diff --git a/src/flextype/core/Endpoints/Api.php b/src/flextype/core/Endpoints/Api.php
index 023b4a6a..07baa9db 100644
--- a/src/flextype/core/Endpoints/Api.php
+++ b/src/flextype/core/Endpoints/Api.php
@@ -68,13 +68,35 @@ class Api
             return $this->getStatusCodeMessage(400);
         }
 
-        $data = array_merge($options['request']->getQueryParams() ?? [], $options['request']->getParsedBody() ?? []);
+        if (! isset($options['params'])) {
+            return $this->getStatusCodeMessage(400);
+        }
+
+        $queryData = $options['request']->getQueryParams() ?? [];
+        $bodyData = $options['request']->getParsedBody() ?? [];
+
+        $data = array_merge($queryData, $bodyData);
+
+        $dataTest = true;
+        foreach ($options['params'] as $key => $value) {
+            if (! in_array($value, array_flip($data))) {
+                $dataTest = false;
+            }
+        }
+
+        if (! $dataTest) {
+            return $this->getStatusCodeMessage(400);
+        }
 
         // Check is api enabled
         if (! registry()->get('flextype.settings.api.' . $options['api'] . '.enabled')) {
             return $this->getStatusCodeMessage(400);
         }
 
+        if (! tokens()->has($data['token'])) {
+            return $this->getStatusCodeMessage(401);
+        }
+
         // Fetch token
         $tokenData = tokens()->fetch($data['token']);
 
@@ -91,6 +113,16 @@ class Api
             return $this->getStatusCodeMessage(400);
         }
 
+        if (isset($data['access_token'])) {
+            if (! isset($tokenData['hashed_access_token'])) {
+                return $this->getStatusCodeMessage(401);
+            }
+
+            if (! password_verify($data['access_token'], $tokenData['hashed_access_token'])) {
+                return $this->getStatusCodeMessage(401);
+            }
+        }
+
         // Update token calls
         tokens()->update($data['token'], ['calls' => $tokenData['calls'] + 1]);
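Review bot: The required-parameter check in the first hunk, `in_array($value, array_flip($data))`, tests for a key of `$data` by flipping the whole merged array, which emits a warning and silently drops any entry whose value is not an int or string (a nested query parameter or a JSON object in the parsed body), and the `in_array` call is non-strict; `array_key_exists($value, $data)` expresses the intent directly and lets the loop return early: `if (! array_key_exists($value, $data)) { return $this->getStatusCodeMessage(400); }`, which also removes the unused `$key` and the `$dataTest` flag. The later `tokens()->has($data['token'])` read assumes `'token'` is always listed in `$options['params']`; if a caller passes a params list without it, this line raises an undefined-index warning rather than a 400, so it is worth guarding `$data['token']` explicitly or documenting the precondition on the method. The enclosing method starts before this hunk and continues after it.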
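Review bot: The access-token verification in the second hunk is gated on the client having sent `access_token`, so a request that omits it skips `password_verify` entirely and is accepted on the bare `token` even when the stored record carries a `hashed_access_token`; the gate should be the token record, not the request. Inverting the condition makes the secret mandatory whenever the record defines one, and casting to string before `password_verify` avoids a TypeError if `access_token` arrives as an array from the query string (whether the file declares strict_types is not visible here). The enclosing method continues outside the hunk.
```php
if (isset($tokenData['hashed_access_token'])) {
    if (! isset($data['access_token'])
        || ! password_verify((string) $data['access_token'], $tokenData['hashed_access_token'])) {
        return $this->getStatusCodeMessage(401);
    }
}
// … unchanged: token call counter update …
```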