Add user endpoint

This commit is contained in:
Timo Ley 2020-09-04 16:36:32 +02:00
parent 3526c1f058
commit d3551c4f0c

View file

@ -41,19 +41,19 @@ if ($method == "GET") {
$obj->status = 200; $obj->status = 200;
$query = "SELECT * FROM images"; $query = "SELECT * FROM images";
if (isset($_GET["category"])) { if (isset($_GET["category"])) {
$query = addCondition('cat="' . $_GET["category"] . '"', $query); $query = addCondition('cat="' . santinize($_GET["category"]) . '"', $query);
} }
if (isset($_GET["user"])) { if (isset($_GET["user"])) {
$query = addCondition('user LIKE "%' . $_GET["user"] . '%"', $query); $query = addCondition('user LIKE "%' . santinize($_GET["user"]) . '%"', $query);
} }
if (isset($_GET["search"])) { if (isset($_GET["search"])) {
$query = addCondition('path LIKE "%' . $_GET["search"] . '%"', $query); $query = addCondition('path LIKE "%' . santinize($_GET["search"]) . '%"', $query);
} }
$obj->memes = memesArray($query); $obj->memes = memesArray($query);
break; break;
case "/meme": case "/meme":
if (isset($_GET["id"])) { if (isset($_GET["id"])) {
$q = 'SELECT * FROM images WHERE id=' . $_GET["id"]; $q = 'SELECT * FROM images WHERE id=' . santinize($_GET["id"]);
$res = mysqli_query($jmcon, $q); $res = mysqli_query($jmcon, $q);
checksql($res); checksql($res);
$row = mysqli_fetch_array($res, MYSQLI_ASSOC); $row = mysqli_fetch_array($res, MYSQLI_ASSOC);
@ -70,10 +70,10 @@ if ($method == "GET") {
case "/random": case "/random":
$query = "SELECT * FROM images"; $query = "SELECT * FROM images";
if (isset($_GET["category"])) { if (isset($_GET["category"])) {
$query = addCondition('cat="' . $_GET["category"] . '"', $query); $query = addCondition('cat="' . santinize($_GET["category"]) . '"', $query);
} }
if (isset($_GET["user"])) { if (isset($_GET["user"])) {
$query = addCondition('user LIKE "%' . $_GET["user"] . '%"', $query); $query = addCondition('user LIKE "%' . santinize($_GET["user"]) . '%"', $query);
} }
$memes = memesArray($query); $memes = memesArray($query);
$random = rand(0, count($memes) - 1); $random = rand(0, count($memes) - 1);
@ -91,7 +91,7 @@ if ($method == "GET") {
break; break;
case "/category": case "/category":
if (isset($_GET["id"])) { if (isset($_GET["id"])) {
$q = 'SELECT * FROM cats WHERE id="' . $_GET["id"] . '"'; $q = 'SELECT * FROM cats WHERE id="' . santinize($_GET["id"]) . '"';
$res = mysqli_query($jmcon, $q); $res = mysqli_query($jmcon, $q);
checksql($res); checksql($res);
$row = mysqli_fetch_array($res, MYSQLI_ASSOC); $row = mysqli_fetch_array($res, MYSQLI_ASSOC);
@ -110,8 +110,9 @@ if ($method == "GET") {
while ($row = mysqli_fetch_array($res_users, MYSQLI_ASSOC)) { while ($row = mysqli_fetch_array($res_users, MYSQLI_ASSOC)) {
$user = new stdClass(); $user = new stdClass();
$user->name = $row["name"]; $user->name = $row["name"];
$user->tokenhash = $row["userdir"]; $user->tokenhash = md5($row["token"]);
$user->userdir = $row["userdir"]; $user->userdir = $row["userdir"];
$user->id = $row["userdir"];
$user->dayuploads = $row["uploadsLast24H"]; $user->dayuploads = $row["uploadsLast24H"];
array_push($users, $user); array_push($users, $user);
} }
@ -119,12 +120,31 @@ if ($method == "GET") {
$obj->users = $users; $obj->users = $users;
$obj->status = 200; $obj->status = 200;
break; break;
case "/token/random": case "/user":
if (isset($_GET["user"])) { $q_user = "SELECT * FROM token";
if ($_GET["id"]) {
$q_user = addCondition('userdir="' . santinize($_GET["id"]) . '"', $q_user);
}
else if ($_GET["token"]) {
$q_user = addCondition('token="' . santinize($_GET["token"]) . '"', $q_user);
}
else if ($_GET["name"]) {
$q_user = addCondition('name LIKE "%' . santinize($_GET["name"]) . '%"', $q_user);
}
$res = mysqli_query($jmcon, $q_user);
checksql($res);
$row = mysqli_fetch_array($res, MYSQLI_ASSOC);
if ($row) {
$user = new stdClass();
$user->name = $row["name"];
$user->tokenhash = md5($row["token"]);
$user->userdir = $row["userdir"];
$user->id = $row["userdir"];
$user->dayuploads = $row["uploadsLast24H"];
$obj->user = $user;
$obj->status = 200; $obj->status = 200;
$obj->token = genToken($_GET["user"]);
} else { } else {
$obj->error = "Need to set a user with ?user"; $obj->error = "user not found";
} }
break; break;
default: default:
@ -136,6 +156,8 @@ if ($method == "GET") {
case "/upload": case "/upload":
upload(); upload();
break; break;
case "/admin":
admin(file_get_contents("php://input"));
} }
@ -214,11 +236,22 @@ function genToken($discord) {
return md5($prehash); return md5($prehash);
} }
function santinize($input) {
global $jmcon;
$out = str_replace(" ", "", $input);
$out = str_replace("'", "", $out);
$out = str_replace('"', "", $out);
$out = mysqli_escape_string($jmcon, $out);
return $out;
}
function upload() { function upload() {
global $jmcon; global $jmcon;
global $obj; global $obj;
global $jmimagepath; global $jmimagepath;
global $jmurl;
$token = $_POST["token"]; $token = $_POST["token"];
$token = santinize($token);
$cat = $_POST["category"]; $cat = $_POST["category"];
$obj->token = $token; $obj->token = $token;
if (isset($token)) { if (isset($token)) {
@ -243,10 +276,10 @@ function upload() {
$type = gettype($_FILES['file']['name']); $type = gettype($_FILES['file']['name']);
if ($type != "array") { if ($type != "array") {
$filename = $_FILES['file']['name']; $filename = $_FILES['file']['name'];
if (isset($filename)) { if ($filename != "") {
$obj->file = $filename;
move_uploaded_file($_FILES['file']['tmp_name'], $jmimagepath . $homedir . "/" . $filename); move_uploaded_file($_FILES['file']['tmp_name'], $jmimagepath . $homedir . "/" . $filename);
$path = "images/" . $homedir . "/" . $filename; $path = "images/" . $homedir . "/" . $filename;
$obj->file = $jmurl.$path;
$clientIP = $_SERVER['REMOTE_ADDR'];; $clientIP = $_SERVER['REMOTE_ADDR'];;
$sqlType = "INSERT INTO images (user, path, cat, ip) VALUES ('$user', '$path', '$cat', '$clientIP')"; $sqlType = "INSERT INTO images (user, path, cat, ip) VALUES ('$user', '$path', '$cat', '$clientIP')";
$res = mysqli_query($jmcon, $sqlType); $res = mysqli_query($jmcon, $sqlType);
@ -256,10 +289,10 @@ function upload() {
$obj->files = array(); $obj->files = array();
for ($i = 0; $i < $countfiles; $i++) { for ($i = 0; $i < $countfiles; $i++) {
$filename = $_FILES['file']['name'][$i]; $filename = $_FILES['file']['name'][$i];
if (isset($filename)) { if ($filename != "") {
array_push($obj->files, $filename);
move_uploaded_file($_FILES['file']['tmp_name'][$i], $jmimagepath . $homedir . "/" . $filename); move_uploaded_file($_FILES['file']['tmp_name'][$i], $jmimagepath . $homedir . "/" . $filename);
$path = "images/" . $homedir . "/" . $filename; $path = "images/" . $homedir . "/" . $filename;
array_push($obj->files, $jmurl.$path);
$clientIP = $_SERVER['REMOTE_ADDR'];; $clientIP = $_SERVER['REMOTE_ADDR'];;
$sqlType = "INSERT INTO images (user, path, cat, ip) VALUES ('$user', '$path', '$cat', '$clientIP')"; $sqlType = "INSERT INTO images (user, path, cat, ip) VALUES ('$user', '$path', '$cat', '$clientIP')";
$res = mysqli_query($jmcon, $sqlType); $res = mysqli_query($jmcon, $sqlType);
@ -284,3 +317,57 @@ function upload() {
$obj->status = 401; $obj->status = 401;
} }
} }
function admin($data) {
global $obj;
global $jmkey;
global $jmcon;
$decr = "";
openssl_public_decrypt(base64_decode($data), $decr, $jmkey);
$req = json_decode($decr);
if ($req == null) {
$obj->status = 400;
$obj->error = "bad request or unauthorized";
} else {
switch ($req->method) {
case "gettoken":
$user = $req->user;
$query = "SELECT * FROM token WHERE name='$user'";
$res = mysqli_query($jmcon, $query);
checksql($res);
$tok = mysqli_fetch_array($res, MYSQLI_ASSOC);
if ($tok) {
$obj->status = 200;
$obj->token = encrypt($tok["token"], $jmkey);
}
break;
case "register":
$user = $req->user;
$query = "SELECT * FROM token WHERE name='$user'";
$res = mysqli_query($jmcon, $query);
checksql($res);
$tok = mysqli_fetch_array($res, MYSQLI_ASSOC);
if ($tok) {
$obj->status = 200;
$obj->token = encrypt($tok["token"], $jmkey);
} else {
$token = genToken($user);
$userdir = md5($user);
$query = "INSERT INTO token (name, token, userdir) VALUES ('$user', '$token', '$userdir')";
$res = mysqli_query($jmcon, $query);
checksql($res);
if ($res) {
$obj->status = 201;
$obj->token = encrypt($token, $jmkey);
$obj->userdir = $userdir;
}
}
}
}
}
function encrypt($data, $pubkey) {
$encr = "";
openssl_public_encrypt($data, $encr, $pubkey);
return base64_encode($encr);
}