Commit Graph

235 Commits

Author SHA1 Message Date
Pliable Pixels 16a6938710 add model validation so that we don't create empty monitors 2019-11-02 08:30:25 -04:00
Isaac Connor 9889311b03 Handle username=&password= as well in HostController::login 2019-09-18 11:40:55 -04:00
Isaac Connor 50aa0108e5 Add authhash to session 2019-09-03 11:33:02 -04:00
Isaac Connor a384e978c8 don't load user from session if we have already gotten it from elsewhere 2019-09-03 11:19:42 -04:00
Isaac Connor b84d005d8f Load use from session when it exists 2019-09-03 10:54:34 -04:00
Isaac Connor 84492f29b1
Fix token auth sessions (#2676)
* If token is present do token based auth and do not do anything with session

* update HostController.  Use config constants, don't use sessions

* Remove Session from the components list

* spacing

* Remove Session from App Components list.

* Move APIEnabled check to the api from auth.php

* Rework auth.  login using username and password only occurs on login action now.  Including auth.php should not touch the session.  auth_hash logins no longer touch the session.  replace userLogin with a function called validateUser which matches the semantics of validateToken.

* remove debugging

* Add session storage if stateful query param is on, but only for LEGACY_API_AUTH

* fix mUser to username, etc.

* shuffle lines

* use  instead of session when generating auth hash.

* Add docs regarding the use of cookies and stateful query param

* Only open/close session if we are clearing a session var

* Use zm_session_start instead of session_start

* Should use zm_session_start instead of session_start

* document that zm_session_start should be called previously to session_regenerate_id

* Don't actually write out the session when generating auth hashes.  Means they should never actually persist.

* More backticking of SQL

* add .. to fix #2686

* Use material icons for sort because they look nicer

* fix typo

* have to add authhash to session on login

* restore username&password login for all urls

* fix

* fixes
2019-08-20 09:46:53 -04:00
Isaac Connor cfeedd39a4 Use zm_session_start instead of session_start 2019-08-16 15:07:20 -04:00
Isaac Connor 1d0ee227d7 fix mUser to username, etc. 2019-08-16 14:12:37 -04:00
Isaac Connor 4108495a7d Add session storage if stateful query param is on, but only for LEGACY_API_AUTH 2019-08-16 14:12:14 -04:00
Isaac Connor 618e6816ef Rework auth. login using username and password only occurs on login action now. Including auth.php should not touch the session. auth_hash logins no longer touch the session. replace userLogin with a function called validateUser which matches the semantics of validateToken. 2019-08-15 14:59:15 -04:00
Isaac Connor 9da10abca9 Move APIEnabled check to the api from auth.php 2019-08-13 11:29:32 -04:00
Isaac Connor a63b6486b9 Remove Session from App Components list. 2019-08-12 15:36:40 -04:00
Isaac Connor c2e1293472 spacing 2019-08-12 15:10:58 -04:00
Isaac Connor 0bf036fc55 Remove Session from the components list 2019-08-12 15:06:46 -04:00
Isaac Connor 2320ab4d66 update HostController. Use config constants, don't use sessions 2019-08-12 15:01:40 -04:00
Pliable Pixels a9d01ba3d2 Alarm api (#2665)
* fixed alarm api to use tokens if present

* clearer debug logs for tokens

* space
2019-07-17 20:38:58 -04:00
Pliable Pixels c4dc5f34e4 add event file system path to API (#2639) 2019-06-16 11:59:23 -04:00
Pliable Pixels bc0565858b check for API disabled only when auth is on (#2624) 2019-05-28 13:44:06 -04:00
Isaac Connor 1ddd5b1f74 Merge branch 'master' of github.com:ZoneMinder/zoneminder 2019-05-24 13:56:30 -04:00
Pliable Pixels fc27393a96 Replace MySQL Password() with bcrypt, allow for alternate JWT tokens (#2598)
* added sha1 and bcrypt submodules

* added bcrypt and sha to src build process

* added test sha1 and bcrypt code to validate working

* bcrypt auth migration in PHP land

* added include path

* add sha source

* added bcrypt to others

* put link_dir ahead of add_executable

* fixed typo

* try add_library instead

* absolute path

* absolute path

* build bcrypt as static

* move to wrapper

* move to fork

* logs tweak

* added lib-ssl/dev for JWT signing

* Moved to openSSL SHA1, initial JWT plugin

* removed vog

* fixed SHA1 algo

* typo

* use php-jwt, use proper way to add PHP modules, via composer

* fixed module path

* first attempt to fix cast error

* own fork

* own fork

* add composer vendor directory

* go back to jwt-cpp as PR merged

* moved to jwt-cpp after PR merge

* New token= query for JWT

* Add JWT token creation, move old code to a different function for future deprecation, simplified code for ZM_XX parameter reading

* JWT integration, validate JWT token via validateToken

* added token validation to zms/zmu/zmuser

* add token to command line for zmu

* move decode inside try/catch

* exception handling for try/catch

* fix db read, forgot to exec query

* remove allowing auth_hash_ip for token

* support refresh tokens as well for increased security

* remove auth_hash_ip

* Error out if used did not create an AUTH_HASH_SECRET

* fixed type conversion

* make sure refresh token login doesn't generate another refresh token

* fix absolute path

* move JWT/Bcrypt inside zm_crypt

* move sha headers out

* move out sha header

* handle case when supplied password is hashed, fix wrong params in AppController

* initial baby step for api tab

* initial plumbing to introduce token expiry and API bans per user

* remove M typo

* display user table in api

* added revoke all tokens code, removed test code

* use strtoul for conversion

* use strtoul for conversion

* use strtoul for conversion

* more fixes

* more fixes

* add mintokenexpiry to DB seek

* typo

* add ability to revoke tokens and enable/disable APIs per user

* moved API enable back to system

* comma

* enable API options only if API enabled

* move user creation to bcrypt

* added password_compat for PHP >=5.3 <5.5

* add Password back so User object indexes don't change

* move token index after adding password

* demote logs

* make old API auth optional, on by default

* make old API auth mechanism optional

* removed stale code

* forgot to checkin update file

* bulk overlay hash mysql encoded passwords

* add back ssl_dev, got deleted

* fix update script

* added token support to index.php

* reworked API document for new changes in 2.0

* Migrate from libdigest to crypt-eks-blowfish due to notice

* merge typo

* css classess for text that disappear

* fixed html typo

* added deps to ubuntu control files

* spaces

* removed extra line

* when regenerating using refresh tokens, username needs to be derived from the refresh token, as no session would exist

* add libssl1.0.0 for ubuntu 16/12

* small API fixes

* clean up of API, remove redundant sections

* moved to ZM fork for bcrypt

* whitespace and google code style

* regenerate auth hash if doing password migration

* dont need AUTH HASH LOGIN to be on

* Add auth hash verification to the user logged in already case

* fix missing ]

* reject requests if per user API disabled
2019-05-24 13:48:40 -04:00
Isaac Connor 2ce2381269 Merge branch 'crypt-replacement' of https://github.com/pliablepixels/ZoneMinder into pliablepixels-crypt-replacement 2019-05-19 08:45:42 -04:00
Pliable Pixels 8e1037458a when regenerating using refresh tokens, username needs to be derived from the refresh token, as no session would exist 2019-05-18 11:23:16 -04:00
Isaac Connor 93aeceecfc Merge branch 'crypt-replacement' of https://github.com/pliablepixels/ZoneMinder into pliablepixels-crypt-replacement 2019-05-17 10:18:15 -04:00
Pliable Pixels 41ae745b17 removed stale code 2019-05-12 18:53:51 -04:00
Pliable Pixels ec279ccc9a make old API auth mechanism optional 2019-05-12 18:51:07 -04:00
Pliable Pixels 881d531fe9 make old API auth optional, on by default 2019-05-12 18:19:19 -04:00
Pliable Pixels 225893fcd6 add mintokenexpiry to DB seek 2019-05-12 05:50:19 -04:00
Pliable Pixels 88d50ec9ca added revoke all tokens code, removed test code 2019-05-11 15:47:57 -04:00
Pliable Pixels 95b448abdd handle case when supplied password is hashed, fix wrong params in AppController 2019-05-10 11:25:55 -04:00
Pliable Pixels 1770ebea23 make sure refresh token login doesn't generate another refresh token 2019-05-08 15:26:51 -04:00
Pliable Pixels 0bc96dfe83 Error out if used did not create an AUTH_HASH_SECRET 2019-05-08 14:26:16 -04:00
Pliable Pixels bc050fe330 support refresh tokens as well for increased security 2019-05-08 13:38:42 -04:00
Pliable Pixels 27e6e46f84 remove allowing auth_hash_ip for token 2019-05-08 12:11:32 -04:00
Pliable Pixels b293592e4c added token validation to zms/zmu/zmuser 2019-05-08 10:55:32 -04:00
Pliable Pixels d36c1f5d3c Add JWT token creation, move old code to a different function for future deprecation, simplified code for ZM_XX parameter reading 2019-05-07 15:04:12 -04:00
Pliable Pixels 0bbc582971 New token= query for JWT 2019-05-07 15:03:13 -04:00
Isaac Connor 5b68ddcc9a add a note deprecating getDiskPercent 2019-04-17 09:55:34 -04:00
Pliable Pixels d270fbd0ad added support for named params to consoleEvents (#2571) 2019-04-09 16:28:46 -04:00
Isaac Connor 110e5075f4 fix namespace fixes #3566 2019-04-01 17:21:01 -04:00
Isaac Connor fa9803d819 Can't use this->data to avoid another db hit. Must load by id 2019-04-01 10:11:56 -04:00
Isaac Connor b988ce0573 more parentheses to make logic more clear 2019-03-20 14:26:35 -04:00
Isaac Connor 520c41da23 Merge ../ZoneMinder.connortechnology.bad into storageareas 2019-03-18 14:40:03 -04:00
Matthew Noorenberghe abb6ef1688 API: Escape 'named' params for SQLi in two more Event endpoints.
Fixes #2099
2019-03-11 00:21:51 -07:00
Matthew Noorenberghe 056b96f7fc API: Monitor and Event 'index' SQLi. Fixes #2099 2019-03-11 00:21:51 -07:00
Isaac Connor af9c87a112 Merge branch 'master' into storageareas 2019-02-27 10:53:19 -05:00
Isaac Connor 4c35f2910c fix ZM namespace 2019-02-26 18:09:18 -05:00
Isaac Connor df3e11d83c Fix authentication in api because we no longer store the user object in the session 2019-02-26 17:01:45 -05:00
Isaac Connor fbdb5bcb62 Merge branch 'master' into storageareas 2019-02-19 12:06:32 -05:00
Isaac Connor eaa7341935 Add missing / in path to auth.php 2019-02-19 10:07:36 -05:00
Isaac Connor 5029d7214a Merge branch 'master' into storageareas 2019-02-18 17:00:45 -05:00
Isaac Connor 4cd3a93e96 add missing / 2019-02-18 16:30:03 -05:00
Mitch Capper 04c17283ec need to prefix with _dir_ otherwise relative to initial script (#2531) 2019-02-17 11:31:10 -05:00
Isaac Connor 5060358870 Merge branch 'master' into storageareas 2018-12-29 09:56:53 -05:00
Andrew Bauer 3258d8e590 remove ZM_DIR_IMAGES (#2374) 2018-12-29 09:52:58 -05:00
Isaac Connor 27826b4aca Merge branch 'master' into storageareas 2018-12-24 09:48:29 -05:00
Isaac Connor 47465260d1 Update permissions checking for Groups to not use session. Fixes #2353 2018-12-21 10:01:48 -05:00
Isaac Connor e626049f6b Merge branch 'swresample' into storageareas 2018-12-20 14:08:40 -05:00
Pliable Pixels 622c17f628 make sure auth is regenerated each time we call this API (#2347) 2018-12-16 11:02:07 -05:00
Isaac Connor 7d90a56561 Merge branch 'master' into storageareas 2018-11-30 14:46:42 -05:00
Pliable Pixels e6b8a7bc66 resolves #2327 2018-11-29 09:21:10 -05:00
Isaac Connor f5328265ef fix missing daemons definition 2018-11-28 09:12:22 -05:00
Isaac Connor 51d8c0ea73 add back daemon parameter, but make it actually work 2018-11-14 12:59:44 -05:00
Isaac Connor d671761a35 simplify params to daemonControl since they really aren't being used anyways. Return the status text 2018-11-14 12:54:10 -05:00
Andrew Bauer 073193e410
Merge pull request #2281 from connortechnology/fix_2279_delete_camera_through_api
Fix 2279 delete camera through api
2018-10-30 07:06:14 -05:00
Isaac Connor 39061038fb Don't include related models in Storage index 2018-10-29 14:40:05 -04:00
Isaac Connor 9a2d58adce We don't store all the permissions in the session anymore. We just use the global user object 2018-10-29 11:03:03 -04:00
Isaac Connor 8878397622 fix spacing 2018-10-20 11:36:25 -04:00
Andrew Bauer 409fd6aa6f
Merge pull request #2232 from connortechnology/fix_2229_getDiskPercent
Fix 2229 get disk percent
2018-10-03 18:11:28 -05:00
Isaac Connor 66221e39ab rough in a StorageController for api 2018-10-03 11:22:51 -04:00
Isaac Connor 12bed9b6ac Use alternate, working test for relative ZM_DIR_EVENTS. Don't use human output from du when specifying mid to be consistent. 2018-10-03 11:11:33 -04:00
Isaac Connor 03f09bdc48 Use defined CONFIG constants instead of looking up config from db 2018-10-03 10:56:02 -04:00
Isaac Connor 23ddc83ad4
fix_2167 (#2168)
* Populate a global  from the session on every request. Use the  object instead of using allowedMonitors in session.

* fix when  gets loaded.

* use  for auth, and add Monitor Edit checks to Zone add/delete/edit

* add back the ZM_OPT_USE_AUTH test for being logged in in AppController

* Update permissions code to use

* change quotes

* Update permission code to use

* Use  instal of session for systemPermission

* deprecate montiorPermision in session

* use  instead of session streamPermission

* move login code back into AppController. Has to be done for every request

* deprecate eventPermission, controlPermission and systemPermission in session.

* handle auth params in query string as well as post

* exit on HUP to free up memory.

* add missing global user

* system should be System
2018-08-08 09:59:46 -04:00
Isaac Connor dc57a3c91c fix spacing/quotes/google code style 2018-07-24 16:41:09 -04:00
Pliable Pixels 997aa6aa55 fixed getCredentials not working if called directly 2018-07-17 13:57:20 -04:00
Pliable Pixels 0ff9002adf 2156 api login (#2157)
* error can be due to bad user or password

* added login/logout and related private functions

* handle case when userLogin fails, current code returns PHP error for  and API throw is not called

* formatting

* converted login params to POST, removed user=&pass= for other APIs

* formatting

* add auth check back but leave out login/out

* fixes to make it work across zmN, postman and curl

* added back enabled check
2018-07-15 21:17:35 -04:00
Isaac Connor fe5ebe094d More work just using auth.php instead of cake code. Don't reload the User object 2018-07-11 11:45:49 -04:00
Isaac Connor 4f80ca6871 Use userLogin function from auth.php instead of cake code. 2018-07-11 10:33:49 -04:00
Isaac Connor 983e3c45be Fix spacing and quotes 2018-07-11 09:54:25 -04:00
Isaac Connor f10509690b add username and passwordHash to Session so that generateAuthHash works 2018-07-11 09:54:15 -04:00
Isaac Connor 21438d17ac Fix authenticating User 2018-07-10 13:19:51 -04:00
Isaac Connor 930d929427 Merge branch 'storageareas' into api_auth 2018-07-10 12:46:30 -04:00
Isaac Connor e04eac57ae Include values in /etc/zm files in viewByName 2018-06-25 15:43:01 -04:00
Isaac Connor 24ceb75936 Merge branch 'master' into include_fs_config_in_api_config 2018-06-21 21:41:54 -04:00
Isaac Connor cd64619743 Fix controlling daemon when the monitor is Local 2018-06-06 12:56:33 -04:00
Isaac Connor 2a5f05499e Munge the config in the global configvals into the configs array before returning it. 2018-05-10 13:44:46 -04:00
Isaac Connor 62edca6dcb add fileSize to the api, and use it to add remote fileSize reporting in includes/Event 2018-05-08 13:33:56 -07:00
Isaac Connor 1a012c62ff Add fileExists to event view 2018-05-07 14:07:03 -07:00
Pliable Pixels e953a04f61 naming consistency of attribute (#2096) 2018-05-03 14:03:49 -04:00
Pliable Pixels a3158fcc97 auth_key api for different situations (#2090)
* auth_key api for different situations

* added new flag to indicate if password needs to be appended

* pure json view
2018-05-02 12:26:28 -04:00
Isaac Connor c3b6cd4bab include auth.php if auth is on, and return '' for auth_hash is auth is disabled 2018-04-30 11:24:53 -04:00
Isaac Connor 513708b11c don't need to define the config, it will have already been done. Include auth.php instead of functions.php as the code has been moved 2018-04-06 14:42:10 -04:00
Isaac Connor a789fc88aa implement getAuthHash 2018-04-06 14:41:39 -04:00
Isaac Connor 632ab143fe error when can't set session in cake 2018-04-05 14:21:56 -04:00
Isaac Connor a4fee5c91c further merges from cakephp 2.10.8 2018-03-21 13:09:55 -04:00
Isaac Connor b4c13d56d6 Merge ../ZoneMinder.master into storageareas 2018-03-06 12:29:59 -05:00
tim 0654c7e3b2 Adding group handling in API 2018-03-04 23:01:52 -08:00
Isaac Connor 475c465b0d define 2018-01-26 10:39:12 -05:00
Isaac Connor 1503c586d2 When there is an error saving, add the invalidFields() info to the error message. Only restart the daemon on success. 2018-01-26 10:30:29 -05:00
Isaac Connor 933259f9a5 fix bracket 2018-01-23 13:16:21 -08:00
Isaac Connor bd2da456f4 handle non-multi-server case when restarting monitors via API 2018-01-19 21:09:33 -05:00