Add Fever API and user documentation (#1836)

* added fever api and documentation

* spaces to tabs

* fixed code format

* added links

* added utf8 to header

* removed XML support

* removed before check, as we have to convert it afterwards

* added sandboxed setting (currently disabled)
added support for extensions using entry_before_display

* listFeedsOrderUpdate LIMIT

https://github.com/FreshRSS/FreshRSS/pull/1836/files#r175287881

* removed custom sql by using FreshRSS_FeedDAO::listFeedsOrderUpdate()

* fixed mark all as read

* replaced custom sql for getUnread() and getStarred() with dao functions

* removed sanitization functions

* Rework fever login

* Fix config bug

Plus documentation

* Fix array syntax

For compatibility with PHP 5.3

* Disable cookies and session for API

* Fix currentUser

* added response header and error log

* adjusted phpdoc to match new authentication

* Mechanism to delete old keys

* replace PHP_INT_MAX with zero to disable limit

* replace method_exists with check for explicit methods

* removed Press support and smaller refactoring + updated docu

* Rewrite bindParamArray

Avoid one of the SQL injection risks

* Docs and readme

* Fix API link

* Simplify reverse key check

Using userConfig

3 files changed, 23 insertions, 3 deletions

diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php
index 4b47b365e..e09572b7e 100644
--- a/app/Controllers/userController.php
+++ b/app/Controllers/userController.php
@@ -44,6 +44,14 @@ class FreshRSS_user_Controller extends Minz_ActionController {
 		return preg_match('/^' . self::USERNAME_PATTERN . '$/', $username) === 1;
 	}
 
+	public static function deleteFeverKey($username) {
+		$userConfig = get_user_configuration($username);
+		if ($userConfig !== null && ctype_xdigit($userConfig->feverKey)) {
+			return @unlink(DATA_PATH . '/fever/.key-' . sha1(FreshRSS_Context::$system_conf->salt) . '-' . $userConfig->feverKey . '.txt');
+		}
+		return false;
+	}
+
 	public static function updateUser($user, $passwordPlain, $apiPasswordPlain, $userConfigUpdated = array()) {
 		$userConfig = get_user_configuration($user);
 		if ($userConfig === null) {
@@ -58,6 +66,16 @@ class FreshRSS_user_Controller extends Minz_ActionController {
 		if ($apiPasswordPlain != '') {
 			$apiPasswordHash = self::hashPassword($apiPasswordPlain);
 			$userConfig->apiPasswordHash = $apiPasswordHash;
+
+			@mkdir(DATA_PATH . '/fever/', 0770, true);
+			self::deleteFeverKey($user);
+			$userConfig->feverKey = strtolower(md5($user . ':' . $apiPasswordPlain));
+			$ok = file_put_contents(DATA_PATH . '/fever/.key-' . sha1(FreshRSS_Context::$system_conf->salt) . '-' . $userConfig->feverKey . '.txt', $user) !== false;
+
+			if (!$ok) {
+				Minz_Log::warning('Could not save API credentials for fever API', ADMIN_LOG);
+				return $ok;
+			}
 		}
 
 		if (is_array($userConfigUpdated)) {
@@ -258,6 +276,7 @@ class FreshRSS_user_Controller extends Minz_ActionController {
 			$ok &= $userDAO->deleteUser($username);
 			$ok &= recursive_unlink($user_data);
 			array_map('unlink', glob(PSHB_PATH . '/feeds/*/' . $username . '.txt'));
+			self::deleteFeverKey();
 		}
 		return $ok;
 	}
diff --git a/app/Models/EntryDAO.php b/app/Models/EntryDAO.php
index 516aad3b8..a3bca3727 100644
--- a/app/Models/EntryDAO.php
+++ b/app/Models/EntryDAO.php
@@ -801,7 +801,7 @@ class FreshRSS_EntryDAO extends Minz_ModelPdo implements FreshRSS_Searchable {
 			. 'WHERE ' . $where
 			. $search
 			. 'ORDER BY e.id ' . $order
-			. ($limit > 0 ? ' LIMIT ' . $limit : ''));	//TODO: See http://explainextended.com/2009/10/23/mysql-order-by-limit-performance-late-row-lookups/
+			. ($limit > 0 ? ' LIMIT ' . intval($limit) : ''));	//TODO: See http://explainextended.com/2009/10/23/mysql-order-by-limit-performance-late-row-lookups/
 	}
 
 	public function listWhereRaw($type = 'a', $id = '', $state = FreshRSS_Entry::STATE_ALL, $order = 'DESC', $limit = 1, $firstId = '', $filters = null, $date_min = 0) {
diff --git a/app/Models/FeedDAO.php b/app/Models/FeedDAO.php
index f968ae98b..9d980c139 100644
--- a/app/Models/FeedDAO.php
+++ b/app/Models/FeedDAO.php
@@ -299,13 +299,14 @@ class FreshRSS_FeedDAO extends Minz_ModelPdo implements FreshRSS_Searchable {
 	/**
 	 * Use $defaultCacheDuration == -1 to return all feeds, without filtering them by TTL.
 	 */
-	public function listFeedsOrderUpdate($defaultCacheDuration = 3600) {
+	public function listFeedsOrderUpdate($defaultCacheDuration = 3600, $limit = 0) {
 		$this->updateTTL();
 		$sql = 'SELECT id, url, name, website, `lastUpdate`, `pathEntries`, `httpAuth`, keep_history, ttl, attributes '
 		     . 'FROM `' . $this->prefix . 'feed` '
 		     . ($defaultCacheDuration < 0 ? '' : 'WHERE ttl >= ' . FreshRSS_Feed::TTL_DEFAULT
 		     . ' AND `lastUpdate` < (' . (time() + 60) . '-(CASE WHEN ttl=' . FreshRSS_Feed::TTL_DEFAULT . ' THEN ' . intval($defaultCacheDuration) . ' ELSE ttl END)) ')
-		     . 'ORDER BY `lastUpdate`';
+		     . 'ORDER BY `lastUpdate` '
+		     . ($limit < 1 ? '' : 'LIMIT ' . intval($limit));
 		$stm = $this->bd->prepare($sql);
 		if ($stm && $stm->execute()) {
 			return self::daoToFeed($stm->fetchAll(PDO::FETCH_ASSOC));