aboutsummaryrefslogtreecommitdiff
path: root/endpoints/rest.php
blob: e00d2755510e9aded5b8edb7716358429d20503c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
<?php
	/**
	 * Rest endpoint.
	 * The API REST endpoint.
	 * 
	 * @package Elgg
	 * @subpackage API
	 * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2
	 * @author Marcus Povey <marcus@dushka.co.uk>
	 * @copyright Curverider Ltd 2008
	 * @link http://elgg.org/
	 */

	// Include required files
	require_once('../engine/start.php');
	global $CONFIG, $ApiEnvironment;
	
	// Register the error handler
	error_reporting(E_ALL); 
	set_error_handler('__php_api_error_handler');
	
	// Register a default exception handler
	set_exception_handler('__php_api_exception_handler'); 
	
	// Get parameter variables
	$format = get_input('format', 'php');
	$method = get_input('method');
	$result = null;
	
	
	// See if we have a session
	/**
	 * If we have a session then we can assume that this is being called by AJAX from 
	 * within an already logged on browser.
	 * 
	 * NB. This may be a gaping security hole, but hey ho. 
	 */
	if (!isloggedin())
	{
		// Get api header
		$api_header = get_and_validate_api_headers();
		$ApiEnvironment->api_header = $api_header;
		
		// Pull API user details
		$ApiEnvironment->api_user = get_api_user($api_header->api_key);
		
		// Get site
		$ApiEnvironment->site_id = $ApiEnvironment->api_user->side_id;	
		
		if ($ApiEnvironment->api_user)
		{
			// Get the secret key
			$secret_key = $ApiEnvironment->api_user->secret;
				
			// Validate HMAC
			$hmac = calculate_hmac($api_header->hmac_algo, 
					$api_header->time, 
					$api_header->api_key, 
					$secret_key, 
					$api_header->get_variables, 
					$api_header->method == 'POST' ? $api_header->posthash : "");
				
			if (strcmp(
				$api_header->hmac,
				$hmac	
			)==0)
			{
				// Now make sure this is not a replay
				if (!cache_hmac_check_replay($hmac)) 
				{
					$postdata = "";
					$token = "";
					$params = $_REQUEST;
					
					// Validate post data
					if ($api_header->method=="POST")
					{
						$postdata = get_post_data();
						$calculated_posthash = calculate_posthash($postdata, $api_header->posthash_algo);

						if (strcmp($api_header->posthash, $calculated_posthash)!=0)
							throw new SecurityException("POST data hash is invalid - Expected $calculated_posthash but got {$api_header->posthash}.");
					}
					
					// Execute 
					if (isset($params['auth_token'])) 
					$result = execute_method($method, $params, $token);
				}
				else
					throw new SecurityException("Packet signature already seen.");
			}
			else 
				throw new SecurityException("HMAC is invalid.  {$api_header->hmac} != [calc]$hmac = {$api_header->hmac_algo}(**SECRET KEY**, time:{$api_header->time}, apikey:{$api_header->api_key}, get_vars:{$api_header->get_variables}" . ($api_header->method=="POST"? "posthash:$api_header->posthash}" : ")"));
		}
		else
			throw new SecurityException("Invalid or missing API Key.",ErrorResult::$RESULT_FAIL_APIKEY_INVALID);
	}
	else
	{
		// Set site environment
		$ApiEnvironment->site_id = $CONFIG->site_id;
		
		// User is logged in, just execute 
		if (isset($params['auth_token'])) $token = $params['auth_token'];
		$result = execute_method($method, $params, $token);	
	}


	// Finally output
	if (!($result instanceof GenericResult))
		throw new APIException("API Result is of an unknown type, this should never happen.");
		
	output_result($result, $format);
		
?>