New : API key authentication
One key is stored per user when the login API method is called. Each API request must carry the api_key parameter.
parent
8027759304
commit
fa494369b8
@ -18,6 +18,7 @@
|
||||
use Luracast\Restler\Restler;
|
||||
use Luracast\Restler\RestException;
|
||||
|
||||
require_once DOL_DOCUMENT_ROOT.'/user/class/user.class.php';
|
||||
|
||||
/**
|
||||
* Class for API
|
||||
@ -84,20 +85,25 @@ class DolibarrApi {
|
||||
*/
|
||||
class DolibarrApiInit extends DolibarrApi {
|
||||
|
||||
|
||||
|
||||
function __construct() {
|
||||
|
||||
global $db;
|
||||
$this->db = $db;
|
||||
}
|
||||
|
||||
/**
|
||||
* Log user with login and password
|
||||
* Login
|
||||
*
|
||||
* Log user with username and password
|
||||
* @todo : to finish!
|
||||
*
|
||||
* @param string $login
|
||||
* @param string $password
|
||||
* @param int $entity
|
||||
* @throws RestException
|
||||
* @param string $login Username
|
||||
* @param string $password User password
|
||||
* @param int $entity User entity
|
||||
* @throws RestException
|
||||
*/
|
||||
public function login($login, $password, $entity = '') {
|
||||
public function login($login, $password, $entity = 0) {
|
||||
|
||||
// Authentication mode
|
||||
if (empty($dolibarr_main_authentication))
|
||||
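Review bot: `$dolibarr_main_authentication` is read by `empty()` at the last line of this hunk, and on the new side nothing but a blank line and a comment sit between the `login()` signature and that check, so the conf.php value is never imported into the method's scope and `empty()` is always true; whatever the then-branch does (it lies outside the hunk) runs for every call regardless of the configured authentication mode. Add `global $dolibarr_main_authentication;` as the method's first statement, or read the value through whichever accessor the rest of the API layer uses. The docblock still carries `@todo : to finish!` and has no `@return`, although the method returns the token array built in the next hunk; `@return array{success: array{code:int, token:string, message:string}}` would document that contract. The body of `login()` continues past this hunk.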
@ -114,10 +120,27 @@ class DolibarrApiInit extends DolibarrApi {
|
||||
{
|
||||
throw new RestException(403, 'Access denied');
|
||||
}
|
||||
|
||||
|
||||
// Generate token for user
|
||||
$token = dol_hash($login.uniqid().$conf->global->MAIN_API_KEY,1);
|
||||
|
||||
// We store API token into database
|
||||
$sql = "UPDATE ".MAIN_DB_PREFIX."user";
|
||||
$sql.= " SET api_key = '".$this->db->escape($token)."'";
|
||||
$sql.= " WHERE login = '".$this->db->escape($login)."'";
|
||||
|
||||
dol_syslog(get_class($this)."::login", LOG_DEBUG); // No log
|
||||
$result = $this->db->query($sql);
|
||||
if (!$result)
|
||||
{
|
||||
throw new RestException(500, 'Error when updating user :'.$this->db->error_msg);
|
||||
}
|
||||
|
||||
//return token
|
||||
return array(
|
||||
'success' => array(
|
||||
'code' => 200,
|
||||
'token' => $token,
|
||||
'message' => 'Welcome ' . $login
|
||||
)
|
||||
);
|
||||
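Review bot: The unpredictability of the generated key rests on `uniqid()`, which is derived from the current time in microseconds, combined with `$conf->global->MAIN_API_KEY`; no `global $conf;` is visible in `login()`, so unless it is declared between the two hunks the secret part is null and the token is a hash of the login plus a timestamp, which gives it far less entropy than a bearer credential needs. Take the key material from a CSPRNG instead, e.g. `$token = dol_hash($login.bin2hex(openssl_random_pseudo_bytes(32)).$conf->global->MAIN_API_KEY, 1);` (`random_bytes()` on PHP 7+), and declare `global $conf;` at the top of the method. The 500 response forwards `$this->db->error_msg` to the API client, which discloses table names and SQL fragments; log it with `dol_syslog` and return a generic message such as `'Error when storing API key'`. The `UPDATE` is keyed on `login` alone although the method accepts `$entity`; if the same login can exist in several entities, the wrong row may receive the key. The enclosing `login()` starts before this hunk.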
@ -127,7 +150,7 @@ class DolibarrApiInit extends DolibarrApi {
|
||||
* @access protected
|
||||
* @class DolibarrApiAccess {@requires admin}
|
||||
*/
|
||||
public function status() {
|
||||
function status() {
|
||||
require_once DOL_DOCUMENT_ROOT . '/core/lib/functions.lib.php';
|
||||
return array(
|
||||
'success' => array(
|
||||
|
||||
@ -14,49 +14,73 @@ require_once DOL_DOCUMENT_ROOT.'/user/class/user.class.php';
|
||||
class DolibarrApiAccess implements iAuthenticate
|
||||
{
|
||||
const REALM = 'Restricted Dolibarr API';
|
||||
const TEST_KEY = 'changeme';
|
||||
|
||||
/**
|
||||
*
|
||||
* @var string $role user / external / admin
|
||||
* @var string $requires
|
||||
* @var string $requires role required by API method user / external / admin
|
||||
*/
|
||||
public static $requires = 'user';
|
||||
|
||||
/**
|
||||
* @var string $role user role
|
||||
*/
|
||||
public static $role = 'user';
|
||||
|
||||
/**
|
||||
* Check access
|
||||
*
|
||||
* @return boolean
|
||||
*/
|
||||
public function __isAllowed()
|
||||
{
|
||||
global $db;
|
||||
|
||||
//@todo hardcoded api_key=>role for brevity
|
||||
//
|
||||
$roles = array('123' => 'user', '456' => 'external', '789' => 'admin');
|
||||
$stored_key = '';
|
||||
|
||||
$userClass = Defaults::$userIdentifierClass;
|
||||
|
||||
// for dev @todo : remove this!
|
||||
static::$role = 'user';
|
||||
|
||||
if( isset($_GET['test_key'])) {
|
||||
if( ! $_GET['test_key'] == DolibarrApiAccess::TEST_KEY) {
|
||||
$userClass::setCacheIdentifier($_GET['test_key']);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
elseif (isset($_GET['api_key'])) {
|
||||
if (isset($_GET['api_key'])) {
|
||||
// @todo : check from database
|
||||
if (!array_key_exists($_GET['api_key'], $roles)) {
|
||||
$sql = "SELECT u.login, u.datec, u.api_key, ";
|
||||
$sql.= " u.tms as date_modification, u.entity";
|
||||
$sql.= " FROM ".MAIN_DB_PREFIX."user as u";
|
||||
$sql.= " WHERE u.api_key = '".$db->escape($_GET['api_key'])."'";
|
||||
|
||||
$result=$db->query($sql);
|
||||
|
||||
if ($result)
|
||||
{
|
||||
if ($db->num_rows($result))
|
||||
{
|
||||
$obj = $db->fetch_object($result);
|
||||
$login = $obj->login;
|
||||
$stored_key = $obj->api_key;
|
||||
}
|
||||
}
|
||||
|
||||
if ( $stored_key != $_GET['api_key']) {
|
||||
$userClass::setCacheIdentifier($_GET['api_key']);
|
||||
return false;
|
||||
}
|
||||
static::$role = $roles[$_GET['api_key']];
|
||||
|
||||
$fuser = new User($db);
|
||||
$result = $fuser->fetch('',$login);
|
||||
|
||||
if($fuser->societe_id)
|
||||
static::$role = 'external';
|
||||
|
||||
if($fuser->admin)
|
||||
static::$role = 'admin';
|
||||
}
|
||||
else
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
|
||||
|
||||
$userClass::setCacheIdentifier(static::$role);
|
||||
Resources::$accessControlFunction = 'DolibarrApiAccess::verifyAccess';
|
||||
return static::$requires == static::$role || static::$role == 'admin';
|
||||
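Review bot: `if( ! $_GET['test_key'] == DolibarrApiAccess::TEST_KEY)` negates the parameter before comparing, so for any non-empty `test_key` the condition is `false == 'changeme'`, which is false, the `return false` is skipped and execution falls through to the final role check with `static::$role` still set to the hard-coded `'user'`; I cannot tell from this page whether the `test_key` block and the literal `'123'/'456'/'789'` role map survive on the new side (both an `elseif` and an `if` are shown for the `api_key` check), but if they do, any request carrying a `test_key` is authenticated as `user`, and `TEST_KEY = 'changeme'`, the `$roles` table and the `// for dev @todo : remove this!` assignment should be removed before this ships. `static::$role = $roles[$_GET['api_key']];` would also reset the role to null for every key that comes from the database rather than the literal map, denying ordinary users, if that line is on the new side. The check `$stored_key != $_GET['api_key']` is loose and redundant with the `WHERE u.api_key = ...` lookup; use `hash_equals($stored_key, $_GET['api_key'])` (or at least `!==`) so the comparison is strict. Keys are stored and matched in clear text in the user table's `api_key` column, so any read access to that table yields every live credential; storing `dol_hash($token)` in `login()` and querying on the hash of the presented key would contain that exposure, and `$fuser->fetch('',$login)`'s `$result` is never checked, so a failed fetch silently leaves the role as computed so far; the closing brace of `__isAllowed()` lies outside this hunk.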
@ -64,7 +88,7 @@ class DolibarrApiAccess implements iAuthenticate
|
||||
|
||||
public function __getWWWAuthenticateString()
|
||||
{
|
||||
return 'Query name="api_key"';
|
||||
return '';
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
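Review bot: The `return 'Query name="api_key"';` variant of `__getWWWAuthenticateString()` (which I take to be the new side, given the commit's purpose) advertises the query string as the credential channel, matching the `$_GET['api_key']` read in `__isAllowed()` above; a key carried in the URL is recorded in web-server and proxy access logs, browser history and `Referer` headers, which is a poor fit for a long-lived per-user credential. Accept the key from an HTTP header as well, and prefer it in the documentation — the swagger-ui change in this commit enables `supportHeaderParams: true`, which points the same way. If the query-string form has to stay for compatibility, say so in a comment here and ensure the API is served only over HTTPS.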
@ -46,7 +46,7 @@
|
||||
discoveryUrl:"../resources.json",
|
||||
apiKey:"",
|
||||
dom_id:"swagger-ui-container",
|
||||
supportHeaderParams: false,
|
||||
supportHeaderParams: true,
|
||||
supportedSubmitMethods: ['get', 'post', 'put', 'patch', 'delete'],
|
||||
onComplete: function(swaggerApi, swaggerUi){
|
||||
if(console) {
|
||||
|
||||
@ -23,6 +23,7 @@
|
||||
* API class for thirdparty object
|
||||
*
|
||||
* @smart-auto-routing false
|
||||
* @access protected
|
||||
*
|
||||
*/
|
||||
class ThirdpartyApi extends DolibarrApi {
|
||||
|
||||