* If token is present do token based auth and do not do anything with session
* update HostController. Use config constants, don't use sessions
* Remove Session from the components list
* spacing
* Remove Session from App Components list.
* Move APIEnabled check to the api from auth.php
* Rework auth. login using username and password only occurs on login action now. Including auth.php should not touch the session. auth_hash logins no longer touch the session. replace userLogin with a function called validateUser which matches the semantics of validateToken.
* remove debugging
* Add session storage if stateful query param is on, but only for LEGACY_API_AUTH
* fix mUser to username, etc.
* shuffle lines
* use instead of session when generating auth hash.
* Add docs regarding the use of cookies and stateful query param
* Only open/close session if we are clearing a session var
* Use zm_session_start instead of session_start
* Should use zm_session_start instead of session_start
* document that zm_session_start should be called previously to session_regenerate_id
* Don't actually write out the session when generating auth hashes. Means they should never actually persist.
* More backticking of SQL
* add .. to fix#2686
* Use material icons for sort because they look nicer
* fix typo
* have to add authhash to session on login
* restore username&password login for all urls
* fix
* fixes
* added sha1 and bcrypt submodules
* added bcrypt and sha to src build process
* added test sha1 and bcrypt code to validate working
* bcrypt auth migration in PHP land
* added include path
* add sha source
* added bcrypt to others
* put link_dir ahead of add_executable
* fixed typo
* try add_library instead
* absolute path
* absolute path
* build bcrypt as static
* move to wrapper
* move to fork
* logs tweak
* added lib-ssl/dev for JWT signing
* Moved to openSSL SHA1, initial JWT plugin
* removed vog
* fixed SHA1 algo
* typo
* use php-jwt, use proper way to add PHP modules, via composer
* fixed module path
* first attempt to fix cast error
* own fork
* own fork
* add composer vendor directory
* go back to jwt-cpp as PR merged
* moved to jwt-cpp after PR merge
* New token= query for JWT
* Add JWT token creation, move old code to a different function for future deprecation, simplified code for ZM_XX parameter reading
* JWT integration, validate JWT token via validateToken
* added token validation to zms/zmu/zmuser
* add token to command line for zmu
* move decode inside try/catch
* exception handling for try/catch
* fix db read, forgot to exec query
* remove allowing auth_hash_ip for token
* support refresh tokens as well for increased security
* remove auth_hash_ip
* Error out if used did not create an AUTH_HASH_SECRET
* fixed type conversion
* make sure refresh token login doesn't generate another refresh token
* fix absolute path
* move JWT/Bcrypt inside zm_crypt
* move sha headers out
* move out sha header
* handle case when supplied password is hashed, fix wrong params in AppController
* initial baby step for api tab
* initial plumbing to introduce token expiry and API bans per user
* remove M typo
* display user table in api
* added revoke all tokens code, removed test code
* use strtoul for conversion
* use strtoul for conversion
* use strtoul for conversion
* more fixes
* more fixes
* add mintokenexpiry to DB seek
* typo
* add ability to revoke tokens and enable/disable APIs per user
* moved API enable back to system
* comma
* enable API options only if API enabled
* move user creation to bcrypt
* added password_compat for PHP >=5.3 <5.5
* add Password back so User object indexes don't change
* move token index after adding password
* demote logs
* make old API auth optional, on by default
* make old API auth mechanism optional
* removed stale code
* forgot to checkin update file
* bulk overlay hash mysql encoded passwords
* add back ssl_dev, got deleted
* fix update script
* added token support to index.php
* reworked API document for new changes in 2.0
* Migrate from libdigest to crypt-eks-blowfish due to notice
* merge typo
* css classess for text that disappear
* fixed html typo
* added deps to ubuntu control files
* spaces
* removed extra line
* when regenerating using refresh tokens, username needs to be derived from the refresh token, as no session would exist
* add libssl1.0.0 for ubuntu 16/12
* small API fixes
* clean up of API, remove redundant sections
* moved to ZM fork for bcrypt
* whitespace and google code style
* regenerate auth hash if doing password migration
* dont need AUTH HASH LOGIN to be on
* Add auth hash verification to the user logged in already case
* fix missing ]
* reject requests if per user API disabled
* Populate a global from the session on every request. Use the object instead of using allowedMonitors in session.
* fix when gets loaded.
* use for auth, and add Monitor Edit checks to Zone add/delete/edit
* add back the ZM_OPT_USE_AUTH test for being logged in in AppController
* Update permissions code to use
* change quotes
* Update permission code to use
* Use instal of session for systemPermission
* deprecate montiorPermision in session
* use instead of session streamPermission
* move login code back into AppController. Has to be done for every request
* deprecate eventPermission, controlPermission and systemPermission in session.
* handle auth params in query string as well as post
* exit on HUP to free up memory.
* add missing global user
* system should be System
* error can be due to bad user or password
* added login/logout and related private functions
* handle case when userLogin fails, current code returns PHP error for and API throw is not called
* formatting
* converted login params to POST, removed user=&pass= for other APIs
* formatting
* add auth check back but leave out login/out
* fixes to make it work across zmN, postman and curl
* added back enabled check
* Allow API authentication using the `auth` query parameter containing an auth. hash.
Fixes#1827
The same auth. hash for zms is used here. This allows consumers to use the API without sending the password in the query string and not require forging logins via the login form.
* Move logger.php's global Debug function to Logger::Debug to avoid polluting globals
This avoids a conflict with CakePHP when logger.php gets included indrectly from API code.
* Protect action=login when ZM_ENABLE_CSRF_MAGIC is enabled
Isaac Connor
Isaac Connor
Pliable Pixels
Mitch Capper
Pliable Pixels
Isaac Connor
Matt N
Isaac Connor
Ubuntu
Kyle Johnson