15 files changed, 508 insertions, 21 deletions
diff --git a/application/FeedBuilder.php b/application/FeedBuilder.php
index fedd90e6..a1f4da48 100644
--- a/application/FeedBuilder.php
+++ b/application/FeedBuilder.php
@@ -63,11 +63,6 @@ class FeedBuilder
    protected $hideDates;
    /**
-     * @var string PubSub hub URL.
-     */
-    protected $pubsubhubUrl;
-    /**
     * @var string server locale.
     */
    protected $locale;
@@ -120,7 +115,6 @@ class FeedBuilder
        }
        $data['language'] = $this->getTypeLanguage();
-        $data['pubsubhub_url'] = $this->pubsubhubUrl;
        $data['last_update'] = $this->getLatestDateFormatted();
        $data['show_dates'] = !$this->hideDates || $this->isLoggedIn;
        // Remove leading slash from REQUEST_URI.
@@ -183,16 +177,6 @@ class FeedBuilder
    }
    /**
-     * Assign PubSub hub URL.
-     *
-     * @param string $pubsubhubUrl PubSub hub url.
-     */
-    public function setPubsubhubUrl($pubsubhubUrl)
-    {
-        $this->pubsubhubUrl = $pubsubhubUrl;
-    }
-    /**
     * Set this to true to use permalinks instead of direct links.
     *
     * @param boolean $usePermalinks true to force permalinks.
diff --git a/application/HttpUtils.php b/application/HttpUtils.php
index e705cfd6..e8fc1f5d 100644
--- a/application/HttpUtils.php
+++ b/application/HttpUtils.php
@@ -297,9 +297,17 @@ function server_url($server)
            // Keep forwarded port
            if (strpos($server['HTTP_X_FORWARDED_PORT'], ',') !== false) {
                $ports = explode(',', $server['HTTP_X_FORWARDED_PORT']);
-                $port = ':' . trim($ports[0]);
+                $port = trim($ports[0]);
            } else {
-                $port = ':' . $server['HTTP_X_FORWARDED_PORT'];
+                $port = $server['HTTP_X_FORWARDED_PORT'];
+            }
+            if (($scheme == 'http' && $port != '80')
+                || ($scheme == 'https' && $port != '443')
+            ) {
+                $port = ':' . $port;
+            } else {
+                $port = '';
            }
        }
diff --git a/application/LinkFilter.php b/application/LinkFilter.php
index daa6d9cc..57ebfd5c 100644
--- a/application/LinkFilter.php
+++ b/application/LinkFilter.php
@@ -348,7 +348,7 @@ class LinkFilter
        $tagsOut = $casesensitive ? $tags : mb_convert_case($tags, MB_CASE_LOWER, 'UTF-8');
        $tagsOut = str_replace(',', ' ', $tagsOut);
-        return array_values(array_filter(explode(' ', trim($tagsOut)), 'strlen'));
+        return preg_split('/\s+/', $tagsOut, -1, PREG_SPLIT_NO_EMPTY);
    }
 }
diff --git a/application/Updater.php b/application/Updater.php
index f0d02814..38de3350 100644
--- a/application/Updater.php
+++ b/application/Updater.php
@@ -256,6 +256,29 @@ class Updater
        return true;
    }
+    /**
+     * Initialize API settings:
+     *   - api.enabled: true
+     *   - api.secret: generated secret
+     */
+    public function updateMethodApiSettings()
+    {
+        if ($this->conf->exists('api.secret')) {
+            return true;
+        }
+        $this->conf->set('api.enabled', true);
+        $this->conf->set(
+            'api.secret',
+            generate_api_secret(
+                $this->conf->get('credentials.login'),
+                $this->conf->get('credentials.salt')
+            )
+        );
+        $this->conf->write($this->isLoggedIn);
+        return true;
+    }
 }
 /**
diff --git a/application/Url.php b/application/Url.php
index c5c7dd18..25a62a8a 100644
--- a/application/Url.php
+++ b/application/Url.php
@@ -94,7 +94,10 @@ class Url
        'utm_',
        // ATInternet
-        'xtor='
+        'xtor=',
+        // Other
+        'campaign_'
    );
    private static $annoyingFragments = array(
diff --git a/application/Utils.php b/application/Utils.php
index 0a5b476e..35d65224 100644
--- a/application/Utils.php
+++ b/application/Utils.php
@@ -231,3 +231,42 @@ function autoLocale($headerLocale)
    }
    setlocale(LC_ALL, $attempts);
 }
+/**
+ * Generates a default API secret.
+ *
+ * Note that the random-ish methods used in this function are predictable,
+ * which makes them NOT suitable for crypto.
+ * BUT the random string is salted with the salt and hashed with the username.
+ * It makes the generated API secret secured enough for Shaarli.
+ *
+ * PHP 7 provides random_int(), designed for cryptography.
+ * More info: http://stackoverflow.com/questions/4356289/php-random-string-generator
+ * @param string $username Shaarli login username
+ * @param string $salt     Shaarli password hash salt
+ *
+ * @return string|bool Generated API secret, 12 char length.
+ *                     Or false if invalid parameters are provided (which will make the API unusable).
+ */
+function generate_api_secret($username, $salt)
+{
+    if (empty($username) || empty($salt)) {
+        return false;
+    }
+    return str_shuffle(substr(hash_hmac('sha512', uniqid($salt), $username), 10, 12));
+}
+/**
+ * Trim string, replace sequences of whitespaces by a single space.
+ * PHP equivalent to `normalize-space` XSLT function.
+ *
+ * @param string $string Input string.
+ *
+ * @return mixed Normalized string.
+ */
+function normalize_spaces($string)
+{
+    return preg_replace('/\s{2,}/', ' ', trim($string));
+}
diff --git a/application/api/ApiMiddleware.php b/application/api/ApiMiddleware.php
new file mode 100644
index 00000000..162e88e0
--- /dev/null
+++ b/application/api/ApiMiddleware.php
@@ -0,0 +1,132 @@
+<?php
+namespace Shaarli\Api;
+use Shaarli\Api\Exceptions\ApiException;
+use Shaarli\Api\Exceptions\ApiAuthorizationException;
+use Slim\Container;
+use Slim\Http\Request;
+use Slim\Http\Response;
+/**
+ * Class ApiMiddleware
+ *
+ * This will be called before accessing any API Controller.
+ * Its role is to make sure that the API is enabled, configured, and to validate the JWT token.
+ *
+ * If the request is validated, the controller is called, otherwise a JSON error response is returned.
+ *
+ * @package Api
+ */
+class ApiMiddleware
+{
+    /**
+     * @var int JWT token validity in seconds (9 min).
+     */
+    public static $TOKEN_DURATION = 540;
+    /**
+     * @var Container: contains conf, plugins, etc.
+     */
+    protected $container;
+    /**
+     * @var \ConfigManager instance.
+     */
+    protected $conf;
+    /**
+     * ApiMiddleware constructor.
+     *
+     * @param Container $container instance.
+     */
+    public function __construct($container)
+    {
+        $this->container = $container;
+        $this->conf = $this->container->get('conf');
+        $this->setLinkDb($this->conf);
+    }
+    /**
+     * Middleware execution:
+     *   - check the API request
+     *   - execute the controller
+     *   - return the response
+     *
+     * @param  Request  $request  Slim request
+     * @param  Response $response Slim response
+     * @param  callable $next     Next action
+     *
+     * @return Response response.
+     */
+    public function __invoke($request, $response, $next)
+    {
+        try {
+            $this->checkRequest($request);
+            $response = $next($request, $response);
+        } catch(ApiException $e) {
+            $e->setResponse($response);
+            $e->setDebug($this->conf->get('dev.debug', false));
+            $response = $e->getApiResponse();
+        }
+        return $response;
+    }
+    /**
+     * Check the request validity (HTTP method, request value, etc.),
+     * that the API is enabled, and the JWT token validity.
+     *
+     * @param  Request $request  Slim request
+     *
+     * @throws ApiAuthorizationException The API is disabled or the token is invalid.
+     */
+    protected function checkRequest($request)
+    {
+        if (! $this->conf->get('api.enabled', true)) {
+            throw new ApiAuthorizationException('API is disabled');
+        }
+        $this->checkToken($request);
+    }
+    /**
+     * Check that the JWT token is set and valid.
+     * The API secret setting must be set.
+     *
+     * @param  Request $request  Slim request
+     *
+     * @throws ApiAuthorizationException The token couldn't be validated.
+     */
+    protected function checkToken($request) {
+        $jwt = $request->getHeaderLine('jwt');
+        if (empty($jwt)) {
+            throw new ApiAuthorizationException('JWT token not provided');
+        }
+        if (empty($this->conf->get('api.secret'))) {
+            throw new ApiAuthorizationException('Token secret must be set in Shaarli\'s administration');
+        }
+        ApiUtils::validateJwtToken($jwt, $this->conf->get('api.secret'));
+    }
+    /**
+     * Instantiate a new LinkDB including private links,
+     * and load in the Slim container.
+     *
+     * FIXME! LinkDB could use a refactoring to avoid this trick.
+     *
+     * @param \ConfigManager $conf instance.
+     */
+    protected function setLinkDb($conf)
+    {
+        $linkDb = new \LinkDB(
+            $conf->get('resource.datastore'),
+            true,
+            $conf->get('privacy.hide_public_links'),
+            $conf->get('redirector.url'),
+            $conf->get('redirector.encode_url')
+        );
+        $this->container['db'] = $linkDb;
+    }
+}
diff --git a/application/api/ApiUtils.php b/application/api/ApiUtils.php
new file mode 100644
index 00000000..fbb1e72f
--- /dev/null
+++ b/application/api/ApiUtils.php
@@ -0,0 +1,51 @@
+<?php
+namespace Shaarli\Api;
+use Shaarli\Api\Exceptions\ApiAuthorizationException;
+/**
+ * Class ApiUtils
+ *
+ * Utility functions for the API.
+ */
+class ApiUtils
+{
+    /**
+     * Validates a JWT token authenticity.
+     *
+     * @param string $token  JWT token extracted from the headers.
+     * @param string $secret API secret set in the settings.
+     *
+     * @throws ApiAuthorizationException the token is not valid.
+     */
+    public static function validateJwtToken($token, $secret)
+    {
+        $parts = explode('.', $token);
+        if (count($parts) != 3 || strlen($parts[0]) == 0 || strlen($parts[1]) == 0) {
+            throw new ApiAuthorizationException('Malformed JWT token');
+        }
+        $genSign = hash_hmac('sha512', $parts[0] .'.'. $parts[1], $secret);
+        if ($parts[2] != $genSign) {
+            throw new ApiAuthorizationException('Invalid JWT signature');
+        }
+        $header = json_decode(base64_decode($parts[0]));
+        if ($header === null) {
+            throw new ApiAuthorizationException('Invalid JWT header');
+        }
+        $payload = json_decode(base64_decode($parts[1]));
+        if ($payload === null) {
+            throw new ApiAuthorizationException('Invalid JWT payload');
+        }
+        if (empty($payload->iat)
+            || $payload->iat > time()
+            || time() - $payload->iat > ApiMiddleware::$TOKEN_DURATION
+        ) {
+            throw new ApiAuthorizationException('Invalid JWT issued time');
+        }
+    }
+}
diff --git a/application/api/controllers/ApiController.php b/application/api/controllers/ApiController.php
new file mode 100644
index 00000000..1dd47f17
--- /dev/null
+++ b/application/api/controllers/ApiController.php
@@ -0,0 +1,54 @@
+<?php
+namespace Shaarli\Api\Controllers;
+use \Slim\Container;
+/**
+ * Abstract Class ApiController
+ *
+ * Defines REST API Controller dependencies injected from the container.
+ *
+ * @package Api\Controllers
+ */
+abstract class ApiController
+{
+    /**
+     * @var Container
+     */
+    protected $ci;
+    /**
+     * @var \ConfigManager
+     */
+    protected $conf;
+    /**
+     * @var \LinkDB
+     */
+    protected $linkDb;
+    /**
+     * @var int|null JSON style option.
+     */
+    protected $jsonStyle;
+    /**
+     * ApiController constructor.
+     * 
+     * Note: enabling debug mode displays JSON with readable formatting.
+     *
+     * @param Container $ci Slim container.
+     */
+    public function __construct(Container $ci)
+    {
+        $this->ci = $ci;
+        $this->conf = $ci->get('conf');
+        $this->linkDb = $ci->get('db');
+        if ($this->conf->get('dev.debug', false)) {
+            $this->jsonStyle = JSON_PRETTY_PRINT;
+        } else {
+            $this->jsonStyle = null;
+        }
+    }
+}
diff --git a/application/api/controllers/Info.php b/application/api/controllers/Info.php
new file mode 100644
index 00000000..25433f72
--- /dev/null
+++ b/application/api/controllers/Info.php
@@ -0,0 +1,42 @@
+<?php
+namespace Shaarli\Api\Controllers;
+use Slim\Http\Request;
+use Slim\Http\Response;
+/**
+ * Class Info
+ * 
+ * REST API Controller: /info
+ *
+ * @package Api\Controllers
+ * @see http://shaarli.github.io/api-documentation/#links-instance-information-get
+ */
+class Info extends ApiController
+{
+    /**
+     * Service providing various information about Shaarli instance.
+     * 
+     * @param Request  $request  Slim request.
+     * @param Response $response Slim response.
+     *
+     * @return Response response.
+     */
+    public function getInfo($request, $response)
+    {
+        $info = [
+            'global_counter' => count($this->linkDb),
+            'private_counter' => count_private($this->linkDb),
+            'settings' => array(
+                'title' => $this->conf->get('general.title', 'Shaarli'),
+                'header_link' => $this->conf->get('general.header_link', '?'),
+                'timezone' => $this->conf->get('general.timezone', 'UTC'),
+                'enabled_plugins' => $this->conf->get('general.enabled_plugins', []),
+                'default_private_links' => $this->conf->get('privacy.default_private_links', false),
+            ),
+        ];
+        return $response->withJson($info, 200, $this->jsonStyle);
+    }
+}
diff --git a/application/api/exceptions/ApiAuthorizationException.php b/application/api/exceptions/ApiAuthorizationException.php
new file mode 100644
index 00000000..0e3f4776
--- /dev/null
+++ b/application/api/exceptions/ApiAuthorizationException.php
@@ -0,0 +1,34 @@
+<?php
+namespace Shaarli\Api\Exceptions;
+/**
+ * Class ApiAuthorizationException
+ *
+ * Request not authorized, return a 401 HTTP code.
+ */
+class ApiAuthorizationException extends ApiException
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function getApiResponse()
+    {
+        $this->setMessage('Not authorized');
+        return $this->buildApiResponse(401);
+    }
+    /**
+     * Set the exception message.
+     *
+     * We only return a generic error message in production mode to avoid giving
+     * to much security information.
+     *
+     * @param $message string the exception message.
+     */
+    public function setMessage($message)
+    {
+        $original = $this->debug === true ? ': '. $this->getMessage() : '';
+        $this->message = $message . $original;
+    }
+}
diff --git a/application/api/exceptions/ApiBadParametersException.php b/application/api/exceptions/ApiBadParametersException.php
new file mode 100644
index 00000000..e5cc19ea
--- /dev/null
+++ b/application/api/exceptions/ApiBadParametersException.php
@@ -0,0 +1,19 @@
+<?php
+namespace Shaarli\Api\Exceptions;
+/**
+ * Class ApiBadParametersException
+ *
+ * Invalid request exception, return a 400 HTTP code.
+ */
+class ApiBadParametersException extends ApiException
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function getApiResponse()
+    {
+        return $this->buildApiResponse(400);
+    }
+}
diff --git a/application/api/exceptions/ApiException.php b/application/api/exceptions/ApiException.php
new file mode 100644
index 00000000..c8490e0c
--- /dev/null
+++ b/application/api/exceptions/ApiException.php
@@ -0,0 +1,77 @@
+<?php
+namespace Shaarli\Api\Exceptions;
+use Slim\Http\Response;
+/**
+ * Abstract class ApiException
+ *
+ * Parent Exception related to the API, able to generate a valid Response (ResponseInterface).
+ * Also can include various information in debug mode.
+ */
+abstract class ApiException extends \Exception {
+    /**
+     * @var Response instance from Slim.
+     */
+    protected $response;
+    /**
+     * @var bool Debug mode enabled/disabled.
+     */
+    protected $debug;
+    /**
+     * Build the final response.
+     *
+     * @return Response Final response to give.
+     */
+    public abstract function getApiResponse();
+    /**
+     * Creates ApiResponse body.
+     * In production mode, it will only return the exception message,
+     * but in dev mode, it includes additional information in an array.
+     *
+     * @return array|string response body
+     */
+    protected function getApiResponseBody() {
+        if ($this->debug !== true) {
+            return $this->getMessage();
+        }
+        return [
+            'message' => $this->getMessage(),
+            'stacktrace' => get_class($this) .': '. $this->getTraceAsString()
+        ];
+    }
+    /**
+     * Build the Response object to return.
+     *
+     * @param int $code HTTP status.
+     *
+     * @return Response with status + body.
+     */
+    protected function buildApiResponse($code)
+    {
+        $style = $this->debug ? JSON_PRETTY_PRINT : null;
+        return $this->response->withJson($this->getApiResponseBody(), $code, $style);
+    }
+    /**
+     * @param Response $response
+     */
+    public function setResponse($response)
+    {
+        $this->response = $response;
+    }
+    /**
+     * @param bool $debug
+     */
+    public function setDebug($debug)
+    {
+        $this->debug = $debug;
+    }
+}
diff --git a/application/api/exceptions/ApiInternalException.php b/application/api/exceptions/ApiInternalException.php
new file mode 100644
index 00000000..1cb05532
--- /dev/null
+++ b/application/api/exceptions/ApiInternalException.php
@@ -0,0 +1,19 @@
+<?php
+namespace Shaarli\Api\Exceptions;
+/**
+ * Class ApiInternalException
+ *
+ * Generic exception, return a 500 HTTP code.
+ */
+class ApiInternalException extends ApiException
+{
+    /**
+     * @inheritdoc
+     */
+    public function getApiResponse()
+    {
+        return $this->buildApiResponse(500);
+    }
+}
diff --git a/application/config/ConfigManager.php b/application/config/ConfigManager.php
index f5f753f8..ca8918b5 100644
--- a/application/config/ConfigManager.php
+++ b/application/config/ConfigManager.php
@@ -20,6 +20,8 @@ class ConfigManager
     */
    protected static $NOT_FOUND = 'NOT_FOUND';
+    public static $DEFAULT_PLUGINS = array('qrcode');
    /**
     * @var string Config folder.
     */
@@ -308,7 +310,7 @@ class ConfigManager
        $this->setEmpty('general.header_link', '?');
        $this->setEmpty('general.links_per_page', 20);
-        $this->setEmpty('general.enabled_plugins', array('qrcode'));
+        $this->setEmpty('general.enabled_plugins', self::$DEFAULT_PLUGINS);
        $this->setEmpty('updates.check_updates', false);
        $this->setEmpty('updates.check_updates_branch', 'stable');

diff --git a/application/FeedBuilder.php b/application/FeedBuilder.php index fedd90e6..a1f4da48 100644 --- a/application/FeedBuilder.php +++ b/application/FeedBuilder.php
@@ -63,11 +63,6 @@ class FeedBuilder
63	protected $hideDates;	63	protected $hideDates;
64		64
65	/**	65	/**
66	* @var string PubSub hub URL.
67	*/
68	protected $pubsubhubUrl;
69
70	/**
71	* @var string server locale.	66	* @var string server locale.
72	*/	67	*/
73	protected $locale;	68	protected $locale;
@@ -120,7 +115,6 @@ class FeedBuilder
120	}	115	}
121		116
122	$data['language'] = $this->getTypeLanguage();	117	$data['language'] = $this->getTypeLanguage();
123	$data['pubsubhub_url'] = $this->pubsubhubUrl;
124	$data['last_update'] = $this->getLatestDateFormatted();	118	$data['last_update'] = $this->getLatestDateFormatted();
125	$data['show_dates'] = !$this->hideDates \|\| $this->isLoggedIn;	119	$data['show_dates'] = !$this->hideDates \|\| $this->isLoggedIn;
126	// Remove leading slash from REQUEST_URI.	120	// Remove leading slash from REQUEST_URI.
@@ -183,16 +177,6 @@ class FeedBuilder
183	}	177	}
184		178
185	/**	179	/**
186	* Assign PubSub hub URL.
187	*
188	* @param string $pubsubhubUrl PubSub hub url.
189	*/
190	public function setPubsubhubUrl($pubsubhubUrl)
191	{
192	$this->pubsubhubUrl = $pubsubhubUrl;
193	}
194
195	/**
196	* Set this to true to use permalinks instead of direct links.	180	* Set this to true to use permalinks instead of direct links.
197	*	181	*
198	* @param boolean $usePermalinks true to force permalinks.	182	* @param boolean $usePermalinks true to force permalinks.


diff --git a/application/HttpUtils.php b/application/HttpUtils.php index e705cfd6..e8fc1f5d 100644 --- a/application/HttpUtils.php +++ b/application/HttpUtils.php
@@ -297,9 +297,17 @@ function server_url($server)
297	// Keep forwarded port	297	// Keep forwarded port
298	if (strpos($server['HTTP_X_FORWARDED_PORT'], ',') !== false) {	298	if (strpos($server['HTTP_X_FORWARDED_PORT'], ',') !== false) {
299	$ports = explode(',', $server['HTTP_X_FORWARDED_PORT']);	299	$ports = explode(',', $server['HTTP_X_FORWARDED_PORT']);
300	$port = ':' . trim($ports[0]);	300	$port = trim($ports[0]);
301	} else {	301	} else {
302	$port = ':' . $server['HTTP_X_FORWARDED_PORT'];	302	$port = $server['HTTP_X_FORWARDED_PORT'];
		303	}
		304
		305	if (($scheme == 'http' && $port != '80')
		306	\|\| ($scheme == 'https' && $port != '443')
		307	) {
		308	$port = ':' . $port;
		309	} else {
		310	$port = '';
303	}	311	}
304	}	312	}
305		313


diff --git a/application/LinkFilter.php b/application/LinkFilter.php index daa6d9cc..57ebfd5c 100644 --- a/application/LinkFilter.php +++ b/application/LinkFilter.php
@@ -348,7 +348,7 @@ class LinkFilter
348	$tagsOut = $casesensitive ? $tags : mb_convert_case($tags, MB_CASE_LOWER, 'UTF-8');	348	$tagsOut = $casesensitive ? $tags : mb_convert_case($tags, MB_CASE_LOWER, 'UTF-8');
349	$tagsOut = str_replace(',', ' ', $tagsOut);	349	$tagsOut = str_replace(',', ' ', $tagsOut);
350		350
351	return array_values(array_filter(explode(' ', trim($tagsOut)), 'strlen'));	351	return preg_split('/\s+/', $tagsOut, -1, PREG_SPLIT_NO_EMPTY);
352	}	352	}
353	}	353	}
354		354


diff --git a/application/Updater.php b/application/Updater.php index f0d02814..38de3350 100644 --- a/application/Updater.php +++ b/application/Updater.php
@@ -256,6 +256,29 @@ class Updater
256		256
257	return true;	257	return true;
258	}	258	}
		259
		260	/**
		261	* Initialize API settings:
		262	* - api.enabled: true
		263	* - api.secret: generated secret
		264	*/
		265	public function updateMethodApiSettings()
		266	{
		267	if ($this->conf->exists('api.secret')) {
		268	return true;
		269	}
		270
		271	$this->conf->set('api.enabled', true);
		272	$this->conf->set(
		273	'api.secret',
		274	generate_api_secret(
		275	$this->conf->get('credentials.login'),
		276	$this->conf->get('credentials.salt')
		277	)
		278	);
		279	$this->conf->write($this->isLoggedIn);
		280	return true;
		281	}
259	}	282	}
260		283
261	/**	284	/**


diff --git a/application/Url.php b/application/Url.php index c5c7dd18..25a62a8a 100644 --- a/application/Url.php +++ b/application/Url.php
@@ -94,7 +94,10 @@ class Url
94	'utm_',	94	'utm_',
95		95
96	// ATInternet	96	// ATInternet
97	'xtor='	97	'xtor=',
		98
		99	// Other
		100	'campaign_'
98	);	101	);
99		102
100	private static $annoyingFragments = array(	103	private static $annoyingFragments = array(


diff --git a/application/Utils.php b/application/Utils.php index 0a5b476e..35d65224 100644 --- a/application/Utils.php +++ b/application/Utils.php
@@ -231,3 +231,42 @@ function autoLocale($headerLocale)
231	}	231	}
232	setlocale(LC_ALL, $attempts);	232	setlocale(LC_ALL, $attempts);
233	}	233	}
		234
		235	/**
		236	* Generates a default API secret.
		237	*
		238	* Note that the random-ish methods used in this function are predictable,
		239	* which makes them NOT suitable for crypto.
		240	* BUT the random string is salted with the salt and hashed with the username.
		241	* It makes the generated API secret secured enough for Shaarli.
		242	*
		243	* PHP 7 provides random_int(), designed for cryptography.
		244	* More info: http://stackoverflow.com/questions/4356289/php-random-string-generator
		245
		246	* @param string $username Shaarli login username
		247	* @param string $salt Shaarli password hash salt
		248	*
		249	* @return string\|bool Generated API secret, 12 char length.
		250	* Or false if invalid parameters are provided (which will make the API unusable).
		251	*/
		252	function generate_api_secret($username, $salt)
		253	{
		254	if (empty($username) \|\| empty($salt)) {
		255	return false;
		256	}
		257
		258	return str_shuffle(substr(hash_hmac('sha512', uniqid($salt), $username), 10, 12));
		259	}
		260
		261	/**
		262	* Trim string, replace sequences of whitespaces by a single space.
		263	* PHP equivalent to `normalize-space` XSLT function.
		264	*
		265	* @param string $string Input string.
		266	*
		267	* @return mixed Normalized string.
		268	*/
		269	function normalize_spaces($string)
		270	{
		271	return preg_replace('/\s{2,}/', ' ', trim($string));
		272	}


diff --git a/application/api/ApiMiddleware.php b/application/api/ApiMiddleware.php new file mode 100644 index 00000000..162e88e0 --- /dev/null +++ b/application/api/ApiMiddleware.php
@@ -0,0 +1,132 @@
		1	<?php
		2
		3	namespace Shaarli\Api;
		4
		5	use Shaarli\Api\Exceptions\ApiException;
		6	use Shaarli\Api\Exceptions\ApiAuthorizationException;
		7	use Slim\Container;
		8	use Slim\Http\Request;
		9	use Slim\Http\Response;
		10
		11	/**
		12	* Class ApiMiddleware
		13	*
		14	* This will be called before accessing any API Controller.
		15	* Its role is to make sure that the API is enabled, configured, and to validate the JWT token.
		16	*
		17	* If the request is validated, the controller is called, otherwise a JSON error response is returned.
		18	*
		19	* @package Api
		20	*/
		21	class ApiMiddleware
		22	{
		23	/**
		24	* @var int JWT token validity in seconds (9 min).
		25	*/
		26	public static $TOKEN_DURATION = 540;
		27
		28	/**
		29	* @var Container: contains conf, plugins, etc.
		30	*/
		31	protected $container;
		32
		33	/**
		34	* @var \ConfigManager instance.
		35	*/
		36	protected $conf;
		37
		38	/**
		39	* ApiMiddleware constructor.
		40	*
		41	* @param Container $container instance.
		42	*/
		43	public function __construct($container)
		44	{
		45	$this->container = $container;
		46	$this->conf = $this->container->get('conf');
		47	$this->setLinkDb($this->conf);
		48	}
		49
		50	/**
		51	* Middleware execution:
		52	* - check the API request
		53	* - execute the controller
		54	* - return the response
		55	*
		56	* @param Request $request Slim request
		57	* @param Response $response Slim response
		58	* @param callable $next Next action
		59	*
		60	* @return Response response.
		61	*/
		62	public function __invoke($request, $response, $next)
		63	{
		64	try {
		65	$this->checkRequest($request);
		66	$response = $next($request, $response);
		67	} catch(ApiException $e) {
		68	$e->setResponse($response);
		69	$e->setDebug($this->conf->get('dev.debug', false));
		70	$response = $e->getApiResponse();
		71	}
		72
		73	return $response;
		74	}
		75
		76	/**
		77	* Check the request validity (HTTP method, request value, etc.),
		78	* that the API is enabled, and the JWT token validity.
		79	*
		80	* @param Request $request Slim request
		81	*
		82	* @throws ApiAuthorizationException The API is disabled or the token is invalid.
		83	*/
		84	protected function checkRequest($request)
		85	{
		86	if (! $this->conf->get('api.enabled', true)) {
		87	throw new ApiAuthorizationException('API is disabled');
		88	}
		89	$this->checkToken($request);
		90	}
		91
		92	/**
		93	* Check that the JWT token is set and valid.
		94	* The API secret setting must be set.
		95	*
		96	* @param Request $request Slim request
		97	*
		98	* @throws ApiAuthorizationException The token couldn't be validated.
		99	*/
		100	protected function checkToken($request) {
		101	$jwt = $request->getHeaderLine('jwt');
		102	if (empty($jwt)) {
		103	throw new ApiAuthorizationException('JWT token not provided');
		104	}
		105
		106	if (empty($this->conf->get('api.secret'))) {
		107	throw new ApiAuthorizationException('Token secret must be set in Shaarli\'s administration');
		108	}
		109
		110	ApiUtils::validateJwtToken($jwt, $this->conf->get('api.secret'));
		111	}
		112
		113	/**
		114	* Instantiate a new LinkDB including private links,
		115	* and load in the Slim container.
		116	*
		117	* FIXME! LinkDB could use a refactoring to avoid this trick.
		118	*
		119	* @param \ConfigManager $conf instance.
		120	*/
		121	protected function setLinkDb($conf)
		122	{
		123	$linkDb = new \LinkDB(
		124	$conf->get('resource.datastore'),
		125	true,
		126	$conf->get('privacy.hide_public_links'),
		127	$conf->get('redirector.url'),
		128	$conf->get('redirector.encode_url')
		129	);
		130	$this->container['db'] = $linkDb;
		131	}
		132	}


diff --git a/application/api/ApiUtils.php b/application/api/ApiUtils.php new file mode 100644 index 00000000..fbb1e72f --- /dev/null +++ b/application/api/ApiUtils.php
@@ -0,0 +1,51 @@
		1	<?php
		2
		3	namespace Shaarli\Api;
		4
		5	use Shaarli\Api\Exceptions\ApiAuthorizationException;
		6
		7	/**
		8	* Class ApiUtils
		9	*
		10	* Utility functions for the API.
		11	*/
		12	class ApiUtils
		13	{
		14	/**
		15	* Validates a JWT token authenticity.
		16	*
		17	* @param string $token JWT token extracted from the headers.
		18	* @param string $secret API secret set in the settings.
		19	*
		20	* @throws ApiAuthorizationException the token is not valid.
		21	*/
		22	public static function validateJwtToken($token, $secret)
		23	{
		24	$parts = explode('.', $token);
		25	if (count($parts) != 3 \|\| strlen($parts[0]) == 0 \|\| strlen($parts[1]) == 0) {
		26	throw new ApiAuthorizationException('Malformed JWT token');
		27	}
		28
		29	$genSign = hash_hmac('sha512', $parts[0] .'.'. $parts[1], $secret);
		30	if ($parts[2] != $genSign) {
		31	throw new ApiAuthorizationException('Invalid JWT signature');
		32	}
		33
		34	$header = json_decode(base64_decode($parts[0]));
		35	if ($header === null) {
		36	throw new ApiAuthorizationException('Invalid JWT header');
		37	}
		38
		39	$payload = json_decode(base64_decode($parts[1]));
		40	if ($payload === null) {
		41	throw new ApiAuthorizationException('Invalid JWT payload');
		42	}
		43
		44	if (empty($payload->iat)
		45	\|\| $payload->iat > time()
		46	\|\| time() - $payload->iat > ApiMiddleware::$TOKEN_DURATION
		47	) {
		48	throw new ApiAuthorizationException('Invalid JWT issued time');
		49	}
		50	}
		51	}


diff --git a/application/api/controllers/ApiController.php b/application/api/controllers/ApiController.php new file mode 100644 index 00000000..1dd47f17 --- /dev/null +++ b/application/api/controllers/ApiController.php
@@ -0,0 +1,54 @@
		1	<?php
		2
		3	namespace Shaarli\Api\Controllers;
		4
		5	use \Slim\Container;
		6
		7	/**
		8	* Abstract Class ApiController
		9	*
		10	* Defines REST API Controller dependencies injected from the container.
		11	*
		12	* @package Api\Controllers
		13	*/
		14	abstract class ApiController
		15	{
		16	/**
		17	* @var Container
		18	*/
		19	protected $ci;
		20
		21	/**
		22	* @var \ConfigManager
		23	*/
		24	protected $conf;
		25
		26	/**
		27	* @var \LinkDB
		28	*/
		29	protected $linkDb;
		30
		31	/**
		32	* @var int\|null JSON style option.
		33	*/
		34	protected $jsonStyle;
		35
		36	/**
		37	* ApiController constructor.
		38	*
		39	* Note: enabling debug mode displays JSON with readable formatting.
		40	*
		41	* @param Container $ci Slim container.
		42	*/
		43	public function __construct(Container $ci)
		44	{
		45	$this->ci = $ci;
		46	$this->conf = $ci->get('conf');
		47	$this->linkDb = $ci->get('db');
		48	if ($this->conf->get('dev.debug', false)) {
		49	$this->jsonStyle = JSON_PRETTY_PRINT;
		50	} else {
		51	$this->jsonStyle = null;
		52	}
		53	}
		54	}


diff --git a/application/api/controllers/Info.php b/application/api/controllers/Info.php new file mode 100644 index 00000000..25433f72 --- /dev/null +++ b/application/api/controllers/Info.php
@@ -0,0 +1,42 @@
		1	<?php
		2
		3	namespace Shaarli\Api\Controllers;
		4
		5	use Slim\Http\Request;
		6	use Slim\Http\Response;
		7
		8	/**
		9	* Class Info
		10	*
		11	* REST API Controller: /info
		12	*
		13	* @package Api\Controllers
		14	* @see http://shaarli.github.io/api-documentation/#links-instance-information-get
		15	*/
		16	class Info extends ApiController
		17	{
		18	/**
		19	* Service providing various information about Shaarli instance.
		20	*
		21	* @param Request $request Slim request.
		22	* @param Response $response Slim response.
		23	*
		24	* @return Response response.
		25	*/
		26	public function getInfo($request, $response)
		27	{
		28	$info = [
		29	'global_counter' => count($this->linkDb),
		30	'private_counter' => count_private($this->linkDb),
		31	'settings' => array(
		32	'title' => $this->conf->get('general.title', 'Shaarli'),
		33	'header_link' => $this->conf->get('general.header_link', '?'),
		34	'timezone' => $this->conf->get('general.timezone', 'UTC'),
		35	'enabled_plugins' => $this->conf->get('general.enabled_plugins', []),
		36	'default_private_links' => $this->conf->get('privacy.default_private_links', false),
		37	),
		38	];
		39
		40	return $response->withJson($info, 200, $this->jsonStyle);
		41	}
		42	}


diff --git a/application/api/exceptions/ApiAuthorizationException.php b/application/api/exceptions/ApiAuthorizationException.php new file mode 100644 index 00000000..0e3f4776 --- /dev/null +++ b/application/api/exceptions/ApiAuthorizationException.php
@@ -0,0 +1,34 @@
		1	<?php
		2
		3	namespace Shaarli\Api\Exceptions;
		4
		5	/**
		6	* Class ApiAuthorizationException
		7	*
		8	* Request not authorized, return a 401 HTTP code.
		9	*/
		10	class ApiAuthorizationException extends ApiException
		11	{
		12	/**
		13	* {@inheritdoc}
		14	*/
		15	public function getApiResponse()
		16	{
		17	$this->setMessage('Not authorized');
		18	return $this->buildApiResponse(401);
		19	}
		20
		21	/**
		22	* Set the exception message.
		23	*
		24	* We only return a generic error message in production mode to avoid giving
		25	* to much security information.
		26	*
		27	* @param $message string the exception message.
		28	*/
		29	public function setMessage($message)
		30	{
		31	$original = $this->debug === true ? ': '. $this->getMessage() : '';
		32	$this->message = $message . $original;
		33	}
		34	}


diff --git a/application/api/exceptions/ApiBadParametersException.php b/application/api/exceptions/ApiBadParametersException.php new file mode 100644 index 00000000..e5cc19ea --- /dev/null +++ b/application/api/exceptions/ApiBadParametersException.php
@@ -0,0 +1,19 @@
		1	<?php
		2
		3	namespace Shaarli\Api\Exceptions;
		4
		5	/**
		6	* Class ApiBadParametersException
		7	*
		8	* Invalid request exception, return a 400 HTTP code.
		9	*/
		10	class ApiBadParametersException extends ApiException
		11	{
		12	/**
		13	* {@inheritdoc}
		14	*/
		15	public function getApiResponse()
		16	{
		17	return $this->buildApiResponse(400);
		18	}
		19	}


diff --git a/application/api/exceptions/ApiException.php b/application/api/exceptions/ApiException.php new file mode 100644 index 00000000..c8490e0c --- /dev/null +++ b/application/api/exceptions/ApiException.php
@@ -0,0 +1,77 @@
		1	<?php
		2
		3	namespace Shaarli\Api\Exceptions;
		4
		5	use Slim\Http\Response;
		6
		7	/**
		8	* Abstract class ApiException
		9	*
		10	* Parent Exception related to the API, able to generate a valid Response (ResponseInterface).
		11	* Also can include various information in debug mode.
		12	*/
		13	abstract class ApiException extends \Exception {
		14
		15	/**
		16	* @var Response instance from Slim.
		17	*/
		18	protected $response;
		19
		20	/**
		21	* @var bool Debug mode enabled/disabled.
		22	*/
		23	protected $debug;
		24
		25	/**
		26	* Build the final response.
		27	*
		28	* @return Response Final response to give.
		29	*/
		30	public abstract function getApiResponse();
		31
		32	/**
		33	* Creates ApiResponse body.
		34	* In production mode, it will only return the exception message,
		35	* but in dev mode, it includes additional information in an array.
		36	*
		37	* @return array\|string response body
		38	*/
		39	protected function getApiResponseBody() {
		40	if ($this->debug !== true) {
		41	return $this->getMessage();
		42	}
		43	return [
		44	'message' => $this->getMessage(),
		45	'stacktrace' => get_class($this) .': '. $this->getTraceAsString()
		46	];
		47	}
		48
		49	/**
		50	* Build the Response object to return.
		51	*
		52	* @param int $code HTTP status.
		53	*
		54	* @return Response with status + body.
		55	*/
		56	protected function buildApiResponse($code)
		57	{
		58	$style = $this->debug ? JSON_PRETTY_PRINT : null;
		59	return $this->response->withJson($this->getApiResponseBody(), $code, $style);
		60	}
		61
		62	/**
		63	* @param Response $response
		64	*/
		65	public function setResponse($response)
		66	{
		67	$this->response = $response;
		68	}
		69
		70	/**
		71	* @param bool $debug
		72	*/
		73	public function setDebug($debug)
		74	{
		75	$this->debug = $debug;
		76	}
		77	}


diff --git a/application/api/exceptions/ApiInternalException.php b/application/api/exceptions/ApiInternalException.php new file mode 100644 index 00000000..1cb05532 --- /dev/null +++ b/application/api/exceptions/ApiInternalException.php
@@ -0,0 +1,19 @@
		1	<?php
		2
		3	namespace Shaarli\Api\Exceptions;
		4
		5	/**
		6	* Class ApiInternalException
		7	*
		8	* Generic exception, return a 500 HTTP code.
		9	*/
		10	class ApiInternalException extends ApiException
		11	{
		12	/**
		13	* @inheritdoc
		14	*/
		15	public function getApiResponse()
		16	{
		17	return $this->buildApiResponse(500);
		18	}
		19	}


diff --git a/application/config/ConfigManager.php b/application/config/ConfigManager.php index f5f753f8..ca8918b5 100644 --- a/application/config/ConfigManager.php +++ b/application/config/ConfigManager.php
@@ -20,6 +20,8 @@ class ConfigManager
20	*/	20	*/
21	protected static $NOT_FOUND = 'NOT_FOUND';	21	protected static $NOT_FOUND = 'NOT_FOUND';
22		22
		23	public static $DEFAULT_PLUGINS = array('qrcode');
		24
23	/**	25	/**
24	* @var string Config folder.	26	* @var string Config folder.
25	*/	27	*/
@@ -308,7 +310,7 @@ class ConfigManager
308		310
309	$this->setEmpty('general.header_link', '?');	311	$this->setEmpty('general.header_link', '?');
310	$this->setEmpty('general.links_per_page', 20);	312	$this->setEmpty('general.links_per_page', 20);
311	$this->setEmpty('general.enabled_plugins', array('qrcode'));	313	$this->setEmpty('general.enabled_plugins', self::$DEFAULT_PLUGINS);
312		314
313	$this->setEmpty('updates.check_updates', false);	315	$this->setEmpty('updates.check_updates', false);
314	$this->setEmpty('updates.check_updates_branch', 'stable');	316	$this->setEmpty('updates.check_updates_branch', 'stable');