Commit Graph

39 Commits

Author SHA1 Message Date
Isaac Connor 84492f29b1
Fix token auth sessions (#2676)
* If token is present do token based auth and do not do anything with session

* update HostController.  Use config constants, don't use sessions

* Remove Session from the components list

* spacing

* Remove Session from App Components list.

* Move APIEnabled check to the api from auth.php

* Rework auth.  login using username and password only occurs on login action now.  Including auth.php should not touch the session.  auth_hash logins no longer touch the session.  replace userLogin with a function called validateUser which matches the semantics of validateToken.

* remove debugging

* Add session storage if stateful query param is on, but only for LEGACY_API_AUTH

* fix mUser to username, etc.

* shuffle lines

* use  instead of session when generating auth hash.

* Add docs regarding the use of cookies and stateful query param

* Only open/close session if we are clearing a session var

* Use zm_session_start instead of session_start

* Should use zm_session_start instead of session_start

* document that zm_session_start should be called previously to session_regenerate_id

* Don't actually write out the session when generating auth hashes.  Means they should never actually persist.

* More backticking of SQL

* add .. to fix #2686

* Use material icons for sort because they look nicer

* fix typo

* have to add authhash to session on login

* restore username&password login for all urls

* fix

* fixes
2019-08-20 09:46:53 -04:00
Isaac Connor 1ddd5b1f74 Merge branch 'master' of github.com:ZoneMinder/zoneminder 2019-05-24 13:56:30 -04:00
Pliable Pixels fc27393a96 Replace MySQL Password() with bcrypt, allow for alternate JWT tokens (#2598)
* added sha1 and bcrypt submodules

* added bcrypt and sha to src build process

* added test sha1 and bcrypt code to validate working

* bcrypt auth migration in PHP land

* added include path

* add sha source

* added bcrypt to others

* put link_dir ahead of add_executable

* fixed typo

* try add_library instead

* absolute path

* absolute path

* build bcrypt as static

* move to wrapper

* move to fork

* logs tweak

* added lib-ssl/dev for JWT signing

* Moved to openSSL SHA1, initial JWT plugin

* removed vog

* fixed SHA1 algo

* typo

* use php-jwt, use proper way to add PHP modules, via composer

* fixed module path

* first attempt to fix cast error

* own fork

* own fork

* add composer vendor directory

* go back to jwt-cpp as PR merged

* moved to jwt-cpp after PR merge

* New token= query for JWT

* Add JWT token creation, move old code to a different function for future deprecation, simplified code for ZM_XX parameter reading

* JWT integration, validate JWT token via validateToken

* added token validation to zms/zmu/zmuser

* add token to command line for zmu

* move decode inside try/catch

* exception handling for try/catch

* fix db read, forgot to exec query

* remove allowing auth_hash_ip for token

* support refresh tokens as well for increased security

* remove auth_hash_ip

* Error out if used did not create an AUTH_HASH_SECRET

* fixed type conversion

* make sure refresh token login doesn't generate another refresh token

* fix absolute path

* move JWT/Bcrypt inside zm_crypt

* move sha headers out

* move out sha header

* handle case when supplied password is hashed, fix wrong params in AppController

* initial baby step for api tab

* initial plumbing to introduce token expiry and API bans per user

* remove M typo

* display user table in api

* added revoke all tokens code, removed test code

* use strtoul for conversion

* use strtoul for conversion

* use strtoul for conversion

* more fixes

* more fixes

* add mintokenexpiry to DB seek

* typo

* add ability to revoke tokens and enable/disable APIs per user

* moved API enable back to system

* comma

* enable API options only if API enabled

* move user creation to bcrypt

* added password_compat for PHP >=5.3 <5.5

* add Password back so User object indexes don't change

* move token index after adding password

* demote logs

* make old API auth optional, on by default

* make old API auth mechanism optional

* removed stale code

* forgot to checkin update file

* bulk overlay hash mysql encoded passwords

* add back ssl_dev, got deleted

* fix update script

* added token support to index.php

* reworked API document for new changes in 2.0

* Migrate from libdigest to crypt-eks-blowfish due to notice

* merge typo

* css classess for text that disappear

* fixed html typo

* added deps to ubuntu control files

* spaces

* removed extra line

* when regenerating using refresh tokens, username needs to be derived from the refresh token, as no session would exist

* add libssl1.0.0 for ubuntu 16/12

* small API fixes

* clean up of API, remove redundant sections

* moved to ZM fork for bcrypt

* whitespace and google code style

* regenerate auth hash if doing password migration

* dont need AUTH HASH LOGIN to be on

* Add auth hash verification to the user logged in already case

* fix missing ]

* reject requests if per user API disabled
2019-05-24 13:48:40 -04:00
Isaac Connor 2ce2381269 Merge branch 'crypt-replacement' of https://github.com/pliablepixels/ZoneMinder into pliablepixels-crypt-replacement 2019-05-19 08:45:42 -04:00
Pliable Pixels 8e1037458a when regenerating using refresh tokens, username needs to be derived from the refresh token, as no session would exist 2019-05-18 11:23:16 -04:00
Isaac Connor 93aeceecfc Merge branch 'crypt-replacement' of https://github.com/pliablepixels/ZoneMinder into pliablepixels-crypt-replacement 2019-05-17 10:18:15 -04:00
Pliable Pixels 41ae745b17 removed stale code 2019-05-12 18:53:51 -04:00
Pliable Pixels ec279ccc9a make old API auth mechanism optional 2019-05-12 18:51:07 -04:00
Pliable Pixels 881d531fe9 make old API auth optional, on by default 2019-05-12 18:19:19 -04:00
Pliable Pixels 88d50ec9ca added revoke all tokens code, removed test code 2019-05-11 15:47:57 -04:00
Pliable Pixels 1770ebea23 make sure refresh token login doesn't generate another refresh token 2019-05-08 15:26:51 -04:00
Pliable Pixels 0bc96dfe83 Error out if used did not create an AUTH_HASH_SECRET 2019-05-08 14:26:16 -04:00
Pliable Pixels bc050fe330 support refresh tokens as well for increased security 2019-05-08 13:38:42 -04:00
Pliable Pixels 27e6e46f84 remove allowing auth_hash_ip for token 2019-05-08 12:11:32 -04:00
Pliable Pixels b293592e4c added token validation to zms/zmu/zmuser 2019-05-08 10:55:32 -04:00
Pliable Pixels d36c1f5d3c Add JWT token creation, move old code to a different function for future deprecation, simplified code for ZM_XX parameter reading 2019-05-07 15:04:12 -04:00
Isaac Connor 5b68ddcc9a add a note deprecating getDiskPercent 2019-04-17 09:55:34 -04:00
Isaac Connor 4c35f2910c fix ZM namespace 2019-02-26 18:09:18 -05:00
Isaac Connor df3e11d83c Fix authentication in api because we no longer store the user object in the session 2019-02-26 17:01:45 -05:00
Isaac Connor eaa7341935 Add missing / in path to auth.php 2019-02-19 10:07:36 -05:00
Mitch Capper 04c17283ec need to prefix with _dir_ otherwise relative to initial script (#2531) 2019-02-17 11:31:10 -05:00
Pliable Pixels 622c17f628 make sure auth is regenerated each time we call this API (#2347) 2018-12-16 11:02:07 -05:00
Pliable Pixels e6b8a7bc66 resolves #2327 2018-11-29 09:21:10 -05:00
Isaac Connor 8878397622 fix spacing 2018-10-20 11:36:25 -04:00
Isaac Connor 12bed9b6ac Use alternate, working test for relative ZM_DIR_EVENTS. Don't use human output from du when specifying mid to be consistent. 2018-10-03 11:11:33 -04:00
Isaac Connor 03f09bdc48 Use defined CONFIG constants instead of looking up config from db 2018-10-03 10:56:02 -04:00
Isaac Connor 23ddc83ad4
fix_2167 (#2168)
* Populate a global  from the session on every request. Use the  object instead of using allowedMonitors in session.

* fix when  gets loaded.

* use  for auth, and add Monitor Edit checks to Zone add/delete/edit

* add back the ZM_OPT_USE_AUTH test for being logged in in AppController

* Update permissions code to use

* change quotes

* Update permission code to use

* Use  instal of session for systemPermission

* deprecate montiorPermision in session

* use  instead of session streamPermission

* move login code back into AppController. Has to be done for every request

* deprecate eventPermission, controlPermission and systemPermission in session.

* handle auth params in query string as well as post

* exit on HUP to free up memory.

* add missing global user

* system should be System
2018-08-08 09:59:46 -04:00
Pliable Pixels 997aa6aa55 fixed getCredentials not working if called directly 2018-07-17 13:57:20 -04:00
Pliable Pixels 0ff9002adf 2156 api login (#2157)
* error can be due to bad user or password

* added login/logout and related private functions

* handle case when userLogin fails, current code returns PHP error for  and API throw is not called

* formatting

* converted login params to POST, removed user=&pass= for other APIs

* formatting

* add auth check back but leave out login/out

* fixes to make it work across zmN, postman and curl

* added back enabled check
2018-07-15 21:17:35 -04:00
Isaac Connor 983e3c45be Fix spacing and quotes 2018-07-11 09:54:25 -04:00
Pliable Pixels e953a04f61 naming consistency of attribute (#2096) 2018-05-03 14:03:49 -04:00
Pliable Pixels a3158fcc97 auth_key api for different situations (#2090)
* auth_key api for different situations

* added new flag to indicate if password needs to be appended

* pure json view
2018-05-02 12:26:28 -04:00
Isaac Connor c3b6cd4bab include auth.php if auth is on, and return '' for auth_hash is auth is disabled 2018-04-30 11:24:53 -04:00
Isaac Connor a789fc88aa implement getAuthHash 2018-04-06 14:41:39 -04:00
Pliable Pixels 192d0dbb45 added TimeZone get API 2016-10-18 14:07:31 -04:00
arjunrc 38b4785557 PP - Gone,flitted away, Taken the starts from the night and sun, From the day! Gone, and a cloud in my heart. - Tennyson 2015-12-19 18:36:38 -05:00
arjunrc e812398fb9 initial user role support 2015-12-19 17:44:39 -05:00
pliablepixels 7112001b64 getVersion.json now returns both ZM version and API version 2015-06-13 16:33:15 +00:00
Ubuntu dd9603f70f Merged Angular UI branch API to master 2015-06-11 02:58:58 +00:00