
Issue techjoomla#80 Fix: Tokens should not be accepted via request variables
niteshkesarkar committed May 12, 2020
1 parent eddce0f commit 6620597
Showing 3 changed files with 22 additions and 8 deletions.
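--- a/code/site/libraries/authentication.php
+++ b/code/site/libraries/authentication.php
@@ -182,13 +182,14 @@ public static function getCom_apiVersion()
 private static function getAuthMethod()
 {
 $app = JFactory::getApplication();
-$key = $app->input->get('key');
+
+// $key = $app->input->get('key');
 
 if (isset($_SERVER['HTTP_X_AUTH']) && $_SERVER['HTTP_X_AUTH'])
 {
 $authMethod = $_SERVER['HTTP_X_AUTH'];
 }
-elseif ($key || self::getBearerToken())
+elseif (self::getBearerToken())
 {
 $authMethod = 'key';
 }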
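Review bot: The rejected query-string lookup survives as commented-out code at `// $key = $app->input->get('key');`, which leaves the path issue #80 closes one uncomment away from being reintroduced; delete the line and record the decision instead, e.g. `// Tokens are accepted only from the Authorization header (issue #80); never read them from request variables.` The new `elseif (self::getBearerToken())` also relies on PHP truthiness, so a bearer value of `"0"` would be treated as absent; `elseif (self::getBearerToken() !== null)`, or a comparison against `''` depending on what getBearerToken() returns (its body is not shown here), pins the intended "header present" test. getAuthMethod() continues past the end of this hunk.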
10 changes: 7 additions & 3 deletions code/site/libraries/authentication/key.php
Expand Up @@ -30,10 +30,14 @@ class ApiAuthenticationKey extends ApiAuthentication
public function authenticate()
{
$app = JFactory::getApplication();
$query_token = $app->input->get('key', '', 'STRING');

// $query_token = $app->input->get('key', '', 'STRING');

$header_token = $this->getBearerToken();
$key = $header_token ? $header_token : $query_token;
$token = $this->loadTokenByHash($key);

// $key = $header_token ? $header_token : $query_token;

$token = $this->loadTokenByHash($header_token);

if (isset($token->state) && $token->state == 1)
{
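Review bot: `$token = $this->loadTokenByHash($header_token);` is now reached even when no Authorization header was sent, because nothing checks `$header_token` before the lookup; the old code had the same gap through `$query_token`, but with the query path removed the empty case becomes the common one for unauthenticated callers. Guard it before the database call, `if (!$header_token) { return false; }`, using whatever failure value the rest of authenticate() returns (the method continues past this hunk), so an empty or missing token never turns into a lookup. Whether loadTokenByHash() tolerates an empty argument is not visible here. The commented-out `$query_token` and `$key` lines should be deleted rather than kept; a one-line comment such as `// Only the bearer token from the Authorization header is accepted (issue #80).` documents the decision better than dead code.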
15 changes: 12 additions & 3 deletions code/site/libraries/plugin.php
Expand Up @@ -349,7 +349,10 @@ final private function checkRequestLimit()
return true;
}

$hash = $app->input->get('key', '', 'STRING');
// $hash = $app->input->get('key', '', 'STRING');

$hash = APIAuthentication::getBearerToken();

$ip_address = $app->input->server->get('REMOTE_ADDR', '', 'STRING');

$time = $this->params->get('request_limit_time', 'hour');
Expand Down Expand Up @@ -442,7 +445,10 @@ final private function log()

$table = JTable::getInstance('Log', 'ApiTable');
$date = JFactory::getDate();
$table->hash = $app->input->get('key', '', 'STRING');

// $table->hash = $app->input->get('key', '', 'STRING');

$table->hash = APIAuthentication::getBearerToken();
$table->ip_address = $app->input->server->get('REMOTE_ADDR', '', 'STRING');
$table->time = $date->toSql();
$table->request = $req_url;
Expand All @@ -465,7 +471,10 @@ final private function lastUsed()
$app = JFactory::getApplication();
$table = JTable::getInstance('Key', 'ApiTable');

$hash = $app->input->get('key', '', 'STRING');
// $hash = $app->input->get('key', '', 'STRING');

$hash = APIAuthentication::getBearerToken();

$table->setLastUsed($hash);
}

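Review bot: `$table->hash = APIAuthentication::getBearerToken();` in log() persists the raw bearer credential in the log table, and because key.php looks tokens up with that same value via loadTokenByHash(), anyone who can read log rows appears to hold usable API keys; the old code stored the query-string value the same way, but this commit is the moment to store a digest instead, e.g. `$table->hash = hash('sha256', (string) APIAuthentication::getBearerToken());`, unless the `hash` column is meant to hold the token verbatim for reconciliation. The same raw value is the rate-limit key in checkRequestLimit() and is passed to setLastUsed() in lastUsed(), so what the ApiTable `Key` and `Log` schemas expect should be confirmed before changing the column's content. The file also spells the class `APIAuthentication` while key.php extends `ApiAuthentication`; PHP resolves class names case-insensitively, so it works, but one spelling would be easier to grep. All three enclosing methods extend beyond their hunks.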
