iarv/Piwigo
1
0
Fork 0
mirror of https://github.com/Piwigo/Piwigo.git synced 2026-03-28 17:42:57 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
5d518e583d5dd471a2353c3e340c7e0c5c8921f6
Piwigo/include/user.inc.php
Linty ae740ba3af fixes #2355 implement API key management system 
- Added API key get, creation, editing, and revocation methods.

- Updated the profile template to include API key management features.

- Updated the database schema to support the new API key system, including additional fields for key management.

- Added client-side JavaScript functionality to handle API key operations and display responses.

- Update tools/htm.ws with the new way to authenticate.

- Restriction of certain api methods when used with an api key

- Backward compatibility with older apps
2025-06-09 20:35:57 +02:00

136 lines
3.3 KiB
PHP
Raw Blame History

<?php
// +-----------------------------------------------------------------------+
// | This file is part of Piwigo. |
// | |
// | For copyright and license information, please view the COPYING.txt |
// | file that was distributed with this source code. |
// +-----------------------------------------------------------------------+
// by default we start with guest
$user['id'] = $conf['guest_id'];
if (isset($_COOKIE[session_name()]))
{
if (isset($_GET['act']) and $_GET['act'] == 'logout')
{ // logout
logout_user();
redirect(get_gallery_home_url());
}
elseif (!empty($_SESSION['pwg_uid']))
{
$user['id'] = $_SESSION['pwg_uid'];
}
}
// Now check the auto-login
if ( $user['id']==$conf['guest_id'] )
{
auto_login();
}
// using Apache authentication override the above user search
if ($conf['apache_authentication'])
{
$remote_user = null;
foreach (array('REMOTE_USER', 'REDIRECT_REMOTE_USER') as $server_key)
{
if (isset($_SERVER[$server_key]))
{
$remote_user = $_SERVER[$server_key];
break;
}
}
if (isset($remote_user))
{
if (!($user['id'] = get_userid($remote_user)))
{
$user['id'] = register_user($remote_user, '', '', false);
}
}
}
// automatic login by authentication key
if (isset($_GET['auth']))
{
auth_key_login($_GET['auth']);
}
// HTTP_AUTHORIZATION api_key
if (
defined('IN_WS')
and isset($_SERVER['HTTP_AUTHORIZATION'])
and !empty($_SERVER['HTTP_AUTHORIZATION'])
and isset($_REQUEST['method'])
)
{
$auth_header = pwg_db_real_escape_string($_SERVER['HTTP_AUTHORIZATION']) ?? null;
if ($auth_header)
{
$authenticate = auth_key_login($auth_header, true);
if (!$authenticate)
{
include_once(PHPWG_ROOT_PATH.'include/ws_init.inc.php');
$service->sendResponse(new PwgError(401, 'Invalid api_key'));
exit;
}
define('PWG_API_KEY_REQUEST', true);
// set pwg_token for api_key request
if (isset($_POST['pwg_token']))
{
$_POST['pwg_token'] = get_pwg_token();
}
if (isset($_GET['pwg_token']))
{
$_GET['pwg_token'] = get_pwg_token();
}
// logger
global $logger;
$logger->info('[api_key][pkid='.explode(':', $auth_header)[0].'][method='.$_REQUEST['method'].']');
}
}
if (
defined('IN_WS')
and isset($_REQUEST['method'])
and 'pwg.images.uploadAsync' == $_REQUEST['method']
and isset($_POST['username'])
and isset($_POST['password'])
)
{
if (!try_log_user($_POST['username'], $_POST['password'], false))
{
include_once(PHPWG_ROOT_PATH.'include/ws_init.inc.php');
$service->sendResponse(new PwgError(999, 'Invalid username/password'));
exit();
}
$_SESSION['connected_with'] = 'pwg.images.uploadAsync';
}
$page['user_use_cache'] = true;
if (defined('IN_ADMIN') and IN_ADMIN)
{
$page['user_use_cache'] = false;
}
elseif (
isset($_REQUEST['method'])
and isset($_SERVER['HTTP_REFERER'])
and preg_match('/\/admin\.php\?page=/', $_SERVER['HTTP_REFERER'])
)
{
$page['user_use_cache'] = false;
}
$user = build_user( $user['id'], $page['user_use_cache']);
if ($conf['browser_language'] and (is_a_guest() or is_generic()) and $language = get_browser_language())
{
$user['language'] = $language;
}
trigger_notify('user_init', $user);
?>
Reference in New Issue View Git Blame Copy Permalink