Prepare settings for the API in the admin page and during the install

API settings: - api.enabled - api.secret The API settings will be initialized (and the secret generated) with an update method.
author: ArthurHoaro <arthur@hoa.ro> 2016-07-31 10:46:17 +0200
committer: ArthurHoaro <arthur@hoa.ro> 2016-12-12 03:54:10 +0100
commit: cbfdcff2615e901bdc434d06f38a3da8eecbdf8b (patch)
tree: de0d67591015f1bd6d35bd8490adfc8981d3355c /application
parent: 624f999fb75ceeefbc690276f42e5a545ad35357 (diff)
download: Shaarli-cbfdcff2615e901bdc434d06f38a3da8eecbdf8b.tar.gz
Shaarli-cbfdcff2615e901bdc434d06f38a3da8eecbdf8b.tar.zst
Shaarli-cbfdcff2615e901bdc434d06f38a3da8eecbdf8b.zip
2 files changed, 49 insertions, 0 deletions
diff --git a/application/Updater.php b/application/Updater.php
index f0d02814..38de3350 100644
--- a/application/Updater.php
+++ b/application/Updater.php
@@ -256,6 +256,29 @@ class Updater
        return true;
    }
+    /**
+     * Initialize API settings:
+     *   - api.enabled: true
+     *   - api.secret: generated secret
+     */
+    public function updateMethodApiSettings()
+    {
+        if ($this->conf->exists('api.secret')) {
+            return true;
+        }
+        $this->conf->set('api.enabled', true);
+        $this->conf->set(
+            'api.secret',
+            generate_api_secret(
+                $this->conf->get('credentials.login'),
+                $this->conf->get('credentials.salt')
+            )
+        );
+        $this->conf->write($this->isLoggedIn);
+        return true;
+    }
 }
 /**
diff --git a/application/Utils.php b/application/Utils.php
index 0a5b476e..62902341 100644
--- a/application/Utils.php
+++ b/application/Utils.php
@@ -231,3 +231,29 @@ function autoLocale($headerLocale)
    }
    setlocale(LC_ALL, $attempts);
 }
+/**
+ * Generates a default API secret.
+ *
+ * Note that the random-ish methods used in this function are predictable,
+ * which makes them NOT suitable for crypto.
+ * BUT the random string is salted with the salt and hashed with the username.
+ * It makes the generated API secret secured enough for Shaarli.
+ *
+ * PHP 7 provides random_int(), designed for cryptography.
+ * More info: http://stackoverflow.com/questions/4356289/php-random-string-generator
+ * @param string $username Shaarli login username
+ * @param string $salt     Shaarli password hash salt
+ *
+ * @return string|bool Generated API secret, 12 char length.
+ *                     Or false if invalid parameters are provided (which will make the API unusable).
+ */
+function generate_api_secret($username, $salt)
+{
+    if (empty($username) || empty($salt)) {
+        return false;
+    }
+    return str_shuffle(substr(hash_hmac('sha512', uniqid($salt), $username), 10, 12));
+}
author	ArthurHoaro <arthur@hoa.ro>	2016-07-31 10:46:17 +0200
committer	ArthurHoaro <arthur@hoa.ro>	2016-12-12 03:54:10 +0100
commit	cbfdcff2615e901bdc434d06f38a3da8eecbdf8b (patch)
tree	de0d67591015f1bd6d35bd8490adfc8981d3355c /application
parent	624f999fb75ceeefbc690276f42e5a545ad35357 (diff)
download	Shaarli-cbfdcff2615e901bdc434d06f38a3da8eecbdf8b.tar.gz Shaarli-cbfdcff2615e901bdc434d06f38a3da8eecbdf8b.tar.zst Shaarli-cbfdcff2615e901bdc434d06f38a3da8eecbdf8b.zip

diff --git a/application/Updater.php b/application/Updater.php index f0d02814..38de3350 100644 --- a/application/Updater.php +++ b/application/Updater.php
@@ -256,6 +256,29 @@ class Updater
256		256
257	return true;	257	return true;
258	}	258	}
		259
		260	/**
		261	* Initialize API settings:
		262	* - api.enabled: true
		263	* - api.secret: generated secret
		264	*/
		265	public function updateMethodApiSettings()
		266	{
		267	if ($this->conf->exists('api.secret')) {
		268	return true;
		269	}
		270
		271	$this->conf->set('api.enabled', true);
		272	$this->conf->set(
		273	'api.secret',
		274	generate_api_secret(
		275	$this->conf->get('credentials.login'),
		276	$this->conf->get('credentials.salt')
		277	)
		278	);
		279	$this->conf->write($this->isLoggedIn);
		280	return true;
		281	}
259	}	282	}
260		283
261	/**	284	/**


diff --git a/application/Utils.php b/application/Utils.php index 0a5b476e..62902341 100644 --- a/application/Utils.php +++ b/application/Utils.php
@@ -231,3 +231,29 @@ function autoLocale($headerLocale)
231	}	231	}
232	setlocale(LC_ALL, $attempts);	232	setlocale(LC_ALL, $attempts);
233	}	233	}
		234
		235	/**
		236	* Generates a default API secret.
		237	*
		238	* Note that the random-ish methods used in this function are predictable,
		239	* which makes them NOT suitable for crypto.
		240	* BUT the random string is salted with the salt and hashed with the username.
		241	* It makes the generated API secret secured enough for Shaarli.
		242	*
		243	* PHP 7 provides random_int(), designed for cryptography.
		244	* More info: http://stackoverflow.com/questions/4356289/php-random-string-generator
		245
		246	* @param string $username Shaarli login username
		247	* @param string $salt Shaarli password hash salt
		248	*
		249	* @return string\|bool Generated API secret, 12 char length.
		250	* Or false if invalid parameters are provided (which will make the API unusable).
		251	*/
		252	function generate_api_secret($username, $salt)
		253	{
		254	if (empty($username) \|\| empty($salt)) {
		255	return false;
		256	}
		257
		258	return str_shuffle(substr(hash_hmac('sha512', uniqid($salt), $username), 10, 12));
		259	}