diff options
author | ArthurHoaro <arthur@hoa.ro> | 2016-07-31 10:46:17 +0200 |
---|---|---|
committer | ArthurHoaro <arthur@hoa.ro> | 2016-12-12 03:54:10 +0100 |
commit | cbfdcff2615e901bdc434d06f38a3da8eecbdf8b (patch) | |
tree | de0d67591015f1bd6d35bd8490adfc8981d3355c /application | |
parent | 624f999fb75ceeefbc690276f42e5a545ad35357 (diff) | |
download | Shaarli-cbfdcff2615e901bdc434d06f38a3da8eecbdf8b.tar.gz Shaarli-cbfdcff2615e901bdc434d06f38a3da8eecbdf8b.tar.zst Shaarli-cbfdcff2615e901bdc434d06f38a3da8eecbdf8b.zip |
Prepare settings for the API in the admin page and during the install
API settings:
- api.enabled
- api.secret
The API settings will be initialized (and the secret generated) with an update method.
Diffstat (limited to 'application')
-rw-r--r-- | application/Updater.php | 23 | ||||
-rw-r--r-- | application/Utils.php | 26 |
2 files changed, 49 insertions, 0 deletions
diff --git a/application/Updater.php b/application/Updater.php index f0d02814..38de3350 100644 --- a/application/Updater.php +++ b/application/Updater.php | |||
@@ -256,6 +256,29 @@ class Updater | |||
256 | 256 | ||
257 | return true; | 257 | return true; |
258 | } | 258 | } |
259 | |||
260 | /** | ||
261 | * Initialize API settings: | ||
262 | * - api.enabled: true | ||
263 | * - api.secret: generated secret | ||
264 | */ | ||
265 | public function updateMethodApiSettings() | ||
266 | { | ||
267 | if ($this->conf->exists('api.secret')) { | ||
268 | return true; | ||
269 | } | ||
270 | |||
271 | $this->conf->set('api.enabled', true); | ||
272 | $this->conf->set( | ||
273 | 'api.secret', | ||
274 | generate_api_secret( | ||
275 | $this->conf->get('credentials.login'), | ||
276 | $this->conf->get('credentials.salt') | ||
277 | ) | ||
278 | ); | ||
279 | $this->conf->write($this->isLoggedIn); | ||
280 | return true; | ||
281 | } | ||
259 | } | 282 | } |
260 | 283 | ||
261 | /** | 284 | /** |
diff --git a/application/Utils.php b/application/Utils.php index 0a5b476e..62902341 100644 --- a/application/Utils.php +++ b/application/Utils.php | |||
@@ -231,3 +231,29 @@ function autoLocale($headerLocale) | |||
231 | } | 231 | } |
232 | setlocale(LC_ALL, $attempts); | 232 | setlocale(LC_ALL, $attempts); |
233 | } | 233 | } |
234 | |||
235 | /** | ||
236 | * Generates a default API secret. | ||
237 | * | ||
238 | * Note that the random-ish methods used in this function are predictable, | ||
239 | * which makes them NOT suitable for crypto. | ||
240 | * BUT the random string is salted with the salt and hashed with the username. | ||
241 | * It makes the generated API secret secured enough for Shaarli. | ||
242 | * | ||
243 | * PHP 7 provides random_int(), designed for cryptography. | ||
244 | * More info: http://stackoverflow.com/questions/4356289/php-random-string-generator | ||
245 | |||
246 | * @param string $username Shaarli login username | ||
247 | * @param string $salt Shaarli password hash salt | ||
248 | * | ||
249 | * @return string|bool Generated API secret, 12 char length. | ||
250 | * Or false if invalid parameters are provided (which will make the API unusable). | ||
251 | */ | ||
252 | function generate_api_secret($username, $salt) | ||
253 | { | ||
254 | if (empty($username) || empty($salt)) { | ||
255 | return false; | ||
256 | } | ||
257 | |||
258 | return str_shuffle(substr(hash_hmac('sha512', uniqid($salt), $username), 10, 12)); | ||
259 | } | ||