Starting to get parts of an auth-framework operational...
index 38b1560a7fbf409c9f45c5b00cf2df99c7e06bc2..1cad4029d9eb3d34e65110d2dc0e6523ef179ffc 100644 (file)
@@ -21,10 +21,86 @@ if ( !$config['sql_link'] )
 //*************************************************************************************        
        switch ( $_SERVER['PATH_INFO'] )
        {
+               case "/login":
+                       // Allow login using username and password, or API key.
+                       // On successful login, a named session should be started,
+                       // some data related to the session should be stored,
+                       // and the name of the session provided to the user
+                       // in the result.
+                       $type = false;
+                       $authid = false;
+
+                       if ( array_key_exists('username', $_GET) 
+                               && array_key_exists('password', $_GET) )
+                       {
+                               if ( 1 == authuser_verify( sql_clean($_GET['username']), sql_clean($_GET['password'])))
+                               {
+                                       $type = "user";
+                                       $authid = $_GET['username'];
+                               }
+                               else
+                               {
+                                       print json_encode( array( 'response' => 'failed', 'cause' => 'unauthorized', 'description' => 'Login failed') );
+                                       exit;
+                               }
+                       }
+                       else if ( array_key_exists('api_key', $_GET) )
+                       {
+                               if ( apikey_verify( sql_clean( $_GET['api_key'] ) ) == 1 )
+                               {
+                                       $type = "key";
+                                       $authid = $_GET['api_key'];
+                               }
+                               else
+                               {
+                                       print json_encode( array( 'response' => 'failed', 'cause' => 'unauthorized', 'description' => 'Login failed') );
+                                       exit;
+                               }
+                       }
+                       else
+                       {
+                               print json_encode ( array( 'response' => 'invalid') );
+                               break;  
+                       }
+                       $session_name = set_credentials( $authid, $type );
+                       $auth_key = update_authkey( $session_name, $authid );
+                       print json_encode( array( 'response' => 'ok', 'session' => $session_name, 'auth_key' => $auth_key ));
+                       break;
+               case "/ping":
+                       // API clients are required to periodically ping the server
+                       // The time between pings (interval) is 5 minutes?
+                       // A ping call should refresh cookie lifetimes and
+                       // generate and store a new auth_key
+                       // The ping required a valid session...
+                       // A successful ping returns a 'response' => 'pong'
+                       // along with the new auth_key.
+                       token_auth();
+                       $session_name = $_GET['session'];
+                       $authid = $_SESSION['authid'];
+                       $auth_key = update_authkey( $session_name, $authid );
+                       print json_encode( array( 'response' => 'pong', 'auth_key' => $auth_key ));
+                       break;
+               case "/logout":
+                       // De-authenticate/deauthorize the ongoing session.
+                       // I.e. destroy session data, remove session cookies.
+                       $session_name = "";
+                       if ( array_key_exists('session', $_GET ) )
+                               $session_name = $_GET['session'];
+                       session_name($session_name);
+                       session_start();
+                       clear_credentials($session_name);
+
+                       if ( $_SESSION )
+                               print json_encode ( array( 'response' => 'wtffailed?') );
+                       else
+                               print json_encode ( array( 'response' => 'ok') );
+                       break;
                case "/list_users":
                        // List valid API user-acounts.
                        // Fail with notauthorized if current authentication
                        // does not have write access.
+                       // Should not return users from backend, 
+                       // but should only return users with authorization.
                case "/authorize_user":
                        // Add or update a valid back-end user in authorization
                        // if the current authentication has write access.
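Review bot: The `/login` case reads `username`, `password` and `api_key` out of `$_GET`, so the credentials travel in the query string and end up in web-server access logs, proxy logs, browser history and outbound Referer headers; move them to the request body, e.g. `if ( array_key_exists('username', $_POST) && array_key_exists('password', $_POST) )` and `else if ( array_key_exists('api_key', $_POST) )`, and reject non-POST requests for this route. The `/ping` case uses `$_GET['session']` directly while `/logout` guards the same key with `array_key_exists`; the missing check should be added to `/ping` for consistency, and both cases hand a caller-supplied string straight to `session_name()` (explicitly in `/logout`, presumably inside `token_auth()` in `/ping`), so it should be validated against the expected session-name format before use. Whether `clear_credentials()` actually calls `session_destroy()` and drops the cookie cannot be seen here, and the `if ( $_SESSION )` check afterwards does not confirm it, so it is worth verifying. The `switch` on `$_SERVER['PATH_INFO']` continues past the end of the hunk.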