
Commit 7193e70d authored by Jonas Haraldsson

clean up 1.x/auth-utils.php

parent 5640d95b
...@@ -21,8 +21,15 @@ ...@@ -21,8 +21,15 @@
require_once($_SERVER['DOCUMENT_ROOT'] . '/config.php'); require_once($_SERVER['DOCUMENT_ROOT'] . '/config.php');
require_once($install_path . 'database.php'); require_once($install_path . 'database.php');
function check_web_auth($username, $token, $timestamp, $api_key, $sk) { /**
// Validates authentication using a web services token * Validate authentication using a web services token.
*
* @param string $username User name.
* @param string $api_key 32 character API key.
* @param string $sk Web services token.
* @return bool
*/
function check_web_auth($username, $api_key, $sk) {
global $adodb; global $adodb;
// Using the valid_api_key function from nixtape/2.0/index.php would be appropriate here // Using the valid_api_key function from nixtape/2.0/index.php would be appropriate here
...@@ -30,11 +37,9 @@ function check_web_auth($username, $token, $timestamp, $api_key, $sk) { ...@@ -30,11 +37,9 @@ function check_web_auth($username, $token, $timestamp, $api_key, $sk) {
return false; return false;
} }
$adodb->SetFetchMode(ADODB_FETCH_ASSOC); // this query should get the uniqueid and then return it on success $query = 'SELECT username FROM Auth WHERE sk = ?';
$result = $adodb->GetOne('SELECT username FROM Auth WHERE ' $params = array($sk);
//. 'expires > ' . time() . ' AND ' // session keys have an infinite lifetime $result = $adodb->GetOne($query, $params);
. 'sk = ' . $adodb->qstr($sk)
);
if (!$result) { if (!$result) {
// TODO: Log failures somewhere // TODO: Log failures somewhere
return false; return false;
...@@ -43,12 +48,21 @@ function check_web_auth($username, $token, $timestamp, $api_key, $sk) { ...@@ -43,12 +48,21 @@ function check_web_auth($username, $token, $timestamp, $api_key, $sk) {
return $result == $username; return $result == $username;
} }
/**
* Validates authentication using a standard authentication token.
*
* @param string $username User name.
* @param string $token Token.
* @param int $timestamp Timestamp in seconds since Epoch.
* @return bool
*/
function check_standard_auth($username, $token, $timestamp) { function check_standard_auth($username, $token, $timestamp) {
// Validates authentication using a standard authentication token // Validates authentication using a standard authentication token
global $adodb; global $adodb;
$adodb->SetFetchMode(ADODB_FETCH_ASSOC); // this query should get the uniqueid and then return it on success $query = 'SELECT password FROM Users WHERE lower(username) = lower(?)';
$pass = $adodb->GetOne('SELECT password FROM Users WHERE lower(username) = lower(' . $adodb->qstr($username) . ')'); $params = array($username);
$pass = $adodb->GetOne($query, $params);
if (!$pass) { if (!$pass) {
// TODO: Log failures somewhere // TODO: Log failures somewhere
return false; return false;
...@@ -60,15 +74,17 @@ function check_standard_auth($username, $token, $timestamp) { ...@@ -60,15 +74,17 @@ function check_standard_auth($username, $token, $timestamp) {
} }
/** /**
* Checks if the session is still valid. Assumes $sessionID is already quoted. * Checks if the session is still valid.
*
* @param $sessionid Scrobble session id.
* @return bool True if session exists and is still valid.
*/ */
function check_session($sessionID) { function check_session($sessionid) {
global $adodb; global $adodb;
$session = $adodb->GetOne('SELECT expires from Scrobble_Sessions WHERE sessionid = ' . $sessionID); $query = 'SELECT expires FROM Scrobble_Sessions WHERE sessionid = ? AND expires >= ?';
if (!$session) { $params = array($sessionid, time());
return(false); $session = $adodb->GetOne($query, $params);
}
return($session >= time()); return (bool) $session;
} }
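Review bot: The web-services check still ends in `return $result == $username;` (the context line in the third hunk), so a loose comparison decides authentication: PHP compares two numeric-looking strings numerically, so a stored username of `'01'` would be accepted for a request naming `'1'`. Both operands are strings from the database and the request, so `return $result === $username;` is the safer form, and the same applies to any other `==` on credentials in this file. The new query in the first hunk also drops the old inline note explaining that session keys are deliberately never expired; keeping it as `// session keys have no expiry, so no 'expires' condition here` preserves that intent for the next reader. In the last hunk the new docblock's `@param $sessionid` carries no type; `@param string $sessionid Scrobble session id.` would match the other docblocks. check_web_auth's body continues past the hunk edges, so the api_key validation itself is not visible here.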
...@@ -30,7 +30,7 @@ if (!isset($_POST['s']) || !isset($_POST['a']) || !isset($_POST['t'])) { ...@@ -30,7 +30,7 @@ if (!isset($_POST['s']) || !isset($_POST['a']) || !isset($_POST['t'])) {
} }
$sessionid = trim($_POST['s']); $sessionid = trim($_POST['s']);
if (!check_session($adodb->qstr($sessionid))) { if (!check_session($sessionid)) {
die("BADSESSION\n"); die("BADSESSION\n");
} }
...@@ -49,7 +49,7 @@ if (abs($timestamp - time()) > 300) { ...@@ -49,7 +49,7 @@ if (abs($timestamp - time()) > 300) {
} }
if (isset($_REQUEST['api_key']) && isset($_REQUEST['sk'])) { if (isset($_REQUEST['api_key']) && isset($_REQUEST['sk'])) {
$authed = check_web_auth($username, $auth_token, $timestamp, $_REQUEST['api_key'], $_REQUEST['sk']); $authed = check_web_auth($username, $_REQUEST['api_key'], $_REQUEST['sk']);
} else { } else {
$authed = check_standard_auth($username, $auth_token, $timestamp); $authed = check_standard_auth($username, $auth_token, $timestamp);
} }
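Review bot: `$_REQUEST['api_key']` and `$_REQUEST['sk']` are passed straight into check_web_auth and neither is checked to be a string, so a request that submits either field as an array hands an array to the query binding; the new signature has no type declarations that would reject it. A guard before the call, `if (!is_string($_REQUEST['api_key']) || !is_string($_REQUEST['sk'])) { $authed = false; } else { $authed = check_web_auth(...); }`, or an `is_string` check at the top of check_web_auth, would close that. `$_REQUEST` also merges GET, POST and cookie input, so which source supplied the key cannot be told from this line. The `if`/`else` is complete here, but the rest of the handler lies outside the hunk.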