
  1. <?php
  2. /**
  3. * Library for managing user tokens
  4. */
  5. /**
  6. * Obtain a token for a user.
  7. *
  8. * @param string $username The username
  9. * @param int $expire Minutes until token expires (default is 60 minutes)
  10. *
  11. * @return bool
  12. */
  13. function create_user_token($username, $expire = 60) {
  14. global $CONFIG;
  15. $site_guid = $CONFIG->site_id;
  16. $user = get_user_by_username($username);
  17. $time = time();
  18. $time += 60 * $expire;
  19. $token = md5(rand() . microtime() . $username . $time . $site_guid);
  20. if (!$user) {
  21. return false;
  22. }
  23. if (insert_data("INSERT into {$CONFIG->dbprefix}users_apisessions
  24. (user_guid, site_guid, token, expires) values
  25. ({$user->guid}, $site_guid, '$token', '$time')
  26. on duplicate key update token='$token', expires='$time'")) {
  27. return $token;
  28. }
  29. return false;
  30. }
  31. /**
  32. * Get all tokens attached to a user
  33. *
  34. * @param int $user_guid The user GUID
  35. * @param int $site_guid The ID of the site (default is current site)
  36. *
  37. * @return false if none available or array of stdClass objects
  38. * (see users_apisessions schema for available variables in objects)
  39. * @since 1.7.0
  40. */
  41. function get_user_tokens($user_guid, $site_guid) {
  42. global $CONFIG;
  43. if (!isset($site_guid)) {
  44. $site_guid = $CONFIG->site_id;
  45. }
  46. $site_guid = (int)$site_guid;
  47. $user_guid = (int)$user_guid;
  48. $tokens = get_data("SELECT * from {$CONFIG->dbprefix}users_apisessions
  49. where user_guid=$user_guid and site_guid=$site_guid");
  50. return $tokens;
  51. }
  52. /**
  53. * Validate a token against a given site.
  54. *
  55. * A token registered with one site can not be used from a
  56. * different apikey(site), so be aware of this during development.
  57. *
  58. * @param string $token The Token.
  59. * @param int $site_guid The ID of the site (default is current site)
  60. *
  61. * @return mixed The user id attached to the token if not expired or false.
  62. */
  63. function validate_user_token($token, $site_guid) {
  64. global $CONFIG;
  65. if (!isset($site_guid)) {
  66. $site_guid = $CONFIG->site_id;
  67. }
  68. $site_guid = (int)$site_guid;
  69. $token = sanitise_string($token);
  70. $time = time();
  71. $user = get_data_row("SELECT * from {$CONFIG->dbprefix}users_apisessions
  72. where token='$token' and site_guid=$site_guid and $time < expires");
  73. if ($user) {
  74. return $user->user_guid;
  75. }
  76. return false;
  77. }
  78. /**
  79. * Remove user token
  80. *
  81. * @param string $token The toekn
  82. * @param int $site_guid The ID of the site (default is current site)
  83. *
  84. * @return bool
  85. * @since 1.7.0
  86. */
  87. function remove_user_token($token, $site_guid) {
  88. global $CONFIG;
  89. if (!isset($site_guid)) {
  90. $site_guid = $CONFIG->site_id;
  91. }
  92. $site_guid = (int)$site_guid;
  93. $token = sanitise_string($token);
  94. return delete_data("DELETE from {$CONFIG->dbprefix}users_apisessions
  95. where site_guid=$site_guid and token='$token'");
  96. }
  97. /**
  98. * Remove expired tokens
  99. *
  100. * @return bool
  101. * @since 1.7.0
  102. */
  103. function remove_expired_user_tokens() {
  104. global $CONFIG;
  105. $site_guid = $CONFIG->site_id;
  106. $time = time();
  107. return delete_data("DELETE from {$CONFIG->dbprefix}users_apisessions
  108. where site_guid=$site_guid and expires < $time");
  109. }
  110. /**
  111. * The auth.gettoken API.
  112. * This API call lets a user log in, returning an authentication token which can be used
  113. * to authenticate a user for a period of time. It is passed in future calls as the parameter
  114. * auth_token.
  115. *
  116. * @param string $username Username
  117. * @param string $password Clear text password
  118. *
  119. * @return string Token string or exception
  120. * @throws SecurityException
  121. * @access private
  122. */
  123. function auth_gettoken($username, $password) {
  124. // check if username is an email address
  125. if (is_email_address($username)) {
  126. $users = get_user_by_email($username);
  127. // check if we have a unique user
  128. if (is_array($users) && (count($users) == 1)) {
  129. $username = $users[0]->username;
  130. }
  131. }
  132. // validate username and password
  133. if (true === elgg_authenticate($username, $password)) {
  134. $token = create_user_token($username);
  135. if ($token) {
  136. return $token;
  137. }
  138. }
  139. throw new SecurityException(elgg_echo('SecurityException:authenticationfailed'));
  140. }