171 lines
5.8 KiB
PHP
171 lines
5.8 KiB
PHP
<?php
|
|
define('secure_34563$52', true);
|
|
|
|
//------------------------------------------
|
|
// Get DATA from API
|
|
//------------------------------------------
|
|
$request = explode('/', trim($_SERVER['PATH_INFO'],'/'));
|
|
//$input = json_decode(file_get_contents('php://input'),true);
|
|
$post_data_curl = fopen('php://input', 'r');
|
|
$input = stream_get_contents($post_data_curl);
|
|
|
|
//------------------------------------------
|
|
// Include functions
|
|
//------------------------------------------
|
|
require_once './assets/functions.php';
|
|
include './settings/settings.php';
|
|
include './settings/config.php';
|
|
|
|
//------------------------------------------
|
|
// Header security - enabled via config
|
|
//------------------------------------------
|
|
if (header_security){
|
|
header('Content-Type: application/json');
|
|
|
|
// Set strict security headers
|
|
header('X-Content-Type-Options: nosniff');
|
|
header('X-Frame-Options: DENY');
|
|
header('X-XSS-Protection: 1; mode=block');
|
|
header('Content-Security-Policy: default-src \'none\'');
|
|
header('Access-Control-Allow-Origin: ' . $_ENV['ALLOWED_ORIGIN']);
|
|
header('Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS');
|
|
header('Access-Control-Allow-Headers: Content-Type, Accept, Authorization');
|
|
|
|
// Validate Content-Type
|
|
if (!str_contains($_SERVER['CONTENT_TYPE'],'application/json')) {
|
|
http_response_code(400);
|
|
exit(json_encode(['error' => 'Invalid Content-Type']));
|
|
}
|
|
|
|
// Validate request size
|
|
if ($_SERVER['CONTENT_LENGTH'] > '5M') {
|
|
http_response_code(413);
|
|
exit(json_encode(['error' => 'Request too large']));
|
|
}
|
|
}
|
|
|
|
//------------------------------------------
|
|
// Retrieve API version and Collection
|
|
// api.php/(v)ersion/{get/post}/collection/
|
|
//------------------------------------------
|
|
$version = (isset($request[0])) ? strtolower($request[0]) : '';
|
|
$collection = (isset($request[1])) ? strtolower($request[1]) : '';
|
|
$get_content = (isset($request[2])) ? strtolower($request[2]) : '';
|
|
|
|
//------------------------------------------
|
|
// Initial authorization request - get TOKEN
|
|
//------------------------------------------
|
|
if ($collection == 'authorization'){
|
|
$api_authorization = './api/'.$version.'/'.$collection.'.php'; //Get related file
|
|
|
|
if (file_exists($api_authorization)){
|
|
include_once $api_authorization; //Include the code
|
|
}
|
|
else
|
|
{
|
|
echo null;
|
|
}
|
|
|
|
}
|
|
else {
|
|
|
|
//------------------------------------------
|
|
// Check Security token
|
|
//------------------------------------------
|
|
$bearer_token = get_bearer_token();
|
|
$is_jwt_valid = is_jwt_valid($bearer_token);
|
|
|
|
//------------------------------------------
|
|
//IF security token is valid
|
|
//------------------------------------------
|
|
if($is_jwt_valid && str_contains($version, 'v')) {
|
|
|
|
//------------------------------------------
|
|
// Get Userrights
|
|
//------------------------------------------
|
|
$userkey = getUserKey($bearer_token); //Get key from Token
|
|
$api_user_file = './api/'.$version.'/get/user_credentials.php'; //Get related file
|
|
|
|
if (file_exists($api_user_file)){
|
|
include_once $api_user_file; //Include the code
|
|
}
|
|
else
|
|
{
|
|
echo null;
|
|
}
|
|
//
|
|
//------------------------------------------
|
|
// Check for maintenance mode, exclude debug user
|
|
//------------------------------------------
|
|
if(maintenance_mode == false|| debug_id == $user_data['id']){
|
|
|
|
//------------------------------------------
|
|
// Build up version and check if file is available
|
|
//------------------------------------------
|
|
$api_file = './api/'.$version.'/get/'.$collection.'.php';
|
|
$api_file_post = './api/'.$version.'/post/'.$collection.'.php';
|
|
|
|
//------------------------------------------
|
|
//GET CLEAN LANGUAGE CODE
|
|
//------------------------------------------
|
|
$language_code = ($user_data['language']) ? $user_data['language'] : 'US';
|
|
$api_file_language = './settings/translations/translations_'.strtoupper($language_code).'.php';
|
|
|
|
//------------------------------------------
|
|
//INCLUDE LANGUAGE FILE
|
|
//------------------------------------------
|
|
if (file_exists($api_file_language)){
|
|
include_once $api_file_language; //Include the code
|
|
}
|
|
else {
|
|
include_once './settings/translations/translations_US.php';
|
|
}
|
|
|
|
//------------------------------------------
|
|
//CHECK IF USER IS ALLOWED TO CALL SPECIFIC API
|
|
//------------------------------------------
|
|
if (isAllowed($collection,$profile,$permission,'R') === 1 && empty($input) && file_exists($api_file)){
|
|
|
|
include_once $api_file;
|
|
}
|
|
elseif (isAllowed($collection,$profile,$permission,'U') === 1 && !empty($input) && file_exists($api_file_post)){
|
|
|
|
include_once $api_file_post;
|
|
}
|
|
else
|
|
{
|
|
//------------------------------------------
|
|
// User not allowed to perform operation
|
|
//------------------------------------------
|
|
http_response_code(403); //Forbidden
|
|
}
|
|
}
|
|
else
|
|
{
|
|
//------------------------------------------
|
|
// Maintenance mode is activce -> service unavailable
|
|
//------------------------------------------
|
|
http_response_code(503); //Service Unavailable
|
|
}
|
|
|
|
|
|
}
|
|
else
|
|
{
|
|
//------------------------------------------
|
|
// JWT not VALID
|
|
//------------------------------------------
|
|
http_response_code(403); //Forbidden
|
|
}
|
|
}
|
|
|
|
//------------------------------------------
|
|
// Debuglog
|
|
//------------------------------------------
|
|
if (debug){
|
|
$time_elapsed = microtime(true) - $_SERVER["REQUEST_TIME_FLOAT"];
|
|
$message = $date.';'.$collection.';'.$time_elapsed.';'.$username;
|
|
debuglog($message);
|
|
}
|
|
|
|
?>
|