aboutsummaryrefslogtreecommitdiff
path: root/endpoints
diff options
context:
space:
mode:
authoricewing <icewing@36083f99-b078-4883-b0ff-0f9b5a30f544>2008-03-07 17:58:11 +0000
committericewing <icewing@36083f99-b078-4883-b0ff-0f9b5a30f544>2008-03-07 17:58:11 +0000
commit06bca872ab35a415621f75601c3c5fe8824ebb5d (patch)
tree3ab73f5381873c8c9c718dce6eb352f94d3818b0 /endpoints
parent4318e9697253546e8bb4f76166ac92ee6918e94e (diff)
downloadelgg-06bca872ab35a415621f75601c3c5fe8824ebb5d.tar.gz
elgg-06bca872ab35a415621f75601c3c5fe8824ebb5d.tar.bz2
Marcus Povey <marcus@dushka.co.uk>
* Initial work on API git-svn-id: https://code.elgg.org/elgg/trunk@106 36083f99-b078-4883-b0ff-0f9b5a30f544
Diffstat (limited to 'endpoints')
-rw-r--r--endpoints/rest.php109
1 files changed, 109 insertions, 0 deletions
diff --git a/endpoints/rest.php b/endpoints/rest.php
new file mode 100644
index 000000000..483971eb4
--- /dev/null
+++ b/endpoints/rest.php
@@ -0,0 +1,109 @@
+<?php
+ /**
+ * Rest endpoint.
+ * The API REST endpoint.
+ *
+ * @package Elgg
+ * @subpackage API
+ * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2
+ * @author Marcus Povey <marcus@dushka.co.uk>
+ * @copyright Curverider Ltd 2008
+ * @link http://elgg.org/
+ */
+
+ // Include required files
+ require_once('../engine/start.php');
+ global $ApiEnvironment;
+
+ // Register the error handler
+ error_reporting(E_ALL);
+ set_error_handler('__php_error_handler');
+
+ // Register a default exception handler
+ set_exception_handler('__php_exception_handler');
+
+ // Get parameter variables
+ $format = get_input('format', 'php');
+ $method = get_input('method');
+ $result = null;
+
+
+ // See if we have a session
+ /**
+ * If we have a session then we can assume that this is being called by AJAX from
+ * within an already logged on browser.
+ *
+ * NB. This may be a gaping security hole, but hey ho.
+ */
+ if (!isloggedin())
+ {
+ // Get api header
+ $api_header = get_and_validate_api_headers();
+ $ApiEnvironment->api_header = $api_header;
+
+ // Pull API user details
+ $ApiEnvironment->api_user = get_api_user($api_header->api_key);
+
+ if ($ApiEnvironment->api_user)
+ {
+ // Get the secret key
+ $secret_key = $ApiEnvironment->api_user->secret;
+
+ // Validate HMAC
+ $hmac = calculate_hmac($api_header->hmac_algo,
+ $api_header->time,
+ $api_header->api_key,
+ $secret_key,
+ $api_header->get_variables,
+ $api_header->method == 'POST' ? $api_header->posthash : "");
+
+ if (strcmp(
+ $api_header->hmac,
+ $hmac
+ )==0)
+ {
+ // Now make sure this is not a replay
+ if (!cache_hmac_check_replay($hmac))
+ {
+ $postdata = "";
+ $token = "";
+ $params = $_REQUEST;
+
+ // Validate post data
+ if ($api_header->method=="POST")
+ {
+ $postdata = get_post_data();
+ $calculated_posthash = calculate_posthash($postdata, $api_header->posthash_algo);
+
+ if (strcmp($api_header->posthash, $calculated_posthash)!=0)
+ throw new SecurityException("POST data hash is invalid - Expected $calculated_posthash but got {$api_header->posthash}.");
+ }
+
+ // Execute
+ if (isset($params['auth_token']))
+ $result = execute_method($method, $params, $token);
+ }
+ else
+ throw new SecurityException("Packet signature already seen.");
+ }
+ else
+ throw new SecurityException("HMAC is invalid. {$api_header->hmac} != [calc]$hmac = {$api_header->hmac_algo}(**SECRET KEY**, time:{$api_header->time}, apikey:{$api_header->api_key}, get_vars:{$api_header->get_variables}" . ($api_header->method=="POST"? "posthash:$api_header->posthash}" : ")"));
+ }
+ else
+ throw new SecurityException("Invalid or missing API Key.",ErrorResult::$RESULT_FAIL_APIKEY_INVALID);
+ }
+ else
+ {
+ // User is logged in, just execute
+ if (isset($params['auth_token'])) $token = $params['auth_token'];
+ $result = execute_method($method, $params, $token);
+ }
+
+
+ // Finally output
+ if (!($result instanceof GenericResult))
+ throw new APIException("API Result is of an unknown type, this should never happen.");
+
+ output_result($result, $format);
+
+?> \ No newline at end of file