ensure all password checking goes through the authenticate plugin hook (for instance in mod_removeme)
This commit is contained in:
zotlabs
@@ -49,6 +49,28 @@ function account_verify_password($login, $pass) {
|
|||||||
$channel = null;
|
$channel = null;
|
||||||
$xchan = null;
|
$xchan = null;
|
||||||
|
|
||||||
|
$addon_auth = [
|
||||||
|
'username' => $login,
|
||||||
|
'password' => trim($pass),
|
||||||
|
'authenticated' => 0,
|
||||||
|
'user_record' => null
|
||||||
|
];
|
||||||
|
|
||||||
|
/**
|
||||||
|
*
|
||||||
|
* A plugin indicates successful login by setting 'authenticated' to non-zero value and returning a user record
|
||||||
|
* Plugins should never set 'authenticated' except to indicate success - as hooks may be chained
|
||||||
|
* and later plugins should not interfere with an earlier one that succeeded.
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
|
||||||
|
call_hooks('authenticate', $addon_auth);
|
||||||
|
|
||||||
|
if(($addon_auth['authenticated']) && is_array($addon_auth['user_record']) && (! empty($addon_auth['user_record']))) {
|
||||||
|
$ret['account'] = $addon_auth['user_record'];
|
||||||
|
return $ret;
|
||||||
|
}
|
||||||
|
else {
|
||||||
if(! strpos($login,'@')) {
|
if(! strpos($login,'@')) {
|
||||||
$channel = channelx_by_nick($login);
|
$channel = channelx_by_nick($login);
|
||||||
if(! $channel) {
|
if(! $channel) {
|
||||||
@@ -87,6 +109,23 @@ function account_verify_password($login, $pass) {
|
|||||||
return ( [ 'reason' => 'unvalidated' ] );
|
return ( [ 'reason' => 'unvalidated' ] );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if($channel) {
|
||||||
|
// Try the authentication plugin again since weve determined we are using the channel login instead of account login
|
||||||
|
$addon_auth = [
|
||||||
|
'username' => $account['account_email'],
|
||||||
|
'password' => trim($pass),
|
||||||
|
'authenticated' => 0,
|
||||||
|
'user_record' => null
|
||||||
|
];
|
||||||
|
|
||||||
|
call_hooks('authenticate', $addon_auth);
|
||||||
|
|
||||||
|
if(($addon_auth['authenticated']) && is_array($addon_auth['user_record']) && (! empty($addon_auth['user_record']))) {
|
||||||
|
$ret['account'] = $addon_auth['user_record'];
|
||||||
|
return $ret;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if(($account['account_flags'] == ACCOUNT_OK)
|
if(($account['account_flags'] == ACCOUNT_OK)
|
||||||
&& (hash('whirlpool',$account['account_salt'] . $pass) === $account['account_password'])) {
|
&& (hash('whirlpool',$account['account_salt'] . $pass) === $account['account_password'])) {
|
||||||
logger('password verified for ' . $login);
|
logger('password verified for ' . $login);
|
||||||
@@ -95,6 +134,7 @@ function account_verify_password($login, $pass) {
|
|||||||
$ret['channel'] = $channel;
|
$ret['channel'] = $channel;
|
||||||
return $ret;
|
return $ret;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
$error = 'password failed for ' . $login;
|
$error = 'password failed for ' . $login;
|
||||||
logger($error);
|
logger($error);
|
||||||
@@ -242,32 +282,10 @@ else {
|
|||||||
|
|
||||||
if((x($_POST, 'auth-params')) && $_POST['auth-params'] === 'login') {
|
if((x($_POST, 'auth-params')) && $_POST['auth-params'] === 'login') {
|
||||||
|
|
||||||
$record = null;
|
|
||||||
|
|
||||||
$addon_auth = array(
|
|
||||||
'username' => punify(trim($_POST['username'])),
|
|
||||||
'password' => trim($_POST['password']),
|
|
||||||
'authenticated' => 0,
|
|
||||||
'user_record' => null
|
|
||||||
);
|
|
||||||
|
|
||||||
/**
|
|
||||||
*
|
|
||||||
* A plugin indicates successful login by setting 'authenticated' to non-zero value and returning a user record
|
|
||||||
* Plugins should never set 'authenticated' except to indicate success - as hooks may be chained
|
|
||||||
* and later plugins should not interfere with an earlier one that succeeded.
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
|
|
||||||
call_hooks('authenticate', $addon_auth);
|
|
||||||
|
|
||||||
$atoken = null;
|
$atoken = null;
|
||||||
$account = null;
|
$account = null;
|
||||||
|
$channel = null;
|
||||||
|
|
||||||
if(($addon_auth['authenticated']) && (count($addon_auth['user_record']))) {
|
|
||||||
$account = $addon_auth['user_record'];
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
$verify = account_verify_password($_POST['username'], $_POST['password']);
|
$verify = account_verify_password($_POST['username'], $_POST['password']);
|
||||||
if($verify && array_key_exists('reason',$verify) && $verify['reason'] === 'unvalidated') {
|
if($verify && array_key_exists('reason',$verify) && $verify['reason'] === 'unvalidated') {
|
||||||
notice( t('Email validation is incomplete. Please check your email.'));
|
notice( t('Email validation is incomplete. Please check your email.'));
|
||||||
@@ -288,7 +306,6 @@ else {
|
|||||||
else {
|
else {
|
||||||
notice( t('Failed authentication') . EOL);
|
notice( t('Failed authentication') . EOL);
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
if(! ($account || $atoken)) {
|
if(! ($account || $atoken)) {
|
||||||
$error = 'authenticate: failed login attempt: ' . notags(trim($_POST['username'])) . ' from IP ' . $_SERVER['REMOTE_ADDR'];
|
$error = 'authenticate: failed login attempt: ' . notags(trim($_POST['username'])) . ' from IP ' . $_SERVER['REMOTE_ADDR'];
|
||||||
@@ -326,10 +343,11 @@ else {
|
|||||||
// if we haven't failed up this point, log them in.
|
// if we haven't failed up this point, log them in.
|
||||||
|
|
||||||
$_SESSION['last_login_date'] = datetime_convert();
|
$_SESSION['last_login_date'] = datetime_convert();
|
||||||
if(! $atoken)
|
if(! $atoken) {
|
||||||
authenticate_success($account,$channel,true, true);
|
authenticate_success($account,$channel,true, true);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|||||||
Reference in New Issue
Block a user