From: Jon Langseth Date: Sat, 21 Jan 2012 20:23:56 +0000 (+0100) Subject: Changed from GET to POST on all parameter passing. Fixed a nasty bug in previous... X-Git-Url: https://git.defcon.no/?a=commitdiff_plain;h=60bf626a9d34dee29c5644a2a5c8c24829c87f13;hp=49718d337c37e2a3c06d751dc980fe9401277c2a;p=hermes Changed from GET to POST on all parameter passing. Fixed a nasty bug in previous commit against lib/user_functions.php .. --- diff --git a/api/alias.php b/api/alias.php index 5bbdbf2..6a5981e 100644 --- a/api/alias.php +++ b/api/alias.php @@ -34,9 +34,9 @@ token_auth(); $dest_username = ""; $dest_domain = ""; $e164_only = false; - if ( array_key_exists( 'destination', $_GET) ) + if ( array_key_exists( 'destination', $_POST) ) { - $tmp = split_sipaddress($_GET['destination']); + $tmp = split_sipaddress($_POST['destination']); if ( !$tmp ) { print json_encode ( array( 'response' => 'failed', 'cause' => 'invalid', 'detail' => 'Invalid SIP address') ); @@ -44,9 +44,9 @@ token_auth(); } list ( $dest_username, $dest_domain ) = $tmp; - if ( array_key_exists( 'e164', $_GET ) ) + if ( array_key_exists( 'e164', $_POST ) ) { - if ( strtolower($_GET['e164']) == "true" ) $e164_only = true; + if ( strtolower($_POST['e164']) == "true" ) $e164_only = true; $list = get_e164_alias( $dest_username, $dest_domain ); } else if ( $dest_username && $dest_domain ) @@ -54,9 +54,9 @@ token_auth(); $list = get_aliases( $dest_username, $dest_domain ); } } - else if ( array_key_exists( 'alias', $_GET) ) + else if ( array_key_exists( 'alias', $_POST) ) { - $tmp = split_sipaddress($_GET['alias']); + $tmp = split_sipaddress($_POST['alias']); if ( !$tmp ) { print json_encode ( array( 'response' => 'failed', 'cause' => 'invalid', 'detail' => 'Invalid SIP address') ); 
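Review bot: Every `$_POST['destination']`, `$_POST['alias']` and `$_POST['e164']` read in this hunk is handed to `split_sipaddress()` or `strtolower()` as a string, but PHP delivers an array for a body such as `destination[]=x`, and `array_key_exists()` does not tell the two apart (this was equally true of `$_GET`; the swap does not change it). Since the same `array_key_exists(...)` / `$_POST[...]` pair is now repeated by hand in every handler hunk of this commit (alias, auth, domain, numbers, phone, user), one accessor such as `function post_param( $name ) { return ( isset( $_POST[$name] ) && is_string( $_POST[$name] ) ) ? $_POST[$name] : null; }` would centralise the type check and turn the next transport change into a one-line edit. The `case` branch these lines belong to begins outside the hunk.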
@@ -73,19 +73,19 @@ token_auth(); print json_encode ( array( 'response' => 'ok', 'aliases' => $list ) ); break; case "/add": - if ( array_key_exists( 'destination', $_GET) - && ( ( array_key_exists( 'alias_username', $_GET) && array_key_exists( 'alias_domain', $_GET ) ) || array_key_exists('alias', $_GET) ) ) + if ( array_key_exists( 'destination', $_POST) + && ( ( array_key_exists( 'alias_username', $_POST) && array_key_exists( 'alias_domain', $_POST ) ) || array_key_exists('alias', $_POST) ) ) { $alias_username = ""; $alias_domain = ""; - if ( array_key_exists('alias_username', $_GET) ) + if ( array_key_exists('alias_username', $_POST) ) { - $alias_username = $_GET['alias_username']; - $alias_domain = $_GET['alias_domain']; + $alias_username = $_POST['alias_username']; + $alias_domain = $_POST['alias_domain']; } else { - $alias = split_sipaddress($_GET['alias']); + $alias = split_sipaddress($_POST['alias']); if ( !$alias ) { print json_encode ( array( 'response' => 'failed', 'cause' => 'invalid', 'detail' => 'Invalid SIP address') ); @@ -94,7 +94,7 @@ token_auth(); list ( $alias_username, $alias_domain ) = $alias; } - if ( !verify_sipadress($_GET['destination']) ) + if ( !verify_sipadress($_POST['destination']) ) { // TODO: Provide a better response.. print json_encode ( array( 'response' => 'invalid', 'cause' => 'destination' ) ); @@ -114,7 +114,7 @@ token_auth(); break; } - list ( $dest_username, $dest_domain ) = split_sipaddress( $_GET['destination']); + list ( $dest_username, $dest_domain ) = split_sipaddress( $_POST['destination']); if ( (!$dest_username)||(!$dest_domain)) { 
@@ -166,18 +166,18 @@ token_auth(); } break; case "/remove": - if ( ( array_key_exists( 'alias_username', $_GET) && array_key_exists( 'alias_domain', $_GET ) ) || array_key_exists('alias', $_GET) ) + if ( ( array_key_exists( 'alias_username', $_POST) && array_key_exists( 'alias_domain', $_POST ) ) || array_key_exists('alias', $_POST) ) { $alias_username = ""; $alias_domain = ""; - if ( array_key_exists('alias_username', $_GET) ) + if ( array_key_exists('alias_username', $_POST) ) { - $alias_username = $_GET['alias_username']; - $alias_domain = $_GET['alias_domain']; + $alias_username = $_POST['alias_username']; + $alias_domain = $_POST['alias_domain']; } else { - $alias = split_sipaddress($_GET['alias']); + $alias = split_sipaddress($_POST['alias']); if ( !$alias ) { print json_encode ( array( 'response' => 'failed', 'cause' => 'invalid', 'detail' => 'Invalid SIP address') ); diff --git a/api/auth.php b/api/auth.php index 50050e5..ad8650f 100644 --- a/api/auth.php +++ b/api/auth.php @@ -32,13 +32,13 @@ if ( ( $_SERVER['PATH_INFO'] == "/login" ) || ( $_SERVER['PATH_INFO'] == "/logou $type = false; $authid = false; - if ( array_key_exists('username', $_GET) - && array_key_exists('password', $_GET) ) + if ( array_key_exists('username', $_POST) + && array_key_exists('password', $_POST) ) { - if ( 1 == authuser_verify( sql_clean($_GET['username']), sql_clean($_GET['password']))) + if ( 1 == authuser_verify( sql_clean($_POST['username']), sql_clean($_POST['password']))) { $type = "user"; - $authid = $_GET['username']; + $authid = $_POST['username']; } else { 
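Review bot: `$authid = $_POST['username'];` records the raw value, while the credential check two lines earlier ran on `sql_clean($_POST['username'])`; if `sql_clean()` alters its input (escaping or trimming), the identity that was verified and the one stored as `$authid` can differ. Clean once and reuse it: `$username = sql_clean( $_POST['username'] );`, `if ( 1 == authuser_verify( $username, sql_clean( $_POST['password'] ) ) )`, `$authid = $username;`. The api_key branch in the next hunk (`verify_apikey( sql_clean( $_POST['api_key'] ) )` followed by `$authid = $_POST['api_key'];`) has the same split. Moving username, password and api_key out of the query string is the right direction, as it keeps them out of access logs and Referer headers. The surrounding `if ( ... PATH_INFO == "/login" ... )` block begins outside the hunk.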
@@ -46,12 +46,12 @@ if ( ( $_SERVER['PATH_INFO'] == "/login" ) || ( $_SERVER['PATH_INFO'] == "/logou exit; } } - else if ( array_key_exists('api_key', $_GET) ) + else if ( array_key_exists('api_key', $_POST) ) { - if ( verify_apikey( sql_clean( $_GET['api_key'] ) ) == 1 ) + if ( verify_apikey( sql_clean( $_POST['api_key'] ) ) == 1 ) { $type = "key"; - $authid = $_GET['api_key']; + $authid = $_POST['api_key']; } else { @@ -72,8 +72,8 @@ if ( ( $_SERVER['PATH_INFO'] == "/login" ) || ( $_SERVER['PATH_INFO'] == "/logou // De-authenticate/deauthorize the ongoing session. // I.e. destroy session data, remove session cookies. $session_name = ""; - if ( array_key_exists('session', $_GET ) ) - $session_name = $_GET['session']; + if ( array_key_exists('session', $_POST ) ) + $session_name = $_POST['session']; session_name($session_name); session_start(); clear_credentials($session_name); @@ -101,7 +101,7 @@ else // The ping required a valid session... // A successful ping returns a 'response' => 'pong' // along with the new auth_key. - $session_name = $_GET['session']; + $session_name = $_POST['session']; $authid = $_SESSION['authid']; $auth_key = update_authkey( $session_name, $authid ); print json_encode( array( 'response' => 'pong', 'auth_key' => $auth_key )); @@ -112,11 +112,11 @@ else if ( ! can_write() ) simple_authfail(); - if ( array_key_exists('host_ip', $_GET ) - && array_key_exists('access', $_GET )) + if ( array_key_exists('host_ip', $_POST ) + && array_key_exists('access', $_POST )) { - $host = $_GET['host_ip']; - $access = $_GET['access']; + $host = $_POST['host_ip']; + $access = $_POST['access']; if (! preg_match("/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/", $host) || ! authlevel_value( $access ) ) { 
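Review bot: `$session_name = $_POST['session'];` in the ping branch is the one parameter read in auth.php without a preceding `array_key_exists()` guard, so a ping lacking `session` passes a null name to `update_authkey( $session_name, $authid )`. The comment above says the ping requires a valid session, which presumably means `token_auth()` ran earlier in the file and already rejected such a request, but that is outside this hunk; a local guard `if ( ! array_key_exists( 'session', $_POST ) ) simple_authfail();` keeps the branch self-contained. The `else` block this lives in starts outside the hunk.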
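Review bot: `$host = $_POST['host_ip'];` is still validated only by `preg_match("/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/", $host)`, which accepts octets up to 999 and, because `$` also matches before a final newline, `1.2.3.4\n`. `filter_var( $host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) === false` rejects both and states the intent; if the regex is kept, anchor with `\z` or add the `D` modifier instead of `$`. The `if ( ! can_write() )` prologue of this branch and the failure handling after `{` are outside the hunk.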
@@ -141,9 +141,9 @@ else if ( ! can_write() ) simple_authfail(); - if ( array_key_exists('api_key', $_GET ) ) + if ( array_key_exists('api_key', $_POST ) ) { - $key = sql_clean( $_GET['api_key'] ); + $key = sql_clean( $_POST['api_key'] ); // Perform a key-verification, skipping host/remote-address check. if ( ! verify_apikey( $key, true ) ) { @@ -178,11 +178,11 @@ else if ( ! can_write() ) simple_authfail(); - if ( array_key_exists('username', $_GET ) - && array_key_exists('access', $_GET )) + if ( array_key_exists('username', $_POST ) + && array_key_exists('access', $_POST )) { - $user = $_GET['username']; - $access = $_GET['access']; + $user = $_POST['username']; + $access = $_POST['access']; $level = authlevel_value( $access ); if ( ! $level ) @@ -215,9 +215,9 @@ else if ( ! can_write() ) simple_authfail(); - if ( array_key_exists('username', $_GET )) + if ( array_key_exists('username', $_POST )) { - $user = $_GET['username']; + $user = $_POST['username']; $t_level = get_authorization( "user", $user ); diff --git a/api/domain.php b/api/domain.php index 7c8a797..08629b8 100644 --- a/api/domain.php +++ b/api/domain.php @@ -32,9 +32,9 @@ token_auth(); print json_encode ( array( 'response' => 'ok', 'list' => $domains ) ); break; case "/get_servers": - if ( array_key_exists('domain', $_GET)) + if ( array_key_exists('domain', $_POST)) { - $domain = $_GET['domain']; + $domain = $_POST['domain']; if ( !$domain || $domain == "" ) print json_encode ( array( 'response' => 'invalid', 'cause' => 'parameters') ); 
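Review bot: `$user = $_POST['username'];` in both the `@@ -178` and `@@ -215` hunks is passed on (`get_authorization( "user", $user )` in the latter) without the `sql_clean()` that the login, api_key and `@@ -141` paths (`$key = sql_clean( $_POST['api_key'] );`) apply in the same file. If `get_authorization()` escapes or parameterises internally this is harmless, but that cannot be seen from the hunk, and the inconsistency is itself a maintenance trap; `$user = sql_clean( $_POST['username'] );` restores the file's own convention. domain.php's `/get_servers` (`$domain = $_POST['domain'];`) has the same shape. Each of these branches opens with `if ( ! can_write() )` lines that precede the hunk.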
@@ -52,19 +52,19 @@ token_auth(); break; case "/set_servers": - if ( array_key_exists('domain', $_GET) - && array_key_exists('registrar', $_GET) - && array_key_exists('r_port', $_GET) - && array_key_exists('proxy', $_GET) - && array_key_exists('p_port', $_GET) - && array_key_exists('prov_url', $_GET)) + if ( array_key_exists('domain', $_POST) + && array_key_exists('registrar', $_POST) + && array_key_exists('r_port', $_POST) + && array_key_exists('proxy', $_POST) + && array_key_exists('p_port', $_POST) + && array_key_exists('prov_url', $_POST)) { - $domain = $_GET['domain']; - $registrar = $_GET['registrar']; - $r_port = $_GET['r_port']; - $proxy = $_GET['proxy']; - $p_port = $_GET['p_port']; - $prov_url = $_GET['prov_url']; + $domain = $_POST['domain']; + $registrar = $_POST['registrar']; + $r_port = $_POST['r_port']; + $proxy = $_POST['proxy']; + $p_port = $_POST['p_port']; + $prov_url = $_POST['prov_url']; if (!($domain && $registrar && $r_port && $proxy && $p_port && $prov_url )) { diff --git a/api/lib/auth_base.php b/api/lib/auth_base.php index bb3c26f..e2ed932 100644 --- a/api/lib/auth_base.php +++ b/api/lib/auth_base.php @@ -73,17 +73,17 @@ function simple_authfail() function token_auth( ) { - global $_GET; + global $_POST; // TODO: Part of ping/pong requirement. // Run a function to clear all authkeys older than 5 minutes. expire_authkeys(); - if ( array_key_exists('session', $_GET ) - && array_key_exists('auth_key', $_GET ) ) + if ( array_key_exists('session', $_POST ) + && array_key_exists('auth_key', $_POST ) ) { - if ( ! check_session($_GET['session'] ) ) simple_authfail(); - if ( ! check_authkey($_GET['auth_key'] ) ) simple_authfail(); + if ( ! check_session($_POST['session'] ) ) simple_authfail(); + if ( ! check_authkey($_POST['auth_key'] ) ) simple_authfail(); } else simple_authfail(); } diff --git a/api/lib/user_functions.php b/api/lib/user_functions.php index 5aa1cfb..a1a9b0c 100644 --- a/api/lib/user_functions.php +++ b/api/lib/user_functions.php 
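Review bot: `$r_port = $_POST['r_port'];` and `$p_port = $_POST['p_port'];` are only truth-checked by `if (!($domain && $registrar && $r_port && $proxy && $p_port && $prov_url ))`, so `"abc"`, `"0x1f"` or `"70000"` reach whatever stores the server record; numbers.php already gates `limit` with `is_numeric()`, so the codebase has a precedent for typed checks. A port check such as `if ( ! ctype_digit( (string) $r_port ) || $r_port < 1 || $r_port > 65535 )` for both ports, and `filter_var( $prov_url, FILTER_VALIDATE_URL )` for `prov_url`, would fail early with the `'response' => 'invalid', 'cause' => 'parameters'` reply `/get_servers` uses. user.php's `@@ -280` hunk (`$r_port = ( array_key_exists('r_port', $_POST) ) ? $_POST['r_port'] : 5060;` and the matching `$p_port`) has the same gap. The failure handling after `{` is outside the hunk.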
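Review bot: `global $_POST;` in `token_auth()` is a no-op — `$_POST` is a superglobal and is visible in every scope without `global` — so the line (like the `global $_GET;` it replaced) can simply be deleted. Separately, `check_session($_POST['session'] )` and `check_authkey($_POST['auth_key'] )` are verified independently; whether the auth_key is tied to the session it was issued for is decided inside `check_authkey()`, outside this hunk, and is worth confirming, since otherwise a key minted under one session name would authenticate requests that name another. The function also has no header comment; I would add `// Authenticate the request from POST 'session' + 'auth_key'. Every failure goes through simple_authfail(), which is assumed to exit, so code after token_auth() may treat the caller as authenticated.`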
@@ -13,7 +13,7 @@ function generate_password( $length = 24 ) while ( strlen( $string ) < $length ) { $string .= crypt(substr(md5(rand().rand()), 0, $length+1)); - $string = preg_replace( '/\W/', '', $string+1); + $string = preg_replace( '/\W/', '', $string); } return substr( $string, 1, $length ); @@ -240,9 +240,9 @@ function list_users ( $search = null ) global $config; $query = sprintf("SELECT CONCAT(username, '@', domain), displayname FROM %s ORDER BY username,domain", $config['provision_users_table'] ); - if ( array_key_exists ( 'search', $_GET ) ) + if ( array_key_exists ( 'search', $_POST ) ) { - $search = $_GET['search']; // TODO: Add some sanitation and input validation! + $search = $_POST['search']; // TODO: Add some sanitation and input validation! $query = sprintf("SELECT CONCAT(username, '@', domain) FROM %s WHERE CONCAT(username, '@', domain) LIKE '%%%s%%' ORDER BY username,domain", $config['provision_users_table'], sql_clean( $search ) ); } diff --git a/api/numbers.php b/api/numbers.php index 7874394..9f24107 100644 --- a/api/numbers.php +++ b/api/numbers.php @@ -28,12 +28,12 @@ token_auth(); $limit = 0; $random = false; $search = null; - if ( array_key_exists('limit', $_GET ) && is_numeric( $_GET['limit'])) - $limit = $_GET['limit']; + if ( array_key_exists('limit', $_POST ) && is_numeric( $_POST['limit'])) + $limit = $_POST['limit']; - if ( array_key_exists('search', $_GET ) ) - $search = $_GET['search']; - else if ( array_key_exists('random', $_GET ) && (strtolower( $_GET['random'] ) === 'true')) + if ( array_key_exists('search', $_POST ) ) + $search = $_POST['search']; + else if ( array_key_exists('random', $_POST ) && (strtolower( $_POST['random'] ) === 'true')) $random = true; $numbers = null; 
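Review bot: `$string = preg_replace( '/\W/', '', $string);` fixes the `$string+1` slip, but the characters it filters still come from `crypt(substr(md5(rand().rand()), 0, $length+1))` — `rand()` is a seeded PRNG, not a CSPRNG, so the account passwords `/add` hands out are far less random than their length suggests. PHP 5.3's `openssl_random_pseudo_bytes()` is the standard-library fix and removes the `crypt()`/`md5()` detour; the whole body is rewritten below. Note the original returns `substr( $string, 1, $length )`, skipping one character, whereas random bytes need no such offset. The function signature is on the hunk header and the loop's first line precedes the hunk.
```php
function generate_password( $length = 24 )
{
    $string = "";
    while ( strlen( $string ) < $length )
    {
        // CSPRNG source instead of rand()/md5(); keep only [A-Za-z0-9]
        $raw = base64_encode( openssl_random_pseudo_bytes( $length ) );
        $string .= preg_replace( '/[^A-Za-z0-9]/', '', $raw );
    }
    return substr( $string, 0, $length );
}
```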
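Review bot: `$search = $_POST['search']; // TODO: Add some sanitation and input validation!` inside `list_users ( $search = null )` overwrites the function's own parameter, so the library routine reads the HTTP request directly and the value user.php passes in (`list_users( $search )` in its `/list` branch, read from the same POST key) is ignored. Dropping the `array_key_exists ( 'search', $_POST )` line in favour of `if ( $search !== null )` keeps the SQL-building code usable without a request and removes the second read. The TODO remains valid: `sql_clean()` presumably escapes quotes, but `%` and `_` are LIKE metacharacters, so `addcslashes( $search, '%_' )` is needed if a literal search is intended. The function begins on the hunk header line and its return is outside the hunk.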
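Review bot: `$limit = $_POST['limit'];` is guarded by `is_numeric()`, which also admits `"1e3"`, `"-1"`, `" 7"` and `"3.5"`; if `$limit` ends up inside a SQL `LIMIT` clause or a loop bound (its consumer is outside the hunk), an explicit cast `$limit = (int) $_POST['limit'];` plus a `$limit < 0` rejection pins the type. `$search = $_POST['search'];` is passed on uncleaned, which matches phone.php and user.php but relies entirely on the callee. The `case` branch this belongs to begins outside the hunk.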
@@ -55,10 +55,10 @@ token_auth(); print json_encode( array( 'response' => 'failed', 'cause' => 'empty', 'detail' => 'Empty result.' )); break; case "/add_range": - if ( array_key_exists('start', $_GET) && array_key_exists('end', $_GET) ) + if ( array_key_exists('start', $_POST) && array_key_exists('end', $_POST) ) { - $start = $_GET['start']; - $end = sql_clean( $_GET['end'] ); + $start = $_POST['start']; + $end = sql_clean( $_POST['end'] ); $result = add_range( $start, $end ); if ( $result === 'ok' ) { @@ -73,9 +73,9 @@ token_auth(); case "/add": // TODO: This should return better responses! // Currently, it will fail with "invalid" - if ( array_key_exists('number', $_GET)) + if ( array_key_exists('number', $_POST)) { - $number = $_GET['number']; + $number = $_POST['number']; if (! verify_e164( $number ) ) { @@ -102,9 +102,9 @@ token_auth(); print json_encode ( array( 'response' => 'invalid') ); break; case "/remove": - if ( array_key_exists('number', $_GET)) + if ( array_key_exists('number', $_POST)) { - $number = $_GET['number']; + $number = $_POST['number']; if (! verify_e164( $number ) ) { @@ -127,9 +127,9 @@ token_auth(); print json_encode ( array( 'response' => 'invalid') ); break; case "/inpool": - if ( array_key_exists('number', $_GET)) + if ( array_key_exists('number', $_POST)) { - $number = $_GET['number']; + $number = $_POST['number']; if ( number_inpool( $number ) ) print json_encode ( array( 'response' => 'ok', 'number' => $number ) ); else diff --git a/api/phone.php b/api/phone.php index a47c494..12ae057 100644 --- a/api/phone.php +++ b/api/phone.php @@ -27,9 +27,9 @@ token_auth(); // Required GET parameters: // user: authentication username, SIP-username without domain component // domain: Domain/realm of the user. username + '@' + domain == SIP address. - if ( array_key_exists( 'mac', $_GET) ) + if ( array_key_exists( 'mac', $_POST) ) { - $mac = $_GET['mac']; + $mac = $_POST['mac']; $relations = get_phone_users ( $mac ); if ( $relations ) { 
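Review bot: `$start = $_POST['start'];` and `$end = sql_clean( $_POST['end'] );` treat the two ends of the range differently, yet both go to `add_range( $start, $end )`; either `sql_clean()` is needed for both or for neither. The `/add` hunk below gates its input with `if (! verify_e164( $number ) )` before using it, and — assuming range ends are E.164 numbers like `/add`'s `number` — that is the better check here too: `if ( ! verify_e164( $start ) || ! verify_e164( $end ) )` with the `'response' => 'invalid'` reply the other number branches use, which makes the escaping question moot. The `case "/add_range":` label is in the hunk; its failure handling is not.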
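Review bot: The context comment `// Required GET parameters:` directly above `if ( array_key_exists( 'mac', $_POST) )` in phone.php is now wrong and should read `// Required POST parameters:`; the same heading likely exists above the untouched parameter lists of the other handlers (user.php's `@@ -29` hunk shows the `// user:` / `// domain:` lines but not their heading). doc/api-nodes.txt's remaining TODO line `Permissions! (user/permissions?user=...)` also still uses query-string notation. The `case` label for this branch is above the hunk.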
@@ -37,18 +37,18 @@ token_auth(); } else print json_encode( array ( 'response' => 'failed', 'cause' => 'nonexistant', 'detail' => 'No results.')); } - else if ( ( array_key_exists( 'username', $_GET) && array_key_exists( 'domain', $_GET ) ) || array_key_exists('user', $_GET) ) + else if ( ( array_key_exists( 'username', $_POST) && array_key_exists( 'domain', $_POST ) ) || array_key_exists('user', $_POST) ) { $username = ""; $domain = ""; - if ( array_key_exists('username', $_GET) ) + if ( array_key_exists('username', $_POST) ) { - $username = $_GET['username']; - $domain = $_GET['domain']; + $username = $_POST['username']; + $domain = $_POST['domain']; } else { - $user = split_sipaddress($_GET['user']); + $user = split_sipaddress($_POST['user']); if ( !$user ) { print json_encode ( array( 'response' => 'failed', 'cause' => 'invalid', 'detail' => 'Invalid SIP address') ); @@ -71,8 +71,8 @@ token_auth(); case "/list": // List all (distinct) phone MAC-adresses registered... $search = null; - if ( array_key_exists('search', $_GET ) ) - $search = $_GET['search']; + if ( array_key_exists('search', $_POST ) ) + $search = $_POST['search']; $phones = list_phones( $search ); print json_encode( array( 'response' => 'ok', 'list' => $phones )); 
@@ -89,20 +89,20 @@ token_auth(); domain A valid domain .. to form a registered user@domain combo :) */ - if ( array_key_exists('mac', $_GET ) && - ( array_key_exists('user', $_GET) || - ( array_key_exists('username', $_GET) && array_key_exists('domain', $_GET )))) + if ( array_key_exists('mac', $_POST ) && + ( array_key_exists('user', $_POST) || + ( array_key_exists('username', $_POST) && array_key_exists('domain', $_POST )))) { $username = ""; $domain = ""; - if ( array_key_exists('username', $_GET) ) + if ( array_key_exists('username', $_POST) ) { - $username = $_GET['username']; - $domain = $_GET['domain']; + $username = $_POST['username']; + $domain = $_POST['domain']; } else { - $user = split_sipaddress($_GET['user']); + $user = split_sipaddress($_POST['user']); if ( !$user ) { print json_encode ( array( 'response' => 'failed', 'cause' => 'invalid', 'detail' => 'Invalid SIP address') ); @@ -110,7 +110,7 @@ token_auth(); } list ( $username, $domain ) = $user; } - $mac = clean_mac($_GET['mac']); + $mac = clean_mac($_POST['mac']); if ( !$mac ) { print json_encode ( array( 'response' => 'failed', 'cause' => 'invalid', 'detail' => 'No valid MAC address given.') ); 
@@ -159,20 +159,20 @@ token_auth(); domain A valid domain .. to form a registered user@domain combo :) */ - if ( array_key_exists('mac', $_GET ) && - ( array_key_exists('user', $_GET) || - ( array_key_exists('username', $_GET) && array_key_exists('domain', $_GET )))) + if ( array_key_exists('mac', $_POST ) && + ( array_key_exists('user', $_POST) || + ( array_key_exists('username', $_POST) && array_key_exists('domain', $_POST )))) { $username = ""; $domain = ""; - if ( array_key_exists('username', $_GET) ) + if ( array_key_exists('username', $_POST) ) { - $username = $_GET['username']; - $domain = $_GET['domain']; + $username = $_POST['username']; + $domain = $_POST['domain']; } else { - $user = split_sipaddress($_GET['user']); + $user = split_sipaddress($_POST['user']); if ( !$user ) { print json_encode ( array( 'response' => 'failed', 'cause' => 'invalid', 'detail' => 'Invalid SIP address') ); @@ -180,7 +180,7 @@ token_auth(); } list ( $username, $domain ) = $user; } - $mac = clean_mac($_GET['mac']); + $mac = clean_mac($_POST['mac']); if ( !$mac ) { print json_encode ( array( 'response' => 'failed', 'cause' => 'invalid', 'detail' => 'No valid MAC address given.') ); diff --git a/api/t/auth.t b/api/t/auth.t index d01c52b..4ff72df 100644 --- a/api/t/auth.t +++ b/api/t/auth.t @@ -92,7 +92,7 @@ logout(); ok( !$session, 'logged out, session cleared'); login_apikey(); -$data = exec_apinode("auth/remove_user", { "&username" => $test_username }); +$data = exec_apinode("auth/remove_user", { "username" => $test_username }); is( $data->{'response'}, 'ok', 'auth/remove_user as user ok'); is( $data->{'user'}, $test_username, 'auth/remove_user removed ' . $test_username); undef $data; diff --git a/api/t/run_tests.sh b/api/t/run_tests.sh new file mode 100755 index 0000000..d11b8d8 --- /dev/null +++ b/api/t/run_tests.sh @@ -0,0 +1,7 @@ +#!/bin/bash -xe + +perl auth.t +perl user.t +perl domain.t +perl alias.t +perl numbers.t 
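Review bot: `perl auth.t` and its four siblings in run_tests.sh are resolved against the caller's working directory, so the script only works when started from `api/t` (tests_common.pm is presumably loaded relative to it as well); `cd "$(dirname "$0")"` as the first command makes it location-independent. With `-e` the first failing suite stops the run, which is fine for CI but hides later failures; if that is not intended, drop `-e` and collect exit codes, or run the files through `prove`. `-x` echoes each command line, which is harmless here because no credentials appear on them.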
diff --git a/api/t/tests_common.pm b/api/t/tests_common.pm index 9c2ec83..59a43e8 100644 --- a/api/t/tests_common.pm +++ b/api/t/tests_common.pm @@ -40,15 +40,12 @@ sub exec_apinode($$) $session = "" if not defined $session; $auth_key = "" if not defined $auth_key; - my $url = $api_base . $node . - "?session=" . $session . - "&auth_key=" . $auth_key; + my $url = $api_base . $node; - foreach my $key ( keys %$param ) - { - $url .= "&" . $key . "=" . $param->{$key}; - } - $response = $g_ua->get( $url ); + $param->{'session'} = $session; + $param->{'auth_key'} = $auth_key; + + $response = $g_ua->post( $url, $param ); if ( $response->is_success ) { if ( $response->content =~ m/\s*{/ ) @@ -66,8 +63,9 @@ sub exec_apinode($$) sub login_apikey { - my $response = $g_ua->get( $api_base . "auth/login" . - "?api_key=" . $api_key ); + my $response = $g_ua->post( $api_base . "auth/login", + [ "api_key" => $api_key ] ); + ok ($response->is_success, 'login_apikey request is_success'); my $data = decode_json( $response->content) if $response->is_success; die("HTTP error") unless $response->is_success; @@ -89,9 +87,10 @@ sub login_apikey sub login_user { - my $response = $g_ua->get( $api_base . "auth/login" . - "?username=" . $test_username . - "&password=" . $test_password ); + my $response = $g_ua->post( $api_base . "auth/login", + [ "username" => $test_username, + "password" => $test_password ] ); + ok ($response->is_success, 'login_user request is_success'); my $data = decode_json( $response->content) if $response->is_success; @@ -114,8 +113,8 @@ sub login_user sub logout { - my $response = $g_ua->get( $api_base . "auth/logout" . - "?session=" . $session ); + my $response = $g_ua->post( $api_base . "auth/logout", + [ "session" => $session ] ); ok ($response->is_success, 'logout request is_success'); die("HTTP error") unless $response->is_success; diff --git a/api/user.php b/api/user.php index a601d77..c5926bc 100644 --- a/api/user.php +++ b/api/user.php 
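Review bot: `$param->{'session'} = $session;` and `$param->{'auth_key'} = $auth_key;` write into the caller's hashref, so after `exec_apinode()` returns the test's own hash carries the session token and auth key, and a hash reused across calls silently re-sends stale values. Build the form locally instead: `my %form = ( %$param, session => $session, auth_key => $auth_key );` then `$response = $g_ua->post( $url, \%form );`. Moving the tokens into the POST body and off the URL is the right call, as it keeps them out of server logs. The `($$)` prototype on `sub exec_apinode($$)` (header line) forces scalar context on both arguments rather than validating them; plain `my ($node, $param) = @_;` is the idiom. The sub's response handling continues past the hunk.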
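Review bot: `my $data = decode_json( $response->content) if $response->is_success;` sits right after the new `ok (...)` line in `login_apikey`, and a `my` declaration under a statement modifier has undefined behaviour in Perl (perlsyn); since the following line is `die("HTTP error") unless $response->is_success;`, the conditional is redundant — swap the two: `die("HTTP error") unless $response->is_success;` then `my $data = decode_json( $response->content );`. The `login_user` hunk below has the identical declaration. The rest of each sub is outside the hunk.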
@@ -29,19 +29,19 @@ token_auth(); // user: authentication username, SIP-username without domain component // domain: Domain/realm of the user. username + '@' + domain == SIP address. - if ( array_key_exists('user', $_GET) || - ( array_key_exists('username', $_GET) && array_key_exists('domain', $_GET ))) + if ( array_key_exists('user', $_POST) || + ( array_key_exists('username', $_POST) && array_key_exists('domain', $_POST ))) { $username = ""; $domain = ""; - if ( array_key_exists('username', $_GET) ) + if ( array_key_exists('username', $_POST) ) { - $username = $_GET['username']; - $domain = $_GET['domain']; + $username = $_POST['username']; + $domain = $_POST['domain']; } else { - $user = split_sipaddress($_GET['user']); + $user = split_sipaddress($_POST['user']); if ( !$user ) { print json_encode ( array( 'response' => 'failed', 'cause' => 'invalid', 'detail' => 'Invalid SIP address') ); @@ -87,8 +87,8 @@ token_auth(); * SQL SELECT CONCAT() WHERE CONCAT() must be used *shrug* */ $search = null; - if ( array_key_exists ( 'search', $_GET ) ) - $search = $_GET['search']; // TODO: Add some sanitation and input validation! + if ( array_key_exists ( 'search', $_POST ) ) + $search = $_POST['search']; // TODO: Add some sanitation and input validation! $list = list_users( $search ); print json_encode( array( 'response' => 'ok', 'list' => $list )); break; 
@@ -124,20 +124,20 @@ token_auth(); */ // Test required parameters: if ( - ( ( array_key_exists( 'username', $_GET) && array_key_exists( 'domain', $_GET ) ) || array_key_exists('user', $_GET) ) - && array_key_exists( 'displayname', $_GET ) - && array_key_exists( 'email', $_GET ) ) + ( ( array_key_exists( 'username', $_POST) && array_key_exists( 'domain', $_POST ) ) || array_key_exists('user', $_POST) ) + && array_key_exists( 'displayname', $_POST ) + && array_key_exists( 'email', $_POST ) ) { $username = ""; $domain = ""; - if ( array_key_exists('username', $_GET) ) + if ( array_key_exists('username', $_POST) ) { - $username = $_GET['username']; - $domain = $_GET['domain']; + $username = $_POST['username']; + $domain = $_POST['domain']; } else { - $user = split_sipaddress($_GET['user']); + $user = split_sipaddress($_POST['user']); if ( !$user ) { print json_encode ( array( 'response' => 'failed', 'cause' => 'invalid', 'detail' => 'Invalid SIP address') ); @@ -147,8 +147,8 @@ token_auth(); } $password = generate_password(); - $displayname = $_GET['displayname']; - $email = $_GET['email']; + $displayname = $_POST['displayname']; + $email = $_POST['email']; if ( !is_kamailio_domain( $domain ) ) { 
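Review bot: `$email = $_POST['email'];` and `$displayname = $_POST['displayname'];` are stored as received; no format check on the address is visible in this hunk, and the user-creation call that consumes them is outside it, so validation may happen there — if not, `if ( filter_var( $email, FILTER_VALIDATE_EMAIL ) === false )` with the `'response' => 'invalid', 'cause' => 'parameters'` reply used elsewhere in the file belongs here, before the `is_kamailio_domain( $domain )` check. The `@@ -500` hunk's `$email = $_POST['email'];` in the change-email branch has the same gap. The `if (` that opens this branch is on the hunk's first lines; its closing and the success path are not.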
@@ -257,21 +257,21 @@ token_auth(); // Test required parameters: if ( - ( ( array_key_exists( 'username', $_GET) && array_key_exists( 'domain', $_GET ) ) || array_key_exists('user', $_GET) ) - && array_key_exists( 'displayname', $_GET ) - && array_key_exists( 'password', $_GET ) - && array_key_exists( 'registrar', $_GET ) ) + ( ( array_key_exists( 'username', $_POST) && array_key_exists( 'domain', $_POST ) ) || array_key_exists('user', $_POST) ) + && array_key_exists( 'displayname', $_POST ) + && array_key_exists( 'password', $_POST ) + && array_key_exists( 'registrar', $_POST ) ) { $username = ""; $domain = ""; - if ( array_key_exists('username', $_GET) ) + if ( array_key_exists('username', $_POST) ) { - $username = $_GET['username']; - $domain = $_GET['domain']; + $username = $_POST['username']; + $domain = $_POST['domain']; } else { - $user = split_sipaddress($_GET['user']); + $user = split_sipaddress($_POST['user']); if ( !$user ) { print json_encode ( array( 'response' => 'failed', 'cause' => 'invalid', 'detail' => 'Invalid SIP address') ); 
@@ -280,16 +280,16 @@ token_auth(); list ( $username, $domain ) = $user; } - $password = $_GET['password']; - $displayname = $_GET['displayname']; - $registrar = $_GET['registrar']; - $r_port = ( array_key_exists('r_port', $_GET) ) ? $_GET['r_port'] : 5060; + $password = $_POST['password']; + $displayname = $_POST['displayname']; + $registrar = $_POST['registrar']; + $r_port = ( array_key_exists('r_port', $_POST) ) ? $_POST['r_port'] : 5060; - $proxy = ( array_key_exists('proxy', $_GET) ) ? $_GET['proxy'] : $registrar; - $p_port = ( array_key_exists('p_port', $_GET) ) ? $_GET['p_port'] : $r_port; - $authid = ( array_key_exists('authid', $_GET) ) ? $_GET['authid'] : $username; - $dialplan = ( array_key_exists('dialplan', $_GET) ) ? $_GET['dialplan'] : $config['standard_dialplan']; - $linetext = ( array_key_exists('linetext', $_GET) ) ? $_GET['linetext'] : $username . '@' . $domain; + $proxy = ( array_key_exists('proxy', $_POST) ) ? $_POST['proxy'] : $registrar; + $p_port = ( array_key_exists('p_port', $_POST) ) ? $_POST['p_port'] : $r_port; + $authid = ( array_key_exists('authid', $_POST) ) ? $_POST['authid'] : $username; + $dialplan = ( array_key_exists('dialplan', $_POST) ) ? $_POST['dialplan'] : $config['standard_dialplan']; + $linetext = ( array_key_exists('linetext', $_POST) ) ? $_POST['linetext'] : $username . '@' . $domain; if ( is_kamailio_domain( $domain ) ) { 
@@ -354,20 +354,20 @@ token_auth(); * If no such user exists, return 'response' => 'failed' with 'cause' => 'nonexistant' * On other failures, return 'response' => 'failed' with 'cause' => 'error' (may set 'detail' => 'message') */ - if ( ( array_key_exists( 'username', $_GET) && array_key_exists( 'domain', $_GET ) ) - || array_key_exists('user', $_GET) ) + if ( ( array_key_exists( 'username', $_POST) && array_key_exists( 'domain', $_POST ) ) + || array_key_exists('user', $_POST) ) { $username = ""; $domain = ""; - if ( array_key_exists('username', $_GET) ) + if ( array_key_exists('username', $_POST) ) { - $username = $_GET['username']; - $domain = $_GET['domain']; + $username = $_POST['username']; + $domain = $_POST['domain']; } else { - $user = split_sipaddress($_GET['user']); + $user = split_sipaddress($_POST['user']); if ( !$user ) { print json_encode ( array( 'response' => 'failed', 'cause' => 'invalid', 'detail' => 'Invalid SIP address') ); @@ -413,21 +413,21 @@ token_auth(); * Update user passwords in 'provision' and 'kamailio' as appropriate * On other failures, return 'response' => 'failed' with 'cause' => 'error' (may set 'detail' => 'message') */ - if ( array_key_exists('password', $_GET) && - ( ( array_key_exists( 'username', $_GET) && array_key_exists( 'domain', $_GET ) ) - || array_key_exists('user', $_GET) )) + if ( array_key_exists('password', $_POST) && + ( ( array_key_exists( 'username', $_POST) && array_key_exists( 'domain', $_POST ) ) + || array_key_exists('user', $_POST) )) { $username = ""; $domain = ""; - if ( array_key_exists('username', $_GET) ) + if ( array_key_exists('username', $_POST) ) { - $username = $_GET['username']; - $domain = $_GET['domain']; + $username = $_POST['username']; + $domain = $_POST['domain']; } else { - $user = split_sipaddress($_GET['user']); + $user = split_sipaddress($_POST['user']); if ( !$user ) { print json_encode ( array( 'response' => 'failed', 'cause' => 'invalid', 'detail' => 'Invalid SIP address') ); 
@@ -435,7 +435,7 @@ token_auth(); } list ( $username, $domain ) = $user; } - $password = $_GET['password']; + $password = $_POST['password']; // Check compatibility of password? TODO... // Fetch old password for rollback? TODO... @@ -478,21 +478,21 @@ token_auth(); ( username & domain ) | user email */ - if ( array_key_exists('email', $_GET) && - ( ( array_key_exists( 'username', $_GET) && array_key_exists( 'domain', $_GET ) ) - || array_key_exists('user', $_GET) )) + if ( array_key_exists('email', $_POST) && + ( ( array_key_exists( 'username', $_POST) && array_key_exists( 'domain', $_POST ) ) + || array_key_exists('user', $_POST) )) { $username = ""; $domain = ""; - if ( array_key_exists('username', $_GET) ) + if ( array_key_exists('username', $_POST) ) { - $username = $_GET['username']; - $domain = $_GET['domain']; + $username = $_POST['username']; + $domain = $_POST['domain']; } else { - $user = split_sipaddress($_GET['user']); + $user = split_sipaddress($_POST['user']); if ( !$user ) { print json_encode ( array( 'response' => 'failed', 'cause' => 'invalid', 'detail' => 'Invalid SIP address') ); @@ -500,7 +500,7 @@ token_auth(); } list ( $username, $domain ) = $user; } - $email = $_GET['email']; + $email = $_POST['email']; // Check for user in kamailio if ( is_kamailio_subscriber( $username, $domain ) ) 
@@ -538,20 +538,20 @@ token_auth(); * Get update parameters, and change as appropriate ;) * On other failures, return 'response' => 'failed' with 'cause' => 'error' (may set 'detail' => 'message') */ - if ( ( array_key_exists( 'username', $_GET) && array_key_exists( 'domain', $_GET ) ) - || array_key_exists('user', $_GET) ) + if ( ( array_key_exists( 'username', $_POST) && array_key_exists( 'domain', $_POST ) ) + || array_key_exists('user', $_POST) ) { $username = ""; $domain = ""; - if ( array_key_exists('username', $_GET) ) + if ( array_key_exists('username', $_POST) ) { - $username = $_GET['username']; - $domain = $_GET['domain']; + $username = $_POST['username']; + $domain = $_POST['domain']; } else { - $user = split_sipaddress($_GET['user']); + $user = split_sipaddress($_POST['user']); if ( !$user ) { print json_encode ( array( 'response' => 'failed', 'cause' => 'invalid', 'detail' => 'Invalid SIP address') ); @@ -571,9 +571,9 @@ token_auth(); $params = array('displayname', 'dialplan', 'linetext', 'registrar', 'r_port', 'proxy', 'p_port'); foreach ( $params as $p ) { - if ( array_key_exists($p, $_GET ) ) + if ( array_key_exists($p, $_POST ) ) { - $data = $_GET[$p]; + $data = $_POST[$p]; $t = update_provision_data($p, $username, $domain, $data); if ( $t != true ) { 
@@ -617,20 +617,20 @@ token_auth(); print json_encode( array( 'response' => 'invalid', 'cause' => 'parameters' ) ); break; case "/available": - if ( ( array_key_exists( 'username', $_GET) && array_key_exists( 'domain', $_GET ) ) - || array_key_exists('user', $_GET) ) + if ( ( array_key_exists( 'username', $_POST) && array_key_exists( 'domain', $_POST ) ) + || array_key_exists('user', $_POST) ) { $username = ""; $domain = ""; - if ( array_key_exists('username', $_GET) ) + if ( array_key_exists('username', $_POST) ) { - $username = $_GET['username']; - $domain = $_GET['domain']; + $username = $_POST['username']; + $domain = $_POST['domain']; } else { - $user = split_sipaddress($_GET['user']); + $user = split_sipaddress($_POST['user']); if ( !$user ) { print json_encode ( array( 'response' => 'failed', 'cause' => 'invalid', 'detail' => 'Invalid SIP address') ); diff --git a/doc/api-nodes.txt b/doc/api-nodes.txt index fd8d3b9..03b82b6 100644 --- a/doc/api-nodes.txt +++ b/doc/api-nodes.txt @@ -1,6 +1,6 @@ General description on API protocol: ========================================================================= -All API nodes currently use GET requests for all parameters. +All API nodes currently use POST requests for all parameters. All API nodes return JSON data unless explicitly noted , and all JSON results will contain a 'response' element. The 'response' may be set to: @@ -706,10 +706,6 @@ Some TODO's listed above ... Permissions! (user/permissions?user=...) -Change all GET to POST - -Implement test-tool for POST-based communication ;) - Improve robustness of change_pw: fetch old password for rollback/testing. Check for locations where sql_dbexec_rows is more appropriate/correct than sql_dbexec