217 lines
7.6 KiB
PHP
217 lines
7.6 KiB
PHP
<?php
|
|
define('secure_34563$52', true);
|
|
|
|
//------------------------------------------
|
|
// Get DATA from API
|
|
//------------------------------------------
|
|
$request = explode('/', trim($_SERVER['PATH_INFO'],'/'));
|
|
//$input = json_decode(file_get_contents('php://input'),true);
|
|
$post_data_curl = fopen('php://input', 'r');
|
|
$input = stream_get_contents($post_data_curl);
|
|
|
|
//------------------------------------------
|
|
// Include functions
|
|
//------------------------------------------
|
|
require_once './assets/functions.php';
|
|
include './settings/settings_redirector.php';
|
|
include './settings/config_redirector.php';
|
|
|
|
//------------------------------------------
|
|
// Header security - enabled via config
|
|
//------------------------------------------
|
|
if (header_security){
|
|
|
|
// Array of allowed domain patterns (without the protocol part)
|
|
$allowedDomainPatterns = [
|
|
'vanbeers.tv',
|
|
'soveliti.nl',
|
|
'veliti.nl',
|
|
'gewoonlekkerspaans.nl'
|
|
];
|
|
|
|
// Get the origin from the request headers
|
|
$origin = $_SERVER['HTTP_ORIGIN'] ?? '';
|
|
|
|
// Set CORS headers if origin is allowed
|
|
if (isOriginAllowed($origin, $allowedDomainPatterns)) {
|
|
header("Access-Control-Allow-Origin: $origin");
|
|
header("Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS");
|
|
header("Access-Control-Allow-Headers: Authorization, Content-Type");
|
|
//header("Access-Control-Allow-Credentials: true"); // Include if needed
|
|
}
|
|
|
|
// Handle preflight requests
|
|
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
|
|
// Return early with 204 No Content for preflight requests
|
|
http_response_code(204);
|
|
exit;
|
|
}
|
|
// Strict security headers
|
|
header('Content-Type: application/json');
|
|
header('X-Content-Type-Options: nosniff');
|
|
header('X-Frame-Options: DENY');
|
|
header('X-XSS-Protection: 1; mode=block');
|
|
header('Content-Security-Policy: default-src \'none\'');
|
|
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
|
|
header('Referrer-Policy: strict-origin-when-cross-origin');
|
|
|
|
// Validate Content-Type
|
|
if (!str_contains($_SERVER['CONTENT_TYPE'] ?? '', 'application/json')) {
|
|
http_response_code(400);
|
|
exit(json_encode(['error' => 'Invalid Content-Type']));
|
|
}
|
|
|
|
// Validate request size
|
|
$maxRequestSize = 5 * 1024 * 1024; // 5MB in bytes
|
|
if (isset($_SERVER['CONTENT_LENGTH']) && $_SERVER['CONTENT_LENGTH'] > $maxRequestSize) {
|
|
http_response_code(413);
|
|
exit(json_encode(['error' => 'Request too large']));
|
|
}
|
|
}
|
|
|
|
//------------------------------------------
|
|
// Retrieve API version and Collection
|
|
// api.php/(v)ersion/{get/post}/collection/
|
|
//------------------------------------------
|
|
$version = (isset($request[0])) ? strtolower($request[0]) : '';
|
|
$collection = (isset($request[1])) ? strtolower($request[1]) : '';
|
|
$get_content = (isset($request[2])) ? strtolower($request[2]) : '';
|
|
|
|
//------------------------------------------
|
|
// Initial authorization request - get TOKEN
|
|
//------------------------------------------
|
|
if ($collection == 'authorization'){
|
|
$api_authorization = './api/'.$version.'/'.$collection.'.php'; //Get related file
|
|
|
|
if (file_exists($api_authorization)){
|
|
include_once $api_authorization; //Include the code
|
|
}
|
|
else
|
|
{
|
|
echo null;
|
|
}
|
|
|
|
}
|
|
else {
|
|
|
|
//------------------------------------------
|
|
// Check Security token
|
|
//------------------------------------------
|
|
$bearer_token = get_bearer_token();
|
|
$is_jwt_valid = is_jwt_valid($bearer_token);
|
|
|
|
//------------------------------------------
|
|
//IF security token is valid
|
|
//------------------------------------------
|
|
if($is_jwt_valid && str_contains($version, 'v')) {
|
|
|
|
//------------------------------------------
|
|
// Get Userrights
|
|
//------------------------------------------
|
|
$userkey = getUserKey($bearer_token); //Get key from Token
|
|
$api_user_file = './api/'.$version.'/get/user_credentials.php'; //Get related file
|
|
|
|
if (file_exists($api_user_file)){
|
|
include_once $api_user_file; //Include the code
|
|
}
|
|
else
|
|
{
|
|
echo null;
|
|
}
|
|
//
|
|
//------------------------------------------
|
|
// Check for maintenance mode, exclude debug user
|
|
//------------------------------------------
|
|
if(maintenance_mode == false|| debug_id == $user_data['id']){
|
|
|
|
//------------------------------------------
|
|
// Build up version and check if file is available
|
|
//------------------------------------------
|
|
$api_file = './api/'.$version.'/get/'.$collection.'.php';
|
|
$api_file_post = './api/'.$version.'/post/'.$collection.'.php';
|
|
|
|
//------------------------------------------
|
|
//GET CLEAN LANGUAGE CODE
|
|
//------------------------------------------
|
|
$language_code = ($user_data['language']) ? $user_data['language'] : 'US';
|
|
$api_file_language = './settings/translations/translations_'.strtoupper($language_code).'.php';
|
|
|
|
//------------------------------------------
|
|
//INCLUDE LANGUAGE FILE
|
|
//------------------------------------------
|
|
if (file_exists($api_file_language)){
|
|
include_once $api_file_language; //Include the code
|
|
}
|
|
else {
|
|
include_once './settings/translations/translations_US.php';
|
|
}
|
|
|
|
//------------------------------------------
|
|
//CHECK IF USER IS ALLOWED TO CALL SPECIFIC API
|
|
//------------------------------------------
|
|
|
|
//------------------------------------------
|
|
// First check if endPoint is fileUpload
|
|
//------------------------------------------
|
|
$fileUploadEndpoints = [
|
|
'media_upload'
|
|
];
|
|
|
|
$isFileUploadEndpoint = in_array($collection, $fileUploadEndpoints);
|
|
$hasValidFileData = !empty($_FILES) && $_SERVER['REQUEST_METHOD'] ==='POST';
|
|
|
|
if ($isFileUploadEndpoint && $hasValidFileData) {
|
|
$input = $_POST;
|
|
}
|
|
|
|
//------------------------------------------
|
|
// END check if endPoint is fileUpload
|
|
//------------------------------------------
|
|
|
|
debuglog("API call: collection=$collection, input_empty=" . (empty($input) ? 'true' : 'false') . ", file_exists=" . (file_exists($api_file) ? 'true' : 'false'));
|
|
|
|
if (isAllowed($collection,$profile,$permission,'R') === 1 && empty($input) && file_exists($api_file)){
|
|
|
|
include_once $api_file;
|
|
}
|
|
elseif (isAllowed($collection,$profile,$permission,'U') === 1 && !empty($input) && file_exists($api_file_post)){
|
|
|
|
include_once $api_file_post;
|
|
}
|
|
else
|
|
{
|
|
//------------------------------------------
|
|
// User not allowed to perform operation
|
|
//------------------------------------------
|
|
http_response_code(403); //Forbidden
|
|
}
|
|
}
|
|
else
|
|
{
|
|
//------------------------------------------
|
|
// Maintenance mode is activce -> service unavailable
|
|
//------------------------------------------
|
|
http_response_code(503); //Service Unavailable
|
|
}
|
|
|
|
|
|
}
|
|
else
|
|
{
|
|
//------------------------------------------
|
|
// JWT not VALID
|
|
//------------------------------------------
|
|
http_response_code(403); //Forbidden
|
|
}
|
|
}
|
|
|
|
//------------------------------------------
|
|
// Debuglog
|
|
//------------------------------------------
|
|
if (debug){
|
|
$time_elapsed = microtime(true) - $_SERVER["REQUEST_TIME_FLOAT"];
|
|
$message = $date.';'.$collection.';'.$time_elapsed.';'.$username;
|
|
debuglog($message);
|
|
}
|
|
|
|
?>
|