aboutsummaryrefslogtreecommitdiff
blob: 68bf91a1da6d5150ccc99c1f21f8b1fe35c199e3 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
<?php

class Auth {
/**
 *  Home-cooked auth libraries - because PEAR is fat.
 *  @package mirror
 *  @subpackage lib
 *  @todo re-enforce one-per-user session limit
 */

/**
 *  Check admin session against sessions table in database.
 *  @return bool
 */
public static function is_valid_session()
{
    $cookieAdmin = filter_input(INPUT_COOKIE, 'mozilla-mirror-admin');
    if (!empty($cookieAdmin)) {  // check cookie
        $res = DB::query("SELECT * FROM mirror_sessions WHERE session_id = ?", [$cookieAdmin]);  // check db for id
        if ($res && DB::numrows($res)>0) {
            $buf = DB::fetch($res,PDO::FETCH_ASSOC);
            // comment line below to disable gc and allow multiple sessions per username
            DB::query("DELETE FROM mirror_sessions WHERE username=? AND session_id != ?", [$buf['username'], $cookieAdmin]);  // garbage collection
            $user = DB::fetch(DB::query("SELECT * FROM mirror_users WHERE username=?", [$buf['username']]),PDO::FETCH_ASSOC);
            if (empty($_SESSION)) {
                static::create_session($user);  // if session isn't started, create it and push user data
            }
            return true;
        }
    }
    return false;
}

/**
 *  Authentication a user.
 *  @param string $username
 *  @param string $password
 *  @return array|bool array containing user data or false on failure
 */
public static function query($username,$password)
{
    if (empty($username)||empty($password)) {
        return false;
    }
    $username = trim(strip_tags($username));
    $password = trim(strip_tags($password));
    $res = DB::query("SELECT * FROM mirror_users WHERE username=?", [$username]);
    if ($res && DB::numrows($res)>0) {
        $userrow = DB::fetch($res,PDO::FETCH_ASSOC);
	if (!password_verify($password, $userrow['password'])) {
		if ($userrow['password'] !== md5($password))
			return false;
		static::password_upgrade($userrow, $username, $password);
	}
	if (password_needs_rehash($userrow['password'], PASSWORD_DEFAULT))
		static::password_upgrade($userrow, $username, $password);
	return $userrow;
    } else {
        return false;
    }
}

private static function password_upgrade($userrow, $username, $password) {
	require_once(LIB.'/mirror.php'); //Upgrade password security
	Mirror::update_user($userrow['user_id'],$username,$password,$password,$userrow['user_firstname'],$userrow['user_lastname'],$userrow['user_email']);
}

/**
 *  Start a valid session.
 *  @param array $user array containing user information.
 */
public static function create_session($user,$secure=0)
{
    session_name('mozilla-mirror-admin');
    session_set_cookie_params(0,'/',$_SERVER['HTTP_HOST'],$secure);
    session_start();
    DB::query("INSERT INTO mirror_sessions(session_id,username) VALUES(?,?)", [session_id(), $user['username']]);
    $_SESSION['user']=$user;
}

/**
 *  Logout.
 */
public static function logout()
{
    // comment line below to keep gc from deleting other sessions for this user
    $cookieAdmin = filter_input(INPUT_COOKIE, 'mozilla-mirror-admin');
    DB::query("DELETE FROM mirror_sessions WHERE session_id=? OR username=?", [$cookieAdmin, $_SESSION['user']['username']]);
    $_COOKIE = array();
    $_SESSION = array();
}

}