Home Explore Help
Register Sign In
URBANMS
/
EXCELIA_DBARR
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: cdef406346
Branches Tags
EXCELIA_DBARR
/
api
/
class
/
api_login.class.php

api_login.class.php 7.2 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175 
  1. <?php
    2. 

  2. /* Copyright (C) 2015   Jean-François Ferry     <jfefe@aternatik.fr>
    3. 

  3.  * Copyright (C) 2016	Laurent Destailleur		<eldy@users.sourceforge.net>
    4. 

  4.  *
    5. 

  5.  * This program is free software; you can redistribute it and/or modify
    6. 

  6.  * it under the terms of the GNU General Public License as published by
    7. 

  7.  * the Free Software Foundation; either version 3 of the License, or
    8. 

  8.  * (at your option) any later version.
    9. 

  9.  *
    10. 

  10.  * This program is distributed in the hope that it will be useful,
    11. 

  11.  * but WITHOUT ANY WARRANTY; without even the implied warranty of
    12. 

  12.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13. 

  13.  * GNU General Public License for more details.
    14. 

  14.  *
    15. 

  15.  * You should have received a copy of the GNU General Public License
    16. 

  16.  * along with this program. If not, see <https://www.gnu.org/licenses/>.
    17. 

  17.  */
    18. 

  18. 

  19. use Luracast\Restler\RestException;
    20. 

  20. 

  21. require_once DOL_DOCUMENT_ROOT.'/core/lib/security.lib.php';
    22. 

  22. require_once DOL_DOCUMENT_ROOT.'/user/class/user.class.php';
    23. 

  23. 

  24. /**
    25. 

  25.  * API that allows to log in with an user account.
    26. 

  26.  */
    27. 

  27. class Login
    28. 

  28. {
    29. 

  29. 

  30. 	/**
    31. 

  31. 	 * Constructor of the class
    32. 

  32. 	 */
    33. 

  33. 	public function __construct()
    34. 

  34. 	{
    35. 

  35. 		global $conf, $db;
    36. 

  36. 		$this->db = $db;
    37. 

  37. 

  38. 		//$conf->global->MAIN_MODULE_API_LOGIN_DISABLED = 1;
    39. 

  39. 		if (!empty($conf->global->MAIN_MODULE_API_LOGIN_DISABLED)) {
    40. 

  40. 			throw new RestException(403, "Error login APIs are disabled. You must get the token from backoffice to be able to use APIs");
    41. 

  41. 		}
    42. 

  42. 	}
    43. 

  43. 

  44. 	/**
    45. 

  45. 	 * Login
    46. 

  46. 	 *
    47. 

  47. 	 * Request the API token for a couple username / password.
    48. 

  48. 	 * WARNING: You should NEVER use this API, like you should never use the similare API that uses the POST method. This will expose your password.
    49. 

  49. 	 * To use the APIs, you should instead set an API token to the user you want to allow to use API (This API token called DOLAPIKEY can be found/set on the user page) and use this token as credential for any API call.
    50. 

  50. 	 * From the API explorer, you can enter directly the "DOLAPIKEY" into the field at the top right of the page to get access to any allowed APIs.
    51. 

  51. 	 *
    52. 

  52. 	 * @param   string  $login			User login
    53. 

  53. 	 * @param   string  $password		User password
    54. 

  54. 	 * @param   string  $entity			Entity (when multicompany module is used). '' means 1=first company.
    55. 

  55. 	 * @param   int     $reset          Reset token (0=get current token, 1=ask a new token and canceled old token. This means access using current existing API token of user will fails: new token will be required for new access)
    56. 

  56. 	 * @return  array                   Response status and user token
    57. 

  57. 	 *
    58. 

  58. 	 * @throws RestException 403 Access denied
    59. 

  59. 	 * @throws RestException 500 System error
    60. 

  60. 	 *
    61. 

  61. 	 * @url GET /
    62. 

  62. 	 */
    63. 

  63. 	public function loginUnsecured($login, $password, $entity = '', $reset = 0)
    64. 

  64. 	{
    65. 

  65. 		return $this->index($login, $password, $entity, $reset);
    66. 

  66. 	}
    67. 

  67. 

  68. 	/**
    69. 

  69. 	 * Login
    70. 

  70. 	 *
    71. 

  71. 	 * Request the API token for a couple username / password.
    72. 

  72. 	 * WARNING: You should NEVER use this API, like you should never use the similare API that uses the POST method. This will expose your password.
    73. 

  73. 	 * To use the APIs, you should instead set an API token to the user you want to allow to use API (This API token called DOLAPIKEY can be found/set on the user page) and use this token as credential for any API call.
    74. 

  74. 	 * From the API explorer, you can enter directly the "DOLAPIKEY" into the field at the top right of the page to get access to any allowed APIs.
    75. 

  75. 	 *
    76. 

  76. 	 * @param   string  $login			User login
    77. 

  77. 	 * @param   string  $password		User password
    78. 

  78. 	 * @param   string  $entity			Entity (when multicompany module is used). '' means 1=first company.
    79. 

  79. 	 * @param   int     $reset          Reset token (0=get current token, 1=ask a new token and canceled old token. This means access using current existing API token of user will fails: new token will be required for new access)
    80. 

  80. 	 * @return  array                   Response status and user token
    81. 

  81. 	 *
    82. 

  82. 	 * @throws RestException 403 Access denied
    83. 

  83. 	 * @throws RestException 500 System error
    84. 

  84. 	 *
    85. 

  85. 	 * @url POST /
    86. 

  86. 	 */
    87. 

  87. 	public function index($login, $password, $entity = '', $reset = 0)
    88. 

  88. 	{
    89. 

  89. 		global $conf, $dolibarr_main_authentication, $dolibarr_auto_user;
    90. 

  90. 

  91. 		// Is the login API disabled ? The token must be generated from backoffice only.
    92. 

  92. 		if (!empty($conf->global->API_DISABLE_LOGIN_API)) {
    93. 

  93. 			dol_syslog("Warning: A try to use the login API has been done while the login API is disabled. You must generate or get the token from the backoffice.", LOG_WARNING);
    94. 

  94. 			throw new RestException(403, "Error, the login API has been disabled for security purpose. You must generate or get the token from the backoffice.");
    95. 

  95. 		}
    96. 

  96. 

  97. 		// Authentication mode
    98. 

  98. 		if (empty($dolibarr_main_authentication)) {
    99. 

  99. 			$dolibarr_main_authentication = 'dolibarr';
    100. 

  100. 		}
    101. 

  101. 

  102. 		// Authentication mode: forceuser
    103. 

  103. 		if ($dolibarr_main_authentication == 'forceuser') {
    104. 

  104. 			if (empty($dolibarr_auto_user)) {
    105. 

  105. 				$dolibarr_auto_user = 'auto';
    106. 

  106. 			}
    107. 

  107. 			if ($dolibarr_auto_user != $login) {
    108. 

  108. 				dol_syslog("Warning: your instance is set to use the automatic forced login '".$dolibarr_auto_user."' that is not the requested login. API usage is forbidden in this mode.");
    109. 

  109. 				throw new RestException(403, "Your instance is set to use the automatic login '".$dolibarr_auto_user."' that is not the requested login. API usage is forbidden in this mode.");
    110. 

  110. 			}
    111. 

  111. 		}
    112. 

  112. 

  113. 		// Set authmode
    114. 

  114. 		$authmode = explode(',', $dolibarr_main_authentication);
    115. 

  115. 

  116. 		if ($entity != '' && !is_numeric($entity)) {
    117. 

  117. 			throw new RestException(403, "Bad value for entity, must be the numeric ID of company.");
    118. 

  118. 		}
    119. 

  119. 		if ($entity == '') {
    120. 

  120. 			$entity = 1;
    121. 

  121. 		}
    122. 

  122. 

  123. 		include_once DOL_DOCUMENT_ROOT.'/core/lib/security2.lib.php';
    124. 

  124. 		$login = checkLoginPassEntity($login, $password, $entity, $authmode, 'api');		// Check credentials.
    125. 

  125. 		if (empty($login)) {
    126. 

  126. 			throw new RestException(403, 'Access denied');
    127. 

  127. 		}
    128. 

  128. 

  129. 		$token = 'failedtogenerateorgettoken';
    130. 

  130. 

  131. 		$tmpuser = new User($this->db);
    132. 

  132. 		$tmpuser->fetch(0, $login, 0, 0, $entity);
    133. 

  133. 		if (empty($tmpuser->id)) {
    134. 

  134. 			throw new RestException(500, 'Failed to load user');
    135. 

  135. 		}
    136. 

  136. 

  137. 		// Renew the hash
    138. 

  138. 		if (empty($tmpuser->api_key) || $reset) {
    139. 

  139. 			$tmpuser->getrights();
    140. 

  140. 			if (empty($tmpuser->rights->user->self->creer)) {
    141. 

  141. 				if (empty($tmpuser->api_key)) {
    142. 

  142. 					throw new RestException(403, 'No API token set for this user and user need write permission on itself to reset its API token');
    143. 

  143. 				} else {
    144. 

  144. 					throw new RestException(403, 'User need write permission on itself to reset its API token');
    145. 

  145. 				}
    146. 

  146. 			}
    147. 

  147. 

  148. 			// Generate token for user
    149. 

  149. 			$token = dol_hash($login.uniqid().(empty($conf->global->MAIN_API_KEY)?'':$conf->global->MAIN_API_KEY), 1);
    150. 

  150. 

  151. 			// We store API token into database
    152. 

  152. 			$sql = "UPDATE ".MAIN_DB_PREFIX."user";
    153. 

  153. 			$sql .= " SET api_key = '".$this->db->escape(dolEncrypt($token, '', '', 'dolibarr'))."'";
    154. 

  154. 			$sql .= " WHERE login = '".$this->db->escape($login)."'";
    155. 

  155. 

  156. 			dol_syslog(get_class($this)."::login", LOG_DEBUG); // No log
    157. 

  157. 			$result = $this->db->query($sql);
    158. 

  158. 			if (!$result) {
    159. 

  159. 				throw new RestException(500, 'Error when updating api_key for user :'.$this->db->lasterror());
    160. 

  160. 			}
    161. 

  161. 		} else {
    162. 

  162. 			$token = $tmpuser->api_key;
    163. 

  163. 		}
    164. 

  164. 

  165. 		//return token
    166. 

  166. 		return array(
    167. 

  167. 			'success' => array(
    168. 

  168. 				'code' => 200,
    169. 

  169. 				'token' => $token,
    170. 

  170. 				'entity' => $tmpuser->entity,
    171. 

  171. 				'message' => 'Welcome '.$login.($reset ? ' - Token is new' : ' - This is your token (recorded for your user). You can use it to make any REST API call, or enter it into the DOLAPIKEY field to use the Dolibarr API explorer.')
    172. 

  172. 			)
    173. 

  173. 		);
    174. 

  174. 	}
    175. 

  175. }
    176.