api_login.class.php 5.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139
  1. <?php
  2. /* Copyright (C) 2015 Jean-François Ferry <jfefe@aternatik.fr>
  3. * Copyright (C) 2016 Laurent Destailleur <eldy@users.sourceforge.net>
  4. *
  5. * This program is free software; you can redistribute it and/or modify
  6. * it under the terms of the GNU General Public License as published by
  7. * the Free Software Foundation; either version 3 of the License, or
  8. * (at your option) any later version.
  9. *
  10. * This program is distributed in the hope that it will be useful,
  11. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  12. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  13. * GNU General Public License for more details.
  14. *
  15. * You should have received a copy of the GNU General Public License
  16. * along with this program. If not, see <https://www.gnu.org/licenses/>.
  17. */
  18. use Luracast\Restler\RestException;
  19. require_once DOL_DOCUMENT_ROOT.'/user/class/user.class.php';
  20. /**
  21. * API that allows to log in with an user account.
  22. */
  23. class Login
  24. {
  25. /**
  26. * Constructor of the class
  27. */
  28. public function __construct()
  29. {
  30. global $db;
  31. $this->db = $db;
  32. }
  33. /**
  34. * Login
  35. *
  36. * Request the API token for a couple username / password.
  37. * Using method POST is recommanded for security reasons (method GET is often logged by default by web servers with parameters so with login and pass into server log file).
  38. * Both methods are provided for developer conveniance. Best is to not use at all the login API method and enter directly the "DOLAPIKEY" into field at the top right of page. Note: The API key (DOLAPIKEY) can be found/set on the user page.
  39. *
  40. * @param string $login User login
  41. * @param string $password User password
  42. * @param string $entity Entity (when multicompany module is used). '' means 1=first company.
  43. * @param int $reset Reset token (0=get current token, 1=ask a new token and canceled old token. This means access using current existing API token of user will fails: new token will be required for new access)
  44. * @return array Response status and user token
  45. *
  46. * @throws RestException 403
  47. * @throws RestException 500
  48. *
  49. * @url GET /
  50. * @url POST /
  51. */
  52. public function index($login, $password, $entity = '', $reset = 0)
  53. {
  54. global $conf, $dolibarr_main_authentication, $dolibarr_auto_user;
  55. // TODO Remove the API login. The token must be generated from backoffice only.
  56. // Authentication mode
  57. if (empty($dolibarr_main_authentication)) $dolibarr_main_authentication = 'dolibarr';
  58. // Authentication mode: forceuser
  59. if ($dolibarr_main_authentication == 'forceuser')
  60. {
  61. if (empty($dolibarr_auto_user)) $dolibarr_auto_user = 'auto';
  62. if ($dolibarr_auto_user != $login)
  63. {
  64. dol_syslog("Warning: your instance is set to use the automatic forced login '".$dolibarr_auto_user."' that is not the requested login. API usage is forbidden in this mode.");
  65. throw new RestException(403, "Your instance is set to use the automatic login '".$dolibarr_auto_user."' that is not the requested login. API usage is forbidden in this mode.");
  66. }
  67. }
  68. // Set authmode
  69. $authmode = explode(',', $dolibarr_main_authentication);
  70. if ($entity != '' && !is_numeric($entity))
  71. {
  72. throw new RestException(403, "Bad value for entity, must be the numeric ID of company.");
  73. }
  74. if ($entity == '') $entity = 1;
  75. include_once DOL_DOCUMENT_ROOT.'/core/lib/security2.lib.php';
  76. $login = checkLoginPassEntity($login, $password, $entity, $authmode, 'api');
  77. if (empty($login))
  78. {
  79. throw new RestException(403, 'Access denied');
  80. }
  81. $token = 'failedtogenerateorgettoken';
  82. $tmpuser = new User($this->db);
  83. $tmpuser->fetch(0, $login, 0, 0, $entity);
  84. if (empty($tmpuser->id))
  85. {
  86. throw new RestException(500, 'Failed to load user');
  87. }
  88. // Renew the hash
  89. if (empty($tmpuser->api_key) || $reset)
  90. {
  91. $tmpuser->getrights();
  92. if (empty($tmpuser->rights->user->self->creer))
  93. {
  94. throw new RestException(403, 'User need write permission on itself to reset its API token');
  95. }
  96. // Generate token for user
  97. $token = dol_hash($login.uniqid().$conf->global->MAIN_API_KEY, 1);
  98. // We store API token into database
  99. $sql = "UPDATE ".MAIN_DB_PREFIX."user";
  100. $sql .= " SET api_key = '".$this->db->escape($token)."'";
  101. $sql .= " WHERE login = '".$this->db->escape($login)."'";
  102. dol_syslog(get_class($this)."::login", LOG_DEBUG); // No log
  103. $result = $this->db->query($sql);
  104. if (!$result)
  105. {
  106. throw new RestException(500, 'Error when updating api_key for user :'.$this->db->lasterror());
  107. }
  108. } else {
  109. $token = $tmpuser->api_key;
  110. }
  111. //return token
  112. return array(
  113. 'success' => array(
  114. 'code' => 200,
  115. 'token' => $token,
  116. 'entity' => $tmpuser->entity,
  117. 'message' => 'Welcome '.$login.($reset ? ' - Token is new' : ' - This is your token (generated by a previous call). You can use it to make any REST API call, or enter it into the DOLAPIKEY field to use the Dolibarr API explorer.')
  118. )
  119. );
  120. }
  121. }