API security update

2024-10-15 13:28:53 +02:00
parent 4889402271
commit 43144ca91b
3 changed files with 36 additions and 2 deletions
--- a/api/v0/authorization.php
+++ b/api/v0/authorization.php
@@ -34,14 +34,14 @@ if (!empty($username) && !empty($password)) {
                    http_response_code(401);
                    }
                    else {
-                    $service = $row['service'];

+                    $service = bin2hex(random_bytes(25)); //$row['service'];
                    $jwt = createCommunicationToken($service);

                    $logindate = date('Y-m-d H:i:s');
                    $id = $row['id'];

-                    $sql1 = "UPDATE users SET lastlogin = '$logindate'  WHERE id='$id'";
+                    $sql1 = "UPDATE users SET lastlogin = '$logindate', service = '$service' WHERE id='$id'";
                    $conn->query($sql1);

                    echo json_encode(array('token' => $jwt));
--- a/api/v1/authorization.php
+++ b/api/v1/authorization.php
@@ -47,6 +47,23 @@ if ($stmt->rowCount() == 1) {

        } else { //STANDARD LOGIN
            if (password_verify($password, $user_data['password'])) { 
+
+                //REFRESH USERKEY
+                if ($user_data['userkey'] != ''){
+                    $user_data['userkey'] = bin2hex(random_bytes(25));
+                    $sql_userkey = 'UPDATE users SET userkey = ? WHERE id = ?';
+                    $stmt_userkey = $pdo->prepare($sql_userkey);
+                    $stmt_userkey->execute([$user_data['userkey'], $user_data['id']]);
+                }
+
+                //REFRESH USERKEY
+                if ($user_data['service'] != ''){
+                    $user_data['service'] = bin2hex(random_bytes(25));
+                    $sql_service = 'UPDATE users SET service = ? WHERE id = ?';
+                    $stmt_service = $pdo->prepare($sql_service);
+                    $stmt_service->execute([$user_data['service'], $user_data['id']]);
+                }
+
                $token = createCommunicationToken($user_data['service']);

                $user = array(
--- a/api/v2/authorization.php
+++ b/api/v2/authorization.php
@@ -48,6 +48,23 @@ if ($stmt->rowCount() == 1) {

        } else { //STANDARD LOGIN
            if (password_verify($password, $user_data['password'])) { 
+
+                //REFRESH USERKEY
+                if ($user_data['userkey'] != ''){
+                    $user_data['userkey'] = bin2hex(random_bytes(25));
+                    $sql_userkey = 'UPDATE users SET userkey = ? WHERE id = ?';
+                    $stmt_userkey = $pdo->prepare($sql_userkey);
+                    $stmt_userkey->execute([$user_data['userkey'], $user_data['id']]);
+                }
+
+                //REFRESH USERKEY
+                if ($user_data['service'] != ''){
+                    $user_data['service'] = bin2hex(random_bytes(25));
+                    $sql_service = 'UPDATE users SET service = ? WHERE id = ?';
+                    $stmt_service = $pdo->prepare($sql_service);
+                    $stmt_service->execute([$user_data['service'], $user_data['id']]);
+                }
+
                $token = createCommunicationToken($user_data['userkey']);

                //RETURN JWT AND CLIENTSECRET