6 * @link http://www.open-emr.org
7 * @author Matthew Vita <matthewvita48@gmail.com>
8 * @author Brady Miller <brady.g.miller@gmail.com>
9 * @copyright Copyright (c) 2018 Matthew Vita <matthewvita48@gmail.com>
10 * @copyright Copyright (c) 2018 Brady Miller <brady.g.miller@gmail.com>
11 * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
15 namespace OpenEMR\RestControllers
;
17 require_once("./../library/authentication/common_operations.php");
19 class AuthRestController
21 public function __construct()
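/**
 * Issue an API bearer token for a username/password credential pair.
 *
 * $authPayload is the decoded request body and is expected to carry
 * "username", "password" and "grant_type"; only the "password" grant is
 * accepted. On success one api_token row is inserted for the user with a
 * one-hour expiry and an OAuth-style array (token_type / access_token /
 * expires_in) is returned with HTTP 200. On every failure path the HTTP
 * status is set to 401 and null is returned.
 *
 * Security notes for maintainers:
 *  - A wrong password and an unsupported grant type are each sufficient
 *    to refuse, so the two conditions are joined with "||". Joining them
 *    with "&&" (as an earlier revision did) only refused when BOTH held,
 *    which let a wrong password through whenever grant_type was
 *    "password" - i.e. in the normal login flow.
 *  - The token is generated in PHP from random_bytes() (the platform
 *    CSPRNG; native on PHP 7+, otherwise via the random_compat polyfill)
 *    instead of in SQL from NOW()/RAND()/UUID(). MySQL RAND() is not a
 *    cryptographic generator and NOW()/UUID() are largely predictable.
 *    16 random bytes hex-encoded is 32 characters, the same width the old
 *    LEFT(SHA2(...), 32) expression produced, so the column is unchanged.
 *  - Because the token is known before the INSERT, it is returned directly
 *    rather than re-selecting the newest api_token row for the user, which
 *    under concurrent logins could hand back another session's token.
 *
 * NOTE(review): the original failure return value is not visible in this
 * listing; null is used so callers testing for a falsy result behave the
 * same - confirm against the REST dispatcher.
 *
 * @param array $authPayload decoded request body
 * @return array|null token response on success, null on failure
 */
public function authenticate($authPayload)
{
    $username = isset($authPayload["username"]) ? $authPayload["username"] : '';
    $password = isset($authPayload["password"]) ? $authPayload["password"] : '';
    $grant_type = isset($authPayload["grant_type"]) ? strtolower(trim($authPayload["grant_type"])) : '';

    $is_valid = confirm_user_password($username, $password);

    // Refuse on a bad credential OR an unsupported grant type.
    if (!$is_valid || $grant_type !== 'password') {
        http_response_code(401);
        return null;
    }

    // The api and site identifiers from the session are appended to the
    // token so later requests can be routed to the right site.
    if (empty($_SESSION['api']) || empty($_SESSION['site_id'])) {
        http_response_code(401);
        return null;
    }
    $encoded_api = bin2hex(trim($_SESSION['api']));
    $encoded_site = bin2hex(trim($_SESSION['site_id']));

    $user = sqlQuery("SELECT id FROM users_secure WHERE username = ?", array($username));
    if (empty($user["id"])) {
        // Password accepted but no users_secure row: refuse rather than
        // inserting an api_token row with a NULL user_id.
        http_response_code(401);
        return null;
    }

    // 128 bits from the CSPRNG, hex-encoded to 32 characters.
    $token = bin2hex(random_bytes(16));

    $sql = " INSERT INTO api_token SET";
    $sql .= " user_id=?,";
    $sql .= " token=?,";
    $sql .= " expiry=DATE_ADD(NOW(), INTERVAL 1 HOUR)";
    sqlInsert($sql, array($user["id"], $token));

    // expires_in mirrors the INTERVAL 1 HOUR above, in seconds.
    $encoded_token = $token . $encoded_api . $encoded_site;
    $give = array("token_type" => "Bearer", "access_token" => $encoded_token, "expires_in" => "3600");
    http_response_code(200);
    return $give;
}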
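/**
 * Check whether a raw 32-character api_token value exists and has not
 * yet expired.
 *
 * Expiry is compared in server local time as "Y-m-d H:i:s" strings,
 * which order chronologically. A malformed expiry makes strtotime()
 * return false, date() then formats the epoch, and the token reads as
 * expired - the safe direction.
 *
 * Call this BEFORE optionallyAddMoreTokenTime(): that helper measures the
 * remaining lifetime with abs(), so reached with a token that expired
 * less than 10 minutes ago it would renew it for another hour.
 *
 * @param string $token the token portion of the bearer credential
 * @return bool true only when a matching api_token row exists and its
 *              expiry is still in the future
 */
public function isValidToken($token)
{
    // An empty or non-string token is never valid; keep it away from the
    // query so "" cannot match a row whose token column is empty.
    if (!is_string($token) || $token === '') {
        return false;
    }

    $tokenResult = sqlQuery("SELECT user_id, token, expiry FROM api_token WHERE token=?", array($token));
    if (empty($tokenResult) || empty($tokenResult['expiry'])) {
        // No row (or no expiry) for this token.
        return false;
    }

    $currentDateTime = date("Y-m-d H:i:s");
    $expiryDateTime = date("Y-m-d H:i:s", strtotime($tokenResult['expiry']));

    // Expired at or before "now" is invalid; strictly later is valid.
    return $expiryDateTime > $currentDateTime;
}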
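/**
 * Resolve the username that owns an api_token value.
 *
 * The lookup filters on the token only - it does NOT consult expiry -
 * so pair it with isValidToken() before using the result for
 * authorization decisions.
 *
 * @param string $token the token portion of the bearer credential
 * @return string|null the username, or null when no api_token row matches
 */
public function getUserFromToken($token)
{
    $sql = " SELECT";
    $sql .= " u.username";
    $sql .= " FROM api_token a";
    $sql .= " JOIN users_secure u ON u.id = a.user_id";
    $sql .= " WHERE a.token = ?";
    $userResult = sqlQuery($sql, array($token));

    // Unknown token: return null explicitly instead of indexing into an
    // empty result (which raises a notice/warning and yields null anyway).
    if (!isset($userResult["username"])) {
        return null;
    }
    return $userResult["username"];
}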
/**
 * Run an ACL check for the user that owns the given api token.
 *
 * The token-to-user lookup (getUserFromToken) ignores expiry, so callers
 * should have validated the token with isValidToken() first.
 *
 * @param string $token   the token portion of the bearer credential
 * @param string $section ACL section passed through to acl_check()
 * @param string $value   ACL value passed through to acl_check()
 * @return mixed whatever acl_check() returns for that user
 */
public function aclCheck($token, $section, $value)
{
    return acl_check($section, $value, $this->getUserFromToken($token));
}
/**
 * Run an ACL check for an already-resolved username.
 *
 * Thin pass-through to acl_check(); note the argument order differs from
 * this method's own signature (section, value, username).
 *
 * @param string $username user to check
 * @param string $section  ACL section passed through to acl_check()
 * @param string $value    ACL value passed through to acl_check()
 * @return mixed whatever acl_check() returns for that user
 */
public function aclCheckByUsername($username, $section, $value)
{
    $decision = acl_check($section, $value, $username);
    return $decision;
}
99 public function optionallyAddMoreTokenTime($token)
101 $tokenResult = sqlQuery("SELECT user_id, token, expiry FROM api_token WHERE token=?", array($token));
103 $currentDateTime = date("Y-m-d H:i:s");
104 $expiryDateTime = date("Y-m-d H:i:s", strtotime($tokenResult['expiry']));
106 $minutesLeft = round(abs(strtotime($currentDateTime) - strtotime($expiryDateTime)) / 60, 2);
108 if ($minutesLeft < 10) {
109 sqlStatement("UPDATE api_token SET expiry=DATE_ADD(NOW(), INTERVAL 1 HOUR) WHERE token=?", array($token));