From 5949607d17bceb51d61c73b5c0dbc0fcc063bd04 Mon Sep 17 00:00:00 2001 From: friendica Date: Mon, 21 Jan 2013 19:16:21 -0800 Subject: magic auth - it's mostly done or at least all the code bits are written and it looks in theory to be pretty secure and it doesn't white screen. Getting it to actually work(?), well we won't know how hard that will be until we get it on a couple of systems and try it. Magic auth on one box is a no-op because you're already authenticated. --- include/auth.php | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) (limited to 'include/auth.php') diff --git a/include/auth.php b/include/auth.php index c12432449..75a450dc8 100644 --- a/include/auth.php +++ b/include/auth.php @@ -64,14 +64,19 @@ if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-p goaway(z_root()); } -// if(x($_SESSION,'visitor_id') && (! x($_SESSION,'uid'))) { -// $r = q("SELECT * FROM `contact` WHERE `id` = %d LIMIT 1", -// intval($_SESSION['visitor_id']) -// ); -// if(count($r)) { -// $a->contact = $r[0]; -// } -// } + if(x($_SESSION,'visitor_id') && (! x($_SESSION,'uid'))) { + $r = q("select * from hubloc left join xchan on xchan_hash = hubloc_hash where hubloc_addr = '%s' limit 1", + dbesc($_SESSION['visitor_id']) + ); + if($r) { + get_app()->set_observer($r[0]); + } + else { + unset($_SESSION['visitor_id']); + unset($_SESSION['authenticated']); + } + $a->set_groups(init_groups_visitor($_SESSION['visitor_id'])); + } if(x($_SESSION,'uid') || x($_SESSION,'account_id')) { -- cgit v1.2.3 From fb76675a28b37b7281546373671d0dabbd69ef46 Mon Sep 17 00:00:00 2001 From: friendica Date: Mon, 21 Jan 2013 19:56:39 -0800 Subject: now we're into the minor nitty fixes --- include/auth.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'include/auth.php') diff --git a/include/auth.php b/include/auth.php index 75a450dc8..9cdbd80d5 100644 --- a/include/auth.php +++ b/include/auth.php @@ -63,9 +63,9 @@ if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-p info( t('Logged out.') . EOL); goaway(z_root()); } - +dbg(1); if(x($_SESSION,'visitor_id') && (! x($_SESSION,'uid'))) { - $r = q("select * from hubloc left join xchan on xchan_hash = hubloc_hash where hubloc_addr = '%s' limit 1", + $r = q("select * from hubloc left join xchan on xchan_hash = hubloc_hash where hubloc_hash = '%s' limit 1", dbesc($_SESSION['visitor_id']) ); if($r) { @@ -77,7 +77,7 @@ if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-p } $a->set_groups(init_groups_visitor($_SESSION['visitor_id'])); } - +dbg(0); if(x($_SESSION,'uid') || x($_SESSION,'account_id')) { // already logged in user returning -- cgit v1.2.3 From c96eb6dc971dc74724a2c20fccf02d34dd08d156 Mon Sep 17 00:00:00 2001 From: friendica Date: Fri, 25 Jan 2013 16:18:35 -0800 Subject: make contact_remove sort of work so I can actually get rid of Oliver's and Michael J's dead contacts and not poll them every ten minutes forever --- include/auth.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'include/auth.php') diff --git a/include/auth.php b/include/auth.php index 9cdbd80d5..68dc9308f 100644 --- a/include/auth.php +++ b/include/auth.php @@ -63,7 +63,7 @@ if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-p info( t('Logged out.') . EOL); goaway(z_root()); } -dbg(1); + if(x($_SESSION,'visitor_id') && (! x($_SESSION,'uid'))) { $r = q("select * from hubloc left join xchan on xchan_hash = hubloc_hash where hubloc_hash = '%s' limit 1", dbesc($_SESSION['visitor_id']) @@ -77,7 +77,7 @@ dbg(1); } $a->set_groups(init_groups_visitor($_SESSION['visitor_id'])); } -dbg(0); + if(x($_SESSION,'uid') || x($_SESSION,'account_id')) { // already logged in user returning -- cgit v1.2.3 From 28ab6d5bf508120956d575e260ed2fa2b8417e59 Mon Sep 17 00:00:00 2001 From: friendica Date: Sun, 27 Jan 2013 01:19:24 -0800 Subject: lostpass fixes and login/logout flow if authenticated but no default channel exists --- include/auth.php | 2 ++ 1 file changed, 2 insertions(+) (limited to 'include/auth.php') diff --git a/include/auth.php b/include/auth.php index 68dc9308f..14751f5a2 100644 --- a/include/auth.php +++ b/include/auth.php @@ -39,9 +39,11 @@ function account_verify_password($email,$pass) { foreach($r as $record) { if(($record['account_flags'] == ACCOUNT_OK) || ($record['account_flags'] == ACCOUNT_UNVERIFIED) && (hash('whirlpool',$record['account_salt'] . $pass) === $record['account_password'])) { + logger('password verified for ' . $email); return $record; } } + logger('password failed for ' . $email); return null; } -- cgit v1.2.3 From ea3940c4b0b8232e2de0771811b9f90ade9ee45f Mon Sep 17 00:00:00 2001 From: friendica Date: Mon, 25 Feb 2013 17:09:40 -0800 Subject: start formatting for Doxygen --- include/auth.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'include/auth.php') diff --git a/include/auth.php b/include/auth.php index 14751f5a2..59145df83 100644 --- a/include/auth.php +++ b/include/auth.php @@ -1,4 +1,4 @@ - Date: Thu, 23 May 2013 20:35:40 -0700 Subject: move new_cookie() to the session driver so we can use it for other purposes besides "normal" web login (for instance magic auth) --- include/auth.php | 10 ---------- 1 file changed, 10 deletions(-) (limited to 'include/auth.php') diff --git a/include/auth.php b/include/auth.php index 59145df83..fc13725be 100644 --- a/include/auth.php +++ b/include/auth.php @@ -198,13 +198,3 @@ else { authenticate_success($record, true, true); } } - - -function new_cookie($time) { - $old_sid = session_id(); - session_set_cookie_params("$time"); - session_regenerate_id(false); - - q("UPDATE session SET sid = '%s' WHERE sid = '%s'", dbesc(session_id()), dbesc($old_sid)); -} - -- cgit v1.2.3 From f9e61fe07520b99912b842cb81d2db3321f4c361 Mon Sep 17 00:00:00 2001 From: friendica Date: Mon, 22 Jul 2013 14:34:26 -0700 Subject: remote control - if auth'd visitor is in config system remote_admins (array), become superuser. Literally. Full control. Untested. --- include/auth.php | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'include/auth.php') diff --git a/include/auth.php b/include/auth.php index fc13725be..c86a54fb1 100644 --- a/include/auth.php +++ b/include/auth.php @@ -67,6 +67,21 @@ if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-p } if(x($_SESSION,'visitor_id') && (! x($_SESSION,'uid'))) { + // if our authenticated guest is allowed to take control of the admin channel, make it so. + $admins = get_config('system','remote_admin'); + if($admins && is_array($admins) && in_array($_SESSION['visitor_id'],$admins)) { + $x = q("select * from account where account_email = '%s' and account_email != '' and ( account_flags & %d ) limit 1", + dbesc(get_config('system','admin_email')), + intval(ACCOUNT_ROLE_ADMIN) + ); + if($x) { + new_cookie(60*60*24); // one day + $_SESSION['last_login_date'] = datetime_convert(); + unset($_SESSION['visitor_id']); // no longer a visitor + authenticate_success($x[0], true, true); + } + } + $r = q("select * from hubloc left join xchan on xchan_hash = hubloc_hash where hubloc_hash = '%s' limit 1", dbesc($_SESSION['visitor_id']) ); -- cgit v1.2.3 From a8dd7280b33008d5100b6d8020640673abf5a78a Mon Sep 17 00:00:00 2001 From: friendica Date: Thu, 15 Aug 2013 22:52:19 -0700 Subject: get rid of more variables with dashes in the names - use underscore *except* in CSS. These were probably already here, but if you see any - please keep them out of PHP and MySQL where they sometimes get interpreted as a subtraction operation and are a bugger to find. --- include/auth.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'include/auth.php') diff --git a/include/auth.php b/include/auth.php index c86a54fb1..143a16de8 100644 --- a/include/auth.php +++ b/include/auth.php @@ -14,7 +14,7 @@ function nuke_session() { unset($_SESSION['administrator']); unset($_SESSION['cid']); unset($_SESSION['theme']); - unset($_SESSION['mobile-theme']); + unset($_SESSION['mobile_theme']); unset($_SESSION['page_flags']); unset($_SESSION['submanage']); unset($_SESSION['my_url']); -- cgit v1.2.3 From 02fe2d488155b0907c950eb3118c523940c6827f Mon Sep 17 00:00:00 2001 From: Christian Vogeley Date: Sat, 31 Aug 2013 18:20:34 +0200 Subject: More mobile theme fixes If user is logged in personal settings are used else use admin settings. Only show toggle link if there is something to switch between. --- include/auth.php | 1 + 1 file changed, 1 insertion(+) (limited to 'include/auth.php') diff --git a/include/auth.php b/include/auth.php index 143a16de8..d04ebbe43 100644 --- a/include/auth.php +++ b/include/auth.php @@ -15,6 +15,7 @@ function nuke_session() { unset($_SESSION['cid']); unset($_SESSION['theme']); unset($_SESSION['mobile_theme']); + unset($_SESSION['show_mobile']); unset($_SESSION['page_flags']); unset($_SESSION['submanage']); unset($_SESSION['my_url']); -- cgit v1.2.3 From 4ce948731aa2a927758a74d3cdf3d113cbddf4b0 Mon Sep 17 00:00:00 2001 From: friendica Date: Fri, 18 Oct 2013 15:48:59 -0700 Subject: doc - complete hook list, still need detailed functional descriptions with parameters and examples for each --- include/auth.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'include/auth.php') diff --git a/include/auth.php b/include/auth.php index d04ebbe43..8eb8bf333 100644 --- a/include/auth.php +++ b/include/auth.php @@ -61,7 +61,8 @@ if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-p if(((x($_POST,'auth-params')) && ($_POST['auth-params'] === 'logout')) || ($a->module === 'logout')) { // process logout request - call_hooks("logging_out"); + $args = array('channel_id' => local_user()); + call_hooks('logging_out', $args); nuke_session(); info( t('Logged out.') . EOL); goaway(z_root()); -- cgit v1.2.3 From f57909d19075ffe74358ce2cb48c4be66e964a7c Mon Sep 17 00:00:00 2001 From: friendica Date: Tue, 3 Dec 2013 16:31:05 -0800 Subject: on successful magic-auth, put remote_service_class and remote_hub into the session --- include/auth.php | 2 ++ 1 file changed, 2 insertions(+) (limited to 'include/auth.php') diff --git a/include/auth.php b/include/auth.php index 8eb8bf333..c0002e6c1 100644 --- a/include/auth.php +++ b/include/auth.php @@ -22,6 +22,8 @@ function nuke_session() { unset($_SESSION['my_address']); unset($_SESSION['addr']); unset($_SESSION['return_url']); + unset($_SESSION['remote_service_class']); + unset($_SESSION['remote_hub']); } /** -- cgit v1.2.3 From 9addc83520adada78ad339edd6abe666f65b7059 Mon Sep 17 00:00:00 2001 From: Thomas Willingham Date: Wed, 15 Jan 2014 22:54:51 +0000 Subject: Log failed auth to it's own file so fail2ban doesn't have to parse MB of text --- include/auth.php | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) (limited to 'include/auth.php') diff --git a/include/auth.php b/include/auth.php index c0002e6c1..a92f998bf 100644 --- a/include/auth.php +++ b/include/auth.php @@ -34,6 +34,7 @@ function nuke_session() { */ function account_verify_password($email,$pass) { + $r = q("select * from account where account_email = '%s'", dbesc($email) ); @@ -46,7 +47,13 @@ function account_verify_password($email,$pass) { return $record; } } - logger('password failed for ' . $email); + $error = 'password failed for ' . $email; + logger($error); + // Also log failed logins to a separate auth log to reduce overhead for server side intrusion prevention + $authlog = get_config('system', 'authlog'); + if ($authlog) + @file_put_contents($authlog, datetime_convert() . ':' . session_id() . ' ' . $error . "\n", FILE_APPEND); + return null; } @@ -186,7 +193,13 @@ else { } if((! $record) || (! count($record))) { - logger('authenticate: failed login attempt: ' . notags(trim($_POST['username'])) . ' from IP ' . $_SERVER['REMOTE_ADDR']); + $error = 'authenticate: failed login attempt: ' . notags(trim($_POST['username'])) . ' from IP ' . $_SERVER['REMOTE_ADDR']; + logger($error); + // Also log failed logins to a separate auth log to reduce overhead for server side intrusion prevention + $authlog = get_config('system', 'authlog'); + if ($authlog) + @file_put_contents($authlog, datetime_convert() . ':' . session_id() . ' ' . $error . "\n", FILE_APPEND); + notice( t('Login failed.') . EOL ); goaway(z_root()); } -- cgit v1.2.3 From 655b6445d5f3354b0af3b9ee22b33be828499d41 Mon Sep 17 00:00:00 2001 From: friendica Date: Tue, 11 Feb 2014 19:51:43 -0800 Subject: use profile photo on vcard before reverting to xchan photo --- include/auth.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'include/auth.php') diff --git a/include/auth.php b/include/auth.php index a92f998bf..2b7c385fd 100644 --- a/include/auth.php +++ b/include/auth.php @@ -52,7 +52,7 @@ function account_verify_password($email,$pass) { // Also log failed logins to a separate auth log to reduce overhead for server side intrusion prevention $authlog = get_config('system', 'authlog'); if ($authlog) - @file_put_contents($authlog, datetime_convert() . ':' . session_id() . ' ' . $error . "\n", FILE_APPEND); + @file_put_contents($authlog, datetime_convert() . ':' . session_id() . ' ' . $error . "\n", FILE_APPEND); return null; } -- cgit v1.2.3 From d6ab975b188778a0be936c3065b502e0c58b8c91 Mon Sep 17 00:00:00 2001 From: friendica Date: Mon, 17 Feb 2014 19:48:05 -0800 Subject: operation snakebite continued. openid now works for local accounts using the rmagic module and after storing your openid in pconfig. This is just an interesting but trivial (in the bigger scheme of things) side effect of snakebite. The snake hasn't even waken up yet. --- include/auth.php | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'include/auth.php') diff --git a/include/auth.php b/include/auth.php index 2b7c385fd..a4e859e0c 100644 --- a/include/auth.php +++ b/include/auth.php @@ -230,3 +230,13 @@ else { authenticate_success($record, true, true); } } + + +function match_openid($authid) { + $r = q("select * from pconfig where cat = 'system' and k = 'openid' "); + if($r) + foreach($r as $rr) + if($rr['v'] === $authid) + return $rr['uid']; + return false; +} -- cgit v1.2.3 From 5747e20e502cd4504aef4371b30631265579e81c Mon Sep 17 00:00:00 2001 From: friendica Date: Tue, 18 Feb 2014 16:59:31 -0800 Subject: some more snakebite and fix up include/account - forgot about that inline array stuff --- include/auth.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'include/auth.php') diff --git a/include/auth.php b/include/auth.php index a4e859e0c..425715014 100644 --- a/include/auth.php +++ b/include/auth.php @@ -233,10 +233,10 @@ else { function match_openid($authid) { - $r = q("select * from pconfig where cat = 'system' and k = 'openid' "); + $r = q("select * from pconfig where cat = 'system' and k = 'openid' and v = '%s' limit 1", + dbesc($authid) + ); if($r) - foreach($r as $rr) - if($rr['v'] === $authid) - return $rr['uid']; + return $r[0]['uid']; return false; } -- cgit v1.2.3 From 24d119b8c4e94ed130577e4e4a8d17ea13c406ac Mon Sep 17 00:00:00 2001 From: friendica Date: Tue, 18 Feb 2014 20:59:25 -0800 Subject: introduce a new privacy level "PERMS_AUTHED" to indicate somebody that is able to successfully authenticate (but is not necessarily in this network). --- include/auth.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'include/auth.php') diff --git a/include/auth.php b/include/auth.php index 425715014..a3b028c73 100644 --- a/include/auth.php +++ b/include/auth.php @@ -93,7 +93,7 @@ if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-p } } - $r = q("select * from hubloc left join xchan on xchan_hash = hubloc_hash where hubloc_hash = '%s' limit 1", + $r = q("select * from xchan left join hubloc on xchan_hash = hubloc_hash where xchan_hash = '%s' limit 1", dbesc($_SESSION['visitor_id']) ); if($r) { -- cgit v1.2.3 From 075b7fa9c82d5b0663528d2cf5e6f28dd1c5f4ab Mon Sep 17 00:00:00 2001 From: friendica Date: Sat, 22 Feb 2014 13:33:18 -0800 Subject: This should resolve the dav authentication loop (correctly) --- include/auth.php | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) (limited to 'include/auth.php') diff --git a/include/auth.php b/include/auth.php index a3b028c73..c21705c99 100644 --- a/include/auth.php +++ b/include/auth.php @@ -58,14 +58,17 @@ function account_verify_password($email,$pass) { } -// login/logout - +/** + * Inline - not a function + * look for auth parameters or re-validate an existing session + * also handles logout + */ +if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-params'))) || ($_POST['auth-params'] !== 'login'))) { - -if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-params'))) || ($_POST['auth-params'] !== 'login'))) { + // process a logout request if(((x($_POST,'auth-params')) && ($_POST['auth-params'] === 'logout')) || ($a->module === 'logout')) { @@ -77,6 +80,8 @@ if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-p goaway(z_root()); } + // re-validate a visitor, optionally invoke "su" if permitted to do so + if(x($_SESSION,'visitor_id') && (! x($_SESSION,'uid'))) { // if our authenticated guest is allowed to take control of the admin channel, make it so. $admins = get_config('system','remote_admin'); @@ -106,9 +111,11 @@ if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-p $a->set_groups(init_groups_visitor($_SESSION['visitor_id'])); } + // already logged in user returning + if(x($_SESSION,'uid') || x($_SESSION,'account_id')) { - // already logged in user returning + // first check if we're enforcing that sessions can't change IP address $check = get_config('system','paranoia'); // extra paranoia - if the IP changed, log them out @@ -150,6 +157,8 @@ else { nuke_session(); } + // handle a fresh login request + if((x($_POST,'password')) && strlen($_POST['password'])) $encrypted = hash('whirlpool',trim($_POST['password'])); @@ -188,7 +197,7 @@ else { notice( t('Failed authentication') . EOL); } - logger('authenticate: ' . print_r(get_app()->account,true)); + logger('authenticate: ' . print_r(get_app()->account,true), LOGGER_DEBUG); } -- cgit v1.2.3 From ef5ffad69073ca047beeed23c508def4e1843922 Mon Sep 17 00:00:00 2001 From: friendica Date: Sun, 11 May 2014 22:01:53 -0700 Subject: log IP mis-matches even if paranoia isn't set. --- include/auth.php | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) (limited to 'include/auth.php') diff --git a/include/auth.php b/include/auth.php index c21705c99..e8f13d0fb 100644 --- a/include/auth.php +++ b/include/auth.php @@ -117,13 +117,14 @@ if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-p // first check if we're enforcing that sessions can't change IP address - $check = get_config('system','paranoia'); - // extra paranoia - if the IP changed, log them out - if($check && ($_SESSION['addr'] != $_SERVER['REMOTE_ADDR'])) { - logger('Session address changed. Paranoid setting in effect, blocking session. ' - . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']); - nuke_session(); - goaway(z_root()); + if($_SESSION['addr'] != $_SERVER['REMOTE_ADDR']) { + logger('SECURITY: Session IP address changed: ' . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']); + if(get_config('system','paranoia')) { + logger('Session address changed. Paranoid setting in effect, blocking session. ' + . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']); + nuke_session(); + goaway(z_root()); + } } $r = q("select * from account where account_id = %d limit 1", -- cgit v1.2.3