added a nonce to hmac signature and header so same call in same second does not get...
authorcash <cash@36083f99-b078-4883-b0ff-0f9b5a30f544>
Thu, 12 Nov 2009 12:43:26 +0000 (12:43 +0000)
committercash <cash@36083f99-b078-4883-b0ff-0f9b5a30f544>
Thu, 12 Nov 2009 12:43:26 +0000 (12:43 +0000)
git-svn-id: http://code.elgg.org/elgg/trunk@3672 36083f99-b078-4883-b0ff-0f9b5a30f544

engine/lib/api.php
languages/en.php

index 91c3743a32b4ed8ce981ca433185d5b701e827ad..b3da52c5a6706c33bdf6777ef7bf9069d2491958 100644 (file)
@@ -716,6 +716,7 @@ function api_auth_hmac() {
        // calculate expected HMAC
        $hmac = calculate_hmac( $api_header->hmac_algo,
                                                        $api_header->time,
+                                                       $api_header->nonce,
                                                        $api_header->api_key,
                                                        $secret_key,
                                                        $query,
@@ -787,6 +788,11 @@ function get_and_validate_api_headers() {
                throw new APIException(elgg_echo('APIException:TemporalDrift'));
        }
 
+       $result->nonce = $_SERVER['HTTP_X_ELGG_NONCE'];
+       if ($result->nonce == "") {
+               throw new APIException(elgg_echo('APIException:MissingNonce'));
+       }
+       
        if ($result->method == "POST") {
                $result->posthash = $_SERVER['HTTP_X_ELGG_POSTHASH'];
                if ($result->posthash == "") {
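Review bot: The nonce is only tested for presence, so after this hunk a request captured inside the TemporalDrift window can still be replayed unchanged — the same header and HMAC verify exactly as before. The commit title's goal (distinct HMACs for distinct calls in the same second) is met, but if replay rejection is also intended the server needs to remember the api_key/nonce pairs it has accepted for at least the drift window and reject a repeat, and that check belongs right after the missing-nonce test. Separately, `$result->nonce = $_SERVER['HTTP_X_ELGG_NONCE'];` reads the key unconditionally, so an absent header raises an undefined-index notice before the APIException is thrown; `$result->nonce = isset($_SERVER['HTTP_X_ELGG_NONCE']) ? $_SERVER['HTTP_X_ELGG_NONCE'] : "";` avoids that, though the posthash read below has the same pre-existing pattern. get_and_validate_api_headers starts and ends outside this hunk.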
@@ -844,7 +850,7 @@ function map_api_hash($algo) {
  * @param $post_hash string Optional sha1 hash of the post data.
  * @return string The HMAC string
  */
-function calculate_hmac($algo, $time, $api_key, $secret_key, $get_variables, $post_hash = "") {
+function calculate_hmac($algo, $time, $nonce, $api_key, $secret_key, $get_variables, $post_hash = "") {
        global $CONFIG;
 
        elgg_log("HMAC Parts: $algo, $time, $api_key, $secret_key, $get_variables, $post_hash");
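Review bot: The docblock above `calculate_hmac` is not updated for the new parameter; add `* @param $nonce string Per-request nonce that is mixed into the HMAC input.` next to the existing @param lines (the earlier @param entries are above the hunk). The `elgg_log("HMAC Parts: ...")` line was also left without `$nonce`, so a trace of a failing signature will not show the one input this commit adds; while touching that line, consider dropping `$secret_key` from it, since it currently writes the shared secret into the log. Inserting `$nonce` positionally in the middle of the list means any caller outside this file still using the old order gets no error — its arguments simply shift and every HMAC it produces fails to verify — so callers in plugin code should be checked.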
@@ -852,6 +858,7 @@ function calculate_hmac($algo, $time, $api_key, $secret_key, $get_variables, $po
        $ctx = hash_init(map_api_hash($algo), HASH_HMAC, $secret_key);
 
        hash_update($ctx, trim($time));
+       hash_update($ctx, trim($nonce));
        hash_update($ctx, trim($api_key));
        hash_update($ctx, trim($get_variables));
        if (trim($post_hash)!="") {
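Review bot: The nonce is fed in between `trim($time)` and `trim($api_key)` with no separator, so the MAC input is effectively the plain concatenation of the fields and the boundary between two adjacent values is not fixed by the MAC; this was already true of the other fields, but the nonce is a new free-form value that makes the ambiguity easier to reach. Length-prefixing each part or joining them with a delimiter that cannot occur in them, e.g. `hash_update($ctx, trim($time) . "\n" . trim($nonce) . "\n" . trim($api_key) . "\n" . trim($get_variables));`, makes the encoding unambiguous. Because that changes the wire protocol it must be mirrored in send_api_call at the same time, so it may be better handled as a follow-up change.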
@@ -1163,6 +1170,9 @@ function send_api_call(array $keys, $url, array $call, $method = 'GET', $post_da
 
        // Time
        $time = time();
+       
+       // Nonce
+       $nonce = uniqid('');
 
        // URL encode all the parameters
        foreach ($call as $k => $v){
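Review bot: `$nonce = uniqid('');` derives its value from the current microsecond alone, so two requests built in the same microsecond (for instance by concurrent processes) can carry the same nonce, which is the collision this commit sets out to avoid; `$nonce = uniqid('', true);` appends the extra-entropy suffix and still yields a plain header string. If the server later uses the nonce for replay rejection it should also be unpredictable, which uniqid is not, so a random source would be preferable at that point. send_api_call continues outside this hunk.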
@@ -1183,9 +1193,11 @@ function send_api_call(array $keys, $url, array $call, $method = 'GET', $post_da
        if ((isset($keys['public'])) && (isset($keys['private']))) {
                $headers['X-Elgg-apikey'] = $keys['public'];
                $headers['X-Elgg-time'] = $time;
+               $headers['X-Elgg-nonce'] = $nonce;
                $headers['X-Elgg-hmac-algo'] = 'sha1';
                $headers['X-Elgg-hmac'] = calculate_hmac('sha1',
                        $time,
+                       $nonce,
                        $keys['public'],
                        $keys['private'],
                        $params,
index 5c562431fd4e9517c587ddee6d19795d9e16d6e6..7764e9d680b79ae4c8839c6034679fd3aacbe6bb 100644 (file)
@@ -143,6 +143,7 @@ $english = array(
        'APIException:MissingHmac' => "Missing X-Elgg-hmac header",
        'APIException:MissingHmacAlgo' => "Missing X-Elgg-hmac-algo header",
        'APIException:MissingTime' => "Missing X-Elgg-time header",
+       'APIException:MissingNonce' => "Missing X-Elgg-nonce header",
        'APIException:TemporalDrift' => "X-Elgg-time is too far in the past or future. Epoch fail.",
        'APIException:NoQueryString' => "No data on the query string",
        'APIException:MissingPOSTHash' => "Missing X-Elgg-posthash header",