Properly abort API calls if api_key is invalid
* Fixes an issue where any api_key would be validated * Now returns user ID upon success, aborts script processing with error on fail
This commit is contained in:
Sebastian Grewe
parent
ee01bd0df0
commit
69b2c2f517
@ -232,10 +232,13 @@ class User {
|
||||
**/
|
||||
public function checkApiKey($key) {
|
||||
$this->debug->append("STA " . __METHOD__, 4);
|
||||
$stmt = $this->mysqli->prepare("SELECT api_key FROM $this->table WHERE api_key = ?");
|
||||
if ($this->checkStmt($stmt) && $stmt->bind_param("s", $key) && $stmt->execute() && $stmt->bind_result($api_key) && $stmt->fetch())
|
||||
return $key === $api_key;
|
||||
return false;
|
||||
$stmt = $this->mysqli->prepare("SELECT api_key, id FROM $this->table WHERE api_key = ? LIMIT 1");
|
||||
if ($this->checkStmt($stmt) && $stmt->bind_param("s", $key) && $stmt->execute() && $stmt->bind_result($api_key, $id) && $stmt->fetch()) {
|
||||
if ($api_key === $key)
|
||||
return $id;
|
||||
}
|
||||
header("HTTP/1.1 401 Unauthorized");
|
||||
die('Access denied');
|
||||
}
|
||||
|
||||
private function checkUserPassword($username, $password) {
|
||||
@ -326,12 +329,12 @@ class User {
|
||||
$stmt = $this->mysqli->prepare("
|
||||
INSERT INTO $this->table (username, pass, email, pin, api_key)
|
||||
VALUES (?, ?, ?, ?, ?)
|
||||
");
|
||||
");
|
||||
} else {
|
||||
$stmt = $this->mysqli->prepare("
|
||||
INSERT INTO $this->table (username, pass, email, pin, api_key, admin)
|
||||
VALUES (?, ?, ?, ?, ?, 1)
|
||||
");
|
||||
");
|
||||
}
|
||||
if ($this->checkStmt($stmt)) {
|
||||
$stmt->bind_param('sssss', $username, hash("sha256", $password1.$this->salt), $email1, hash("sha256", $pin.$this->salt), $apikey);
|
||||
@ -393,14 +396,14 @@ class User {
|
||||
$headers .= "MIME-Version: 1.0\n";
|
||||
$headers .= "Content-Type: text/html; charset=ISO-8859-1\r\n";
|
||||
if (mail($email,
|
||||
$smarty->fetch('templates/mail/subject.tpl'),
|
||||
$smarty->fetch('templates/mail/body.tpl'),
|
||||
$headers)) {
|
||||
return true;
|
||||
} else {
|
||||
$this->setErrorMessage("Unable to send mail to your address");
|
||||
return false;
|
||||
}
|
||||
$smarty->fetch('templates/mail/subject.tpl'),
|
||||
$smarty->fetch('templates/mail/body.tpl'),
|
||||
$headers)) {
|
||||
return true;
|
||||
} else {
|
||||
$this->setErrorMessage("Unable to send mail to your address");
|
||||
return false;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
@ -5,7 +5,7 @@ if (!defined('SECURITY'))
|
||||
die('Hacking attempt');
|
||||
|
||||
// Check for valid API key
|
||||
$user->checkApiKey($_REQUEST['api_key']);
|
||||
$id = $user->checkApiKey($_REQUEST['api_key']);
|
||||
|
||||
header('HTTP/1.1 400 Bad Request');
|
||||
die('400 Bad Request');
|
||||
|
||||
@ -5,7 +5,7 @@ if (!defined('SECURITY'))
|
||||
die('Hacking attempt');
|
||||
|
||||
// Check user token
|
||||
$user->checkApiKey($_REQUEST['api_key']);
|
||||
$id = $user->checkApiKey($_REQUEST['api_key']);
|
||||
|
||||
if ($bitcoin->can_connect() === true){
|
||||
if (!$iBlock = $memcache->get('iBlock')) {
|
||||
|
||||
@ -5,7 +5,7 @@ if (!defined('SECURITY'))
|
||||
die('Hacking attempt');
|
||||
|
||||
// Check user token
|
||||
$user->checkApiKey($_REQUEST['api_key']);
|
||||
$id = $user->checkApiKey($_REQUEST['api_key']);
|
||||
|
||||
// Set a sane limit, overwrite with URL parameter
|
||||
$iLimit = 10;
|
||||
|
||||
@ -5,7 +5,7 @@ if (!defined('SECURITY'))
|
||||
die('Hacking attempt');
|
||||
|
||||
// Check user token
|
||||
$user->checkApiKey($_REQUEST['api_key']);
|
||||
$id = $user->checkApiKey($_REQUEST['api_key']);
|
||||
|
||||
// Output JSON format
|
||||
echo json_encode(array('getcurrentworkers' => $worker->getCountAllActiveWorkers()));
|
||||
|
||||
@ -5,7 +5,7 @@ if (!defined('SECURITY'))
|
||||
die('Hacking attempt');
|
||||
|
||||
// Check user token
|
||||
$user->checkApiKey($_REQUEST['api_key']);
|
||||
$id = $user->checkApiKey($_REQUEST['api_key']);
|
||||
|
||||
// Fetch data from litecoind
|
||||
if ($bitcoin->can_connect() === true){
|
||||
|
||||
@ -5,7 +5,7 @@ if (!defined('SECURITY'))
|
||||
die('Hacking attempt');
|
||||
|
||||
// Check user token
|
||||
$user->checkApiKey($_REQUEST['api_key']);
|
||||
$id = $user->checkApiKey($_REQUEST['api_key']);
|
||||
|
||||
// Estimated time to find the next block
|
||||
$iCurrentPoolHashrate = $statistics->getCurrentHashrate() * 1000;
|
||||
|
||||
@ -5,7 +5,7 @@ if (!defined('SECURITY'))
|
||||
die('Hacking attempt');
|
||||
|
||||
// Check user token
|
||||
$user->checkApiKey($_REQUEST['api_key']);
|
||||
$id = $user->checkApiKey($_REQUEST['api_key']);
|
||||
|
||||
// Output JSON format
|
||||
echo json_encode(array('getpoolhashrate' => $statistics->getCurrentHashrate()));
|
||||
|
||||
@ -5,7 +5,7 @@ if (!defined('SECURITY'))
|
||||
die('Hacking attempt');
|
||||
|
||||
// Check user token
|
||||
$user->checkApiKey($_REQUEST['api_key']);
|
||||
$id = $user->checkApiKey($_REQUEST['api_key']);
|
||||
|
||||
// Output JSON format
|
||||
echo json_encode(array('getpoolsharerate' => $statistics->getCurrentShareRate()));
|
||||
|
||||
@ -5,7 +5,7 @@ if (!defined('SECURITY'))
|
||||
die('Hacking attempt');
|
||||
|
||||
// Check user token
|
||||
$user->checkApiKey($_REQUEST['api_key']);
|
||||
$id = $user->checkApiKey($_REQUEST['api_key']);
|
||||
|
||||
// Fetch our last block found
|
||||
$aBlocksFoundData = $statistics->getBlocksFound(1);
|
||||
|
||||
Loading…
Reference in New Issue
Block a user