-rw-r--r--application/Updater.php23
-rw-r--r--application/Utils.php26
2 files changed, 49 insertions, 0 deletions
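--- a/application/Updater.php
+++ b/application/Updater.php
@@ -256,6 +256,29 @@ class Updater
 
         return true;
     }
+
+    /**
+     * Initialize API settings:
+     *   - api.enabled: true
+     *   - api.secret: generated secret
+     */
+    public function updateMethodApiSettings()
+    {
+        if ($this->conf->exists('api.secret')) {
+            return true;
+        }
+
+        $this->conf->set('api.enabled', true);
+        $this->conf->set(
+            'api.secret',
+            generate_api_secret(
+                $this->conf->get('credentials.login'),
+                $this->conf->get('credentials.salt')
+            )
+        );
+        $this->conf->write($this->isLoggedIn);
+        return true;
+    }
 }
 
 /**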
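Review bot: The value returned by generate_api_secret() is written into 'api.secret' unchecked, although its docblock says it returns false when the login or salt is missing; a false secret would then be persisted alongside api.enabled = true, and since exists('api.secret') would presumably succeed on the next run the update would never be retried. Capture the result first and bail out before touching the configuration, e.g. `$secret = generate_api_secret($this->conf->get('credentials.login'), $this->conf->get('credentials.salt'));` followed by `if ($secret === false) { return false; }` (or whatever failure signal the other updateMethod* callbacks use, which is not visible here), then `$this->conf->set('api.secret', $secret);`. That keeps the method idempotent on a later run once credentials are available. The Updater class itself continues outside the hunk.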
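--- a/application/Utils.php
+++ b/application/Utils.php
@@ -231,3 +231,29 @@ function autoLocale($headerLocale)
     }
     setlocale(LC_ALL, $attempts);
 }
+
+/**
+ * Generates a default API secret.
+ *
+ * Note that the random-ish methods used in this function are predictable,
+ * which makes them NOT suitable for crypto.
+ * BUT the random string is salted with the salt and hashed with the username.
+ * It makes the generated API secret secured enough for Shaarli.
+ *
+ * PHP 7 provides random_int(), designed for cryptography.
+ * More info: http://stackoverflow.com/questions/4356289/php-random-string-generator
+
+ * @param string $username Shaarli login username
+ * @param string $salt     Shaarli password hash salt
+ *
+ * @return string|bool Generated API secret, 12 char length.
+ *                     Or false if invalid parameters are provided (which will make the API unusable).
+ */
+function generate_api_secret($username, $salt)
+{
+    if (empty($username) || empty($salt)) {
+        return false;
+    }
+
+    return str_shuffle(substr(hash_hmac('sha512', uniqid($salt), $username), 10, 12));
+}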
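Review bot: The only fresh input to the secret on the return line is uniqid(), which is built from the current microsecond timestamp, and str_shuffle() merely permutes the 12 hex characters with a non-cryptographic generator, so the secrecy of the result rests entirely on the salt rather than on any randomness gathered here. The docblock already points at PHP 7's CSPRNG; since the function is new, it can use random_bytes() when it exists and keep uniqid() only as the legacy fallback, with the HMAC retained as the derivation step and the str_shuffle() dropped because it adds no entropy. random_bytes() throws when no secure source is available, which callers of this update path would need to tolerate — worth a sentence in the docblock. Note also that empty() rejects a login of "0", which the `@param string $username` contract does not exclude.
```php
function generate_api_secret($username, $salt)
{
    // … unchanged: empty() guard returning false …

    // Prefer the CSPRNG when the runtime provides it (PHP 7+); uniqid() is the legacy fallback.
    $entropy = function_exists('random_bytes')
        ? bin2hex(random_bytes(32))
        : uniqid($salt, true);

    return substr(hash_hmac('sha512', $entropy, $username . $salt), 10, 12);
}
```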