From b32c8063b6e34c5c951bf7aecb6423038fb965e0 Mon Sep 17 00:00:00 2001
From: jakani24
Date: Sun, 11 Feb 2024 20:39:30 +0100
Subject: [PATCH] added apikey authn
---
.../api/php/accessctrl/check_apikey.php | 32 +++++++++++++++++++
.../cyberhex-code/api/php/log/add_entry.php | 4 +++
.../api/php/settings/get_settings.php | 5 +++
.../secure_zone/php/client_settings.php | 2 +-
4 files changed, 42 insertions(+), 1 deletion(-)
create mode 100644 src/server/cyberhex-code/api/php/accessctrl/check_apikey.php
diff --git a/src/server/cyberhex-code/api/php/accessctrl/check_apikey.php b/src/server/cyberhex-code/api/php/accessctrl/check_apikey.php
new file mode 100644
index 0000000..a465ef2
--- /dev/null
+++ b/src/server/cyberhex-code/api/php/accessctrl/check_apikey.php
@@ -0,0 +1,32 @@
+connect_error) {
+ $success=0;
+ die("Connection failed: " . $conn->connect_error);
+ }
+ if(!isset($_GET["apikey"]) or !isset($_GET["machineid"])){
+ return false;
+ }
+ else{
+ $apikey=$_GET["apikey"];
+ $machineid=$_GET["machineid"];
+ $sql = "SELECT * FROM api WHERE apikey = ? and machineid = ?";
+ $stmt = $conn->prepare($sql);
+ $stmt->bind_param("ss", $apikey,$machineid);
+
+ // Execute the statement
+ $stmt->execute();
+
+ // Get the result
+ $result = $stmt->get_result();
+
+ // Check if the user exists and verify the password
+ if ($result->num_rows > 0) {
+ return true;
+ //apikey authenticated
+ }
+ }
+}
+?>
\ No newline at end of file
diff --git a/src/server/cyberhex-code/api/php/log/add_entry.php b/src/server/cyberhex-code/api/php/log/add_entry.php
index f11907a..db10574 100644
--- a/src/server/cyberhex-code/api/php/log/add_entry.php
+++ b/src/server/cyberhex-code/api/php/log/add_entry.php
@@ -1,6 +1,10 @@ apikey //put auth code here afterwards +include "../accessctrl/check_apikey.php"; +if(check_apikey()!==true){ + die("no_atuh"); +} //add the entry to the log db //this page has no gui, it may return ok or error
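Review bot: In check_apikey.php the credential is read from `$_GET["apikey"]` and `$_GET["machineid"]`, so the API key travels in the URL and is likely to be recorded in web-server and proxy access logs; `isset()` also accepts an array value, which then reaches `bind_param` as a non-string. The failure paths need tightening as well: `die("Connection failed: " . $conn->connect_error)` returns database error detail to a caller that has not authenticated yet, and when no row matches the function falls off the end and returns null instead of an explicit `false` (the callers' `!== true` check happens to cover this). Because the query matches `apikey = ?` directly, the table presumably holds keys in clear; storing a hash and comparing it with `hash_equals()` would limit the impact of a database leak. The opening lines of the function are missing from the hunk as rendered here, so the sketch below starts at the connection check; its header names are placeholders and the client would need the matching change.

```php
// … unchanged: function header, config include and mysqli connection (not visible in this hunk) …
    if ($conn->connect_error) {
        // Keep the detail in the server log; the caller only learns that auth failed.
        error_log("check_apikey: database connection failed: " . $conn->connect_error);
        return false;
    }
    // Placeholder header names: read the credential from headers instead of the URL.
    $apikey = $_SERVER["HTTP_X_API_KEY"] ?? null;
    $machineid = $_SERVER["HTTP_X_MACHINE_ID"] ?? null;
    if (!is_string($apikey) || !is_string($machineid)) {
        return false;
    }
    $stmt = $conn->prepare("SELECT 1 FROM api WHERE apikey = ? AND machineid = ?");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param("ss", $apikey, $machineid);
    $stmt->execute();
    // True only when the key/machine pair exists in the api table.
    $authenticated = $stmt->get_result()->num_rows > 0;
    $stmt->close();
    $conn->close();
    return $authenticated;
```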
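Review bot: The rejection path added to add_entry.php ends with `die("no_atuh");`, which sends the default 200 status and a misspelled token, so a client or a monitoring rule cannot tell an authentication failure from a normal reply by status code; `http_response_code(401); die("no_auth");` would address both, provided the client is not already matching on the misspelled string. The relative `include "../accessctrl/check_apikey.php";` is resolved against the current working directory rather than this file's directory; `require_once __DIR__ . "/../accessctrl/check_apikey.php";` pins it to the file's location and avoids a redeclaration error if the file is pulled in twice. The context comment `//put auth code here afterwards` is stale once this check is in place and can be removed. The same lines are added to get_settings.php in the following hunk, and these remarks apply there as well.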
diff --git a/src/server/cyberhex-code/api/php/settings/get_settings.php b/src/server/cyberhex-code/api/php/settings/get_settings.php
index 9923500..17fd381 100644
--- a/src/server/cyberhex-code/api/php/settings/get_settings.php
+++ b/src/server/cyberhex-code/api/php/settings/get_settings.php
@@ -1,6 +1,11 @@ apikey //put auth code here afterwards +include "../accessctrl/check_apikey.php"; +if(check_apikey()!==true){ + die("no_atuh"); +} + $setting_virus_ctrl_virus_found_action = "not configured yet"; $setting_server_server_url="not configured yet"; $setting_rtp_folder_scan_status=0;
diff --git a/src/server/cyberhex-code/system/secure_zone/php/client_settings.php b/src/server/cyberhex-code/system/secure_zone/php/client_settings.php
index aedd818..1b4ee41 100644
--- a/src/server/cyberhex-code/system/secure_zone/php/client_settings.php
+++ b/src/server/cyberhex-code/system/secure_zone/php/client_settings.php
@@ -310,7 +310,7 @@ function load_settings(){