Created an API to login, get projects and submit timesheet #88

Closed
wants to merge 6 commits into from

Conversation

sasithahtl

No description provided.

@blomman9

In order to test the code: you forgot your composer.json file.
Also:

  • $isLoggedIn = true; is always true.
  • $auth and $request are global objects, consider initiating in code for clarity. Splitting them from the access_check.php file (also missing)
  • Move $secret_key, $issuer_claim, $audience_claim to configuration file

@sasithahtl
Author

@blomman9 Thank you. I have fixed the changes that you requested and now you can test the API. Please let me know if you find anything.


@sasithahtl sasithahtl left a comment


Created a basic small API, please review.

@anuko
Owner

anuko commented Apr 5, 2020

What is the purpose of these lines in userlogin.php?

$_SESSION['date'] = $current_user_date;

setcookie('tt_login', $cl_login, time() + COOKIE_EXPIRE, '/');


@sasithahtl sasithahtl left a comment


Changed as requested. Please review again!

@blomman9

blomman9 commented Apr 7, 2020

Please don't make the files executable.

chmod 644 WEB-INF/config.php.dist
chmod 644 api/projects.php
chmod 644 api/submitTime.php
chmod 644 api/userlogin.php

Also please add vendor to .gitignore file
echo "vendor" >> .gitignore

Remove the line @include('../plugins/limit/access_check.php'); from line 36 in userlogin.php.

With regards to input validation on submitTime.php:
The value of $cl_project = $object->projectId; should be checked against $project_list = $user->getAssignedProjects(); to exist, to be allowed a time report. It is also good to do sanitation of the input (floatval($cl_duration), although floats are not allowed by the function, and filter_var($cl_note, FILTER_SANITIZE_STRING)).
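As an added example (not code from this PR or from Time Tracker), the following PHP shows the check blomman9 asks for: the submitted projectId is accepted only if it is one of the user's assigned projects, the duration is rejected unless it is well-formed, and the note is sanitized. It assumes that getAssignedProjects() returns rows with an 'id' key and that the duration is sent as HH:MM text; both are assumptions, as are the field names in the constructed request body. FILTER_SANITIZE_STRING is deprecated since PHP 8.1, so the note is cleaned with strip_tags and a control-character filter instead.

```php
<?php
// Added example, not from the PR: validating a submitTime.php request body.
// Assumed: $assignedProjects is the result of $user->getAssignedProjects(),
// an array of rows with an 'id' key; the JSON body carries projectId,
// duration (HH:MM) and note. All names here are illustrative.

function validateTimeSubmission(object $object, array $assignedProjects): array
{
    $errors = [];

    // 1. The project must be one the user is assigned to. Compare as integers
    //    so values like "3abc" or " 3" cannot slip past a loose comparison.
    $projectId = filter_var($object->projectId ?? null, FILTER_VALIDATE_INT);
    $assignedIds = array_map('intval', array_column($assignedProjects, 'id'));
    if ($projectId === false || !in_array($projectId, $assignedIds, true)) {
        $errors[] = 'projectId is not an assigned project';
    }

    // 2. Duration: accept only a well-formed HH:MM string (assumed format).
    //    floatval() would happily turn "1.5" into a number, which the
    //    duration function does not accept, so we validate instead of casting.
    $duration = (string) ($object->duration ?? '');
    if (!preg_match('/^(\d{1,2}):([0-5]\d)$/', $duration, $m) || (int) $m[1] > 24) {
        $errors[] = 'duration must be HH:MM';
    }

    // 3. Note: strip tags and control characters and cap the length. This
    //    replaces the deprecated FILTER_SANITIZE_STRING.
    $note = strip_tags((string) ($object->note ?? ''));
    $note = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $note);
    $note = mb_substr($note, 0, 1024);

    return [
        'ok'        => empty($errors),
        'errors'    => $errors,
        'projectId' => $projectId,
        'duration'  => $duration,
        'note'      => $note,
    ];
}

// Constructed sample: the user is assigned projects 3 and 7, but the request
// names project 9 and sends a float duration, so the submission is rejected.
$assigned = [['id' => '3', 'name' => 'Alpha'], ['id' => '7', 'name' => 'Beta']];
$body = json_decode('{"projectId": 9, "duration": "1.5", "note": "<b>x</b> done"}');

$result = validateTimeSubmission($body, $assigned);
if (!$result['ok']) {
    http_response_code(400);
    echo json_encode(['errors' => $result['errors']]);
} else {
    // Only here would the time record be written, using the validated values.
    echo json_encode(['projectId' => $result['projectId'], 'note' => $result['note']]);
}
```

The assignment check is the important one: without it any authenticated user can post time against any project id in the database, because the API trusts the id the client chose rather than the list the server already knows the user may use.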

@anuko
Owner

anuko commented Dec 20, 2021

Closing the PR as some minimalist API is already provided by ttapi servlet that works directly with Time Tracker database. Anuko Time Tracker Android App uses it. Currently it is for access to shared Time Tracker server hosted by Anuko. Eventually things may be open-sourced.

@anuko anuko closed this Dec 20, 2021
@blomman9

Hi @anuko I was really looking forward to this API especially using JWT.

I read there is no way to invalidate a token once it's commissioned, but it makes sense in an app over API calls that potentially can be logged, to issue time based tokens such as JWT (and not solely rely on session or cookie).

Will you reconsider? I can take another look at the MR if you want to.
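To make the point in the comment above concrete, here is an added example (not code from this PR, nor from Time Tracker) of issuing and verifying an HS256 JWT in plain PHP. A bare JWT cannot be recalled, so the exp claim is the only revocation it carries; the example therefore issues short-lived tokens and, going one step beyond the comment, also checks the token id (jti) against a server-side denylist for the cases where a token must be cut off early. The secret, the lifetime and the claim names are constructed assumptions; in a real deployment the secret belongs in configuration, as blomman9 noted earlier in this thread.

```php
<?php
// Added example, not from the PR: minimal HS256 JWT issue/verify with expiry
// and an optional server-side denylist. Secret and lifetime are constructed.

function base64url(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64urlDecode(string $data): string
{
    return base64_decode(strtr($data, '-_', '+/'));
}

// Issue a token that is valid for $ttlSeconds from $now. The jti lets the
// server revoke this one token later without rotating the secret.
function issueToken(array $claims, string $secret, int $ttlSeconds, int $now): string
{
    $header = ['alg' => 'HS256', 'typ' => 'JWT'];
    $claims += ['iat' => $now, 'exp' => $now + $ttlSeconds, 'jti' => bin2hex(random_bytes(8))];
    $signingInput = base64url(json_encode($header)) . '.' . base64url(json_encode($claims));
    $sig = hash_hmac('sha256', $signingInput, $secret, true);
    return $signingInput . '.' . base64url($sig);
}

// Returns the claims if the token is acceptable, or null if it must be rejected.
function verifyToken(string $jwt, string $secret, int $now, array $denylist = []): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;

    // Pin the algorithm: the verifier decides what "alg" is, never the token.
    $header = json_decode(base64urlDecode($h), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return null;
    }

    // Constant-time signature comparison over the exact bytes that were signed.
    $expected = hash_hmac('sha256', "$h.$p", $secret, true);
    if (!hash_equals($expected, base64urlDecode($s))) {
        return null;
    }

    $claims = json_decode(base64urlDecode($p), true);
    if (!is_array($claims) || !isset($claims['exp']) || $claims['exp'] <= $now) {
        return null; // expired: the built-in limit on a leaked or logged token
    }
    if (isset($claims['jti']) && in_array($claims['jti'], $denylist, true)) {
        return null; // explicitly revoked server-side
    }
    return $claims;
}

// Constructed demo: a 15-minute token, checked at issue time, after 16 minutes,
// and after its jti has been placed on the denylist.
$secret = 'constructed-secret-move-me-to-config.php';
$now = time();
$token = issueToken(['sub' => 'user42'], $secret, 900, $now);

$fresh   = verifyToken($token, $secret, $now);                     // still inside exp
$stale   = verifyToken($token, $secret, $now + 960);               // 16 minutes later, past exp
$revoked = verifyToken($token, $secret, $now, [$fresh['jti']]);    // jti on the denylist
```

Two design points matter for a login API like the one proposed in this PR: the algorithm is fixed by the server rather than read from the token header, and the lifetime is short enough that a token captured from a request log is useless soon after, which is exactly the property the comment argues for over a long-lived session cookie.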
