// KaiRo.at authentication utilities PHP class
// This class contains helper functions for the authentication system.
//
- // function __construct()
+ // function __construct($settings, $db)
// CONSTRUCTOR
+ // Settings are an associative array with a numeric pwd_cost field and an array pwd_nonces field.
+ // The DB is a PDO object.
+ //
+ // public $db
+ // A PDO database object for interaction.
//
// private $pwd_cost
// The cost parameter for use with PHP password_hash function.
// The array of nonces to use for "peppering" passwords. For new hashes, the last one of those will be used.
// Generate a nonce with this command: |openssl rand -base64 48|
//
+ // function log($code, $additional_info)
+ // Log an entry for admin purposes, with a code and some additional info.
+ //
// function checkPasswordConstraints($new_password, $user_email)
// Check password constraints and return an array of error messages (empty if all constraints are met).
//
// function pwdNeedsRehash($user)
// Return true if the pwdhash field of the user uses an outdated standard and needs to be rehashed.
- function __construct($settings) {
+ function __construct($settings, $db) {
// *** constructor ***
- if (array_key_exists('pwd_nonces', $settings)) {
- $this->pwd_nonces = $settings['pwd_nonces'];
- }
+ $this->db = $db;
if (array_key_exists('pwd_cost', $settings)) {
$this->pwd_cost = $settings['pwd_cost'];
}
+ if (array_key_exists('pwd_nonces', $settings)) {
+ $this->pwd_nonces = $settings['pwd_nonces'];
+ }
}
+ public $db = null;
private $pwd_cost = 10;
private $pwd_nonces = array();
+ function log($code, $info) {
+ $result = $this->db->prepare('INSERT INTO `auth_log` (`code`, `info`, `ip_addr`) VALUES (:code, :info, :ipaddr);');
+ if (!$result->execute(array(':code' => $code, ':info' => $info, ':ipaddr' => $_SERVER['REMOTE_ADDR']))) {
+ // print($result->errorInfo()[2]);
+ }
+ }
+
function checkPasswordConstraints($new_password, $user_email) {
$errors = array();
if ($new_password != trim($new_password)) {
if (array_key_exists('logout', $_GET)) {
$result = $db->prepare('UPDATE `auth_sessions` SET `logged_in` = FALSE WHERE `id` = :sessid;');
if (!$result->execute(array(':sessid' => $session['id']))) {
- // XXXlog: Unexpected logout failure!
+ $utils->log('logout_failure', 'session: '.$session['id']);
$errors[] = _('The email address is invalid.');
}
$session['logged_in'] = 0;
$newHash = $utils->pwdHash($_POST['pwd']);
$result = $db->prepare('UPDATE `auth_users` SET `pwdhash` = :pwdhash WHERE `id` = :userid;');
if (!$result->execute(array(':pwdhash' => $newHash, ':userid' => $user['id']))) {
- // XXXlog: Failed to update user hash!
+ $utils->log('user_hash_save_failure', 'user: '.$user['id']);
+ }
+ else {
+ $utils->log('pwd_rehash_success', 'user: '.$user['id']);
}
}
// Log user in - update session key for that, see https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Login
+ $utils->log('login', 'user: '.$user['id']);
$sesskey = $utils->createSessionKey();
setcookie('sessionkey', $sesskey, 0, "", "", !$running_on_localhost, true); // Last two params are secure and httponly, secure is not set on localhost.
// If the session has a user set, create a new one - otherwise take existing session entry.
$session = $row;
}
else {
- // XXXlog: Unexpected failure to create session!
+ $utils->log('create_session_failure', 'at login, prev session: '.$session['id'].', new user: '.$user['id']);
$errors[] = _('The session system is not working. Please <a href="https://www.kairo.at/contact">contact KaiRo.at</a> and tell the team about this.');
}
}
else {
$result = $db->prepare('UPDATE `auth_sessions` SET `sesskey` = :sesskey, `user` = :userid, `logged_in` = TRUE, `time_expire` = :expire WHERE `id` = :sessid;');
if (!$result->execute(array(':sesskey' => $sesskey, ':userid' => $user['id'], ':expire' => gmdate('Y-m-d H:i:s', strtotime('+1 day')), ':sessid' => $session['id']))) {
- // XXXlog: Unexpected login failure!
+ $utils->log('login_failure', 'session: '.$session['id'].', user: '.$user['id']);
$errors[] = _('Login failed unexpectedly. Please <a href="https://www.kairo.at/contact">contact KaiRo.at</a> and tell the team about this.');
}
}
if (strlen(@$user['verify_hash'])) {
$result = $db->prepare('UPDATE `auth_users` SET `verify_hash` = \'\' WHERE `id` = :userid;');
if (!$result->execute(array(':userid' => $user['id']))) {
- // XXXlog: verify_hash could not be emptied!
+ $utils->log('empty_vhash_failure', 'user: '.$user['id']);
}
else {
$user['verify_hash'] = '';
$vcode = $utils->createVerificationCode();
$result = $db->prepare('INSERT INTO `auth_users` (`email`, `pwdhash`, `status`, `verify_hash`) VALUES (:email, :pwdhash, \'unverified\', :vcode);');
if (!$result->execute(array(':email' => $_POST['email'], ':pwdhash' => $newHash, ':vcode' => $vcode))) {
- // XXXlog: User insertion failure!
+ $utils->log('user_insert_failure', 'email: '.$_POST['email']);
$errors[] = _('Could not add user. Please <a href="https://www.kairo.at/contact">contact KaiRo.at</a> and tell the team about this.');
}
$user = array('id' => $db->lastInsertId(),
'pwdhash' => $newHash,
'status' => 'unverified',
'verify_hash' => $vcode);
+ $utils->log('new_user', 'user: '.$user['id'].', email: '.$user['email']);
}
if ($user['status'] == 'unverified') {
// Send email for verification and show message to point to it.
$pagetype = 'verification_sent';
}
else {
+ $utils->log('verify_mail_failure', 'user: '.$user['id'].', email: '.$user['email']);
$errors[] = _('The confirmation email could not be sent to you. Please <a href="https://www.kairo.at/contact">contact KaiRo.at</a> and tell the team about this.');
}
}
$vcode = $utils->createVerificationCode();
$result = $db->prepare('UPDATE `auth_users` SET `verify_hash` = :vcode WHERE `id` = :userid;');
if (!$result->execute(array(':vcode' => $vcode, ':userid' => $user['id']))) {
- // XXXlog: User insertion failure!
+ $utils->log('vhash_set_failure', 'user: '.$user['id']);
$errors[] = _('Could not initiate reset request. Please <a href="https://www.kairo.at/contact">contact KaiRo.at</a> and tell the team about this.');
}
else {
+ $utils->log('pwd_reset_request', 'user: '.$user['id'].', email: '.$user['email']);
$resetcode = $vcode.dechex($user['id'] + $session['id']).'_'.$utils->createTimeCode($session, null, 60);
// Send email with instructions for resetting the password.
$mail = new email();
$pagetype = 'resetmail_sent';
}
else {
+ $utils->log('pwd_reset_mail_failure', 'user: '.$user['id'].', email: '.$user['email']);
$errors[] = _('The email with password reset instructions could not be sent to you. Please <a href="https://www.kairo.at/contact">contact KaiRo.at</a> and tell the team about this.');
}
}
$result->execute(array(':userid' => $session['user']));
$user = $result->fetch(PDO::FETCH_ASSOC);
if (!$user['id']) {
- // XXXlog: Unexpected failure to fetch user data!
+ $utils->log('reset_user_read_failure', 'user: '.$session['user']);
}
$pagetype = 'resetpwd';
}
if ($user['id']) {
$result = $db->prepare('UPDATE `auth_users` SET `verify_hash` = \'\', `status` = \'ok\' WHERE `id` = :userid;');
if (!$result->execute(array(':userid' => $user['id']))) {
- // XXXlog: Unexpected failure to save verification!
+ $utils->log('verification_save_failure', 'user: '.$user['id']);
$errors[] = _('Could not save confirmation. Please <a href="https://www.kairo.at/contact">contact KaiRo.at</a> and tell the team about this.');
}
$pagetype = 'verification_done';
$user['verify_hash'] = $utils->createVerificationCode();
$result = $db->prepare('UPDATE `auth_users` SET `verify_hash` = :vcode WHERE `id` = :userid;');
if (!$result->execute(array(':vcode' => $user['verify_hash'], ':userid' => $user['id']))) {
- // XXXlog: Unexpected failure to reset verify_hash!
+ $utils->log('vhash_reset_failure', 'user: '.$user['id']);
}
$result = $db->prepare('UPDATE `auth_sessions` SET `user` = :userid WHERE `id` = :sessid;');
if (!$result->execute(array(':userid' => $user['id'], ':sessid' => $session['id']))) {
- // XXXlog: Unexpected failure to update session!
+ $utils->log('reset_session_set_user_failure', 'session: '.$session['id']);
}
$pagetype = 'resetpwd';
$reset_fail = false;
$result->execute(array(':userid' => $session['user']));
$user = $result->fetch(PDO::FETCH_ASSOC);
if (!$user['id']) {
- // XXXlog: Unexpected failure to fetch user data!
+ $utils->log('user_read_failure', 'user: '.$session['user']);
}
// Password reset requested.
if (array_key_exists('pwd', $_POST) && array_key_exists('reset', $_POST) && array_key_exists('tcode', $_POST)) {
$newHash = $utils->pwdHash($_POST['pwd']);
$result = $db->prepare('UPDATE `auth_users` SET `pwdhash` = :pwdhash, `verify_hash` = \'\' WHERE `id` = :userid;');
if (!$result->execute(array(':pwdhash' => $newHash, ':userid' => $session['user']))) {
- // XXXlog: Password reset failure!
+ $utils->log('pwd_reset_failure', 'user: '.$session['user']);
$errors[] = _('Password reset failed. Please <a href="https://www.kairo.at/contact">contact KaiRo.at</a> and tell the team about this.');
}
else {
$session = $row;
}
else {
- // XXXlog: Unexpected failure to create session!
+ $utils->log('session_create_failure', 'key: '.$sesskey);
$errors[] = _('The session system is not working. Please <a href="https://www.kairo.at/contact">contact KaiRo.at</a> and tell the team about this.');
}
}
projects / authserver.git / commitdiff