mirror of https://github.com/itflow-org/itflow
WIP: Allow decrypting logins/credentials via the API
This commit is contained in:
wrongecho
parent
63feff03d2
commit
0c60ecc329
|
|
@ -4,17 +4,49 @@ require_once '../validate_api_key.php';
|
|||
|
||||
require_once '../require_get_method.php';
|
||||
|
||||
// Default
|
||||
$sql = false;
|
||||
|
||||
// Specific credential/login via ID (single)
|
||||
if (isset($_GET['login_id'])) {
|
||||
$id = intval($_GET['login_id']);
|
||||
$sql = mysqli_query($mysqli, "SELECT * FROM logins WHERE login_id = '$id' AND login_client_id LIKE '$client_id'");
|
||||
if (isset($_GET['login_id']) && isset($_GET['api_key_decrypt_password'])) {
|
||||
|
||||
} else {
|
||||
$id = intval($_GET['login_id']);
|
||||
$password = sanitizeInput($_GET['api_key_decrypt_password']);
|
||||
|
||||
$sql = mysqli_query($mysqli, "SELECT * FROM logins WHERE login_id = '$id' AND login_client_id LIKE '$client_id' LIMIT 1");
|
||||
|
||||
|
||||
} elseif (isset($_GET['api_key_decrypt_password'])) {
|
||||
// All credentials ("logins")
|
||||
$sql = mysqli_query($mysqli, "SELECT * FROM logins WHERE login_client_id LIKE '$client_id' ORDER BY login_id LIMIT $limit OFFSET $offset");
|
||||
|
||||
}
|
||||
|
||||
// Output
|
||||
require_once "../read_output.php";
|
||||
// Output - Not using the standard API read_output.php
|
||||
// Usually we just output what is in the database, but credentials need to be decrypted first.
|
||||
|
||||
if ($sql && mysqli_num_rows($sql) > 0) {
|
||||
$return_arr['success'] = "True";
|
||||
$return_arr['count'] = mysqli_num_rows($sql);
|
||||
|
||||
$row = array();
|
||||
while ($row = mysqli_fetch_array($sql)) {
|
||||
//$row['login_username'] = //decrypt
|
||||
$return_arr['data'][] = $row;
|
||||
}
|
||||
|
||||
echo json_encode($return_arr);
|
||||
exit();
|
||||
}
|
||||
else {
|
||||
$return_arr['success'] = "False";
|
||||
$return_arr['message'] = "No resource (for this client and company) with the specified parameter(s).";
|
||||
|
||||
// Log any database/schema related errors to the PHP Error log
|
||||
if (mysqli_error($mysqli)) {
|
||||
error_log("API Database Error: " . mysqli_error($mysqli));
|
||||
}
|
||||
|
||||
echo json_encode($return_arr);
|
||||
exit();
|
||||
}
|
||||
|
|
@ -2126,7 +2126,7 @@ if (LATEST_DATABASE_VERSION > CURRENT_DATABASE_VERSION) {
|
|||
}
|
||||
|
||||
if (CURRENT_DATABASE_VERSION == '1.4.4') {
|
||||
mysqli_query($mysqli, "ALTER TABLE `api_keys` ADD `api_key_credential_decryption_password` VARCHAR(200) NOT NULL AFTER `api_key_secret`");
|
||||
mysqli_query($mysqli, "ALTER TABLE `api_keys` ADD `api_key_decrypt_hash` VARCHAR(200) NOT NULL AFTER `api_key_secret`");
|
||||
|
||||
mysqli_query($mysqli, "UPDATE `settings` SET `config_current_database_version` = '1.4.5'");
|
||||
}
|
||||
|
|
|
|||
|
|
@ -5,4 +5,4 @@
|
|||
* It is used in conjunction with database_updates.php
|
||||
*/
|
||||
|
||||
DEFINE("LATEST_DATABASE_VERSION", "1.4.4");
|
||||
DEFINE("LATEST_DATABASE_VERSION", "1.4.5");
|
||||
|
|
|
|||
2
db.sql
2
db.sql
|
|
@ -66,7 +66,7 @@ CREATE TABLE `api_keys` (
|
|||
`api_key_id` int(11) NOT NULL AUTO_INCREMENT,
|
||||
`api_key_name` varchar(255) NOT NULL,
|
||||
`api_key_secret` varchar(255) NOT NULL,
|
||||
`api_key_credential_decryption_password` varchar(255) NULL,
|
||||
`api_key_decrypt_hash` varchar(255) NULL,
|
||||
`api_key_created_at` datetime NOT NULL DEFAULT current_timestamp(),
|
||||
`api_key_expire` date NOT NULL,
|
||||
`api_key_client_id` int(11) NOT NULL DEFAULT 0,
|
||||
|
|
|
|||
|
|
@ -297,7 +297,7 @@ function encryptUserSpecificKey($user_password)
|
|||
return $salt . $iv . $ciphertext;
|
||||
}
|
||||
|
||||
// Given a ciphertext (incl. IV) and the user's password, returns the site master key
|
||||
// Given a ciphertext (incl. IV) and the user's (or API key) password, returns the site master key
|
||||
// Ran at login, to facilitate generateUserSessionKey
|
||||
function decryptUserSpecificKey($user_encryption_ciphertext, $user_password)
|
||||
{
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@ if (isset($_POST['add_api_key'])) {
|
|||
$password = password_hash(trim($_POST['password']), PASSWORD_DEFAULT);
|
||||
$apikey_specific_encryption_ciphertext = encryptUserSpecificKey(trim($_POST['password']));
|
||||
|
||||
mysqli_query($mysqli,"INSERT INTO api_keys SET api_key_name = '$name', api_key_secret = '$secret', api_key_expire = '$expire', api_key_client_id = $client");
|
||||
mysqli_query($mysqli,"INSERT INTO api_keys SET api_key_name = '$name', api_key_secret = '$secret', api_key_decrypt_hash = '$apikey_specific_encryption_ciphertext', api_key_expire = '$expire', api_key_client_id = $client");
|
||||
|
||||
$api_key_id = mysqli_insert_id($mysqli);
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue