Commit Graph

288 Commits

Author SHA1 Message Date
Isaac Connor 84492f29b1
Fix token auth sessions (#2676)
* If token is present do token based auth and do not do anything with session

* update HostController.  Use config constants, don't use sessions

* Remove Session from the components list

* spacing

* Remove Session from App Components list.

* Move APIEnabled check to the api from auth.php

* Rework auth.  login using username and password only occurs on login action now.  Including auth.php should not touch the session.  auth_hash logins no longer touch the session.  replace userLogin with a function called validateUser which matches the semantics of validateToken.

* remove debugging

* Add session storage if stateful query param is on, but only for LEGACY_API_AUTH

* fix mUser to username, etc.

* shuffle lines

* use  instead of session when generating auth hash.

* Add docs regarding the use of cookies and stateful query param

* Only open/close session if we are clearing a session var

* Use zm_session_start instead of session_start

* Should use zm_session_start instead of session_start

* document that zm_session_start should be called previously to session_regenerate_id

* Don't actually write out the session when generating auth hashes.  Means they should never actually persist.

* More backticking of SQL

* add .. to fix #2686

* Use material icons for sort because they look nicer

* fix typo

* have to add authhash to session on login

* restore username&password login for all urls

* fix

* fixes
2019-08-20 09:46:53 -04:00
Pliable Pixels a9d01ba3d2 Alarm api (#2665)
* fixed alarm api to use tokens if present

* clearer debug logs for tokens

* space
2019-07-17 20:38:58 -04:00
Pliable Pixels c4dc5f34e4 add event file system path to API (#2639) 2019-06-16 11:59:23 -04:00
Pliable Pixels bc0565858b check for API disabled only when auth is on (#2624) 2019-05-28 13:44:06 -04:00
Isaac Connor 1ddd5b1f74 Merge branch 'master' of github.com:ZoneMinder/zoneminder 2019-05-24 13:56:30 -04:00
Pliable Pixels fc27393a96 Replace MySQL Password() with bcrypt, allow for alternate JWT tokens (#2598)
* added sha1 and bcrypt submodules

* added bcrypt and sha to src build process

* added test sha1 and bcrypt code to validate working

* bcrypt auth migration in PHP land

* added include path

* add sha source

* added bcrypt to others

* put link_dir ahead of add_executable

* fixed typo

* try add_library instead

* absolute path

* absolute path

* build bcrypt as static

* move to wrapper

* move to fork

* logs tweak

* added lib-ssl/dev for JWT signing

* Moved to openSSL SHA1, initial JWT plugin

* removed vog

* fixed SHA1 algo

* typo

* use php-jwt, use proper way to add PHP modules, via composer

* fixed module path

* first attempt to fix cast error

* own fork

* own fork

* add composer vendor directory

* go back to jwt-cpp as PR merged

* moved to jwt-cpp after PR merge

* New token= query for JWT

* Add JWT token creation, move old code to a different function for future deprecation, simplified code for ZM_XX parameter reading

* JWT integration, validate JWT token via validateToken

* added token validation to zms/zmu/zmuser

* add token to command line for zmu

* move decode inside try/catch

* exception handling for try/catch

* fix db read, forgot to exec query

* remove allowing auth_hash_ip for token

* support refresh tokens as well for increased security

* remove auth_hash_ip

* Error out if used did not create an AUTH_HASH_SECRET

* fixed type conversion

* make sure refresh token login doesn't generate another refresh token

* fix absolute path

* move JWT/Bcrypt inside zm_crypt

* move sha headers out

* move out sha header

* handle case when supplied password is hashed, fix wrong params in AppController

* initial baby step for api tab

* initial plumbing to introduce token expiry and API bans per user

* remove M typo

* display user table in api

* added revoke all tokens code, removed test code

* use strtoul for conversion

* use strtoul for conversion

* use strtoul for conversion

* more fixes

* more fixes

* add mintokenexpiry to DB seek

* typo

* add ability to revoke tokens and enable/disable APIs per user

* moved API enable back to system

* comma

* enable API options only if API enabled

* move user creation to bcrypt

* added password_compat for PHP >=5.3 <5.5

* add Password back so User object indexes don't change

* move token index after adding password

* demote logs

* make old API auth optional, on by default

* make old API auth mechanism optional

* removed stale code

* forgot to checkin update file

* bulk overlay hash mysql encoded passwords

* add back ssl_dev, got deleted

* fix update script

* added token support to index.php

* reworked API document for new changes in 2.0

* Migrate from libdigest to crypt-eks-blowfish due to notice

* merge typo

* css classess for text that disappear

* fixed html typo

* added deps to ubuntu control files

* spaces

* removed extra line

* when regenerating using refresh tokens, username needs to be derived from the refresh token, as no session would exist

* add libssl1.0.0 for ubuntu 16/12

* small API fixes

* clean up of API, remove redundant sections

* moved to ZM fork for bcrypt

* whitespace and google code style

* regenerate auth hash if doing password migration

* dont need AUTH HASH LOGIN to be on

* Add auth hash verification to the user logged in already case

* fix missing ]

* reject requests if per user API disabled
2019-05-24 13:48:40 -04:00
Isaac Connor 2ce2381269 Merge branch 'crypt-replacement' of https://github.com/pliablepixels/ZoneMinder into pliablepixels-crypt-replacement 2019-05-19 08:45:42 -04:00
Pliable Pixels 8e1037458a when regenerating using refresh tokens, username needs to be derived from the refresh token, as no session would exist 2019-05-18 11:23:16 -04:00
Isaac Connor 93aeceecfc Merge branch 'crypt-replacement' of https://github.com/pliablepixels/ZoneMinder into pliablepixels-crypt-replacement 2019-05-17 10:18:15 -04:00
Pliable Pixels 41ae745b17 removed stale code 2019-05-12 18:53:51 -04:00
Pliable Pixels ec279ccc9a make old API auth mechanism optional 2019-05-12 18:51:07 -04:00
Pliable Pixels 881d531fe9 make old API auth optional, on by default 2019-05-12 18:19:19 -04:00
Pliable Pixels 225893fcd6 add mintokenexpiry to DB seek 2019-05-12 05:50:19 -04:00
Pliable Pixels 88d50ec9ca added revoke all tokens code, removed test code 2019-05-11 15:47:57 -04:00
Pliable Pixels 95b448abdd handle case when supplied password is hashed, fix wrong params in AppController 2019-05-10 11:25:55 -04:00
Pliable Pixels 1770ebea23 make sure refresh token login doesn't generate another refresh token 2019-05-08 15:26:51 -04:00
Pliable Pixels 0bc96dfe83 Error out if used did not create an AUTH_HASH_SECRET 2019-05-08 14:26:16 -04:00
Pliable Pixels bc050fe330 support refresh tokens as well for increased security 2019-05-08 13:38:42 -04:00
Pliable Pixels 27e6e46f84 remove allowing auth_hash_ip for token 2019-05-08 12:11:32 -04:00
Pliable Pixels b293592e4c added token validation to zms/zmu/zmuser 2019-05-08 10:55:32 -04:00
Pliable Pixels d36c1f5d3c Add JWT token creation, move old code to a different function for future deprecation, simplified code for ZM_XX parameter reading 2019-05-07 15:04:12 -04:00
Pliable Pixels 0bbc582971 New token= query for JWT 2019-05-07 15:03:13 -04:00
Isaac Connor 5b68ddcc9a add a note deprecating getDiskPercent 2019-04-17 09:55:34 -04:00
Pliable Pixels d270fbd0ad added support for named params to consoleEvents (#2571) 2019-04-09 16:28:46 -04:00
Isaac Connor 3abf263e7a fixup half-merged changes to filter to view in montagereview 2019-04-08 16:57:41 -04:00
Isaac Connor 780f4f9b9a Merge branch 'master' of github.com:zoneminder/ZoneMinder 2019-04-06 09:27:44 -04:00
Isaac Connor 110e5075f4 fix namespace fixes #3566 2019-04-01 17:21:01 -04:00
Isaac Connor fa9803d819 Can't use this->data to avoid another db hit. Must load by id 2019-04-01 10:11:56 -04:00
Isaac Connor b988ce0573 more parentheses to make logic more clear 2019-03-20 14:26:35 -04:00
Isaac Connor a634d8b774 use id instead of this->data when loading Event to delete in API 2019-03-19 17:26:20 -04:00
Isaac Connor 520c41da23 Merge ../ZoneMinder.connortechnology.bad into storageareas 2019-03-18 14:40:03 -04:00
Matthew Noorenberghe abb6ef1688 API: Escape 'named' params for SQLi in two more Event endpoints.
Fixes #2099
2019-03-11 00:21:51 -07:00
Matthew Noorenberghe 056b96f7fc API: Monitor and Event 'index' SQLi. Fixes #2099 2019-03-11 00:21:51 -07:00
Isaac Connor af9c87a112 Merge branch 'master' into storageareas 2019-02-27 10:53:19 -05:00
Isaac Connor 4c35f2910c fix ZM namespace 2019-02-26 18:09:18 -05:00
Isaac Connor df3e11d83c Fix authentication in api because we no longer store the user object in the session 2019-02-26 17:01:45 -05:00
Isaac Connor a00e2381b7 Merge branch 'master' into storageareas 2019-02-26 11:33:29 -05:00
Isaac Connor 92dc7878de
Fix 2340 (#2368)
* include includes/functions.php so that we have access to all it's contents

* add a beforeDelete function which deletes the files.  Add other needed functions like Path() LinkPath() etc.

* add require_once for Storage and functions because we use them in Event

* Now that ZM has namespaces use the ZM Event class to do the heavy lifting of delete

* Don't need functions in AppController anymore
2019-02-26 11:28:56 -05:00
Isaac Connor fbdb5bcb62 Merge branch 'master' into storageareas 2019-02-19 12:06:32 -05:00
Isaac Connor eaa7341935 Add missing / in path to auth.php 2019-02-19 10:07:36 -05:00
Isaac Connor 5029d7214a Merge branch 'master' into storageareas 2019-02-18 17:00:45 -05:00
Isaac Connor 4cd3a93e96 add missing / 2019-02-18 16:30:03 -05:00
Mitch Capper 04c17283ec need to prefix with _dir_ otherwise relative to initial script (#2531) 2019-02-17 11:31:10 -05:00
Isaac Connor 5060358870 Merge branch 'master' into storageareas 2018-12-29 09:56:53 -05:00
Andrew Bauer 3258d8e590 remove ZM_DIR_IMAGES (#2374) 2018-12-29 09:52:58 -05:00
Isaac Connor 27826b4aca Merge branch 'master' into storageareas 2018-12-24 09:48:29 -05:00
Isaac Connor 47465260d1 Update permissions checking for Groups to not use session. Fixes #2353 2018-12-21 10:01:48 -05:00
Isaac Connor e626049f6b Merge branch 'swresample' into storageareas 2018-12-20 14:08:40 -05:00
Pliable Pixels 622c17f628 make sure auth is regenerated each time we call this API (#2347) 2018-12-16 11:02:07 -05:00
Isaac Connor c8c34d3f95 Merge branch 'master' into storageareas 2018-12-11 10:21:22 -05:00