authorPaul Arthur <paul.arthur@flowerysong.com>2011-05-26 18:35:30 -0400
committerPaul Arthur <paul.arthur@flowerysong.com>2011-05-26 18:35:30 -0400
commit7c491ec1c7d5ca20cbbd8d6d1ed0de9be967a1bd (patch)
tree12f1ef655c704c04f3a208836228768d7d8ca517 /lib/class/api.class.php
parent830a739c89cfd266bffe941d6cd7657e89e945be (diff)
Clean up API::handshake
Use Access::check_network to check the ACLs. Be more restrictive about validating timestamps. Miscellaneous cleanup (line wraps, etc.)
Diffstat (limited to 'lib/class/api.class.php')
-rw-r--r--lib/class/api.class.php80
1 files changed, 36 insertions, 44 deletions
diff --git a/lib/class/api.class.php b/lib/class/api.class.php
index f23885c2..631308eb 100644
--- a/lib/class/api.class.php
+++ b/lib/class/api.class.php
@@ -115,80 +115,69 @@ class Api {
/**
* handshake
- * This is the function that handles the verifying a new handshake
- * this takes a timestamp, auth key, and client IP. Optionally it
- * can take a username, if non is passed the ACL must be non-use
- * specific
+ *
+ * This is the function that handles verifying a new handshake
+ * Takes a timestamp, auth key, and username.
*/
public static function handshake($input) {
- $timestamp = $input['timestamp'];
+ $timestamp = preg_replace('/[^0-9]/', '', $input['timestamp']);
$passphrase = $input['auth'];
$ip = $_SERVER['REMOTE_ADDR'];
$username = $input['user'];
$version = $input['version'];
- // Let them know we're attempting
- debug_event('API',"Attempting Handshake IP:$ip User:$username Version:$version",'5');
+ // Log the attempt
+ debug_event('API', "Handshake Attempt, IP:$ip User:$username Version:$version", 5);
if (intval($version) < self::$version) {
- debug_event('API','Login Failed version too old','1');
- Error::add('api','Login Failed version too old');
+ debug_event('API', 'Login Failed: version too old', 1);
+ Error::add('api', 'Login Failed: version too old');
return false;
}
- // If the timestamp is over 2hr old sucks to be them
- if ($timestamp < (time() - 14400)) {
- debug_event('API','Login Failed, timestamp too old','1');
- Error::add('api','Login Failed, timestamp too old');
+ // If the timestamp isn't within 30 minutes sucks to be them
+ if (($timestamp < (time() - 1800)) ||
+ ($timestamp > (time() + 1800))) {
+ debug_event('API', 'Login Failed: timestamp out of range', 1);
+ Error::add('api', 'Login Failed: timestamp out of range');
return false;
}
- // First we'll filter by username and IP
+ // Grab the correct userid
+ // FIXME: Does this if/else make sense with the new ACLs?
if (!trim($username)) {
$user_id = '-1';
}
else {
$client = User::get_from_username($username);
- $user_id =$client->id;
+ $user_id = $client->id;
}
-
- // Clean incomming variables
- $user_id = Dba::escape($user_id);
- $timestamp = preg_replace('/[^0-9]/', '', $timestamp);
- $ip = inet_pton($ip);
+ $user_id = Dba::escape($user_id);
// Log this attempt
- debug_event('API','Login Attempt, IP:' . inet_ntop($ip) . ' Time:' . $timestamp . ' User:' . $username . '(' . $user_id . ') Auth:' . $passphrase,'1');
-
- $ip = Dba::escape($ip);
-
- // Run the query and return the passphrases as we'll have to mangle them
- // to figure out if they match what we've got
- $sql = "SELECT * FROM `access_list` " .
- "WHERE `type`='rpc' AND (`user`='$user_id' OR `access_list`.`user`='-1') " .
- "AND `start` <= '$ip' AND `end` >= '$ip'";
- $db_results = Dba::read($sql);
-
- while ($row = Dba::fetch_assoc($db_results)) {
+ debug_event('API', "Login Attempt, IP:$ip Time: $timestamp User:$username ($user_id) Auth:$passphrase", 1);
- // Now we're sure that there is an ACL line that matches this user or ALL USERS,
- // pull the users password and then see what we come out with
+ if (Access::check_network('api', $user_id, 5, $ip)) {
+ // Now we're sure that there is an ACL line that matches
+ // this user or ALL USERS, pull the user's password and
+ // then see what we come out with
$sql = "SELECT * FROM `user` WHERE `id`='$user_id'";
- $user_results = Dba::read($sql);
+ $db_results = Dba::read($sql);
- $row = Dba::fetch_assoc($user_results);
+ $row = Dba::fetch_assoc($db_results);
if (!$row['password']) {
- debug_event('API','Unable to find user with username of ' . $user_id,'1');
+ debug_event('API', 'Unable to find user with userid of ' . $user_id, 1);
Error::add('api','Invalid Username/Password');
return false;
}
- $sha1pass = hash('sha256',$timestamp . $row['password']);
+ $sha1pass = hash('sha256', $timestamp . $row['password']);
if ($sha1pass === $passphrase) {
- // Create the Session, in this class for now needs to be moved
+ // Create the session
+ // FIXME: needs to be moved to the correct class
$data['username'] = $client->username;
$data['type'] = 'api';
$data['value'] = $timestamp;
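Review bot: The new log line `debug_event('API', "Login Attempt, IP:$ip Time: $timestamp User:$username ($user_id) Auth:$passphrase", 1);` writes the client's auth token to the debug log, and since the token is `hash('sha256', $timestamp . $row['password'])` and the timestamp is now accepted for a ±30 minute window, a logged token stays valid for the rest of that window for anyone who can read the log; the removed line had the same problem, so the commit does not address it. Dropping the field, `debug_event('API', "Login Attempt, IP:$ip Time: $timestamp User:$username ($user_id)", 1);`, still records everything needed to trace a failed handshake. As a point of style, `$sha1pass` now holds a sha256 digest, so a name such as `$expected` would avoid the misleading label. Note also that `$user_id` is passed to `Access::check_network` after `Dba::escape`; whether check_network escapes its arguments again is not visible here, and with `$user_id` being either '-1' or an integer id this is harmless today, but a one-line comment on why the escape happens before the ACL check would help the next reader. handshake continues into the next hunk, so the session-creation branch that uses `$client->username` is only partly visible.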
@@ -196,16 +185,19 @@ class Api {
// Insert the token into the streamer
Stream::insert_session($token,$client->id);
- debug_event('API','Login Success, passphrase matched','1');
+ debug_event('API', 'Login Success, passphrase matched', 1);
- // We need to also get the 'last update' of the catalog information in an RFC 2822 Format
+ // We need to also get the 'last update' of the
+ // catalog information in an RFC 2822 Format
$sql = "SELECT MAX(`last_update`) AS `update`,MAX(`last_add`) AS `add`, MAX(`last_clean`) AS `clean` FROM `catalog`";
$db_results = Dba::read($sql);
$row = Dba::fetch_assoc($db_results);
- // Now we need to quickly get the totals of songs
- $sql = "SELECT COUNT(`id`) AS `song`,COUNT(DISTINCT(`album`)) AS `album`," .
- "COUNT(DISTINCT(`artist`)) AS `artist` FROM `song`";
+ // Now we need to quickly get the song totals
+ $sql = 'SELECT COUNT(`id`) AS `song`, ' .
+ 'COUNT(DISTINCT(`album`)) AS `album`, '.
+ 'COUNT(DISTINCT(`artist`)) AS `artist` ' .
+ 'FROM `song`';
$db_results = Dba::read($sql);
$counts = Dba::fetch_assoc($db_results);