get api key from http header only

Christian Cordiviola · Christian Cordiviola · commit 70204f1a5d27 · 2024-02-23T17:05:20.000+01:00
diff --git a/www/addresses.php b/www/addresses.php
@@ -5,7 +5,8 @@
 // found in the LICENSE.md file.
 require_once __DIR__ . '/common.inc';
 
-if (isset($_REQUEST['k'])) {
+$user_api_key = $request_context->getApiKeyInUse();
+if (strlen($user_api_key)) {
     $keys_file = SETTINGS_PATH . '/keys.ini';
     if (file_exists(SETTINGS_PATH . '/common/keys.ini')) {
         $keys_file = SETTINGS_PATH . '/common/keys.ini';
@@ -14,7 +15,7 @@
         $keys_file = SETTINGS_PATH . '/server/keys.ini';
     }
     $keys = parse_ini_file($keys_file, true);
-    if (isset($keys['server']['key']) && $_REQUEST['k'] == $keys['server']['key']) {
+    if (isset($keys['server']['key']) && $user_api_key == $keys['server']['key']) {
         $admin = true;
     }
 }
diff --git a/www/getLocations.php b/www/getLocations.php
@@ -201,7 +201,8 @@ function LoadLocations($isPaid = false)
     $isPaid = false;
     $locations = array();
     $loc = LoadLocationsIni();
-    if (isset($_REQUEST['k'])) {
+    $user_api_key = $request_context->getApiKeyInUse();
+    if (strlen($user_api_key)) {
         foreach ($loc as $name => $location) {
             if (isset($location['browser']) && isset($location['noapi'])) {
                 unset($loc[$name]);
diff --git a/www/getTesters.php b/www/getTesters.php
@@ -8,7 +8,8 @@
     //header("HTTP/1.1 403 Unauthorized");
     //exit;
 }
-if (isset($_REQUEST['k'])) {
+$user_api_key = $request_context->getApiKeyInUse();
+if (strlen($user_api_key)) {
     $keys_file = SETTINGS_PATH . '/keys.ini';
     if (file_exists(SETTINGS_PATH . '/common/keys.ini')) {
         $keys_file = SETTINGS_PATH . '/common/keys.ini';
@@ -17,7 +18,7 @@
         $keys_file = SETTINGS_PATH . '/server/keys.ini';
     }
     $keys = parse_ini_file($keys_file, true);
-    if (isset($keys['server']['key']) && $_REQUEST['k'] == $keys['server']['key']) {
+    if (isset($keys['server']['key']) && $user_api_key == $keys['server']['key']) {
         $admin = true;
     }
 }
diff --git a/www/src/RequestContext.php b/www/src/RequestContext.php
@@ -131,7 +131,7 @@ public function getHost(): string
 
     public function setEnvironment(?string $env = ''): void
     {
-      // This should really be a match, but we're on 7.4
+        // This should really be a match, but we're on 7.4
         switch ($env) {
             case 'development':
                 $this->environment = Environment::$Development;
@@ -161,21 +161,17 @@ public function getEnvironment(): string
     public function getApiKeyInUse(): string
     {
         if (empty($this->api_key_in_use)) {
-            $user_api_key = $this->getRaw()['k'] ?? "";
-            if (empty($user_api_key)) {
-                $user_api_key_header = $this->user_api_key_header;
-                $request_headers = getallheaders();
-                $matching_headers = array_filter($request_headers, function ($k) use ($user_api_key_header) {
-                    return strtolower($k) == strtolower($user_api_key_header);
-                }, ARRAY_FILTER_USE_KEY);
-                if (!empty($matching_headers)) {
-                    $user_api_key = array_values($matching_headers)[0];
-                }
+            $user_api_key_header = $this->user_api_key_header;
+            $request_headers = getallheaders();
+            $matching_headers = array_filter($request_headers, function ($k) use ($user_api_key_header) {
+                return strtolower($k) == strtolower($user_api_key_header);
+            }, ARRAY_FILTER_USE_KEY);
+            if (!empty($matching_headers)) {
+                $user_api_key = array_values($matching_headers)[0];
             }
-
-            $this->api_key_in_use = $user_api_key;
+            $this->api_key_in_use = $user_api_key ?? "";
         }
 
-        return $this->api_key_in_use;
+        return $this->api_key_in_use ?? "";
     }
 }
diff --git a/www/usage.php b/www/usage.php
@@ -26,8 +26,9 @@
 ?>
 
 <?php
-if (array_key_exists('k', $_REQUEST) && strlen($_REQUEST['k'])) {
-    $key = trim($_REQUEST['k']);
+$user_api_key = $request_context->getApiKeyInUse();
+if (strlen($user_api_key)) {
+    $key = trim($user_api_key);
     $keys_file = SETTINGS_PATH . '/keys.ini';
     if (file_exists(SETTINGS_PATH . '/common/keys.ini')) {
         $keys_file = SETTINGS_PATH . '/common/keys.ini';

Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,8 @@`
`5`	`5`	`// found in the LICENSE.md file.`
`6`	`6`	`require_once __DIR__ . '/common.inc';`
`7`	`7`
`8`		`-if (isset($_REQUEST['k'])) {`
	`8`	`+$user_api_key = $request_context->getApiKeyInUse();`
	`9`	`+if (strlen($user_api_key)) {`
`9`	`10`	`$keys_file = SETTINGS_PATH . '/keys.ini';`
`10`	`11`	`if (file_exists(SETTINGS_PATH . '/common/keys.ini')) {`
`11`	`12`	`$keys_file = SETTINGS_PATH . '/common/keys.ini';`
`@@ -14,7 +15,7 @@`
`14`	`15`	`$keys_file = SETTINGS_PATH . '/server/keys.ini';`
`15`	`16`	`}`
`16`	`17`	`$keys = parse_ini_file($keys_file, true);`
`17`		`- if (isset($keys['server']['key']) && $_REQUEST['k'] == $keys['server']['key']) {`
	`18`	`+ if (isset($keys['server']['key']) && $user_api_key == $keys['server']['key']) {`
`18`	`19`	`$admin = true;`
`19`	`20`	`}`
`20`	`21`	`}`
Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,8 @@`
`8`	`8`	`//header("HTTP/1.1 403 Unauthorized");`
`9`	`9`	`//exit;`
`10`	`10`	`}`
`11`		`-if (isset($_REQUEST['k'])) {`
	`11`	`+$user_api_key = $request_context->getApiKeyInUse();`
	`12`	`+if (strlen($user_api_key)) {`
`12`	`13`	`$keys_file = SETTINGS_PATH . '/keys.ini';`
`13`	`14`	`if (file_exists(SETTINGS_PATH . '/common/keys.ini')) {`
`14`	`15`	`$keys_file = SETTINGS_PATH . '/common/keys.ini';`
`@@ -17,7 +18,7 @@`
`17`	`18`	`$keys_file = SETTINGS_PATH . '/server/keys.ini';`
`18`	`19`	`}`
`19`	`20`	`$keys = parse_ini_file($keys_file, true);`
`20`		`- if (isset($keys['server']['key']) && $_REQUEST['k'] == $keys['server']['key']) {`
	`21`	`+ if (isset($keys['server']['key']) && $user_api_key == $keys['server']['key']) {`
`21`	`22`	`$admin = true;`
`22`	`23`	`}`
`23`	`24`	`}`