
Commit fbc2d3b

committed
Fixed some bugs and improved auth system
1 parent 2e433d9 commit fbc2d3b

3 files changed

Lines changed: 59 additions & 38 deletions


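--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 # PHP Database Web API
 ![](cover.png)
 
-**Version:** 0.6.125 beta
+**Version:** 0.6.127 beta
 
 **Github:** https://github.com/marcocesarato/Database-Web-API
 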
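--- a/includes/classes/API.php
+++ b/includes/classes/API.php
@@ -1215,11 +1215,10 @@ public function renderJson($data) {
 * @param $data
 */
 public function renderHtml($data) {
-require_once(__API_ROOT__ . '/includes/template/header.php');
+include(__API_ROOT__ . '/includes/template/header.php');
 //err out if no results
 if(empty($data)) {
 Response::error('No results found', 404);
-
 return;
 }
 //render readable array data serialized
@@ -1255,7 +1254,7 @@ public function renderHtml($data) {
 echo "</tr>";
 }
 echo "</table>";
-require_once(__API_ROOT__ . '/includes/template/footer.php');
+include(__API_ROOT__ . '/includes/template/footer.php');
 die();
 }
 
@@ -1284,8 +1283,10 @@ public function renderXml($data) {
 */
 public function checkTable($query_table, $db = null) {
 
-if(empty($db)) {
-$db = $this->getDatabase($this->query['db']);
+if(!empty($db)) {
+$db = $this->getDatabase($db);
+} else {
+$db = $this->getDatabase();
 }
 
 if($this->auth->authenticated && (!$this->auth->is_admin)) {
@@ -1312,7 +1313,7 @@ public function checkTable($query_table, $db = null) {
 * @param string $db the database to check
 * @return bool true if table exists, otherwise false
 */
-private function tableExists($query_table, $db = null) {
+public function tableExists($query_table, $db = null) {
 $tables = $this->getTables($db);
 
 return in_array($query_table, $tables);
@@ -1361,8 +1362,10 @@ public function getTables($db = null) {
 */
 public function checkColumn($column, $table, $db = null) {
 
-if(empty($db)) {
-$db = $this->getDatabase($this->query['db']);
+if(!empty($db)) {
+$db = $this->getDatabase($db);
+} else {
+$db = $this->getDatabase();
 }
 
 if(!$this->auth->is_admin || Request::method() == 'PUT') {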
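Review bot: `tableExists` is made public in the fourth hunk and is now called from Auth with a configured database name, but its membership test `return in_array($query_table, $tables);` is still non-strict; `return in_array($query_table, $tables, true);` pins it to exact string matching of the table name. In the first two hunks renderHtml swaps `require_once` for `include` on the header and footer templates, which means a missing or unreadable template now only raises a warning and the page is emitted without it; if the templates are mandatory, `require` gives the repeatable per-call include without silently continuing. The new `if(!empty($db))` branches in checkTable and checkColumn no longer consult `$this->query['db']`, so a caller that relied on the query's `db` parameter now gets whatever `getDatabase()` returns by default — that looks intended but deserves a docblock line such as `@param string|null $db database name; falls back to the API's default database when empty`. checkTable and checkColumn both continue outside their hunks.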
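--- a/includes/classes/Auth.php
+++ b/includes/classes/Auth.php
@@ -37,12 +37,6 @@ public function __construct() {
 self::$instance = &$this;
 $this->logger = Logger::getInstance();
 $this->hooks = Hooks::getInstance();
-if(defined('__API_AUTH__')) {
-self::$settings = unserialize(__API_AUTH__);
-if(!empty(self::$settings['api_table'])) {
-self::$api_table = preg_replace('/\s+/', '', self::$settings['api_table']);
-}
-}
 }
 
 /**
@@ -76,20 +70,18 @@ public function validate($query) {
 $this->table_readonly = $db_settings->table_readonly;
 }
 
-if(self::$settings['sqlite']) {
-$this->db = new PDO('sqlite:' . self::$settings['sqlite_filename'] . '.sqlite');
-} else {
-$this->db = &$this->api->connect(self::$settings['api_database']);
-$this->api->setDatabase(self::$settings['api_database']);
-}
-
 $this->query = $query;
 
-if(empty(self::$settings)) {
+if(defined('__API_AUTH__')) {
+self::$settings = unserialize(__API_AUTH__);
+if(!empty(self::$settings['api_table'])) {
+self::$api_table = preg_replace('/\s+/', '', self::$settings['api_table']);
+}
+} else {
 return true;
 }
 
-if(!$this->api->checkTable(self::$api_table)) {
+if(!$this->api->tableExists(self::$api_table, self::$settings['api_database'])) {
 $this->createAPITable(); //create the table
 } else {
 $this->checkAPITable();
@@ -129,34 +121,34 @@ public function validate($query) {
 $where_sql = (!empty($where_sql) ? " ($where_sql) AND " : "") . implode(" OR ", $where);
 }
 
-$this->api = API::getInstance();
-$this->db = &$this->api->connect(self::$settings['users']['database']);
+$this->api = API::getInstance();
+$this->users_db = $this->getUsersDatabase();
 
-$sth = $this->db->prepare("SELECT * FROM $users_table WHERE $where_sql");
+$sth = $this->users_db->prepare("SELECT * FROM $users_table WHERE $where_sql");
 foreach($bind_values as $col => $value) {
 $sth->bindParam(":$col", $value);
 }
 
 $sth->execute();
+
 $user_row = $sth->fetch();
 
 $is_valid = $this->hooks->apply_filters('auth_validate_token', !empty($user_row), $user_row);
 
 if($is_valid) {
-$password = strtolower($query['password']);
+$password = $query['password'];
 if($user_row[$users_columns['password']] == $password) {
 $token = $this->generateToken($user_row[$users_columns['id']], $user_row[$users_columns['username']]);
 $this->user_id = $user_row[$users_columns['id']];
 $this->is_admin = !empty($users_columns['admin']) ? $user_row[key(reset($users_columns['admin']))] : false;
 // Render
-$results = array(
+$results = array(
 (object) array(
 "token" => $token,
 ),
 );
-$results = $this->hooks->apply_filters('auth_login', $results);
-$renderer = 'render_' . $query['format'];
-die($this->api->$renderer($results, $query));
+$results = $this->hooks->apply_filters('auth_login', $results);
+die($this->api->render($results));
 }
 }
 Response::error("Invalid authentication!", 401);
@@ -167,6 +159,26 @@ public function validate($query) {
 return false;
 }
 
+/**
+* Get API Database
+* @return PDO
+*/
+public function getAPIDatabase() {
+if(self::$settings['sqlite']) {
+return new PDO('sqlite:' . self::$settings['sqlite_filename'] . '.sqlite');
+}
+
+return $this->api->connect(self::$settings['api_database']);
+}
+
+/**
+* Get Users database
+* @return mixed
+*/
+public function getUsersDatabase() {
+return $this->api->connect(self::$settings['users']['database']);
+}
+
 /**
 * Create database table
 */
@@ -191,6 +203,7 @@ private function createAPITable() {
 * Check database table
 */
 private function checkAPITable() {
+$this->db = $this->getAPIDatabase();
 try {
 $date = date("Y-m-d H:i:s", strtotime('-1 month'));
 $this->db->exec("DELETE FROM " . self::$api_table . " WHERE last_access != date_created AND last_access < '" . $date . "'");
@@ -213,6 +226,8 @@ private function validateToken($token) {
 $users_table = self::$settings['users']['table'];
 $users_columns = self::$settings['users']['columns'];
 
+$this->db = $this->getAPIDatabase();
+
 try {
 $sth = $this->db->prepare("SELECT * FROM " . self::$api_table . " WHERE token = :token");
 $sth->bindParam(':token', $token);
@@ -225,7 +240,7 @@ private function validateToken($token) {
 $auth_bypass = $this->hooks->apply_filters('auth_bypass', $auth_bypass);
 
 // Bypass
-if(!$exists && $auth_bypass && !isset($this->query['force_validation'])) {
+if(!$exists && $auth_bypass && empty($this->query['force_validation'])) {
 $exists = true;
 $token_row = array();
 $token_row['user_id'] = '1';
@@ -234,16 +249,17 @@ private function validateToken($token) {
 
 if($exists) {
 
-$this->api = API::getInstance();
-$this->db = &$this->api->connect(self::$settings['api_database']);
-$sth = $this->db->prepare("SELECT * FROM $users_table WHERE " . $users_columns['id'] . " = :user_id");
+$this->api = API::getInstance();
+$this->users_db = $this->getUsersDatabase();
+$sth = $this->users_db->prepare("SELECT * FROM $users_table WHERE " . $users_columns['id'] . " = :user_id");
 $sth->bindParam(':user_id', $token_row['user_id']);
 
 $sth->execute();
 $user_row = $sth->fetch();
 
 if(!empty($user_row)) {
 
+$this->db = $this->getAPIDatabase();
 $sth = $this->db->prepare("UPDATE " . self::$api_table . " SET last_access = :last_access, counter = :counter WHERE token = :token");
 $last_access = date('Y-m-d H:i:s');
 $counter = $this->needIncrementCounter() ? intval($token_row['counter']) + 1 : intval($token_row['counter']);
@@ -252,8 +268,8 @@ private function validateToken($token) {
 $sth->bindParam(':token', $token);
 $sth->execute();
 
-$this->user = $user_row;
-$this->user_id = $user_row['id'];
+$this->user = $user_row;
+$this->user_id = $user_row['id'];
 if(!empty($users_columns['admin'])) {
 $this->is_admin = (($user_row[key($users_columns['admin'])] == reset($users_columns['admin'])) ? true : false);
 }
@@ -276,6 +292,7 @@ private function validateToken($token) {
 * Check counter
 */
 private function checkCounter() {
+$this->db = $this->getAPIDatabase();
 try {
 $sth = $this->db->prepare("SELECT user_id, user_name, SUM(counter) as counter FROM " . self::$api_table . " GROUP BY user_id, user_name");
 $sth->execute();
@@ -314,6 +331,7 @@ private function checkToken() {
 * @return null|string
 */
 public function generateToken($user_id, $user_name) {
+$this->db = $this->getAPIDatabase();
 try {
 $token = md5(uniqid(rand(), true));
 $sth = $this->db->prepare("INSERT INTO " . self::$api_table . " (token,user_id,user_name,user_agent) VALUES (:token,:user_id,:user_name,:user_agent)");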
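Review bot: The new `$password = $query['password'];` in validate() (third hunk) still feeds a loose `==` against the stored password column on the next line, so the credential is compared as stored — apparently in clear, since the old code lowercased it first — and when both operands happen to look numeric PHP compares them as numbers rather than as strings. Store a hash and check it with `if(password_verify($password, $user_row[$users_columns['password']])) {`, or at minimum use `hash_equals((string) $user_row[$users_columns['password']], (string) $password)` for a strict, constant-time comparison. Separately, the second hunk removes the `$this->db` assignment from validate() and `getAPIDatabase()` is now called at the top of checkAPITable(), validateToken(), checkCounter() and generateToken(), but createAPITable()'s body is outside this diff — if it still uses `$this->db`, the create path now runs with it uninitialised. The new `tableExists(self::$api_table, self::$settings['api_database'])` check also inspects `api_database` even when `self::$settings['sqlite']` is set, whereas getAPIDatabase() then returns a SQLite handle, so the existence check and the later table use may look at different databases in that mode. validate() and validateToken() both continue outside their hunks.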