From 8f1bad60d0b7bd0d0a05bcdcf3c6834e39c0c6eb Mon Sep 17 00:00:00 2001
From: Kevin Papst <kevinpapst@users.noreply.github.com>
Date: Thu, 24 May 2018 21:53:47 +0200
Subject: Add Fever API and user documentation (#1836)

* added fever api and documentation

* spaces to tabs

* fixed code format

* added links

* added utf8 to header

* removed XML support

* removed before check, as we have to convert it afterwards

* added sandboxed setting (currently disabled)
added support for extensions using entry_before_display

* listFeedsOrderUpdate LIMIT

https://github.com/FreshRSS/FreshRSS/pull/1836/files#r175287881

* removed custom sql by using FreshRSS_FeedDAO::listFeedsOrderUpdate()

* fixed mark all as read

* replaced custom sql for getUnread() and getStarred() with dao functions

* removed sanitization functions

* Rework fever login

* Fix config bug

Plus documentation

* Fix array syntax

For compatibility with PHP 5.3

* Disable cookies and session for API

* Fix currentUser

* added response header and error log

* adjusted phpdoc to match new authentication

* Mechanism to delete old keys

* replace PHP_INT_MAX with zero to disable limit

* replace method_exists with check for explicit methods

* removed Press support and smaller refactoring + updated docu

* Rewrite bindParamArray

Avoid one of the SQL injection risks

* Docs and readme

* Fix API link

* Simplify reverse key check

Using userConfig
---
 app/Controllers/userController.php | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

(limited to 'app/Controllers')

diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php
index 4b47b365e..e09572b7e 100644
--- a/app/Controllers/userController.php
+++ b/app/Controllers/userController.php
@@ -44,6 +44,14 @@ class FreshRSS_user_Controller extends Minz_ActionController {
 		return preg_match('/^' . self::USERNAME_PATTERN . '$/', $username) === 1;
 	}
 
+	public static function deleteFeverKey($username) {
+		$userConfig = get_user_configuration($username);
+		if ($userConfig !== null && ctype_xdigit($userConfig->feverKey)) {
+			return @unlink(DATA_PATH . '/fever/.key-' . sha1(FreshRSS_Context::$system_conf->salt) . '-' . $userConfig->feverKey . '.txt');
+		}
+		return false;
+	}
+
 	public static function updateUser($user, $passwordPlain, $apiPasswordPlain, $userConfigUpdated = array()) {
 		$userConfig = get_user_configuration($user);
 		if ($userConfig === null) {
@@ -58,6 +66,16 @@ class FreshRSS_user_Controller extends Minz_ActionController {
 		if ($apiPasswordPlain != '') {
 			$apiPasswordHash = self::hashPassword($apiPasswordPlain);
 			$userConfig->apiPasswordHash = $apiPasswordHash;
+
+			@mkdir(DATA_PATH . '/fever/', 0770, true);
+			self::deleteFeverKey($user);
+			$userConfig->feverKey = strtolower(md5($user . ':' . $apiPasswordPlain));
+			$ok = file_put_contents(DATA_PATH . '/fever/.key-' . sha1(FreshRSS_Context::$system_conf->salt) . '-' . $userConfig->feverKey . '.txt', $user) !== false;
+
+			if (!$ok) {
+				Minz_Log::warning('Could not save API credentials for fever API', ADMIN_LOG);
+				return $ok;
+			}
 		}
 
 		if (is_array($userConfigUpdated)) {
@@ -258,6 +276,7 @@ class FreshRSS_user_Controller extends Minz_ActionController {
 			$ok &= $userDAO->deleteUser($username);
 			$ok &= recursive_unlink($user_data);
 			array_map('unlink', glob(PSHB_PATH . '/feeds/*/' . $username . '.txt'));
+			self::deleteFeverKey();
 		}
 		return $ok;
 	}
-- 
cgit v1.2.3