1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
|
<?php
/**
* Rest endpoint.
* The API REST endpoint.
*
* @package Elgg
* @subpackage API
* @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2
* @author Marcus Povey <marcus@dushka.co.uk>
* @copyright Curverider Ltd 2008
* @link http://elgg.org/
*/
// Include required files
require_once('../engine/start.php');
global $ApiEnvironment;
// Register the error handler
error_reporting(E_ALL);
set_error_handler('__php_api_error_handler');
// Register a default exception handler
set_exception_handler('__php_api_exception_handler');
// Get parameter variables
$format = get_input('format', 'php');
$method = get_input('method');
$result = null;
// See if we have a session
/**
* If we have a session then we can assume that this is being called by AJAX from
* within an already logged on browser.
*
* NB. This may be a gaping security hole, but hey ho.
*/
if (!isloggedin())
{
// Get api header
$api_header = get_and_validate_api_headers();
$ApiEnvironment->api_header = $api_header;
// Get site
// Pull API user details
$ApiEnvironment->api_user = get_api_user($api_header->api_key);
if ($ApiEnvironment->api_user)
{
// Get the secret key
$secret_key = $ApiEnvironment->api_user->secret;
// Validate HMAC
$hmac = calculate_hmac($api_header->hmac_algo,
$api_header->time,
$api_header->api_key,
$secret_key,
$api_header->get_variables,
$api_header->method == 'POST' ? $api_header->posthash : "");
if (strcmp(
$api_header->hmac,
$hmac
)==0)
{
// Now make sure this is not a replay
if (!cache_hmac_check_replay($hmac))
{
$postdata = "";
$token = "";
$params = $_REQUEST;
// Validate post data
if ($api_header->method=="POST")
{
$postdata = get_post_data();
$calculated_posthash = calculate_posthash($postdata, $api_header->posthash_algo);
if (strcmp($api_header->posthash, $calculated_posthash)!=0)
throw new SecurityException("POST data hash is invalid - Expected $calculated_posthash but got {$api_header->posthash}.");
}
// Execute
if (isset($params['auth_token']))
$result = execute_method($method, $params, $token);
}
else
throw new SecurityException("Packet signature already seen.");
}
else
throw new SecurityException("HMAC is invalid. {$api_header->hmac} != [calc]$hmac = {$api_header->hmac_algo}(**SECRET KEY**, time:{$api_header->time}, apikey:{$api_header->api_key}, get_vars:{$api_header->get_variables}" . ($api_header->method=="POST"? "posthash:$api_header->posthash}" : ")"));
}
else
throw new SecurityException("Invalid or missing API Key.",ErrorResult::$RESULT_FAIL_APIKEY_INVALID);
}
else
{
// TODO: set site environment
// User is logged in, just execute
if (isset($params['auth_token'])) $token = $params['auth_token'];
$result = execute_method($method, $params, $token);
}
// Finally output
if (!($result instanceof GenericResult))
throw new APIException("API Result is of an unknown type, this should never happen.");
output_result($result, $format);
?>
|