move session init into utils, re-fetch session after login

[authserver.git] / authutils.php-class

diff --git a/authutils.php-class b/authutils.php-class
index 0b7d4b1e2acd4328e7ec0b25cc8160d119dae91e..bcf1b38dbb0a4e92929b6d7d5935977c0a6e06a2 100755 (executable)
--- a/authutils.php-class
+++ b/authutils.php-class
@@ -7,8 +7,16 @@ class AuthUtils {
   // KaiRo.at authentication utilities PHP class
   // This class contains helper functions for the authentication system.
   //
   // KaiRo.at authentication utilities PHP class
   // This class contains helper functions for the authentication system.
   //

-  // function __construct()
+  // function __construct($settings, $db)

   //   CONSTRUCTOR
   //   CONSTRUCTOR

+  //   Settings are an associative array with a numeric pwd_cost field and an array pwd_nonces field.
+  //   The DB is a PDO object.
+  //
+  // public $db
+  //   A PDO database object for interaction.
+  //
+  // public $running_on_localhost
+  //   A boolean telling if the system is running on localhost (where https is not required).

   //
   // private $pwd_cost
   //   The cost parameter for use with PHP password_hash function.
   //
   // private $pwd_cost
   //   The cost parameter for use with PHP password_hash function.


@@ -17,6 +25,15 @@ class AuthUtils {
   //   The array of nonces to use for "peppering" passwords. For new hashes, the last one of those will be used.
   //     Generate a nonce with this command: |openssl rand -base64 48|
   //
   //   The array of nonces to use for "peppering" passwords. For new hashes, the last one of those will be used.
   //     Generate a nonce with this command: |openssl rand -base64 48|
   //

+  // function log($code, $additional_info)
+  //   Log an entry for admin purposes, with a code and some additional info.
+  //
+  // function checkForSecureConnection()
+  //   Check is the connection is secure and return an array of error messages (empty if it's secure).
+  //
+  // function initSession()
+  //   Initialize a session. Returns an associative array of all the DB fields of the session.
+  //

   // function checkPasswordConstraints($new_password, $user_email)
   //   Check password constraints and return an array of error messages (empty if all constraints are met).
   //
   // function checkPasswordConstraints($new_password, $user_email)
   //   Check password constraints and return an array of error messages (empty if all constraints are met).
   //


@@ -44,19 +61,70 @@ class AuthUtils {
   // function pwdNeedsRehash($user)
   //   Return true if the pwdhash field of the user uses an outdated standard and needs to be rehashed.
 
   // function pwdNeedsRehash($user)
   //   Return true if the pwdhash field of the user uses an outdated standard and needs to be rehashed.
 

-  function __construct($settings) {
+  function __construct($settings, $db) {

     // *** constructor ***
     // *** constructor ***

-    if (array_key_exists('pwd_nonces', $settings)) {
-      $this->pwd_nonces = $settings['pwd_nonces'];
-    }
+    $this->db = $db;
+    $this->db->exec("SET time_zone='+00:00';"); // Execute directly on PDO object, set session to UTC to make our gmdate() values match correctly.
+    $this->running_on_localhost = preg_match('/^((.+\.)?localhost|127\.0\.0\.\d+)$/', $_SERVER['SERVER_NAME']);

     if (array_key_exists('pwd_cost', $settings)) {
       $this->pwd_cost = $settings['pwd_cost'];
     }
     if (array_key_exists('pwd_cost', $settings)) {
       $this->pwd_cost = $settings['pwd_cost'];
     }

+    if (array_key_exists('pwd_nonces', $settings)) {
+      $this->pwd_nonces = $settings['pwd_nonces'];
+    }

   }
 
   }
 

+  public $db = null;
+  public $running_on_localhost = false;

   private $pwd_cost = 10;
   private $pwd_nonces = array();
 
   private $pwd_cost = 10;
   private $pwd_nonces = array();
 

+  function log($code, $info) {
+    $result = $this->db->prepare('INSERT INTO `auth_log` (`code`, `info`, `ip_addr`) VALUES (:code, :info, :ipaddr);');
+    if (!$result->execute(array(':code' => $code, ':info' => $info, ':ipaddr' => $_SERVER['REMOTE_ADDR']))) {
+      // print($result->errorInfo()[2]);
+    }
+  }
+
+  function checkForSecureConnection() {
+    $errors = array();
+    if (($_SERVER['SERVER_PORT'] != 443) && !$this->running_on_localhost) {
+      $errors[] = _('You are not accessing this site on a secure connection, so authentication doesn\'t work.');
+    }
+    return $errors;
+  }
+
+  function initSession() {
+    $session = null;
+    if (strlen(@$_COOKIE['sessionkey'])) {
+      // Fetch the session - or at least try to.
+      $result = $this->db->prepare('SELECT * FROM `auth_sessions` WHERE `sesskey` = :sesskey AND `time_expire` > :expire;');
+      $result->execute(array(':sesskey' => $_COOKIE['sessionkey'], ':expire' => gmdate('Y-m-d H:i:s')));
+      $row = $result->fetch(PDO::FETCH_ASSOC);
+      if ($row) {
+        $session = $row;
+      }
+    }
+    if (is_null($session)) {
+      // Create new session and set cookie.
+      $sesskey = $this->createSessionKey();
+      setcookie('sessionkey', $sesskey, 0, "", "", !$this->running_on_localhost, true); // Last two params are secure and httponly, secure is not set on localhost.
+      $result = $this->db->prepare('INSERT INTO `auth_sessions` (`sesskey`, `time_expire`) VALUES (:sesskey, :expire);');
+      $result->execute(array(':sesskey' => $sesskey, ':expire' => gmdate('Y-m-d H:i:s', strtotime('+5 minutes'))));
+      // After insert, actually fetch the session row from the DB so we have all values.
+      $result = $this->db->prepare('SELECT * FROM auth_sessions WHERE `sesskey` = :sesskey AND `time_expire` > :expire;');
+      $result->execute(array(':sesskey' => $sesskey, ':expire' => gmdate('Y-m-d H:i:s')));
+      $row = $result->fetch(PDO::FETCH_ASSOC);
+      if ($row) {
+        $session = $row;
+      }
+      else {
+        $this->log('session_create_failure', 'key: '.$sesskey);
+      }
+    }
+    return $session;
+  }
+

   function checkPasswordConstraints($new_password, $user_email) {
     $errors = array();
     if ($new_password != trim($new_password)) {
   function checkPasswordConstraints($new_password, $user_email) {
     $errors = array();
     if ($new_password != trim($new_password)) {