From 881d531fe960d35c33889128b3d258197269c626 Mon Sep 17 00:00:00 2001
From: Pliable Pixels
Date: Sun, 12 May 2019 18:19:19 -0400
Subject: [PATCH] make old API auth optional, on by default

---
 .../lib/ZoneMinder/ConfigData.pm.in | 11 +++
 web/api/app/Controller/HostController.php | 78 +++++++++----------
 2 files changed, 48 insertions(+), 41 deletions(-)

diff --git a/scripts/ZoneMinder/lib/ZoneMinder/ConfigData.pm.in b/scripts/ZoneMinder/lib/ZoneMinder/ConfigData.pm.in
index c6ec697f1..ef456f085 100644
--- a/scripts/ZoneMinder/lib/ZoneMinder/ConfigData.pm.in
+++ b/scripts/ZoneMinder/lib/ZoneMinder/ConfigData.pm.in
@@ -396,6 +396,17 @@ our @options = (
 type => $types{boolean},
 category => 'system',
 },
+ {
+ name => 'ZM_OPT_USE_LEGACY_API_AUTH',
+ default => 'yes',
+ description => 'Enable legacy API authentication',
+ help => q`
+ Starting version 1.34.0, ZoneMinder uses a more secure
+ Authentication mechanism using JWT tokens. Older versions used a less secure MD5 based auth hash. It is recommended you turn this off after you are sure you don't need it. If you are using a 3rd party app that relies on the older API auth mechanisms, you will have to update that app if you turn this off. Note that zmNinja 1.3.057 onwards supports the new token system
+ `,
+ type => $types{boolean},
+ category => 'system',
+ },
 {
 name => 'ZM_OPT_USE_EVENTNOTIFICATION',
 default => 'no',
diff --git a/web/api/app/Controller/HostController.php b/web/api/app/Controller/HostController.php
index 7b8c7c0ff..a296ef2bc 100644
--- a/web/api/app/Controller/HostController.php
+++ b/web/api/app/Controller/HostController.php
@@ -31,56 +31,52 @@ class HostController extends AppController {
 }
 function login() {
- $cred_depr = $this->_getCredentialsDeprecated();
- $ver = $this->_getVersion();
-
+
 $mUser = $this->request->query('user') ? $this->request->query('user') : $this->request->data('user');
 $mPassword = $this->request->query('pass') ? $this->request->query('pass') : $this->request->data('pass');
 $mToken = $this->request->query('token') ? $this->request->query('token') : $this->request->data('token');
+ $ver = $this->_getVersion();
+ $cred = [];
+ $cred_depr = [];
+
 if ($mUser && $mPassword) {
- $cred = $this->_getCredentials(true);
- // if you authenticated via user/pass then generate new refresh
- $this->set(array(
- 'access_token'=>$cred[0],
- 'access_token_expires'=>$cred[1],
- 'refresh_token'=>$cred[2],
- 'refresh_token_expires'=>$cred[3],
- 'credentials'=>$cred_depr[0],
- 'append_password'=>$cred_depr[1],
- 'version' => $ver[0],
- 'apiversion' => $ver[1],
- '_serialize' => array(
- 'access_token',
- 'access_token_expires',
- 'refresh_token',
- 'refresh_token_expires',
- 'version',
- 'credentials',
- 'append_password',
- 'apiversion'
- )));
+ $cred = $this->_getCredentials(true); // generate refresh
 } else {
- $cred = $this->_getCredentials(false);
- $this->set(array(
- 'access_token'=>$cred[0],
- 'access_token_expires'=>$cred[1],
- 'credentials'=>$cred_depr[0],
- 'append_password'=>$cred_depr[1],
- 'version' => $ver[0],
- 'apiversion' => $ver[1],
- '_serialize' => array(
- 'access_token',
- 'access_token_expires',
- 'version',
- 'credentials',
- 'append_password',
- 'apiversion'
- )));
-
+ $cred = $this->_getCredentials(false); // don't generate refresh
 }
+ $login_array = array (
+ 'access_token'=>$cred[0],
+ 'access_token_expires'=>$cred[1],
+ 'version' => $ver[0],
+ 'apiversion' => $ver[1]
+ );
+
+ $login_serialize_list = array (
+ 'access_token',
+ 'access_token_expires',
+ 'version',
+ 'apiversion'
+ );
+
+ if ($mUser && mPassword) {
+ $login_array['refresh_token'] = $cred[2];
+ $login_array['refresh_token_expires'] = $cred[3];
+ array_push ($login_serialize_list, 'refresh_token', 'refresh_token_expires');
+ }
+
+ if (ZM_OPT_USE_LEGACY_API_AUTH) {
+ $cred_depr = $this->_getCredentialsDeprecated();
+ $login_array ['credentials']=$cred_depr[0];
+ $login_array ['append_password']=$cred_depr[1];
+ array_push ($login_serialize_list, 'credentials', 'append_password');
+ }
+
+ $this->set($login_array,
+ '_serialize' => $login_serialize_list);
+
 } // end function login()
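Review bot: The new refresh-token guard `if ($mUser && mPassword) {` is missing the `$` on `mPassword`, so it tests a bare constant: PHP 7 treats that as the truthy string 'mPassword' (with a notice) and PHP 8 throws an Error, which means the block also runs for token-only logins where `$cred` came from `_getCredentials(false)` and `$cred[2]`/`$cred[3]` are presumably not populated; it should read `if ($mUser && $mPassword) {`. The closing call `$this->set($login_array, '_serialize' => $login_serialize_list);` is not valid PHP either, since `=>` cannot appear inside an argument list, so the whole login endpoint would fail to parse; attach the key to the array instead: `$login_array['_serialize'] = $login_serialize_list; $this->set($login_array);`. A short comment on the `ZM_OPT_USE_LEGACY_API_AUTH` block, e.g. `// legacy MD5-based credentials; dropped from the response once this option is off`, would make it clear to readers of the serialized output why those two fields are conditional.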