* If token is present do token based auth and do not do anything with session
* update HostController. Use config constants, don't use sessions
* Remove Session from the components list
* spacing
* Remove Session from App Components list.
* Move APIEnabled check to the api from auth.php
* Rework auth. login using username and password only occurs on login action now. Including auth.php should not touch the session. auth_hash logins no longer touch the session. replace userLogin with a function called validateUser which matches the semantics of validateToken.
* remove debugging
* Add session storage if stateful query param is on, but only for LEGACY_API_AUTH
* fix mUser to username, etc.
* shuffle lines
* use instead of session when generating auth hash.
* Add docs regarding the use of cookies and stateful query param
* Only open/close session if we are clearing a session var
* Use zm_session_start instead of session_start
* Should use zm_session_start instead of session_start
* document that zm_session_start should be called previously to session_regenerate_id
* Don't actually write out the session when generating auth hashes. Means they should never actually persist.
* More backticking of SQL
* add .. to fix#2686
* Use material icons for sort because they look nicer
* fix typo
* have to add authhash to session on login
* restore username&password login for all urls
* fix
* fixes
* added sha1 and bcrypt submodules
* added bcrypt and sha to src build process
* added test sha1 and bcrypt code to validate working
* bcrypt auth migration in PHP land
* added include path
* add sha source
* added bcrypt to others
* put link_dir ahead of add_executable
* fixed typo
* try add_library instead
* absolute path
* absolute path
* build bcrypt as static
* move to wrapper
* move to fork
* logs tweak
* added lib-ssl/dev for JWT signing
* Moved to openSSL SHA1, initial JWT plugin
* removed vog
* fixed SHA1 algo
* typo
* use php-jwt, use proper way to add PHP modules, via composer
* fixed module path
* first attempt to fix cast error
* own fork
* own fork
* add composer vendor directory
* go back to jwt-cpp as PR merged
* moved to jwt-cpp after PR merge
* New token= query for JWT
* Add JWT token creation, move old code to a different function for future deprecation, simplified code for ZM_XX parameter reading
* JWT integration, validate JWT token via validateToken
* added token validation to zms/zmu/zmuser
* add token to command line for zmu
* move decode inside try/catch
* exception handling for try/catch
* fix db read, forgot to exec query
* remove allowing auth_hash_ip for token
* support refresh tokens as well for increased security
* remove auth_hash_ip
* Error out if used did not create an AUTH_HASH_SECRET
* fixed type conversion
* make sure refresh token login doesn't generate another refresh token
* fix absolute path
* move JWT/Bcrypt inside zm_crypt
* move sha headers out
* move out sha header
* handle case when supplied password is hashed, fix wrong params in AppController
* initial baby step for api tab
* initial plumbing to introduce token expiry and API bans per user
* remove M typo
* display user table in api
* added revoke all tokens code, removed test code
* use strtoul for conversion
* use strtoul for conversion
* use strtoul for conversion
* more fixes
* more fixes
* add mintokenexpiry to DB seek
* typo
* add ability to revoke tokens and enable/disable APIs per user
* moved API enable back to system
* comma
* enable API options only if API enabled
* move user creation to bcrypt
* added password_compat for PHP >=5.3 <5.5
* add Password back so User object indexes don't change
* move token index after adding password
* demote logs
* make old API auth optional, on by default
* make old API auth mechanism optional
* removed stale code
* forgot to checkin update file
* bulk overlay hash mysql encoded passwords
* add back ssl_dev, got deleted
* fix update script
* added token support to index.php
* reworked API document for new changes in 2.0
* Migrate from libdigest to crypt-eks-blowfish due to notice
* merge typo
* css classess for text that disappear
* fixed html typo
* added deps to ubuntu control files
* spaces
* removed extra line
* when regenerating using refresh tokens, username needs to be derived from the refresh token, as no session would exist
* add libssl1.0.0 for ubuntu 16/12
* small API fixes
* clean up of API, remove redundant sections
* moved to ZM fork for bcrypt
* whitespace and google code style
* regenerate auth hash if doing password migration
* dont need AUTH HASH LOGIN to be on
* Add auth hash verification to the user logged in already case
* fix missing ]
* reject requests if per user API disabled
* include includes/functions.php so that we have access to all it's contents
* add a beforeDelete function which deletes the files. Add other needed functions like Path() LinkPath() etc.
* add require_once for Storage and functions because we use them in Event
* Now that ZM has namespaces use the ZM Event class to do the heavy lifting of delete
* Don't need functions in AppController anymore
Using zmNinja, the API reports E_NOTICE errors
Notice (8): compact(): Undefined variable: subject [CORE/Cake/Utility/ObjectCollection.php, line 128]
Notice (8): compact() [<a href='http://php.net/function.compact'>function.compact</a>]: Undefined variable: subject [CORE/Cake/Utility/ObjectCollection.php, line 128]
Notice (8): compact() [<a href='http://php.net/function.compact'>function.compact</a>]: Undefined variable: subject [CORE/Cake/Utility/ObjectCollection.php, line 128]
Notice (8): compact() [<a href='http://php.net/function.compact'>function.compact</a>]: Undefined variable: subject [CORE/Cake/Utility/ObjectCollection.php, line 128]
and zmNinja will not work...
there is a better way, but i think disabling E_NOTICE error is way easier
see: https://github.com/ZoneMinder/zoneminder/pull/2269
* Populate a global from the session on every request. Use the object instead of using allowedMonitors in session.
* fix when gets loaded.
* use for auth, and add Monitor Edit checks to Zone add/delete/edit
* add back the ZM_OPT_USE_AUTH test for being logged in in AppController
* Update permissions code to use
* change quotes
* Update permission code to use
* Use instal of session for systemPermission
* deprecate montiorPermision in session
* use instead of session streamPermission
* move login code back into AppController. Has to be done for every request
* deprecate eventPermission, controlPermission and systemPermission in session.
* handle auth params in query string as well as post
* exit on HUP to free up memory.
* add missing global user
* system should be System
Isaac Connor
Isaac Connor
Isaac Connor
Pliable Pixels
Pliable Pixels
Matthew Noorenberghe
Mitch Capper
Andrew Bauer
ratmole
raTmole