Commit Graph

42 Commits

Author SHA1 Message Date
Isaac Connor 50aa0108e5 Add authhash to session 2019-09-03 11:33:02 -04:00
Isaac Connor a384e978c8 don't load user from session if we have already gotten it from elsewhere 2019-09-03 11:19:42 -04:00
Isaac Connor b84d005d8f Load use from session when it exists 2019-09-03 10:54:34 -04:00
Isaac Connor 84492f29b1
Fix token auth sessions (#2676)
* If token is present do token based auth and do not do anything with session

* update HostController.  Use config constants, don't use sessions

* Remove Session from the components list

* spacing

* Remove Session from App Components list.

* Move APIEnabled check to the api from auth.php

* Rework auth.  login using username and password only occurs on login action now.  Including auth.php should not touch the session.  auth_hash logins no longer touch the session.  replace userLogin with a function called validateUser which matches the semantics of validateToken.

* remove debugging

* Add session storage if stateful query param is on, but only for LEGACY_API_AUTH

* fix mUser to username, etc.

* shuffle lines

* use  instead of session when generating auth hash.

* Add docs regarding the use of cookies and stateful query param

* Only open/close session if we are clearing a session var

* Use zm_session_start instead of session_start

* Should use zm_session_start instead of session_start

* document that zm_session_start should be called previously to session_regenerate_id

* Don't actually write out the session when generating auth hashes.  Means they should never actually persist.

* More backticking of SQL

* add .. to fix #2686

* Use material icons for sort because they look nicer

* fix typo

* have to add authhash to session on login

* restore username&password login for all urls

* fix

* fixes
2019-08-20 09:46:53 -04:00
Isaac Connor cfeedd39a4 Use zm_session_start instead of session_start 2019-08-16 15:07:20 -04:00
Isaac Connor 4108495a7d Add session storage if stateful query param is on, but only for LEGACY_API_AUTH 2019-08-16 14:12:14 -04:00
Isaac Connor 618e6816ef Rework auth. login using username and password only occurs on login action now. Including auth.php should not touch the session. auth_hash logins no longer touch the session. replace userLogin with a function called validateUser which matches the semantics of validateToken. 2019-08-15 14:59:15 -04:00
Isaac Connor 9da10abca9 Move APIEnabled check to the api from auth.php 2019-08-13 11:29:32 -04:00
Isaac Connor a63b6486b9 Remove Session from App Components list. 2019-08-12 15:36:40 -04:00
Isaac Connor c2e1293472 spacing 2019-08-12 15:10:58 -04:00
Pliable Pixels bc0565858b check for API disabled only when auth is on (#2624) 2019-05-28 13:44:06 -04:00
Pliable Pixels fc27393a96 Replace MySQL Password() with bcrypt, allow for alternate JWT tokens (#2598)
* added sha1 and bcrypt submodules

* added bcrypt and sha to src build process

* added test sha1 and bcrypt code to validate working

* bcrypt auth migration in PHP land

* added include path

* add sha source

* added bcrypt to others

* put link_dir ahead of add_executable

* fixed typo

* try add_library instead

* absolute path

* absolute path

* build bcrypt as static

* move to wrapper

* move to fork

* logs tweak

* added lib-ssl/dev for JWT signing

* Moved to openSSL SHA1, initial JWT plugin

* removed vog

* fixed SHA1 algo

* typo

* use php-jwt, use proper way to add PHP modules, via composer

* fixed module path

* first attempt to fix cast error

* own fork

* own fork

* add composer vendor directory

* go back to jwt-cpp as PR merged

* moved to jwt-cpp after PR merge

* New token= query for JWT

* Add JWT token creation, move old code to a different function for future deprecation, simplified code for ZM_XX parameter reading

* JWT integration, validate JWT token via validateToken

* added token validation to zms/zmu/zmuser

* add token to command line for zmu

* move decode inside try/catch

* exception handling for try/catch

* fix db read, forgot to exec query

* remove allowing auth_hash_ip for token

* support refresh tokens as well for increased security

* remove auth_hash_ip

* Error out if used did not create an AUTH_HASH_SECRET

* fixed type conversion

* make sure refresh token login doesn't generate another refresh token

* fix absolute path

* move JWT/Bcrypt inside zm_crypt

* move sha headers out

* move out sha header

* handle case when supplied password is hashed, fix wrong params in AppController

* initial baby step for api tab

* initial plumbing to introduce token expiry and API bans per user

* remove M typo

* display user table in api

* added revoke all tokens code, removed test code

* use strtoul for conversion

* use strtoul for conversion

* use strtoul for conversion

* more fixes

* more fixes

* add mintokenexpiry to DB seek

* typo

* add ability to revoke tokens and enable/disable APIs per user

* moved API enable back to system

* comma

* enable API options only if API enabled

* move user creation to bcrypt

* added password_compat for PHP >=5.3 <5.5

* add Password back so User object indexes don't change

* move token index after adding password

* demote logs

* make old API auth optional, on by default

* make old API auth mechanism optional

* removed stale code

* forgot to checkin update file

* bulk overlay hash mysql encoded passwords

* add back ssl_dev, got deleted

* fix update script

* added token support to index.php

* reworked API document for new changes in 2.0

* Migrate from libdigest to crypt-eks-blowfish due to notice

* merge typo

* css classess for text that disappear

* fixed html typo

* added deps to ubuntu control files

* spaces

* removed extra line

* when regenerating using refresh tokens, username needs to be derived from the refresh token, as no session would exist

* add libssl1.0.0 for ubuntu 16/12

* small API fixes

* clean up of API, remove redundant sections

* moved to ZM fork for bcrypt

* whitespace and google code style

* regenerate auth hash if doing password migration

* dont need AUTH HASH LOGIN to be on

* Add auth hash verification to the user logged in already case

* fix missing ]

* reject requests if per user API disabled
2019-05-24 13:48:40 -04:00
Isaac Connor df3e11d83c Fix authentication in api because we no longer store the user object in the session 2019-02-26 17:01:45 -05:00
Isaac Connor 4cd3a93e96 add missing / 2019-02-18 16:30:03 -05:00
Mitch Capper 04c17283ec need to prefix with _dir_ otherwise relative to initial script (#2531) 2019-02-17 11:31:10 -05:00
Isaac Connor 23ddc83ad4
fix_2167 (#2168)
* Populate a global  from the session on every request. Use the  object instead of using allowedMonitors in session.

* fix when  gets loaded.

* use  for auth, and add Monitor Edit checks to Zone add/delete/edit

* add back the ZM_OPT_USE_AUTH test for being logged in in AppController

* Update permissions code to use

* change quotes

* Update permission code to use

* Use  instal of session for systemPermission

* deprecate montiorPermision in session

* use  instead of session streamPermission

* move login code back into AppController. Has to be done for every request

* deprecate eventPermission, controlPermission and systemPermission in session.

* handle auth params in query string as well as post

* exit on HUP to free up memory.

* add missing global user

* system should be System
2018-08-08 09:59:46 -04:00
Isaac Connor dc57a3c91c fix spacing/quotes/google code style 2018-07-24 16:41:09 -04:00
Pliable Pixels 997aa6aa55 fixed getCredentials not working if called directly 2018-07-17 13:57:20 -04:00
Pliable Pixels 0ff9002adf 2156 api login (#2157)
* error can be due to bad user or password

* added login/logout and related private functions

* handle case when userLogin fails, current code returns PHP error for  and API throw is not called

* formatting

* converted login params to POST, removed user=&pass= for other APIs

* formatting

* add auth check back but leave out login/out

* fixes to make it work across zmN, postman and curl

* added back enabled check
2018-07-15 21:17:35 -04:00
Isaac Connor fe5ebe094d More work just using auth.php instead of cake code. Don't reload the User object 2018-07-11 11:45:49 -04:00
Isaac Connor 4f80ca6871 Use userLogin function from auth.php instead of cake code. 2018-07-11 10:33:49 -04:00
Isaac Connor f10509690b add username and passwordHash to Session so that generateAuthHash works 2018-07-11 09:54:15 -04:00
Isaac Connor 21438d17ac Fix authenticating User 2018-07-10 13:19:51 -04:00
Isaac Connor 930d929427 Merge branch 'storageareas' into api_auth 2018-07-10 12:46:30 -04:00
Isaac Connor 513708b11c don't need to define the config, it will have already been done. Include auth.php instead of functions.php as the code has been moved 2018-04-06 14:42:10 -04:00
Isaac Connor 632ab143fe error when can't set session in cake 2018-04-05 14:21:56 -04:00
Isaac Connor 150aa5be51 Merge branch 'master' into api_auth 2017-06-09 12:33:17 -04:00
Matt N 33092e4022 Allow API authentication using the `auth` query parameter containing an auth. hash. (#1845)
* Allow API authentication using the `auth` query parameter containing an auth. hash.

Fixes #1827

The same auth. hash for zms is used here. This allows consumers to use the API without sending the password in the query string and not require forging logins via the login form.

* Move logger.php's global Debug function to Logger::Debug to avoid polluting globals

This avoids a conflict with CakePHP when logger.php gets included indrectly from API code.

* Protect action=login when ZM_ENABLE_CSRF_MAGIC is enabled
2017-05-15 21:51:48 -04:00
Matthew Noorenberghe ea558c79a0 Fix check that API user is enabled 2017-03-20 17:16:24 -07:00
Isaac Connor b4aec41d3d fix warnings and move User import up higher to where it needs to be 2016-06-21 09:09:58 -04:00
Isaac Connor dbdd1ae51e remove debug logging 2016-06-07 16:26:58 -04:00
Isaac Connor f26c9168c4 if user=&pass= are in request, use them for auth 2016-06-07 16:25:35 -04:00
Isaac Connor 6cb163c37f Merge branch 'master' into api_auth 2016-06-07 16:23:50 -04:00
arjunrc 6e606aa74b removed issue # 2015-12-19 19:04:27 -05:00
arjunrc 38b4785557 PP - Gone,flitted away, Taken the starts from the night and sun, From the day! Gone, and a cloud in my heart. - Tennyson 2015-12-19 18:36:38 -05:00
arjunrc 028c9b956c check for opt_use_api, also pull in user roles support 2015-12-19 17:44:02 -05:00
Pliable Pixels a64f7c0036 Included logic to not enforce authentication in API layer if ZM_OPT_USE_AUTH is disabled
If ZM auth is off, API won't work. Changed this to make sure API disables auth if ZM disables auth
2015-08-11 14:47:49 -04:00
Pliable Pixels f7025aaa26 I was using the wrong field to check for portal authentication
Should be user.Username instead of username
2015-08-10 15:55:44 -04:00
Pliable Pixels 38799050ef APIs will be served only if user is logged into the ZM portal 2015-08-07 16:14:02 -04:00
Isaac Connor fadfc01d81 TUrn on sessions and auth 2015-06-30 11:27:33 -04:00
Ubuntu dd9603f70f Merged Angular UI branch API to master 2015-06-11 02:58:58 +00:00
Kyle Johnson f1f3de6d7d Moved the api to underneath the web directory 2014-04-29 20:41:04 +00:00