Change access checking to functions

Fix the logger to show the allowed endpoint when wildcard endpoints are used

Author: austinwbest

root/app/www/public/api/index.php

@@ -169,60 +169,27 @@
             readfile($proxyBackup);
         }
     } else {
-        // CHECK IF THE ENDPOINT HAS WILDCARDS: /{...}/{...} OR /{...}
-        if (!$proxiedApp['access'][$endpoint]) {
-            $endpointRegexes    = ['/(.*)\/(.*)\/(.*)/', '/(.*)\/(.*)/'];
-            $wildcardRegexes    = ['/(.*)({.*})\/({.*})/', '/(.*)({.*})/'];
-            $wildcard           = false;
+        if ($accessEndpoint = $starr->isAllowedEndpoint($proxiedApp['access'], $endpoint)) {
+            $endpoint = $accessEndpoint;
+        } else {
+            logger($logfile, $apikey, $endpoint, 401);
+            logger(str_replace('access.log', 'access_' . $proxiedApp['proxiedAppDetails']['name'] . '.log', $logfile), $apikey, $endpoint, 401);
+            $usageDb->adjustAppUsage($proxiedApp['proxiedAppDetails']['id'], 401);
 
-            foreach ($wildcardRegexes as $index => $wildcardRegex) {
-                preg_match($endpointRegexes[$index], $endpoint, $requestMatches);
-
-                if (!$requestMatches) {
-                    continue;
-                }
-
-                foreach ($proxiedApp['access'] as $accessEndpoint => $accessMethods) {
-                    preg_match($wildcardRegex, $accessEndpoint, $accessMatches);
-    
-                    if (!$accessMatches) {
-                        continue;
-                    }
-
-                    if ($accessMatches[1] == $requestMatches[1] . '/') {
-                        if (count($accessMatches) == count($requestMatches)) {
-                            $wildcard   = true;
-                            $endpoint   = $accessEndpoint; //-- ALLOW LATER CHECKS TO PASS
-                            break;
-                        }
-                    }
-                }
-
-                if ($wildcard) {
-                    break;
-                }
+            if ($proxyDb->isNotificationTriggerEnabled('blocked')) {
+                $payload    = [
+                                'event'     => 'blocked', 
+                                'proxyApp'  => $proxiedApp['proxiedAppDetails']['name'], 
+                                'starrApp'  => $proxiedApp['starrAppDetails']['name'], 
+                                'endpoint'  => $endpoint
+                            ];
+                $notifications->notify(0, 'blocked', $payload);
             }
 
-            if (!$wildcard) {
-                logger($logfile, $apikey, $endpoint, 401);
-                logger(str_replace('access.log', 'access_' . $proxiedApp['proxiedAppDetails']['name'] . '.log', $logfile), $apikey, $endpoint, 401);
-                $usageDb->adjustAppUsage($proxiedApp['proxiedAppDetails']['id'], 401);
-
-                if ($proxyDb->isNotificationTriggerEnabled('blocked')) {
-                    $payload    = [
-                                    'event'     => 'blocked', 
-                                    'proxyApp'  => $proxiedApp['proxiedAppDetails']['name'], 
-                                    'starrApp'  => $proxiedApp['starrAppDetails']['name'], 
-                                    'endpoint'  => $endpoint
-                                ];
-                    $notifications->notify(0, 'blocked', $payload);
-                }
-
-                apiResponse(401, ['error' => sprintf(APP_API_ERROR, 'provided apikey is missing access to ' . $endpoint)]);
-            }
+            apiResponse(401, ['error' => sprintf(APP_API_ERROR, 'provided apikey is missing access to ' . $endpoint)]);
         }
 
-        if (!in_array($method, $proxiedApp['access'][$endpoint])) {
+        if (!$accessMethod = $starr->isAllowedEndpointMethod($proxiedApp['access'], $endpoint, $method)) {
             logger($logfile, $apikey, $endpoint, 405);
             logger(str_replace('access.log', 'access_' . $proxiedApp['proxiedAppDetails']['name'] . '.log', $logfile), $apikey, $endpoint, 405);
             $usageDb->adjustAppUsage($proxiedApp['proxiedAppDetails']['id'], 405);

root/app/www/public/classes/Starr.php

@@ -211,4 +211,58 @@ public function getAppFromStarrKey($apikey, $starrsTable)
 
         return [];
     }
+
+    public function isAllowedEndpoint($endpoints, $endpoint)
+    {
+        if (!$endpoints || !$endpoint) {
+            return;
+        }
+
+        if ($endpoints[$endpoint]) {
+            return $endpoint;
+        }
+
+        // CHECK IF THE ENDPOINT HAS WILDCARDS: /{...}/{...} OR /{...}
+        if (!$endpoints[$endpoint]) {
+            $endpointRegexes    = ['/(.*)\/(.*)\/(.*)/', '/(.*)\/(.*)/'];
+            $wildcardRegexes    = ['/(.*)({.*})\/({.*})/', '/(.*)({.*})/'];
+
+            foreach ($wildcardRegexes as $index => $wildcardRegex) {
+                preg_match($endpointRegexes[$index], $endpoint, $requestMatches);
+
+                if (!$requestMatches) {
+                    continue;
+                }
+
+                foreach ($endpoints as $accessEndpoint => $accessMethods) {
+                    preg_match($wildcardRegex, $accessEndpoint, $accessMatches);
+    
+                    if (!$accessMatches) {
+                        continue;
+                    }
+
+                    if ($accessMatches[1] == $requestMatches[1] . '/') {
+                        if (count($accessMatches) == count($requestMatches)) {
+                            return $accessEndpoint;
+                        }
+                    }
+                }
+            }
+        }
+
+        return;
+    }
+
+    public function isAllowedEndpointMethod($endpoints, $endpoint, $method)
+    {
+        if (!$endpoints || !$endpoint || !$method) {
+            return false;
+        }
+
+        if (in_array($method, $endpoints[$endpoint]) || in_array(strtolower($method), $endpoints[$endpoint])) {
+            return true;
+        }
+
+        return false;
+    }
 }

root/app/www/public/functions/logger.php

@@ -194,19 +194,15 @@ function getLog($logfile, $page = 1, $app = false)
                 <h4>Endpoint usage <span class="text-small">(<?= count($endpointUsage) ?> endpoint<?= count($endpointUsage) == 1 ? '' : 's' ?>)</span></h4>
                 <?php
                 foreach ($endpointUsage as $endpoint => $methods) {
-                    foreach ($methods as $method => $usage) {
-                        $accessError = true;
+                    $accessEndpoint = $starr->isAllowedEndpoint($proxiedApp['access'], $endpoint);
 
-                        if ($proxiedApp['access'][$endpoint] || $proxiedApp['access'][strtolower($endpoint)]) {
-                            if (in_array(strtolower($method), $proxiedApp['access'][$endpoint]) || in_array(strtolower($method), $proxiedApp['access'][strtolower($endpoint)])) {
-                                $accessError = false;
-                            }
-                        }
+                    foreach ($methods as $method => $usage) {
+                        $accessMethod = $starr->isAllowedEndpointMethod($proxiedApp['access'], $accessEndpoint, $method);
 
                         ?>
-                            <i id="disallowed-endpoint-<?= md5($endpoint.$method) ?>" class="far fa-times-circle text-danger" title="Disallowed endpoint, click to allow it" style="display: <?= $accessError ? 'inline-block' : 'none' ?>; cursor: pointer;" onclick="addEndpointAccess('<?= $app ?>', <?= $proxiedApp['proxiedAppDetails']['id'] ?>, '<?= $endpoint ?>', '<?= $method ?>', '<?= md5($endpoint.$method) ?>')"></i> 
-                            <i id="allowed-endpoint-<?= md5($endpoint.$method) ?>" class="far fa-check-circle text-success" title="Allowed endpoint" style="display: <?= !$accessError ? 'inline-block' : 'none' ?>;"></i>
-                            [<?= strtoupper($method) ?>] <?= $endpoint . ': ' . number_format($usage) ?> hit<?= $usage == 1 ? '' : 's' ?><br>
+                        <i id="disallowed-endpoint-<?= md5($endpoint.$method) ?>" class="far fa-times-circle text-danger" title="Disallowed endpoint, click to allow it" style="display: <?= !$accessMethod ? 'inline-block' : 'none' ?>; cursor: pointer;" onclick="addEndpointAccess('<?= $app ?>', <?= $proxiedApp['proxiedAppDetails']['id'] ?>, '<?= $endpoint ?>', '<?= $method ?>', '<?= md5($endpoint.$method) ?>')"></i> 
+                        <i id="allowed-endpoint-<?= md5($endpoint.$method) ?>" class="far fa-check-circle text-success" title="Allowed endpoint" style="display: <?= $accessMethod ? 'inline-block' : 'none' ?>;"></i>
+                        [<?= strtoupper($method) ?>] <?= ($accessEndpoint != $endpoint ? $accessEndpoint . ' → ' : '') . $endpoint . ': ' . number_format($usage) ?> hit<?= $usage == 1 ? '' : 's' ?><br>
                         <?php
                     }
                 }