X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=ext%2Fauthx%2Fauthx.php;h=61fff6ed41dc3a8ceb231aa20d5bcfc8d9abe13e;hb=14091ba78d84460e9af678259664fcc085dc1156;hp=25fe959f4c37ddce5b238e5780010f2974a8a16a;hpb=08f00ce0a14e7384b84633b34ae31446b62f2d9c;p=civicrm-core.git
diff --git a/ext/authx/authx.php b/ext/authx/authx.php
index 25fe959f4c..61fff6ed41 100644
--- a/ext/authx/authx.php
+++ b/ext/authx/authx.php
@@ -13,7 +13,7 @@ Civi::dispatcher()->addListener('civi.invoke.auth', function($e) {
     return (new \Civi\Authx\Authenticator())->auth($e, ['flow' => 'xheader', 'cred' => $_SERVER['HTTP_X_CIVI_AUTH'], 'siteKey' => $siteKey]);
   }
 
-  if (!empty($_SERVER['HTTP_AUTHORIZATION'])) {
+  if (!empty($_SERVER['HTTP_AUTHORIZATION']) && !empty(Civi::settings()->get('authx_header_cred'))) {
     return (new \Civi\Authx\Authenticator())->auth($e, ['flow' => 'header', 'cred' => $_SERVER['HTTP_AUTHORIZATION'], 'siteKey' => $siteKey]);
   }
 
@@ -36,6 +36,14 @@ Civi::dispatcher()->addListener('civi.invoke.auth', function($e) {
       _authx_redact(['_authx']);
     }
   }
+
+  // Accept legacy auth (?key=...&api_key=...) for 'civicrm/ajax/rest' and 'civicrm/ajax/api4/*'.
+  // The use of `?key=` could clash on some endpoints. Only accept on a small list of endpoints that are compatible with it.
+  if (count($e->args) > 2 && $e->args[1] === 'ajax' && in_array($e->args[2], ['rest', 'api4'])) {
+    if ((!empty($_REQUEST['api_key']) || !empty($_REQUEST['key']))) {
+      return (new \Civi\Authx\LegacyRestAuthenticator())->auth($e, ['flow' => 'legacyrest', 'cred' => 'Bearer ' . $_REQUEST['api_key'] ?? '', 'siteKey' => $_REQUEST['key'] ?? NULL]);
+    }
+  }
 });
 
 /**
@@ -130,6 +138,7 @@ function authx_civicrm_config(&$config) {
  */
 function authx_civicrm_install() {
   _authx_civix_civicrm_install();
+
 }
 
 /**
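Review bot: The credential built on the `return` line of the new `LegacyRestAuthenticator` branch has a precedence bug: `.` binds tighter than `??`, so `'Bearer ' . $_REQUEST['api_key'] ?? ''` concatenates first, the `?? ''` can never apply, and a request that carries only `?key=` (which the `||` condition just above permits) reads an undefined `api_key` index and hands the authenticator the literal string `'Bearer '`. Parenthesise it: `'cred' => 'Bearer ' . ($_REQUEST['api_key'] ?? '')`. The endpoint allow-list `in_array($e->args[2], ['rest', 'api4'])` should pass `true` as the third argument so it is a strict string comparison. Note also that `$_REQUEST` can include cookies depending on `request_order`, so a cookie named `api_key` or `key` would satisfy this check; reading `$_GET`/`$_POST` explicitly would be tighter, though whether the legacy REST contract relies on `$_REQUEST` is not visible from here. The enclosing listener closure starts before this hunk.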
@@ -157,6 +166,13 @@ function authx_civicrm_uninstall() {
  */
 function authx_civicrm_enable() {
   _authx_civix_civicrm_enable();
+  // If the system is already using HTTP `Authorization:` headers before installation/re-activation, then
+  // it's probably an extra/independent layer of security.
+  // Only activate support for `Authorization:` if this looks like a clean/amenable environment.
+  // @link https://github.com/civicrm/civicrm-core/pull/22837
+  if (empty($_SERVER['HTTP_AUTHORIZATION']) && NULL === Civi::settings()->getExplicit('authx_header_cred')) {
+    Civi::settings()->set('authx_header_cred', ['jwt', 'api_key']);
+  }
 }
 
 /**
@@ -214,14 +230,14 @@ function authx_civicrm_permission(&$permissions) {
  *
  * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_navigationMenu
  */
-//function authx_civicrm_navigationMenu(&$menu) {
-//  _authx_civix_insert_navigation_menu($menu, 'Mailings', array(
-//    'label' => E::ts('New subliminal message'),
-//    'name' => 'mailing_subliminal_message',
-//    'url' => 'civicrm/mailing/subliminal',
-//    'permission' => 'access CiviMail',
-//    'operator' => 'OR',
-//    'separator' => 0,
-//  ));
-//  _authx_civix_navigationMenu($menu);
-//}
+function authx_civicrm_navigationMenu(&$menu) {
+  _authx_civix_insert_navigation_menu($menu, 'Administer/System Settings', [
+    'label' => E::ts('Authentication'),
+    'name' => 'authx_admin',
+    'url' => 'civicrm/admin/setting/authx',
+    'permission' => 'administer CiviCRM',
+    'operator' => 'OR',
+    'separator' => 0,
+  ]);
+  _authx_civix_navigationMenu($menu);
+}
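Review bot: The `empty($_SERVER['HTTP_AUTHORIZATION'])` probe in `authx_civicrm_enable()` only observes the single request that enabled the extension; when enabling runs from the CLI (`cv`, `drush`, a test harness) there are no HTTP headers at all, so the default `['jwt', 'api_key']` is written regardless of whether a reverse proxy or HTTP Basic layer in front of the site is using `Authorization:`, which is exactly the case the comment says it wants to avoid. The heuristic therefore only works for a browser-driven enable, and that limit is worth stating next to the `@link` line, e.g. `// NOTE: this probe sees only the current request; a CLI enable always passes it, so sites behind a Basic-auth proxy should review this setting after install.` Whether the settings page added elsewhere in this diff surfaces that caveat is not visible from this hunk. The enclosing function lies entirely within the hunk.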