diff --git a/config/config.xml.default b/config/config.xml.default
index 5573772ebaf6ec975ed5e0188f3bf97891264241..73b662985875f19d8a60a12fd6c29e946efeeded 100755
--- a/config/config.xml.default
+++ b/config/config.xml.default
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="utf-8"?>
 <ROOT>
     <config>
-        <CookieTime>1440</CookieTime> <!-- minutes -->
+        <SessionTime>1440</SessionTime> <!-- minutes -->
         <timezone>Europe/Paris</timezone>
         <customLangPathDirectory></customLangPathDirectory>
     </config>
diff --git a/rest/index.php b/rest/index.php
index 5f638c0aea86ba160d0a457e0c86ef14e1e02b1c..6ad24a5266107faf55675725ef95dab025261b21 100755
--- a/rest/index.php
+++ b/rest/index.php
@@ -26,7 +26,7 @@ $app->add(function (\Slim\Http\Request $request, \Slim\Http\Response $response,
     if (!is_file($configPath . '/config.xml')) {
         return $response->withStatus(400)->withJson(['errors' => 'Configuration file is missing']);
     }
-    $routesWithoutAuthentication = ['GET/connection', 'POST/log', 'POST/password', 'PUT/password', 'GET/passwordRules', 'GET/languages/{lang}'];
+    $routesWithoutAuthentication = ['GET/authenticationInformations', 'POST/log', 'POST/password', 'PUT/password', 'GET/passwordRules', 'GET/languages/{lang}'];
     $route = $request->getAttribute('route');
     $currentMethod = empty($route) ? '' : $route->getMethods()[0];
     $currentRoute = empty($route) ? '' : $route->getPattern();
@@ -49,7 +49,7 @@ $app->add(function (\Slim\Http\Request $request, \Slim\Http\Response $response,
 });
 
 //Authentication
-$app->get('/connection', \SrcCore\controllers\AuthenticationController::class . ':getConnection');
+$app->get('/authenticationInformations', \SrcCore\controllers\AuthenticationController::class . ':getInformations');
 $app->post('/log', \SrcCore\controllers\AuthenticationController::class . ':log');
 
 //Attachments
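Review bot: The element introduced here is `<SessionTime>` with a capital S, but the reader added in the AuthenticationController hunk (`getJWT`, last hunk of this diff) looks up `$loadedXml->config->sessionTime` with a lowercase s; XML element names and SimpleXML property access are case-sensitive, so unless `CoreConfigModel::getConfig()` normalizes names, `!empty(...)` never holds for this default file and `$sessionTime` stays at its fallback of 1, i.e. every issued token expires 60 seconds after login. Either rename the element here to `<sessionTime>1440</sessionTime>` or read `$loadedXml->config->SessionTime` in `getJWT`, and pick one spelling for both. Consider also treating a still-present `CookieTime` as a fallback during the transition, since existing installations carry the old element name. The `getJWT` hunk is cut off at the end of the diff, so this is inferred from its visible lines only.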
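Review bot: Adding `GET/authenticationInformations` to `$routesWithoutAuthentication` exposes, to any anonymous caller, the `changeKey` boolean that `getInformations` (AuthenticationController hunk) now computes by comparing the encrypt key against the hard-coded default literal; that tells an unauthenticated client whether this instance still runs on the default secret, which is configuration-state disclosure the old `/connection` response did not make. Keep the unauthenticated payload to `['connection' => $connection]` and surface `changeKey` only on an authenticated administrator response (for example alongside the data returned by `getUserInformationsById`), or at least log it server-side instead of returning it. The route registration hunk at line 49 of rest/index.php is the other half of the same exposure. The comparison itself should also use `===` rather than `==`, since the loose form is not what a key check means.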
diff --git a/src/app/user/controllers/UserController.php b/src/app/user/controllers/UserController.php
index 3b547a1cf51a1b9bc98faefee98ea339bff06e0c..6e5648d9bedf4f11ef55d24353a8b7eaef5922a5 100755
--- a/src/app/user/controllers/UserController.php
+++ b/src/app/user/controllers/UserController.php
@@ -70,6 +70,10 @@ class UserController
             return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
         }
 
+        if (!Validator::intVal()->notEmpty()->validate($args['id'])) {
+            return $response->withStatus(400)->withJson(['errors' => 'Route id is not an integer']);
+        }
+
         $user = UserController::getUserInformationsById(['id' => $args['id']]);
         if (!empty($user)) {
             $user['groups'] = [];
@@ -103,8 +107,8 @@ class UserController
 
         if (empty($body)) {
             return $response->withStatus(400)->withJson(['errors' => 'Body is not set or empty']);
-        } elseif (!Validator::stringType()->notEmpty()->validate($body['login'])) {
-            return $response->withStatus(400)->withJson(['errors' => 'Body login is empty or not a string']);
+        } elseif (!Validator::stringType()->notEmpty()->validate($body['login']) || !preg_match("/^[\w.@-]*$/", $body['login'])) {
+            return $response->withStatus(400)->withJson(['errors' => 'Body login is empty, not a string or wrong formatted']);
         } elseif (!Validator::stringType()->notEmpty()->validate($body['firstname'])) {
             return $response->withStatus(400)->withJson(['errors' => 'Body firstname is empty or not a string']);
         } elseif (!Validator::stringType()->notEmpty()->validate($body['lastname'])) {
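Review bot: The same three-line route-id guard is pasted into six methods of this controller (the hunks at lines 70, 147, 232, 276, 292 and 334), and any future route taking `{id}` has to remember to copy it again. Slim's router accepts a regex constraint on the placeholder, so declaring the routes as `'/users/{id:[0-9]+}'` rejects non-numeric ids before the controller runs and makes the copies unnecessary; if the controller-level check is preferred, a single `private static function isValidRouteId(array $args): bool` wrapping `Validator::intVal()->notEmpty()->validate($args['id'])` keeps it in one place. Note that `intVal()` on the string `"0"` or `"-3"` passes, so callers still rely on the `getById` lookups returning empty for those.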
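Review bot: In the `$body['login']` check, `$` without the `D` modifier also matches just before a trailing newline, so a login such as `"alice\n"` satisfies `preg_match("/^[\w.@-]*$/", ...)` and is stored with the newline; since the value is later used as an identity string, tighten it to `preg_match("/^[\w.@-]+$/D", $body['login'])`. The `+` also makes the non-empty requirement explicit in the pattern itself, and `\w` without the `u` modifier stays ASCII-only, which appears to be the intent. `preg_match` returning `false` on a PCRE error fails closed here, which is fine; the enclosing method continues outside the hunk.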
@@ -147,7 +151,9 @@ class UserController
 
         $body = $request->getParsedBody();
 
-        if (!Validator::stringType()->notEmpty()->validate($body['firstname'])) {
+        if (!Validator::intVal()->notEmpty()->validate($args['id'])) {
+            return $response->withStatus(400)->withJson(['errors' => 'Route id is not an integer']);
+        } elseif (!Validator::stringType()->notEmpty()->validate($body['firstname'])) {
             return $response->withStatus(400)->withJson(['errors' => 'Body firstname is empty or not a string']);
         } elseif (!Validator::stringType()->notEmpty()->validate($body['lastname'])) {
             return $response->withStatus(400)->withJson(['errors' => 'Body lastname is empty or not a string']);
@@ -232,6 +238,10 @@ class UserController
             return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
         }
 
+        if (!Validator::intVal()->notEmpty()->validate($args['id'])) {
+            return $response->withStatus(400)->withJson(['errors' => 'Route id is not an integer']);
+        }
+
         $user = UserModel::getById(['id' => $args['id'], 'select' => ['firstname', 'lastname']]);
         if (empty($user)) {
             return $response->withStatus(400)->withJson(['errors' => 'User does not exist']);
@@ -276,6 +286,10 @@ class UserController
 
     public function getPictureById(Request $request, Response $response, array $args)
     {
+        if (!Validator::intVal()->notEmpty()->validate($args['id'])) {
+            return $response->withStatus(400)->withJson(['errors' => 'Route id is not an integer']);
+        }
+
         $user = UserModel::getById(['select' => ['picture'], 'id' => $args['id']]);
         if (empty($user)) {
             return $response->withStatus(400)->withJson(['errors' => 'User does not exist']);
@@ -292,7 +306,9 @@ class UserController
 
         $body = $request->getParsedBody();
 
-        if (!Validator::stringType()->notEmpty()->validate($body['lang'])) {
+        if (!Validator::intVal()->notEmpty()->validate($args['id'])) {
+            return $response->withStatus(400)->withJson(['errors' => 'Route id is not an integer']);
+        } elseif (!Validator::stringType()->notEmpty()->validate($body['lang'])) {
             return $response->withStatus(400)->withJson(['errors' => 'Body lang is empty or not a string']);
         } elseif (!Validator::stringType()->notEmpty()->validate($body['writingMode'])) {
             return $response->withStatus(400)->withJson(['errors' => 'Body writingMode is empty or not a string']);
@@ -334,6 +350,10 @@ class UserController
 
     public function updatePassword(Request $request, Response $response, array $args)
     {
+        if (!Validator::intVal()->notEmpty()->validate($args['id'])) {
+            return $response->withStatus(400)->withJson(['errors' => 'Route id is not an integer']);
+        }
+
         $body = $request->getParsedBody();
         if (!Validator::stringType()->notEmpty()->validate($body['newPassword'])) {
             return $response->withStatus(400)->withJson(['errors' => 'Bad Request']);
@@ -357,10 +377,6 @@ class UserController
 
         UserModel::updatePassword(['id' => $args['id'], 'password' => $body['newPassword']]);
 
-        if ($user['mode'] == 'standard') {
-            AuthenticationModel::revokeCookie(['userId' => $args['id']]);
-        }
-
         HistoryController::add([
             'code'       => 'OK',
             'objectType' => 'users',
diff --git a/src/core/controllers/AuthenticationController.php b/src/core/controllers/AuthenticationController.php
index 82aa4c21a5a2fd580c712fafbcc44ab2d014547b..61f87c9f7a5d3d5324a7483c07606e1648172d9b 100755
--- a/src/core/controllers/AuthenticationController.php
+++ b/src/core/controllers/AuthenticationController.php
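Review bot: Removing the `AuthenticationModel::revokeCookie` call after `UserModel::updatePassword` (hunk at line 357) with nothing in its place means sessions established before a password change stay valid until their `exp`, now up to `sessionTime` minutes; a user who changes a password because they suspect the old one leaked can no longer evict the other session, which the cookie revocation previously did for standard-mode users. The token built in `getJWT` carries only `exp` and the user id, so the auth middleware has nothing to compare against a password change. Suggest recording a per-user password-changed timestamp (or a token version) when the password is updated, adding an `iat` claim to the token, and rejecting tokens issued before the recorded change in the authentication check. `updatePassword` begins in the hunk at line 334 and continues outside this one, so the exact spot for the replacement call is not fully visible here.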
@@ -136,24 +136,27 @@ class AuthenticationController
         return $response->withJson(['user' => UserController::getUserInformationsById(['id' => $user['id']])]);
     }
 
-    public static function getConnection(Request $request, Response $response)
+    public static function getInformations(Request $request, Response $response)
     {
         $connection = ConfigurationModel::getConnection();
+        $encryptKey = CoreConfigModel::getEncryptKey();
 
-        return $response->withJson(['connection' => $connection]);
+        return $response->withJson(['connection' => $connection, 'changeKey' => $encryptKey == 'Security Key Maarch Parapheur #2008']);
     }
 
     public static function getJWT()
     {
-        $cookieTime = 1;
+        $sessionTime = 1;
         $loadedXml = CoreConfigModel::getConfig();
         if ($loadedXml) {
-            $cookieTime = (int)$loadedXml->config->CookieTime;
+            if (!empty($loadedXml->config->sessionTime)) {
+                $sessionTime = (int)$loadedXml->config->sessionTime;
+            }
         }
 
         $token = [
-            'exp' => time() + 60 * $cookieTime,
+            'exp' => time() + 60 * $sessionTime,
             'user' => [
                 'id' => $GLOBALS['id']
             ]