api keys

README.md

@@ -156,6 +156,7 @@ rm "$prod" && ln -s "$old" "$prod"
   - `disable_warning_days`: list of day numbers when a user will get an email warning that their account will be disabled
   - `disable_day`: day number when a user will be disabled
   - a "day number" starts counting from the last day that a user logged in, so on day 5, the user last logged in 5 days ago
+- `[api]keys` can now be specified in the config file
 
 ### 1.5 -> 1.6
 

defaults/config.ini.default

@@ -132,3 +132,6 @@ disable_warning_days[] = 360
 disable_warning_days[] = 380
 disable_warning_days[] = 399
 disable_day = 400
+
+[api]
+keys[] = insert_key_here ; API keys for admin/api/...

resources/lib/UnityHTTPD.php

@@ -420,4 +420,16 @@ public static function getCSRFTokenHiddenFormInput(): string
         $token = htmlspecialchars(CSRFToken::generate());
         return "<input type='hidden' name='csrf_token' value='$token'>";
     }
+
+    public static function validateAPIKey(): void
+    {
+        $authorization = $_SERVER["HTTP_AUTHORIZATION"] ?? "";
+        if (!str_starts_with($authorization, "Bearer ")) {
+            self::badRequest("HTTP_AUTHORIZATION is not Bearer", "invalid HTTP_AUTHORIZATION");
+        }
+        $key = substr($authorization, strlen("Bearer "));
+        if (!in_array($key, CONFIG["api"]["keys"])) {
+            self::forbidden("API key not found in config", "forbidden");
+        }
+    }
 }