Basic User and Auth

2024-07-13 20:17:59 +02:00 · 2024-07-13 20:17:59 +02:00 · edf8b7cecf
commit edf8b7cecf
parent 03da043be3
5 changed files with 116 additions and 7 deletions
--- a/exam/api/docs/index.css
+++ b/exam/api/docs/index.css
@ -1,3 +0,0 @@
-body {
-  background-color: red;
-}
--- a/exam/api/docs/index.html
+++ b/exam/api/docs/index.html
@ -3,7 +3,7 @@
  <head>
    <link href="./index.css" rel="stylesheet" />

-    <title>Calculator</title>
+    <title>API Docs</title>
  </head>

  <body></body>
--- a/exam/api/users/index.php
+++ b/exam/api/users/index.php
@ -4,11 +4,23 @@ $method = $_SERVER['REQUEST_METHOD'];

 switch ($method) {
  case "GET":
-    return get();
+    if (Auth::hasPermission("read")) return get();
+    break;
+  case "PUT":
+    if (Auth::hasPermission("write")) return put();
+    break;
+  case "POST":
+    if (Auth::hasPermission("write")) return post();
+    break;
+  case "DELETE":
+    if (Auth::hasPermission("write")) return delete();
+    break;
  default:
    return Response::api("$method not supported", 500);
 }

+return Response::api("Not allowed", 401);
+
 function get()
 {
  $db = Database::getInstance();
@ -17,10 +29,80 @@ function get()
    "SELECT
      *
    FROM
-      egb_benutzer";
+      Users";

  $stmt = $db->prepare($query);
  $stmt->execute();

  Response::api($stmt->fetchAll());
 }
+
+function put()
+{
+  $db = Database::getInstance();
+
+  $_PUT = json_decode(file_get_contents('php://input'), true);
+
+  $query =
+    "INSERT INTO
+      Users(FirstName, LastName, Token)
+    VALUES(:FIRST, :LAST, UUID())";
+
+  try {
+    $stmt = $db->prepare($query);
+    $stmt->bindValue(":FIRST", $_PUT["firstName"]);
+    $stmt->bindValue(":LAST", $_PUT["lastName"]);
+
+    Response::api($stmt->execute());
+  } catch (Exception $e) {
+    Response::api($e->getMessage(), 500);
+  }
+}
+
+function post()
+{
+  $db = Database::getInstance();
+
+  $query =
+    "UPDATE
+      Users
+    SET
+      FirstName = :FIRST, LastName = :LAST
+    WHERE
+      ID = :ID";
+
+  $_POST = json_decode(file_get_contents('php://input'), true);
+
+  try {
+    $stmt = $db->prepare($query);
+    $stmt->bindValue(":FIRST", $_POST["firstName"]);
+    $stmt->bindValue(":LAST", $_POST["lastName"]);
+    $stmt->bindValue(":ID", $_POST["ID"]);
+
+    Response::api($stmt->execute());
+  } catch (Exception $e) {
+    Response::api($e->getMessage(), 500);
+  }
+}
+
+function delete()
+{
+  $db = Database::getInstance();
+
+  $_DELETE = json_decode(file_get_contents('php://input'), true);
+
+  $query =
+    "DELETE FROM
+      Users
+    WHERE
+      ID = :ID";
+
+  try {
+    $stmt = $db->prepare($query);
+    $stmt->bindValue(":ID", $_DELETE["ID"]);
+
+    Response::api($stmt->execute());
+  } catch (Exception $e) {
+    Response::api($e->getMessage(), 500);
+  }
+}
--- a/exam/app/app.php
+++ b/exam/app/app.php
@ -1,6 +1,8 @@
 <?php

-ini_set("display_errors", 1);
+if (strpos($_SERVER["REQUEST_URI"], "api") === false) {
+  ini_set("display_errors", 1);
+}
 ini_set("default_charset", "utf-8");
 ini_set('session.cookie_httponly', 1);
 ini_set('session.cookie_secure', 1);
--- a/exam/vendor/auth/auth.php
+++ b/exam/vendor/auth/auth.php
@ -0,0 +1,28 @@
+<?php
+
+class Auth
+{
+  public static function hasPermission(string $required)
+  {
+    $db = Database::getInstance();
+
+    if (!isset($_SERVER["HTTP_TOKEN"])) return false;
+    $token = $_SERVER["HTTP_TOKEN"];
+
+    $query =
+      "SELECT
+        UserPermissions.Permission
+      FROM
+        UserPermissions, Users
+      WHERE
+        Users.ID = UserPermissions.fkUserID AND
+        Users.Token = :TOKEN";
+
+    $stmt = $db->prepare($query);
+    $stmt->bindValue(":TOKEN", $token);
+    $stmt->execute();
+    $perms = $stmt->fetchAll(PDO::FETCH_COLUMN, 0);
+
+    return in_array($required, $perms);
+  }
+}