From be99e947c0d1ec38d8d7e2a5b691ed6e21182937 Mon Sep 17 00:00:00 2001
From: grandeljay
Date: Wed, 23 Nov 2022 17:58:16 +0100
Subject: [PATCH] Remove api token
---
 src/assets/js/default.js | 10 +++---
 src/assets/js/home.js | 12 +++----
 src/assets/js/html2canvas.js | 1 -
 src/assets/js/inline.js.php | 5 ---
 src/assets/js/parts/wishlist-filter.js | 3 --
 src/assets/js/parts/wishlists.js | 47 +++++++-------------------
 src/assets/js/wishlist.js | 15 ++------
 src/classes/api.php | 36 ++++----------------
 src/pages/install.php | 4 +--
 src/update/1-7-1.sql | 8 -----
 10 files changed, 33 insertions(+), 108 deletions(-)
diff --git a/src/assets/js/default.js b/src/assets/js/default.js
index ed4c603b..ded7f358 100644
--- a/src/assets/js/default.js
+++ b/src/assets/js/default.js
@@ -18,11 +18,11 @@ $(function() {
 */
 /** API */
 $.fn.api.settings.api = {
- 'get wishlists' : '/?page=api&module=wishlists&api_token={apitoken}',
- 'get wishlists by priority' : '/?page=api&module=wishlists&api_token={apitoken}&style={style}&wishlist_id={wishlistid}&priority={priority}',
- 'delete wishlist' : '/?page=api&module=wishlists',
- 'update wish status' : '/?page=api&module=wishes',
- 'delete wish' : '/?page=api&module=wishes',
+ 'get wishlists' : '/?page=api&module=wishlists',
+ 'get wishlists by priority' : '/?page=api&module=wishlists&style={style}&wishlist_id={wishlistid}&priority={priority}',
+ 'delete wishlist' : '/?page=api&module=wishlists',
+ 'update wish status' : '/?page=api&module=wishes',
+ 'delete wish' : '/?page=api&module=wishes',
 };
 /** Default callbacks */
diff --git a/src/assets/js/home.js b/src/assets/js/home.js
index c10abd97..f966b5aa 100644
--- a/src/assets/js/home.js
+++ b/src/assets/js/home.js
@@ -4,11 +4,10 @@ $(function() {
 */
 const params_statistics = new URLSearchParams(
 {
- 'api_token' : wishthis.api.token,
- 'module' : 'statistics',
- 'page' : 'api',
+ 'module' : 'statistics',
+ 'page' : 'api',
- 'table' : 'all',
+ 'table' : 'all',
 }
 );
@@ -68,9 +67,8 @@ $(function() {
 */
 const params_news = new URLSearchParams(
 {
- 'api_token' : wishthis.api.token,
- 'module' : 'blog',
- 'page' : 'api',
+ 'module' : 'blog',
+ 'page' : 'api',
 }
 );
diff --git a/src/assets/js/html2canvas.js b/src/assets/js/html2canvas.js
index 8b7d2354..ec763341 100644
--- a/src/assets/js/html2canvas.js
+++ b/src/assets/js/html2canvas.js
@@ -17,7 +17,6 @@ window.addEventListener("load", (event) => {
 .then(canvas => {
 var data = new URLSearchParams();
 data.append('preview', canvas.toDataURL());
- data.append('api_token', wishthis.api.token);
 data.append('page', wishthis.$_GET.page);
 /** Save page preview */
diff --git a/src/assets/js/inline.js.php b/src/assets/js/inline.js.php
index f823d1e5..fea90e8d 100644
--- a/src/assets/js/inline.js.php
+++ b/src/assets/js/inline.js.php
@@ -17,11 +17,6 @@ global $options;
 wishthis.locale = 'language) ?>';
 wishthis.$_GET = JSON.parse('');
- /** API */
- wishthis.api = {
- 'token' : "getOption('api_token'); ?>",
- };
-
 /** Wish */
 wishthis.wish = {
 'status' : {
diff --git a/src/assets/js/parts/wishlist-filter.js b/src/assets/js/parts/wishlist-filter.js
index ba2ae4aa..be904c4e 100644
--- a/src/assets/js/parts/wishlist-filter.js
+++ b/src/assets/js/parts/wishlist-filter.js
@@ -10,9 +10,6 @@ $(function () {
 })
 .api({
 'action' : 'get wishlists by priority',
- 'urlData' : {
- 'apitoken' : wishthis.api.token,
- },
 beforeSend : function (settings) {
 settings.urlData.style = $('input[name="style"]').val();
 settings.urlData.priority = $('.ui.dropdown.filter.priority').dropdown('get value');
diff --git a/src/assets/js/parts/wishlists.js b/src/assets/js/parts/wishlists.js
index 35f526be..dcaf81d7 100644
--- a/src/assets/js/parts/wishlists.js
+++ b/src/assets/js/parts/wishlists.js
@@ -16,9 +16,6 @@ $(function () {
 var wishlists = [];
 var wishlists_api = {
 'action' : 'get wishlists',
- 'urlData' : {
- 'apitoken' : wishthis.api.token,
- },
 onSuccess : function(response, dropdown_wishlists, xhr) {
 /** Save response for later use */
 wishlists = response.results;
@@ -68,9 +65,8 @@ $(function () {
 /** Get wishlist */
 const get_wishlist = new URLSearchParams(
 {
- 'api_token' : wishthis.api.token,
- 'module' : 'wishlists',
- 'page' : 'api',
+ 'module' : 'wishlists',
+ 'page' : 'api',
 'wishlist_id' : wishlist_id,
 }
@@ -99,9 +95,8 @@ $(function () {
 const params_url = new URLSearchParams(
 {
- 'api_token' : wishthis.api.token,
- 'module' : 'url',
- 'page' : 'api',
+ 'module' : 'url',
+ 'page' : 'api',
 'url' : window.btoa(urlParams.toString()),
 }
@@ -125,9 +120,8 @@ $(function () {
 /*
 const get_wishes = new URLSearchParams(
 {
- 'api_token' : wishthis.api.token,
- 'module' : 'wishes',
- 'page' : 'api',
+ 'module' : 'wishes',
+ 'page' : 'api',
 'wishlist_id' : wishlist.id,
 'wishlist_style' : $('[name="style"]').val(),
@@ -247,9 +241,8 @@ $(function () {
 const params_cache = new URLSearchParams(
 {
- 'api_token' : wishthis.api.token,
- 'module' : 'wishes',
- 'page' : 'api',
+ 'module' : 'wishes',
+ 'page' : 'api',
 'wish_id' : card.attr('data-id'),
 'wishlist_user' : wishlist_user,
@@ -313,7 +306,6 @@ $(function () {
 var formRename = modalRename.find('.form.wishlist-rename');
 var formData = new URLSearchParams(new FormData(formRename[0]));
- formData.append('api_token', wishthis.api.token);
 formData.append('wishlist_id', wishthis.$_GET.id);
 fetch('/?page=api&module=wishlists', {
@@ -397,8 +389,6 @@ $(function () {
 action: 'delete wishlist',
 method: 'DELETE',
 data: {
- 'api_token' : wishthis.api.token,
-
 'wishlistID' : wishlist_id
 },
 on: 'now',
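Review bot: In the hunk starting `@@ -125,9 +120,8 @@`, the rewritten `'module'`/`'page'` entries of `get_wishes` sit inside what looks like a commented-out block (the `/*` on the hunk's first context line is not closed before `const get_wishes`), so the change keeps dead code in lockstep with live code. If `get_wishes` is no longer used, delete the block rather than keep editing it; if it is meant to come back, a `// TODO: re-enable get_wishes once <reason> is resolved` above it would say why it is disabled, which a bare `/*` does not. The enclosing `$(function () {` callback starts before this hunk and the block's closing `*/` lies outside it.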
@@ -442,8 +432,6 @@ $(function () {
 action : 'update wish status',
 method : 'PUT',
 data : {
- 'api_token' : wishthis.api.token,
-
 'wish_id' : card.attr('data-id'),
 'wish_status' : wishthis.strings.wish.status.fulfilled,
 },
@@ -485,9 +473,8 @@ $(function () {
 var wishFormData = new URLSearchParams(
 {
- 'api_token' : wishthis.api.token,
- 'module' : 'wishes',
- 'page' : 'api',
+ 'module' : 'wishes',
+ 'page' : 'api',
 'wish_id' : wishID
 }
@@ -574,9 +561,7 @@ $(function () {
 action : 'delete wish',
 method : 'DELETE',
 data : {
- 'api_token' : wishthis.api.token,
-
- 'wish_id': card.attr('data-id'),
+ 'wish_id' : card.attr('data-id'),
 },
 on : 'now',
 onSuccess : function () {
@@ -678,7 +663,6 @@ $(function () {
 buttonCreate.addClass('loading');
 var formData = new URLSearchParams(new FormData(formWishlistCreate[0]));
- formData.append('api_token', wishthis.api.token);
 fetch('/?page=api&module=wishlists', {
 method : 'POST',
@@ -735,9 +719,8 @@ $(function () {
 if (wishURLCurrent) {
 const params_url = new URLSearchParams(
 {
- 'api_token' : wishthis.api.token,
- 'module' : 'wishes',
- 'page' : 'api',
+ 'module' : 'wishes',
+ 'page' : 'api',
 'wish_url' : wishURLCurrent
 }
@@ -775,8 +758,6 @@ $(function () {
 const formData = new URLSearchParams(
 {
- 'api_token' : wishthis.api.token,
-
 'wish_url_current' : modalValidate.find('input.current').val(),
 'wish_url_proposed' : modalValidate.find('input.proposed').val(),
 }
@@ -805,7 +786,6 @@ $(function () {
 /** Save form edit fields */
 /** This code block is a duplicate, please refactor */
 var formData = new URLSearchParams(new FormData(formAddOrEdit[0]));
- formData.append('api_token', wishthis.api.token);
 formData.append('wishlist_id', wishthis.$_GET.id);
 fetch('/?page=api&module=wishes', {
@@ -838,7 +818,6 @@ $(function () {
 /** Save form edit fields */
 /** This code block is a duplicate, please refactor */
 var formData = new URLSearchParams(new FormData(formAddOrEdit[0]));
- formData.append('api_token', wishthis.api.token);
 formData.append('wishlist_id', wishthis.$_GET.id);
 fetch('/?page=api&module=wishes', {
diff --git a/src/assets/js/wishlist.js b/src/assets/js/wishlist.js
index 9a3280fd..793dcf5c 100644
--- a/src/assets/js/wishlist.js
+++ b/src/assets/js/wishlist.js
@@ -47,8 +47,6 @@ $(function() {
 action : 'update wish status',
 method : 'PUT',
 data : {
- 'api_token' : wishthis.api.token,
-
 'wish_id' : card.attr('data-id'),
 'wish_status' : wishthis.wish.status.temporary,
 },
@@ -68,8 +66,6 @@ $(function() {
 action : 'update wish status',
 method : 'PUT',
 data : {
- 'api_token' : wishthis.api.token,
-
 'wish_id' : card.attr('data-id'),
 'wish_status' : wishthis.wish.status.unavailable,
 },
@@ -90,9 +86,7 @@ $(function() {
 var formData = new URLSearchParams(
 {
- 'api_token' : wishthis.api.token,
-
- 'wishlist' : $('[data-wishlist]').attr('data-wishlist'),
+ 'wishlist' : $('[data-wishlist]').attr('data-wishlist'),
 }
 );
@@ -121,9 +115,8 @@ $(function() {
 /** Determine if list is saved */
 const params_ws_saved = new URLSearchParams(
 {
- 'api_token' : wishthis.api.token,
- 'module' : 'wishlists-saved',
- 'page' : 'api',
+ 'module' : 'wishlists-saved',
+ 'page' : 'api',
 }
 );
@@ -168,8 +161,6 @@ $(function() {
 var formData = new URLSearchParams(
 {
- 'api_token' : wishthis.api.token,
-
 'locale' : wishlist_locale,
 'wishlist-id' : wishlist_id,
 }
diff --git a/src/classes/api.php b/src/classes/api.php
index 39fdac29..9bddb738 100644
--- a/src/classes/api.php
+++ b/src/classes/api.php
@@ -17,8 +17,6 @@ class API
 private string $module_path;
 private array $input;
- public string $token;
-
 public function __construct()
 {
 global $options;
@@ -27,43 +25,21 @@ class API
 $this->module = $this->input['module'] ?? '';
 $this->module_path = ROOT . '/src/api/' . $this->module . '.php';
- $this->token = $options->getOption('api_token');
-
- /** For installer */
- if (empty($this->token)) {
- $this->token = sha1(ROOT);
- }
 }
 public function do()
 {
 if (file_exists($this->module_path)) {
- if (!empty(trim($this->input['api_token']))) {
- if ($this->input['api_token'] === $this->token) {
- ob_start();
+ ob_start();
- $response = array();
+ $response = array();
- require $this->module_path;
+ require $this->module_path;
- $response['warning'] = ob_get_clean();
+ $response['warning'] = ob_get_clean();
- header('Content-type: application/json; charset=utf-8');
- echo json_encode($response);
- } else {
- http_response_code(403);
- ?>
-

Forbidden

-

The specified API token "input['api_token'] ?>" is invalid.

- -

Forbidden

-

Please specify an API token.

-
diff --git a/src/pages/install.php b/src/pages/install.php
index dd902a29..222e5352 100644
--- a/src/pages/install.php
+++ b/src/pages/install.php
@@ -43,7 +43,6 @@ switch ($step) {
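Review bot: With the `api_token` comparison deleted from `do()`, any request whose `module` names an existing file under `src/api/` now runs straight into `require $this->module_path` with no authentication performed in this class, and nothing in this hunk or in the JS hunks (which only drop the parameter) shows a replacement check, so the `'delete wishlist'`, `'delete wish'` and `'update wish status'` handlers depend entirely on whatever each module script verifies itself; that is not visible here and should be confirmed, or a session/ownership check added before `ob_start()`. Because `$this->module` is copied from `$this->input` and concatenated into the path on the unchanged line above, the `file_exists` test is now the only gate in front of `require`; constraining the name before the path is built, e.g. `if (!preg_match('/^[a-z0-9-]+$/', $this->module)) { http_response_code(404); return; }` (pattern constructed from the module names visible in this diff), keeps it to the intended directory. The removed branch also echoed the submitted token back in the 403 body, so dropping that page is itself an improvement, but a one-line comment above `do()` stating where authorisation now happens would make the intent explicit for the next reader. The remainder of `do()` and the new-side `header()`/`echo` lines are not legible in this rendering.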
-
@@ -251,8 +250,7 @@ switch ($step) {
 `options` (`key`, `value`)
 VALUES
 ("isInstalled", true),
- ("version", "' . VERSION . '"),
- ("api_token", UUID())
+ ("version", "' . VERSION . '")
 ;'
 );
diff --git a/src/update/1-7-1.sql b/src/update/1-7-1.sql
index aaba7ddd..b00dcf07 100644
--- a/src/update/1-7-1.sql
+++ b/src/update/1-7-1.sql
@@ -1,11 +1,3 @@
-/**
- * Options
- */
-INSERT INTO
- `options` (`key`, `value`)
-VALUES
- ('api_token', UUID());
-
 /**
 * Sessions
 */
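Review bot: Dropping the `api_token` seed from the installer INSERT (and from `1-7-1.sql`) only affects fresh installs; an instance that already ran the 1-7-1 update keeps an `options` row holding a UUID that this diff no longer reads anywhere, and no new update script in the commit removes it. If `1-7-1.sql` has already shipped, editing it in place also leaves installs that ran it before and after this change with different contents, so a new update file with `DELETE FROM \`options\` WHERE \`key\` = 'api_token';` would cover both cases without rewriting history. The `switch ($step)` body around this hunk continues outside it.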