diff options
Diffstat (limited to 'application/Utils.php')
| -rw-r--r-- | application/Utils.php | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/application/Utils.php b/application/Utils.php index 0a5b476e..62902341 100644 --- a/application/Utils.php +++ b/application/Utils.php | |||
| @@ -231,3 +231,29 @@ function autoLocale($headerLocale) | |||
| 231 | } | 231 | } |
| 232 | setlocale(LC_ALL, $attempts); | 232 | setlocale(LC_ALL, $attempts); |
| 233 | } | 233 | } |
| 234 | |||
| 235 | /** | ||
| 236 | * Generates a default API secret. | ||
| 237 | * | ||
| 238 | * Note that the random-ish methods used in this function are predictable, | ||
| 239 | * which makes them NOT suitable for crypto. | ||
| 240 | * BUT the random string is salted with the salt and hashed with the username. | ||
| 241 | * It makes the generated API secret secured enough for Shaarli. | ||
| 242 | * | ||
| 243 | * PHP 7 provides random_int(), designed for cryptography. | ||
| 244 | * More info: http://stackoverflow.com/questions/4356289/php-random-string-generator | ||
| 245 | |||
| 246 | * @param string $username Shaarli login username | ||
| 247 | * @param string $salt Shaarli password hash salt | ||
| 248 | * | ||
| 249 | * @return string|bool Generated API secret, 12 char length. | ||
| 250 | * Or false if invalid parameters are provided (which will make the API unusable). | ||
| 251 | */ | ||
| 252 | function generate_api_secret($username, $salt) | ||
| 253 | { | ||
| 254 | if (empty($username) || empty($salt)) { | ||
| 255 | return false; | ||
| 256 | } | ||
| 257 | |||
| 258 | return str_shuffle(substr(hash_hmac('sha512', uniqid($salt), $username), 10, 12)); | ||
| 259 | } | ||