From b8e5d5844d2fa5672375fd798c0b9230eb42b1b5 Mon Sep 17 00:00:00 2001
From: johnnyq
Date: Fri, 4 Feb 2022 16:37:19 -0500
Subject: [PATCH] Updated new API Validation with api-keys table and added some additonal log fields
---
 api.php | 2 +-
 api/v1/validate_api_key.php | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/api.php b/api.php
index 1343ed34..f68ab40a 100644
--- a/api.php
+++ b/api.php
@@ -14,7 +14,7 @@ if(!isset($_GET['api_key']) OR empty($_GET['api_key'])) {
 // Validate API key from GET request
 $api_key = mysqli_real_escape_string($mysqli,$_GET['api_key']);
-$sql = mysqli_query($mysqli,"SELECT * FROM api_keys, companies WHERE api_keys.company_id = companies.company_id AND api_keys.api_key_secret = '$api_key' AND api_key_expire > NOW()");
+$sql = mysqli_query($mysqli,"SELECT * FROM api_keys, companies WHERE api_keys.company_id = companies.company_id AND api_key_secret = '$api_key' AND api_key_expire > NOW()");
 if(mysqli_num_rows($sql) != 1){
 // Invalid Key
 header("HTTP/1.1 401 Unauthorized");
diff --git a/api/v1/validate_api_key.php b/api/v1/validate_api_key.php
index 1eea0fb6..9f0c07e2 100644
--- a/api/v1/validate_api_key.php
+++ b/api/v1/validate_api_key.php
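Review bot: The `+` line in the api.php hunk still builds the lookup by interpolating the escaped `$api_key` into the SQL string; the only change is dropping the `api_keys.` qualifier on `api_key_secret`, so an unauthenticated request parameter continues to reach the query through string concatenation rather than a bound parameter. Since the table is now dedicated to secrets, this is a good moment to switch to a prepared statement: `$stmt = mysqli_prepare($mysqli, "SELECT * FROM api_keys, companies WHERE api_keys.company_id = companies.company_id AND api_key_secret = ? AND api_key_expire > NOW()");` `mysqli_stmt_bind_param($stmt, 's', $_GET['api_key']);` `mysqli_stmt_execute($stmt); $sql = mysqli_stmt_get_result($stmt);`. Separately, the secret arrives in the URL via `$_GET['api_key']` (visible in the hunk's context), which leaves it in web-server and proxy access logs and browser history; consider accepting it from a request header instead, or at least note this exposure in a comment such as `// NOTE: key is in the query string and will appear in access logs`. The following `mysqli_num_rows($sql) != 1` check also assumes the query succeeded; if `mysqli_query` returns false the key check errors rather than cleanly denying. The surrounding `if(!isset($_GET['api_key']) ...` handling starts before this hunk and the rejection branch continues after it.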
@@ -52,16 +52,16 @@ if(isset($_POST['api_key'])){
 if(isset($api_key)){
 $api_key = mysqli_real_escape_string($mysqli,$api_key);
- $sql = mysqli_query($mysqli,"SELECT * FROM settings, companies WHERE settings.company_id = companies.company_id AND settings.config_api_key = '$api_key'");
+ $sql = mysqli_query($mysqli,"SELECT * FROM api_keys, companies WHERE api_keys.company_id = companies.company_id AND api_key_secret = '$api_key' AND api_key_expire > NOW()");
 // Failed
 if(mysqli_num_rows($sql) != 1){
 // Invalid Key
 header("HTTP/1.1 401 Unauthorized");
- mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'API', log_action = 'Incorrect Key', log_description = 'Failed from $ip', log_created_at = NOW()");
+ mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'API', log_action = 'Failed', log_description = 'Incorrect or expired Key', log_ip = '$ip', log_user_agent = '$session_user_agent', log_created_at = NOW()");
 $return_arr['success'] = "False";
- $return_arr['message'] = "API Key authentication failure.";
+ $return_arr['message'] = "API Key authentication failure or expired.";
 header("HTTP/1.1 401 Unauthorized");
 echo json_encode($return_arr);
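Review bot: The new log INSERT interpolates `$ip` and `$session_user_agent` directly into the SQL string, and neither is escaped anywhere in this hunk; `$session_user_agent` is presumably derived from the client's User-Agent header, so unless it is sanitised where it is defined (outside this view) an unauthenticated caller can reach this statement simply by sending a bad key and control part of the query. Bind both values instead: `$stmt = mysqli_prepare($mysqli, "INSERT INTO logs SET log_type = 'API', log_action = 'Failed', log_description = 'Incorrect or expired Key', log_ip = ?, log_user_agent = ?, log_created_at = NOW()");` `mysqli_stmt_bind_param($stmt, 'ss', $ip, $session_user_agent);` `mysqli_stmt_execute($stmt);`. The key lookup on the first `+` line has the same string-building shape with the escaped `$api_key`, and would benefit from the same treatment. The enclosing `if(isset($api_key))` block opens at the top of this hunk and, together with the outer `$_POST` handling named in the hunk header, continues past its end.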