<?php
/**
 * Rest Dispatch
 *
 * Front controller for the REST and FHIR APIs: resolves the requested
 * resource path, establishes the site/authentication context, boots the
 * application globals and hands the request to the route handler.
 *
 * @package OpenEMR
 * @link http://www.open-emr.org
 * @author Matthew Vita <matthewvita48@gmail.com>
 * @author Jerry Padgett <sjpadgett@gmail.com>
 * @copyright Copyright (c) 2018 Matthew Vita <matthewvita48@gmail.com>
 * @copyright Copyright (c) 2018 Jerry Padgett <sjpadgett@gmail.com>
 * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
 */

require_once("./../_rest_config.php");

$gbl = RestConfig::GetInstance();
// $context is truthy for a request riding an already-authorized interactive
// session; when falsy the request has to carry its own bearer token.
$context = $gbl->GetContext();
$base_path = $gbl::$ROOT_URL;
$routes = array();
$resource = '';

// Parse needed information from Redirect or REQUEST_URI
if (!empty($_REQUEST['_REWRITE_COMMAND'])) {
    $resource = "/" . $_REQUEST['_REWRITE_COMMAND'];
} elseif (!empty($_SERVER['REDIRECT_QUERY_STRING'])) {
    $resource = str_replace('_REWRITE_COMMAND=', '/', $_SERVER['REDIRECT_QUERY_STRING']);
} else {
    if (!empty($_SERVER['REQUEST_URI'])) {
        if (strpos($_SERVER['REQUEST_URI'], '?') > 0) {
            // NOTE(review): this branch leaves $base_path inside $resource while the
            // branch below strips it; confirm the asymmetry is intended.
            $resource = strstr($_SERVER['REQUEST_URI'], '?', true);
        } else {
            $resource = str_replace("$base_path", '', $_SERVER['REQUEST_URI']);
        }
    }
}

// Presumably consumed by globals.php (required below): true skips its
// session-based login check, which token requests replace with
// authentication_check() further down — confirm against globals.php.
$ignoreAuth = true;
// Maintain site id for multi site compatibility.
// token is a 32 character hash followed by hex encoded 4 char api flag and site id.
if (is_authentication($resource)) {
    // Get a site id from initial login authentication.
    $data = (array) $gbl->getPostData((file_get_contents("php://input")));
    // 'scope' is client-supplied and is passed on as the site id without any
    // checks here, so its validation has to live in globals.php — verify it does.
    $site = empty($data['scope']) ? "default" : $data['scope'];
    $_GET['site'] = $site;
} elseif (!$context) {
    $token = get_bearer_token();
    // get_bearer_token() returns false when no bearer header is present; with no
    // strict_types declaration strlen(false) is 0, so that case also ends in a 401.
    if (strlen($token) > 40) {
        $api_token = substr($token, 0, 32);
        // hex2bin() yields false (plus a warning) for malformed hex; the empty api
        // flag that results is then rejected by verify_api_request().
        $rest = hex2bin(substr($token, 32));
        $api = substr($rest, 0, 4);
        $api_site = substr($rest, 4);
        // A fhir-flagged token on a non-fhir route (or vice versa) exits with 401.
        verify_api_request($resource, $api);
        $_SERVER["HTTP_X_API_TOKEN"] = $api_token; // set hash to further the adventure.
        // The site id embedded in the token selects the site before the token hash
        // itself is validated (authentication_check runs after globals.php), so
        // token validation must be specific to the selected site.
        $_GET['site'] = $api_site; // site id
    } else {
        // token should always return with embedded site id
        http_response_code(401);
        exit();
    }
} else {
    // continue already authorized session.
    // let globals verify again.
    $ignoreAuth = false;
}

require_once("./../interface/globals.php");
require_once("./../library/acl.inc");

// The API is off unless the rest_api global is enabled for this site.
if (!$GLOBALS['rest_api']) {
    http_response_code(501);
    exit();
}
// api flag must be four chars
// Pass only routes for current api.
if (is_fhir_request($resource)) {
    $_SESSION['api'] = 'fhir';
    $routes = $gbl::$FHIR_ROUTE_MAP;
} else {
    $_SESSION['api'] = 'oemr';
    $routes = $gbl::$ROUTE_MAP;
}
85 use OpenEMR\Common\Http\HttpRestRouteHandler;
86 use OpenEMR\RestControllers\AuthRestController;
/**
 * Tell whether the resource is one of the two login endpoints.
 *
 * Login endpoints are the only routes reached without a token, so callers use
 * this to skip token checks for them.
 *
 * @param string $resource resource path as resolved by the dispatcher
 * @return bool true only for an exact match of /api/auth or /fhir/auth
 */
function is_authentication($resource)
{
    $loginEndpoints = ["/api/auth", "/fhir/auth"];
    return in_array($resource, $loginEndpoints, true);
}
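/**
 * Extract the bearer token from the Authorization request header.
 *
 * Splits $_SERVER["HTTP_AUTHORIZATION"] on whitespace/commas and returns the
 * token following a case-insensitive "Bearer" scheme word.
 *
 * Fix: a missing header, or a "Bearer" scheme with no token after it, used to
 * raise warnings (preg_split on null, undefined offset 1); both now return
 * false like any other non-bearer header.
 *
 * @return string|false the trimmed token, or false when the header is absent,
 *                      uses another scheme, or carries no token
 */
function get_bearer_token()
{
    if (empty($_SERVER["HTTP_AUTHORIZATION"])) {
        return false;
    }
    $parse = preg_split("/[\s,]+/", $_SERVER["HTTP_AUTHORIZATION"]);
    if (strtoupper(trim($parse[0])) !== 'BEARER') {
        return false;
    }
    // An empty token would only fail the caller's length check anyway; report
    // it as "no token" instead of returning ''.
    if (!isset($parse[1]) || trim($parse[1]) === '') {
        return false;
    }
    return trim($parse[1]);
}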
/**
 * Tell whether the resource targets the FHIR API.
 *
 * The match is case-insensitive and succeeds when "/fhir/" occurs anywhere in
 * the path, not only as its prefix.
 *
 * @param string $resource resource path as resolved by the dispatcher
 * @return bool
 */
function is_fhir_request($resource)
{
    // stripos() already ignores case, so no lowercasing is needed first.
    $position = stripos($resource, "/fhir/");
    return $position !== false;
}
/**
 * Ensure the api flag embedded in the token matches the API being called.
 *
 * FHIR routes require the 'fhir' flag, every other route the 'oemr' flag; a
 * mismatch answers 401 and terminates the request.
 *
 * @param string $resource resource path as resolved by the dispatcher
 * @param string $api four-character api flag decoded from the bearer token
 * @return void
 */
function verify_api_request($resource, $api)
{
    $api = strtolower(trim($api));
    $required = is_fhir_request($resource) ? 'fhir' : 'oemr';
    if ($api !== $required) {
        http_response_code(401);
        exit();
    }
}
/**
 * Validate the api token for every route except the login endpoints.
 *
 * Reads the token hash from $_SERVER["HTTP_X_API_TOKEN"] (the dispatcher
 * overwrites that entry from the bearer token before calling this), rejects
 * the request with 401 if it is not valid, and otherwise extends its lifetime.
 *
 * @param string $resource resource path as resolved by the dispatcher
 * @return void
 */
function authentication_check($resource)
{
    // Login requests carry no token yet, so there is nothing to validate.
    if (is_authentication($resource)) {
        return;
    }
    $token = $_SERVER["HTTP_X_API_TOKEN"];
    $authRestController = new AuthRestController();
    if (!$authRestController->isValidToken($token)) {
        http_response_code(401);
        exit();
    }
    $authRestController->optionallyAddMoreTokenTime($token);
}
/**
 * Enforce an ACL check for the current caller; exits with 401 on failure.
 *
 * Session-backed requests ($context truthy) are checked by the session user
 * name, token requests by the api token hash in $_SERVER["HTTP_X_API_TOKEN"].
 *
 * @param string $section ACL section
 * @param string $value ACL value within that section
 * @return void
 */
function authorization_check($section, $value)
{
    global $context;

    $authRestController = new AuthRestController();
    $allowed = $context
        ? $authRestController->aclCheckByUsername($_SESSION['authUser'], $section, $value)
        : $authRestController->aclCheck($_SERVER["HTTP_X_API_TOKEN"], $section, $value);
    // NOTE(review): a denied ACL check answers 401 (not 403); kept as-is since
    // clients may depend on the current status code.
    if (!$allowed) {
        http_response_code(401);
        exit();
    }
}
// Token requests (no interactive session) must present a valid token before
// any route runs; session requests were already verified by globals.php.
$tokenRequest = !$context;
if ($tokenRequest) {
    authentication_check($resource);
}
// dispatch $routes called by ref.
$method = $_SERVER["REQUEST_METHOD"];
HttpRestRouteHandler::dispatch($routes, $resource, $method);
// Tear down session for security.
// NOTE(review): a controller that exit()s inside dispatch() never reaches this.
if ($tokenRequest) {
    $gbl->destroySession();
}