From c961bc2c883423beddb22aef1096635a8a11cba6 Mon Sep 17 00:00:00 2001
From: xinatorus
Date: Mon, 25 May 2020 21:21:38 +0200
Subject: [PATCH] auth fix

---
 .htaccess | 2 +-
 app/models/managers/AuthManager.php | 5 +++--
 library/ApiController.php | 2 +-
 public/.htaccess | 6 +++++-
 4 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/.htaccess b/.htaccess
index 71ae402..20d82ef 100644
--- a/.htaccess
+++ b/.htaccess
@@ -5,7 +5,7 @@ RewriteCond %{HTTPS} off
 RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
 
 #token to HTTP_AUTHORIZATION
-RewriteCond %{HTTP:Authorization} ^(.)
+RewriteCond %{HTTP:Authorization} ^(.*)
 RewriteRule . - [e=HTTP_AUTHORIZATION:%1]
 
 # serve all files from public subfolder
diff --git a/app/models/managers/AuthManager.php b/app/models/managers/AuthManager.php
index 590c4e8..a03ea4d 100644
--- a/app/models/managers/AuthManager.php
+++ b/app/models/managers/AuthManager.php
@@ -52,8 +52,9 @@ class AuthManager {
     }
 
     public function validateToken($token){
-        $tokens = Db::loadAll('SELECT * FROM tokens WHERE token = ? AND expire >= CURRENT_TIMESTAMP AND blocked = 0;', array($token));
-        if (count($tokens) == 1) {
+        list($type, $hash) = explode(' ', $token);
+        $tokens = Db::loadAll('SELECT * FROM tokens WHERE token = ? AND expire >= CURRENT_TIMESTAMP AND blocked = 0;', array($hash));
+        if ($type == 'Bearer' && count($tokens) == 1) {
             return true;
         } else if (count($tokens) == 0) {
             return false;
diff --git a/library/ApiController.php b/library/ApiController.php
index c5026cc..4d85919 100644
--- a/library/ApiController.php
+++ b/library/ApiController.php
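Review bot: `RewriteCond %{HTTP:Authorization} ^(.*)` also matches when no Authorization header is sent, so the rule exports HTTP_AUTHORIZATION as an empty string on every request; downstream, the `isset($_SERVER['HTTP_AUTHORIZATION'])` guard in ApiController is true for an empty string, so requests carrying no credentials enter the token-validation path with "" instead of being treated as unauthenticated (this assumes Apache exposes the empty E= value to PHP, which is the usual behaviour). Requiring at least one character keeps the original intent of copying a header only when one is present: `RewriteCond %{HTTP:Authorization} ^(.+)`. The same pattern is added to public/.htaccess in this commit and should change there as well.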
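Review bot: `list($type, $hash) = explode(' ', $token);` assumes the header value contains exactly one space; a value with no space leaves `$hash` undefined (a PHP notice, then a lookup with null), and a value with additional spaces silently truncates the credential, so the split needs a limit and a part-count check before either piece is used. The scheme check `$type == 'Bearer'` is also evaluated only after the database round-trip, and when the scheme differs but one row matched, neither the `return true` branch nor the `count($tokens) == 0` branch fires and control falls through to whatever follows the hunk; gating on the scheme first avoids both (RFC 7235 treats the auth-scheme token as case-insensitive, hence strcasecmp below). validateToken's remaining branches continue past the end of the hunk.
```php
    public function validateToken($token){
        // Expect "<scheme> <credentials>"; reject anything else before touching the DB.
        $parts = explode(' ', $token, 2);
        if (count($parts) !== 2 || strcasecmp($parts[0], 'Bearer') !== 0 || $parts[1] === '') {
            return false;
        }
        $tokens = Db::loadAll('SELECT * FROM tokens WHERE token = ? AND expire >= CURRENT_TIMESTAMP AND blocked = 0;', array($parts[1]));
        if (count($tokens) == 1) {
        // … unchanged: remaining branches …
```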
@@ -20,7 +20,7 @@ class ApiController {
         if (isset($_SERVER['HTTP_AUTHORIZATION'])) {
             // TODO: call appropriate class/method
             $authManager = new AuthManager();
-            $this->authenticated = $authManager>validateToken($_SERVER['HTTP_AUTHORIZATION']);
+            $this->authenticated = $authManager->validateToken($_SERVER['HTTP_AUTHORIZATION']);
             if(!$this->authenticated){
                 throw new Exception("Authorization required", 401);
             }
diff --git a/public/.htaccess b/public/.htaccess
index 0668858..3ad65e5 100644
--- a/public/.htaccess
+++ b/public/.htaccess
@@ -7,9 +7,13 @@ RewriteCond %{REQUEST_FILENAME} !.css
 RewriteCond %{REQUEST_FILENAME} !.js
 RewriteRule (.*) ./index.php?url=$1 [QSA,L]
 
+#token to HTTP_AUTHORIZATION
+RewriteCond %{HTTP:Authorization} ^(.*)
+RewriteRule . - [e=HTTP_AUTHORIZATION:%1]
+
 RewriteCond %{HTTPS} off
 RewriteCond %{REQUEST_FILENAME} !api.php
 RewriteCond %{REQUEST_FILENAME} !apiFront.php
 RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
-AddType application/x-httpd-php .php .phtml
\ No newline at end of file
+AddType application/x-httpd-php .php .phtml
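Review bot: The corrected call passes `$_SERVER['HTTP_AUTHORIZATION']` straight through, but the surrounding `isset(...)` guard is true for an empty string, which is what the `^(.*)` rewrite rules in this commit export when no Authorization header is sent; the "no credentials" case is then handled only indirectly, by validateToken rejecting "". Checking for a non-empty value makes that case explicit and keeps a missing header out of the token lookup: `if (isset($_SERVER['HTTP_AUTHORIZATION']) && $_SERVER['HTTP_AUTHORIZATION'] !== '') {`. The enclosing method starts and ends outside the hunk, so what `$this->authenticated` holds when the header is absent and the block is skipped is not visible here and should be confirmed to default to false.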
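Review bot: The new export block is placed below `RewriteRule (.*) ./index.php?url=$1 [QSA,L]`, whose `L` flag ends the current rewrite pass in a per-directory context, so for a request that rule matches the `[e=HTTP_AUTHORIZATION:%1]` rule only runs on the internal redirect that follows, and variables carried over between passes are renamed with a REDIRECT_ prefix; whether PHP ends up seeing HTTP_AUTHORIZATION or REDIRECT_HTTP_AUTHORIZATION therefore depends on which pass sets it. Placing the two lines before the index.php rule removes that dependency and is cheap to do; whichever order is kept, the `^(.+)` change suggested for the root .htaccess applies here too. Separately, the pre-existing context lines exempt api.php and apiFront.php from the HTTPS redirect, so tokens sent to those endpoints can travel over plain HTTP; that is outside this change but worth a follow-up.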