author | icewing <icewing@36083f99-b078-4883-b0ff-0f9b5a30f544> | 2008-03-07 17:58:11 +0000 |
---|---|---|
committer | icewing <icewing@36083f99-b078-4883-b0ff-0f9b5a30f544> | 2008-03-07 17:58:11 +0000 |
commit | 06bca872ab35a415621f75601c3c5fe8824ebb5d (patch) | |
tree | 3ab73f5381873c8c9c718dce6eb352f94d3818b0 /endpoints | |
parent | 4318e9697253546e8bb4f76166ac92ee6918e94e (diff) | |
download | elgg-06bca872ab35a415621f75601c3c5fe8824ebb5d.tar.gz elgg-06bca872ab35a415621f75601c3c5fe8824ebb5d.tar.bz2 |
Marcus Povey <marcus@dushka.co.uk>
* Initial work on API
git-svn-id: https://code.elgg.org/elgg/trunk@106 36083f99-b078-4883-b0ff-0f9b5a30f544
Diffstat (limited to 'endpoints')
-rw-r--r-- | endpoints/rest.php | 109 |
1 files changed, 109 insertions, 0 deletions
diff --git a/endpoints/rest.php b/endpoints/rest.php
new file mode 100644
index 000000000..483971eb4
--- /dev/null
+++ b/endpoints/rest.php
@@ -0,0 +1,109 @@
+<?php
+ /**
+ * Rest endpoint.
+ * The API REST endpoint.
+ *
+ * @package Elgg
+ * @subpackage API
+ * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2
+ * @author Marcus Povey <marcus@dushka.co.uk>
+ * @copyright Curverider Ltd 2008
+ * @link http://elgg.org/
+ */
+
+ // Include required files
+ require_once('../engine/start.php');
+ global $ApiEnvironment;
+
+ // Register the error handler
+ error_reporting(E_ALL);
+ set_error_handler('__php_error_handler');
+
+ // Register a default exception handler
+ set_exception_handler('__php_exception_handler');
+
+ // Get parameter variables
+ $format = get_input('format', 'php');
+ $method = get_input('method');
+ $result = null;
+
+
+ // See if we have a session
+ /**
+ * If we have a session then we can assume that this is being called by AJAX from
+ * within an already logged on browser.
+ *
+ * NB. This may be a gaping security hole, but hey ho.
+ */
+ if (!isloggedin())
+ {
+ // Get api header
+ $api_header = get_and_validate_api_headers();
+ $ApiEnvironment->api_header = $api_header;
+
+ // Pull API user details
+ $ApiEnvironment->api_user = get_api_user($api_header->api_key);
+
+ if ($ApiEnvironment->api_user)
+ {
+ // Get the secret key
+ $secret_key = $ApiEnvironment->api_user->secret;
+
+ // Validate HMAC
+ $hmac = calculate_hmac($api_header->hmac_algo,
+ $api_header->time,
+ $api_header->api_key,
+ $secret_key,
+ $api_header->get_variables,
+ $api_header->method == 'POST' ? $api_header->posthash : "");
+
+ if (strcmp(
+ $api_header->hmac,
+ $hmac
+ )==0)
+ {
+ // Now make sure this is not a replay
+ if (!cache_hmac_check_replay($hmac))
+ {
+ $postdata = "";
+ $token = "";
+ $params = $_REQUEST;
+
+ // Validate post data
+ if ($api_header->method=="POST")
+ {
+ $postdata = get_post_data();
+ $calculated_posthash = calculate_posthash($postdata, $api_header->posthash_algo);
+
+ if (strcmp($api_header->posthash, $calculated_posthash)!=0)
+ throw new SecurityException("POST data hash is invalid - Expected $calculated_posthash but got {$api_header->posthash}.");
+ }
+
+ // Execute
+ if (isset($params['auth_token']))
+ $result = execute_method($method, $params, $token);
+ }
+ else
+ throw new SecurityException("Packet signature already seen.");
+ }
+ else
+ throw new SecurityException("HMAC is invalid. {$api_header->hmac} != [calc]$hmac = {$api_header->hmac_algo}(**SECRET KEY**, time:{$api_header->time}, apikey:{$api_header->api_key}, get_vars:{$api_header->get_variables}" . ($api_header->method=="POST"? "posthash:$api_header->posthash}" : ")"));
+ }
+ else
+ throw new SecurityException("Invalid or missing API Key.",ErrorResult::$RESULT_FAIL_APIKEY_INVALID);
+ }
+ else
+ {
+ // User is logged in, just execute
+ if (isset($params['auth_token'])) $token = $params['auth_token'];
+ $result = execute_method($method, $params, $token);
+ }
+
+
+ // Finally output
+ if (!($result instanceof GenericResult))
+ throw new APIException("API Result is of an unknown type, this should never happen.");
+
+ output_result($result, $format);
+
+?>
\ No newline at end of file |
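Review bot: The `HMAC is invalid` exception thrown at the end of the signature branch embeds the server-computed `$hmac` together with every signed input except the secret, so a caller holding a valid api_key learns the expected signature for the request it just sent and the check no longer proves possession of the secret; keep the client-facing message to `throw new SecurityException("HMAC is invalid.");` and write the diagnostic detail to a server-side log only, and apply the same to the POST-hash message, which echoes `$calculated_posthash`. In the logged-in `else` branch `$params` is never assigned (it is only set to `$_REQUEST` inside the API branch), so `isset($params['auth_token'])` is always false there and `execute_method($method, $params, $token)` receives undefined arguments; assigning `$params = $_REQUEST;` once before `if (!isloggedin())` serves both paths, and the API branch should then read the token with `if (isset($params['auth_token'])) $token = $params['auth_token'];` rather than always passing `""`. The API branch also never records a failed signature, so nothing in this file limits repeated guesses against one key; that may belong in `cache_hmac_check_replay()` or a caller, which is outside the hunk. Finally, `strcmp()` on the two digests leaks timing; a constant-time comparison such as `hash_equals()` (PHP 5.6+) is preferable where the runtime allows it.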