Added token authentication handling. It just returns an unsupported error.

I do not see a way to implement this without altering password storage in the database.

Reverting API version to 1.11.0

lib/class/subsonic_xml_data.class.php

@@ -36,6 +36,7 @@ class Subsonic_XML_Data
     const SSERROR_APIVERSION_CLIENT = 20;
     const SSERROR_APIVERSION_SERVER = 30;
     const SSERROR_BADAUTH           = 40;
+    const SSERROR_TOKENAUTHNOTSUPPORTED = 41;
     const SSERROR_UNAUTHORIZED      = 50;
     const SSERROR_TRIAL             = 60;
     const SSERROR_DATA_NOTFOUND     = 70;
@@ -237,6 +238,7 @@ class Subsonic_XML_Data
                 case Subsonic_XML_Data::SSERROR_APIVERSION_CLIENT:  $message = "Incompatible Subsonic REST protocol version. Client must upgrade."; break;
                 case Subsonic_XML_Data::SSERROR_APIVERSION_SERVER:  $message = "Incompatible Subsonic REST protocol version. Server must upgrade."; break;
                 case Subsonic_XML_Data::SSERROR_BADAUTH:            $message = "Wrong username or password."; break;
+                case Subsonic_XML_Data::SSERROR_TOKENAUTHNOTSUPPORTED: $message = "Token authentication not supported."; break;
                 case Subsonic_XML_Data::SSERROR_UNAUTHORIZED:       $message = "User is not authorized for the given operation."; break;
                 case Subsonic_XML_Data::SSERROR_TRIAL:              $message = "The trial period for the Subsonic server is over. Please upgrade to Subsonic Premium. Visit subsonic.org for details."; break;
                 case Subsonic_XML_Data::SSERROR_DATA_NOTFOUND:      $message = "The requested data was not found."; break;

rest/index.php

@@ -56,6 +56,8 @@ if (empty($user)) {
 $password = $_SERVER['PHP_AUTH_PW'];
 if (empty($password)) {
     $password = $_REQUEST['p'];
+    $token = $_REQUEST['t'];
+    $salt = $_REQUEST['s'];
 }
 $version   = $_REQUEST['v'];
 $clientapp = $_REQUEST['c'];
@@ -64,13 +66,31 @@ if (empty($_SERVER['HTTP_USER_AGENT'])) {
     $_SERVER['HTTP_USER_AGENT'] = $clientapp;
 }
 
-if (empty($user) || empty($password) || empty($version) || empty($action) || empty($clientapp)) {
+if (empty($user) || (empty($password) && (empty($token) || empty($salt))) || empty($version) || empty($action) || empty($clientapp)) {
     ob_end_clean();
     debug_event('subsonic', 'Missing Subsonic base parameters', 3);
     Subsonic_Api::apiOutput2($f, Subsonic_XML_Data::createError(Subsonic_XML_Data::SSERROR_MISSINGPARAM), $callback);
     exit();
 }
 
+if (isset($token) && isset($salt)) {
+    //We can't support token authentication. 
+    //No external authentication modules will support this since we can't extract password from salted hash
+    //Can't support with mysql because password is stored as a hash (not salted and using different encryption)
+    //so no comparisons are possible
+
+    //tell client we don't support token authentication
+    //hopefully they will fall back to earlier authentication method 
+    //( pre api 1.13 using the p parameter with the password)
+
+    debug_event('Access Denied', 'Token authentication not supported in Subsonic API for user [' . $user . ']', '3');
+    ob_end_clean();
+    Subsonic_Api::apiOutput2($f, Subsonic_XML_Data::createError(Subsonic_XML_Data::SSERROR_TOKENAUTHNOTSUPPORTED), $callback);
+    exit();
+
+    
+}
+
 $password = Subsonic_Api::decrypt_password($password);
 
 // Check user authentication