aboutsummaryrefslogtreecommitdiff
path: root/engine/lib/api.php
diff options
context:
space:
mode:
Diffstat (limited to 'engine/lib/api.php')
-rw-r--r--engine/lib/api.php88
1 files changed, 13 insertions, 75 deletions
diff --git a/engine/lib/api.php b/engine/lib/api.php
index 38b93cd3a..5372c0214 100644
--- a/engine/lib/api.php
+++ b/engine/lib/api.php
@@ -411,7 +411,7 @@ function authenticate_method($method) {
// check API authentication if required
if ($API_METHODS[$method]["require_api_auth"] == true) {
- if (api_authenticate() == false) {
+ if (pam_authenticate(null, "api") == false) {
throw new APIException(elgg_echo('APIException:APIAuthenticationFailed'));
}
}
@@ -426,65 +426,6 @@ function authenticate_method($method) {
return true;
}
-$API_AUTH_HANDLERS = array();
-
-/**
- * Register an API authorization handler
- *
- * @param $handler
- * @param $importance
- * @return bool
- */
-function register_api_auth_handler($handler, $importance = "sufficient") {
- global $API_AUTH_HANDLERS;
-
- if (is_callable($handler)) {
- $API_AUTH_HANDLERS[$handler] = new stdClass;
-
- $API_AUTH_HANDLERS[$handler]->handler = $handler;
- $API_AUTH_HANDLERS[$handler]->importance = strtolower($importance);
-
- return true;
- }
-
- return false;
-}
-
-/**
- * Authenticate an API method call
- *
- * @return bool
- */
-function api_authenticate() {
- global $API_AUTH_HANDLERS;
-
- $authenticated = false;
-
- foreach ($API_AUTH_HANDLERS as $k => $v) {
- $handler = $v->handler;
- $importance = $v->importance;
-
- try {
- // Execute the handler
- if ($handler()) {
- $authenticated = true;
- } else {
- // If this is required then abort.
- if ($importance == 'required') {
- return false;
- }
- }
- } catch (Exception $e) {
- // If this is required then abort.
- if ($importance == 'required') {
- return false;
- }
- }
- }
-
- return $authenticated;
-}
-
/**
* Executes a method.
* A method is a function which you have previously exposed using expose_function.
@@ -758,7 +699,7 @@ function api_auth_hmac() {
// Get api header
$api_header = get_and_validate_api_headers();
-
+
// Pull API user details
$api_user = get_api_user($CONFIG->site_id, $api_header->api_key);
@@ -777,7 +718,7 @@ function api_auth_hmac() {
$api_header->time,
$api_header->api_key,
$secret_key,
- $params,
+ $query,
$api_header->method == 'POST' ? $api_header->posthash : "");
@@ -842,7 +783,7 @@ function get_and_validate_api_headers() {
}
// Basic timecheck, think about making this smaller if we get loads of users and the cache gets really big.
- if (($result->time<(microtime(true)-86400.00)) || ($result->time>(microtime(true)+86400.00))) {
+ if (($result->time<(time()-86400)) || ($result->time>(time()+86400))) {
throw new APIException(elgg_echo('APIException:TemporalDrift'));
}
@@ -899,7 +840,7 @@ function map_api_hash($algo) {
* @param $time string String representation of unix time as stored in X-Searunner-time.
* @param $api_key string Your api key.
* @param $secret string Your secret key.
- * @param $get_variables string URLEncoded string representation of the get variable parameters, eg "format=php&method=searunner.test".
+ * @param $get_variables string URLEncoded string representation of the get variable parameters, eg "method=user&guid=2"
* @param $post_hash string Optional sha1 hash of the post data.
* @return string The HMAC string.
*/
@@ -1036,8 +977,11 @@ function pam_auth_usertoken($credentials = NULL) {
global $CONFIG;
$token = get_input('auth_token');
-
- $validated_userid = validate_user_token($token);
+ if (!$token) {
+ return false;
+ }
+
+ $validated_userid = validate_user_token($token, $CONFIG->site_id);
if ($validated_userid) {
$u = get_entity($validated_userid);
@@ -1218,17 +1162,11 @@ function send_api_call(array $keys, $url, array $call, $method = 'GET', $post_da
}
// Time
- $time = microtime(true);
+ $time = time();
- // URL encode all the parameters, ensuring auth_token (if present) is at the end!
+ // URL encode all the parameters
foreach ($call as $k => $v){
- if ($k!='auth_token') {
- $encoded_params[] = urlencode($k).'='.urlencode($v);
- }
- }
-
- if ($call['auth_token']) {
- $encoded_params[] = urlencode('auth_token').'='.urlencode($call['auth_token']);
+ $encoded_params[] = urlencode($k).'='.urlencode($v);
}
$params = implode('&', $encoded_params);