aboutsummaryrefslogtreecommitdiffstats
path: root/include/auth.php
Commit message (Collapse)AuthorAgeFilesLines
* php8: random cleanup and warning fixesMario2022-09-081-2/+2
|
* fix random php warningsMario2022-09-071-2/+2
|
* fix duplicate ids in login form and move login/register buttons into the ↵Mario2022-03-031-17/+22
| | | | hamburger menu on small screens
* prefer zot6 and also check for hubloc_deletedMario Vavti2020-08-241-2/+5
|
* ensure all password checking goes through the authenticate plugin hook (for ↵zotlabs2018-05-141-80/+98
| | | | instance in mod_removeme)
* channel delegation: push current identity and pop it on logout from the ↵zotlabs2018-04-111-2/+11
| | | | delegated channel. This fixes the known issue of being forced to log back in after leaving the delegated channel.
* hubzilla issue #1015 - login with unicode domain namezotlabs2018-03-281-2/+3
|
* redirect to the email_validation page if login was attempted after account ↵zotlabs2018-01-291-0/+1
| | | | creation but prior to successful verification. This presents the link to resend the verification email and/or allows you to enter it.
* on failed auth due to unverified email, tell the person why and remind them ↵zotlabs2017-10-101-2/+5
| | | | to check their email.
* fix immediate issue with multiple login forms until I can figure out an ↵zotlabs2017-02-081-1/+1
| | | | elegant way to "popup" the modal login form already on the page. We still may need this fix for the actual login module which should always be callable and present a login form even if the nav is completely borked.
* This checkin should make all permission modes work correctly with atokens ↵redmatrix2016-08-011-0/+1
| | | | (they should be able to post content if allowed to). It also removes the strict linkage between permissions and connections so any individual permission can be set for any xchan; even those for which you have no connections.
* zat URL auth updated to match changes to the atoken_login interfaceredmatrix2016-07-211-2/+10
|
* sort out some of the authentication mess - with luck this may fix the DAV ↵redmatrix2016-07-201-57/+82
| | | | auth issue which I simply could not duplicate or find a reason for.
* first cut at zot access tokensredmatrix2016-07-141-24/+52
|
* more work on sessions and cookies, as some anomalies appeared in caldav and ↵redmatrix2016-05-161-8/+8
| | | | firefox which suggested deeper issues
* move more session related stuff such as paranoia handling (IP address ↵redmatrix2016-04-101-36/+2
| | | | changes) into the session object and extend remember_me cookies once a day so that they will never expire (theoretically). The DB session driver will extend its expiration on every session write (in the case of persistent sessions).
* a few issues: block public not blocking mod_cal, typo in sql for one clone ↵redmatrix2016-04-101-0/+2
| | | | file sync operation, fix_system_urls not catching cached contact photos, extend sessionhandler expiration when remember_me is enabled as the stored session is expiring long before the browser session.
* objectify all the session management stuffredmatrix2016-04-081-7/+7
|
* Bug: "remember me" doesn'tredmatrix2016-04-031-2/+2
|
* static Appredmatrix2016-03-311-8/+8
|
* issue #320 - regression, after removing channel attached to an authenticated ↵redmatrix2016-03-121-27/+0
| | | | session the session was not completely cleared.
* Move api_auth() out to a file that can be included from plugins/modules to ↵ken restivo2015-11-101-0/+1
| | | | allow them to expose their own programmatic API.
* explicitly unset delegate session vars on logoutfriendica2015-03-231-1/+2
|
* local_user => local_channelfriendica2015-01-281-1/+1
|
* Redirect to login page on failed login. Fixes #628Stefan Parviainen2014-12-281-1/+1
|
* Add security logger to RedDAV.Klaus Weidenbach2014-12-141-4/+18
| | | | Some smaller clean ups whitepsaces and tabs, use PHP_EOL, Doxygen, etc.
* PostgreSQL support initial commitHabeas Codice2014-11-131-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There were 11 main types of changes: - UPDATE's and DELETE's sometimes had LIMIT 1 at the end of them. This is not only non-compliant but it would certainly not do what whoever wrote it thought it would. It is likely this mistake was just copied from Friendica. All of these instances, the LIMIT 1 was simply removed. - Bitwise operations (and even some non-zero int checks) erroneously rely on MySQL implicit integer-boolean conversion in the WHERE clauses. This is non-compliant (and bad programming practice to boot). Proper explicit boolean conversions were added. New queries should use proper conventions. - MySQL has a different operator for bitwise XOR than postgres. Rather than add yet another dba_ func, I converted them to "& ~" ("AND NOT") when turning off, and "|" ("OR") when turning on. There were no true toggles (XOR). New queries should refrain from using XOR when not necessary. - There are several fields which the schema has marked as NOT NULL, but the inserts don't specify them. The reason this works is because mysql totally ignores the constraint and adds an empty text default automatically. Again, non-compliant, obviously. In these cases a default of empty text was added. - Several statements rely on a non-standard MySQL feature (http://dev.mysql.com/doc/refman/5.5/en/group-by-handling.html). These queries can all be rewritten to be standards compliant. Interestingly enough, the newly rewritten standards compliant queries run a zillion times faster, even on MySQL. - A couple of function/operator name translations were needed (RAND/RANDOM, GROUP_CONCAT/STRING_AGG, UTC_NOW, REGEXP/~, ^/#) -- assist functions added in the dba_ - INTERVALs: postgres requires quotes around the value, mysql requires that there are not quotes around the value -- assist functions added in the dba_ - NULL_DATE's -- Postgres does not allow the invalid date '0000-00-00 00:00:00' (there is no such thing as year 0 or month 0 or day 0). We use '0001-01-01 00:00:00' for postgres. Conversions are handled in Zot/item packets automagically by quoting all dates with dbescdate(). - char(##) specifications in the schema creates fields with blank spaces that aren't trimmed in the code. MySQL apparently treats char(##) as varchar(##), again, non-compliant. Since postgres works better with text fields anyway, this ball of bugs was simply side-stepped by using 'text' datatype for all text fields in the postgres schema. varchar was used in a couple of places where it actually seemed appropriate (size constraint), but without rigorously vetting that all of the PHP code actually validates data, new bugs might come out from under the rug. - postgres doesn't store nul bytes and a few other non-printables in text fields, even when quoted. bytea fields were used when storing binary data (photo.data, attach.data). A new dbescbin() function was added to handle this transparently. - postgres does not support LIMIT #,# syntax. All databases support LIMIT # OFFSET # syntax. Statements were updated to be standard. These changes require corresponding changes in the coding standards. Please review those before adding any code going forward. Still on my TODO list: - remove quotes from non-reserved identifiers and make reserved identifiers use dba func for quoting - Rewrite search queries for better results (both MySQL and Postgres)
* Some documentation of include/auth.php.Klaus Weidenbach2014-10-051-53/+74
|
* and provide a strong hint by showing the errant account_flagsfriendica2014-09-091-5/+5
|
* in case somebody has problems and does an update to try and fix it, put ↵friendica2014-09-091-0/+13
| | | | something in the logs to show what's happening.
* paranoia tweaksfriendica2014-07-211-2/+6
|
* add more control to auth paranoia settingfriendica2014-07-201-4/+27
|
* docofriendica2014-07-101-1/+7
|
* finish implementing email verification. Currently it only applies if ↵friendica2014-07-091-1/+6
| | | | REGISTER_OPEN is in effect.
* log IP mis-matches even if paranoia isn't set.friendica2014-05-111-7/+8
|
* This should resolve the dav authentication loop (correctly)friendica2014-02-221-6/+15
|
* introduce a new privacy level "PERMS_AUTHED" to indicate somebody that is ↵friendica2014-02-181-1/+1
| | | | able to successfully authenticate (but is not necessarily in this network).
* some more snakebite and fix up include/account - forgot about that inline ↵friendica2014-02-181-4/+4
| | | | array stuff
* operation snakebite continued. openid now works for local accounts using the ↵friendica2014-02-171-0/+10
| | | | rmagic module and after storing your openid in pconfig. This is just an interesting but trivial (in the bigger scheme of things) side effect of snakebite. The snake hasn't even waken up yet.
* use profile photo on vcard before reverting to xchan photofriendica2014-02-111-1/+1
|
* Log failed auth to it's own file so fail2ban doesn't have to parse MB of textThomas Willingham2014-01-151-2/+15
|
* on successful magic-auth, put remote_service_class and remote_hub into the ↵friendica2013-12-031-0/+2
| | | | session
* doc - complete hook list, still need detailed functional descriptions with ↵friendica2013-10-181-1/+2
| | | | parameters and examples for each
* More mobile theme fixesChristian Vogeley2013-08-311-0/+1
| | | | | | If user is logged in personal settings are used else use admin settings. Only show toggle link if there is something to switch between.
* get rid of more variables with dashes in the names - use underscore *except* ↵friendica2013-08-151-1/+1
| | | | in CSS. These were probably already here, but if you see any - please keep them out of PHP and MySQL where they sometimes get interpreted as a subtraction operation and are a bugger to find.
* remote control - if auth'd visitor is in config system remote_admins ↵friendica2013-07-221-0/+15
| | | | (array), become superuser. Literally. Full control. Untested.
* move new_cookie() to the session driver so we can use it for other purposes ↵friendica2013-05-231-10/+0
| | | | besides "normal" web login (for instance magic auth)
* start formatting for Doxygenfriendica2013-02-251-1/+1
|
* lostpass fixes and login/logout flow if authenticated but no default channel ↵friendica2013-01-271-0/+2
| | | | exists
* make contact_remove sort of work so I can actually get rid of Oliver's and ↵friendica2013-01-251-2/+2
| | | | Michael J's dead contacts and not poll them every ten minutes forever