrechen » 
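Review bot: `new_apikey()` builds its UPDATE by concatenating `$key` and `$_SESSION['kp_user']` into the SQL string, and the only caller in this series (`details_get_edit.php`) passes `$key` straight from `$_GET['key']`, so the WHERE clause is injectable by anyone who can reach that edit page. Use a prepared statement as below; the rewrite keeps the boolean return the caller checks with `=== true`. `get_uid()` is not visible here — an API key must come from a CSPRNG such as `bin2hex(random_bytes(32))`, not from a time- or sequence-based id, and ideally only a hash of it is stored so a database read does not hand out working bearer tokens; please confirm what `get_uid()` produces.
```php
function new_apikey($key) {
    global $db;
    // NOTE(review): get_uid() is not visible here; an API key must be CSPRNG-derived
    // (e.g. bin2hex(random_bytes(32))) — confirm before relying on it as a bearer secret.
    $apikey = get_uid();
    $stmt = mysqli_prepare($db, "UPDATE users SET apikey = ?, utl_modification_user_kp = ? WHERE kp_user = ? LIMIT 1");
    if ($stmt === false) {
        return false;
    }
    // $key originates from $_GET['key'] in the caller: bind it, never interpolate it.
    mysqli_stmt_bind_param($stmt, 'sss', $apikey, $_SESSION['kp_user'], $key);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}
```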
@@ -61,8 +62,28 @@ } } + if($apikeyreset) { + + $result = new_apikey($key); + + if( $result === true ) { + header('Location: details?key=' . $key . '&action=edit'); + exit; + } else { + $errors = $result; + echo 'Error DB: ' . $errors; + } + } ?> + +
+
API-Key
+
+
Neuen Key erzeugen »
+

+ + Wenn Sie das Passwort eines Benutzers zurücksetzen, wird das Passowort des Benutzers in der Datenbank gelöscht und, wie bei neuen Benutzern, wird das Passwort, das der Benutzer beim ersten Login eingibt, verschlüsselt gespeichert und ist für spätere Logins notwendig.

+ echo '

Wenn Sie das Passwort eines Benutzers zurücksetzen, wird das Passwort des Benutzers in der Datenbank gelöscht und, wie bei neuen Benutzern, wird das Passwort, das der Benutzer beim ersten Login eingibt, verschlüsselt gespeichert und ist für spätere Logins notwendig.

Passwort zurücksetzen »'; } else { From 6fc215a202dd28807ced766228d76bed3bb43fac Mon Sep 17 00:00:00 2001 From: Christoph Dunkake Date: Sat, 19 Oct 2019 15:40:31 +0200 Subject: [PATCH 6/6] access token validation --- private/functions_user.php | 10 ++++ public/api/tickets.php | 97 +++++++++++++++----------------------- 2 files changed, 49 insertions(+), 58 deletions(-) diff --git a/private/functions_user.php b/private/functions_user.php index 1d052f7..0a02993 100644 --- a/private/functions_user.php +++ b/private/functions_user.php @@ -59,6 +59,16 @@ function find_user_by_nameuser($name_user) { return $request; } +function find_user_by_apikey($apikey) { + global $db; + $sql = "SELECT * FROM users "; + $sql .= "WHERE apikey = '" . $apikey . "' "; +// $sql .= "AND flg_active = 1"; + $result = mysqli_query($db, $sql); + $request = mysqli_fetch_assoc($result); + return $request; +} + function validate_user($user) { $errors = []; diff --git a/public/api/tickets.php b/public/api/tickets.php index d9021df..5cc72b2 100644 --- a/public/api/tickets.php +++ b/public/api/tickets.php @@ -6,9 +6,6 @@ header('Content-Type: application/json'); header("WWW-Authenticate: Basic realm=\"My Realm\""); -// session_regenerate_id(); - - // $a = base64_decode( substr($_SERVER["REMOTE_USER"],6)) ; // list($name, $password) = explode(':', $a); // $_SERVER['PHP_AUTH_USER'] = $name; @@ -17,63 +14,47 @@ // echo 'PHP_AUTH_PW =' . $_SERVER['PHP_AUTH_PW'] . '
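Review bot: The `if($apikeyreset)` branch rotates — and therefore revokes — a user's API key on a plain GET triggered by `?apikeyreset=true`, with no CSRF token, so any page an administrator visits can embed a link or image that silently invalidates an integration's key. Put the action behind a POST form with a per-session token and verify it before calling `new_apikey($key)`, mirroring whatever protection the password-reset branch has (none is visible in this hunk). The redirect `header('Location: details?key=' . $key . '&action=edit');` embeds `$key` unencoded; `urlencode($key)` keeps a key containing `&` or `#` from changing the target. The hunk also does not show whether an administrator check gates this page — the new action inherits whatever `details_get_edit.php` already has, which is worth confirming.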
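Review bot: `find_user_by_apikey()` interpolates `$apikey` straight into the SQL string, and its only caller in this series passes it from the client-supplied Authorization header (`substr($_SERVER['REMOTE_USER'], 7)` in tickets.php), so this is a SQL injection reachable without any credentials — the `// TODO: sanitize $token` left in tickets.php acknowledges the gap. Bind the value with a prepared statement rather than sanitizing it, as below. The `flg_active = 1` condition is commented out, so keys of deactivated accounts keep working; the rewrite restores it on the assumption that this is the active flag, which should be confirmed. An empty-string guard is included because an absent header in the caller currently yields `''`, which would match any row whose `apikey` column is empty.
```php
function find_user_by_apikey($apikey) {
    global $db;
    // An empty key must never match a row whose apikey column is '' (never-generated keys).
    if ($apikey === '' || $apikey === null) {
        return null;
    }
    // $apikey is client-supplied (Authorization header): bind it, never interpolate it.
    // flg_active restored so a deactivated user's key stops working — confirm this is the intended flag.
    $stmt = mysqli_prepare($db, "SELECT * FROM users WHERE apikey = ? AND flg_active = 1 LIMIT 1");
    if ($stmt === false) {
        return null;
    }
    mysqli_stmt_bind_param($stmt, 's', $apikey);
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt);
    $request = $result ? mysqli_fetch_assoc($result) : null;
    mysqli_stmt_close($stmt);
    return $request;
}
```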
'; $token = substr($_SERVER['REMOTE_USER'], 7); -http_response_code(200); -echo json_encode(array( - "token" => $token -)); - - - -// echo $token; -// echo 'REMOTE_USER =' . $_SERVER['REMOTE_USER']; -exit(); - -$_SESSION['Test'] = 'successful'; +$user = find_user_by_apikey($token); +// TODO: sanitize $token +if(!$user) { + http_response_code(401); + echo json_encode(array( + "message" => "Valid access token missing" + )); + exit(); +} -$user = $_SERVER['PHP_AUTH_USER']; -$user = $_SERVER['REMOTE_USER']; -// $user = 'something'; - -echo json_encode($_SERVER); -echo json_encode($_SESSION); - -exit(); - - - -// header('Access-Control-Allow: *'); - header('Content-Type: application/json'); -// header('Access-Control-Allow-Methods: GET'); +http_response_code(200); - // return all tickets - $request_set = find_all_requests(); - $request = mysqli_fetch_assoc($request_set); - $tickets = array( - array( - "id" => $request['kp_request'], - "description" => $request['description'], - "category" => find_selectiontext_by_kp(h($request['category'])), - "priority" => find_selectiontext_by_kp(h($request['priority'])), - "source" => find_userabbr_by_kp(h($request['source'])), - "status" => find_selectiontext_by_kp(h($request['status'])), - "responsible" => find_userabbr_by_kp(h($request['responsible'])) - ) +// return all tickets +$request_set = find_all_requests(); +$request = mysqli_fetch_assoc($request_set); +$tickets = array( + array( + "id" => $request['kp_request'], + "description" => $request['description'], + "category" => find_selectiontext_by_kp(h($request['category'])), + "priority" => find_selectiontext_by_kp(h($request['priority'])), + "source" => find_userabbr_by_kp(h($request['source'])), + "status" => find_selectiontext_by_kp(h($request['status'])), + "responsible" => find_userabbr_by_kp(h($request['responsible'])) + ) +); +while($request = mysqli_fetch_assoc($request_set)) { + $tickets[] = array( + "id" => $request['kp_request'], + "description" => 
$request['description'], + "category" => find_selectiontext_by_kp(h($request['category'])), + "priority" => find_selectiontext_by_kp(h($request['priority'])), + "source" => find_userabbr_by_kp(h($request['source'])), + "status" => find_selectiontext_by_kp(h($request['status'])), + "responsible" => find_userabbr_by_kp(h($request['responsible'])) ); - while($request = mysqli_fetch_assoc($request_set)) { - $tickets[] = array( - "id" => $request['kp_request'], - "description" => $request['description'], - "category" => find_selectiontext_by_kp(h($request['category'])), - "priority" => find_selectiontext_by_kp(h($request['priority'])), - "source" => find_userabbr_by_kp(h($request['source'])), - "status" => find_selectiontext_by_kp(h($request['status'])), - "responsible" => find_userabbr_by_kp(h($request['responsible'])) - ); - } +} - $response = array( - "success" => true, - "tickets" => $tickets - ); +$response = array( + "success" => true, + "tickets" => $tickets +); - echo json_encode($response); +echo json_encode($response);
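Review bot: `$token = substr($_SERVER['REMOTE_USER'], 7)` assumes a `Bearer ` prefix without checking it, and when the header is absent it yields an empty string that still reaches `find_user_by_apikey()`; if any `users.apikey` column holds `''` (plausible for accounts that never had a key generated, depending on the column default), an empty or malformed Authorization header would authenticate as that user. Validate the scheme and token shape before the lookup and reject anything else with 401, as below; adjust the character class to whatever `get_uid()` produces. The `WWW-Authenticate: Basic` header visible in the previous hunk's context advertises a scheme this code does not implement — `Bearer` would be accurate. The pre-loop `mysqli_fetch_assoc` still seeds `$tickets` with a null-filled entry when there are no rows; `$tickets = array();` with the `while` loop alone is enough.
```php
// Only "Bearer <token>" is accepted; a missing or malformed header never reaches the DB.
$authHeader = isset($_SERVER['REMOTE_USER']) ? $_SERVER['REMOTE_USER'] : '';
if (!preg_match('/^Bearer\s+([A-Za-z0-9._~+\/=-]+)$/', $authHeader, $m)) {
    http_response_code(401);
    echo json_encode(array("message" => "Valid access token missing"));
    exit();
}
$token = $m[1];
$user = find_user_by_apikey($token);
// … unchanged: 401 when no user matches, ticket listing, json_encode($response) …
```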