mirror/zoneminder
1
0
Fork 0
mirror of https://github.com/ZoneMinder/zoneminder.git synced 2026-03-05 22:48:53 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
fc27393a96ac4ae3e622c0a664df9d7dbe5d25fb
zoneminder/web/api/app/Controller/AppController.php
Pliable Pixels fc27393a96 Replace MySQL Password() with bcrypt, allow for alternate JWT tokens (#2598) 
* added sha1 and bcrypt submodules

* added bcrypt and sha to src build process

* added test sha1 and bcrypt code to validate working

* bcrypt auth migration in PHP land

* added include path

* add sha source

* added bcrypt to others

* put link_dir ahead of add_executable

* fixed typo

* try add_library instead

* absolute path

* absolute path

* build bcrypt as static

* move to wrapper

* move to fork

* logs tweak

* added lib-ssl/dev for JWT signing

* Moved to openSSL SHA1, initial JWT plugin

* removed vog

* fixed SHA1 algo

* typo

* use php-jwt, use proper way to add PHP modules, via composer

* fixed module path

* first attempt to fix cast error

* own fork

* own fork

* add composer vendor directory

* go back to jwt-cpp as PR merged

* moved to jwt-cpp after PR merge

* New token= query for JWT

* Add JWT token creation, move old code to a different function for future deprecation, simplified code for ZM_XX parameter reading

* JWT integration, validate JWT token via validateToken

* added token validation to zms/zmu/zmuser

* add token to command line for zmu

* move decode inside try/catch

* exception handling for try/catch

* fix db read, forgot to exec query

* remove allowing auth_hash_ip for token

* support refresh tokens as well for increased security

* remove auth_hash_ip

* Error out if used did not create an AUTH_HASH_SECRET

* fixed type conversion

* make sure refresh token login doesn't generate another refresh token

* fix absolute path

* move JWT/Bcrypt inside zm_crypt

* move sha headers out

* move out sha header

* handle case when supplied password is hashed, fix wrong params in AppController

* initial baby step for api tab

* initial plumbing to introduce token expiry and API bans per user

* remove M typo

* display user table in api

* added revoke all tokens code, removed test code

* use strtoul for conversion

* use strtoul for conversion

* use strtoul for conversion

* more fixes

* more fixes

* add mintokenexpiry to DB seek

* typo

* add ability to revoke tokens and enable/disable APIs per user

* moved API enable back to system

* comma

* enable API options only if API enabled

* move user creation to bcrypt

* added password_compat for PHP >=5.3 <5.5

* add Password back so User object indexes don't change

* move token index after adding password

* demote logs

* make old API auth optional, on by default

* make old API auth mechanism optional

* removed stale code

* forgot to checkin update file

* bulk overlay hash mysql encoded passwords

* add back ssl_dev, got deleted

* fix update script

* added token support to index.php

* reworked API document for new changes in 2.0

* Migrate from libdigest to crypt-eks-blowfish due to notice

* merge typo

* css classess for text that disappear

* fixed html typo

* added deps to ubuntu control files

* spaces

* removed extra line

* when regenerating using refresh tokens, username needs to be derived from the refresh token, as no session would exist

* add libssl1.0.0 for ubuntu 16/12

* small API fixes

* clean up of API, remove redundant sections

* moved to ZM fork for bcrypt

* whitespace and google code style

* regenerate auth hash if doing password migration

* dont need AUTH HASH LOGIN to be on

* Add auth hash verification to the user logged in already case

* fix missing ]

* reject requests if per user API disabled
2019-05-24 13:48:40 -04:00

131 lines
4.6 KiB
PHP
Raw Blame History

<?php
/**
* Application level Controller
*
* This file is application-wide controller file. You can put all
* application-wide controller-related methods here.
*
* CakePHP(tm) : Rapid Development Framework (http://cakephp.org)
* Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
*
* Licensed under The MIT License
* For full copyright and license information, please see the LICENSE.txt
* Redistributions of files must retain the above copyright notice.
*
* @copyright Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
* @link http://cakephp.org CakePHP(tm) Project
* @package app.Controller
* @since CakePHP(tm) v 0.2.9
* @license http://www.opensource.org/licenses/mit-license.php MIT License
*/
App::uses('Controller', 'Controller');
App::uses('CrudControllerTrait', 'Crud.Lib');
/**
* Application Controller
*
* Add your application-wide methods in the class below, your controllers
* will inherit them.
*
* @package app.Controller
* @link http://book.cakephp.org/2.0/en/controllers.html#the-app-controller
*/
class AppController extends Controller {
use CrudControllerTrait;
public $components = [
'Session', // We are going to use SessionHelper to check PHP session vars
'RequestHandler',
'Crud.Crud' => [
'actions' => [
'index' => 'Crud.Index',
'add' => 'Crud.Add',
'edit' => 'Crud.Edit',
'view' => 'Crud.View',
'keyvalue' => 'Crud.List',
'category' => 'Crud.Category'
],
'listeners' => ['Api', 'ApiTransformation']
#],
#'DebugKit.Toolbar' => [
# 'bootstrap' => true, 'routes' => true
]
];
// Global beforeFilter function
//Zoneminder sets the username session variable
// to the logged in user. If this variable is set
// then you are logged in
// its pretty simple to extend this to also check
// for role and deny API access in future
// Also checking to do this only if ZM_OPT_USE_AUTH is on
public function beforeFilter() {
if ( ! ZM_OPT_USE_API ) {
throw new UnauthorizedException(__('API Disabled'));
return;
}
# For use throughout the app. If not logged in, this will be null.
global $user;
if ( ZM_OPT_USE_AUTH ) {
require_once __DIR__ .'/../../../includes/auth.php';
$mUser = $this->request->query('user') ? $this->request->query('user') : $this->request->data('user');
$mPassword = $this->request->query('pass') ? $this->request->query('pass') : $this->request->data('pass');
$mToken = $this->request->query('token') ? $this->request->query('token') : $this->request->data('token');
if ( $mUser and $mPassword ) {
// log (user, pass, nothashed, api based login so skip recaptcha)
$user = userLogin($mUser, $mPassword, false, true);
if ( !$user ) {
throw new UnauthorizedException(__('Incorrect credentials or API disabled'));
return;
}
} else if ( $mToken ) {
// if you pass a token to login, we should only allow
// refresh tokens to regenerate new access and refresh tokens
if ( !strcasecmp($this->params->action, 'login') ) {
$only_allow_token_type='refresh';
} else {
// for any other methods, don't allow refresh tokens
// they are supposed to be infrequently used for security
// purposes
$only_allow_token_type='access';
}
$ret = validateToken($mToken, $only_allow_token_type, true);
$user = $ret[0];
$retstatus = $ret[1];
if ( !$user ) {
throw new UnauthorizedException(__($retstatus));
return;
}
} else if ( $mAuth ) {
$user = getAuthUser($mAuth, true);
if ( !$user ) {
throw new UnauthorizedException(__('Invalid Auth Key'));
return;
}
}
// We need to reject methods that are not authenticated
// besides login and logout
if ( strcasecmp($this->params->action, 'logout') ) {
if ( !( $user and $user['Username'] ) ) {
throw new UnauthorizedException(__('Not Authenticated'));
return;
} else if ( !( $user and $user['Enabled'] ) ) {
throw new UnauthorizedException(__('User is not enabled'));
return;
}
} # end if ! login or logout
} # end if ZM_OPT_AUTH
// make sure populated user object has APIs enabled
if ($user['APIEnabled'] == 0 ) {
throw new UnauthorizedException(__('API Disabled'));
return;
}
} # end function beforeFilter()
}
Reference in New Issue View Git Blame Copy Permalink