Add user endpoint

2020-09-04 16:36:32 +02:00 · 2020-09-04 16:36:32 +02:00 · d3551c4f0c
parent 3526c1f058
commit d3551c4f0c
1 changed files with 103 additions and 16 deletions
--- a/jensmemes.php
+++ b/jensmemes.php
@ -41,19 +41,19 @@ if ($method == "GET") {
            $obj->status = 200;
            $query = "SELECT * FROM images";
            if (isset($_GET["category"])) {
-                $query = addCondition('cat="' . $_GET["category"] . '"', $query);
+                $query = addCondition('cat="' . santinize($_GET["category"]) . '"', $query);
            }
            if (isset($_GET["user"])) {
-                $query = addCondition('user LIKE "%' . $_GET["user"] . '%"', $query);
+                $query = addCondition('user LIKE "%' . santinize($_GET["user"]) . '%"', $query);
            }
            if (isset($_GET["search"])) {
-                $query = addCondition('path LIKE "%' . $_GET["search"] . '%"', $query);
+                $query = addCondition('path LIKE "%' . santinize($_GET["search"]) . '%"', $query);
            }
            $obj->memes = memesArray($query);
            break;
        case "/meme":
            if (isset($_GET["id"])) {
-                $q = 'SELECT * FROM images WHERE id=' . $_GET["id"];
+                $q = 'SELECT * FROM images WHERE id=' . santinize($_GET["id"]);
                $res = mysqli_query($jmcon, $q);
                checksql($res);
                $row = mysqli_fetch_array($res, MYSQLI_ASSOC);
@ -70,10 +70,10 @@ if ($method == "GET") {
        case "/random":
            $query = "SELECT * FROM images";
            if (isset($_GET["category"])) {
-                $query = addCondition('cat="' . $_GET["category"] . '"', $query);
+                $query = addCondition('cat="' . santinize($_GET["category"]) . '"', $query);
            }
            if (isset($_GET["user"])) {
-                $query = addCondition('user LIKE "%' . $_GET["user"] . '%"', $query);
+                $query = addCondition('user LIKE "%' . santinize($_GET["user"]) . '%"', $query);
            }
            $memes = memesArray($query);
            $random = rand(0, count($memes) - 1);
@ -91,7 +91,7 @@ if ($method == "GET") {
            break;
        case "/category":
            if (isset($_GET["id"])) {
-                $q = 'SELECT * FROM cats WHERE id="' . $_GET["id"] . '"';
+                $q = 'SELECT * FROM cats WHERE id="' . santinize($_GET["id"]) . '"';
                $res = mysqli_query($jmcon, $q);
                checksql($res);
                $row = mysqli_fetch_array($res, MYSQLI_ASSOC);
@ -110,8 +110,9 @@ if ($method == "GET") {
            while ($row = mysqli_fetch_array($res_users, MYSQLI_ASSOC)) {
                $user = new stdClass();
                $user->name = $row["name"];
-                $user->tokenhash = $row["userdir"];
+                $user->tokenhash = md5($row["token"]);
                $user->userdir = $row["userdir"];
+                $user->id = $row["userdir"];
                $user->dayuploads = $row["uploadsLast24H"];
                array_push($users, $user);
            }
@ -119,12 +120,31 @@ if ($method == "GET") {
            $obj->users = $users;
            $obj->status = 200;
            break;
-        case "/token/random":
-            if (isset($_GET["user"])) {
+        case "/user":
+            $q_user = "SELECT * FROM token";
+            if ($_GET["id"]) {
+                $q_user = addCondition('userdir="' . santinize($_GET["id"]) . '"', $q_user);
+            }
+            else if ($_GET["token"]) {
+                $q_user = addCondition('token="' . santinize($_GET["token"]) . '"', $q_user);
+            }
+            else if ($_GET["name"]) {
+                $q_user = addCondition('name LIKE "%' . santinize($_GET["name"]) . '%"', $q_user);
+            }
+            $res = mysqli_query($jmcon, $q_user);
+            checksql($res);
+            $row = mysqli_fetch_array($res, MYSQLI_ASSOC);
+            if ($row) {
+                $user = new stdClass();
+                $user->name = $row["name"];
+                $user->tokenhash = md5($row["token"]);
+                $user->userdir = $row["userdir"];
+                $user->id = $row["userdir"];
+                $user->dayuploads = $row["uploadsLast24H"];
+                $obj->user = $user;
                $obj->status = 200;
-                $obj->token = genToken($_GET["user"]);
            } else {
-                $obj->error = "Need to set a user with ?user";
+                $obj->error = "user not found";
            }
            break;
        default:
@ -136,6 +156,8 @@ if ($method == "GET") {
        case "/upload":
            upload();
            break;
+        case "/admin":
+            admin(file_get_contents("php://input"));
    }


@ -214,11 +236,22 @@ function genToken($discord) {
    return md5($prehash);
 }

+function santinize($input) {
+    global $jmcon;
+    $out = str_replace(" ", "", $input);
+    $out = str_replace("'", "", $out);
+    $out = str_replace('"', "", $out);
+    $out = mysqli_escape_string($jmcon, $out);
+    return $out;
+}
+
 function upload() {
    global $jmcon;
    global $obj;
    global $jmimagepath;
+    global $jmurl;
    $token = $_POST["token"];
+    $token = santinize($token);
    $cat = $_POST["category"];
    $obj->token = $token;
    if (isset($token)) {
@ -243,10 +276,10 @@ function upload() {
                    $type = gettype($_FILES['file']['name']);
                    if ($type != "array") {
                        $filename = $_FILES['file']['name'];
-                        if (isset($filename)) {
-                            $obj->file = $filename;
+                        if ($filename != "") {
                            move_uploaded_file($_FILES['file']['tmp_name'], $jmimagepath . $homedir . "/" . $filename);
                            $path = "images/" . $homedir . "/" . $filename;
+                            $obj->file = $jmurl.$path;
                            $clientIP = $_SERVER['REMOTE_ADDR'];;
                            $sqlType = "INSERT INTO images (user, path, cat, ip) VALUES ('$user', '$path', '$cat', '$clientIP')";
                            $res = mysqli_query($jmcon, $sqlType);
@ -256,10 +289,10 @@ function upload() {
                        $obj->files = array();
                        for ($i = 0; $i < $countfiles; $i++) {
                            $filename = $_FILES['file']['name'][$i];
-                            if (isset($filename)) {
-                                array_push($obj->files, $filename);
+                            if ($filename != "") {
                                move_uploaded_file($_FILES['file']['tmp_name'][$i], $jmimagepath . $homedir . "/" . $filename);
                                $path = "images/" . $homedir . "/" . $filename;
+                                array_push($obj->files, $jmurl.$path);
                                $clientIP = $_SERVER['REMOTE_ADDR'];;
                                $sqlType = "INSERT INTO images (user, path, cat, ip) VALUES ('$user', '$path', '$cat', '$clientIP')";
                                $res = mysqli_query($jmcon, $sqlType);
@ -284,3 +317,57 @@ function upload() {
        $obj->status = 401;
    }
 }
+
+function admin($data) {
+    global $obj;
+    global $jmkey;
+    global $jmcon;
+    $decr = "";
+    openssl_public_decrypt(base64_decode($data), $decr, $jmkey);
+    $req = json_decode($decr);
+    if ($req == null) {
+        $obj->status = 400;
+        $obj->error = "bad request or unauthorized";
+    } else {
+        switch ($req->method) {
+            case "gettoken":
+                $user = $req->user;
+                $query = "SELECT * FROM token WHERE name='$user'";
+                $res = mysqli_query($jmcon, $query);
+                checksql($res);
+                $tok = mysqli_fetch_array($res, MYSQLI_ASSOC);
+                if ($tok) {
+                    $obj->status = 200;
+                    $obj->token = encrypt($tok["token"], $jmkey);
+                }
+                break;
+            case "register":
+                $user = $req->user;
+                $query = "SELECT * FROM token WHERE name='$user'";
+                $res = mysqli_query($jmcon, $query);
+                checksql($res);
+                $tok = mysqli_fetch_array($res, MYSQLI_ASSOC);
+                if ($tok) {
+                    $obj->status = 200;
+                    $obj->token = encrypt($tok["token"], $jmkey);
+                } else {
+                    $token = genToken($user);
+                    $userdir = md5($user);
+                    $query = "INSERT INTO token (name, token, userdir) VALUES ('$user', '$token', '$userdir')";
+                    $res = mysqli_query($jmcon, $query);
+                    checksql($res);
+                    if ($res) {
+                        $obj->status = 201;
+                        $obj->token = encrypt($token, $jmkey);
+                        $obj->userdir = $userdir;
+                    }
+                }
+        }
+    }
+}
+
+function encrypt($data, $pubkey) {
+    $encr = "";
+    openssl_public_encrypt($data, $encr, $pubkey);
+    return base64_encode($encr);
+}