Removed old API Key from Settings; api.php now uses api_keys, and a key is no longer generated upon setup. Also auto-generate an API key upon creation.

johnnyq 2022-02-04 15:59:51 -05:00
parent b58696f079
commit b1d09e6b56
7 changed files with 8 additions and 53 deletions


@ -13,8 +13,8 @@ if(!isset($_GET['api_key']) OR empty($_GET['api_key'])) {
}
// Validate API key from GET request
$config_api_key = mysqli_real_escape_string($mysqli,$_GET['api_key']);
$sql = mysqli_query($mysqli,"SELECT * FROM settings, companies WHERE settings.company_id = companies.company_id AND settings.config_api_key = '$config_api_key'");
$api_key = mysqli_real_escape_string($mysqli,$_GET['api_key']);
$sql = mysqli_query($mysqli,"SELECT * FROM api_keys, companies WHERE api_keys.company_id = companies.company_id AND api_keys.api_key_secret = '$api_key'");
if(mysqli_num_rows($sql) != 1){
// Invalid Key
header("HTTP/1.1 401 Unauthorized");
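Review bot: The new lookup at `api_keys.api_key_secret = '$api_key'` never consults api_key_expire, so a key whose expiration date has passed (the date this commit's form collects and post.php stores on insert) still authenticates. Add the expiry to the WHERE clause, e.g. `AND (api_keys.api_key_expire IS NULL OR api_keys.api_key_expire = '' OR api_keys.api_key_expire > NOW())`, adjusted to the column's actual type, which this page does not show. The secret is also stored and compared as a plaintext column value; storing a hash and comparing with `hash_equals()` in PHP would limit the damage from a database read. The enclosing validation block continues outside the hunk.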


@ -22,19 +22,6 @@
</div>
</div>
<div class="form-group">
<label>Secret <strong class="text-danger">*</strong></label>
<div class="input-group">
<div class="input-group-prepend">
<span class="input-group-text"><i class="fa fa-fw fa-lock"></i></span>
</div>
<input type="password" class="form-control" data-toggle="password" name="secret" placeholder="Enter a Secret" autocomplete="new-password" value="<?php echo $api_key_secret; ?>" required>
<div class="input-group-append">
<span class="input-group-text"><i class="fa fa-fw fa-eye"></i></span>
</div>
</div>
</div>
<div class="form-group">
<label>Expiration Date</label>
<div class="input-group">

db.sql

@ -1040,7 +1040,6 @@ DROP TABLE IF EXISTS `settings`;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `settings` (
`company_id` int(11) NOT NULL,
`config_api_key` varchar(200) DEFAULT NULL,
`config_aes_key` varchar(250) DEFAULT NULL,
`config_base_url` varchar(200) DEFAULT NULL,
`config_smtp_host` varchar(200) DEFAULT NULL,
@ -1368,4 +1367,4 @@ CREATE TABLE `vendors` (
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
-- Dump completed on 2022-02-03 19:11:34
-- Dump completed on 2022-02-04 15:58:24


@ -5,7 +5,6 @@ $sql_settings = mysqli_query($mysqli,"SELECT * FROM settings WHERE company_id =
$row = mysqli_fetch_array($sql_settings);
//General
$config_api_key = $row['config_api_key'];
$config_aes_key = $row['config_aes_key']; //Legacy
$config_base_url = $row['config_base_url'];


@ -402,8 +402,9 @@ if(isset($_GET['delete_user'])){
if(isset($_POST['add_api_key'])){
$name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
$secret = trim(mysqli_real_escape_string($mysqli,$_POST['secret']));
$expire = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['expire'])));
// Gen a Key
$secret = keygen();
mysqli_query($mysqli,"INSERT INTO api_keys SET api_key_name = '$name', api_key_secret = '$secret', api_key_expire = '$expire', api_key_created_at = NOW(), company_id = $session_company_id");
@ -422,10 +423,9 @@ if(isset($_POST['edit_api_key'])){
$api_key_id = intval($_POST['api_key_id']);
$name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
$secret = trim(mysqli_real_escape_string($mysqli,$_POST['secret']));
$expire = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['expire'])));
mysqli_query($mysqli,"UPDATE api_keys SET api_key_name = '$name', api_key_secret = '$secret', api_key_expire = '$expire', api_key_updated_at = NOW() WHERE api_key_id = $api_key_id AND company_id = $session_company_id");
mysqli_query($mysqli,"UPDATE api_keys SET api_key_name = '$name', api_key_expire = '$expire', api_key_updated_at = NOW() WHERE api_key_id = $api_key_id AND company_id = $session_company_id");
// Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'API Key', log_action = 'Modify', log_description = '$session_name modified API Key $name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_user_id = $session_user_id, company_id = $session_company_id");
@ -737,25 +737,9 @@ if(isset($_POST['verify'])){
if(isset($_POST['edit_general_settings'])){
$config_api_key = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['config_api_key'])));
//$old_aes_key = $config_aes_key;
//$config_aes_key = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['config_aes_key'])));
$config_base_url = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['config_base_url'])));
mysqli_query($mysqli,"UPDATE settings SET config_api_key = '$config_api_key', config_base_url = '$config_base_url' WHERE company_id = $session_company_id");
// //Update AES key on client_logins if changed
// if($old_aes_key != $config_aes_key){
// $sql = mysqli_query($mysqli,"SELECT login_id, AES_DECRYPT(login_password, '$old_aes_key') AS old_login_password FROM logins
// WHERE company_id = $session_company_id");
//
// while($row = mysqli_fetch_array($sql)){
// $login_id = $row['login_id'];
// $old_login_password = $row['old_login_password'];
//
// mysqli_query($mysqli,"UPDATE logins SET login_password = AES_ENCRYPT('$old_login_password','$config_aes_key') WHERE login_id = $login_id");
// }
// }
mysqli_query($mysqli,"UPDATE settings SET config_base_url = '$config_base_url' WHERE company_id = $session_company_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Settings', log_action = 'Modify', log_description = '$session_name modified general settings', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_user_id = $session_user_id, company_id = $session_company_id");
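Review bot: In the add_api_key hunk the value from `$secret = keygen();` is inserted into api_keys in plaintext on the following line and is later matched by string equality in api.php, so anyone who can read the table holds every valid key; consider storing `hash('sha256', $secret)` and showing the raw secret to the user once at creation. keygen() is defined outside this hunk — confirm it draws from random_bytes()/random_int() rather than rand()/mt_rand(), since this value is now the only API credential. The edit_api_key hunk drops secret updates entirely, so there appears to be no way to rotate a key short of deleting it (the delete handler is not in view). Each handler's closing lines are outside the hunk.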


@ -9,19 +9,6 @@
<div class="card-body">
<form action="post.php" method="post" autocomplete="off">
<div class="form-group">
<label>API Key</label>
<div class="input-group">
<div class="input-group-prepend">
<span class="input-group-text"><i class="fa fa-fw fa-key"></i></span>
</div>
<input type="password" class="form-control" data-toggle="password" name="config_api_key" placeholder="No spaces only numbers and letters" value="<?php echo $config_api_key; ?>">
<div class="input-group-append">
<span class="input-group-text"><i class="fa fa-fw fa-eye"></i></span>
</div>
</div>
</div>
<div class="form-group">
<label>Base URL</label>
<div class="input-group">


@ -485,7 +485,6 @@ if(isset($_POST['add_company_settings'])){
$company_id = mysqli_insert_id($mysqli);
$config_base_url = $_SERVER['HTTP_HOST'] . dirname($_SERVER['REQUEST_URI']);
$config_api_key = keygen();
mkdir_missing("uploads/clients/$company_id");
file_put_contents("uploads/clients/$company_id/index.php", "");
@ -541,7 +540,7 @@ if(isset($_POST['add_company_settings'])){
//Set User Company Permissions
mysqli_query($mysqli,"INSERT INTO user_companies SET user_id = $user_id, company_id = $company_id");
mysqli_query($mysqli,"INSERT INTO settings SET company_id = $company_id, config_invoice_prefix = 'INV-', config_invoice_next_number = 1, config_recurring_prefix = 'REC-', config_recurring_next_number = 1, config_invoice_overdue_reminders = '1,3,7', config_quote_prefix = 'QUO-', config_quote_next_number = 1, config_api_key = '$config_api_key', config_recurring_auto_send_invoice = 1, config_default_net_terms = 7, config_send_invoice_reminders = 1, config_enable_cron = 0, config_ticket_next_number = 1, config_base_url = '$config_base_url'");
mysqli_query($mysqli,"INSERT INTO settings SET company_id = $company_id, config_invoice_prefix = 'INV-', config_invoice_next_number = 1, config_recurring_prefix = 'REC-', config_recurring_next_number = 1, config_invoice_overdue_reminders = '1,3,7', config_quote_prefix = 'QUO-', config_quote_next_number = 1, config_recurring_auto_send_invoice = 1, config_default_net_terms = 7, config_send_invoice_reminders = 1, config_enable_cron = 0, config_ticket_next_number = 1, config_base_url = '$config_base_url'");
//Create Some Data