diff --git a/public/include/classes/user.class.php b/public/include/classes/user.class.php
index abae79d4..120014e4 100644
--- a/public/include/classes/user.class.php
+++ b/public/include/classes/user.class.php
@@ -232,10 +232,13 @@ class User {
 **/
 public function checkApiKey($key) {
 $this->debug->append("STA " . __METHOD__, 4);
- $stmt = $this->mysqli->prepare("SELECT api_key FROM $this->table WHERE api_key = ?");
- if ($this->checkStmt($stmt) && $stmt->bind_param("s", $key) && $stmt->execute() && $stmt->bind_result($api_key) && $stmt->fetch())
- return $key === $api_key;
- return false;
+ $stmt = $this->mysqli->prepare("SELECT api_key, id FROM $this->table WHERE api_key = ? LIMIT 1");
+ if ($this->checkStmt($stmt) && $stmt->bind_param("s", $key) && $stmt->execute() && $stmt->bind_result($api_key, $id) && $stmt->fetch()) {
+ if ($api_key === $key)
+ return $id;
+ }
+ header("HTTP/1.1 401 Unauthorized");
+ die('Access denied');
 }
 
 private function checkUserPassword($username, $password) {
@@ -326,12 +329,12 @@ class User {
 $stmt = $this->mysqli->prepare("
 INSERT INTO $this->table (username, pass, email, pin, api_key)
 VALUES (?, ?, ?, ?, ?)
- ");
+ ");
 } else {
 $stmt = $this->mysqli->prepare("
 INSERT INTO $this->table (username, pass, email, pin, api_key, admin)
 VALUES (?, ?, ?, ?, ?, 1)
- ");
+ ");
 }
 if ($this->checkStmt($stmt)) {
 $stmt->bind_param('sssss', $username, hash("sha256", $password1.$this->salt), $email1, hash("sha256", $pin.$this->salt), $apikey);
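Review bot: checkApiKey() now terminates the request itself with `header("HTTP/1.1 401 Unauthorized"); die('Access denied');` from inside the User model, so a failed prepare()/checkStmt() or execute() is reported to the client as a rejected key rather than a server error, and no caller can log or handle the two cases differently. Throwing an exception here (or keeping the old boolean return and letting the api pages send the 401) keeps the model testable and separates DB failure from key rejection. The strict `$api_key === $key` re-check after the WHERE match is worth keeping, since a case-insensitive column collation could match a key that differs only in case, but `===` is not a constant-time comparison; `if (hash_equals($api_key, $key))` is the drop-in where PHP 5.6+ is available. The method's docblock begins outside the hunk and presumably still describes a boolean check; it should state that the return value is now the matching user's id and that an unmatched key ends the request with 401.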
@@ -393,14 +396,14 @@ class User {
 $headers .= "MIME-Version: 1.0\n";
 $headers .= "Content-Type: text/html; charset=ISO-8859-1\r\n";
 if (mail($email,
- $smarty->fetch('templates/mail/subject.tpl'),
- $smarty->fetch('templates/mail/body.tpl'),
- $headers)) {
- return true;
- } else {
- $this->setErrorMessage("Unable to send mail to your address");
- return false;
- }
+ $smarty->fetch('templates/mail/subject.tpl'),
+ $smarty->fetch('templates/mail/body.tpl'),
+ $headers)) {
+ return true;
+ } else {
+ $this->setErrorMessage("Unable to send mail to your address");
+ return false;
+ }
 return false;
 }
 }
diff --git a/public/include/pages/api.inc.php b/public/include/pages/api.inc.php
index 3b4d3858..c2e64a60 100644
--- a/public/include/pages/api.inc.php
+++ b/public/include/pages/api.inc.php
@@ -5,7 +5,7 @@
 if (!defined('SECURITY')) die('Hacking attempt');
 
 // Check for valid API key
-$user->checkApiKey($_REQUEST['api_key']);
+$id = $user->checkApiKey($_REQUEST['api_key']);
 
 header('HTTP/1.1 400 Bad Request');
 die('400 Bad Request');
diff --git a/public/include/pages/api/getblockcount.inc.php b/public/include/pages/api/getblockcount.inc.php
index f3a6779f..2cbd06a5 100644
--- a/public/include/pages/api/getblockcount.inc.php
+++ b/public/include/pages/api/getblockcount.inc.php
@@ -5,7 +5,7 @@
 if (!defined('SECURITY')) die('Hacking attempt');
 
 // Check user token
-$user->checkApiKey($_REQUEST['api_key']);
+$id = $user->checkApiKey($_REQUEST['api_key']);
 
 if ($bitcoin->can_connect() === true){
 if (!$iBlock = $memcache->get('iBlock')) {
diff --git a/public/include/pages/api/getblocksfound.inc.php b/public/include/pages/api/getblocksfound.inc.php
index 67cd6ab7..00883dad 100644
--- a/public/include/pages/api/getblocksfound.inc.php
+++ b/public/include/pages/api/getblocksfound.inc.php
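Review bot: `$id` is assigned from checkApiKey() in api.inc.php but the two lines that follow (`header('HTTP/1.1 400 Bad Request'); die('400 Bad Request');`) never read it, and the same assignment in getblockcount, getblocksfound, getcurrentworkers, getdifficulty, getestimatedtime, getpoolhashrate, getpoolsharerate and gettimesincelastblock is not used by any line visible in those hunks either; if the id is meant for later per-user lookups, a comment such as `// $id: id of the user owning this API key (request already aborted with 401 on mismatch)` would explain why it is kept. `$_REQUEST['api_key']` raises an undefined-index notice when the parameter is absent and also accepts the key from a cookie; reading it as `isset($_GET['api_key']) ? $_GET['api_key'] : ''` before the call (or `$_REQUEST` if cookie delivery is intentional) avoids the notice and makes the accepted source explicit. The remainder of each page is outside the hunks, so later uses of `$id` there cannot be ruled out.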
@@ -5,7 +5,7 @@
 if (!defined('SECURITY')) die('Hacking attempt');
 
 // Check user token
-$user->checkApiKey($_REQUEST['api_key']);
+$id = $user->checkApiKey($_REQUEST['api_key']);
 
 // Set a sane limit, overwrite with URL parameter
 $iLimit = 10;
diff --git a/public/include/pages/api/getcurrentworkers.inc.php b/public/include/pages/api/getcurrentworkers.inc.php
index 2f0a3241..4e26cc1c 100644
--- a/public/include/pages/api/getcurrentworkers.inc.php
+++ b/public/include/pages/api/getcurrentworkers.inc.php
@@ -5,7 +5,7 @@
 if (!defined('SECURITY')) die('Hacking attempt');
 
 // Check user token
-$user->checkApiKey($_REQUEST['api_key']);
+$id = $user->checkApiKey($_REQUEST['api_key']);
 
 // Output JSON format
 echo json_encode(array('getcurrentworkers' => $worker->getCountAllActiveWorkers()));
diff --git a/public/include/pages/api/getdifficulty.inc.php b/public/include/pages/api/getdifficulty.inc.php
index 60c0f111..9d2aa7a2 100644
--- a/public/include/pages/api/getdifficulty.inc.php
+++ b/public/include/pages/api/getdifficulty.inc.php
@@ -5,7 +5,7 @@
 if (!defined('SECURITY')) die('Hacking attempt');
 
 // Check user token
-$user->checkApiKey($_REQUEST['api_key']);
+$id = $user->checkApiKey($_REQUEST['api_key']);
 
 // Fetch data from litecoind
 if ($bitcoin->can_connect() === true){
diff --git a/public/include/pages/api/getestimatedtime.inc.php b/public/include/pages/api/getestimatedtime.inc.php
index 6bc76881..a48393fa 100644
--- a/public/include/pages/api/getestimatedtime.inc.php
+++ b/public/include/pages/api/getestimatedtime.inc.php
@@ -5,7 +5,7 @@
 if (!defined('SECURITY')) die('Hacking attempt');
 
 // Check user token
-$user->checkApiKey($_REQUEST['api_key']);
+$id = $user->checkApiKey($_REQUEST['api_key']);
 
 // Estimated time to find the next block
 $iCurrentPoolHashrate = $statistics->getCurrentHashrate() * 1000;
diff --git a/public/include/pages/api/getpoolhashrate.inc.php b/public/include/pages/api/getpoolhashrate.inc.php
index 996d1ce2..6f6763ec 100644
--- a/public/include/pages/api/getpoolhashrate.inc.php
+++ b/public/include/pages/api/getpoolhashrate.inc.php
@@ -5,7 +5,7 @@
 if (!defined('SECURITY')) die('Hacking attempt');
 
 // Check user token
-$user->checkApiKey($_REQUEST['api_key']);
+$id = $user->checkApiKey($_REQUEST['api_key']);
 
 // Output JSON format
 echo json_encode(array('getpoolhashrate' => $statistics->getCurrentHashrate()));
diff --git a/public/include/pages/api/getpoolsharerate.inc.php b/public/include/pages/api/getpoolsharerate.inc.php
index 980c0ba3..8e9117f1 100644
--- a/public/include/pages/api/getpoolsharerate.inc.php
+++ b/public/include/pages/api/getpoolsharerate.inc.php
@@ -5,7 +5,7 @@
 if (!defined('SECURITY')) die('Hacking attempt');
 
 // Check user token
-$user->checkApiKey($_REQUEST['api_key']);
+$id = $user->checkApiKey($_REQUEST['api_key']);
 
 // Output JSON format
 echo json_encode(array('getpoolsharerate' => $statistics->getCurrentShareRate()));
diff --git a/public/include/pages/api/gettimesincelastblock.inc.php b/public/include/pages/api/gettimesincelastblock.inc.php
index f80c55ce..532da6bd 100644
--- a/public/include/pages/api/gettimesincelastblock.inc.php
+++ b/public/include/pages/api/gettimesincelastblock.inc.php
@@ -5,7 +5,7 @@
 if (!defined('SECURITY')) die('Hacking attempt');
 
 // Check user token
-$user->checkApiKey($_REQUEST['api_key']);
+$id = $user->checkApiKey($_REQUEST['api_key']);
 
 // Fetch our last block found
 $aBlocksFoundData = $statistics->getBlocksFound(1);