server: clean up scripts, require POST for non-idempotent requests

2022-08-16 21:16:22 +02:00 · 2022-08-16 21:16:22 +02:00 · 096c7ac168
commit 096c7ac168
parent c7f08a80e9
4 changed files with 52 additions and 39 deletions
--- a/server/ping-get.php
+++ b/server/ping-get.php
@ -1,16 +1,22 @@
 <?php
-require_once('config.inc.php');

+require_once('config.inc.php');
 $apikeys = $config['ping-get'];

 header('Content-type: text/plain');
-if(isset($_GET['apikey']) && in_array($_GET['apikey'], $apikeys, true)) {
-    $str=file_get_contents('pinged.txt');
-    echo $str;
-    file_put_contents ( 'pinged.txt' , 'false' );
-} else {
-    $str=file_get_contents('pinged.txt');
-    echo "API Key Missing!\n";
-    echo $str;
+
+if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
+	echo "Must use POST request method\n";
+	return;
 }
+
+if (!isset($_GET['apikey']) || !in_array($_GET['apikey'], $apikeys, true)) {
+	echo "Invalid API key\n";
+	return;
+}
+
+$str=file_get_contents('pinged.txt');
+echo $str;
+file_put_contents('pinged.txt', 'false');
+
 ?>
--- a/server/ping.php
+++ b/server/ping.php
@ -1,17 +1,20 @@
 <?php
-require_once('config.inc.php');

+require_once('config.inc.php');
 $apikeys = $config['ping'];

 header('Content-type: text/plain');
-if ($_SERVER['REQUEST_METHOD'] == 'POST' &&
-    isset($_GET['apikey']) && in_array($_GET['apikey'], $apikeys, true))
-{
-    file_put_contents ( 'pinged.txt' , 'true' );
-    echo $str;
-} else {
-    $str=file_get_contents('pinged.txt');
-    echo "API Key Missing (must be POST method)!\n";
-    echo $str;
+
+if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
+	echo "Must use POST request method\n";
+	return;
 }
+
+if (!isset($_GET['apikey']) || !in_array($_GET['apikey'], $apikeys, true)) {
+	echo "Invalid API key\n";
+	return;
+}
+
+file_put_contents('pinged.txt', 'true');
+
 ?>
--- a/server/status.txt
+++ b/server/status.txt
--- a/server/update.php
+++ b/server/update.php
@ -1,30 +1,34 @@
 <?php

 require_once('config.inc.php');
-
 $apikeys = $config['update'];

 header('Content-type: text/plain');
-if( isset($_GET['apikey']) && in_array($_GET['apikey'], $apikeys, true) ) {
-    if(isset($_GET['open']) && $_GET['open']=='true')
-    {
-        file_put_contents ( 'status.txt' , 'true,'.time() );
-        exec("./open.sh");
-        echo "true";
-    } else if(isset($_GET['open']) && $_GET['open'] =='false') {
-        file_put_contents ( 'status.txt' , 'false,'.time() );
-        exec("./close.sh");
-        echo "false";
-    }else{
-        echo "you are too stupid to use the api!\n";
-    }
+
+if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
+	echo "Must use POST request method\n";
+	return;
+}
+
+if (!isset($_GET['apikey']) || !in_array($_GET['apikey'], $apikeys, true)) {
+	echo "Invalid API key\n";
+	return;
+}
+
+if (!isset($_GET['open'])) {
+	echo "Missing 'open' request parameter\n";
+	return;
+}
+
+if ($_GET['open'] === 'true') {
+	file_put_contents('status.txt', 'true,'.time());
+	echo "true";
+} else if ($_GET['open'] === 'false') {
+	file_put_contents('status.txt', 'false,'.time());
+	echo "false";
 } else {
-    $str=file_get_contents('status.txt');
-    $arr=explode(',',$str);
-    $open=$arr[0];
-    $date=$arr[1]; //lastchange: upadate via file see explode/implode
-    echo "API Key Missing!\n";
-    echo $open;
+	echo "Invalid 'open' parameter value\n";
+	return;
 }

 ?>