'failed', 'cause' => 'error', 'detail' => 'Database connection failed.')); exit; } //************************************************************************************* if ( ( $_SERVER['PATH_INFO'] == "/login" ) || ( $_SERVER['PATH_INFO'] == "/logout" ) ) { switch ( $_SERVER['PATH_INFO'] ) { case "/login": // Allow login using username and password, or API key. // On successful login, a named session should be started, // some data related to the session should be stored, // and the name of the session provided to the user // in the result. $type = false; $authid = false; if ( array_key_exists('username', $_GET) && array_key_exists('password', $_GET) ) { if ( 1 == authuser_verify( sql_clean($_GET['username']), sql_clean($_GET['password']))) { $type = "user"; $authid = $_GET['username']; } else { print json_encode( array( 'response' => 'failed', 'cause' => 'unauthorized', 'description' => 'Login failed') ); exit; } } else if ( array_key_exists('api_key', $_GET) ) { if ( verify_apikey( sql_clean( $_GET['api_key'] ) ) == 1 ) { $type = "key"; $authid = $_GET['api_key']; } else { print json_encode( array( 'response' => 'failed', 'cause' => 'unauthorized', 'description' => 'Login failed') ); exit; } } else { print json_encode ( array( 'response' => 'invalid') ); break; } $session_name = set_credentials( $authid, $type ); $auth_key = update_authkey( $session_name, $authid ); print json_encode( array( 'response' => 'ok', 'session' => $session_name, 'auth_key' => $auth_key )); break; case "/logout": // De-authenticate/deauthorize the ongoing session. // I.e. destroy session data, remove session cookies. $session_name = ""; if ( array_key_exists('session', $_GET ) ) $session_name = $_GET['session']; session_name($session_name); session_start(); clear_credentials($session_name); if ( $_SESSION ) print json_encode ( array( 'response' => 'wtffailed?') ); else print json_encode ( array( 'response' => 'ok') ); break; default: print json_encode ( array( 'response' => 'invalid') ); } } else { token_auth(); switch ( $_SERVER['PATH_INFO'] ) { case "/ping": // API clients are required to periodically ping the server // The time between pings (interval) is 5 minutes? // A ping call refreshes cookie lifetimes, then // generates and stores a new auth_key // The ping required a valid session... // A successful ping returns a 'response' => 'pong' // along with the new auth_key. $session_name = $_GET['session']; $authid = $_SESSION['authid']; $auth_key = update_authkey( $session_name, $authid ); print json_encode( array( 'response' => 'pong', 'auth_key' => $auth_key )); break; case "/new_apikey": // If the current authorization has write access, create // a new API key with requested access (ro/rw). if ( ! can_write() ) simple_authfail(); if ( array_key_exists('host_ip', $_GET ) && array_key_exists('access', $_GET )) { $host = $_GET['host_ip']; $access = $_GET['access']; if (! preg_match("/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/", $host) || ! authlevel_value( $access ) ) { print json_encode ( array( 'response' => 'invalid', 'cause' => 'parameters' ) ); break; } $level = authlevel_value( $access ); $key = add_apikey( $host, $level ); if ( ! $key ) { print json_encode( array( 'response' => 'failed', 'cause' => 'error', 'detail' => 'Database error.')); break; } print json_encode( array( 'response' => 'ok', 'key' => $key, 'host' => $host, 'access' => authlevel_name( get_authorization( "key", $key ) ) ) ); break; } else print json_encode ( array( 'response' => 'invalid') ); break; case "/remove_apikey": // If the current authorization has write access, // remove the given API key. if ( ! can_write() ) simple_authfail(); if ( array_key_exists('api_key', $_GET ) ) { $key = sql_clean( $_GET['api_key'] ); // Perform a key-verification, skipping host/remote-address check. if ( ! verify_apikey( $key, true ) ) { print json_encode( array ( 'response' => 'failed', 'cause' => 'nonexistant')); break; } if ( ! remove_apikey( $key ) ) { print json_encode( array( 'response' => 'failed', 'cause' => 'error', 'detail' => 'Database error.')); break; } print json_encode( array( 'response' => 'ok', 'key' => $key ) ); break; } else print json_encode ( array( 'response' => 'invalid') ); break; case "/list_apikeys": // List valid API keys. // Fail is current authorization does not have write access. if ( ! can_write() ) simple_authfail(); $list = list_apikeys(); print json_encode( array( 'response' => 'ok', 'list' => $list ) ); break; case "/authorize_user": // Add or update a valid back-end user in authorization // if the current authentication has write access. // Since the user exists in backend, the only // needed parameters should be username and access level // If the authorization does not exist, add it. // If the user is already authorized, replace access level. if ( ! can_write() ) simple_authfail(); if ( array_key_exists('username', $_GET ) && array_key_exists('access', $_GET )) { $user = $_GET['username']; $access = $_GET['access']; $level = authlevel_value( $access ); if ( ! $level ) { print json_encode ( array( 'response' => 'invalid', 'cause' => 'parameters' ) ); break; } if ( ! authuser_getinfo( $user ) ) { print json_encode( array ( 'response' => 'failed', 'cause' => 'nonexistant')); break; } if ( ! update_authorization( "user", $user, $level ) ) { print json_encode( array( 'response' => 'failed', 'cause' => 'error', 'detail' => 'Database error.')); break; } print json_encode( array( 'response' => 'ok', 'user' => $user, 'access' => authlevel_name( get_authorization( "user", $user ) ) ) ); break; } else print json_encode ( array( 'response' => 'invalid') ); break; case "/remove_user": // If the current authentication has write access: // Remove authorization for the given users. // Delete user from backend if backend is read-write. if ( ! can_write() ) simple_authfail(); if ( array_key_exists('username', $_GET )) { $user = $_GET['username']; $t_level = get_authorization( "user", $user ); if ( $t_level && ! remove_authorization( $user ) ) { print json_encode( array( 'response' => 'failed', 'cause' => 'error', 'detail' => 'Database error.')); break; } if ( ! authmethod_readonly() ) { if ( !authuser_getinfo( $user ) ) { print json_encode( array ( 'response' => 'failed', 'cause' => 'nonexistant')); break; } if ( !authuser_delete( $user ) ) { print json_encode( array( 'response' => 'failed', 'cause' => 'error', 'detail' => 'Database error.')); break; } } print json_encode( array( 'response' => 'ok', 'user' => $user, 'access' => authlevel_name( get_authorization( "user", $user ) ) ) ); break; } else print json_encode ( array( 'response' => 'invalid') ); break; case "/list_users": // List valid API user-acounts. // Fail with notauthorized if current authentication // does not have write access. // Should not return users from backend, // but should only return users with authorization. if ( ! can_write() ) simple_authfail(); $list = list_users(); print json_encode( array( 'response' => 'ok', 'list' => $list ) ); break; case "/add_user": // Add user to backend if backend is read-write and // the current authentication has write access. // The created user should be added to authorizations // with an access level of "limited_read (1)" case "/update_user": // Update the given user in the backend, if the backend // is read-write, and the current authentication has // write access. print json_encode ( array( 'response' => 'notimplemented') ); break; default: print json_encode ( array( 'response' => 'invalid') ); } } //************************************************************************************* mysql_close( $config['sql_link'] ); ?>