Allow providing the API key also via a query parameter (closes #329)

Bernd Bestel 2019-08-10 13:30:50 +02:00
parent 19935276e9
commit d6e9dc1b59
No known key found for this signature in database
GPG Key ID: 71BD34C0D4891300
3 changed files with 17 additions and 2 deletions


@ -7,3 +7,4 @@
- New endpoint `/stock/shoppinglist/remove-product` to remove a product from a shopping list (thanks @Forceu)
- When adding a product (through `stock/product/{productId}/add` or `stock/product/{productId}/inventory`) with omitted best before date and if the given product has "Default best before days" set, the best before date is calculated based on that (so far always today was used which is still the case when no date is supplied and also the product has no "Default best before days set) (thanks @Forceu)
- New endpoint `/objects/{entity}/search/{searchString}` search for objects by name (contains search)
- It's now also possible to provide the API key via a query parameter (same name as the header, so `GROCY-API-KEY`)


@ -2,7 +2,7 @@
"openapi": "3.0.0",
"info": {
"title": "grocy REST API",
"description": "Authentication is done via API keys (header *GROCY-API-KEY*), which you can manage [here](PlaceHolderManageApiKeysUrl).<br>Additionally requests from within the frontend are also valid (via session cookie).",
"description": "Authentication is done via API keys (header *GROCY-API-KEY* or same named query parameter), which you can manage [here](PlaceHolderManageApiKeysUrl).<br>Additionally requests from within the frontend are also valid (via session cookie).",
"version": "xxx",
"contact": {
"email": "bernd@berrnd.de"


@ -31,6 +31,7 @@ class ApiKeyAuthMiddleware extends BaseMiddleware
{
$validSession = true;
$validApiKey = true;
$usedApiKey = null;
$sessionService = new SessionService();
if (!isset($_COOKIE[$this->SessionCookieName]) || !$sessionService->IsValidSession($_COOKIE[$this->SessionCookieName]))
@ -39,10 +40,23 @@ class ApiKeyAuthMiddleware extends BaseMiddleware
}
$apiKeyService = new ApiKeyService();
// First check of the API key in the configured header
if (!$request->hasHeader($this->ApiKeyHeaderName) || !$apiKeyService->IsValidApiKey($request->getHeaderLine($this->ApiKeyHeaderName)))
{
$validApiKey = false;
}
else
{
$usedApiKey = $request->getHeaderLine($this->ApiKeyHeaderName);
}
// Not recommended, but it's also possible to provide the API key via a query parameter (same name as the configured header)
if (!$validApiKey && !empty($request->getQueryParam($this->ApiKeyHeaderName)) && $apiKeyService->IsValidApiKey($request->getQueryParam($this->ApiKeyHeaderName)))
{
$validApiKey = true;
$usedApiKey = $request->getQueryParam($this->ApiKeyHeaderName);
}
// Handling of special purpose API keys
if (!$validApiKey)
@ -63,7 +77,7 @@ class ApiKeyAuthMiddleware extends BaseMiddleware
}
elseif ($validApiKey)
{
$user = $apiKeyService->GetUserByApiKey($request->getHeaderLine($this->ApiKeyHeaderName));
$user = $apiKeyService->GetUserByApiKey($usedApiKey);
define('GROCY_AUTHENTICATED', true);
define('GROCY_USER_ID', $user->id);
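Review bot: The query-parameter fallback (the `if (!$validApiKey && !empty($request->getQueryParam($this->ApiKeyHeaderName)) && ...)` branch) is accepted on every route this middleware guards with no way to switch it off, and a key carried in the URL is written to web-server and reverse-proxy access logs, browser history and Referer headers, where it outlives the request. The code comment says "Not recommended", but the changelog entry and the OpenAPI description in this commit present it as an equal option; I would gate the branch behind an opt-in setting that defaults to off (placeholder name `<ALLOW_API_KEY_QUERY_PARAM>`) and repeat the caveat in the API description. The branch also calls `getQueryParam()` three times; reading it once, `$queryApiKey = $request->getQueryParam($this->ApiKeyHeaderName);`, makes it explicit that the value validated is the value stored in `$usedApiKey`. The method body starts and ends outside the visible hunks, so it is worth confirming that `GetUserByApiKey($usedApiKey)` cannot be reached with `$usedApiKey` still `null` when `$validApiKey` is set by the special-purpose key handling.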