Fix signature issue and remove old token subscriber #164
This commit is contained in:
parent
a2be71a001
commit
3ac8b8e53d
4 changed files with 26 additions and 156 deletions
|
|
@ -41,8 +41,8 @@ class UserCreateCommand extends Command
|
|||
$this->em->persist($user);
|
||||
$this->em->flush();
|
||||
|
||||
$output->write('API Key - ' . $user->getAPIKey());
|
||||
$output->write('Secret Key - ' . $user->getSecretKey());
|
||||
$output->write('API Key - ' . $user->getAPIKey() . "\n");
|
||||
$output->write('Secret Key - ' . $user->getSecretKey() . "\n");
|
||||
}
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -1,122 +0,0 @@
|
|||
<?php
|
||||
|
||||
namespace Catalyst\APIBundle\EventSubscriber;
|
||||
|
||||
use Catalyst\APIBundle\Controller\APIController;
|
||||
|
||||
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
|
||||
use Symfony\Component\HttpKernel\Event\FilterControllerEvent;
|
||||
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
|
||||
use Symfony\Component\HttpKernel\KernelEvents;
|
||||
|
||||
use Doctrine\ORM\EntityManagerInterface;
|
||||
|
||||
use DateTime;
|
||||
|
||||
class TokenSubscriber implements EventSubscriberInterface
|
||||
{
|
||||
const HEADER_API_KEY = 'X-Cata-API-Key';
|
||||
const HEADER_SIGNATURE = 'X-Cata-Signature';
|
||||
const HEADER_DATE = 'X-Cata-Date';
|
||||
|
||||
const DATE_FORMAT = 'D, d M Y H:i:s T';
|
||||
|
||||
const QUERY_API_KEY = 'api_key';
|
||||
const QUERY_SIGNATURE = 'sig';
|
||||
|
||||
// 30 minute time limit
|
||||
const TIME_LIMIT = 1800;
|
||||
|
||||
protected $em;
|
||||
|
||||
public function __construct(EntityManagerInterface $em)
|
||||
{
|
||||
$this-> em = $em;
|
||||
}
|
||||
|
||||
protected function getSecretKey($api_key)
|
||||
{
|
||||
return 'sldkfjlksdjflksdjflksdjflsjf';
|
||||
}
|
||||
|
||||
protected function validateSignature($req, $hdate_string, $secret_key, $sig)
|
||||
{
|
||||
// get needed params for generation
|
||||
$method = $req->getRealMethod();
|
||||
$uri = $req->getRequestUri();
|
||||
|
||||
$elements = [$method, $uri, $hdate_string, $secret_key];
|
||||
$sig_source = implode('|', $elements);
|
||||
|
||||
error_log($sig_source);
|
||||
|
||||
// generate signature
|
||||
$raw_sig = hash_hmac('sha1', $sig_source, $secret_key, true);
|
||||
$enc_sig = base64_encode($raw_sig);
|
||||
|
||||
error_log($enc_sig);
|
||||
|
||||
if ($enc_sig != trim($sig))
|
||||
throw new AccessDeniedHttpException('Invalid signature.');
|
||||
|
||||
}
|
||||
|
||||
public function onKernelController(FilterControllerEvent $event)
|
||||
{
|
||||
$controller = $event->getController();
|
||||
|
||||
// not a controller class? (docs said to handle)
|
||||
if (!is_array($controller))
|
||||
return;
|
||||
|
||||
|
||||
// not an api controller
|
||||
if (!($controller[0] instanceof APIController))
|
||||
return;
|
||||
|
||||
$req = $event->getRequest();
|
||||
|
||||
// check date from headers
|
||||
$headers = $req->headers->all();
|
||||
$hdate_string = $req->headers->get(self::HEADER_DATE);
|
||||
if ($hdate_string == null)
|
||||
throw new AccessDeniedHttpException('No date specified.');
|
||||
|
||||
$hdate = DateTime::createFromFormat(self::DATE_FORMAT, $hdate_string);
|
||||
if ($hdate == null)
|
||||
throw new AccessDeniedHttpException('Invalid date specified.');
|
||||
|
||||
// get number of seconds difference
|
||||
$date_now = new DateTime();
|
||||
$date_diff = abs($date_now->getTimestamp() - $hdate->getTimestamp());
|
||||
|
||||
// time difference is too much
|
||||
if ($date_diff > self::TIME_LIMIT)
|
||||
throw new AccessDeniedHttpException('Clock synchronization error.');
|
||||
|
||||
// api key header
|
||||
$api_key = $req->headers->get(self::HEADER_API_KEY);
|
||||
if ($api_key == null)
|
||||
throw new AccessDeniedHttpException('No api key sent.');
|
||||
|
||||
// check valid api key
|
||||
$secret_key = $this->getSecretKey($api_key);
|
||||
|
||||
// signature header
|
||||
$sig = $req->headers->get(self::HEADER_SIGNATURE);
|
||||
if ($sig == null)
|
||||
throw new AccessDeniedHttpException('No signature sent.');
|
||||
|
||||
// check valid signature
|
||||
$this->validateSignature($req, $hdate_string, $secret_key, $sig);
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
public static function getSubscribedEvents()
|
||||
{
|
||||
return [
|
||||
KernelEvents::CONTROLLER => 'onKernelController',
|
||||
];
|
||||
}
|
||||
}
|
||||
|
|
@ -40,13 +40,14 @@ class APIKeyAuthenticator implements SimplePreAuthenticatorInterface, Authentica
|
|||
return 'sldkfjlksdjflksdjflksdjflsjf';
|
||||
}
|
||||
|
||||
protected function validateSignature($req, $hdate_string, $secret_key, $sig)
|
||||
protected function validateSignature($creds, $secret_key)
|
||||
{
|
||||
// get needed params for generation
|
||||
$method = $req->getRealMethod();
|
||||
$uri = $req->getRequestUri();
|
||||
|
||||
$elements = [$method, $uri, $hdate_string, $secret_key];
|
||||
$elements = [
|
||||
$creds['method'],
|
||||
$creds['uri'],
|
||||
$creds['date'],
|
||||
$secret_key,
|
||||
];
|
||||
$sig_source = implode('|', $elements);
|
||||
|
||||
error_log($sig_source);
|
||||
|
|
@ -57,8 +58,8 @@ class APIKeyAuthenticator implements SimplePreAuthenticatorInterface, Authentica
|
|||
|
||||
error_log($enc_sig);
|
||||
|
||||
if ($enc_sig != trim($sig))
|
||||
throw new BadCredentialsException('Invalid signature.');
|
||||
if ($enc_sig != trim($creds['signature']))
|
||||
throw new CustomUserMessageAuthenticationException('Invalid signature.');
|
||||
|
||||
}
|
||||
|
||||
|
|
@ -86,20 +87,23 @@ class APIKeyAuthenticator implements SimplePreAuthenticatorInterface, Authentica
|
|||
if ($date_diff > self::TIME_LIMIT)
|
||||
throw new BadCredentialsException('Clock synchronization error.');
|
||||
|
||||
// check valid api key
|
||||
$secret_key = $this->getSecretKey($api_key);
|
||||
|
||||
// signature header
|
||||
$sig = $req->headers->get(self::HEADER_SIGNATURE);
|
||||
if ($sig == null)
|
||||
throw new BadCredentialsException('No signature sent.');
|
||||
|
||||
// check valid signature
|
||||
$this->validateSignature($req, $hdate_string, $secret_key, $sig);
|
||||
// credentials
|
||||
$creds = [
|
||||
'api_key' => $api_key,
|
||||
'date' => $hdate_string,
|
||||
'signature' => $sig,
|
||||
'method' => $req->getRealMethod(),
|
||||
'uri' => $req->getRequestUri(),
|
||||
];
|
||||
|
||||
return new PreAuthenticatedToken(
|
||||
'anonymous',
|
||||
$api_key,
|
||||
$creds,
|
||||
$provider_key
|
||||
);
|
||||
}
|
||||
|
|
@ -121,24 +125,17 @@ class APIKeyAuthenticator implements SimplePreAuthenticatorInterface, Authentica
|
|||
);
|
||||
}
|
||||
|
||||
$api_key = $token->getCredentials();
|
||||
$creds = $token->getCredentials();
|
||||
$api_key = $creds['api_key'];
|
||||
$user = $user_provider->getUserByAPIKey($api_key);
|
||||
|
||||
/*
|
||||
$username = $user_provider->getUsernameForAPIKey($api_key);
|
||||
|
||||
if (!$username)
|
||||
{
|
||||
// CAUTION: this message will be returned to the client
|
||||
// (so don't put any un-trusted messages / error strings here)
|
||||
throw new CustomUserMessageAuthenticationException(
|
||||
sprintf('API Key "%s" does not exist.', $api_key)
|
||||
);
|
||||
}
|
||||
*/
|
||||
// check if api key is valid
|
||||
if (!$user)
|
||||
throw new CustomUserMessageAuthenticationException('Invalid API Key');
|
||||
|
||||
// check if signature is valid
|
||||
$this->validateSignature($creds, $user->getSecretKey());
|
||||
|
||||
// $user = $user_provider->loadUserByUsername($username);
|
||||
|
||||
return new PreAuthenticatedToken(
|
||||
|
|
|
|||
|
|
@ -76,11 +76,6 @@ services:
|
|||
$ip_address: "%env(APNS_REDIS_IP_ADDRESS)%"
|
||||
$port: "%env(APNS_REDIS_PORT)%"
|
||||
|
||||
Catalyst\APIBundle\EventSubscriber\TokenSubscriber:
|
||||
arguments:
|
||||
$em: "@doctrine.orm.entity_manager"
|
||||
tags: ['kernel.event_subscriber']
|
||||
|
||||
Catalyst\APIBundle\Security\APIKeyUserProvider:
|
||||
arguments:
|
||||
$em: "@doctrine.orm.entity_manager"
|
||||
|
|
|
|||
Loading…
Reference in a new issue