AS1024
/
itflow
mirror of https://github.com/itflow-org/itflow
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

WIP: Allow decrypting logins/credentials via the API

This commit is contained in:
wrongecho 2024-08-22 17:46:58 +01:00
parent 63feff03d2
commit 0c60ecc329
6 changed files with 43 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
api/v1/credentials/read.php
View File

@ -4,17 +4,49 @@ require_once '../validate_api_key.php';
require_once '../require_get_method.php'; require_once '../require_get_method.php';
// Default
$sql = false;
// Specific credential/login via ID (single) // Specific credential/login via ID (single)
if (isset($_GET['login_id'])) { if (isset($_GET['login_id']) && isset($_GET['api_key_decrypt_password'])) {
$id = intval($_GET['login_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM logins WHERE login_id = '$id' AND login_client_id LIKE '$client_id'");
} else { $id = intval($_GET['login_id']);
$password = sanitizeInput($_GET['api_key_decrypt_password']);
$sql = mysqli_query($mysqli, "SELECT * FROM logins WHERE login_id = '$id' AND login_client_id LIKE '$client_id' LIMIT 1");
} elseif (isset($_GET['api_key_decrypt_password'])) {
// All credentials ("logins") // All credentials ("logins")
$sql = mysqli_query($mysqli, "SELECT * FROM logins WHERE login_client_id LIKE '$client_id' ORDER BY login_id LIMIT $limit OFFSET $offset"); $sql = mysqli_query($mysqli, "SELECT * FROM logins WHERE login_client_id LIKE '$client_id' ORDER BY login_id LIMIT $limit OFFSET $offset");
} }
// Output // Output - Not using the standard API read_output.php
require_once "../read_output.php"; // Usually we just output what is in the database, but credentials need to be decrypted first.
if ($sql && mysqli_num_rows($sql) > 0) {
$return_arr['success'] = "True";
$return_arr['count'] = mysqli_num_rows($sql);
$row = array();
while ($row = mysqli_fetch_array($sql)) {
//$row['login_username'] = //decrypt
$return_arr['data'][] = $row;
}
echo json_encode($return_arr);
exit();
}
else {
$return_arr['success'] = "False";
$return_arr['message'] = "No resource (for this client and company) with the specified parameter(s).";
// Log any database/schema related errors to the PHP Error log
if (mysqli_error($mysqli)) {
error_log("API Database Error: " . mysqli_error($mysqli));
}
echo json_encode($return_arr);
exit();
}

2
database_updates.php
View File

@ -2126,7 +2126,7 @@ if (LATEST_DATABASE_VERSION > CURRENT_DATABASE_VERSION) {
} }
if (CURRENT_DATABASE_VERSION == '1.4.4') { if (CURRENT_DATABASE_VERSION == '1.4.4') {
mysqli_query($mysqli, "ALTER TABLE `api_keys` ADD `api_key_credential_decryption_password` VARCHAR(200) NOT NULL AFTER `api_key_secret`"); mysqli_query($mysqli, "ALTER TABLE `api_keys` ADD `api_key_decrypt_hash` VARCHAR(200) NOT NULL AFTER `api_key_secret`");
mysqli_query($mysqli, "UPDATE `settings` SET `config_current_database_version` = '1.4.5'"); mysqli_query($mysqli, "UPDATE `settings` SET `config_current_database_version` = '1.4.5'");
} }

2
database_version.php
View File

@ -5,4 +5,4 @@
* It is used in conjunction with database_updates.php * It is used in conjunction with database_updates.php
*/ */
DEFINE("LATEST_DATABASE_VERSION", "1.4.4"); DEFINE("LATEST_DATABASE_VERSION", "1.4.5");

2
db.sql
View File

@ -66,7 +66,7 @@ CREATE TABLE `api_keys` (
`api_key_id` int(11) NOT NULL AUTO_INCREMENT, `api_key_id` int(11) NOT NULL AUTO_INCREMENT,
`api_key_name` varchar(255) NOT NULL, `api_key_name` varchar(255) NOT NULL,
`api_key_secret` varchar(255) NOT NULL, `api_key_secret` varchar(255) NOT NULL,
`api_key_credential_decryption_password` varchar(255) NULL, `api_key_decrypt_hash` varchar(255) NULL,
`api_key_created_at` datetime NOT NULL DEFAULT current_timestamp(), `api_key_created_at` datetime NOT NULL DEFAULT current_timestamp(),
`api_key_expire` date NOT NULL, `api_key_expire` date NOT NULL,
`api_key_client_id` int(11) NOT NULL DEFAULT 0, `api_key_client_id` int(11) NOT NULL DEFAULT 0,

2
functions.php
View File

@ -297,7 +297,7 @@ function encryptUserSpecificKey($user_password)
return $salt . $iv . $ciphertext; return $salt . $iv . $ciphertext;
} }
// Given a ciphertext (incl. IV) and the user's password, returns the site master key // Given a ciphertext (incl. IV) and the user's (or API key) password, returns the site master key
// Ran at login, to facilitate generateUserSessionKey // Ran at login, to facilitate generateUserSessionKey
function decryptUserSpecificKey($user_encryption_ciphertext, $user_password) function decryptUserSpecificKey($user_encryption_ciphertext, $user_password)
{ {

2
post/api.php
View File

@ -20,7 +20,7 @@ if (isset($_POST['add_api_key'])) {
$password = password_hash(trim($_POST['password']), PASSWORD_DEFAULT); $password = password_hash(trim($_POST['password']), PASSWORD_DEFAULT);
$apikey_specific_encryption_ciphertext = encryptUserSpecificKey(trim($_POST['password'])); $apikey_specific_encryption_ciphertext = encryptUserSpecificKey(trim($_POST['password']));
mysqli_query($mysqli,"INSERT INTO api_keys SET api_key_name = '$name', api_key_secret = '$secret', api_key_expire = '$expire', api_key_client_id = $client"); mysqli_query($mysqli,"INSERT INTO api_keys SET api_key_name = '$name', api_key_secret = '$secret', api_key_decrypt_hash = '$apikey_specific_encryption_ciphertext', api_key_expire = '$expire', api_key_client_id = $client");
$api_key_id = mysqli_insert_id($mysqli); $api_key_id = mysqli_insert_id($mysqli);