2016-09-01 23:13:23 +02:00
|
|
|
<?php
|
|
|
|
/*****************************************************************************
|
|
|
|
* Authentication.php
|
|
|
|
* Contains key class Authentication.
|
|
|
|
*
|
|
|
|
* Kabuki CMS (C) 2013-2015, Aaron van Geffen
|
|
|
|
*****************************************************************************/
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Authentication class, containing various static functions used for account verification
|
|
|
|
* and session management.
|
|
|
|
*/
|
|
|
|
class Authentication
|
|
|
|
{
|
2024-11-05 17:19:59 +01:00
|
|
|
const DEFAULT_RESET_TIMEOUT = 30;
|
|
|
|
|
2016-09-01 23:13:23 +02:00
|
|
|
/**
|
2024-11-05 16:39:42 +01:00
|
|
|
* Checks a password for a given username against the database.
|
2016-09-01 23:13:23 +02:00
|
|
|
*/
|
2024-11-05 16:39:42 +01:00
|
|
|
public static function checkPassword($emailaddress, $password)
|
2016-09-01 23:13:23 +02:00
|
|
|
{
|
2024-11-05 16:39:42 +01:00
|
|
|
// Retrieve password hash for user matching the provided emailaddress.
|
|
|
|
$password_hash = Registry::get('db')->queryValue('
|
|
|
|
SELECT password_hash
|
2016-09-01 23:13:23 +02:00
|
|
|
FROM users
|
|
|
|
WHERE emailaddress = {string:emailaddress}',
|
|
|
|
[
|
|
|
|
'emailaddress' => $emailaddress,
|
|
|
|
]);
|
|
|
|
|
2024-11-05 16:39:42 +01:00
|
|
|
// If there's no hash, the user likely does not exist.
|
|
|
|
if (!$password_hash)
|
|
|
|
return false;
|
2016-09-01 23:13:23 +02:00
|
|
|
|
2024-11-05 16:39:42 +01:00
|
|
|
return password_verify($password, $password_hash);
|
2016-09-02 11:17:10 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
public static function checkResetKey($id_user, $reset_key)
|
|
|
|
{
|
|
|
|
$key = Registry::get('db')->queryValue('
|
|
|
|
SELECT reset_key
|
|
|
|
FROM users
|
|
|
|
WHERE id_user = {int:id}',
|
|
|
|
[
|
|
|
|
'id' => $id_user,
|
|
|
|
]);
|
|
|
|
|
|
|
|
return $key == $reset_key;
|
|
|
|
}
|
|
|
|
|
2024-11-05 16:39:42 +01:00
|
|
|
/**
|
|
|
|
* Computes a password hash.
|
|
|
|
*/
|
|
|
|
public static function computeHash($password)
|
|
|
|
{
|
|
|
|
$hash = password_hash($password, PASSWORD_DEFAULT);
|
|
|
|
if (!$hash)
|
|
|
|
throw new Exception('Hash creation failed!');
|
|
|
|
return $hash;
|
|
|
|
}
|
|
|
|
|
2024-11-05 17:19:59 +01:00
|
|
|
public static function consumeResetKey($id_user)
|
|
|
|
{
|
|
|
|
return Registry::get('db')->query('
|
|
|
|
UPDATE users
|
|
|
|
SET reset_key = NULL,
|
|
|
|
reset_blocked_until = NULL
|
|
|
|
WHERE id_user = {int:id_user}',
|
|
|
|
['id_user' => $id_user]);
|
|
|
|
}
|
|
|
|
|
|
|
|
public static function getResetTimeOut($id_user)
|
|
|
|
{
|
|
|
|
$resetTime = Registry::get('db')->queryValue('
|
|
|
|
SELECT reset_blocked_until
|
|
|
|
FROM users
|
|
|
|
WHERE id_user = {int:id_user}',
|
|
|
|
['id_user' => $id_user]);
|
|
|
|
|
|
|
|
return max(0, $resetTime - time());
|
|
|
|
}
|
|
|
|
|
2016-09-01 23:13:23 +02:00
|
|
|
/**
|
|
|
|
* Verifies whether the user is currently logged in.
|
|
|
|
*/
|
|
|
|
public static function isLoggedIn()
|
|
|
|
{
|
2024-11-05 16:46:53 +01:00
|
|
|
if (!isset($_SESSION['user_id']))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
try
|
|
|
|
{
|
|
|
|
$exists = Member::fromId($_SESSION['user_id']);
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
catch (NotFoundException $e)
|
|
|
|
{
|
|
|
|
return false;
|
|
|
|
}
|
2016-09-01 23:13:23 +02:00
|
|
|
}
|
|
|
|
|
2016-09-02 11:17:10 +02:00
|
|
|
/**
|
|
|
|
* Generates a new activation key.
|
|
|
|
*/
|
|
|
|
public static function newActivationKey()
|
|
|
|
{
|
|
|
|
$alpha = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
|
|
|
|
$string = '';
|
|
|
|
for ($i = 0; $i < 16; $i++)
|
|
|
|
$string .= $alpha[mt_rand(0, strlen($alpha) - 1)];
|
|
|
|
return $string;
|
|
|
|
}
|
|
|
|
|
2024-11-05 16:39:42 +01:00
|
|
|
public static function setResetKey($id_user)
|
2016-09-01 23:13:23 +02:00
|
|
|
{
|
2024-11-05 16:39:42 +01:00
|
|
|
return Registry::get('db')->query('
|
|
|
|
UPDATE users
|
2024-11-05 17:19:59 +01:00
|
|
|
SET reset_key = {string:key},
|
|
|
|
reset_blocked_until = UNIX_TIMESTAMP() + ' . static::DEFAULT_RESET_TIMEOUT . '
|
2024-11-05 16:39:42 +01:00
|
|
|
WHERE id_user = {int:id}',
|
2016-09-01 23:13:23 +02:00
|
|
|
[
|
2024-11-05 16:39:42 +01:00
|
|
|
'id' => $id_user,
|
|
|
|
'key' => self::newActivationKey(),
|
2016-09-01 23:13:23 +02:00
|
|
|
]);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Resets a password for a certain user.
|
|
|
|
*/
|
|
|
|
public static function updatePassword($id_user, $hash)
|
|
|
|
{
|
|
|
|
return Registry::get('db')->query('
|
|
|
|
UPDATE users
|
|
|
|
SET
|
|
|
|
password_hash = {string:hash},
|
|
|
|
reset_key = {string:blank}
|
|
|
|
WHERE id_user = {int:id_user}',
|
|
|
|
[
|
|
|
|
'id_user' => $id_user,
|
|
|
|
'hash' => $hash,
|
|
|
|
'blank' => '',
|
|
|
|
]);
|
|
|
|
}
|
2024-11-05 17:19:59 +01:00
|
|
|
|
|
|
|
public static function updateResetTimeOut($id_user)
|
|
|
|
{
|
|
|
|
$currentResetTimeOut = static::getResetTimeOut($id_user);
|
|
|
|
|
|
|
|
// New timeout: between 30 seconds, double the current timeout, and a full day
|
|
|
|
$newResetTimeOut = min(max(static::DEFAULT_RESET_TIMEOUT, $currentResetTimeOut * 2), 60 * 60 * 24);
|
|
|
|
|
|
|
|
$success = Registry::get('db')->query('
|
|
|
|
UPDATE users
|
|
|
|
SET reset_blocked_until = {int:new_time_out}
|
|
|
|
WHERE id_user = {int:id_user}',
|
|
|
|
[
|
|
|
|
'id_user' => $id_user,
|
|
|
|
'new_time_out' => time() + $newResetTimeOut,
|
|
|
|
]);
|
|
|
|
|
|
|
|
if (!$success)
|
|
|
|
throw new UnexpectedValueException('Could not set password reset timeout!');
|
|
|
|
|
|
|
|
return $newResetTimeOut;
|
|
|
|
}
|
2016-09-01 23:13:23 +02:00
|
|
|
}
|