AuthController - Code Metrics - Inspection of "Merge branch 'release/3.1.5.10'" - nilsteampassnet/TeamPass - Measure and Improve Code Quality continuously with Scrutinizer

Passed

Push — master ( 97d9b0...f5b400 )

by Nils

created 2025-12-07 15:32 UTC

AuthController A

↳ Parent: Project

Complexity

Total Complexity

Size/Duplication

Total Lines	72
Duplicated Lines	0 %

Importance

Changes	1
Bugs	0	Features	0

Metric	Value
eloc	46
c	1
b	0
f	0
dl	0
loc	72
rs	10
wmc	12

1 Method

Rating	Name	Duplication	Size	Complexity
C	authorizeAction()	0	67	12

<?php
/**
 * Teampass - a collaborative passwords manager.
 * ---
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 * ---
 *
 * @project   Teampass
 * @version    API
 *
 * @file      AuthControler.php
 * ---
 *
 * @author    Nils Laumaillé ([email protected])
 *
 * @copyright 2009-2025 Teampass.net
 *
 * @license   https://spdx.org/licenses/GPL-3.0-only.html#licenseText GPL-3.0
 * ---
 *
 * @see       https://www.teampass.net
 */

use Symfony\Component\HttpFoundation\Request AS symfonyRequest;

class AuthController extends BaseController
{
    /**
     *
     */
    public function authorizeAction()
    {
        $request = symfonyRequest::createFromGlobals();
        $requestMethod = $request->getMethod();
        $strErrorDesc = $responseData = $strErrorHeader = '';

        if (strtoupper($requestMethod) === 'POST') {
            // Security: Prevent credentials from being passed via query string
            // Only allow credentials in POST body (form-data or JSON)
            $queryString = $request->getQueryString();
            if (!empty($queryString)) {
                parse_str(html_entity_decode($queryString), $queryParams);
                $sensitiveParams = ['login', 'password', 'apikey'];
                foreach ($sensitiveParams as $param) {
                    if (isset($queryParams[$param])) {
                        $strErrorDesc = 'Credentials must be sent in request body (application/x-www-form-urlencoded or application/json), not in URL';
                        $strErrorHeader = 'HTTP/1.1 400 Bad Request';
                        break;
                    }
                }
            }

            // Proceed only if no security violation detected
            if (empty($strErrorDesc)) {
                $arrQueryStringParams = $this->getQueryStringParams();

                // Validate required parameters are present
                if (empty($arrQueryStringParams['login']) || empty($arrQueryStringParams['password']) || empty($arrQueryStringParams['apikey'])) {
                    $strErrorDesc = 'Missing required parameters: login, password, and apikey must be provided in request body';
                    $strErrorHeader = 'HTTP/1.1 400 Bad Request';
                } else {
                    require API_ROOT_PATH . "/Model/AuthModel.php";
                    try {
                        $authModel = new AuthModel();
                        $arrUser = $authModel->getUserAuth(
                            $arrQueryStringParams['login'],
                            $arrQueryStringParams['password'],
                            $arrQueryStringParams['apikey']
                        );
                        if (array_key_exists("token", $arrUser)) {
                            $responseData = json_encode($arrUser);
                        } else {
                            $strErrorDesc = $arrUser['error'] . " (" . $arrUser['info'] . ")";
                            $strErrorHeader = 'HTTP/1.1 401 Unauthorized';
                        }
                    } catch (Error $e) {
                        $strErrorDesc = $e->getMessage().' Something went wrong! Please contact support.2';
                        $strErrorHeader = 'HTTP/1.1 500 Internal Server Error';
                    }
                }
            }

        } else {
            $strErrorDesc = 'Method '.$requestMethod.' not supported';
            $strErrorHeader = 'HTTP/1.1 422 Unprocessable Entity';
        }

        // send output
        if (empty($strErrorDesc) === true) {
            $this->sendOutput(
                $responseData,
                ['Content-Type: application/json', 'HTTP/1.1 200 OK']
            );
        } else {
            $this->sendOutput(
                json_encode(['error' => $strErrorDesc]), 
                ['Content-Type: application/json', $strErrorHeader]
            );
        }
    }
}

1			<?php
2			/**
3			* Teampass - a collaborative passwords manager.
4			* ---
5			* This library is distributed in the hope that it will be useful,
6			* but WITHOUT ANY WARRANTY; without even the implied warranty of
7			* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
8			* ---
9			*
10			* @project Teampass
11			* @version API
12			*
13			* @file AuthControler.php
14			* ---
15			*
16			* @author Nils Laumaillé ([email protected])
17			*
18			* @copyright 2009-2025 Teampass.net
19			*
20			* @license https://spdx.org/licenses/GPL-3.0-only.html#licenseText GPL-3.0
21			* ---
22			*
23			* @see https://www.teampass.net
24			*/
25
26			use Symfony\Component\HttpFoundation\Request AS symfonyRequest;
27
28			class AuthController extends BaseController
29			{
30			/**
31			*
32			*/
33			public function authorizeAction()
34			{
35			$request = symfonyRequest::createFromGlobals();
36			$requestMethod = $request->getMethod();
37			$strErrorDesc = $responseData = $strErrorHeader = '';
38
39			if (strtoupper($requestMethod) === 'POST') {
40			// Security: Prevent credentials from being passed via query string
41			// Only allow credentials in POST body (form-data or JSON)
42			$queryString = $request->getQueryString();
43			if (!empty($queryString)) {
44			parse_str(html_entity_decode($queryString), $queryParams);
45			$sensitiveParams = ['login', 'password', 'apikey'];
46			foreach ($sensitiveParams as $param) {
47			if (isset($queryParams[$param])) {
48			$strErrorDesc = 'Credentials must be sent in request body (application/x-www-form-urlencoded or application/json), not in URL';
49			$strErrorHeader = 'HTTP/1.1 400 Bad Request';
50			break;
51			}
52			}
53			}
54
55			// Proceed only if no security violation detected
56			if (empty($strErrorDesc)) {
57			$arrQueryStringParams = $this->getQueryStringParams();
58
59			// Validate required parameters are present
60			if (empty($arrQueryStringParams['login']) \|\| empty($arrQueryStringParams['password']) \|\| empty($arrQueryStringParams['apikey'])) {
61			$strErrorDesc = 'Missing required parameters: login, password, and apikey must be provided in request body';
62			$strErrorHeader = 'HTTP/1.1 400 Bad Request';
63			} else {
64			require API_ROOT_PATH . "/Model/AuthModel.php";
65			try {
66			$authModel = new AuthModel();
67			$arrUser = $authModel->getUserAuth(
68			$arrQueryStringParams['login'],
69			$arrQueryStringParams['password'],
70			$arrQueryStringParams['apikey']
71			);
72			if (array_key_exists("token", $arrUser)) {
73			$responseData = json_encode($arrUser);
74			} else {
75			$strErrorDesc = $arrUser['error'] . " (" . $arrUser['info'] . ")";
76			$strErrorHeader = 'HTTP/1.1 401 Unauthorized';
77			}
78			} catch (Error $e) {
79			$strErrorDesc = $e->getMessage().' Something went wrong! Please contact support.2';
80			$strErrorHeader = 'HTTP/1.1 500 Internal Server Error';
81			}
82			}
83			}
84
85			} else {
86			$strErrorDesc = 'Method '.$requestMethod.' not supported';
87			$strErrorHeader = 'HTTP/1.1 422 Unprocessable Entity';
88			}
89
90			// send output
91			if (empty($strErrorDesc) === true) {
92			$this->sendOutput(
93			$responseData,
94			['Content-Type: application/json', 'HTTP/1.1 200 OK']
95			);
96			} else {
97			$this->sendOutput(
98			json_encode(['error' => $strErrorDesc]),
99			['Content-Type: application/json', $strErrorHeader]
100			);
101			}
102			}
103			}

nilsteampassnet / TeamPass

Push — master ( 97d9b0...f5b400 )

AuthController A

Complexity

Size/Duplication

Importance

1 Method

Duplication Side-by-Side

Filter issues like