api - login/out possible

2020-09-22 18:01:00 +02:00
parent 9371acec8c
commit cb840a8451
11 changed files with 602 additions and 11 deletions
--- a/api/.htaccess_example
+++ b/api/.htaccess_example
@@ -0,0 +1,8 @@
+RewriteEngine on
+# root directory:
+RewriteBase /projects/RegattenApp/api/
+
+
+
+# Show site
+RewriteRule ^(.*)$ index.php?request=$1 [QSA]
--- a/api/config_example.php
+++ b/api/config_example.php
@@ -0,0 +1,44 @@
+<?php
+	
+	// DATABASE Credentials
+	define('DB_USER', 'regattenwebsite');
+	define('DB_PASS', 'RBpOv4YYtZKWIGcN');
+	define('DB_HOST', 'localhost');
+	define('DB_DATABASE', 'regattenwebsite');
+	
+	define('DB_CHANGE_TIME', true);
+	define('DB_USE_UTF8', true);  // use utf-8 in DB requests
+	
+	// DATABASE Table names
+	define('DB_TABLE_USERS', 'users');
+	define('DB_TABLE_LOGINS', 'logins');
+	define('DB_TABLE_KEEPLOGGEDIN', 'keeploggedin');
+	define('DB_TABLE_RESET', 'rstpw');
+	
+	define('DB_TABLE_CLUBS', 'regatta_clubs');
+	define('DB_TABLE_SUFFIX_BOATS', '_boats');
+	define('DB_TABLE_SUFFIX_SAILORS', '_sailors');
+	define('DB_TABLE_SUFFIX_PLANNING', '_planning');
+	define('DB_TABLE_SUFFIX_REGATTAS', '_regattas');
+	define('DB_TABLE_SUFFIX_RESULTS', '_results');
+	define('DB_TABLE_TRIM_BOATS', 'trim_boats');
+	define('DB_TABLE_TRIM_USERS', 'trim_users');
+	define('DB_TABLE_TRIM_TRIMS', 'trim_trims');
+	define('DB_TABLE_NEWS', 'news');
+	define('DB_TABLE_UPDATETIMES', '_updatetimes');
+	
+	// PERMISSIONS
+	define('PERM_ALL', 0);
+	define('PERM_REGISTERED', 1);
+	define('PERM_READ', 2);
+	define('PERM_WRITE', 4);
+	define('PERM_ADMIN', 8);
+	
+	// OUTGOING MAILS - Credentials for outgoing mails
+	define('MAIL_SMTP_HOST', 'ssl://ostertun.net');               // SMTP Server address
+	define('MAIL_SMTP_PORT', 465);                       // port to use
+	define('MAIL_FROM_ADDRESS', 'no-reply@regatten.net');  // address to send mails from
+	define('MAIL_USERNAME', MAIL_FROM_ADDRESS);             // if true: username
+	define('MAIL_PASSWORD', 'pVc05j_3');                    //  & password
+	
+?>
--- a/api/database.php
+++ b/api/database.php
@@ -0,0 +1,157 @@
+<?php
+	
+	/*
+		
+		Mysql Database Support
+		----------------------
+		
+		Required defines:
+		- DB_HOST (STRING)
+		- DB_USER (STRING)
+		- DB_PASS (STRING)
+		- DB_DATABASE (STRING)
+		- DB_USE_UTF8 (BOOL)
+		- DB_CHANGE_TIME (BOOL)
+		
+		Required functions:
+		- logE (in /_global/log.php)
+		
+	*/
+	
+	$mysqli = mysqli_connect(DB_HOST, DB_USER, DB_PASS);
+	
+	if ($mysqli === false) {
+		logE("database", "Could not connect to database\n" . mysqli_connect_error);
+		die('Error: Could not connect to database');
+	}
+	
+	mysqli_select_db($mysqli, DB_DATABASE);
+	if (DB_USE_UTF8) {
+		mysqli_set_charset($mysqli, 'utf8');
+	}
+	
+	function db_get_data($mysqli, $table, $fields = '*', $where = false, $limit = false) {
+		$rest = '';
+		if ($where != false) {
+			$rest .= ' WHERE ' . $where;
+		}
+		if ($limit != false) {
+			$rest .= sprintf(' LIMIT %d', $limit);
+		}
+		$query = 'SELECT ' . $fields . ' FROM ' . mysqli_real_escape_string($mysqli, $table) . $rest . ';';
+		$response = mysqli_query($mysqli, $query);
+		
+		if ($response !== false) {
+			$result = array();
+			if ($response->num_rows > 0) {
+				$i = 0;
+				while ($row = $response->fetch_assoc()) {
+					if (isset($row['id'])) {
+						$id = $row['id'];
+					} else {
+						$id = $i;
+						$i ++;
+					}
+					foreach ($row as $key => $value) {
+						$result[$id][$key] = $value;
+					}
+				}
+			}
+			return $result;
+		} else {
+			logE("database", "get_data\nInvalid request\n" . $query . "\n" . mysqli_error($mysqli));
+			return false;
+		}
+	}
+	
+	function db_update_data($mysqli, $table, $data, $where, $limit = false) {
+		$rest = '';
+		if ($where != false) {
+			$rest .= ' WHERE ' . $where;
+		}
+		if ($limit != false) {
+			$rest .= sprintf(' LIMIT %d', $limit);
+		}
+		$set = '';
+		$first = true;
+		foreach ($data as $key => $value) {
+			if ($first) {
+				$first = false;
+			} else {
+				$set .= ', ';
+			}
+			if ($value === null) {
+				$set .= '`' . mysqli_real_escape_string($mysqli, $key) . '`=NULL';
+			} else {
+				$set .= '`' . mysqli_real_escape_string($mysqli, $key) . '`="' . mysqli_real_escape_string($mysqli, $value) . '"';
+			}
+		}
+		if (defined('DB_CHANGE_TIME')) $set .= ', `changed`=NOW()';
+		$query = 'UPDATE ' . mysqli_real_escape_string($mysqli, $table) . ' SET ' . $set . $rest . ';';
+		$response = mysqli_query($mysqli, $query);
+		
+		if ($response === false) {
+			logE("database", "update_data\nInvalid request\n" . $query . "\n" . mysqli_error($mysqli));
+		} elseif (defined('DB_CHANGE_TIME')) {
+			mysqli_query($mysqli, 'UPDATE `_updatetimes` SET `update`=NOW() WHERE `table`="' . mysqli_real_escape_string($mysqli, $table) . '";');
+		}
+		
+		return $response;
+	}
+	
+	function db_insert_data($mysqli, $table, $data) {
+		$fields = '';
+		$values = '';
+		$first = true;
+		foreach ($data as $key => $value) {
+			if ($first) {
+				$first = false;
+			} else {
+				$fields .= ', ';
+				$values .= ', ';
+			}
+			$fields .= '`' . mysqli_real_escape_string($mysqli, $key) . '`';
+			if ($value === null) {
+				$values .= 'NULL';
+			} else {
+				$values .= '"' . mysqli_real_escape_string($mysqli, $value) . '"';
+			}
+		}
+		if (defined('DB_CHANGE_TIME')) {
+			$fields .= ', `changed`';
+			$values .= ', NOW()';
+		}
+		$query = 'INSERT INTO `' . mysqli_real_escape_string($mysqli, $table) . '` (' . $fields . ') VALUES (' . $values . ');';
+		$response = mysqli_query($mysqli, $query);
+		if ($response === false) {
+			logE("database", "insert_data\nInvalid request\n" . $query . "\n" . mysqli_error($mysqli));
+		} else {
+			$response = mysqli_insert_id($mysqli);
+			if (defined('DB_CHANGE_TIME')) {
+				mysqli_query($mysqli, 'UPDATE `_updatetimes` SET `update`=NOW() WHERE `table`="' . mysqli_real_escape_string($mysqli, $table) . '";');
+			}
+		}
+		
+		return $response;
+	}
+	
+	function db_delete_data($mysqli, $table, $where, $limit = false) {
+		$rest = '';
+		if ($where != false) {
+			$rest .= ' WHERE ' . $where;
+		}
+		if ($limit != false) {
+			$rest .= sprintf(' LIMIT %d', $limit);
+		}
+		$query = 'DELETE FROM `' . mysqli_real_escape_string($mysqli, $table) . '`' . $rest . ';';
+		$response = mysqli_query($mysqli, $query);
+		if ($response === false) {
+			logE("database", "delete_data\nInvalid request\n" . $query . "\n" . mysqli_error($mysqli));
+		} elseif (defined('DB_CHANGE_TIME')) {
+			mysqli_query($mysqli, 'UPDATE `_updatetimes` SET `update`=NOW() WHERE `table`="' . mysqli_real_escape_string($mysqli, $table) . '";');
+		}
+		
+		return $response;
+	}
+	
+?>
--- a/api/index.php
+++ b/api/index.php
@@ -0,0 +1,123 @@
+<?php
+	
+	require_once(__DIR__ . '/../server/config.php');
+	require_once(__DIR__ . '/config.php');
+	require_once(__DIR__ . '/../server/log.php');
+	require_once(__DIR__ . '/database.php');
+	require_once(__DIR__ . '/login.php');
+	
+	$request = false;
+	if (isset($_GET['request'])) {
+		$request = explode('/', $_GET['request']);
+	}
+	if ($request === false) {
+		$request = array();
+	}
+	if (count($request) >= 1) {
+		$action = array_shift($request);
+	} else {
+		$action = '';
+	}
+	
+	define('DONE_OKAY', 0);
+	define('DONE_EMPTY', 1);
+	define('DONE_DATABASE', 2);
+	define('DONE_UNAUTHORIZED', 3);
+	define('DONE_BAD_REQUEST', 4);
+	define('DONE_CONFLICT', 5);
+	define('DONE_SERVER_ERROR', 6);
+	function done($donecode, $content = null) {
+		switch ($donecode) {
+			case DONE_OKAY:
+				header('HTTP/1.0 200 OK');
+				break;
+			case DONE_EMPTY:
+				header('HTTP/1.0 204 No Content');
+				break;
+			case DONE_DATABASE:
+				header('HTTP/1.0 500 Internal Server Error');
+				if ($content === null) {
+					$content = array('error' => 'database error');
+				}
+				break;
+			case DONE_UNAUTHORIZED:
+				header('HTTP/1.0 401 Unauthorized');
+				if ($content === null) {
+					$content = array('error' => 'unauthorized');
+				}
+				break;
+			case DONE_BAD_REQUEST:
+				header('HTTP/1.0 400 Bad Request');
+				if ($content === null) {
+					$content = array('error' => 'bad request');
+				}
+				break;
+			case DONE_CONFLICT:
+				header('HTTP/1.0 409 Conflict');
+				break;
+			case DONE_SERVER_ERROR:
+				header('HTTP/1.0 500 Internal Server Error');
+				break;
+			default:
+				header('HTTP/1.0 500 Internal Server Error');
+				break;
+		}
+		header('Content-Type: application/json');
+		if ($content !== null) {
+			echo json_encode($content);
+		} else {
+			echo '{  }';
+		}
+		exit;
+	}
+	
+	if (isset($_REQUEST['auth']['id'], $_REQUEST['auth']['hash'])) {
+		$user_id = auth_check($mysqli, $_REQUEST['auth']['id'], $_REQUEST['auth']['hash']);
+	} else {
+		$user_id = false;
+	}
+	$perm = get_perm($mysqli, $user_id);
+	
+	function has_perm($permission) {
+		global $perm;
+		return ($perm & $permission) == $permission;
+	}
+	
+	function checkPermission($perm) {
+		if (!has_perm($perm)) done(DONE_UNAUTHORIZED, ['error' => 'permission denied']);
+	}
+	
+	function checkRequest($param) {
+		if (!isset($_REQUEST[$param])) done(DONE_BAD_REQUEST, ['error' => 'missing parameter: ' . $param]);
+	}
+	
+	function replaceChanged($array) {
+		return array_map(function ($entry) {
+			unset($entry['changed']);
+			return $entry;
+		}, $array);
+	}
+	
+	switch ($action) {
+		
+		case 'login':
+			checkRequest('username');
+			checkRequest('password');
+			checkRequest('device');
+			$auth = auth_login($mysqli, $_REQUEST['username'], $_REQUEST['password'], $_REQUEST['device']);
+			if ($auth === false) done(DONE_UNAUTHORIZED);
+			done(DONE_OKAY, $auth);
+			break;
+		
+		case 'logout':
+			checkPermission(PERM_REGISTERED);
+			auth_logout($mysqli, $_REQUEST['auth']['id']);
+			done(DONE_OKAY);
+			break;
+		
+		default:
+			done(DONE_BAD_REQUEST, ['error' => 'action invalid']);
+		
+	}
+	
+?>
--- a/api/login.php
+++ b/api/login.php
@@ -0,0 +1,107 @@
+<?php
+	
+	function get_user($mysqli, $username = null) {
+		if ($username === null) {
+			return db_get_data($mysqli, DB_TABLE_USERS);
+		} else {
+			$user = db_get_data($mysqli, DB_TABLE_USERS, '*', '`username` = "' . mysqli_real_escape_string($mysqli, $username) . '"', 1);
+			if (($user === false) or (count($user) != 1)) return false;
+			return array_values($user)[0];
+		}
+	}
+	
+	function get_user_by_id($mysqli, $user_id) {
+		$res = db_get_data($mysqli, DB_TABLE_USERS, '*', '`id` = "' . mysqli_real_escape_string($mysqli, $user_id) . '"', 1);
+		if (($res !== false) and (count($res) == 1)) {
+			return array_values($res)[0];
+		}
+		return false;
+	}
+	
+	//function signup($mysqli, $username, $email, $password) {
+	//	if (($username == '') or ($email == '') or ($password == '')) {
+	//		return 1;
+	//	}
+	//	if (get_user($mysqli, $username) !== false) {
+	//		return 1;
+	//	}
+	//	$salt = hash('sha512', uniqid(openssl_random_pseudo_bytes(16), true));
+	//	$hashpassword = hash('sha512', $password . $salt);
+	//	
+	//	$user = array();
+	//	$user['username'] = $username;
+	//	$user['email'] = $email;
+	//	$user['password'] = $hashpassword;
+	//	$user['salt'] = $salt;
+	//	if (db_insert_data($mysqli, DB_TABLE_USERS, $user) !== false) {
+	//		$values = array();
+	//		$values['USERNAME'] = $username;
+	//		$message = createMail('signup', STRING_SIGNUP_EMAIL_SUBJECT, $values);
+	//		smtp_send_mail(['Regatten.net', MAIL_FROM_ADDRESS], [[$username, $email]], [], [], STRING_SIGNUP_EMAIL_SUBJECT, $message, [['Content-Type', 'text/html; charset="UTF-8"']]);
+	//		// Analytics
+	//		matomo_event('Login', 'SignUp', $username);
+	//		return true;
+	//	} else {
+	//		return 2;
+	//	}
+	//}
+	
+	function get_perm($mysqli, $user_id) {
+		if ($user_id !== false) {
+			$result = get_user_by_id($mysqli, $user_id);
+			if ($result !== false) {
+				return $result[DB_FIELD_PERM];
+			} else {
+				return 0;
+			}
+		} else {
+			return 0;
+		}
+	}
+	
+	// ### NEW LOGIN ####################################
+	
+	function auth_login($mysqli, $username, $password, $device) {
+		$user = get_user($mysqli, $username);
+		if ($user === false) {
+			// User does not exist
+			return false;
+		}
+		$hashpassword = hash('sha512', $password . $user['salt']);
+		if ($hashpassword !== $user['password']) {
+			// Password incorrect
+			return false;
+		}
+		// All correct
+		$auth = [];
+		$auth['user'] = $user['id'];
+		$auth['username'] = $user['username'];
+		$auth['auth'] = str_replace('/', '-', str_replace('+', '_', base64_encode(openssl_random_pseudo_bytes(24))));
+		$salt = base64_encode(openssl_random_pseudo_bytes(24));
+		$hash = hash('sha512', $auth['auth'] . $salt);
+		$data = [
+			'user' => $user['id'],
+			'salt' => $salt,
+			'authhash' => $hash,
+			'device' => $device
+		];
+		$auth['id'] = db_insert_data($mysqli, DB_TABLE_LOGINS, $data);
+		return $auth;
+	}
+	
+	function auth_logout($mysqli, $id) {
+		db_delete_data($mysqli, DB_TABLE_LOGINS, 'id = "' . mysqli_real_escape_string($mysqli, $id) . '"', 1);
+		return true;
+	}
+	
+	function auth_check($mysqli, $id, $hash) {
+		$auth = db_get_data($mysqli, DB_TABLE_LOGINS, '*', 'id="' . mysqli_real_escape_string($mysqli, $id) . '"', 1);
+		if (($auth === false) or (count($auth) != 1)) return false;
+		$auth = array_values($auth)[0];
+		$hash = hash('sha512', $hash . $auth['salt']);
+		if ($hash != $auth['authhash']) return false;
+		db_update_data($mysqli, DB_TABLE_LOGINS, ['id' => $auth['id']], 'id="' . $auth['id'] . '"', 1); // update changed field => last login
+		return $auth['user'];
+	}
+	
+?>