From 3830c405a80e7581e778f2a7894e5fa5e2b5ec0d Mon Sep 17 00:00:00 2001
From: jfefe
Date: Tue, 22 Nov 2016 23:41:46 +0100
Subject: [PATCH 1/2] =?UTF-8?q?Disable=20CSRF=20check=20for=20REST=C2=A0AP?= =?UTF-8?q?I?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This allow to do POST requests from another website.
---
htdocs/api/index.php | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/htdocs/api/index.php b/htdocs/api/index.php
index 660c90d3476..a390ecfa6e3 100644
--- a/htdocs/api/index.php
+++ b/htdocs/api/index.php
@@ -26,6 +26,7 @@
*
*/
if (! defined("NOLOGIN")) define("NOLOGIN",'1');
+if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1');
$res=0;
if (! $res && file_exists("../main.inc.php")) $res=include '../main.inc.php';
@@ -121,9 +122,9 @@ foreach ($modulesdir as $dir)
$classname = str_replace('Api_','',ucwords($reg[1])).'Api';
$classname = ucfirst($classname);
require_once $dir_part.$file_searched;
- if (class_exists($classname))
+ if (class_exists($classname))
{
- dol_syslog("Found API classname=".$classname);
+ dol_syslog("Found API classname=".$classname);
$api->r->addAPIClass($classname,'');
$listofapis[]=array('classname'=>$classname, 'fullpath'=>$file_searched);
}
@@ -142,7 +143,3 @@ foreach ($modulesdir as $dir)
// Call API (we suppose we found it)
$api->r->handle();
-
-
-
-

From b436df32029999604d1021b70d5b34e0c56eb2a9 Mon Sep 17 00:00:00 2001
From: jfefe
Date: Tue, 22 Nov 2016 23:44:10 +0100
Subject: [PATCH 2/2] Allow HTTP POST request for login API method.

This is more secure than do the request with sensitive value like password into URL parameters.
---
htdocs/api/class/api_generic.class.php | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/htdocs/api/class/api_generic.class.php b/htdocs/api/class/api_generic.class.php
index 9a630a9da47..e2874de369a 100644
--- a/htdocs/api/class/api_generic.class.php
+++ b/htdocs/api/class/api_generic.class.php
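Review bot: Defining `NOCSRFCHECK` for the whole API entry point in the first hunk switches off the form-token check for every request that reaches main.inc.php through htdocs/api/index.php, and the stated purpose — accepting POSTs from another website — is exactly the traffic that check exists to reject. That is only safe if no API route is authenticated by the browser's session cookie and the API key carried in the request is the only credential honoured; the hunk does not show which credentials main.inc.php accepts when `NOLOGIN` is set, so this should be confirmed against the API authentication code before merging. A comment on the new line recording that assumption would help the next reader, e.g. `// CSRF token check disabled: API requests must authenticate with the API key only, never via the browser session`. If browser clients on other origins are the real need, a CORS allow-list on the API responses is the narrower control; the remaining two hunks are whitespace and blank-line removal.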
@@ -45,11 +45,14 @@ class GenericApi extends DolibarrApi
* @return array Response status and user token
*
* @throws RestException
+ *
+ * @url POST /login
+ * @url GET /login
*/
public function login($login, $password, $entity=0, $reset=0)
{
global $conf, $dolibarr_main_authentication, $dolibarr_auto_user;
-
+
// Authentication mode
if (empty($dolibarr_main_authentication)) $dolibarr_main_authentication = 'http,dolibarr';
@@ -67,21 +70,21 @@ class GenericApi extends DolibarrApi
}
$token = 'failedtogenerateorgettoken';
-
+
$tmpuser=new User($this->db);
$tmpuser->fetch(0, $login);
-
+
// Renew the hash
if (empty($tmpuser->api_key) || $reset)
{
// Generate token for user
$token = dol_hash($login.uniqid().$conf->global->MAIN_API_KEY,1);
-
+
// We store API token into database
$sql = "UPDATE ".MAIN_DB_PREFIX."user";
$sql.= " SET api_key = '".$this->db->escape($token)."'";
$sql.= " WHERE login = '".$this->db->escape($login)."'";
-
+
dol_syslog(get_class($this)."::login", LOG_DEBUG); // No log
$result = $this->db->query($sql);
if (!$result)
@@ -93,7 +96,7 @@ class GenericApi extends DolibarrApi
{
$token = $tmpuser->api_key;
}
-
+
//return token
return array(
'success' => array(
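Review bot: The new `@url GET /login` annotation in the first hunk keeps the very route the commit message calls insecure: the `$password` parameter of `login()` can still be supplied in the query string, where web-server and proxy access logs and browser history typically retain it. If GET has to stay for existing clients, say so in the docblock and mark it for removal, e.g. `* @url GET /login  (deprecated: sends credentials in the query string; use POST)`; otherwise drop that line so POST is the only accepted method. The body of `login()` continues past this hunk, and the other two hunks are whitespace-only changes.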