Collections functions
General functions
Render functions
Theme permission functions
Resource functions

check_api_key()

Description

Check a query is signed correctly.

Parameters

ColumnTypeDefaultDescription
$username string The username of the calling user
$querystring string The query being passed to the API
$sign string The signature to check
$authmode string "userkey" The type of key being provided (user key or session key)

Return

void

Location

include/api_functions.php lines 33 to 64

Definition

 
function check_api_key($username,$querystring,$sign,$authmode="userkey")
    {
    
// Fetch user ID and API key
    
$user=get_user_by_username($username); if ($user===false) {return false;}
    
$aj strpos($querystring,"&ajax=");
    if(
$aj != false)
        {
        
$querystring substr($querystring,0,$aj);
        }

    if(
$authmode == "sessionkey")
        {
        
$userkey=get_session_api_key($user);
        }
    else
        {        
        
$userkey=get_api_key($user);
        }

    
# Calculate the expected signature and check it matches
    
$expected=hash("sha256",$userkey $querystring);
    if (
$expected === $sign)
    {
    return 
true;
    }
    
# Also try matching against the username - allows remote API use without knowing the user ID, e.g. in the event of managing multiple systems each with a common username but different ID.
    
if (hash("sha256",get_api_key($username) . $querystring) === $sign)
    {
    return 
true;
    } 
    return 
false;
    }

This article was last updated 2nd October 2022 17:35 Europe/London time based on the source file dated 5th September 2022 10:20 Europe/London time.