harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ensure all password checking goes through the authenticate plugin hook (for instance in mod_removeme)

Browse Source
This commit is contained in:
zotlabs 2018-05-14 20:17:00 -07:00
parent c8fc3ad7cd
commit 46152cc56b
1 changed files with 101 additions and 83 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

68
include/auth.php
View File

@ -49,6 +49,28 @@ function account_verify_password($login, $pass) {
$channel = null;
$xchan = null;
$addon_auth = [
'username' => $login,
'password' => trim($pass),
'authenticated' => 0,
'user_record' => null
];
/**
*
* A plugin indicates successful login by setting 'authenticated' to non-zero value and returning a user record
* Plugins should never set 'authenticated' except to indicate success - as hooks may be chained
* and later plugins should not interfere with an earlier one that succeeded.
*
*/
call_hooks('authenticate', $addon_auth);
if(($addon_auth['authenticated']) && is_array($addon_auth['user_record']) && (! empty($addon_auth['user_record']))) {
$ret['account'] = $addon_auth['user_record'];
return $ret;
}
else {
if(! strpos($login,'@')) {
$channel = channelx_by_nick($login);
if(! $channel) {
@ -87,6 +109,23 @@ function account_verify_password($login, $pass) {
return ( [ 'reason' => 'unvalidated' ] );
}
if($channel) {
// Try the authentication plugin again since weve determined we are using the channel login instead of account login
$addon_auth = [
'username' => $account['account_email'],
'password' => trim($pass),
'authenticated' => 0,
'user_record' => null
];
call_hooks('authenticate', $addon_auth);
if(($addon_auth['authenticated']) && is_array($addon_auth['user_record']) && (! empty($addon_auth['user_record']))) {
$ret['account'] = $addon_auth['user_record'];
return $ret;
}
}
if(($account['account_flags'] == ACCOUNT_OK)
&& (hash('whirlpool',$account['account_salt'] . $pass) === $account['account_password'])) {
logger('password verified for ' . $login);
@ -95,6 +134,7 @@ function account_verify_password($login, $pass) {
$ret['channel'] = $channel;
return $ret;
}
}
$error = 'password failed for ' . $login;
logger($error);
@ -242,32 +282,10 @@ else {
if((x($_POST, 'auth-params')) && $_POST['auth-params'] === 'login') {
$record = null;
$addon_auth = array(
'username' => punify(trim($_POST['username'])),
'password' => trim($_POST['password']),
'authenticated' => 0,
'user_record' => null
);
/**
*
* A plugin indicates successful login by setting 'authenticated' to non-zero value and returning a user record
* Plugins should never set 'authenticated' except to indicate success - as hooks may be chained
* and later plugins should not interfere with an earlier one that succeeded.
*
*/
call_hooks('authenticate', $addon_auth);
$atoken = null;
$account = null;
$channel = null;
if(($addon_auth['authenticated']) && (count($addon_auth['user_record']))) {
$account = $addon_auth['user_record'];
}
else {
$verify = account_verify_password($_POST['username'], $_POST['password']);
if($verify && array_key_exists('reason',$verify) && $verify['reason'] === 'unvalidated') {
notice( t('Email validation is incomplete. Please check your email.'));
@ -288,7 +306,6 @@ else {
else {
notice( t('Failed authentication') . EOL);
}
}
if(! ($account || $atoken)) {
$error = 'authenticate: failed login attempt: ' . notags(trim($_POST['username'])) . ' from IP ' . $_SERVER['REMOTE_ADDR'];
@ -326,10 +343,11 @@ else {
// if we haven't failed up this point, log them in.
$_SESSION['last_login_date'] = datetime_convert();
if(! $atoken)
if(! $atoken) {
authenticate_success($account,$channel,true, true);
}
}
}
/**