From 0150cc9e8e1a2abf6c675eb08032506e42118922 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mike=20Schw=C3=B6rer?= <mailport@mikescher.de>
Date: Tue, 13 Nov 2018 16:23:04 +0100
Subject: [PATCH] force POST in send.php

---
 web/index_more.php |  1 -
 web/model.php      | 27 +++++++++++++++++++++++++++
 web/send.php       | 38 +++++++++++++++++++++-----------------
 3 files changed, 48 insertions(+), 18 deletions(-)

diff --git a/web/index_more.php b/web/index_more.php
index c5d3782..8019d27 100644
--- a/web/index_more.php
+++ b/web/index_more.php
@@ -77,7 +77,6 @@
         "canonical_ids":0,
         "results": [{"message_id":"0:10000000000000000000000000000000d"}]
     },
-    "messagecount":623,
     "quota":17,
     "quota_max":100
 }</pre>
diff --git a/web/model.php b/web/model.php
index e822c8c..3892201 100644
--- a/web/model.php
+++ b/web/model.php
@@ -2,6 +2,33 @@
 
 include('lib/httpful.phar');
 
+class ERR
+{
+	const NO_ERROR             = 0000;
+
+	const MISSING_UID          = 1101;
+	const MISSING_TOK          = 1102;
+	const MISSING_TITLE        = 1103;
+	const INVALID_PRIO         = 1104;
+	const REQ_METHOD           = 1105;
+
+	const NO_TITLE             = 1201;
+	const TITLE_TOO_LONG       = 1202;
+	const CONTENT_TOO_LONG     = 1203;
+	const USR_MSG_ID_TOO_LONG  = 1204;
+
+	const USER_NOT_FOUND       = 1301;
+	const USER_AUTH_FAILED     = 1302;
+
+	const NO_DEVICE_LINKED     = 1401;
+
+	const QUOTA_REACHED        = 2101;
+
+	const FIREBASE_COM_FAILED  = 9901;
+	const FIREBASE_COM_ERRORED = 9902;
+	const INTERNAL_EXCEPTION   = 9903;
+}
+
 class Statics
 {
 	public static $DB = NULL;
diff --git a/web/send.php b/web/send.php
index 6c8f906..dd6ca22 100644
--- a/web/send.php
+++ b/web/send.php
@@ -9,11 +9,13 @@ try
 //sleep(1);
 //------------------------------------------------------------------
 
+	if ($_SERVER['REQUEST_METHOD'] !== 'POST') api_return(400, json_encode(['success' => false, 'error' =>  ERR::REQ_METHOD, 'errhighlight' => -1, 'message' => 'Invalid request method (must be POST)']));
+
 	$INPUT = array_merge($_GET, $_POST);
 
-	if (!isset($INPUT['user_id']))  api_return(400, json_encode(['success' => false, 'error' => 1101, 'errhighlight' => 101, 'message' => 'Missing parameter [[user_id]]']));
-	if (!isset($INPUT['user_key'])) api_return(400, json_encode(['success' => false, 'error' => 1102, 'errhighlight' => 102, 'message' => 'Missing parameter [[user_token]]']));
-	if (!isset($INPUT['title']))    api_return(400, json_encode(['success' => false, 'error' => 1103, 'errhighlight' => 103, 'message' => 'Missing parameter [[title]]']));
+	if (!isset($INPUT['user_id']))  api_return(400, json_encode(['success' => false, 'error' => ERR::MISSING_UID,   'errhighlight' => 101, 'message' => 'Missing parameter [[user_id]]']));
+	if (!isset($INPUT['user_key'])) api_return(400, json_encode(['success' => false, 'error' => ERR::MISSING_TOK,   'errhighlight' => 102, 'message' => 'Missing parameter [[user_token]]']));
+	if (!isset($INPUT['title']))    api_return(400, json_encode(['success' => false, 'error' => ERR::MISSING_TITLE, 'errhighlight' => 103, 'message' => 'Missing parameter [[title]]']));
 
 //------------------------------------------------------------------
 
@@ -27,12 +29,12 @@ try
 
 //------------------------------------------------------------------
 
-	if ($priority !== '0' && $priority !== '1' && $priority !== '2') api_return(400, json_encode(['success' => false, 'error' => 1104, 'errhighlight' => 105, 'message' => 'Invalid priority']));
+	if ($priority !== '0' && $priority !== '1' && $priority !== '2') api_return(400, json_encode(['success' => false, 'error' => ERR::INVALID_PRIO, 'errhighlight' => 105, 'message' => 'Invalid priority']));
 
-	if (strlen(trim($message)) == 0)                 api_return(400, json_encode(['success' => false, 'error' => 1201, 'errhighlight' => 103, 'message' => 'No title specified']));
-	if (strlen($message) > 120)                      api_return(400, json_encode(['success' => false, 'error' => 1202, 'errhighlight' => 103, 'message' => 'Title too long (120 characters)']));
-	if (strlen($content) > 10000)                    api_return(400, json_encode(['success' => false, 'error' => 1203, 'errhighlight' => 104, 'message' => 'Content too long (10000 characters)']));
-	if ($usrmsgid != null && strlen($usrmsgid) > 64) api_return(400, json_encode(['success' => false, 'error' => 1204, 'errhighlight' => -1,  'message' => 'MessageID too long (64 characters)']));
+	if (strlen(trim($message)) == 0)                 api_return(400, json_encode(['success' => false, 'error' => ERR::NO_TITLE,            'errhighlight' => 103, 'message' => 'No title specified']));
+	if (strlen($message) > 120)                      api_return(400, json_encode(['success' => false, 'error' => ERR::TITLE_TOO_LONG,      'errhighlight' => 103, 'message' => 'Title too long (120 characters)']));
+	if (strlen($content) > 10000)                    api_return(400, json_encode(['success' => false, 'error' => ERR::CONTENT_TOO_LONG,    'errhighlight' => 104, 'message' => 'Content too long (10000 characters)']));
+	if ($usrmsgid != null && strlen($usrmsgid) > 64) api_return(400, json_encode(['success' => false, 'error' => ERR::USR_MSG_ID_TOO_LONG, 'errhighlight' => -1,  'message' => 'MessageID too long (64 characters)']));
 
 //------------------------------------------------------------------
 
@@ -42,22 +44,22 @@ try
 	$stmt->execute(['uid' => $user_id]);
 
 	$datas = $stmt->fetchAll(PDO::FETCH_ASSOC);
-	if (count($datas)<=0) die(json_encode(['success' => false, 'error' => 1301, 'errhighlight' => 101, 'message' => 'User not found']));
+	if (count($datas)<=0) die(json_encode(['success' => false, 'error' => ERR::USER_NOT_FOUND, 'errhighlight' => 101, 'message' => 'User not found']));
 	$data = $datas[0];
 
-	if ($data === null)                     api_return(401, json_encode(['success' => false, 'error' => 1301, 'errhighlight' => 101, 'message' => 'User not found']));
-	if ($data['user_id'] !== (int)$user_id) api_return(401, json_encode(['success' => false, 'error' => 1302, 'errhighlight' => 101, 'message' => 'UserID not found']));
-	if ($data['user_key'] !== $user_key)    api_return(401, json_encode(['success' => false, 'error' => 1303, 'errhighlight' => 102, 'message' => 'Authentification failed']));
+	if ($data === null)                     api_return(401, json_encode(['success' => false, 'error' => ERR::USER_NOT_FOUND,   'errhighlight' => 101, 'message' => 'User not found']));
+	if ($data['user_id'] !== (int)$user_id) api_return(401, json_encode(['success' => false, 'error' => ERR::USER_NOT_FOUND,   'errhighlight' => 101, 'message' => 'UserID not found']));
+	if ($data['user_key'] !== $user_key)    api_return(401, json_encode(['success' => false, 'error' => ERR::USER_AUTH_FAILED, 'errhighlight' => 102, 'message' => 'Authentification failed']));
 
 	$fcm = $data['fcm_token'];
 
 	$new_quota = $data['quota_today'] + 1;
 	if ($data['quota_day'] === null || $data['quota_day'] !== date("Y-m-d")) $new_quota=1;
-	if ($new_quota > Statics::quota_max($data['is_pro'])) api_return(403, json_encode(['success' => false, 'error' => 2101, 'errhighlight' => -1, 'message' => 'Daily quota reached ('.Statics::quota_max($data['is_pro']).')']));
+	if ($new_quota > Statics::quota_max($data['is_pro'])) api_return(403, json_encode(['success' => false, 'error' => ERR::QUOTA_REACHED, 'errhighlight' => -1, 'message' => 'Daily quota reached ('.Statics::quota_max($data['is_pro']).')']));
 
 	if ($fcm == null || $fcm == '' ||  $fcm == false)
 	{
-		api_return(412, json_encode(['success' => false, 'error' => 1401, 'errhighlight' => -1, 'message' => 'No device linked with this account']));
+		api_return(412, json_encode(['success' => false, 'error' => ERR::NO_DEVICE_LINKED, 'errhighlight' => -1, 'message' => 'No device linked with this account']));
 	}
 
 //------------------------------------------------------------------
@@ -136,14 +138,14 @@ try
 		{
 			reportError("FCM communication failed (success_1 <> true)\n\n".$httpresult);
 			$pdo->rollBack();
-			api_return(500, json_encode(['success' => false, 'error' => 9902, 'errhighlight' => -1, 'message' => 'Communication with firebase service failed.']));
+			api_return(500, json_encode(['success' => false, 'error' => ERR::FIREBASE_COM_ERRORED, 'errhighlight' => -1, 'message' => 'Communication with firebase service failed.']));
 		}
 	}
 	catch (Exception $e)
 	{
 		reportError("FCM communication failed", $e);
 		$pdo->rollBack();
-		api_return(500, json_encode(['success' => false, 'error' => 9901, 'errhighlight' => -1, 'message' => 'Communication with firebase service failed.'."\n\n".'Exception: ' . $e->getMessage()]));
+		api_return(500, json_encode(['success' => false, 'error' => ERR::FIREBASE_COM_FAILED, 'errhighlight' => -1, 'message' => 'Communication with firebase service failed.'."\n\n".'Exception: ' . $e->getMessage()]));
 	}
 
 	$stmt = $pdo->prepare('UPDATE users SET timestamp_accessed=NOW(), messages_sent=messages_sent+1, quota_today=:q, quota_day=NOW() WHERE user_id = :uid');
@@ -157,6 +159,8 @@ try
 	api_return(200, json_encode(
 	[
 		'success'       => true,
+		'error'         => ERR::NO_ERROR,
+		'errhighlight'  => -1,
 		'message'       => 'Message sent',
 		'suppress_send' => false,
 		'response'      => $httpresult,
@@ -171,5 +175,5 @@ catch (Exception $mex)
 {
 	reportError("Root try-catch triggered", $mex);
 	if ($pdo->inTransaction()) $pdo->rollBack();
-	api_return(500, json_encode(['success' => false, 'error' => 9903, 'errhighlight' => -1, 'message' => 'PHP script threw exception.'."\n\n".'Exception: ' . $e->getMessage()]));
+	api_return(500, json_encode(['success' => false, 'error' => ERR::INTERNAL_EXCEPTION, 'errhighlight' => -1, 'message' => 'PHP script threw exception.'."\n\n".'Exception: ' . $e->getMessage()]));
 }