
check_api_key()

Description

Check a query is signed correctly.

Parameters

| Column | Type | Default | Description |
|---|---|---|---|
| $username | string | | The username of the calling user |
| $querystring | string | | The query being passed to the API |
| $sign | string | | The signature to check |
| $authmode | string | "userkey" | The type of key being provided (user key or session key) |

Location

include/api_functions.php lines 36 to 67

Definition

 
function check_api_key($username,$querystring,$sign,$authmode="userkey"): bool
    {
    // Fetch user ID and API key
    $user=get_user_by_username($username); if ($user===false) {return false;}

    $aj = strpos($querystring,"&ajax=");
    if ($aj !== false)
        {
        $querystring = substr($querystring,0,$aj);
        }

    if($authmode == "sessionkey")
        {
        $userkey=get_session_api_key($user);
        }
    else
        {
        $userkey=get_api_key($user);
        }

    # Calculate the expected signature and check it matches
    $expected=hash("sha256",$userkey . $querystring);
    if ($expected === $sign)
        {
        return true;
        }

    # Also try matching against the username - allows remote API use without knowing the user ID, e.g. in the event of managing multiple systems each with a common username but different ID.
    if (hash("sha256",get_api_key($username) . $querystring) === $sign)
        {
        return true;
        }
    return false;
    }
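
The signing scheme that check_api_key() verifies, as an added stand-alone example (not ResourceSpace code): a caller computes sha256(key . query) and the verifier repeats the steps from the definition above. The function names sign_query() and verify_query() are hypothetical, the key and query strings are constructed sample values, and the key is passed in directly instead of being looked up with get_api_key() or get_session_api_key().

```php
<?php
// Added example: the names sign_query() and verify_query() are hypothetical,
// and every key and query string below is a constructed sample value.

// Caller side: signature = sha256(key . query), matching the definition above.
function sign_query(string $key, string $query): string
{
    return hash("sha256", $key . $query);
}

// Verifier side: same steps as check_api_key(), with the key supplied directly
// (assumption) rather than fetched from the user record.
function verify_query(string $key, string $querystring, string $sign): bool
{
    // The signature covers only the part of the query before "&ajax="
    $aj = strpos($querystring, "&ajax=");
    if ($aj !== false) {
        $querystring = substr($querystring, 0, $aj);
    }
    // hash_equals() is PHP's timing-safe string comparison;
    // the definition above compares with ===
    return hash_equals(hash("sha256", $key . $querystring), $sign);
}

$key   = "constructed-sample-key-0123456789abcdef"; // constructed, not a real key
$query = "user=apiuser&function=do_search&param1=cat"; // constructed query
$sign  = sign_query($key, $query);

// Each case: [query string as received, signature as received]
$cases = [
    "signed query as sent"      => [$query, $sign],
    "with &ajax=true appended"  => [$query . "&ajax=true", $sign],
    "query parameter changed"   => ["user=apiuser&function=do_search&param1=dog", $sign],
    "signed with another key"   => [$query, sign_query("another-constructed-key", $query)],
];

foreach ($cases as $label => [$q, $s]) {
    $result = verify_query($key, $q, $s) ? "accepted" : "rejected";
    printf("%-28s %s\n", $label, $result);
}
```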

This article was last updated 13th December 2024 14:35 Europe/London time based on the source file dated 12th December 2024 10:55 Europe/London time.