dolibarr  16.0.5
api_login.class.php
1 <?php
2 /* Copyright (C) 2015 Jean-Fran├žois Ferry <jfefe@aternatik.fr>
3  * Copyright (C) 2016 Laurent Destailleur <eldy@users.sourceforge.net>
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License as published by
7  * the Free Software Foundation; either version 3 of the License, or
8  * (at your option) any later version.
9  *
10  * This program is distributed in the hope that it will be useful,
11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13  * GNU General Public License for more details.
14  *
15  * You should have received a copy of the GNU General Public License
16  * along with this program. If not, see <https://www.gnu.org/licenses/>.
17  */
18 
19 use Luracast\Restler\RestException;
20 
21 require_once DOL_DOCUMENT_ROOT.'/user/class/user.class.php';
22 
26 class Login
27 {
28 
32  public function __construct()
33  {
34  global $conf, $db;
35  $this->db = $db;
36 
37  //$conf->global->MAIN_MODULE_API_LOGIN_DISABLED = 1;
38  if (!empty($conf->global->MAIN_MODULE_API_LOGIN_DISABLED)) {
39  throw new RestException(403, "Error login APIs are disabled. You must get the token from backoffice to be able to use APIs");
40  }
41  }
42 
62  public function loginUnsecured($login, $password, $entity = '', $reset = 0)
63  {
64  return $this->index($login, $password, $entity, $reset);
65  }
66 
86  public function index($login, $password, $entity = '', $reset = 0)
87  {
88  global $conf, $dolibarr_main_authentication, $dolibarr_auto_user;
89 
90  // Is the login API disabled ? The token must be generated from backoffice only.
91  if (! empty($conf->global->API_DISABLE_LOGIN_API)) {
92  dol_syslog("Warning: A try to use the login API has been done while the login API is disabled. You must generate or get the token from the backoffice.", LOG_WARNING);
93  throw new RestException(403, "Error, the login API has been disabled for security purpose. You must generate or get the token from the backoffice.");
94  }
95 
96  // Authentication mode
97  if (empty($dolibarr_main_authentication)) {
98  $dolibarr_main_authentication = 'dolibarr';
99  }
100 
101  // Authentication mode: forceuser
102  if ($dolibarr_main_authentication == 'forceuser') {
103  if (empty($dolibarr_auto_user)) {
104  $dolibarr_auto_user = 'auto';
105  }
106  if ($dolibarr_auto_user != $login) {
107  dol_syslog("Warning: your instance is set to use the automatic forced login '".$dolibarr_auto_user."' that is not the requested login. API usage is forbidden in this mode.");
108  throw new RestException(403, "Your instance is set to use the automatic login '".$dolibarr_auto_user."' that is not the requested login. API usage is forbidden in this mode.");
109  }
110  }
111 
112  // Set authmode
113  $authmode = explode(',', $dolibarr_main_authentication);
114 
115  if ($entity != '' && !is_numeric($entity)) {
116  throw new RestException(403, "Bad value for entity, must be the numeric ID of company.");
117  }
118  if ($entity == '') {
119  $entity = 1;
120  }
121 
122  include_once DOL_DOCUMENT_ROOT.'/core/lib/security2.lib.php';
123  $login = checkLoginPassEntity($login, $password, $entity, $authmode, 'api'); // Check credentials.
124  if (empty($login)) {
125  throw new RestException(403, 'Access denied');
126  }
127 
128  $token = 'failedtogenerateorgettoken';
129 
130  $tmpuser = new User($this->db);
131  $tmpuser->fetch(0, $login, 0, 0, $entity);
132  if (empty($tmpuser->id)) {
133  throw new RestException(500, 'Failed to load user');
134  }
135 
136  // Renew the hash
137  if (empty($tmpuser->api_key) || $reset) {
138  $tmpuser->getrights();
139  if (empty($tmpuser->rights->user->self->creer)) {
140  if (empty($tmpuser->api_key)) {
141  throw new RestException(403, 'No API token set for this user and user need write permission on itself to reset its API token');
142  } else {
143  throw new RestException(403, 'User need write permission on itself to reset its API token');
144  }
145  }
146 
147  // Generate token for user
148  $token = dol_hash($login.uniqid().(empty($conf->global->MAIN_API_KEY)?'':$conf->global->MAIN_API_KEY), 1);
149 
150  // We store API token into database
151  $sql = "UPDATE ".MAIN_DB_PREFIX."user";
152  $sql .= " SET api_key = '".$this->db->escape($token)."'";
153  $sql .= " WHERE login = '".$this->db->escape($login)."'";
154 
155  dol_syslog(get_class($this)."::login", LOG_DEBUG); // No log
156  $result = $this->db->query($sql);
157  if (!$result) {
158  throw new RestException(500, 'Error when updating api_key for user :'.$this->db->lasterror());
159  }
160  } else {
161  $token = $tmpuser->api_key;
162  }
163 
164  //return token
165  return array(
166  'success' => array(
167  'code' => 200,
168  'token' => $token,
169  'entity' => $tmpuser->entity,
170  'message' => 'Welcome '.$login.($reset ? ' - Token is new' : ' - This is your token (recorded for your user). You can use it to make any REST API call, or enter it into the DOLAPIKEY field to use the Dolibarr API explorer.')
171  )
172  );
173  }
174 }
db
$conf db
API class for accounts.
Definition: inc.php:41
Login\loginUnsecured
loginUnsecured($login, $password, $entity='', $reset=0)
Login.
Definition: api_login.class.php:62
dol_hash
dol_hash($chain, $type='0')
Returns a hash of a string.
Definition: security.lib.php:104
checkLoginPassEntity
checkLoginPassEntity($usertotest, $passwordtotest, $entitytotest, $authmode, $context='')
Return a login if login/pass was successfull.
Definition: security2.lib.php:57
dol_syslog
dol_syslog($message, $level=LOG_INFO, $ident=0, $suffixinfilename='', $restricttologhandler='', $logcontext=null)
Write log message into outputs.
Definition: functions.lib.php:1603
Login
API that allows to log in with an user account.
Definition: api_login.class.php:26
User
Class to manage Dolibarr users.
Definition: user.class.php:44
Login\index
index($login, $password, $entity='', $reset=0)
Login.
Definition: api_login.class.php:86
Login\__construct
__construct()
Constructor of the class.
Definition: api_login.class.php:32