From bc8c74eb422387a5537eb923c90a34c1196ce568 Mon Sep 17 00:00:00 2001
From: redmatrix <git@macgirvin.com>
Date: Wed, 20 Jul 2016 17:55:40 -0700
Subject: sort out some of the authentication mess - with luck this may fix the
 DAV auth issue which I simply could not duplicate or find a reason for.

---
 include/account.php  |   2 +-
 include/api_auth.php |  14 ++----
 include/auth.php     | 139 ++++++++++++++++++++++++++++++---------------------
 include/oauth.php    |   2 +-
 include/security.php |  29 +++++------
 5 files changed, 102 insertions(+), 84 deletions(-)

(limited to 'include')

diff --git a/include/account.php b/include/account.php
index c02a74928..142ad1bea 100644
--- a/include/account.php
+++ b/include/account.php
@@ -515,7 +515,7 @@ function account_approve($hash) {
 		auto_channel_create($register[0]['uid']);
 	else {
 		$_SESSION['login_return_url'] = 'new_channel';
-		authenticate_success($account[0],true,true,false,true);
+		authenticate_success($account[0],null,true,true,false,true);
 	}	
 
 
diff --git a/include/api_auth.php b/include/api_auth.php
index dc8492b20..7a71bad73 100644
--- a/include/api_auth.php
+++ b/include/api_auth.php
@@ -59,20 +59,12 @@ function api_login(&$a){
 	if(isset($_SERVER['PHP_AUTH_USER'])) {
 		$channel_login = 0;
 		$record = account_verify_password($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW']);
-		if(! $record) {
-	        $r = q("select * from channel left join account on account.account_id = channel.channel_account_id 
-				where channel.channel_address = '%s' limit 1",
-		       dbesc($_SERVER['PHP_AUTH_USER'])
-			);
-        	if ($r) {
-				$record = account_verify_password($r[0]['account_email'],$_SERVER['PHP_AUTH_PW']);
-				if($record)
-					$channel_login = $r[0]['channel_id'];
-			}
+		if($record && $record['channel']) {
+			$channel_login = $record['channel']['channel_id'];
 		}
 	}
 
-	if($record) {
+	if($record['account']) {
 		authenticate_success($record);
 
 		if($channel_login)
diff --git a/include/auth.php b/include/auth.php
index 79d04c728..f8120981a 100644
--- a/include/auth.php
+++ b/include/auth.php
@@ -20,62 +20,85 @@ require_once('include/security.php');
  * attempts.
  *
  * @param string $email
- *  The email address to verify.
+ *  The login to verify (channel address, account email or guest login token).
  * @param string $pass
  *  The provided password to verify.
  * @return array|null
  *  Returns account record on success, null on failure.
  */
-function account_verify_password($email, $pass) {
+function account_verify_password($login, $pass) {
+
+	$ret = [ 'account' => null, 'channel' => null, 'xchan' => null ];
 
 	$email_verify = get_config('system', 'verify_email');
 	$register_policy = get_config('system', 'register_policy');
 
+	if(! $login)
+		return null;
+
+	$account = null;
+	$channel = null;
+	$xchan   = null;
+
+	if(! strpos($login,'@')) {
+		$channel = channelx_by_nick($login);
+		if(! $channel) {
+			$x = q("select * from atoken where atoken_name = '%s' and atoken_token = '%s' limit 1",
+				dbesc($login),
+				dbesc($pass)
+			);
+			if($x) {
+				$ret['xchan'] = atoken_xchan($x[0]);
+				return $ret;
+			}
+		}
+	}
+	if($channel) {
+		$where = " where account_id = " . intval($channel['channel_account_id']) . " ";
+	}
+	else {
+		$where = " where account_email = '" . dbesc($login) . "' ";
+	}
+
+	$a = q("select * from account $where");
+	if(! $a) {
+		return null;
+	}
+
+	$account = $a[0];
+
 	// Currently we only verify email address if there is an open registration policy.
 	// This isn't because of any policy - it's because the workflow gets too complicated if 
 	// you have to verify the email and then go through the account approval workflow before
 	// letting them login.
 
-	// @bug there is no record here
-	//if(($email_verify) && ($register_policy == REGISTER_OPEN) && ($record['account_flags'] & ACCOUNT_UNVERIFIED))
-	//	return null;
-
-	$r = q("select * from account where account_email = '%s'",
-		dbesc($email)
-	);
-	if($r) {
-
-		foreach($r as $record) {
-			if(($record['account_flags'] == ACCOUNT_OK)
-				&& (hash('whirlpool', $record['account_salt'] . $pass) === $record['account_password'])) {
-				logger('password verified for ' . $email);
-				return $record;
-			}
-		}
+	if(($email_verify) && ($register_policy == REGISTER_OPEN) && ($account['account_flags'] & ACCOUNT_UNVERIFIED)) {
+		logger('email verification required for ' . $login);
+		return null;
 	}
 
-	$x = q("select * from atoken where atoken_name = '%s' and atoken_token = '%s' limit 1",
-		dbesc($email),
-		dbesc($pass)
-	);
-	if($x) {
-		atoken_login($x[0]);		
-		return $x[0];
+	if(($account['account_flags'] == ACCOUNT_OK) 
+		&& (hash('whirlpool',$account['account_salt'] . $pass) === $account['account_password'])) {
+		logger('password verified for ' . $login);
+		$ret['account'] = $account;
+		if($channel)
+			$ret['channel'] = $channel;
+		return $ret;
 	}
 
-	$error = 'password failed for ' . $email;
+	$error = 'password failed for ' . $login;
 	logger($error);
 
-	if($record['account_flags'] & ACCOUNT_UNVERIFIED)
-		logger('Account is unverified. account_flags = ' . $record['account_flags']);
-	if($record['account_flags'] & ACCOUNT_BLOCKED)
-		logger('Account is blocked. account_flags = ' . $record['account_flags']);
-	if($record['account_flags'] & ACCOUNT_EXPIRED)
-		logger('Account is expired. account_flags = ' . $record['account_flags']);
-	if($record['account_flags'] & ACCOUNT_REMOVED)
-		logger('Account is removed. account_flags = ' . $record['account_flags']);
-	if($record['account_flags'] & ACCOUNT_PENDING)
-		logger('Account is pending. account_flags = ' . $record['account_flags']);
+	if($account['account_flags'] & ACCOUNT_UNVERIFIED)
+		logger('Account is unverified. account_flags = ' . $account['account_flags']);
+	if($account['account_flags'] & ACCOUNT_BLOCKED)
+		logger('Account is blocked. account_flags = ' . $account['account_flags']);
+	if($account['account_flags'] & ACCOUNT_EXPIRED)
+		logger('Account is expired. account_flags = ' . $account['account_flags']);
+	if($account['account_flags'] & ACCOUNT_REMOVED)
+		logger('Account is removed. account_flags = ' . $account['account_flags']);
+	if($account['account_flags'] & ACCOUNT_PENDING)
+		logger('Account is pending. account_flags = ' . $account['account_flags']);
 
 	log_failed_login($error);
 
@@ -131,7 +154,7 @@ if((isset($_SESSION)) && (x($_SESSION, 'authenticated')) &&
 				App::$session->new_cookie(60 * 60 * 24); // one day
 				$_SESSION['last_login_date'] = datetime_convert();
 				unset($_SESSION['visitor_id']); // no longer a visitor
-				authenticate_success($x[0], true, true);
+				authenticate_success($x[0], null, true, true);
 			}
 		}
 		if(array_key_exists('atoken',$_SESSION)) {
@@ -177,7 +200,8 @@ if((isset($_SESSION)) && (x($_SESSION, 'authenticated')) &&
 				App::$session->extend_cookie();
 				$login_refresh = true;
 			}
-			authenticate_success($r[0], false, false, false, $login_refresh);
+			$ch = (($_SESSION['uid']) ? channelx_by_n($_SESSION['uid']) : null);
+			authenticate_success($r[0], null, $ch, false, false, $login_refresh);
 		}
 		else {
 			$_SESSION['account_id'] = 0;
@@ -218,37 +242,38 @@ else {
 
 		call_hooks('authenticate', $addon_auth);
 
-		$atoken = false;
+		$atoken  = null;
+		$account = null;
 
 		if(($addon_auth['authenticated']) && (count($addon_auth['user_record']))) {
-			$record = $addon_auth['user_record'];
+			$account = $addon_auth['user_record'];
 		}
 		else {
-			$x = account_verify_password($_POST['username'], $_POST['password']);
-			if(array_key_exists('atoken',$x))
-				$atoken = true;
-			if(! $atoken) {
-				$record = App::$account = $x;
-
-				if(App::$account) {
-					$_SESSION['account_id'] = App::$account['account_id'];
-				}
-				else {
-					notice( t('Failed authentication') . EOL);
-				}
-
-				logger('authenticate: ' . print_r(App::$account, true), LOGGER_ALL);
+			$verify = account_verify_password($_POST['username'], $_POST['password']);
+			if($verify) {
+				$atoken  = $verify['xchan'];
+				$channel = $verify['channel'];
+				$account = App::$account = $verify['account'];
+			}
+
+			if(App::$account) {
+				$_SESSION['account_id'] = App::$account['account_id'];
+			}
+			elseif($atoken) {
+				atoken_login($atoken);
+			}
+			else {
+				notice( t('Failed authentication') . EOL);
 			}
 		}
 
-		if((! $record) || (! count($record))) {
+		if(! ($account || $atoken)) {
 			$error = 'authenticate: failed login attempt: ' . notags(trim($_POST['username'])) . ' from IP ' . $_SERVER['REMOTE_ADDR'];
 			logger($error); 
 			// Also log failed logins to a separate auth log to reduce overhead for server side intrusion prevention
 			$authlog = get_config('system', 'authlog');
 			if ($authlog)
 				@file_put_contents($authlog, datetime_convert() . ':' . session_id() . ' ' . $error . "\n", FILE_APPEND);
-
 			notice( t('Login failed.') . EOL );
 			goaway(z_root() . '/login');
 		}
@@ -279,7 +304,7 @@ else {
 
 		$_SESSION['last_login_date'] = datetime_convert();
 		if(! $atoken)
-			authenticate_success($record, true, true);
+			authenticate_success($account,$channel,true, true);
 	}
 }
 
diff --git a/include/oauth.php b/include/oauth.php
index 984e0e6c6..a3c52bf27 100644
--- a/include/oauth.php
+++ b/include/oauth.php
@@ -170,7 +170,7 @@ class ZotOAuth1 extends OAuth1Server {
 		);
 		if($x) {
 			require_once('include/security.php');
-			authenticate_success($x[0],true,false,true,true);
+			authenticate_success($x[0],null,true,false,true,true);
 			$_SESSION['allow_api'] = true;
 		}
 	}
diff --git a/include/security.php b/include/security.php
index e345636e7..2107ed819 100644
--- a/include/security.php
+++ b/include/security.php
@@ -12,7 +12,7 @@
  * @param bool $return
  * @param bool $update_lastlog
  */
-function authenticate_success($user_record, $login_initial = false, $interactive = false, $return = false, $update_lastlog = false) {
+function authenticate_success($user_record, $channel = null, $login_initial = false, $interactive = false, $return = false, $update_lastlog = false) {
 
 	$_SESSION['addr'] = $_SERVER['REMOTE_ADDR'];
 
@@ -23,11 +23,15 @@ function authenticate_success($user_record, $login_initial = false, $interactive
 		$_SESSION['account_id'] = $user_record['account_id'];
 		$_SESSION['authenticated'] = 1;
 
+		if($channel)
+			$uid_to_load = $channel['channel_id'];
 
-		$uid_to_load = (((x($_SESSION,'uid')) && (intval($_SESSION['uid']))) 
-			? intval($_SESSION['uid']) 
-			: intval(App::$account['account_default_channel'])
-		);
+		if(! $uid_to_load) {
+			$uid_to_load = (((x($_SESSION,'uid')) && (intval($_SESSION['uid']))) 
+				? intval($_SESSION['uid']) 
+				: intval(App::$account['account_default_channel'])
+			);
+		}
 
 		if($uid_to_load) {
 			change_channel($uid_to_load);
@@ -85,16 +89,12 @@ function authenticate_success($user_record, $login_initial = false, $interactive
 function atoken_login($atoken) {
 	if(! $atoken)
 		return false;
-
-	$xchan = atoken_xchan($atoken);
-
 	$_SESSION['authenticated'] = 1;
-	$_SESSION['visitor_id'] = $xchan['xchan_hash'];
+	$_SESSION['visitor_id'] = $atoken['xchan_hash'];
 	$_SESSION['atoken'] = $atoken['atoken_id'];
 
-	\App::set_observer($xchan);
-
-	return [ 'atoken' => true ];
+	\App::set_observer($atoken);
+	return true;
 }
 
 
@@ -102,7 +102,8 @@ function atoken_xchan($atoken) {
 
 	$c = channelx_by_n($atoken['atoken_uid']);
 	if($c) {
-		return [ 
+		return [
+			'atoken_id' => $atoken['atoken_id'], 
 			'xchan_hash' =>  substr($c['channel_hash'],0,16) . '.' . $atoken['atoken_name'],
 			'xchan_name' => $atoken['atoken_name'],
 			'xchan_addr' => t('guest:') . $atoken['atoken_name'] . '@' . \App::get_hostname(),
@@ -115,7 +116,7 @@ function atoken_xchan($atoken) {
 	
 		];
 	}
-
+	return null;
 }
 
 
-- 
cgit v1.2.3