API now checks user credentials before granting tokens.

Added new permission - 'api' that allows the group access to using the API.
2011-09-05 02:12:36 -06:00 · 2011-09-05 02:12:36 -06:00 · 17683eaeaa
commit 17683eaeaa
parent 839ce793c7
2 changed files with 23 additions and 0 deletions
--- a/TShockAPI/SecureRest.cs
+++ b/TShockAPI/SecureRest.cs
@ -23,6 +23,22 @@ namespace TShockAPI
            var user = verbs["username"];
            var pass = verbs["password"];

+            var userAccount = TShock.Users.GetUserByName(user);
+            if (userAccount == null)
+            {
+                return new Dictionary<string, string> { { "status", "401" }, { "error", "Invalid username/password combination provided. Please re-submit your query with a correct pair." } };
+            }
+
+            if (Tools.HashPassword(pass).ToUpper() != userAccount.Password.ToUpper())
+            {
+                return new Dictionary<string, string> { { "status", "401" }, { "error", "Invalid username/password combination provided. Please re-submit your query with a correct pair." } };
+            }
+
+            if (!Tools.GetGroup(userAccount.Group).HasPermission("api") && userAccount.Group != "superadmin")
+            {
+                return new Dictionary<string, string> { { "status", "403" }, { "error", "Although your account was successfully found and identified, your account lacks the permission required to use the API. (api)"} };
+            }
+
            if (Verify != null && !Verify(user, pass))
                return new Dictionary<string, string> { { "status", "401" } , { "error", "Invalid username/password combination provided. Please re-submit your query with a correct pair." } };