From 18e6796726d73d7dc90ecdd16c181493941f5487 Mon Sep 17 00:00:00 2001 From: ArthurHoaro Date: Thu, 15 Dec 2016 10:13:00 +0100 Subject: REST API structure using Slim framework * REST API routes are handle by Slim. * Every API controller go through ApiMiddleware which handles security. * First service implemented `/info`, for tests purpose. --- application/api/ApiUtils.php | 51 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 application/api/ApiUtils.php (limited to 'application/api/ApiUtils.php') diff --git a/application/api/ApiUtils.php b/application/api/ApiUtils.php new file mode 100644 index 00000000..fbb1e72f --- /dev/null +++ b/application/api/ApiUtils.php @@ -0,0 +1,51 @@ +iat) + || $payload->iat > time() + || time() - $payload->iat > ApiMiddleware::$TOKEN_DURATION + ) { + throw new ApiAuthorizationException('Invalid JWT issued time'); + } + } +} -- cgit v1.2.3 From 7a9daac56dc64ec1ddb12adece3e1a8f71778cc7 Mon Sep 17 00:00:00 2001 From: VirtualTam Date: Wed, 4 Jan 2017 11:41:05 +0100 Subject: API: fix JWT signature verification Fixes https://github.com/shaarli/Shaarli/issues/737 Added: - Base64Url utilities Fixed: - use URL-safe Base64 encoding/decoding functions - use byte representations for HMAC digests - all JWT parts are Base64Url-encoded See: - https://en.wikipedia.org/wiki/JSON_Web_Token - https://tools.ietf.org/html/rfc7519 - https://scotch.io/tutorials/the-anatomy-of-a-json-web-token - https://jwt.io/introduction/ - https://en.wikipedia.org/wiki/Base64#URL_applications - https://secure.php.net/manual/en/function.base64-encode.php#103849 Signed-off-by: VirtualTam --- application/api/ApiUtils.php | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) (limited to 'application/api/ApiUtils.php') diff --git a/application/api/ApiUtils.php b/application/api/ApiUtils.php index fbb1e72f..a419c396 100644 --- a/application/api/ApiUtils.php +++ b/application/api/ApiUtils.php 
@@ -1,13 +1,11 @@ Date: Thu, 22 Dec 2016 14:36:45 +0100 Subject: REST API: implement getLinks service See http://shaarli.github.io/api-documentation/#links-links-collection-get --- application/api/ApiUtils.php | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) (limited to 'application/api/ApiUtils.php')
diff --git a/application/api/ApiUtils.php b/application/api/ApiUtils.php
index fbb1e72f..d0242919 100644
--- a/application/api/ApiUtils.php
+++ b/application/api/ApiUtils.php
@@ -48,4 +48,35 @@ class ApiUtils
 throw new ApiAuthorizationException('Invalid JWT issued time');
 }
 }
+
+ /**
+ * Format a Link for the REST API.
+ *
+ * @param array $link Link data read from the datastore.
+ * @param string $indexUrl Shaarli's index URL (used for relative URL).
+ *
+ * @return array Link data formatted for the REST API.
+ */
+ public static function formatLink($link, $indexUrl)
+ {
+ $out['id'] = $link['id'];
+ // Not an internal link
+ if ($link['url'][0] != '?') {
+ $out['url'] = $link['url'];
+ } else {
+ $out['url'] = $indexUrl . $link['url'];
+ }
+ $out['shorturl'] = $link['shorturl'];
+ $out['title'] = $link['title'];
+ $out['description'] = $link['description'];
+ $out['tags'] = preg_split('/\s+/', $link['tags'], -1, PREG_SPLIT_NO_EMPTY);
+ $out['private'] = $link['private'] == true;
+ $out['created'] = $link['created']->format(\DateTime::ATOM);
+ if (! empty($link['updated'])) {
+ $out['updated'] = $link['updated']->format(\DateTime::ATOM);
+ } else {
+ $out['updated'] = '';
+ }
+ return $out;
+ }
 }
-- cgit v1.2.3
From 68016e37983b882c51c6ac92da6f6cc1250676e5 Mon Sep 17 00:00:00 2001 From: ArthurHoaro Date: Thu, 5 Jan 2017 15:58:24 +0100 Subject: REST API: implement POST link service --- application/api/ApiUtils.php | 35 +++++++++++++++++++++++++++++++++-- 1 file changed, 33 insertions(+), 2 deletions(-) (limited to 'application/api/ApiUtils.php')
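Review bot: In `formatLink`, `$link['url'][0] != '?'` reads the first byte of the URL without checking that the string is non-empty, so a stored link with an empty `url` raises an uninitialized-offset notice (a warning on newer PHP) while the response is being built. A prefix test avoids the offset and keeps the same two branches: `if (strpos($link['url'], '?') !== 0) {`. `$out` is also filled without being initialised; `$out = [];` as the first statement makes the returned shape explicit. The method body is complete in this hunk, but whether the datastore can actually hold an empty URL is not visible here.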
diff --git a/application/api/ApiUtils.php b/application/api/ApiUtils.php
index d4015865..b8155a34 100644
--- a/application/api/ApiUtils.php
+++ b/application/api/ApiUtils.php
@@ -12,7 +12,7 @@ class ApiUtils
 /**
 * Validates a JWT token authenticity.
 *
- * @param string $token JWT token extracted from the headers.
+ * @param string $token JWT token extracted from the headers.
 * @param string $secret API secret set in the settings.
 *
 * @throws ApiAuthorizationException the token is not valid.
@@ -50,7 +50,7 @@ class ApiUtils
 /**
 * Format a Link for the REST API.
 *
- * @param array $link Link data read from the datastore.
+ * @param array $link Link data read from the datastore.
 * @param string $indexUrl Shaarli's index URL (used for relative URL).
 *
 * @return array Link data formatted for the REST API.
@@ -77,4 +77,35 @@ class ApiUtils
 }
 return $out;
 }
+
+ /**
+ * Convert a link given through a request, to a valid link for LinkDB.
+ *
+ * If no URL is provided, it will generate a local note URL.
+ * If no title is provided, it will use the URL as title.
+ *
+ * @param array $input Request Link.
+ * @param bool $defaultPrivate Request Link.
+ *
+ * @return array Formatted link.
+ */
+ public static function buildLinkFromRequest($input, $defaultPrivate)
+ {
+ $input['url'] = ! empty($input['url']) ? cleanup_url($input['url']) : '';
+ if (isset($input['private'])) {
+ $private = filter_var($input['private'], FILTER_VALIDATE_BOOLEAN);
+ } else {
+ $private = $defaultPrivate;
+ }
+
+ $link = [
+ 'title' => ! empty($input['title']) ? $input['title'] : $input['url'],
+ 'url' => $input['url'],
+ 'description' => ! empty($input['description']) ? $input['description'] : '',
+ 'tags' => ! empty($input['tags']) ? implode(' ', $input['tags']) : '',
+ 'private' => $private,
+ 'created' => new \DateTime(),
+ ];
+ return $link;
+ }
 }
-- cgit v1.2.3
From cf9181dddf8b6113b1b017e4bcb21fac0a0b1c83 Mon Sep 17 00:00:00 2001
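Review bot: `buildLinkFromRequest` passes `$input['tags']` straight to `implode()`, but `$input` is the request body, so a client that sends `tags` as a string or number reaches `implode()` with a non-array argument (a warning and a null value on older PHP, a TypeError on PHP 8). Guard the type at this boundary, e.g. `'tags' => (! empty($input['tags']) && is_array($input['tags'])) ? implode(' ', $input['tags']) : '',`, or reject the request with a client error. `title` and `description` are likewise stored without a type check. The docblock repeats "Request Link." for `$defaultPrivate`; it should read something like `@param bool $defaultPrivate Visibility applied when the request omits 'private'.` The first two hunks in this file only realign docblocks, and `cleanup_url()` is defined outside this diff, so what it normalises or rejects cannot be judged from here.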
From: ArthurHoaro Date: Sat, 1 Apr 2017 11:11:25 +0200 Subject: REST API: implement PUT method * Related to #609 * Documentation: http://shaarli.github.io/api-documentation/#links-link-put --- application/api/ApiUtils.php | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) (limited to 'application/api/ApiUtils.php')
diff --git a/application/api/ApiUtils.php b/application/api/ApiUtils.php
index b8155a34..f154bb52 100644
--- a/application/api/ApiUtils.php
+++ b/application/api/ApiUtils.php
@@ -108,4 +108,30 @@ class ApiUtils
 ];
 return $link;
 }
+
+ /**
+ * Update link fields using an updated link object.
+ *
+ * @param array $oldLink data
+ * @param array $newLink data
+ *
+ * @return array $oldLink updated with $newLink values
+ */
+ public static function updateLink($oldLink, $newLink)
+ {
+ foreach (['title', 'url', 'description', 'tags', 'private'] as $field) {
+ $oldLink[$field] = $newLink[$field];
+ }
+ $oldLink['updated'] = new \DateTime();
+
+ if (empty($oldLink['url'])) {
+ $oldLink['url'] = '?' . $oldLink['shorturl'];
+ }
+
+ if (empty($oldLink['title'])) {
+ $oldLink['title'] = $oldLink['url'];
+ }
+
+ return $oldLink;
+ }
 }
-- cgit v1.2.3
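Review bot: `updateLink` copies a fixed list of five fields and leaves `id`, `shorturl` and `created` untouched, but the docblock neither says that this list is the set of fields a client may change nor that `$newLink` must contain all five keys. A missing key makes `$newLink[$field]` raise an undefined-index notice and overwrites the stored value with null. I would add above the loop `// Only these fields may be changed through the API; id, shorturl and created always come from $oldLink.` and extend the parameter line to `@param array $newLink data, with title, url, description, tags and private all set`. The method body is complete in this hunk; its callers are not shown.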