|
|
|
<?php
|
|
|
|
//from : https://api.wordpress.org/secret-key/1.1/salt
|
|
|
|
define('AUTH_KEY', '2(QMu)jt|2!(9t]V!4SB/y,+T]LcvGZ8-sV@vS6RUgR!_]&S}{6/RZjAmLeW28On');
|
|
|
|
|
|
|
|
function get_client_ip()
|
|
|
|
{
|
|
|
|
$ip = null;
|
|
|
|
if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
|
|
|
|
$ip = $_SERVER['HTTP_CLIENT_IP'];
|
|
|
|
} elseif (!empty($_SERVER['REMOTE_ADDR'])) {
|
|
|
|
$ip = $_SERVER['REMOTE_ADDR'];
|
|
|
|
} elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
|
|
|
|
$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
|
|
|
|
}
|
|
|
|
return($ip);
|
|
|
|
}
|
|
|
|
|
|
|
|
$keyring = array(
|
|
|
|
'28__u`AAs51n2KqX?hk27/=|mQI-Sv;]nP%Sd:27+pd#eb{KUK+Vui&a_|$m{+8x',
|
|
|
|
'{KoCg/!0?7_|&pjyh!D%+IHpaB]rj|NA<^}mU|un= =}|`le[~f)&h-%Qpr>mYLA',
|
|
|
|
'0{-f_Z/)J?Dr-=B2G=+U-+&ZTvN2m[+){7nO&rd{t6+|8BW!(+&Lx!U{gF&t.m(8',
|
|
|
|
'TY@V>x3x6= |?K|.dBEt2U;9su-h4kS_-4~+AuDvV4<0.:}^o:l;*&WC6P:<58?t',
|
|
|
|
'?GOHK0|EpH`X1.1DZ,-r*`?(7+<4rbG?;W*ReX+<#CUuGiQ,G^c[SJh!Q#@aHB #',
|
|
|
|
'JdF?Zl=7tE{|+VDh%SzDVj[$nV$Emkt!T9&lhUM7Ty/yRadrv,T(S7CEk rIsx,$',
|
|
|
|
'y:XeG#<+>Jb+cqB*^doW[2|N]ju8l<4?$ek?M?0aFaY>W&TJw rNCz+L7+ZN;#f=',
|
|
|
|
'E|ngUL<N+f)Qfgs$ggG5ejS${9NN7-)qlH]iB;R]xvy%e3G`C+Lb $?K(5F-Rb%u',
|
|
|
|
'!|MuVONHh33|l|`|RqQ|r%sZgCUo?FIXlPBQ`4J/Ajc$fvyS>],O).^DqOWo~Jzy',
|
|
|
|
'i2El=I~}<o.qv;A8~ {i/3]j*XghY8K+}|M]mc-Q ~m$#bJY8NdA-jOUF=|+VLyg',
|
|
|
|
'}#]wSs]%9,I0SF7A5~|5,3S_,/-(#z+L@oxJ<PM|Jro~p=P.c^EMqDgDf-F4o?Xw',
|
|
|
|
'o6h{,vP2CQ&-)gc|Z2^U^{Y^htKH}[IS|&GUtY`E`a)D@kaJr$8,dKSSm@c2D7y+'
|
|
|
|
);
|
|
|
|
|
|
|
|
function is_valid_api_key2($key) {
|
|
|
|
global $keyring;
|
|
|
|
// la clef envoyé es de la forme un md5 : un sel
|
|
|
|
// on coupe la clef en deux
|
|
|
|
$keyset = explode(':',$key);
|
|
|
|
//la premiere partie est un md5
|
|
|
|
@ $coded_key = $keyset[0];
|
|
|
|
// la deuxième est un sel => en rélité la case de tableau à utiliser
|
|
|
|
@ $salt = (int) $keyset[1];
|
|
|
|
// on utiulise l'heure comme référence
|
|
|
|
$time = strftime('%Y%m%d%H');
|
|
|
|
|
|
|
|
// connection BDD
|
|
|
|
$dbhost = 'localhost';
|
|
|
|
$dbuser = 'root';
|
|
|
|
$dbpass = '';
|
|
|
|
$dbname = 'apib3';
|
|
|
|
@ $mysqli = new mysqli($dbhost, $dbuser, $dbpass, $dbname);
|
|
|
|
// on protège les cractères sensible de la clef interne
|
|
|
|
$mysql_safe_salt = $mysqli->real_escape_string($keyring[$salt]);
|
|
|
|
// on protège les cractères sensible de la clef fournie
|
|
|
|
$mysql_safe_key = $mysqli->real_escape_string($coded_key);
|
|
|
|
//on fait le md5 + la comparaison dans le SQL directement
|
|
|
|
$sql = "SELECT * FROM `apikey` WHERE MD5(CONCAT(`api_key`,'".$mysql_safe_salt."','".$time."')) = '".$mysql_safe_key."'";
|
|
|
|
//die($sql);
|
|
|
|
$result = $mysqli->query($sql);
|
|
|
|
if ($result->num_rows > 0) {
|
|
|
|
$mysqli->close();
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
$mysqli->close();
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
function is_valid_api_key($key) {
|
|
|
|
$dbhost = 'localhost';
|
|
|
|
$dbuser = 'root';
|
|
|
|
$dbpass = '';
|
|
|
|
$dbname = 'apib3';
|
|
|
|
@ $mysqli = new mysqli($dbhost, $dbuser, $dbpass, $dbname);
|
|
|
|
$sql = "SELECT * FROM `apikey` WHERE `api_key` LIKE '".$key."'";
|
|
|
|
$result = $mysqli->query($sql);
|
|
|
|
if ($result->num_rows > 0) {
|
|
|
|
$mysqli->close();
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
$mysqli->close();
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
//header('Content-type: text/plain;charset=utf-8');
|
|
|
|
header('Content-type: application/json;charset=utf-8');
|
|
|
|
$vars=array();
|
|
|
|
foreach(array('REQUEST_METHOD',
|
|
|
|
'REDIRECT_URL',
|
|
|
|
'QUERY_STRING',
|
|
|
|
'REQUEST_URI',
|
|
|
|
'REQUEST_TIME_FLOAT',
|
|
|
|
'REQUEST_TIME') as $key)
|
|
|
|
{
|
|
|
|
if(isset($_SERVER[$key]))
|
|
|
|
{
|
|
|
|
$vars[$key] = $_SERVER[$key];
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
$vars[$key] = "";
|
|
|
|
}
|
|
|
|
}
|
|
|
|
//echo json_encode($vars);
|
|
|
|
$query = preg_replace("/^\/api/","",$vars['REDIRECT_URL']);
|
|
|
|
//echo $query;
|
|
|
|
|
|
|
|
switch($query)
|
|
|
|
{
|
|
|
|
case "/toto/" :
|
|
|
|
case "/test/" :
|
|
|
|
header('HTTP/1.1 200 OK');
|
|
|
|
echo json_encode( (object) array('status'=>'active') );
|
|
|
|
break;
|
|
|
|
|
|
|
|
case '/checksaltedkey/' :
|
|
|
|
if($vars['REQUEST_METHOD'] == "GET")
|
|
|
|
{
|
|
|
|
if(isset($_GET['key']))
|
|
|
|
{
|
|
|
|
header('HTTP/1.1 200 OK');
|
|
|
|
echo json_encode( (object) array(
|
|
|
|
'valid'=>is_valid_api_key2($_GET['key']),
|
|
|
|
'ip'=>get_client_ip() ));
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
header('HTTP/1.1 403 Forbidden');
|
|
|
|
echo json_encode( (object) array('error'=>'Please provide a valid key') );
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
header('HTTP/1.1 405 Method Not Allowed');
|
|
|
|
echo json_encode( (object) array('error'=>'/checksaltedkey/ requires GET method') );
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case '/users/' :
|
|
|
|
if($vars['REQUEST_METHOD'] == "GET")
|
|
|
|
{
|
|
|
|
if(isset($_GET['key']) && is_valid_api_key($_GET['key']))
|
|
|
|
{
|
|
|
|
$dbhost = 'localhost';
|
|
|
|
$dbuser = 'root';
|
|
|
|
$dbpass = '';
|
|
|
|
$dbname = 'apib3';
|
|
|
|
//si je préfixe avec @je n'aurais pas le message d'erreur.
|
|
|
|
@ $mysqli = new mysqli($dbhost, $dbuser, $dbpass, $dbname);
|
|
|
|
$sql = "SELECT COUNT(*) AS nbusers FROM `user`";
|
|
|
|
$result = $mysqli->query($sql);
|
|
|
|
if ($result->num_rows > 0) {
|
|
|
|
$row = $result->fetch_array(MYSQLI_ASSOC);
|
|
|
|
header('HTTP/1.1 200 OK');
|
|
|
|
echo json_encode( (object) array('users'=>$row['nbusers']));
|
|
|
|
$result->free_result();
|
|
|
|
$mysqli->close();
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
header('HTTP/1.1 403 Forbidden');
|
|
|
|
echo json_encode( (object) array('error'=>'Please provide a valid key') );
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
header('HTTP/1.1 405 Method Not Allowed');
|
|
|
|
echo json_encode( (object) array('error'=>'/users/ requires GET method') );
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case "/key/" :
|
|
|
|
case "/key" :
|
|
|
|
if($vars['REQUEST_METHOD'] == "POST")
|
|
|
|
{
|
|
|
|
if(!empty($_POST['user']) && !empty($_POST['password']))
|
|
|
|
{
|
|
|
|
$uid = null;
|
|
|
|
$user = $_POST['user'];
|
|
|
|
$password = md5($_POST['password'].AUTH_KEY);
|
|
|
|
$response = array('user'=>$user,'md5'=>$password);
|
|
|
|
|
|
|
|
//essayer de se connecter à ùysql (nb sur un xampp/wammp souvent l'utilisateur root avec mot de passe vide)
|
|
|
|
//https://www.tutorialspoint.com/mysqli/mysqli_connection.htm
|
|
|
|
// na pas oublier de convertir les → en ->
|
|
|
|
$dbhost = 'localhost';
|
|
|
|
$dbuser = 'root';
|
|
|
|
$dbpass = '';
|
|
|
|
$dbname = 'apib3';
|
|
|
|
//si je préfixe avec @je n'aurais pas le message d'erreur.
|
|
|
|
@ $mysqli = new mysqli($dbhost, $dbuser, $dbpass, $dbname);
|
|
|
|
|
|
|
|
if($mysqli->connect_errno ) {
|
|
|
|
header('HTTP/1.1 500 Internal Server Error');
|
|
|
|
echo json_encode( (object) array('error'=>"Connect failed: ".$mysqli->connect_error ));
|
|
|
|
exit();
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
$response['connection'] = 'successful';
|
|
|
|
// vérifier si l'utilisateur existe
|
|
|
|
$sql = "SELECT * FROM `user` WHERE `user` LIKE '".$user."' AND `password` ='".$password."'";
|
|
|
|
$result = $mysqli->query($sql);
|
|
|
|
if ($result->num_rows > 0) {
|
|
|
|
$row = $result->fetch_array(MYSQLI_ASSOC);
|
|
|
|
$response['uid'] = $row['id'];
|
|
|
|
$result->free_result();
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
$sql ="INSERT INTO `user` VALUES (NULL,'".$user."','".$password."')";
|
|
|
|
$result = $mysqli->query($sql);
|
|
|
|
if($mysqli->connect_errno ) {
|
|
|
|
header('HTTP/1.1 500 Internal Server Error');
|
|
|
|
echo json_encode( (object) array('error'=>"Insert failed: ".$mysqli->connect_error ));
|
|
|
|
exit();
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
$uid = $mysqli->insert_id;
|
|
|
|
$response['insert'] = 'successful user id is '.$uid;
|
|
|
|
$response['uid'] = $uid;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
$apikey = md5(array_rand($keyring).$response['uid'].microtime(true));
|
|
|
|
$sql ="INSERT INTO `apikey` VALUES ('".$response['uid']."','".$apikey."')";
|
|
|
|
$result = $mysqli->query($sql);
|
|
|
|
$response = array('key'=>$apikey);
|
|
|
|
}
|
|
|
|
$mysqli->close();
|
|
|
|
header('HTTP/1.1 200 OK');
|
|
|
|
echo json_encode( (object) $response );
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
header('HTTP/1.1 403 Forbidden');
|
|
|
|
echo json_encode( (object) array('error'=>'PLease provide a valid user and matching password') );
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
header('HTTP/1.1 405 Method Not Allowed');
|
|
|
|
echo json_encode( (object) array('error'=>'/key/ requires POST method') );
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
default :
|
|
|
|
// header('HTTP/1.1 404 Not Found');
|
|
|
|
header('HTTP/1.1 501 Not Implemented');
|
|
|
|
echo json_encode( (object) array('error'=>'This path has not been implemented') );
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|