Merge branch 'dev' into perms
This commit is contained in:
redmatrix
@@ -515,7 +515,7 @@ function account_approve($hash) {
|
||||
auto_channel_create($register[0]['uid']);
|
||||
else {
|
||||
$_SESSION['login_return_url'] = 'new_channel';
|
||||
authenticate_success($account[0],true,true,false,true);
|
||||
authenticate_success($account[0],null,true,true,false,true);
|
||||
}
|
||||
|
||||
|
||||
|
||||
@@ -59,20 +59,12 @@ function api_login(&$a){
|
||||
if(isset($_SERVER['PHP_AUTH_USER'])) {
|
||||
$channel_login = 0;
|
||||
$record = account_verify_password($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW']);
|
||||
if(! $record) {
|
||||
$r = q("select * from channel left join account on account.account_id = channel.channel_account_id
|
||||
where channel.channel_address = '%s' limit 1",
|
||||
dbesc($_SERVER['PHP_AUTH_USER'])
|
||||
);
|
||||
if ($r) {
|
||||
$record = account_verify_password($r[0]['account_email'],$_SERVER['PHP_AUTH_PW']);
|
||||
if($record)
|
||||
$channel_login = $r[0]['channel_id'];
|
||||
}
|
||||
if($record && $record['channel']) {
|
||||
$channel_login = $record['channel']['channel_id'];
|
||||
}
|
||||
}
|
||||
|
||||
if($record) {
|
||||
if($record['account']) {
|
||||
authenticate_success($record);
|
||||
|
||||
if($channel_login)
|
||||
|
||||
137
include/auth.php
137
include/auth.php
@@ -20,62 +20,85 @@ require_once('include/security.php');
|
||||
* attempts.
|
||||
*
|
||||
* @param string $email
|
||||
* The email address to verify.
|
||||
* The login to verify (channel address, account email or guest login token).
|
||||
* @param string $pass
|
||||
* The provided password to verify.
|
||||
* @return array|null
|
||||
* Returns account record on success, null on failure.
|
||||
*/
|
||||
function account_verify_password($email, $pass) {
|
||||
function account_verify_password($login, $pass) {
|
||||
|
||||
$ret = [ 'account' => null, 'channel' => null, 'xchan' => null ];
|
||||
|
||||
$email_verify = get_config('system', 'verify_email');
|
||||
$register_policy = get_config('system', 'register_policy');
|
||||
|
||||
if(! $login)
|
||||
return null;
|
||||
|
||||
$account = null;
|
||||
$channel = null;
|
||||
$xchan = null;
|
||||
|
||||
if(! strpos($login,'@')) {
|
||||
$channel = channelx_by_nick($login);
|
||||
if(! $channel) {
|
||||
$x = q("select * from atoken where atoken_name = '%s' and atoken_token = '%s' limit 1",
|
||||
dbesc($login),
|
||||
dbesc($pass)
|
||||
);
|
||||
if($x) {
|
||||
$ret['xchan'] = atoken_xchan($x[0]);
|
||||
return $ret;
|
||||
}
|
||||
}
|
||||
}
|
||||
if($channel) {
|
||||
$where = " where account_id = " . intval($channel['channel_account_id']) . " ";
|
||||
}
|
||||
else {
|
||||
$where = " where account_email = '" . dbesc($login) . "' ";
|
||||
}
|
||||
|
||||
$a = q("select * from account $where");
|
||||
if(! $a) {
|
||||
return null;
|
||||
}
|
||||
|
||||
$account = $a[0];
|
||||
|
||||
// Currently we only verify email address if there is an open registration policy.
|
||||
// This isn't because of any policy - it's because the workflow gets too complicated if
|
||||
// you have to verify the email and then go through the account approval workflow before
|
||||
// letting them login.
|
||||
|
||||
// @bug there is no record here
|
||||
//if(($email_verify) && ($register_policy == REGISTER_OPEN) && ($record['account_flags'] & ACCOUNT_UNVERIFIED))
|
||||
// return null;
|
||||
|
||||
$r = q("select * from account where account_email = '%s'",
|
||||
dbesc($email)
|
||||
);
|
||||
if($r) {
|
||||
|
||||
foreach($r as $record) {
|
||||
if(($record['account_flags'] == ACCOUNT_OK)
|
||||
&& (hash('whirlpool', $record['account_salt'] . $pass) === $record['account_password'])) {
|
||||
logger('password verified for ' . $email);
|
||||
return $record;
|
||||
}
|
||||
}
|
||||
if(($email_verify) && ($register_policy == REGISTER_OPEN) && ($account['account_flags'] & ACCOUNT_UNVERIFIED)) {
|
||||
logger('email verification required for ' . $login);
|
||||
return null;
|
||||
}
|
||||
|
||||
$x = q("select * from atoken where atoken_name = '%s' and atoken_token = '%s' limit 1",
|
||||
dbesc($email),
|
||||
dbesc($pass)
|
||||
);
|
||||
if($x) {
|
||||
atoken_login($x[0]);
|
||||
return $x[0];
|
||||
if(($account['account_flags'] == ACCOUNT_OK)
|
||||
&& (hash('whirlpool',$account['account_salt'] . $pass) === $account['account_password'])) {
|
||||
logger('password verified for ' . $login);
|
||||
$ret['account'] = $account;
|
||||
if($channel)
|
||||
$ret['channel'] = $channel;
|
||||
return $ret;
|
||||
}
|
||||
|
||||
$error = 'password failed for ' . $email;
|
||||
$error = 'password failed for ' . $login;
|
||||
logger($error);
|
||||
|
||||
if($record['account_flags'] & ACCOUNT_UNVERIFIED)
|
||||
logger('Account is unverified. account_flags = ' . $record['account_flags']);
|
||||
if($record['account_flags'] & ACCOUNT_BLOCKED)
|
||||
logger('Account is blocked. account_flags = ' . $record['account_flags']);
|
||||
if($record['account_flags'] & ACCOUNT_EXPIRED)
|
||||
logger('Account is expired. account_flags = ' . $record['account_flags']);
|
||||
if($record['account_flags'] & ACCOUNT_REMOVED)
|
||||
logger('Account is removed. account_flags = ' . $record['account_flags']);
|
||||
if($record['account_flags'] & ACCOUNT_PENDING)
|
||||
logger('Account is pending. account_flags = ' . $record['account_flags']);
|
||||
if($account['account_flags'] & ACCOUNT_UNVERIFIED)
|
||||
logger('Account is unverified. account_flags = ' . $account['account_flags']);
|
||||
if($account['account_flags'] & ACCOUNT_BLOCKED)
|
||||
logger('Account is blocked. account_flags = ' . $account['account_flags']);
|
||||
if($account['account_flags'] & ACCOUNT_EXPIRED)
|
||||
logger('Account is expired. account_flags = ' . $account['account_flags']);
|
||||
if($account['account_flags'] & ACCOUNT_REMOVED)
|
||||
logger('Account is removed. account_flags = ' . $account['account_flags']);
|
||||
if($account['account_flags'] & ACCOUNT_PENDING)
|
||||
logger('Account is pending. account_flags = ' . $account['account_flags']);
|
||||
|
||||
log_failed_login($error);
|
||||
|
||||
@@ -131,7 +154,7 @@ if((isset($_SESSION)) && (x($_SESSION, 'authenticated')) &&
|
||||
App::$session->new_cookie(60 * 60 * 24); // one day
|
||||
$_SESSION['last_login_date'] = datetime_convert();
|
||||
unset($_SESSION['visitor_id']); // no longer a visitor
|
||||
authenticate_success($x[0], true, true);
|
||||
authenticate_success($x[0], null, true, true);
|
||||
}
|
||||
}
|
||||
if(array_key_exists('atoken',$_SESSION)) {
|
||||
@@ -177,7 +200,8 @@ if((isset($_SESSION)) && (x($_SESSION, 'authenticated')) &&
|
||||
App::$session->extend_cookie();
|
||||
$login_refresh = true;
|
||||
}
|
||||
authenticate_success($r[0], false, false, false, $login_refresh);
|
||||
$ch = (($_SESSION['uid']) ? channelx_by_n($_SESSION['uid']) : null);
|
||||
authenticate_success($r[0], null, $ch, false, false, $login_refresh);
|
||||
}
|
||||
else {
|
||||
$_SESSION['account_id'] = 0;
|
||||
@@ -218,37 +242,38 @@ else {
|
||||
|
||||
call_hooks('authenticate', $addon_auth);
|
||||
|
||||
$atoken = false;
|
||||
$atoken = null;
|
||||
$account = null;
|
||||
|
||||
if(($addon_auth['authenticated']) && (count($addon_auth['user_record']))) {
|
||||
$record = $addon_auth['user_record'];
|
||||
$account = $addon_auth['user_record'];
|
||||
}
|
||||
else {
|
||||
$x = account_verify_password($_POST['username'], $_POST['password']);
|
||||
if(array_key_exists('atoken',$x))
|
||||
$atoken = true;
|
||||
if(! $atoken) {
|
||||
$record = App::$account = $x;
|
||||
$verify = account_verify_password($_POST['username'], $_POST['password']);
|
||||
if($verify) {
|
||||
$atoken = $verify['xchan'];
|
||||
$channel = $verify['channel'];
|
||||
$account = App::$account = $verify['account'];
|
||||
}
|
||||
|
||||
if(App::$account) {
|
||||
$_SESSION['account_id'] = App::$account['account_id'];
|
||||
}
|
||||
else {
|
||||
notice( t('Failed authentication') . EOL);
|
||||
}
|
||||
|
||||
logger('authenticate: ' . print_r(App::$account, true), LOGGER_ALL);
|
||||
if(App::$account) {
|
||||
$_SESSION['account_id'] = App::$account['account_id'];
|
||||
}
|
||||
elseif($atoken) {
|
||||
atoken_login($atoken);
|
||||
}
|
||||
else {
|
||||
notice( t('Failed authentication') . EOL);
|
||||
}
|
||||
}
|
||||
|
||||
if((! $record) || (! count($record))) {
|
||||
if(! ($account || $atoken)) {
|
||||
$error = 'authenticate: failed login attempt: ' . notags(trim($_POST['username'])) . ' from IP ' . $_SERVER['REMOTE_ADDR'];
|
||||
logger($error);
|
||||
// Also log failed logins to a separate auth log to reduce overhead for server side intrusion prevention
|
||||
$authlog = get_config('system', 'authlog');
|
||||
if ($authlog)
|
||||
@file_put_contents($authlog, datetime_convert() . ':' . session_id() . ' ' . $error . "\n", FILE_APPEND);
|
||||
|
||||
notice( t('Login failed.') . EOL );
|
||||
goaway(z_root() . '/login');
|
||||
}
|
||||
@@ -279,7 +304,7 @@ else {
|
||||
|
||||
$_SESSION['last_login_date'] = datetime_convert();
|
||||
if(! $atoken)
|
||||
authenticate_success($record, true, true);
|
||||
authenticate_success($account,$channel,true, true);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -183,7 +183,9 @@ function format_ical_text($s) {
|
||||
require_once('include/bbcode.php');
|
||||
require_once('include/html2plain.php');
|
||||
|
||||
return(wordwrap(str_replace(array(',',';','\\'),array('\\,','\\;','\\\\'),html2plain(bbcode($s))),72,"\r\n ",true));
|
||||
$s = html2plain(bbcode($s));
|
||||
$s = str_replace(["\r\n","\n"],["",""],$s);
|
||||
return(wordwrap(str_replace(['\\',',',';'],['\\\\','\\,','\\;'],$s),72,"\r\n ",true));
|
||||
}
|
||||
|
||||
|
||||
|
||||
@@ -170,7 +170,7 @@ class ZotOAuth1 extends OAuth1Server {
|
||||
);
|
||||
if($x) {
|
||||
require_once('include/security.php');
|
||||
authenticate_success($x[0],true,false,true,true);
|
||||
authenticate_success($x[0],null,true,false,true,true);
|
||||
$_SESSION['allow_api'] = true;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -12,7 +12,7 @@
|
||||
* @param bool $return
|
||||
* @param bool $update_lastlog
|
||||
*/
|
||||
function authenticate_success($user_record, $login_initial = false, $interactive = false, $return = false, $update_lastlog = false) {
|
||||
function authenticate_success($user_record, $channel = null, $login_initial = false, $interactive = false, $return = false, $update_lastlog = false) {
|
||||
|
||||
$_SESSION['addr'] = $_SERVER['REMOTE_ADDR'];
|
||||
|
||||
@@ -23,11 +23,15 @@ function authenticate_success($user_record, $login_initial = false, $interactive
|
||||
$_SESSION['account_id'] = $user_record['account_id'];
|
||||
$_SESSION['authenticated'] = 1;
|
||||
|
||||
if($channel)
|
||||
$uid_to_load = $channel['channel_id'];
|
||||
|
||||
$uid_to_load = (((x($_SESSION,'uid')) && (intval($_SESSION['uid'])))
|
||||
? intval($_SESSION['uid'])
|
||||
: intval(App::$account['account_default_channel'])
|
||||
);
|
||||
if(! $uid_to_load) {
|
||||
$uid_to_load = (((x($_SESSION,'uid')) && (intval($_SESSION['uid'])))
|
||||
? intval($_SESSION['uid'])
|
||||
: intval(App::$account['account_default_channel'])
|
||||
);
|
||||
}
|
||||
|
||||
if($uid_to_load) {
|
||||
change_channel($uid_to_load);
|
||||
@@ -85,16 +89,12 @@ function authenticate_success($user_record, $login_initial = false, $interactive
|
||||
function atoken_login($atoken) {
|
||||
if(! $atoken)
|
||||
return false;
|
||||
|
||||
$xchan = atoken_xchan($atoken);
|
||||
|
||||
$_SESSION['authenticated'] = 1;
|
||||
$_SESSION['visitor_id'] = $xchan['xchan_hash'];
|
||||
$_SESSION['visitor_id'] = $atoken['xchan_hash'];
|
||||
$_SESSION['atoken'] = $atoken['atoken_id'];
|
||||
|
||||
\App::set_observer($xchan);
|
||||
|
||||
return [ 'atoken' => true ];
|
||||
\App::set_observer($atoken);
|
||||
return true;
|
||||
}
|
||||
|
||||
|
||||
@@ -102,7 +102,8 @@ function atoken_xchan($atoken) {
|
||||
|
||||
$c = channelx_by_n($atoken['atoken_uid']);
|
||||
if($c) {
|
||||
return [
|
||||
return [
|
||||
'atoken_id' => $atoken['atoken_id'],
|
||||
'xchan_hash' => substr($c['channel_hash'],0,16) . '.' . $atoken['atoken_name'],
|
||||
'xchan_name' => $atoken['atoken_name'],
|
||||
'xchan_addr' => t('guest:') . $atoken['atoken_name'] . '@' . \App::get_hostname(),
|
||||
@@ -115,7 +116,7 @@ function atoken_xchan($atoken) {
|
||||
|
||||
];
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
|
||||
|
||||
Reference in New Issue
Block a user