diff --git a/server/controllers/system.php b/server/controllers/system.php
index 8bc393cb..1d8fa889 100644
--- a/server/controllers/system.php
+++ b/server/controllers/system.php
@@ -12,6 +12,9 @@ require_once 'system/recover-mail-template.php';
 require_once 'system/get-stats.php';
 require_once 'system/disable-registration.php';
 require_once 'system/enable-registration.php';
+require_once 'system/add-api-key.php';
+require_once 'system/delete-api-key.php';
+require_once 'system/get-all-keys.php';
 $systemControllerGroup = new ControllerGroup();
 $systemControllerGroup->setGroupPath('/system');
@@ -29,5 +32,8 @@ $systemControllerGroup->addController(new RecoverMailTemplateController);
 $systemControllerGroup->addController(new DisableRegistrationController);
 $systemControllerGroup->addController(new EnableRegistrationController);
 $systemControllerGroup->addController(new GetStatsController);
+$systemControllerGroup->addController(new AddAPIKeyController);
+$systemControllerGroup->addController(new DeleteAPIKeyController);
+$systemControllerGroup->addController(new GetAllKeyController);
 $systemControllerGroup->finalize();
\ No newline at end of file
diff --git a/server/controllers/system/add-api-key.php b/server/controllers/system/add-api-key.php
new file mode 100644
index 00000000..2f32d66d
--- /dev/null
+++ b/server/controllers/system/add-api-key.php
@@ -0,0 +1,41 @@
+ 'staff_3',
+ 'requestData' => [
+ 'name' => [
+ 'validation' => DataValidator::length(2, 55)->alnum(),
+ 'error' => ERRORS::INVALID_NAME
+ ]
+ ]
+ ];
+ }
+
+ public function handler() {
+ $apiInstance = new APIKey();
+
+ $name = Controller::request('name');
+
+ $keyInstance = APIKey::getDataStore($name, 'name');
+
+ if($keyInstance->isNull()){
+ $token = Hashing::generateRandomToken();
+
+ $apiInstance->setProperties([
+ 'name' => $name,
+ 'token' => $token
+ ]);
+
+ $apiInstance->store();
+ Response::respondSuccess($token);
+ } else {
+ Response::respondError(ERRORS::NAME_ALREADY_USED);
+ }
+
+ }
+}
\ No newline at end of file
diff --git a/server/controllers/system/delete-api-key.php b/server/controllers/system/delete-api-key.php
new file mode 100644
index 00000000..8ee03152
--- /dev/null
+++ b/server/controllers/system/delete-api-key.php
@@ -0,0 +1,32 @@
+ 'staff_3',
+ 'requestData' => [
+ 'name' => [
+ 'validation' => DataValidator::length(2, 55)->alpha(),
+ 'error' => ERRORS::INVALID_NAME
+ ]
+ ]
+ ];
+ }
+
+ public function handler() {
+ $name = Controller::request('name');
+
+ $keyInstance = APIKey::getDataStore($name, 'name');
+
+ if($keyInstance->isNull()) {
+ Response::respondError(ERRORS::INVALID_NAME);
+ return;
+ }
+
+ $keyInstance->delete();
+ Response::respondSuccess();
+ }
+}
\ No newline at end of file
diff --git a/server/controllers/system/get-all-keys.php b/server/controllers/system/get-all-keys.php
new file mode 100644
index 00000000..35206374
--- /dev/null
+++ b/server/controllers/system/get-all-keys.php
@@ -0,0 +1,19 @@
+ 'staff_3',
+ 'requestData' => []
+ ];
+ }
+
+ public function handler() {
+ $apiList = APIKey::getAll();
+
+ Response::respondSuccess($apiList->toArray());
+ }
+}
\ No newline at end of file
diff --git a/server/controllers/user/signup.php b/server/controllers/user/signup.php
index 48e6e1c6..cee72f1b 100644
--- a/server/controllers/user/signup.php
+++ b/server/controllers/user/signup.php
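Review bot: The `name` rule in this hunk is `DataValidator::length(2, 55)->alnum()` while the delete-api-key hunk in the same diff uses `->alpha()`, so any key created with a digit in its name (the `namekey1`…`namekey5` keys created in tests/system/get-all-keys.rb, for instance) is accepted here but can never be removed through the API. Use one rule in both controllers, e.g. `'validation' => DataValidator::length(2, 55)->alnum(),` in delete-api-key.php. Separately, the `isNull()`-then-`store()` sequence is a check-then-act on `name`; unless the `apikey` table has a unique index on that column (not visible here), two concurrent requests can create duplicate names, so a database-level constraint is the reliable guard and the `NAME_ALREADY_USED` branch is only a friendly fast path. The first lines of this new file are missing from the hunk as rendered, so the class header and the start of `validations()` could not be reviewed.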
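Review bot: `Response::respondSuccess($apiList->toArray())` serialises every stored key including its `token` field (the APIKey.php hunk's `toArray()` returns `'token' => $this->token`), so this endpoint hands the complete set of secrets to any caller holding `staff_3`, and the tokens also end up wherever responses are logged. A listing normally needs only the name (plus an identifier for deletion); consider dropping `token` from `toArray()` and returning it only once from add-api-key, which already does `Response::respondSuccess($token)`. If the tokens must remain listable, say so in a comment on `handler()`, e.g. `// intentionally returns tokens: staff re-read keys from this list`, so the exposure reads as a decision rather than an oversight.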
@@ -37,6 +37,7 @@ class SignUpController extends Controller {
 public function handler() {
 $this->storeRequestData();
+ $apiKey = APIKey::getDataStore(Controller::request('apiKey'), 'token');
 $existentUser = User::getUser($this->userEmail, 'email');
@@ -51,7 +52,7 @@ class SignUpController extends Controller {
 return;
 }
- if (!Setting::getSetting('registration')->value) {
+ if (!Setting::getSetting('registration')->value && $apiKey->isNull() ) {
 Response::respondError(ERRORS::NO_PERMISSION);
 return;
 }
diff --git a/server/data/ERRORS.php b/server/data/ERRORS.php
index 4b7507cf..06211649 100644
--- a/server/data/ERRORS.php
+++ b/server/data/ERRORS.php
@@ -36,4 +36,5 @@ class ERRORS {
 const INVALID_SUBJECT = 'INVALID_SUBJECT';
 const INVALID_BODY = 'INVALID_BODY';
 const INVALID_PERIOD = 'INVALID_PERIOD';
+ const NAME_ALREADY_USED = 'NAME_ALREADY_USED';
 }
diff --git a/server/libs/validations/captcha.php b/server/libs/validations/captcha.php
index 437d92d8..7ac805c2 100644
--- a/server/libs/validations/captcha.php
+++ b/server/libs/validations/captcha.php
@@ -8,8 +8,9 @@ class Captcha extends AbstractRule {
 public function validate($reCaptchaResponse) {
 $reCaptchaPrivateKey = \Setting::getSetting('recaptcha-private')->getValue();
+ $apiKey = \APIKey::getDataStore(\Controller::request('apiKey'), 'token');
- if (!$reCaptchaPrivateKey) return true;
+ if (!$reCaptchaPrivateKey || !$apiKey->isNull()) return true;
 $reCaptcha = new \ReCaptcha\ReCaptcha($reCaptchaPrivateKey);
 $reCaptchaValidation = $reCaptcha->verify($reCaptchaResponse, $_SERVER['REMOTE_ADDR']);
diff --git a/server/models/APIKey.php b/server/models/APIKey.php
new file mode 100644
index 00000000..2cfc3783
--- /dev/null
+++ b/server/models/APIKey.php
@@ -0,0 +1,18 @@
+ $this->name,
+ 'token' => $this->token
+ ];
+ }
+}
\ No newline at end of file
diff --git a/tests/init.rb b/tests/init.rb
index cae53d63..aaf24e28 100644
--- a/tests/init.rb
+++ b/tests/init.rb
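Review bot: `Controller::request('apiKey')` is read straight from the request and handed to `APIKey::getDataStore(..., 'token')` without, as far as this hunk shows, the parameter being declared under `requestData` in this controller's `validations()` (that method is outside the hunk, so please confirm); the new system controllers in this diff run every field through DataValidator, and a secret used to bypass a security gate should get the same treatment, at least a length/alnum rule, so malformed input is rejected before the lookup. The gate that follows also assumes `getDataStore(null, 'token')` yields a null DataStore when the parameter is absent rather than matching a row with an empty token; a one-line comment such as `// absent or unknown apiKey yields a null DataStore; registration stays gated below` would make that assumption visible. No test in this diff exercises signup with an API key while `registration` is off, which is exactly the behaviour this hunk and the next one introduce. handler() continues past the end of the hunk.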
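Review bot: The new condition in the second signup hunk carries a stray space before the closing parenthesis, `$apiKey->isNull() )`; write it as `if (!Setting::getSetting('registration')->value && $apiKey->isNull()) {`. The line also quietly changes what the `registration` setting means, since a caller presenting a valid key can now register while public registration is disabled, so a comment above the `if` along the lines of `// a valid API key may register users even while public registration is disabled` saves the next reader a trip to APIKey.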
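Review bot: The bypass in the captcha.php hunk lives inside the generic `Captcha` rule and reads `apiKey` from the global request via `\Controller::request('apiKey')`, so every endpoint that attaches this rule, not only signup, now accepts a valid API key in place of a reCAPTCHA response; if the key is meant for registration, skipping the captcha rule in SignUpController's validations keeps the exemption where it is intended and leaves the rule honest everywhere else. The rule also gains a hidden dependency on request state that is not part of its `$reCaptchaResponse` argument, which makes it impossible to test in isolation; if the bypass stays here, pass the key in explicitly or at least document the coupling with `// a request carrying a valid apiKey token skips reCAPTCHA (see SignUpController)`. validate() continues past the end of the hunk.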
@@ -55,3 +55,6 @@ require './system/recover-mail-template.rb'
 require './system/disable-registration.rb'
 require './system/enable-registration.rb'
 require './system/get-stats.rb'
+require './system/add-api-key.rb'
+require './system/delete-api-key.rb'
+require './system/get-all-keys.rb'
diff --git a/tests/scripts.rb b/tests/scripts.rb
index 4cf57fcf..9b5eb892 100644
--- a/tests/scripts.rb
+++ b/tests/scripts.rb
@@ -44,4 +44,12 @@ class Scripts
 result['data']
 end
+
+ def self.createAPIKey(name)
+ result = request('/system/add-api-key', {
+ csrf_userid: $csrf_userid,
+ csrf_token: $csrf_token,
+ name: name
+ })
+ end
 end
diff --git a/tests/system/add-api-key.rb b/tests/system/add-api-key.rb
new file mode 100644
index 00000000..cf8c86d5
--- /dev/null
+++ b/tests/system/add-api-key.rb
@@ -0,0 +1,30 @@
+describe'system/add-api-key' do
+ request('/user/logout')
+ Scripts.login($staff[:email], $staff[:password], true)
+
+ it 'should add API key' do
+ result= request('/system/add-api-key', {
+ csrf_userid: $csrf_userid,
+ csrf_token: $csrf_token,
+ name: 'new API'
+ })
+
+ (result['status']).should.equal('success')
+
+ row = $database.getRow('apikey', 1, 'id')
+
+ (row['name']).should.equal('new API')
+ (result['data']).should.equal(row['token'])
+
+ end
+ it 'should not add API key' do
+ result= request('/system/add-api-key', {
+ csrf_userid: $csrf_userid,
+ csrf_token: $csrf_token,
+ name: 'new API'
+ })
+
+ (result['status']).should.equal('fail')
+ (result['message']).should.equal('NAME_ALREADY_USED')
+ end
+end
diff --git a/tests/system/delete-api-key.rb b/tests/system/delete-api-key.rb
new file mode 100644
index 00000000..21553cfb
--- /dev/null
+++ b/tests/system/delete-api-key.rb
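Review bot: In the scripts.rb hunk `createAPIKey` assigns `result` and never uses it, so the local is dead and the method returns the raw response only because the assignment happens to be the last expression. The helper immediately above ends with `result['data']`; following it here lets callers capture the new token, e.g. keep the local and add `result['data']` as the final line. tests/system/get-all-keys.rb ignores the return value, so the change is safe for the callers in this diff.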
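Review bot: The add-api-key.rb hunk opens with `describe'system/add-api-key' do`, missing the space after `describe`, and the same slip appears in delete-api-key.rb and get-all-keys.rb; write `describe 'system/add-api-key' do`. The second example is named `'should not add API key'`, which describes nothing about why; `it 'should not add API key with an already used name' do` states the rule under test. The `result= request(...)` spacing should also match the rest of the suite (`result = request(...)`).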
@@ -0,0 +1,30 @@
+describe'system/delete-api-key' do
+ request('/user/logout')
+ Scripts.login($staff[:email], $staff[:password], true)
+
+ it 'should not delete API key' do
+ result= request('/system/delete-api-key', {
+ csrf_userid: $csrf_userid,
+ csrf_token: $csrf_token,
+ name: 'new PIA'
+ })
+
+ (result['status']).should.equal('fail')
+ (result['message']).should.equal('INVALID_NAME')
+ end
+
+ it 'should delete API key' do
+ result= request('/system/delete-api-key', {
+ csrf_userid: $csrf_userid,
+ csrf_token: $csrf_token,
+ name: 'new API'
+ })
+
+ (result['status']).should.equal('success')
+
+ row = $database.getRow('apikey', 1, 'id')
+
+ (row).should.equal(nil)
+ end
+
+end
diff --git a/tests/system/get-all-keys.rb b/tests/system/get-all-keys.rb
new file mode 100644
index 00000000..a604af3d
--- /dev/null
+++ b/tests/system/get-all-keys.rb
@@ -0,0 +1,26 @@
+describe'system/get-all-keys' do
+ request('/user/logout')
+ Scripts.login($staff[:email], $staff[:password], true)
+
+ it 'should get all API keys' do
+ Scripts.createAPIKey('namekey1')
+ Scripts.createAPIKey('namekey2')
+ Scripts.createAPIKey('namekey3')
+ Scripts.createAPIKey('namekey4')
+ Scripts.createAPIKey('namekey5')
+
+ result= request('/system/get-all-keys', {
+ csrf_userid: $csrf_userid,
+ csrf_token: $csrf_token,
+ })
+
+ (result['status']).should.equal('success')
+ (result['data'][0]['name']).should.equal('namekey1')
+ (result['data'][1]['name']).should.equal('namekey2')
+ (result['data'][2]['name']).should.equal('namekey3')
+ (result['data'][3]['name']).should.equal('namekey4')
+ (result['data'][4]['name']).should.equal('namekey5')
+
+ end
+
+end
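Review bot: The success example in delete-api-key.rb asserts only that the `apikey` row is gone; nothing in this diff checks that a deleted key's token is subsequently rejected by the two places that consume it (the registration gate in signup.php and the Captcha rule), which is the property deletion exists to provide. A further example, `it 'should reject signup with a deleted API key' do`, that captures the token from the add-api-key response, deletes the key and then posts `/user/signup` with `apiKey:` set while registration is disabled would pin that behaviour. The negative example uses `name: 'new PIA'`, which exercises only the not-found path; a name that fails the length or character rule would also cover the validation branch.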
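Review bot: The assertions in get-all-keys.rb index `result['data'][0]` through `[4]` and expect insertion order, which presumes `APIKey::getAll()` returns rows ordered by id; nothing in this diff guarantees that, so the test is fragile against a change in the query. Comparing the sorted names removes the dependency: `names = result['data'].map { |k| k['name'] }.sort` followed by `(names).should.equal(['namekey1', 'namekey2', 'namekey3', 'namekey4', 'namekey5'])`. Since the response currently carries each key's `token` as well, this is also the natural place to assert whatever the listing is meant to expose once that decision is made.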