From a6623b7b2fa3f026a0ea30e49b1a221f7a4a8e55 Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Wed, 2 Jan 2019 21:36:33 +0100 Subject: Apache performance (#2202) * Apache performance API: Use SetEnvIf if available and fallback to RewriteRule Docker: Disable unused modules. Docker: Hard-include .htaccess to avoid having to scan for changes in that file. Docker: Disable security check of symlinks, which we do not use ayway. * Apache readme * Docker/Apache tuning Run cron job with correct www-data user instead of root Remove PHP GMP module uneeded for 64-bit Docker image Add option to mount custom .htaccess for HTTP authentication Re-add Apache module for HTTP authentication Move Alpine-specific instructions to Docker file (instead of Apache conf) to make it easier to have other base images than Alpine --- p/api/.htaccess | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'p/api') diff --git a/p/api/.htaccess b/p/api/.htaccess index 41b653d96..937983ec9 100644 --- a/p/api/.htaccess +++ b/p/api/.htaccess @@ -1,4 +1,9 @@ - - RewriteEngine on - RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] + + SetEnvIf "^Authorization$" "(.*)" HTTP_AUTHORIZATION=$1 + + + + RewriteEngine on + RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] + -- cgit v1.2.3 From 20223b8b01f47fba0858d854c5744fad5900b9cc Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Sat, 5 Jan 2019 12:33:18 +0100 Subject: Automatic API test (#2207) * Automatic API test Easier for end-user, smarter, and the guess testing of greader authorization token was not reliable. * Travis + minor --- p/api/greader.php | 21 ++++++++----------- p/api/index.php | 27 ++++++++++++++---------- p/scripts/api.js | 62 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 87 insertions(+), 23 deletions(-) create mode 100644 p/scripts/api.js (limited to 'p/api') diff --git a/p/api/greader.php b/p/api/greader.php index 7cd312f2c..d41430d3c 100644 
--- a/p/api/greader.php +++ b/p/api/greader.php @@ -143,14 +143,11 @@ function checkCompatibility() { Minz_Log::warning('checkCompatibility() ' . debugInfo(), API_LOG); header('Content-Type: text/plain; charset=UTF-8'); if (PHP_INT_SIZE < 8 && !function_exists('gmp_init')) { - die('FAIL 64-bit or GMP extension!'); + die('FAIL 64-bit or GMP extension! Wrong PHP configuration.'); } - if ((!array_key_exists('HTTP_AUTHORIZATION', $_SERVER)) && //Apache mod_rewrite trick should be fine - (!array_key_exists('REDIRECT_HTTP_AUTHORIZATION', $_SERVER)) && //Apache mod_rewrite with FCGI - (empty($_SERVER['SERVER_SOFTWARE']) || (stripos($_SERVER['SERVER_SOFTWARE'], 'nginx') === false)) && //nginx should be fine - (empty($_SERVER['SERVER_SOFTWARE']) || (stripos($_SERVER['SERVER_SOFTWARE'], 'lighttpd') === false)) && //lighttpd should be fine - ((!function_exists('getallheaders')) || (stripos(php_sapi_name(), 'cgi') !== false))) { //Main problem is Apache/CGI mode - die('FAIL getallheaders! (probably)'); + $headerAuth = headerVariable('Authorization', 'GoogleLogin_auth'); + if ($headerAuth == '') { + die('FAIL get HTTP Authorization header! Wrong Web server configuration.'); } echo 'PASS'; exit(); @@ -913,6 +910,10 @@ FreshRSS_Context::$system_conf = Minz_Configuration::get('system'); if (!FreshRSS_Context::$system_conf->api_enabled) { serviceUnavailable(); +} elseif (count($pathInfos) < 3) { + badRequest(); +} elseif ($pathInfos[1] === 'check' && $pathInfos[2] === 'compatibility') { + checkCompatibility(); } ini_set('session.use_cookies', '0'); @@ -927,9 +928,7 @@ if ($user !== '') { Minz_Session::_param('currentUser', $user); -if (count($pathInfos) < 3) { - badRequest(); -} elseif ($pathInfos[1] === 'accounts') { +if ($pathInfos[1] === 'accounts') { if (($pathInfos[2] === 'ClientLogin') && isset($_REQUEST['Email']) && isset($_REQUEST['Passwd'])) { clientLogin($_REQUEST['Email'], $_REQUEST['Passwd']); } 
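Review bot: `checkCompatibility()` still runs `Minz_Log::warning('checkCompatibility() ' . debugInfo(), API_LOG);` on every call. This commit dispatches it before the session and user setup (the `@@ -913,6 +910,10 @@` hunk), and the new p/scripts/api.js probes it up to three times per load of the API page. Each visit, and any client that requests `/check/compatibility`, therefore appends warning-level entries to the API log. `debugInfo()` is defined outside these hunks; if it records request headers, the `Authorization` value would be written to that log, so it is worth confirming what it emits. I would drop this log line or move it to a lower level, and add a comment at the new `elseif` such as `// Intentionally reachable without authentication: only reports PASS/FAIL of the server configuration`.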
@@ -1088,8 +1087,6 @@ if (count($pathInfos) < 3) { userInfo(); break; } -} elseif ($pathInfos[1] === 'check' && $pathInfos[2] === 'compatibility') { - checkCompatibility(); } badRequest(); diff --git a/p/api/index.php b/p/api/index.php index ee37b794b..d441099d7 100644 --- a/p/api/index.php +++ b/p/api/index.php @@ -5,6 +5,18 @@ FreshRSS API endpoints + + @@ -14,17 +26,11 @@
Your API address:
+
Google Reader API configuration test:
+
?
-

Fever compatible API

@@ -32,10 +38,9 @@ configuration (without %2F support)
+
Fever API configuration test:
+
?
- diff --git a/p/scripts/api.js b/p/scripts/api.js new file mode 100644 index 000000000..841b16a6a --- /dev/null +++ b/p/scripts/api.js @@ -0,0 +1,62 @@ +"use strict"; +/* jshint esversion:6, strict:global */ + +function check(url, next) { + if (!url || !next) { + return; + } + const req = new XMLHttpRequest(); + req.open('GET', url, true); + req.setRequestHeader('Authorization', 'GoogleLogin auth=test/1'); + req.onerror = function (e) { + next('FAIL: HTTP ' + e); + }; + req.onload = function () { + if (this.status == 200) { + next(this.response); + } else { + next('FAIL: HTTP error ' + this.status + ' ' + this.statusText); + } + }; + req.send(); +} + +const jsonVars = JSON.parse(document.getElementById('jsonVars').innerHTML); + +check(jsonVars.greader + '/check/compatibility', function next(result1) { + const greaderOutput = document.getElementById('greaderOutput'); + if (result1 === 'PASS') { + greaderOutput.innerHTML = '✔️ ' + result1; + } else { + check(jsonVars.greader + '/check%2Fcompatibility', function next(result2) { + if (result2 === 'PASS') { + greaderOutput.innerHTML = '⚠️ WARN: no %2F support, so some clients will not work!'; + } else { + check('./greader.php/check/compatibility', function next(result3) { + if (result3 === 'PASS') { + greaderOutput.innerHTML = '⚠️ WARN: Probable invalid base URL in ./data/config.php'; + } else { + greaderOutput.innerHTML = '❌ ' + result1; + } + }); + } + }); + } + }); + +check(jsonVars.fever + '?api', function next(result1) { + const feverOutput = document.getElementById('feverOutput'); + try { + JSON.parse(result1); + feverOutput.innerHTML = '✔️ PASS'; + } catch (ex) { + check('./fever.php?api', function next(result2) { + try { + JSON.parse(result2); + feverOutput.innerHTML = '⚠️ WARN: Probable invalid base URL in ./data/config.php'; + } catch (ex) { + feverOutput.innerHTML = '❌ ' + result1; + } + }); + } + }); -- cgit v1.2.3
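Review bot: The failure branches write response text into the page as HTML: in `greaderOutput.innerHTML = '❌ ' + result1;` and `feverOutput.innerHTML = '❌ ' + result1;`, `result1` is the raw body returned by the probed URL (or the error string from `check`). Any markup in a server error page, or in a response from a wrongly configured base URL, is then parsed in the API page's origin. Use `greaderOutput.textContent = '❌ ' + result1;` and `feverOutput.textContent = '❌ ' + result1;`; the constant PASS/WARN messages can use `textContent` as well. Separately, `next('FAIL: HTTP ' + e);` in `onerror` stringifies the event object, so the message carries no detail; a fixed text such as `next('FAIL: network error');` would read better.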