From: Robert Kaiser Date: Tue, 3 Jan 2023 01:06:27 +0000 (+0100) Subject: add a human check to registrations X-Git-Url: https://git-public.kairo.at/?p=authserver.git;a=commitdiff_plain;h=refs%2Fheads%2Fmaster;hp=8167411ce156c76374f43e771e7f33759e23c8a1;ds=sidebyside add a human check to registrations --- diff --git a/app/api.php b/app/api.php index 0efc179..605a7d7 100644 --- a/app/api.php +++ b/app/api.php @@ -62,7 +62,7 @@ if (!count($errors)) { } elseif (array_key_exists('newclient', $_GET)) { if ($token['scope'] == 'clientreg') { - if (intval(@$token['user_id'])) { + if (intval($token['user_id'] ?? 0)) { $result = $db->prepare('SELECT `id`,`email` FROM `auth_users` WHERE `id` = :userid;'); $result->execute(array(':userid' => $token['user_id'])); $user = $result->fetch(PDO::FETCH_ASSOC); @@ -73,7 +73,7 @@ if (!count($errors)) { } else { if (($utils->client_reg_email_whitelist === false) || (in_array($user['email'], $utils->client_reg_email_whitelist))) { - if (strlen(@$_GET['client_id']) >= 5) { + if (strlen($_GET['client_id'] ?? '') >= 5) { $result = $db->prepare('SELECT `client_id`,`user_id` FROM `oauth_clients` WHERE `client_id` = :clientid;'); $result->execute(array(':clientid' => $_GET['client_id'])); $client = $result->fetch(PDO::FETCH_ASSOC); @@ -104,13 +104,13 @@ if (!count($errors)) { 'error_description' => 'Unexpectedly failed to save new secret.'))); } else { - if (strlen(@$_GET['redirect_uri'])) { + if (strlen($_GET['redirect_uri'] ?? '')) { $result = $db->prepare('UPDATE `oauth_clients` SET `redirect_uri` = :rediruri WHERE `client_id` = :clientid;'); if (!$result->execute(array(':rediruri' => $_GET['redirect_uri'],':clientid' => $client['client_id']))) { $utils->log('client_save_failure', 'client: '.$client['client_id'].', new redirect_uri: '.$_GET['redirect_uri'].' - '.$result->errorInfo()[2]); } } - if (strlen(@$_GET['scope'])) { + if (strlen($_GET['scope'] ?? '')) { $result = $db->prepare('UPDATE `oauth_clients` SET `scope` = :scope WHERE `client_id` = :clientid;'); if (!$result->execute(array(':scope' => $_GET['scope'],':clientid' => $client['client_id']))) { $utils->log('client_save_failure', 'client: '.$client['client_id'].', new scope: '.$_GET['scope'].' - '.$result->errorInfo()[2]); diff --git a/app/authutils.php-class b/app/authutils.php-class index d2737d9..17eb8da 100755 --- a/app/authutils.php-class +++ b/app/authutils.php-class @@ -119,14 +119,14 @@ class AuthUtils { if (!is_array($this->settings)) { throw new ErrorException('Authentication system settings not found', 0); } // Sanitize settings. - $this->settings['piwik_enabled'] = (@$this->settings['piwik_enabled']) ? true : false; - $this->settings['piwik_site_id'] = intval(@$this->settings['piwik_site_id']); - $this->settings['piwik_url'] = strlen(@$this->settings['piwik_url']) ? $this->settings['piwik_url'] : '/matomo/'; - $this->settings['piwik_tracker_path'] = strlen(@$this->settings['piwik_tracker_path']) ? $this->settings['piwik_tracker_path'] : '../vendor/matomo/matomo-php-tracker/'; - $this->settings['skin'] = (@$this->settings['skin'] && is_dir('skin/'.$this->settings['skin'])) ? $this->settings['skin'] : 'default'; - $this->settings['operator_name'] = (@$this->settings['operator_name']) ? $this->settings['operator_name'] : 'Example'; - $this->settings['operator_contact_url'] = (@$this->settings['operator_contact_url']) ? $this->settings['operator_contact_url'] : 'https://github.com/KaiRo_at/authserver/'; - $this->settings['info_from_email'] = (@$this->settings['info_from_email']) ? $this->settings['info_from_email'] : 'noreply@example.com'; + $this->settings['piwik_enabled'] = $this->settings['piwik_enabled'] ?? false; + $this->settings['piwik_site_id'] = intval($this->settings['piwik_site_id'] ?? 0); + $this->settings['piwik_url'] = strlen($this->settings['piwik_url'] ?? '') ? $this->settings['piwik_url'] : '/matomo/'; + $this->settings['piwik_tracker_path'] = strlen($this->settings['piwik_tracker_path'] ?? '') ? $this->settings['piwik_tracker_path'] : '../vendor/matomo/matomo-php-tracker/'; + $this->settings['skin'] = (($this->settings['skin'] ?? false) && is_dir('skin/'.$this->settings['skin'])) ? $this->settings['skin'] : 'default'; + $this->settings['operator_name'] = $this->settings['operator_name'] ?? 'Example'; + $this->settings['operator_contact_url'] = $this->settings['operator_contact_url'] ?? 'https://github.com/KaiRo_at/authserver/'; + $this->settings['info_from_email'] = $this->settings['info_from_email'] ?? 'noreply@example.com'; // Initialize database. $config = new \Doctrine\DBAL\Configuration(); @@ -210,7 +210,7 @@ class AuthUtils { function initSession() { $session = null; - if (strlen(@$_COOKIE['sessionkey'])) { + if (strlen($_COOKIE['sessionkey'] ?? '')) { // Fetch the session - or at least try to. $result = $this->db->prepare('SELECT * FROM `auth_sessions` WHERE `sesskey` = :sesskey AND `time_expire` > :expire;'); $result->execute(array(':sesskey' => $_COOKIE['sessionkey'], ':expire' => gmdate('Y-m-d H:i:s'))); @@ -296,7 +296,7 @@ class AuthUtils { function doRedirectIfSet($session) { $success = false; // If the session has a redirect set, make sure it's performed. - if (strlen(@$session['saved_redirect'])) { + if (strlen($session['saved_redirect'] ?? '')) { // Remove redirect. $result = $this->db->prepare('UPDATE `auth_sessions` SET `saved_redirect` = :redir WHERE `id` = :sessid;'); if (!$result->execute(array(':redir' => '', ':sessid' => $session['id']))) { @@ -313,7 +313,7 @@ class AuthUtils { function resetRedirect($session) { $success = false; // If the session has a redirect set, remove it. - if (strlen(@$session['saved_redirect'])) { + if (strlen($session['saved_redirect'] ?? '')) { $result = $this->db->prepare('UPDATE `auth_sessions` SET `saved_redirect` = :redir WHERE `id` = :sessid;'); if (!$result->execute(array(':redir' => '', ':sessid' => $session['id']))) { $this->log('redir_save_failure', 'session: '.$session['id'].', redirect: (empty)'); @@ -372,9 +372,9 @@ class AuthUtils { $time = time(); $rest = is_null($offset)?($time % $valid_seconds):intval($offset); // T0, will be sent as part of code to make it valid for the full duration. $counter = floor(($time - $rest) / $valid_seconds); - $hmac = mhash(MHASH_SHA1, $counter, $session['id'].$session['sesskey']); - $offset = hexdec(substr(bin2hex(substr($hmac, -1)), -1)); // Get the last 4 bits as a number. - $totp = hexdec(bin2hex(substr($hmac, $offset, 4))) & 0x7FFFFFFF; // Take 4 bytes at the offset, discard highest bit. + $hmac_hex = hash_hmac('sha1', $counter, $session['id'].$session['sesskey']); + $offset = hexdec(substr($hmac_hex, -1)); // Get the last 4 bits as a number. + $totp = hexdec(substr($hmac_hex, $offset, 8)) & 0x7FFFFFFF; // Take 4 bytes (8 hex chars) at the offset, discard highest bit. $totp_value = sprintf('%0'.$code_digits.'d', substr($totp, -$code_digits)); return $rest.'.'.$totp_value; } @@ -444,12 +444,17 @@ class AuthUtils { function negotiateLocale($supportedLanguages) { $nlocale = $supportedLanguages[0]; $headers = getAllHeaders(); - $accLcomp = explode(',', @$headers['Accept-Language']); + $accLcomp = explode(',', ($headers['Accept-Language'] ?? '')); $accLang = array(); foreach ($accLcomp as $lcomp) { if (strlen($lcomp)) { $ldef = explode(';', $lcomp); - $accLang[$ldef[0]] = (float)((strpos(@$ldef[1],'q=')===0)?substr($ldef[1],2):1); + if (count($ldef) > 1 && strpos($ldef[1], 'q=') === 0) { + $accLang[$ldef[0]] = substr($ldef[1], 2); + } + else { + $accLang[$ldef[0]] = 1; + } } } if (count($accLang)) { @@ -569,7 +574,7 @@ class AuthUtils { $ulist = $form->appendElement('ul'); $ulist->setAttribute('class', 'flat login'); $litem = $ulist->appendElement('li'); - $inptxt = $litem->appendInputEmail('email', 30, 20, 'login_email', (intval(@$user['id'])?$user['email']:'')); + $inptxt = $litem->appendInputEmail('email', 30, 20, 'login_email', (intval($user['id'] ?? 0) ? $user['email'] : '')); $inptxt->setAttribute('autocomplete', 'email'); $inptxt->setAttribute('required', ''); $inptxt->setAttribute('placeholder', _('Email')); @@ -628,6 +633,8 @@ class AuthUtils { $table->addColumn('status', 'string', array('length' => 20, 'notnull' => true, 'default' => 'unverified')); $table->addColumn('verify_hash', 'string', array('length' => 150, 'notnull' => false, 'default' => null)); $table->addColumn('group_id', 'integer', array('unsigned' => true, 'notnull' => true, 'default' => 0)); + $table->addColumn('hcheck_question', 'string', array('length' => 100, 'notnull' => false, 'default' => null)); + $table->addColumn('hcheck_solution', 'string', array('length' => 20, 'notnull' => false, 'default' => null)); $table->setPrimaryKey(array('id'), 'id'); $table->addUniqueIndex(array('email'), 'email'); diff --git a/app/index.php b/app/index.php index e1be02d..5ca4196 100644 --- a/app/index.php +++ b/app/index.php @@ -32,13 +32,16 @@ if (!count($errors)) { if (!preg_match('/^[^@]+@([^@]+\.[^@]+|localhost)$/', $_POST['email'])) { $errors[] = _('The email address is invalid.'); } - elseif ($utils->verifyTimeCode(@$_POST['tcode'], $session)) { - $result = $db->prepare('SELECT `id`, `pwdhash`, `email`, `status`, `verify_hash`,`group_id` FROM `auth_users` WHERE `email` = :email;'); + elseif ($utils->verifyTimeCode($_POST['tcode'] ?? '', $session)) { + $result = $db->prepare('SELECT `id`, `pwdhash`, `email`, `status`, `verify_hash`, `group_id`, `hcheck_question`, `hcheck_solution` FROM `auth_users` WHERE `email` = :email;'); $result->execute(array(':email' => $_POST['email'])); - $user = $result->fetch(PDO::FETCH_ASSOC); + $user_data = $result->fetch(PDO::FETCH_ASSOC); + if ($user_data) { + $user = $user_data; + } // If we need to add the email to a group, note here which user's group we should be added to - otherwise, set to 0. $addgroup = (array_key_exists('grouptoexisting', $_POST) && intval($session['user']) && ($session['user'] != @$user['id'])) ? $session['user'] : 0; - if ($user['id'] && array_key_exists('pwd', $_POST)) { + if ($user['id'] && $user['status'] != 'unchecked' && array_key_exists('pwd', $_POST)) { // existing user, check password if (($user['status'] == 'ok') && $utils->pwdVerify(@$_POST['pwd'], $user)) { // Check if a newer hashing algorithm is available @@ -85,20 +88,61 @@ if (!count($errors)) { if (!$user['id']) { $newHash = $utils->pwdHash($_POST['pwd']); $vcode = $utils->createVerificationCode(); - $result = $db->prepare('INSERT INTO `auth_users` (`email`, `pwdhash`, `status`, `verify_hash`) VALUES (:email, :pwdhash, \'unverified\', :vcode);'); - if (!$result->execute(array(':email' => $_POST['email'], ':pwdhash' => $newHash, ':vcode' => $vcode))) { + $result = $db->prepare('INSERT INTO `auth_users` (`email`, `pwdhash`, `status`, `verify_hash`) VALUES (:email, :pwdhash, :status, :vcode);'); + if (!$result->execute(array(':email' => $_POST['email'], ':pwdhash' => $newHash, ':status' => 'unchecked', ':vcode' => $vcode))) { $utils->log('user_insert_failure', 'email: '.$_POST['email'].' - '.$result->errorInfo()[2]); $errors[] = _('Could not add user.').' ' .sprintf(_('Please contact %s and tell the team about this.'), $utils->settings['operator_contact_url'], $utils->settings['operator_name']); } - $user = array('id' => $db->lastInsertId(), - 'email' => $_POST['email'], - 'pwdhash' => $newHash, - 'status' => 'unverified', - 'verify_hash' => $vcode); + $user = [ + 'id' => $db->lastInsertId(), + 'email' => $_POST['email'], + 'pwdhash' => $newHash, + 'status' => 'unchecked', + 'verify_hash' => $vcode, + 'hcheck_question' => null, + 'hcheck_solution' => null, + ]; $utils->log('new_user', 'user: '.$user['id'].', email: '.$user['email']); } - if ($user['status'] == 'unverified') { + $utils->log('user_log_check', 'user: '.$user['id'].', email: '.$user['email'].', status: '.$user['status']); + if ($user['status'] == 'unchecked' && !is_null($user['hcheck_question']) && array_key_exists('hcheck_solution', $_POST)) { + if ($_POST['hcheck_solution'] == $user['hcheck_solution']) { + $result = $db->prepare('UPDATE `auth_users` SET `status` = :status, `hcheck_question` = :hcquestion, `hcheck_solution` = :hcsolution WHERE `id` = :userid;'); + if (!$result->execute(array(':status' => 'unverified', ':hcquestion' => null, ':hcsolution' => null, ':userid' => $user['id']))) { + $errors[] = _('Could not update user status.').' ' + .sprintf(_('Please contact %s and tell the team about this.'), $utils->settings['operator_contact_url'], $utils->settings['operator_name']); + } + $user['status'] = 'unverified'; + $utils->log('user_checked', 'user: '.$user['id'].', email: '.$user['email']); + } + else { + $errors[] = _('Solution was not correct. Please start over.'); + $utils->log('user_check_failed', 'user: '.$user['id'].', email: '.$user['email']); + } + } + if ($user['status'] == 'unchecked') { + // Display a humanity check. + $pagetype = 'human_check'; + // simple numbers, we stay within the 0 to 100 range + $num1 = mt_rand(0, 10); + $num2 = mt_rand($num1, 100); + $operation = mt_rand(0, 1); // 0 is addition, 1 is subtraction + if ($operation == 0) { + $user['hcheck_question'] = sprintf(_('%s plus %s equals'), ($num2 - $num1), $num1); + $user['hcheck_solution'] = $num2; + } + else { + $user['hcheck_question'] = sprintf(_('%s minus %s equals'), $num2, $num1); + $user['hcheck_solution'] = $num2 - $num1; + } + $result = $db->prepare('UPDATE `auth_users` SET `hcheck_question` = :hcquestion, `hcheck_solution` = :hcsolution WHERE `id` = :userid;'); + if (!$result->execute(array(':hcquestion' => $user['hcheck_question'], ':hcsolution' => $user['hcheck_solution'], ':userid' => $user['id']))) { + $errors[] = _('Could not generate check for being a human.').' ' + .sprintf(_('Please contact %s and tell the team about this.'), $utils->settings['operator_contact_url'], $utils->settings['operator_name']); + } + } + elseif ($user['status'] == 'unverified') { // Send email for verification and show message to point to it. $mail = new email(); $mail->setCharset('utf-8'); @@ -342,7 +386,29 @@ if (!count($errors)) { } if (!count($errors)) { - if ($pagetype == 'verification_sent') { + if ($pagetype == 'human_check') { + $para = $body->appendElement('p', _('This is a new registration, please verify that you are a human by solving the calculation below.')); + $para->setAttribute('class', 'humancheckinfo'); + $form = $body->appendForm('./', 'POST', 'humancheckform'); + $form->setAttribute('id', 'humancheckform'); + $ulist = $form->appendElement('ul'); + $ulist->setAttribute('class', 'flat humancheck'); + $litem = $ulist->appendElement('li'); + $litem->setAttribute('class', 'donotshow'); + $inptxt = $litem->appendInputEmail('email', 30, 20, 'login_email', $user['email']); + $inptxt->setAttribute('autocomplete', 'email'); + $inptxt->setAttribute('placeholder', _('Email')); + $litem = $ulist->appendElement('li'); + $litem->appendText($user['hcheck_question'].' '); + $inptxt = $litem->appendInputText('hcheck_solution', 20, 10, 'hcheck_solution'); + $litem = $ulist->appendElement('li'); + $litem->appendInputHidden('tcode', $utils->createTimeCode($session)); + $submit = $litem->appendInputSubmit(_('Continue Registration')); + $para = $form->appendElement('p'); + $para->setAttribute('class', 'toplink small'); + $link = $para->appendLink('./', _('Cancel')); + } + elseif ($pagetype == 'verification_sent') { $para = $body->appendElement('p', sprintf(_('An email for confirmation has been sent to %s. Please follow the link provided there to complete the process.'), $user['email'])); $para->setAttribute('class', 'verifyinfo pending'); $para = $body->appendElement('p', _('Reload this page after you confirm to continue.')); diff --git a/composer.json b/composer.json index a448d97..9a4a94f 100644 --- a/composer.json +++ b/composer.json @@ -1,6 +1,6 @@ { -"require": { - "doctrine/dbal": "v2.5.5", - "bshaffer/oauth2-server-php": "~1.8" -} + "require": { + "doctrine/dbal": "^v2.12.1", + "bshaffer/oauth2-server-php": "~1.11.1" + } } \ No newline at end of file