Diffstat (limited to 'php/lib/auth.php')
-rw-r--r-- | php/lib/auth.php | 60 |
1 files changed, 39 insertions, 21 deletions
diff --git a/php/lib/auth.php b/php/lib/auth.php
index f03db32..eb6319c 100644
--- a/php/lib/auth.php
+++ b/php/lib/auth.php
@@ -1,4 +1,6 @@
 <?php
+
+class Auth {
 /**
  * Home-cooked auth libraries - because PEAR is fat.
  * @package mirror
@@ -10,17 +12,18 @@
  * Check admin session against sessions table in database.
  * @return bool
  */
-function auth_is_valid_session()
+public static function is_valid_session()
 {
-    if (!empty($_COOKIE['mozilla-mirror-admin'])) { // check cookie
-        $res = db_query("SELECT * FROM mirror_sessions WHERE session_id = '{$_COOKIE['mozilla-mirror-admin']}'"); // check db for id
-        if ($res && db_numrows($res)>0) {
-            $buf = db_fetch($res,MYSQL_ASSOC);
+    $cookieAdmin = filter_input(INPUT_COOKIE, 'mozilla-mirror-admin');
+    if (!empty($cookieAdmin)) { // check cookie
+        $res = DB::query("SELECT * FROM mirror_sessions WHERE session_id = ?", [$cookieAdmin]); // check db for id
+        if ($res && DB::numrows($res)>0) {
+            $buf = DB::fetch($res,PDO::FETCH_ASSOC);
             // comment line below to disable gc and allow multiple sessions per username
-            db_query("DELETE FROM mirror_sessions WHERE username='{$buf['username']}' AND session_id != '{$_COOKIE['mozilla-mirror-admin']}'"); // garbage collection
-            $user = db_fetch(db_query("SELECT * FROM mirror_users WHERE username='{$buf['username']}'"),MYSQL_ASSOC);
+            DB::query("DELETE FROM mirror_sessions WHERE username=? AND session_id != ?", [$buf['username'], $cookieAdmin]); // garbage collection
+            $user = DB::fetch(DB::query("SELECT * FROM mirror_users WHERE username=?", [$buf['username']]),PDO::FETCH_ASSOC);
             if (empty($_SESSION)) {
-                auth_create_session($user); // if session isn't started, create it and push user data
+                static::create_session($user); // if session isn't started, create it and push user data
             }
             return true;
         }
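Review bot: The `$user` fetched on the `$user = DB::fetch(DB::query("SELECT * FROM mirror_users WHERE username=?", ...))` line is never checked before the unconditional `return true;`, so a session row whose user has since been deleted or renamed still validates, and `static::create_session($user)` would push whatever the failed fetch returned into `$_SESSION['user']`. If `DB::fetch` returns `false` on an empty result, as `PDOStatement::fetch` does, a guard such as `if (!$user) { return false; }` between the fetch and the `if (empty($_SESSION))` check closes that gap; please confirm the wrapper's empty-result value. The body of `is_valid_session` continues past the end of this hunk.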
@@ -34,42 +37,57 @@ function auth_is_valid_session()
  * @param string $password
  * @return array|bool array containing user data or false on failure
  */
-function auth_mysql($username,$password)
+public static function query($username,$password)
 {
     if (empty($username)||empty($password)) {
         return false;
-    }
-    $username = trim(strip_tags(addslashes($username)));
-    $password = trim(strip_tags(addslashes($password)));
-    $res = db_query("SELECT * FROM mirror_users WHERE username='{$username}' AND password=MD5('{$password}')");
-    if ($res && db_numrows($res)>0) {
-        return db_fetch($res,MYSQL_ASSOC);
+    }
+    $username = trim(strip_tags($username));
+    $password = trim(strip_tags($password));
+    $res = DB::query("SELECT * FROM mirror_users WHERE username=?", [$username]);
+    if ($res && DB::numrows($res)>0) {
+        $userrow = DB::fetch($res,PDO::FETCH_ASSOC);
+        if (!password_verify($password, $userrow['password'])) {
+            if ($userrow['password'] !== md5($password))
+                return false;
+            static::password_upgrade($userrow, $username, $password);
+        }
+        if (password_needs_rehash($userrow['password'], PASSWORD_DEFAULT))
+            static::password_upgrade($userrow, $username, $password);
+        return $userrow;
     } else {
         return false;
     }
 }
 
+private static function password_upgrade($userrow, $username, $password) {
+    require_once(LIB.'/mirror.php'); //Upgrade password security
+    Mirror::update_user($userrow['user_id'],$username,$password,$password,$userrow['firstname'],$userrow['lastname'],$userrow['email']);
+}
+
 /**
  * Start a valid session.
  * @param array $user array containing user information.
  */
-function auth_create_session($user,$secure=0)
+public static function create_session($user,$secure=0)
 {
     session_name('mozilla-mirror-admin');
     session_set_cookie_params(0,'/',$_SERVER['HTTP_HOST'],$secure);
     session_start();
-    db_query("INSERT INTO mirror_sessions(session_id,username) VALUES('".session_id()."','{$user['username']}')");
+    DB::query("INSERT INTO mirror_sessions(session_id,username) VALUES(?,?)", [session_id(), $user['username']]);
     $_SESSION['user']=$user;
 }
 
 /**
  * Logout.
  */
-function auth_logout()
+public static function logout()
 {
     // comment line below to keep gc from deleting other sessions for this user
-    db_query("DELETE FROM mirror_sessions WHERE session_id='{$_COOKIE['mozilla-mirror-admin']}' OR username='{$_SESSION['user']['username']}'");
-    $_COOKIE = array();
+    $cookieAdmin = filter_input(INPUT_COOKIE, 'mozilla-mirror-admin');
+    DB::query("DELETE FROM mirror_sessions WHERE session_id=? OR username=?", [$cookieAdmin, $_SESSION['user']['username']]);
+    $_COOKIE = array();
     $_SESSION = array();
 }
-?>
+
+}
|
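Review bot: In `query()`, the legacy fallback on the line `if ($userrow['password'] !== md5($password))` is a non-constant-time string comparison and should use `hash_equals()`, and because `$userrow['password']` is never refreshed after `static::password_upgrade(...)`, the following `password_needs_rehash($userrow['password'], PASSWORD_DEFAULT)` sees the stale md5 value and calls `Mirror::update_user` a second time on every legacy login. Making the rehash check an `elseif` of the `password_verify` failure removes the double write. The returned `$userrow` still carries the pre-upgrade hash in its `password` key, which is worth stating in the `@return` docblock so callers do not treat it as current.

```php
        $userrow = DB::fetch($res,PDO::FETCH_ASSOC);
        if (!password_verify($password, $userrow['password'])) {
            // legacy md5 row: constant-time compare, then rehash on success
            if (!hash_equals($userrow['password'], md5($password))) {
                return false;
            }
            static::password_upgrade($userrow, $username, $password);
        } elseif (password_needs_rehash($userrow['password'], PASSWORD_DEFAULT)) {
            static::password_upgrade($userrow, $username, $password);
        }
        return $userrow;
        // … unchanged: else branch, password_upgrade, create_session, logout …
```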