X-Git-Url: https://git-public.kairo.at/?p=authserver.git;a=blobdiff_plain;f=index.php;h=94812dc4a7d8dea4e0afe2f2c34a36923e0d8776;hp=2a560e8928dd54abb9096aa223d12112e690e97e;hb=558e9862bdf09a65cb41c76569cdb3f4021fa356;hpb=d46a42f1c9fcf2191b42f9df10ae6dd876e6f10b
diff --git a/index.php b/index.php
index 2a560e8..94812dc 100644
--- a/index.php
+++ b/index.php
@@ -44,7 +44,7 @@ if (!count($errors)) {
if (array_key_exists('logout', $_GET)) {
$result = $db->prepare('UPDATE `auth_sessions` SET `logged_in` = FALSE WHERE `id` = :sessid;');
if (!$result->execute(array(':sessid' => $session['id']))) {
- // XXXlog: Unexpected logout failure!
+ $utils->log('logout_failure', 'session: '.$session['id']);
$errors[] = _('The email address is invalid.');
}
$session['logged_in'] = 0;
@@ -53,26 +53,30 @@ if (!count($errors)) {
if (!preg_match('/^[^@]+@[^@]+\.[^@]+$/', $_POST['email'])) {
$errors[] = _('The email address is invalid.');
}
- elseif (AuthUtils::verifyTimeCode(@$_POST['tcode'], $session)) {
+ elseif ($utils->verifyTimeCode(@$_POST['tcode'], $session)) {
$result = $db->prepare('SELECT `id`, `pwdhash`, `email`, `status`, `verify_hash` FROM `auth_users` WHERE `email` = :email;');
$result->execute(array(':email' => $_POST['email']));
$user = $result->fetch(PDO::FETCH_ASSOC);
if ($user['id'] && array_key_exists('pwd', $_POST)) {
// existing user, check password
- if (($user['status'] == 'ok') && password_verify(@$_POST['pwd'], $user['pwdhash'])) {
+ if (($user['status'] == 'ok') && $utils->pwdVerify(@$_POST['pwd'], $user)) {
// Check if a newer hashing algorithm is available
// or the cost has changed
- if (password_needs_rehash($user['pwdhash'], PASSWORD_DEFAULT, $pwd_options)) {
+ if ($utils->pwdNeedsRehash($user)) {
// If so, create a new hash, and replace the old one
- $newHash = password_hash($_POST['pwd'], PASSWORD_DEFAULT, $pwd_options);
+ $newHash = $utils->pwdHash($_POST['pwd']);
$result = $db->prepare('UPDATE `auth_users` SET `pwdhash` = :pwdhash WHERE `id` = :userid;');
if (!$result->execute(array(':pwdhash' => $newHash, ':userid' => $user['id']))) {
- // XXXlog: Failed to update user hash!
+ $utils->log('user_hash_save_failure', 'user: '.$user['id']);
+ }
+ else {
+ $utils->log('pwd_rehash_success', 'user: '.$user['id']);
}
}
// Log user in - update session key for that, see https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Login
- $sesskey = AuthUtils::createSessionKey();
+ $utils->log('login', 'user: '.$user['id']);
+ $sesskey = $utils->createSessionKey();
setcookie('sessionkey', $sesskey, 0, "", "", !$running_on_localhost, true); // Last two params are secure and httponly, secure is not set on localhost.
// If the session has a user set, create a new one - otherwise take existing session entry.
if (intval($session['user'])) {
@@ -86,14 +90,14 @@ if (!count($errors)) {
$session = $row;
}
else {
- // XXXlog: Unexpected failure to create session!
+ $utils->log('create_session_failure', 'at login, prev session: '.$session['id'].', new user: '.$user['id']);
$errors[] = _('The session system is not working. Please contact KaiRo.at and tell the team about this.');
}
}
else {
$result = $db->prepare('UPDATE `auth_sessions` SET `sesskey` = :sesskey, `user` = :userid, `logged_in` = TRUE, `time_expire` = :expire WHERE `id` = :sessid;');
if (!$result->execute(array(':sesskey' => $sesskey, ':userid' => $user['id'], ':expire' => gmdate('Y-m-d H:i:s', strtotime('+1 day')), ':sessid' => $session['id']))) {
- // XXXlog: Unexpected login failure!
+ $utils->log('login_failure', 'session: '.$session['id'].', user: '.$user['id']);
$errors[] = _('Login failed unexpectedly. Please contact KaiRo.at and tell the team about this.');
}
}
@@ -101,7 +105,7 @@ if (!count($errors)) {
if (strlen(@$user['verify_hash'])) {
$result = $db->prepare('UPDATE `auth_users` SET `verify_hash` = \'\' WHERE `id` = :userid;');
if (!$result->execute(array(':userid' => $user['id']))) {
- // XXXlog: verify_hash could not be emptied!
+ $utils->log('empty_vhash_failure', 'user: '.$user['id']);
}
else {
$user['verify_hash'] = '';
@@ -115,16 +119,16 @@ if (!count($errors)) {
else {
// new user: check password, create user and send verification; existing users: re-send verification or send password change instructions
if (array_key_exists('pwd', $_POST)) {
- $errors += AuthUtils::checkPasswordConstraints(strval($_POST['pwd']), $_POST['email']);
+ $errors += $utils->checkPasswordConstraints(strval($_POST['pwd']), $_POST['email']);
}
if (!count($errors)) {
// Put user into the DB
if (!$user['id']) {
- $newHash = password_hash($_POST['pwd'], PASSWORD_DEFAULT, $pwd_options);
- $vcode = AuthUtils::createVerificationCode();
+ $newHash = $utils->pwdHash($_POST['pwd']);
+ $vcode = $utils->createVerificationCode();
$result = $db->prepare('INSERT INTO `auth_users` (`email`, `pwdhash`, `status`, `verify_hash`) VALUES (:email, :pwdhash, \'unverified\', :vcode);');
if (!$result->execute(array(':email' => $_POST['email'], ':pwdhash' => $newHash, ':vcode' => $vcode))) {
- // XXXlog: User insertion failure!
+ $utils->log('user_insert_failure', 'email: '.$_POST['email']);
$errors[] = _('Could not add user. Please contact KaiRo.at and tell the team about this.');
}
$user = array('id' => $db->lastInsertId(),
@@ -132,6 +136,7 @@ if (!count($errors)) {
'pwdhash' => $newHash,
'status' => 'unverified',
'verify_hash' => $vcode);
+ $utils->log('new_user', 'user: '.$user['id'].', email: '.$user['email']);
}
if ($user['status'] == 'unverified') {
// Send email for verification and show message to point to it.
@@ -157,19 +162,21 @@ if (!count($errors)) {
$pagetype = 'verification_sent';
}
else {
+ $utils->log('verify_mail_failure', 'user: '.$user['id'].', email: '.$user['email']);
$errors[] = _('The confirmation email could not be sent to you. Please contact KaiRo.at and tell the team about this.');
}
}
else {
// Password reset requested with "Password forgotten?" function.
- $vcode = AuthUtils::createVerificationCode();
+ $vcode = $utils->createVerificationCode();
$result = $db->prepare('UPDATE `auth_users` SET `verify_hash` = :vcode WHERE `id` = :userid;');
if (!$result->execute(array(':vcode' => $vcode, ':userid' => $user['id']))) {
- // XXXlog: User insertion failure!
+ $utils->log('vhash_set_failure', 'user: '.$user['id']);
$errors[] = _('Could not initiate reset request. Please contact KaiRo.at and tell the team about this.');
}
else {
- $resetcode = $vcode.dechex($user['id'] + $session['id']).'_'.AuthUtils::createTimeCode($session, null, 60);
+ $utils->log('pwd_reset_request', 'user: '.$user['id'].', email: '.$user['email']);
+ $resetcode = $vcode.dechex($user['id'] + $session['id']).'_'.$utils->createTimeCode($session, null, 60);
// Send email with instructions for resetting the password.
$mail = new email();
$mail->setCharset('utf-8');
@@ -191,6 +198,7 @@ if (!count($errors)) {
$pagetype = 'resetmail_sent';
}
else {
+ $utils->log('pwd_reset_mail_failure', 'user: '.$user['id'].', email: '.$user['email']);
$errors[] = _('The email with password reset instructions could not be sent to you. Please contact KaiRo.at and tell the team about this.');
}
}
@@ -208,7 +216,7 @@ if (!count($errors)) {
$result->execute(array(':userid' => $session['user']));
$user = $result->fetch(PDO::FETCH_ASSOC);
if (!$user['id']) {
- // XXXlog: Unexpected failure to fetch user data!
+ $utils->log('reset_user_read_failure', 'user: '.$session['user']);
}
$pagetype = 'resetpwd';
}
@@ -224,7 +232,7 @@ if (!count($errors)) {
if ($user['id']) {
$result = $db->prepare('UPDATE `auth_users` SET `verify_hash` = \'\', `status` = \'ok\' WHERE `id` = :userid;');
if (!$result->execute(array(':userid' => $user['id']))) {
- // XXXlog: Unexpected failure to save verification!
+ $utils->log('verification_save_failure', 'user: '.$user['id']);
$errors[] = _('Could not save confirmation. Please contact KaiRo.at and tell the team about this.');
}
$pagetype = 'verification_done';
@@ -248,16 +256,16 @@ if (!count($errors)) {
if ($row) {
$tcode_session = $row;
if (($regs[1] == $user['verify_hash']) &&
- AuthUtils::verifyTimeCode($regs[3], $session, 60)) {
+ $utils->verifyTimeCode($regs[3], $session, 60)) {
// Set a new verify_hash for the actual password reset.
- $user['verify_hash'] = AuthUtils::createVerificationCode();
+ $user['verify_hash'] = $utils->createVerificationCode();
$result = $db->prepare('UPDATE `auth_users` SET `verify_hash` = :vcode WHERE `id` = :userid;');
if (!$result->execute(array(':vcode' => $user['verify_hash'], ':userid' => $user['id']))) {
- // XXXlog: Unexpected failure to reset verify_hash!
+ $utils->log('vhash_reset_failure', 'user: '.$user['id']);
}
$result = $db->prepare('UPDATE `auth_sessions` SET `user` = :userid WHERE `id` = :sessid;');
if (!$result->execute(array(':userid' => $user['id'], ':sessid' => $session['id']))) {
- // XXXlog: Unexpected failure to update session!
+ $utils->log('reset_session_set_user_failure', 'session: '.$session['id']);
}
$pagetype = 'resetpwd';
$reset_fail = false;
@@ -274,7 +282,7 @@ if (!count($errors)) {
$result->execute(array(':userid' => $session['user']));
$user = $result->fetch(PDO::FETCH_ASSOC);
if (!$user['id']) {
- // XXXlog: Unexpected failure to fetch user data!
+ $utils->log('user_read_failure', 'user: '.$session['user']);
}
// Password reset requested.
if (array_key_exists('pwd', $_POST) && array_key_exists('reset', $_POST) && array_key_exists('tcode', $_POST)) {
@@ -287,15 +295,15 @@ if (!count($errors)) {
$errors[] = _('Password reset failed. The reset form you used was not valid. Possibly it has expired and you need to initiate the password reset again.');
}
// Check validity of time code.
- if (!count($errors) && !AuthUtils::verifyTimeCode($_POST['tcode'], $session)) {
+ if (!count($errors) && !$utils->verifyTimeCode($_POST['tcode'], $session)) {
$errors[] = _('Password reset failed. The reset form you used was not valid. Possibly it has expired and you need to initiate the password reset again.');
}
- $errors += AuthUtils::checkPasswordConstraints(strval($_POST['pwd']), $user['email']);
+ $errors += $utils->checkPasswordConstraints(strval($_POST['pwd']), $user['email']);
if (!count($errors)) {
- $newHash = password_hash($_POST['pwd'], PASSWORD_DEFAULT, $pwd_options);
+ $newHash = $utils->pwdHash($_POST['pwd']);
$result = $db->prepare('UPDATE `auth_users` SET `pwdhash` = :pwdhash, `verify_hash` = \'\' WHERE `id` = :userid;');
if (!$result->execute(array(':pwdhash' => $newHash, ':userid' => $session['user']))) {
- // XXXlog: Password reset failure!
+ $utils->log('pwd_reset_failure', 'user: '.$session['user']);
$errors[] = _('Password reset failed. Please contact KaiRo.at and tell the team about this.');
}
else {
@@ -308,7 +316,7 @@ if (!count($errors)) {
}
if (is_null($session)) {
// Create new session and set cookie.
- $sesskey = AuthUtils::createSessionKey();
+ $sesskey = $utils->createSessionKey();
setcookie('sessionkey', $sesskey, 0, "", "", !$running_on_localhost, true); // Last two params are secure and httponly, secure is not set on localhost.
$result = $db->prepare('INSERT INTO `auth_sessions` (`sesskey`, `time_expire`) VALUES (:sesskey, :expire);');
$result->execute(array(':sesskey' => $sesskey, ':expire' => gmdate('Y-m-d H:i:s', strtotime('+5 minutes'))));
@@ -320,7 +328,7 @@ if (!count($errors)) {
$session = $row;
}
else {
- // XXXlog: Unexpected failure to create session!
+ $utils->log('session_create_failure', 'key: '.$sesskey);
$errors[] = _('The session system is not working. Please contact KaiRo.at and tell the team about this.');
}
}
@@ -350,7 +358,7 @@ if (!count($errors)) {
$inptxt->setAttribute('required', '');
$inptxt->setAttribute('placeholder', _('Email'));
$litem = $ulist->appendElement('li');
- $litem->appendInputHidden('tcode', AuthUtils::createTimeCode($session));
+ $litem->appendInputHidden('tcode', $utils->createTimeCode($session));
$submit = $litem->appendInputSubmit(_('Send instructions to email'));
}
elseif ($pagetype == 'resetpwd') {
@@ -373,7 +381,7 @@ if (!count($errors)) {
$inptxt->setAttribute('class', 'login');
$litem = $ulist->appendElement('li');
$litem->appendInputHidden('reset', '');
- $litem->appendInputHidden('tcode', AuthUtils::createTimeCode($session));
+ $litem->appendInputHidden('tcode', $utils->createTimeCode($session));
if (!$session['logged_in'] && strlen(@$user['verify_hash'])) {
$litem->appendInputHidden('vcode', $user['verify_hash']);
}
@@ -429,7 +437,7 @@ if (!count($errors)) {
$label->setAttribute('id', 'rememprompt');
$label->setAttribute('class', 'loginprompt');
$litem = $ulist->appendElement('li');
- $litem->appendInputHidden('tcode', AuthUtils::createTimeCode($session));
+ $litem->appendInputHidden('tcode', $utils->createTimeCode($session));
$submit = $litem->appendInputSubmit(_('Log in / Register'));
$submit->setAttribute('class', 'loginbutton');
}