From 43144ca91ba43d0e387d26636b9e74ddfe4ba1b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=80=9CVeLiTi=E2=80=9D?= <“info@veliti.nl”>
Date: Tue, 15 Oct 2024 13:28:53 +0200
Subject: [PATCH] API security update
---
 api/v0/authorization.php | 4 ++--
 api/v1/authorization.php | 17 +++++++++++++++++
 api/v2/authorization.php | 17 +++++++++++++++++
 3 files changed, 36 insertions(+), 2 deletions(-)
diff --git a/api/v0/authorization.php b/api/v0/authorization.php
index 2eb2a17..89cf78e 100644
--- a/api/v0/authorization.php
+++ b/api/v0/authorization.php
@@ -34,14 +34,14 @@ if (!empty($username) && !empty($password)) {
 http_response_code(401);
 } else {
- $service = $row['service'];
+ $service = bin2hex(random_bytes(25)); //$row['service'];
 $jwt = createCommunicationToken($service);
 $logindate = date('Y-m-d H:i:s');
 $id = $row['id'];
- $sql1 = "UPDATE users SET lastlogin = '$logindate' WHERE id='$id'";
+ $sql1 = "UPDATE users SET lastlogin = '$logindate', service = '$service' WHERE id='$id'";
 $conn->query($sql1);
 echo json_encode(array('token' => $jwt));
diff --git a/api/v1/authorization.php b/api/v1/authorization.php
index 1dceb35..c273a4b 100644
--- a/api/v1/authorization.php
+++ b/api/v1/authorization.php
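Review bot: The rewritten `$sql1` still builds the UPDATE by string interpolation and the result of `$conn->query($sql1)` is ignored, so if that write fails the client has already been handed a JWT minted from a `$service` value the database never stored (the token is created on the line above the UPDATE). The interpolated values are server-generated (`date()`, `random_bytes()`, `$row['id']` from the lookup), so this is not a direct injection path, but it is inconsistent with the prepared statements v1 and v2 use in the same commit and fragile if the column list grows again. At minimum check the write before issuing the token, e.g. `if ($conn->query($sql1) === false) { http_response_code(500); exit; }` — the exact failure signal depends on whether `$conn` is mysqli or PDO and on its error mode, which is outside the hunk. The commented-out `//$row['service'];` left on the assignment should be dropped. The enclosing `if (!empty($username) && !empty($password))` block starts and ends outside the hunk.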
@@ -47,6 +47,23 @@ if ($stmt->rowCount() == 1) {
 } else {
 //STANDARD LOGIN
 if (password_verify($password, $user_data['password'])) {
+
+ //REFRESH USERKEY
+ if ($user_data['userkey'] != ''){
+ $user_data['userkey'] = bin2hex(random_bytes(25));
+ $sql_userkey = 'UPDATE users SET userkey = ? WHERE id = ?';
+ $stmt_userkey = $pdo->prepare($sql_userkey);
+ $stmt_userkey->execute([$user_data['userkey'], $user_data['id']]);
+ }
+
+ //REFRESH USERKEY
+ if ($user_data['service'] != ''){
+ $user_data['service'] = bin2hex(random_bytes(25));
+ $sql_service = 'UPDATE users SET service = ? WHERE id = ?';
+ $stmt_service = $pdo->prepare($sql_service);
+ $stmt_service->execute([$user_data['service'], $user_data['id']]);
+ }
+
 $token = createCommunicationToken($user_data['service']);
 $user = array(
diff --git a/api/v2/authorization.php b/api/v2/authorization.php
index a510e45..d10db82 100644
--- a/api/v2/authorization.php
+++ b/api/v2/authorization.php
@@ -48,6 +48,23 @@ if ($stmt->rowCount() == 1) {
 } else {
 //STANDARD LOGIN
 if (password_verify($password, $user_data['password'])) {
+
+ //REFRESH USERKEY
+ if ($user_data['userkey'] != ''){
+ $user_data['userkey'] = bin2hex(random_bytes(25));
+ $sql_userkey = 'UPDATE users SET userkey = ? WHERE id = ?';
+ $stmt_userkey = $pdo->prepare($sql_userkey);
+ $stmt_userkey->execute([$user_data['userkey'], $user_data['id']]);
+ }
+
+ //REFRESH USERKEY
+ if ($user_data['service'] != ''){
+ $user_data['service'] = bin2hex(random_bytes(25));
+ $sql_service = 'UPDATE users SET service = ? WHERE id = ?';
+ $stmt_service = $pdo->prepare($sql_service);
+ $stmt_service->execute([$user_data['service'], $user_data['id']]);
+ }
+
 $token = createCommunicationToken($user_data['userkey']);
 //RETURN JWT AND CLIENTSECRET
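Review bot: Neither `$stmt_userkey->execute(...)` nor `$stmt_service->execute(...)` in the v1 hunk has its return value checked, so unless `$pdo` is in exception mode (not visible here) a failed UPDATE leaves `$user_data['service']` rotated in memory only, and the JWT minted from it on the following context line refers to a secret the database never stored. Guard each write, e.g. `if (!$stmt_service->execute([$user_data['service'], $user_data['id']])) { http_response_code(500); exit; }`, or issue both rotations in one `UPDATE users SET userkey = ?, service = ? WHERE id = ?` so a user cannot end up with one column rotated and the other not. The `!= ''` guards are loose comparisons: a NULL column also fails them, so rows whose `userkey`/`service` is NULL are never assigned a secret — confirm that is intended and use `!== ''` if the distinction matters. The second block's comment is a copy-paste and should read `//REFRESH SERVICE`, and a note such as `// Rotating these secrets on every login invalidates tokens issued by earlier logins` would document the session impact, assuming token validation is bound to these columns. The surrounding `if ($stmt->rowCount() == 1) ... else` block begins before the hunk and continues after it.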
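Review bot: The v2 hunk mints its token from `$user_data['userkey']` (last context line before the comment) while v1 mints from `$user_data['service']`, yet both endpoints now rotate both columns on every login, so — if token validation is bound to those columns, which is outside the hunk — a login through either version invalidates outstanding tokens from the other and from every other active session of that user; this should either be documented at the top of the rotation block or the rotation limited to the column each version actually issues from. The rotation code is duplicated verbatim between api/v1 and api/v2; moving it into one shared helper (say `rotateUserSecrets(PDO $pdo, array &$user_data): void`) would keep the two copies from drifting. As in v1, the `execute()` results are unchecked and the two UPDATEs are not atomic; wrapping them in `$pdo->beginTransaction()` / `commit()` and checking each `execute()` return, or collapsing them into a single parameterised UPDATE, removes the half-rotated state. The `!= ''` guards should be `!== ''`. The enclosing else-branch starts and ends outside the hunk.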