aboutsummaryrefslogtreecommitdiffstats
path: root/include/auth.php
diff options
context:
space:
mode:
Diffstat (limited to 'include/auth.php')
-rw-r--r--include/auth.php139
1 files changed, 82 insertions, 57 deletions
diff --git a/include/auth.php b/include/auth.php
index 79d04c728..f8120981a 100644
--- a/include/auth.php
+++ b/include/auth.php
@@ -20,62 +20,85 @@ require_once('include/security.php');
* attempts.
*
* @param string $email
- * The email address to verify.
+ * The login to verify (channel address, account email or guest login token).
* @param string $pass
* The provided password to verify.
* @return array|null
* Returns account record on success, null on failure.
*/
-function account_verify_password($email, $pass) {
+function account_verify_password($login, $pass) {
+
+ $ret = [ 'account' => null, 'channel' => null, 'xchan' => null ];
$email_verify = get_config('system', 'verify_email');
$register_policy = get_config('system', 'register_policy');
+ if(! $login)
+ return null;
+
+ $account = null;
+ $channel = null;
+ $xchan = null;
+
+ if(! strpos($login,'@')) {
+ $channel = channelx_by_nick($login);
+ if(! $channel) {
+ $x = q("select * from atoken where atoken_name = '%s' and atoken_token = '%s' limit 1",
+ dbesc($login),
+ dbesc($pass)
+ );
+ if($x) {
+ $ret['xchan'] = atoken_xchan($x[0]);
+ return $ret;
+ }
+ }
+ }
+ if($channel) {
+ $where = " where account_id = " . intval($channel['channel_account_id']) . " ";
+ }
+ else {
+ $where = " where account_email = '" . dbesc($login) . "' ";
+ }
+
+ $a = q("select * from account $where");
+ if(! $a) {
+ return null;
+ }
+
+ $account = $a[0];
+
// Currently we only verify email address if there is an open registration policy.
// This isn't because of any policy - it's because the workflow gets too complicated if
// you have to verify the email and then go through the account approval workflow before
// letting them login.
- // @bug there is no record here
- //if(($email_verify) && ($register_policy == REGISTER_OPEN) && ($record['account_flags'] & ACCOUNT_UNVERIFIED))
- // return null;
-
- $r = q("select * from account where account_email = '%s'",
- dbesc($email)
- );
- if($r) {
-
- foreach($r as $record) {
- if(($record['account_flags'] == ACCOUNT_OK)
- && (hash('whirlpool', $record['account_salt'] . $pass) === $record['account_password'])) {
- logger('password verified for ' . $email);
- return $record;
- }
- }
+ if(($email_verify) && ($register_policy == REGISTER_OPEN) && ($account['account_flags'] & ACCOUNT_UNVERIFIED)) {
+ logger('email verification required for ' . $login);
+ return null;
}
- $x = q("select * from atoken where atoken_name = '%s' and atoken_token = '%s' limit 1",
- dbesc($email),
- dbesc($pass)
- );
- if($x) {
- atoken_login($x[0]);
- return $x[0];
+ if(($account['account_flags'] == ACCOUNT_OK)
+ && (hash('whirlpool',$account['account_salt'] . $pass) === $account['account_password'])) {
+ logger('password verified for ' . $login);
+ $ret['account'] = $account;
+ if($channel)
+ $ret['channel'] = $channel;
+ return $ret;
}
- $error = 'password failed for ' . $email;
+ $error = 'password failed for ' . $login;
logger($error);
- if($record['account_flags'] & ACCOUNT_UNVERIFIED)
- logger('Account is unverified. account_flags = ' . $record['account_flags']);
- if($record['account_flags'] & ACCOUNT_BLOCKED)
- logger('Account is blocked. account_flags = ' . $record['account_flags']);
- if($record['account_flags'] & ACCOUNT_EXPIRED)
- logger('Account is expired. account_flags = ' . $record['account_flags']);
- if($record['account_flags'] & ACCOUNT_REMOVED)
- logger('Account is removed. account_flags = ' . $record['account_flags']);
- if($record['account_flags'] & ACCOUNT_PENDING)
- logger('Account is pending. account_flags = ' . $record['account_flags']);
+ if($account['account_flags'] & ACCOUNT_UNVERIFIED)
+ logger('Account is unverified. account_flags = ' . $account['account_flags']);
+ if($account['account_flags'] & ACCOUNT_BLOCKED)
+ logger('Account is blocked. account_flags = ' . $account['account_flags']);
+ if($account['account_flags'] & ACCOUNT_EXPIRED)
+ logger('Account is expired. account_flags = ' . $account['account_flags']);
+ if($account['account_flags'] & ACCOUNT_REMOVED)
+ logger('Account is removed. account_flags = ' . $account['account_flags']);
+ if($account['account_flags'] & ACCOUNT_PENDING)
+ logger('Account is pending. account_flags = ' . $account['account_flags']);
log_failed_login($error);
@@ -131,7 +154,7 @@ if((isset($_SESSION)) && (x($_SESSION, 'authenticated')) &&
App::$session->new_cookie(60 * 60 * 24); // one day
$_SESSION['last_login_date'] = datetime_convert();
unset($_SESSION['visitor_id']); // no longer a visitor
- authenticate_success($x[0], true, true);
+ authenticate_success($x[0], null, true, true);
}
}
if(array_key_exists('atoken',$_SESSION)) {
@@ -177,7 +200,8 @@ if((isset($_SESSION)) && (x($_SESSION, 'authenticated')) &&
App::$session->extend_cookie();
$login_refresh = true;
}
- authenticate_success($r[0], false, false, false, $login_refresh);
+ $ch = (($_SESSION['uid']) ? channelx_by_n($_SESSION['uid']) : null);
+ authenticate_success($r[0], null, $ch, false, false, $login_refresh);
}
else {
$_SESSION['account_id'] = 0;
@@ -218,37 +242,38 @@ else {
call_hooks('authenticate', $addon_auth);
- $atoken = false;
+ $atoken = null;
+ $account = null;
if(($addon_auth['authenticated']) && (count($addon_auth['user_record']))) {
- $record = $addon_auth['user_record'];
+ $account = $addon_auth['user_record'];
}
else {
- $x = account_verify_password($_POST['username'], $_POST['password']);
- if(array_key_exists('atoken',$x))
- $atoken = true;
- if(! $atoken) {
- $record = App::$account = $x;
-
- if(App::$account) {
- $_SESSION['account_id'] = App::$account['account_id'];
- }
- else {
- notice( t('Failed authentication') . EOL);
- }
-
- logger('authenticate: ' . print_r(App::$account, true), LOGGER_ALL);
+ $verify = account_verify_password($_POST['username'], $_POST['password']);
+ if($verify) {
+ $atoken = $verify['xchan'];
+ $channel = $verify['channel'];
+ $account = App::$account = $verify['account'];
+ }
+
+ if(App::$account) {
+ $_SESSION['account_id'] = App::$account['account_id'];
+ }
+ elseif($atoken) {
+ atoken_login($atoken);
+ }
+ else {
+ notice( t('Failed authentication') . EOL);
}
}
- if((! $record) || (! count($record))) {
+ if(! ($account || $atoken)) {
$error = 'authenticate: failed login attempt: ' . notags(trim($_POST['username'])) . ' from IP ' . $_SERVER['REMOTE_ADDR'];
logger($error);
// Also log failed logins to a separate auth log to reduce overhead for server side intrusion prevention
$authlog = get_config('system', 'authlog');
if ($authlog)
@file_put_contents($authlog, datetime_convert() . ':' . session_id() . ' ' . $error . "\n", FILE_APPEND);
-
notice( t('Login failed.') . EOL );
goaway(z_root() . '/login');
}
@@ -279,7 +304,7 @@ else {
$_SESSION['last_login_date'] = datetime_convert();
if(! $atoken)
- authenticate_success($record, true, true);
+ authenticate_success($account,$channel,true, true);
}
}