1
0
mirror of https://github.com/delight-im/PHP-Auth.git synced 2025-08-08 09:06:29 +02:00

52 Commits

Author SHA1 Message Date
Marco
7bcf201972 Improve documentation on default value for IP address in README 2017-11-08 21:34:50 +01:00
Marco
09247e7203 Provide possibility to disable throttling during development 2017-11-08 21:34:05 +01:00
Marco
ab1c54fae2 Optimize order of throttling in 'changeEmail' method from class 'Auth' 2017-11-08 20:40:37 +01:00
Marco
23acb66cc7 Reduce permitted frequency of requests to change one's email address 2017-11-08 20:38:16 +01:00
Marco
a7a9d45302 Drop constant 'CONFIRMATION_REQUESTS_TTL_IN_SECONDS' in 'UserManager' 2017-11-08 20:30:09 +01:00
Marco
ba4dc29ca5 Optimize order of throttling in 'resendConfirmationForColumnValue' 2017-11-08 20:23:34 +01:00
Marco
0a97f67515 Enforce limits for resending confirmations solely via throttling 2017-11-08 20:21:35 +01:00
Marco
7a94c6acef Improve documentation in 'confirmEmail' method from 'Auth' class 2017-11-08 19:23:22 +01:00
Marco
dbbbf1b193 Remove superfluous comment in 'UserManager' 2017-11-08 19:18:14 +01:00
Marco
9637dfa60d Improve language 2017-11-05 02:37:48 +01:00
Marco
aec738a9db Document methods for impersonating users in class 'Administration' 2017-11-03 15:48:21 +01:00
Marco
382ee5bf93 Add tests for methods to impersonate users in class 'Administration' 2017-11-03 15:44:39 +01:00
Marco
47d1e303aa Implement methods for impersonating users in class 'Administration' 2017-11-03 15:21:45 +01:00
Marco
67443c122a Move core logic of 'onLoginSuccessful' from 'Auth' to 'UserManager' 2017-11-03 08:50:59 +01:00
Marco
24056e89a4 Move constants holding names of session fields to 'UserManager' 2017-11-03 08:49:10 +01:00
Marco
c06bc7da1a Improve documentation for method 'onLoginSuccessful' in class 'Auth' 2017-11-03 08:38:17 +01:00
Marco
aedd2125fc Document constants holding names of session fields 2017-11-03 08:36:03 +01:00
Marco
425cf9b6f6 Write to session fields directly instead of using accessor methods 2017-11-03 08:33:41 +01:00
Marco
739fa7d574 Fix internal links in migration guide that should point to README 2017-10-21 23:15:15 +02:00
Marco
302feb5da2 Document 'secure' cookie attribute and how to change it in README 2017-10-21 22:32:01 +02:00
Marco
2ded232d8e Document 'httponly' cookie attribute and how to change it in README 2017-10-21 22:30:41 +02:00
Marco
70a905afd7 Document 'path' cookie attribute and how to change it in README 2017-10-21 22:29:19 +02:00
Marco
84f3ad10a9 Document 'domain' cookie attribute and how to change it in README 2017-10-21 22:26:25 +02:00
Marco
81091df66b Drop constructor arguments 'useHttps' and 'allowCookiesScriptAccess' 2017-10-20 23:07:36 +02:00
Marco
8926e7e708 Improve general upgrade guide in migration notes 2017-10-20 22:46:01 +02:00
Marco
eec450677f Do not duplicate and overwrite parts of cookie configuration anymore
Previously, PHP's configuration directives 'session.cookie_httponly'
and 'session.cookie_secure' were always overwritten with duplicated
and separately tracked variants of each directive
2017-10-20 22:30:16 +02:00
Marco
f1360dceba Improve code style 2017-10-20 08:53:02 +02:00
Marco
2cf7b27ba3 Support empty path scope for cookies to restrict to current directory 2017-10-20 08:47:56 +02:00
Marco
ecd8015acf Explain changes to domain scope of cookies in migration guide 2017-10-20 08:01:00 +02:00
Marco
1eedfd0e02 Simplify code based on assumptions about new 'Delight\Cookie' behavior 2017-10-20 01:12:04 +02:00
Marco
757579523c Use constants from 'Delight\Cookie\Cookie' class for cookie prefixes 2017-10-19 22:33:18 +02:00
Marco
d695328a5a Update dependencies 2017-10-19 22:29:50 +02:00
Marco
71506eaa05 Rename two methods for logout to highlight the better default version 2017-10-19 20:25:11 +02:00
Marco
ce8dbbc436 Delete 'remember me' cookies from previous major versions as well 2017-10-19 20:19:19 +02:00
Marco
d181219e40 Add documentation about cookies and their usage to README 2017-10-19 20:11:28 +02:00
Marco
891cef2511 Do not make repeated attempts to use invalid 'remember me' cookies 2017-10-19 03:00:28 +02:00
Marco
f70613b2b8 Ignore defined but empty selectors and tokens from 'remember me' 2017-10-19 02:55:49 +02:00
Marco
59816d1a40 Re-use 'remember me' cookie from previous major versions if available 2017-10-19 02:50:24 +02:00
Marco
1284f64f04 Fix documentation for method 'setRememberCookie' in class 'Auth' 2017-10-19 02:27:42 +02:00
Marco
8165e8917b Change name of 'remember me' cookie to be dependent on session name 2017-10-19 01:44:19 +02:00
Marco
a4b68167a1 Prepare migration guide for next major release 2017-10-19 00:47:47 +02:00
Marco
fc2fb4bb44 Move 'Refresh' button from bottom to top in 'tests' 2017-10-19 00:36:08 +02:00
Marco
b2a3fde696 Add tests for method 'createRememberCookieName' from class 'Auth' 2017-10-18 23:08:01 +02:00
Marco
36880b87c9 Implement method 'createRememberCookieName' in class 'Auth' 2017-10-18 23:03:41 +02:00
Marco
4a66965994 Add tests for method 'createCookieName' from class 'Auth' 2017-10-18 23:01:15 +02:00
Marco
e7b590dc80 Implement method 'createCookieName' in class 'Auth' 2017-10-18 22:52:00 +02:00
Marco
33d2384c93 Add list of available cookie prefixes as constant in class 'Auth' 2017-10-18 22:48:14 +02:00
Marco
1169856217 Improve code style 2017-10-18 22:47:24 +02:00
Marco
fa75811679 Display current session name in 'tests' 2017-10-18 22:30:06 +02:00
Marco
fa8fa4887e Improve documentation in class 'Auth' 2017-10-18 21:59:25 +02:00
Marco
8fecb86f15 Improve code style 2017-10-12 02:42:40 +02:00
Pavel Levin
04c466b309 Drop superfluous check using 'isset' 2017-10-12 02:32:13 +02:00
8 changed files with 719 additions and 328 deletions

View File

@@ -1,6 +1,7 @@
# Migration # Migration
* [General](#general) * [General](#general)
* [From `v6.x.x` to `v7.x.x`](#from-v6xx-to-v7xx)
* [From `v5.x.x` to `v6.x.x`](#from-v5xx-to-v6xx) * [From `v5.x.x` to `v6.x.x`](#from-v5xx-to-v6xx)
* [From `v4.x.x` to `v5.x.x`](#from-v4xx-to-v5xx) * [From `v4.x.x` to `v5.x.x`](#from-v4xx-to-v5xx)
* [From `v3.x.x` to `v4.x.x`](#from-v3xx-to-v4xx) * [From `v3.x.x` to `v4.x.x`](#from-v3xx-to-v4xx)
@@ -15,6 +16,62 @@ Update your version of this library via Composer [[?]](https://github.com/deligh
$ composer update delight-im/auth $ composer update delight-im/auth
``` ```
If you want to perform a major version upgrade (e.g. from version `1.x.x` to version `2.x.x`), the version constraints defined in your `composer.json` [[?]](https://github.com/delight-im/Knowledge/blob/master/Composer%20(PHP).md) may not allow this. In that case, just add the dependency again to overwrite it with the latest version (or optionally with a specified version):
```
$ composer require delight-im/auth
```
## From `v6.x.x` to `v7.x.x`
* The method `logOutButKeepSession` from class `Auth` is now simply called `logOut`. Therefore, the former method `logout` is now called `logOutAndDestroySession`. With both methods, mind the capitalization of the letter “O”.
* The second argument of the `Auth` constructor, which was named `$useHttps`, has been removed. If you previously had it set to `true`, make sure to set the value of the `session.cookie_secure` directive to `1` now. You may do so either directly in your [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`), via the `\ini_set` method or via the `\session_set_cookie_params` method. Otherwise, make sure that directive is set to `0`.
* The third argument of the `Auth` constructor, which was named `$allowCookiesScriptAccess`, has been removed. If you previously had it set to `true`, make sure to set the value of the `session.cookie_httponly` directive to `0` now. You may do so either directly in your [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`), via the `\ini_set` method or via the `\session_set_cookie_params` method. Otherwise, make sure that directive is set to `1`.
* Only if *both* of the following two conditions are met:
* The directive `session.cookie_domain` is set to an empty value. It may have been set directly in your [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`), via the `\ini_set` method or via the `\session_set_cookie_params` method. You can check the value of that directive by executing the following statement somewhere in your application:
```php
\var_dump(\ini_get('session.cookie_domain'));
```
* Your application is accessed via a registered or registrable *domain name*, either by yourself during development and testing or by your visitors and users in production. That means your application is *not*, or *not only*, accessed via `localhost` or via an IP address.
Then the domain scope for the [two cookies](README.md#cookies) used by this library has changed. You can handle this change in one of two different ways:
* Restore the old behavior by placing the following statement as early as possible in your application, and before you create the `Auth` instance:
```php
\ini_set('session.cookie_domain', \preg_replace('/^www\./', '', $_SERVER['HTTP_HOST']));
```
You may also evaluate the complete second parameter and put its value directly into your [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`).
* Use the new domain scope for your application. To do so, you only need to [rename the cookies](README.md#renaming-the-librarys-cookies) used by this library in order to prevent conflicts with old cookies that have been created previously. Renaming the cookies is critically important here. We recommend a versioned name such as `session_v1` for the session cookie.
* Only if *both* of the following two conditions are met:
* The directive `session.cookie_domain` is set to a value that starts with the `www` subdomain. It may have been set directly in your [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`), via the `\ini_set` method or via the `\session_set_cookie_params` method. You can check the value of that directive by executing the following statement somewhere in your application:
```php
\var_dump(\ini_get('session.cookie_domain'));
```
* Your application is accessed via a registered or registrable *domain name*, either by yourself during development and testing or by your visitors and users in production. That means your application is *not*, or *not only*, accessed via `localhost` or via an IP address.
Then the domain scope for [one of the cookies](README.md#cookies) used by this library has changed. To make your application work correctly with the new scope, [rename the cookies](README.md#renaming-the-librarys-cookies) used by this library in order to prevent conflicts with old cookies that have been created previously. Renaming the cookies is critically important here. We recommend a versioned name such as `session_v1` for the session cookie.
* If the directive `session.cookie_path` is set to an empty value, then the path scope for [one of the cookies](README.md#cookies) used by this library has changed. To make your application work correctly with the new scope, [rename the cookies](README.md#renaming-the-librarys-cookies) used by this library in order to prevent conflicts with old cookies that have been created previously. Renaming the cookies is critically important here. We recommend a versioned name such as `session_v1` for the session cookie.
The directive may have been set directly in your [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`), via the `\ini_set` method or via the `\session_set_cookie_params` method. You can check the value of that directive by executing the following statement somewhere in your application:
```php
\var_dump(\ini_get('session.cookie_path'));
```
## From `v5.x.x` to `v6.x.x` ## From `v5.x.x` to `v6.x.x`
* The database schema has changed. * The database schema has changed.

192
README.md
View File

@@ -79,6 +79,13 @@ Migrating from an earlier version of this project? See our [upgrade guide](Migra
* [Assigning roles to users](#assigning-roles-to-users) * [Assigning roles to users](#assigning-roles-to-users)
* [Taking roles away from users](#taking-roles-away-from-users) * [Taking roles away from users](#taking-roles-away-from-users)
* [Checking roles](#checking-roles-1) * [Checking roles](#checking-roles-1)
* [Impersonating users (logging in as user)](#impersonating-users-logging-in-as-user)
* [Cookies](#cookies)
* [Renaming the librarys cookies](#renaming-the-librarys-cookies)
* [Defining the domain scope for cookies](#defining-the-domain-scope-for-cookies)
* [Restricting the path where cookies are available](#restricting-the-path-where-cookies-are-available)
* [Controlling client-side script access to cookies](#controlling-client-side-script-access-to-cookies)
* [Configuring transport security for cookies](#configuring-transport-security-for-cookies)
* [Utilities](#utilities) * [Utilities](#utilities)
* [Creating a random string](#creating-a-random-string) * [Creating a random string](#creating-a-random-string)
* [Creating a UUID v4 as per RFC 4122](#creating-a-uuid-v4-as-per-rfc-4122) * [Creating a UUID v4 as per RFC 4122](#creating-a-uuid-v4-as-per-rfc-4122)
@@ -102,13 +109,11 @@ $auth = new \Delight\Auth\Auth($db);
If you have an open `PDO` connection already, just re-use it. If you have an open `PDO` connection already, just re-use it.
If you do enforce HTTPS on your site, pass `true` as the second parameter to the constructor. This is optional and the default is `false`. If your web server is behind a proxy server and `$_SERVER['REMOTE_ADDR']` only contains the proxys IP address, you must pass the users real IP address to the constructor in the second argument, which is named `$ipAddress`. The default is the usual remote IP address received by PHP.
Only in the very rare case that you need access to your cookies from JavaScript, pass `true` as the third argument to the constructor. This is optional and the default is `false`. There is almost always a *better* solution than enabling this, however. Should your database tables for this library need a common prefix, e.g. `my_users` instead of `users` (and likewise for the other tables), pass the prefix (e.g. `my_`) as the third parameter to the constructor, which is named `$dbTablePrefix`. This is optional and the prefix is empty by default.
If your web server is behind a proxy server and `$_SERVER['REMOTE_ADDR']` only contains the proxys IP address, you must pass the users real IP address to the constructor in the fourth argument. The default is `null`. During development, you may want to disable the request limiting or throttling performed by this library. To do so, pass `false` to the constructor as the fourth argument, which is named `$throttling`. The feature is enabled by default.
Should your database tables for this library need a common prefix, e.g. `my_users` instead of `users` (and likewise for the other tables), pass the prefix (e.g. `my_`) as the fifth parameter to the constructor. This is optional and the prefix is empty by default.
### Registration (sign up) ### Registration (sign up)
@@ -405,9 +410,9 @@ $url = 'https://www.example.com/verify_email?selector=' . \urlencode($selector)
### Logout ### Logout
```php ```php
$auth->logOutButKeepSession(); $auth->logOut();
// or // or
$auth->logout(); $auth->logOutAndDestroySession();
// user has been signed out // user has been signed out
``` ```
@@ -896,6 +901,179 @@ catch (\Delight\Auth\UnknownIdException $e) {
} }
``` ```
#### Impersonating users (logging in as user)
```php
try {
$auth->admin()->logInAsUserById($_POST['id']);
}
catch (\Delight\Auth\UnknownIdException $e) {
// unknown ID
}
catch (\Delight\Auth\EmailNotVerifiedException $e) {
// email address not verified
}
// or
try {
$auth->admin()->logInAsUserByEmail($_POST['email']);
}
catch (\Delight\Auth\InvalidEmailException $e) {
// unknown email address
}
catch (\Delight\Auth\EmailNotVerifiedException $e) {
// email address not verified
}
// or
try {
$auth->admin()->logInAsUserByUsername($_POST['username']);
}
catch (\Delight\Auth\UnknownUsernameException $e) {
// unknown username
}
catch (\Delight\Auth\AmbiguousUsernameException $e) {
// ambiguous username
}
catch (\Delight\Auth\EmailNotVerifiedException $e) {
// email address not verified
}
```
### Cookies
This library uses two cookies to keep state on the client: The first, whose name you can retrieve using
```php
\session_name();
```
is the general (mandatory) session cookie. The second (optional) cookie is only used for [persistent logins](#keeping-the-user-logged-in) and its name can be retrieved as follows:
```php
\Delight\Auth\Auth::createRememberCookieName();
```
#### Renaming the librarys cookies
You can rename the session cookie used by this library through one of the following means, in order of recommendation:
* In the [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`), find the line with the `session.name` directive and change its value to something like `session_v1`, as in:
```
session.name = session_v1
```
* As early as possible in your application, and before you create the `Auth` instance, call `\ini_set` to change `session.name` to something like `session_v1`, as in:
```php
\ini_set('session.name', 'session_v1');
```
For this to work, `session.auto_start` must be set to `0` in the [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`).
* As early as possible in your application, and before you create the `Auth` instance, call `\session_name` with an argument like `session_v1`, as in:
```php
\session_name('session_v1');
```
For this to work, `session.auto_start` must be set to `0` in the [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`).
The name of the cookie for [persistent logins](#keeping-the-user-logged-in) will change as well automatically following your change of the session cookies name.
#### Defining the domain scope for cookies
A cookies `domain` attribute controls which domain (and which subdomains) the cookie will be valid for, and thus where the users session and authentication state will be available.
The recommended default is an empty string, which means that the cookie will only be valid for the *exact* current host, *excluding* any subdomains that may exist. You should only use a different value if you need to share cookies between different subdomains. Often, youll want to share cookies between the bare domain and the `www` subdomain, but you might also want to share them between any other set of subdomains.
Whatever set of subdomains you choose, you should set the cookies attribute to the *most specific* domain name that still includes all your required subdomains. For example, to share cookies between `example.com` and `www.example.com`, you would set the attribute to `example.com`. But if you wanted to share cookies between `sub1.app.example.com` and `sub2.app.example.com`, you should set the attribute to `app.example.com`. Any explicitly specified domain name will always *include* all subdomains that may exist.
You can change the attribute through one of the following means, in order of recommendation:
* In the [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`), find the line with the `session.cookie_domain` directive and change its value as desired, e.g.:
```
session.cookie_domain = example.com
```
* As early as possible in your application, and before you create the `Auth` instance, call `\ini_set` to change the value of the `session.cookie_domain` directive as desired, e.g.:
```php
\ini_set('session.cookie_domain', 'example.com');
```
For this to work, `session.auto_start` must be set to `0` in the [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`).
#### Restricting the path where cookies are available
A cookies `path` attribute controls which directories (and subdirectories) the cookie will be valid for, and thus where the users session and authentication state will be available.
In most cases, youll want to make cookies available for all paths, i.e. any directory and file, starting in the root directory. That is what a value of `/` for the attribute does, which is also the recommended default. You should only change this attribute to a different value, e.g. `/path/to/subfolder`, if you want to restrict which directories your cookies will be available in, e.g. to host multiple applications side-by-side, in different directories, under the same domain name.
You can change the attribute through one of the following means, in order of recommendation:
* In the [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`), find the line with the `session.cookie_path` directive and change its value as desired, e.g.:
```
session.cookie_path = /
```
* As early as possible in your application, and before you create the `Auth` instance, call `\ini_set` to change the value of the `session.cookie_path` directive as desired, e.g.:
```php
\ini_set('session.cookie_path', '/');
```
For this to work, `session.auto_start` must be set to `0` in the [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`).
#### Controlling client-side script access to cookies
Using the `httponly` attribute, you can control whether client-side scripts, i.e. JavaScript, should be able to access your cookies or not. For security reasons, it is best to *deny* script access to your cookies, which reduces the damage that successful XSS attacks against your application could do, for example.
Thus, you should always set `httponly` to `1`, except for the rare cases where you really need access to your cookies from JavaScript and cant find any better solution. In those cases, set the attribute to `0`, but be aware of the consequences.
You can change the attribute through one of the following means, in order of recommendation:
* In the [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`), find the line with the `session.cookie_httponly` directive and change its value as desired, e.g.:
```
session.cookie_httponly = 1
```
* As early as possible in your application, and before you create the `Auth` instance, call `\ini_set` to change the value of the `session.cookie_httponly` directive as desired, e.g.:
```php
\ini_set('session.cookie_httponly', 1);
```
For this to work, `session.auto_start` must be set to `0` in the [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`).
#### Configuring transport security for cookies
Using the `secure` attribute, you can control whether cookies should be sent over *any* connection, including plain HTTP, or whether a secure connection, i.e. HTTPS (with SSL/TLS), should be required. The former (less secure) mode can be chosen by setting the attribute to `0`, and the latter (more secure) mode can be chosen by setting the attribute to `1`.
Obviously, this solely depends on whether you are able to serve *all* pages exclusively via HTTPS. If you can, you should set the attribute to `1` and possibly combine it with HTTP redirects to the secure protocol and HTTP Strict Transport Security (HSTS). Otherwise, you may have to keep the attribute set to `0`.
You can change the attribute through one of the following means, in order of recommendation:
* In the [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`), find the line with the `session.cookie_secure` directive and change its value as desired, e.g.:
```
session.cookie_secure = 1
```
* As early as possible in your application, and before you create the `Auth` instance, call `\ini_set` to change the value of the `session.cookie_secure` directive as desired, e.g.:
```php
\ini_set('session.cookie_secure', 1);
```
For this to work, `session.auto_start` must be set to `0` in the [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`).
### Utilities ### Utilities
#### Creating a random string #### Creating a random string

View File

@@ -5,7 +5,7 @@
"php": ">=5.6.0", "php": ">=5.6.0",
"ext-openssl": "*", "ext-openssl": "*",
"delight-im/base64": "^1.0", "delight-im/base64": "^1.0",
"delight-im/cookie": "^2.1", "delight-im/cookie": "^3.1",
"delight-im/db": "^1.2" "delight-im/db": "^1.2"
}, },
"type": "library", "type": "library",

12
composer.lock generated
View File

@@ -4,7 +4,7 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file", "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
"This file is @generated automatically" "This file is @generated automatically"
], ],
"content-hash": "8ab7c9ad8ef2bc7d9a6beb27f9bf4df5", "content-hash": "54d541ae3c5ba25b0cc06688d2b65467",
"packages": [ "packages": [
{ {
"name": "delight-im/base64", "name": "delight-im/base64",
@@ -49,16 +49,16 @@
}, },
{ {
"name": "delight-im/cookie", "name": "delight-im/cookie",
"version": "v2.1.3", "version": "v3.1.0",
"source": { "source": {
"type": "git", "type": "git",
"url": "https://github.com/delight-im/PHP-Cookie.git", "url": "https://github.com/delight-im/PHP-Cookie.git",
"reference": "a66c8a02aa4776c4b7d3d04c695411f73e04e1eb" "reference": "76ef2a21817cf7a034f85fc3f4d4bfc60f873947"
}, },
"dist": { "dist": {
"type": "zip", "type": "zip",
"url": "https://api.github.com/repos/delight-im/PHP-Cookie/zipball/a66c8a02aa4776c4b7d3d04c695411f73e04e1eb", "url": "https://api.github.com/repos/delight-im/PHP-Cookie/zipball/76ef2a21817cf7a034f85fc3f4d4bfc60f873947",
"reference": "a66c8a02aa4776c4b7d3d04c695411f73e04e1eb", "reference": "76ef2a21817cf7a034f85fc3f4d4bfc60f873947",
"shasum": "" "shasum": ""
}, },
"require": { "require": {
@@ -86,7 +86,7 @@
"samesite", "samesite",
"xss" "xss"
], ],
"time": "2017-07-26T14:03:38+00:00" "time": "2017-10-18T19:48:59+00:00"
}, },
{ {
"name": "delight-im/db", "name": "delight-im/db",

View File

@@ -107,7 +107,7 @@ final class Administration extends UserManager {
*/ */
public function deleteUserByUsername($username) { public function deleteUserByUsername($username) {
$userData = $this->getUserDataByUsername( $userData = $this->getUserDataByUsername(
trim($username), \trim($username),
[ 'id' ] [ 'id' ]
); );
@@ -286,6 +286,60 @@ final class Administration extends UserManager {
return ($rolesBitmask & $role) === $role; return ($rolesBitmask & $role) === $role;
} }
/**
* Signs in as the user with the specified ID
*
* @param int $id the ID of the user to sign in as
* @throws UnknownIdException if no user with the specified ID has been found
* @throws EmailNotVerifiedException if the user has not verified their email address via a confirmation method yet
* @throws AuthError if an internal problem occurred (do *not* catch)
*/
public function logInAsUserById($id) {
$numberOfMatchedUsers = $this->logInAsUserByColumnValue('id', (int) $id);
if ($numberOfMatchedUsers === 0) {
throw new UnknownIdException();
}
}
/**
* Signs in as the user with the specified email address
*
* @param string $email the email address of the user to sign in as
* @throws InvalidEmailException if no user with the specified email address has been found
* @throws EmailNotVerifiedException if the user has not verified their email address via a confirmation method yet
* @throws AuthError if an internal problem occurred (do *not* catch)
*/
public function logInAsUserByEmail($email) {
$email = self::validateEmailAddress($email);
$numberOfMatchedUsers = $this->logInAsUserByColumnValue('email', $email);
if ($numberOfMatchedUsers === 0) {
throw new InvalidEmailException();
}
}
/**
* Signs in as the user with the specified display name
*
* @param string $username the display name of the user to sign in as
* @throws UnknownUsernameException if no user with the specified username has been found
* @throws AmbiguousUsernameException if multiple users with the specified username have been found
* @throws EmailNotVerifiedException if the user has not verified their email address via a confirmation method yet
* @throws AuthError if an internal problem occurred (do *not* catch)
*/
public function logInAsUserByUsername($username) {
$numberOfMatchedUsers = $this->logInAsUserByColumnValue('username', \trim($username));
if ($numberOfMatchedUsers === 0) {
throw new UnknownUsernameException();
}
elseif ($numberOfMatchedUsers > 1) {
throw new AmbiguousUsernameException();
}
}
/** /**
* Deletes all existing users where the column with the specified name has the given value * Deletes all existing users where the column with the specified name has the given value
* *
@@ -404,4 +458,42 @@ final class Administration extends UserManager {
); );
} }
/**
* Signs in as the user for which the column with the specified name has the given value
*
* You must never pass untrusted input to the parameter that takes the column name
*
* @param string $columnName the name of the column to filter by
* @param mixed $columnValue the value to look for in the selected column
* @return int the number of matched users (where only a value of one means that the login may have been successful)
* @throws EmailNotVerifiedException if the user has not verified their email address via a confirmation method yet
* @throws AuthError if an internal problem occurred (do *not* catch)
*/
private function logInAsUserByColumnValue($columnName, $columnValue) {
try {
$users = $this->db->select(
'SELECT verified, id, email, username, status, roles_mask FROM ' . $this->dbTablePrefix . 'users WHERE ' . $columnName . ' = ? LIMIT 2 OFFSET 0',
[ $columnValue ]
);
}
catch (Error $e) {
throw new DatabaseError();
}
$numberOfMatchingUsers = \count($users);
if ($numberOfMatchingUsers === 1) {
$user = $users[0];
if ((int) $user['verified'] === 1) {
$this->onLoginSuccessful($user['id'], $user['email'], $user['username'], $user['status'], $user['roles_mask'], false);
}
else {
throw new EmailNotVerifiedException();
}
}
return $numberOfMatchingUsers;
}
} }

View File

@@ -21,36 +21,28 @@ require_once __DIR__ . '/Exceptions.php';
/** Component that provides all features and utilities for secure authentication of individual users */ /** Component that provides all features and utilities for secure authentication of individual users */
final class Auth extends UserManager { final class Auth extends UserManager {
const SESSION_FIELD_LOGGED_IN = 'auth_logged_in'; const COOKIE_PREFIXES = [ Cookie::PREFIX_SECURE, Cookie::PREFIX_HOST ];
const SESSION_FIELD_USER_ID = 'auth_user_id';
const SESSION_FIELD_EMAIL = 'auth_email';
const SESSION_FIELD_USERNAME = 'auth_username';
const SESSION_FIELD_STATUS = 'auth_status';
const SESSION_FIELD_ROLES = 'auth_roles';
const SESSION_FIELD_REMEMBERED = 'auth_remembered';
const COOKIE_CONTENT_SEPARATOR = '~'; const COOKIE_CONTENT_SEPARATOR = '~';
const COOKIE_NAME_REMEMBER = 'auth_remember';
/** @var boolean whether HTTPS (TLS/SSL) will be used (recommended) */
private $useHttps;
/** @var boolean whether cookies should be accessible via client-side scripts (*not* recommended) */
private $allowCookiesScriptAccess;
/** @var string the user's current IP address */ /** @var string the user's current IP address */
private $ipAddress; private $ipAddress;
/** @var bool whether throttling should be enabled (e.g. in production) or disabled (e.g. during development) */
private $throttling;
/** @var string the name of the cookie used for the 'remember me' feature */
private $rememberCookieName;
/** /**
* @param PdoDatabase|PdoDsn|\PDO $databaseConnection the database connection to operate on * @param PdoDatabase|PdoDsn|\PDO $databaseConnection the database connection to operate on
* @param bool $useHttps whether HTTPS (TLS/SSL) will be used (recommended)
* @param bool $allowCookiesScriptAccess whether cookies should be accessible via client-side scripts (*not* recommended)
* @param string $ipAddress the IP address that should be used instead of the default setting (if any), e.g. when behind a proxy * @param string $ipAddress the IP address that should be used instead of the default setting (if any), e.g. when behind a proxy
* @param string|null $dbTablePrefix (optional) the prefix for the names of all database tables used by this component * @param string|null $dbTablePrefix (optional) the prefix for the names of all database tables used by this component
* @param bool|null $throttling (optional) whether throttling should be enabled (e.g. in production) or disabled (e.g. during development)
*/ */
public function __construct($databaseConnection, $useHttps = false, $allowCookiesScriptAccess = false, $ipAddress = null, $dbTablePrefix = null) { public function __construct($databaseConnection, $ipAddress = null, $dbTablePrefix = null, $throttling = null) {
parent::__construct($databaseConnection, $dbTablePrefix); parent::__construct($databaseConnection, $dbTablePrefix);
$this->useHttps = $useHttps;
$this->allowCookiesScriptAccess = $allowCookiesScriptAccess;
$this->ipAddress = !empty($ipAddress) ? $ipAddress : (isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : null); $this->ipAddress = !empty($ipAddress) ? $ipAddress : (isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : null);
$this->throttling = isset($throttling) ? (bool) $throttling : true;
$this->rememberCookieName = self::createRememberCookieName();
$this->initSession(); $this->initSession();
$this->enhanceHttpSecurity(); $this->enhanceHttpSecurity();
@@ -61,37 +53,32 @@ final class Auth extends UserManager {
/** Initializes the session and sets the correct configuration */ /** Initializes the session and sets the correct configuration */
private function initSession() { private function initSession() {
// use cookies to store session IDs // use cookies to store session IDs
ini_set('session.use_cookies', 1); \ini_set('session.use_cookies', 1);
// use cookies only (do not send session IDs in URLs) // use cookies only (do not send session IDs in URLs)
ini_set('session.use_only_cookies', 1); \ini_set('session.use_only_cookies', 1);
// do not send session IDs in URLs // do not send session IDs in URLs
ini_set('session.use_trans_sid', 0); \ini_set('session.use_trans_sid', 0);
// get our cookie settings // start the session (requests a cookie to be written on the client)
$params = $this->createCookieSettings();
// define our new cookie settings
session_set_cookie_params($params['lifetime'], $params['path'], $params['domain'], $params['secure'], $params['httponly']);
// start the session
@Session::start(); @Session::start();
} }
/** Improves the application's security over HTTP(S) by setting specific headers */ /** Improves the application's security over HTTP(S) by setting specific headers */
private function enhanceHttpSecurity() { private function enhanceHttpSecurity() {
// remove exposure of PHP version (at least where possible) // remove exposure of PHP version (at least where possible)
header_remove('X-Powered-By'); \header_remove('X-Powered-By');
// if the user is signed in // if the user is signed in
if ($this->isLoggedIn()) { if ($this->isLoggedIn()) {
// prevent clickjacking // prevent clickjacking
header('X-Frame-Options: sameorigin'); \header('X-Frame-Options: sameorigin');
// prevent content sniffing (MIME sniffing) // prevent content sniffing (MIME sniffing)
header('X-Content-Type-Options: nosniff'); \header('X-Content-Type-Options: nosniff');
// disable caching of potentially sensitive data // disable caching of potentially sensitive data
header('Cache-Control: no-store, no-cache, must-revalidate', true); \header('Cache-Control: no-store, no-cache, must-revalidate', true);
header('Expires: Thu, 19 Nov 1981 00:00:00 GMT', true); \header('Expires: Thu, 19 Nov 1981 00:00:00 GMT', true);
header('Pragma: no-cache', true); \header('Pragma: no-cache', true);
} }
} }
@@ -99,12 +86,25 @@ final class Auth extends UserManager {
private function processRememberDirective() { private function processRememberDirective() {
// if the user is not signed in yet // if the user is not signed in yet
if (!$this->isLoggedIn()) { if (!$this->isLoggedIn()) {
// if there is currently no cookie for the 'remember me' feature
if (!isset($_COOKIE[$this->rememberCookieName])) {
// if an old cookie for that feature from versions v1.x.x to v6.x.x has been found
if (isset($_COOKIE['auth_remember'])) {
// use the value from that old cookie instead
$_COOKIE[$this->rememberCookieName] = $_COOKIE['auth_remember'];
}
}
// if a remember cookie is set // if a remember cookie is set
if (isset($_COOKIE[self::COOKIE_NAME_REMEMBER])) { if (isset($_COOKIE[$this->rememberCookieName])) {
// assume the cookie and its contents to be invalid until proven otherwise
$valid = false;
// split the cookie's content into selector and token // split the cookie's content into selector and token
$parts = explode(self::COOKIE_CONTENT_SEPARATOR, $_COOKIE[self::COOKIE_NAME_REMEMBER], 2); $parts = \explode(self::COOKIE_CONTENT_SEPARATOR, $_COOKIE[$this->rememberCookieName], 2);
// if both selector and token were found // if both selector and token were found
if (isset($parts[0]) && isset($parts[1])) { if (!empty($parts[0]) && !empty($parts[1])) {
try { try {
$rememberData = $this->db->selectRow( $rememberData = $this->db->selectRow(
'SELECT a.user, a.token, a.expires, b.email, b.username, b.status, b.roles_mask FROM ' . $this->dbTablePrefix . 'users_remembered AS a JOIN ' . $this->dbTablePrefix . 'users AS b ON a.user = b.id WHERE a.selector = ?', 'SELECT a.user, a.token, a.expires, b.email, b.username, b.status, b.roles_mask FROM ' . $this->dbTablePrefix . 'users_remembered AS a JOIN ' . $this->dbTablePrefix . 'users AS b ON a.user = b.id WHERE a.selector = ?',
@@ -116,13 +116,22 @@ final class Auth extends UserManager {
} }
if (!empty($rememberData)) { if (!empty($rememberData)) {
if ($rememberData['expires'] >= time()) { if ($rememberData['expires'] >= \time()) {
if (password_verify($parts[1], $rememberData['token'])) { if (\password_verify($parts[1], $rememberData['token'])) {
// the cookie and its contents have now been proven to be valid
$valid = true;
$this->onLoginSuccessful($rememberData['user'], $rememberData['email'], $rememberData['username'], $rememberData['status'], $rememberData['roles_mask'], true); $this->onLoginSuccessful($rememberData['user'], $rememberData['email'], $rememberData['username'], $rememberData['status'], $rememberData['roles_mask'], true);
} }
} }
} }
} }
// if the cookie or its contents have been invalid
if (!$valid) {
// mark the cookie as such to prevent any further futile attempts
$this->setRememberCookie('', '', \time() + 60 * 60 * 24 * 365.25);
}
} }
} }
} }
@@ -314,7 +323,7 @@ final class Auth extends UserManager {
* *
* @throws AuthError if an internal problem occurred (do *not* catch) * @throws AuthError if an internal problem occurred (do *not* catch)
*/ */
public function logOutButKeepSession() { public function logOut() {
// if the user has been signed in // if the user has been signed in
if ($this->isLoggedIn()) { if ($this->isLoggedIn()) {
// get the user's ID // get the user's ID
@@ -361,8 +370,8 @@ final class Auth extends UserManager {
private function createRememberDirective($userId, $duration) { private function createRememberDirective($userId, $duration) {
$selector = self::createRandomString(24); $selector = self::createRandomString(24);
$token = self::createRandomString(32); $token = self::createRandomString(32);
$tokenHashed = password_hash($token, PASSWORD_DEFAULT); $tokenHashed = \password_hash($token, \PASSWORD_DEFAULT);
$expires = time() + ((int) $duration); $expires = \time() + ((int) $duration);
try { try {
$this->db->insert( $this->db->insert(
@@ -399,20 +408,19 @@ final class Auth extends UserManager {
throw new DatabaseError(); throw new DatabaseError();
} }
$this->setRememberCookie(null, null, time() - 3600); $this->setRememberCookie(null, null, \time() - 3600);
} }
/** /**
* Sets or updates the cookie that manages the "remember me" token * Sets or updates the cookie that manages the "remember me" token
* *
* @param string $selector the selector from the selector/token pair * @param string|null $selector the selector from the selector/token pair
* @param string $token the token from the selector/token pair * @param string|null $token the token from the selector/token pair
* @param int $expires the interval in seconds after which the token should expire * @param int $expires the UNIX time in seconds which the token should expire at
* @throws AuthError if an internal problem occurred (do *not* catch) * @throws AuthError if an internal problem occurred (do *not* catch)
*/ */
private function setRememberCookie($selector, $token, $expires) { private function setRememberCookie($selector, $token, $expires) {
// get our cookie settings $params = \session_get_cookie_params();
$params = $this->createCookieSettings();
if (isset($selector) && isset($token)) { if (isset($selector) && isset($token)) {
$content = $selector . self::COOKIE_CONTENT_SEPARATOR . $token; $content = $selector . self::COOKIE_CONTENT_SEPARATOR . $token;
@@ -421,47 +429,38 @@ final class Auth extends UserManager {
$content = ''; $content = '';
} }
// set the cookie with the selector and token // save the cookie with the selector and token (requests a cookie to be written on the client)
$cookie = new Cookie($this->rememberCookieName);
$cookie = new Cookie(self::COOKIE_NAME_REMEMBER);
$cookie->setValue($content); $cookie->setValue($content);
$cookie->setExpiryTime($expires); $cookie->setExpiryTime($expires);
$cookie->setPath($params['path']);
if (!empty($params['path'])) { $cookie->setDomain($params['domain']);
$cookie->setPath($params['path']);
}
if (!empty($params['domain'])) {
$cookie->setDomain($params['domain']);
}
$cookie->setHttpOnly($params['httponly']); $cookie->setHttpOnly($params['httponly']);
$cookie->setSecureOnly($params['secure']); $cookie->setSecureOnly($params['secure']);
$result = $cookie->save(); $result = $cookie->save();
if ($result === false) { if ($result === false) {
throw new HeadersAlreadySentError(); throw new HeadersAlreadySentError();
} }
// if we've been deleting the cookie above
if (!isset($selector) || !isset($token)) {
// attempt to delete a potential old cookie from versions v1.x.x to v6.x.x as well (requests a cookie to be written on the client)
$cookie = new Cookie('auth_remember');
$cookie->setPath((!empty($params['path'])) ? $params['path'] : '/');
$cookie->setDomain($params['domain']);
$cookie->setHttpOnly($params['httponly']);
$cookie->setSecureOnly($params['secure']);
$cookie->delete();
}
} }
/** protected function onLoginSuccessful($userId, $email, $username, $status, $roles, $remembered) {
* Called when the user has successfully logged in (via standard login or "remember me") // update the timestamp of the user's last login
*
* @param int $userId the ID of the user who has just logged in
* @param string $email the email address of the user who has just logged in
* @param string $username the username (if any)
* @param int $status the status as one of the constants from the {@see Status} class
* @param int $roles the bitmask containing the roles of the user
* @param bool $remembered whether the user was remembered ("remember me") or logged in actively
* @throws AuthError if an internal problem occurred (do *not* catch)
*/
private function onLoginSuccessful($userId, $email, $username, $status, $roles, $remembered) {
try { try {
$this->db->update( $this->db->update(
$this->dbTablePrefix . 'users', $this->dbTablePrefix . 'users',
[ 'last_login' => time() ], [ 'last_login' => \time() ],
[ 'id' => $userId ] [ 'id' => $userId ]
); );
} }
@@ -469,17 +468,7 @@ final class Auth extends UserManager {
throw new DatabaseError(); throw new DatabaseError();
} }
// re-generate the session ID to prevent session fixation attacks parent::onLoginSuccessful($userId, $email, $username, $status, $roles, $remembered);
Session::regenerate(true);
// save the user data in the session
$this->setLoggedIn(true);
$this->setUserId($userId);
$this->setEmail($email);
$this->setUsername($username);
$this->setStatus($status);
$this->setRoles($roles);
$this->setRemembered($remembered);
} }
/** /**
@@ -487,8 +476,8 @@ final class Auth extends UserManager {
* *
* @throws AuthError if an internal problem occurred (do *not* catch) * @throws AuthError if an internal problem occurred (do *not* catch)
*/ */
public function logout() { public function logOutAndDestroySession() {
$this->logOutButKeepSession(); $this->logOut();
$this->destroySession(); $this->destroySession();
} }
@@ -498,17 +487,12 @@ final class Auth extends UserManager {
* @throws AuthError if an internal problem occurred (do *not* catch) * @throws AuthError if an internal problem occurred (do *not* catch)
*/ */
private function deleteSessionCookie() { private function deleteSessionCookie() {
// get our cookie settings $params = \session_get_cookie_params();
$params = $this->createCookieSettings();
// cause the session cookie to be deleted // ask for the session cookie to be deleted (requests a cookie to be written on the client)
$cookie = new Cookie(session_name()); $cookie = new Cookie(\session_name());
if (!empty($params['path'])) { $cookie->setPath($params['path']);
$cookie->setPath($params['path']); $cookie->setDomain($params['domain']);
}
if (!empty($params['domain'])) {
$cookie->setDomain($params['domain']);
}
$cookie->setHttpOnly($params['httponly']); $cookie->setHttpOnly($params['httponly']);
$cookie->setSecureOnly($params['secure']); $cookie->setSecureOnly($params['secure']);
$result = $cookie->delete(); $result = $cookie->delete();
@@ -548,8 +532,8 @@ final class Auth extends UserManager {
} }
if (!empty($confirmationData)) { if (!empty($confirmationData)) {
if (password_verify($token, $confirmationData['token'])) { if (\password_verify($token, $confirmationData['token'])) {
if ($confirmationData['expires'] >= time()) { if ($confirmationData['expires'] >= \time()) {
// invalidate any potential outstanding password reset requests // invalidate any potential outstanding password reset requests
try { try {
$this->db->delete( $this->db->delete(
@@ -584,10 +568,11 @@ final class Auth extends UserManager {
// if the user has just confirmed an email address for their own account // if the user has just confirmed an email address for their own account
if ($this->getUserId() === $confirmationData['user_id']) { if ($this->getUserId() === $confirmationData['user_id']) {
// immediately update the email address in the current session as well // immediately update the email address in the current session as well
$this->setEmail($confirmationData['email']); $_SESSION[self::SESSION_FIELD_EMAIL] = $confirmationData['email'];
} }
} }
// consume the token just being used for confirmation
try { try {
$this->db->delete( $this->db->delete(
$this->dbTablePrefix . 'users_confirmations', $this->dbTablePrefix . 'users_confirmations',
@@ -700,7 +685,7 @@ final class Auth extends UserManager {
* @throws AuthError if an internal problem occurred (do *not* catch) * @throws AuthError if an internal problem occurred (do *not* catch)
*/ */
private function updatePassword($userId, $newPassword) { private function updatePassword($userId, $newPassword) {
$newPassword = password_hash($newPassword, PASSWORD_DEFAULT); $newPassword = \password_hash($newPassword, \PASSWORD_DEFAULT);
try { try {
$this->db->update( $this->db->update(
@@ -772,8 +757,8 @@ final class Auth extends UserManager {
throw new EmailNotVerifiedException(); throw new EmailNotVerifiedException();
} }
$this->throttle([ 'requestEmailChange', 'userId', $this->getUserId() ], 1, (60 * 60 * 24));
$this->throttle([ 'requestEmailChange', $this->getIpAddress() ], 1, (60 * 60 * 24), 3); $this->throttle([ 'requestEmailChange', $this->getIpAddress() ], 1, (60 * 60 * 24), 3);
$this->throttle([ 'requestEmailChange', 'user', $this->getUserId() ], 1, (60 * 60 * 24), 3);
$this->createConfirmationRequest($this->getUserId(), $newEmail, $callback); $this->createConfirmationRequest($this->getUserId(), $newEmail, $callback);
} }
@@ -847,7 +832,7 @@ final class Auth extends UserManager {
private function resendConfirmationForColumnValue($columnName, $columnValue, callable $callback) { private function resendConfirmationForColumnValue($columnName, $columnValue, callable $callback) {
try { try {
$latestAttempt = $this->db->selectRow( $latestAttempt = $this->db->selectRow(
'SELECT user_id, email, expires FROM ' . $this->dbTablePrefix . 'users_confirmations WHERE ' . $columnName . ' = ? ORDER BY id DESC LIMIT 1 OFFSET 0', 'SELECT user_id, email FROM ' . $this->dbTablePrefix . 'users_confirmations WHERE ' . $columnName . ' = ? ORDER BY id DESC LIMIT 1 OFFSET 0',
[ $columnValue ] [ $columnValue ]
); );
} }
@@ -859,14 +844,8 @@ final class Auth extends UserManager {
throw new ConfirmationRequestNotFound(); throw new ConfirmationRequestNotFound();
} }
$retryAt = $latestAttempt['expires'] - 0.75 * self::CONFIRMATION_REQUESTS_TTL_IN_SECONDS; $this->throttle([ 'resendConfirmation', 'userId', $latestAttempt['user_id'] ], 1, (60 * 60 * 6));
if ($retryAt > \time()) {
throw new TooManyRequestsException('', $retryAt - \time());
}
$this->throttle([ 'resendConfirmation', $this->getIpAddress() ], 4, (60 * 60 * 24 * 7), 2); $this->throttle([ 'resendConfirmation', $this->getIpAddress() ], 4, (60 * 60 * 24 * 7), 2);
$this->throttle([ 'resendConfirmation', 'user', $latestAttempt['user_id'] ], 4, (60 * 60 * 24 * 7), 2);
$this->createConfirmationRequest( $this->createConfirmationRequest(
$latestAttempt['user_id'], $latestAttempt['user_id'],
@@ -978,7 +957,7 @@ final class Auth extends UserManager {
); );
} }
elseif ($username !== null) { elseif ($username !== null) {
$username = trim($username); $username = \trim($username);
// attempt to look up the account information using the specified username // attempt to look up the account information using the specified username
$userData = $this->getUserDataByUsername( $userData = $this->getUserDataByUsername(
@@ -994,9 +973,9 @@ final class Auth extends UserManager {
$password = self::validatePassword($password); $password = self::validatePassword($password);
if (password_verify($password, $userData['password'])) { if (\password_verify($password, $userData['password'])) {
// if the password needs to be re-hashed to keep up with improving password cracking techniques // if the password needs to be re-hashed to keep up with improving password cracking techniques
if (password_needs_rehash($userData['password'], PASSWORD_DEFAULT)) { if (\password_needs_rehash($userData['password'], \PASSWORD_DEFAULT)) {
// create a new hash from the password and update it in the database // create a new hash from the password and update it in the database
$this->updatePassword($userData['id'], $password); $this->updatePassword($userData['id'], $password);
} }
@@ -1064,7 +1043,7 @@ final class Auth extends UserManager {
*/ */
private function getUserDataByEmailAddress($email, array $requestedColumns) { private function getUserDataByEmailAddress($email, array $requestedColumns) {
try { try {
$projection = implode(', ', $requestedColumns); $projection = \implode(', ', $requestedColumns);
$userData = $this->db->selectRow( $userData = $this->db->selectRow(
'SELECT ' . $projection . ' FROM ' . $this->dbTablePrefix . 'users WHERE email = ?', 'SELECT ' . $projection . ' FROM ' . $this->dbTablePrefix . 'users WHERE email = ?',
[ $email ] [ $email ]
@@ -1095,7 +1074,7 @@ final class Auth extends UserManager {
'SELECT COUNT(*) FROM ' . $this->dbTablePrefix . 'users_resets WHERE user = ? AND expires > ?', 'SELECT COUNT(*) FROM ' . $this->dbTablePrefix . 'users_resets WHERE user = ? AND expires > ?',
[ [
$userId, $userId,
time() \time()
] ]
); );
@@ -1130,8 +1109,8 @@ final class Auth extends UserManager {
private function createPasswordResetRequest($userId, $expiresAfter, callable $callback) { private function createPasswordResetRequest($userId, $expiresAfter, callable $callback) {
$selector = self::createRandomString(20); $selector = self::createRandomString(20);
$token = self::createRandomString(20); $token = self::createRandomString(20);
$tokenHashed = password_hash($token, PASSWORD_DEFAULT); $tokenHashed = \password_hash($token, \PASSWORD_DEFAULT);
$expiresAt = time() + $expiresAfter; $expiresAt = \time() + $expiresAfter;
try { try {
$this->db->insert( $this->db->insert(
@@ -1148,7 +1127,7 @@ final class Auth extends UserManager {
throw new DatabaseError(); throw new DatabaseError();
} }
if (isset($callback) && is_callable($callback)) { if (\is_callable($callback)) {
$callback($selector, $token); $callback($selector, $token);
} }
else { else {
@@ -1188,8 +1167,8 @@ final class Auth extends UserManager {
if (!empty($resetData)) { if (!empty($resetData)) {
if ((int) $resetData['resettable'] === 1) { if ((int) $resetData['resettable'] === 1) {
if (password_verify($token, $resetData['token'])) { if (\password_verify($token, $resetData['token'])) {
if ($resetData['expires'] >= time()) { if ($resetData['expires'] >= \time()) {
$newPassword = self::validatePassword($newPassword); $newPassword = self::validatePassword($newPassword);
// update the password in the database // update the password in the database
@@ -1311,15 +1290,6 @@ final class Auth extends UserManager {
} }
} }
/**
* Sets whether the user is currently logged in and updates the session
*
* @param bool $loggedIn whether the user is logged in or not
*/
private function setLoggedIn($loggedIn) {
$_SESSION[self::SESSION_FIELD_LOGGED_IN] = $loggedIn;
}
/** /**
* Returns whether the user is currently logged in by reading from the session * Returns whether the user is currently logged in by reading from the session
* *
@@ -1338,15 +1308,6 @@ final class Auth extends UserManager {
return $this->isLoggedIn(); return $this->isLoggedIn();
} }
/**
* Sets the currently signed-in user's ID and updates the session
*
* @param int $userId the user's ID
*/
private function setUserId($userId) {
$_SESSION[self::SESSION_FIELD_USER_ID] = intval($userId);
}
/** /**
* Returns the currently signed-in user's ID by reading from the session * Returns the currently signed-in user's ID by reading from the session
* *
@@ -1370,15 +1331,6 @@ final class Auth extends UserManager {
return $this->getUserId(); return $this->getUserId();
} }
/**
* Sets the currently signed-in user's email address and updates the session
*
* @param string $email the email address
*/
private function setEmail($email) {
$_SESSION[self::SESSION_FIELD_EMAIL] = $email;
}
/** /**
* Returns the currently signed-in user's email address by reading from the session * Returns the currently signed-in user's email address by reading from the session
* *
@@ -1393,15 +1345,6 @@ final class Auth extends UserManager {
} }
} }
/**
* Sets the currently signed-in user's display name and updates the session
*
* @param string $username the display name
*/
private function setUsername($username) {
$_SESSION[self::SESSION_FIELD_USERNAME] = $username;
}
/** /**
* Returns the currently signed-in user's display name by reading from the session * Returns the currently signed-in user's display name by reading from the session
* *
@@ -1416,24 +1359,6 @@ final class Auth extends UserManager {
} }
} }
/**
* Sets the currently signed-in user's status and updates the session
*
* @param int $status the status as one of the constants from the {@see Status} class
*/
private function setStatus($status) {
$_SESSION[self::SESSION_FIELD_STATUS] = (int) $status;
}
/**
* Sets the currently signed-in user's roles and updates the session
*
* @param int $roles the bitmask containing the roles
*/
private function setRoles($roles) {
$_SESSION[self::SESSION_FIELD_ROLES] = (int) $roles;
}
/** /**
* Returns the currently signed-in user's status by reading from the session * Returns the currently signed-in user's status by reading from the session
* *
@@ -1575,15 +1500,6 @@ final class Auth extends UserManager {
return true; return true;
} }
/**
* Sets whether the currently signed-in user has been remembered by a long-lived cookie
*
* @param bool $remembered whether the user was remembered
*/
private function setRemembered($remembered) {
$_SESSION[self::SESSION_FIELD_REMEMBERED] = $remembered;
}
/** /**
* Returns whether the currently signed-in user has been remembered by a long-lived cookie * Returns whether the currently signed-in user has been remembered by a long-lived cookie
* *
@@ -1621,6 +1537,10 @@ final class Auth extends UserManager {
* @throws AuthError if an internal problem occurred (do *not* catch) * @throws AuthError if an internal problem occurred (do *not* catch)
*/ */
public function throttle(array $criteria, $supply, $interval, $burstiness = null, $simulated = null, $cost = null) { public function throttle(array $criteria, $supply, $interval, $burstiness = null, $simulated = null, $cost = null) {
if (!$this->throttling) {
return $supply;
}
// generate a unique key for the bucket (consisting of 44 or fewer ASCII characters) // generate a unique key for the bucket (consisting of 44 or fewer ASCII characters)
$key = Base64::encodeUrlSafeWithoutPadding( $key = Base64::encodeUrlSafeWithoutPadding(
\hash( \hash(
@@ -1729,24 +1649,6 @@ final class Auth extends UserManager {
return new Administration($this->db, $this->dbTablePrefix); return new Administration($this->db, $this->dbTablePrefix);
} }
/**
* Creates the cookie settings that will be used to create and update cookies on the client
*
* @return array the cookie settings
*/
private function createCookieSettings() {
// get the default cookie settings
$params = session_get_cookie_params();
// check if we want to send cookies via SSL/TLS only
$params['secure'] = $params['secure'] || $this->useHttps;
// check if we want to send cookies via HTTP(S) only
$params['httponly'] = $params['httponly'] || !$this->allowCookiesScriptAccess;
// return the modified settings
return $params;
}
/** /**
* Creates a UUID v4 as per RFC 4122 * Creates a UUID v4 as per RFC 4122
* *
@@ -1756,14 +1658,57 @@ final class Auth extends UserManager {
* @author Jack @ Stack Overflow * @author Jack @ Stack Overflow
*/ */
public static function createUuid() { public static function createUuid() {
$data = openssl_random_pseudo_bytes(16); $data = \openssl_random_pseudo_bytes(16);
// set the version to 0100 // set the version to 0100
$data[6] = chr(ord($data[6]) & 0x0f | 0x40); $data[6] = \chr(\ord($data[6]) & 0x0f | 0x40);
// set bits 6-7 to 10 // set bits 6-7 to 10
$data[8] = chr(ord($data[8]) & 0x3f | 0x80); $data[8] = \chr(\ord($data[8]) & 0x3f | 0x80);
return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($data), 4)); return \vsprintf('%s%s-%s-%s-%s-%s%s%s', \str_split(\bin2hex($data), 4));
}
/**
* Generates a unique cookie name for the given descriptor based on the supplied seed
*
* @param string $descriptor a short label describing the purpose of the cookie, e.g. 'session'
* @param string|null $seed (optional) the data to deterministically generate the name from
* @return string
*/
public static function createCookieName($descriptor, $seed = null) {
// use the supplied seed or the current UNIX time in seconds
$seed = ($seed !== null) ? $seed : \time();
foreach (self::COOKIE_PREFIXES as $cookiePrefix) {
// if the seed contains a certain cookie prefix
if (\strpos($seed, $cookiePrefix) === 0) {
// prepend the same prefix to the descriptor
$descriptor = $cookiePrefix . $descriptor;
}
}
// generate a unique token based on the name(space) of this library and on the seed
$token = Base64::encodeUrlSafeWithoutPadding(
\md5(
__NAMESPACE__ . "\n" . $seed,
true
)
);
return $descriptor . '_' . $token;
}
/**
* Generates a unique cookie name for the 'remember me' feature
*
* @param string|null $sessionName (optional) the session name that the output should be based on
* @return string
*/
public static function createRememberCookieName($sessionName = null) {
return self::createCookieName(
'remember',
($sessionName !== null) ? $sessionName : \session_name()
);
} }
} }

View File

@@ -9,6 +9,7 @@
namespace Delight\Auth; namespace Delight\Auth;
use Delight\Base64\Base64; use Delight\Base64\Base64;
use Delight\Cookie\Session;
use Delight\Db\PdoDatabase; use Delight\Db\PdoDatabase;
use Delight\Db\PdoDsn; use Delight\Db\PdoDsn;
use Delight\Db\Throwable\Error; use Delight\Db\Throwable\Error;
@@ -23,7 +24,20 @@ require_once __DIR__ . '/Exceptions.php';
*/ */
abstract class UserManager { abstract class UserManager {
const CONFIRMATION_REQUESTS_TTL_IN_SECONDS = 60 * 60 * 24; /** @var string session field for whether the client is currently signed in */
const SESSION_FIELD_LOGGED_IN = 'auth_logged_in';
/** @var string session field for the ID of the user who is currently signed in (if any) */
const SESSION_FIELD_USER_ID = 'auth_user_id';
/** @var string session field for the email address of the user who is currently signed in (if any) */
const SESSION_FIELD_EMAIL = 'auth_email';
/** @var string session field for the display name (if any) of the user who is currently signed in (if any) */
const SESSION_FIELD_USERNAME = 'auth_username';
/** @var string session field for the status of the user who is currently signed in (if any) as one of the constants from the {@see Status} class */
const SESSION_FIELD_STATUS = 'auth_status';
/** @var string session field for the roles of the user who is currently signed in (if any) as a bitmask using constants from the {@see Role} class */
const SESSION_FIELD_ROLES = 'auth_roles';
/** @var string session field for whether the user who is currently signed in (if any) has been remembered (instead of them having authenticated actively) */
const SESSION_FIELD_REMEMBERED = 'auth_remembered';
/** @var PdoDatabase the database connection to operate on */ /** @var PdoDatabase the database connection to operate on */
protected $db; protected $db;
@@ -40,10 +54,10 @@ abstract class UserManager {
*/ */
public static function createRandomString($maxLength = 24) { public static function createRandomString($maxLength = 24) {
// calculate how many bytes of randomness we need for the specified string length // calculate how many bytes of randomness we need for the specified string length
$bytes = floor(intval($maxLength) / 4) * 3; $bytes = \floor((int) $maxLength / 4) * 3;
// get random data // get random data
$data = openssl_random_pseudo_bytes($bytes); $data = \openssl_random_pseudo_bytes($bytes);
// return the Base64-encoded result // return the Base64-encoded result
return Base64::encodeUrlSafe($data); return Base64::encodeUrlSafe($data);
@@ -103,12 +117,12 @@ abstract class UserManager {
* @see confirmEmailAndSignIn * @see confirmEmailAndSignIn
*/ */
protected function createUserInternal($requireUniqueUsername, $email, $password, $username = null, callable $callback = null) { protected function createUserInternal($requireUniqueUsername, $email, $password, $username = null, callable $callback = null) {
ignore_user_abort(true); \ignore_user_abort(true);
$email = self::validateEmailAddress($email); $email = self::validateEmailAddress($email);
$password = self::validatePassword($password); $password = self::validatePassword($password);
$username = isset($username) ? trim($username) : null; $username = isset($username) ? \trim($username) : null;
// if the supplied username is the empty string or has consisted of whitespace only // if the supplied username is the empty string or has consisted of whitespace only
if ($username === '') { if ($username === '') {
@@ -134,8 +148,8 @@ abstract class UserManager {
} }
} }
$password = password_hash($password, PASSWORD_DEFAULT); $password = \password_hash($password, \PASSWORD_DEFAULT);
$verified = isset($callback) && is_callable($callback) ? 0 : 1; $verified = \is_callable($callback) ? 0 : 1;
try { try {
$this->db->insert( $this->db->insert(
@@ -145,7 +159,7 @@ abstract class UserManager {
'password' => $password, 'password' => $password,
'username' => $username, 'username' => $username,
'verified' => $verified, 'verified' => $verified,
'registered' => time() 'registered' => \time()
] ]
); );
} }
@@ -166,6 +180,33 @@ abstract class UserManager {
return $newUserId; return $newUserId;
} }
/**
* Called when a user has successfully logged in
*
* This may happen via the standard login, via the "remember me" feature, or due to impersonation by administrators
*
* @param int $userId the ID of the user
* @param string $email the email address of the user
* @param string $username the display name (if any) of the user
* @param int $status the status of the user as one of the constants from the {@see Status} class
* @param int $roles the roles of the user as a bitmask using constants from the {@see Role} class
* @param bool $remembered whether the user has been remembered (instead of them having authenticated actively)
* @throws AuthError if an internal problem occurred (do *not* catch)
*/
protected function onLoginSuccessful($userId, $email, $username, $status, $roles, $remembered) {
// re-generate the session ID to prevent session fixation attacks (requests a cookie to be written on the client)
Session::regenerate(true);
// save the user data in the session variables maintained by this library
$_SESSION[self::SESSION_FIELD_LOGGED_IN] = true;
$_SESSION[self::SESSION_FIELD_USER_ID] = (int) $userId;
$_SESSION[self::SESSION_FIELD_EMAIL] = $email;
$_SESSION[self::SESSION_FIELD_USERNAME] = $username;
$_SESSION[self::SESSION_FIELD_STATUS] = (int) $status;
$_SESSION[self::SESSION_FIELD_ROLES] = (int) $roles;
$_SESSION[self::SESSION_FIELD_REMEMBERED] = $remembered;
}
/** /**
* Returns the requested user data for the account with the specified username (if any) * Returns the requested user data for the account with the specified username (if any)
* *
@@ -180,7 +221,7 @@ abstract class UserManager {
*/ */
protected function getUserDataByUsername($username, array $requestedColumns) { protected function getUserDataByUsername($username, array $requestedColumns) {
try { try {
$projection = implode(', ', $requestedColumns); $projection = \implode(', ', $requestedColumns);
$users = $this->db->select( $users = $this->db->select(
'SELECT ' . $projection . ' FROM ' . $this->dbTablePrefix . 'users WHERE username = ? LIMIT 2 OFFSET 0', 'SELECT ' . $projection . ' FROM ' . $this->dbTablePrefix . 'users WHERE username = ? LIMIT 2 OFFSET 0',
@@ -195,7 +236,7 @@ abstract class UserManager {
throw new UnknownUsernameException(); throw new UnknownUsernameException();
} }
else { else {
if (count($users) === 1) { if (\count($users) === 1) {
return $users[0]; return $users[0];
} }
else { else {
@@ -216,9 +257,9 @@ abstract class UserManager {
throw new InvalidEmailException(); throw new InvalidEmailException();
} }
$email = trim($email); $email = \trim($email);
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) { if (!\filter_var($email, \FILTER_VALIDATE_EMAIL)) {
throw new InvalidEmailException(); throw new InvalidEmailException();
} }
@@ -237,9 +278,9 @@ abstract class UserManager {
throw new InvalidPasswordException(); throw new InvalidPasswordException();
} }
$password = trim($password); $password = \trim($password);
if (strlen($password) < 1) { if (\strlen($password) < 1) {
throw new InvalidPasswordException(); throw new InvalidPasswordException();
} }
@@ -265,10 +306,8 @@ abstract class UserManager {
protected function createConfirmationRequest($userId, $email, callable $callback) { protected function createConfirmationRequest($userId, $email, callable $callback) {
$selector = self::createRandomString(16); $selector = self::createRandomString(16);
$token = self::createRandomString(16); $token = self::createRandomString(16);
$tokenHashed = password_hash($token, PASSWORD_DEFAULT); $tokenHashed = \password_hash($token, \PASSWORD_DEFAULT);
$expires = \time() + 60 * 60 * 24;
// the request shall be valid for one day
$expires = time() + self::CONFIRMATION_REQUESTS_TTL_IN_SECONDS;
try { try {
$this->db->insert( $this->db->insert(
@@ -286,7 +325,7 @@ abstract class UserManager {
throw new DatabaseError(); throw new DatabaseError();
} }
if (isset($callback) && is_callable($callback)) { if (\is_callable($callback)) {
$callback($selector, $token); $callback($selector, $token);
} }
else { else {

View File

@@ -15,33 +15,34 @@
*/ */
// enable error reporting // enable error reporting
error_reporting(E_ALL); \error_reporting(\E_ALL);
ini_set('display_errors', 'stdout'); \ini_set('display_errors', 'stdout');
// enable assertions // enable assertions
ini_set('assert.active', 1); \ini_set('assert.active', 1);
@ini_set('zend.assertions', 1); @\ini_set('zend.assertions', 1);
ini_set('assert.exception', 1); \ini_set('assert.exception', 1);
header('Content-type: text/html; charset=utf-8'); \header('Content-type: text/html; charset=utf-8');
require __DIR__.'/../vendor/autoload.php'; require __DIR__.'/../vendor/autoload.php';
$db = new PDO('mysql:dbname=php_auth;host=127.0.0.1;charset=utf8mb4', 'root', 'monkey'); $db = new \PDO('mysql:dbname=php_auth;host=127.0.0.1;charset=utf8mb4', 'root', 'monkey');
// or // or
// $db = new PDO('sqlite:../Databases/php_auth.sqlite'); // $db = new \PDO('sqlite:../Databases/php_auth.sqlite');
$auth = new \Delight\Auth\Auth($db); $auth = new \Delight\Auth\Auth($db);
$result = processRequestData($auth); $result = \processRequestData($auth);
showDebugData($auth, $result); \showGeneralForm();
\showDebugData($auth, $result);
if ($auth->check()) { if ($auth->check()) {
showAuthenticatedUserForm($auth); \showAuthenticatedUserForm($auth);
} }
else { else {
showGuestUserForm(); \showGuestUserForm();
} }
function processRequestData(\Delight\Auth\Auth $auth) { function processRequestData(\Delight\Auth\Auth $auth) {
@@ -83,7 +84,7 @@ function processRequestData(\Delight\Auth\Auth $auth) {
return 'wrong password'; return 'wrong password';
} }
catch (\Delight\Auth\EmailNotVerifiedException $e) { catch (\Delight\Auth\EmailNotVerifiedException $e) {
return 'email not verified'; return 'email address not verified';
} }
catch (\Delight\Auth\TooManyRequestsException $e) { catch (\Delight\Auth\TooManyRequestsException $e) {
return 'too many requests'; return 'too many requests';
@@ -98,11 +99,11 @@ function processRequestData(\Delight\Auth\Auth $auth) {
echo "\n"; echo "\n";
echo ' > Selector'; echo ' > Selector';
echo "\t\t\t\t"; echo "\t\t\t\t";
echo htmlspecialchars($selector); echo \htmlspecialchars($selector);
echo "\n"; echo "\n";
echo ' > Token'; echo ' > Token';
echo "\t\t\t\t"; echo "\t\t\t\t";
echo htmlspecialchars($token); echo \htmlspecialchars($token);
echo '</pre>'; echo '</pre>';
}; };
} }
@@ -177,11 +178,11 @@ function processRequestData(\Delight\Auth\Auth $auth) {
echo "\n"; echo "\n";
echo ' > Selector'; echo ' > Selector';
echo "\t\t\t\t"; echo "\t\t\t\t";
echo htmlspecialchars($selector); echo \htmlspecialchars($selector);
echo "\n"; echo "\n";
echo ' > Token'; echo ' > Token';
echo "\t\t\t\t"; echo "\t\t\t\t";
echo htmlspecialchars($token); echo \htmlspecialchars($token);
echo '</pre>'; echo '</pre>';
}); });
@@ -202,11 +203,11 @@ function processRequestData(\Delight\Auth\Auth $auth) {
echo "\n"; echo "\n";
echo ' > Selector'; echo ' > Selector';
echo "\t\t\t\t"; echo "\t\t\t\t";
echo htmlspecialchars($selector); echo \htmlspecialchars($selector);
echo "\n"; echo "\n";
echo ' > Token'; echo ' > Token';
echo "\t\t\t\t"; echo "\t\t\t\t";
echo htmlspecialchars($token); echo \htmlspecialchars($token);
echo '</pre>'; echo '</pre>';
}); });
@@ -227,11 +228,11 @@ function processRequestData(\Delight\Auth\Auth $auth) {
echo "\n"; echo "\n";
echo ' > Selector'; echo ' > Selector';
echo "\t\t\t\t"; echo "\t\t\t\t";
echo htmlspecialchars($selector); echo \htmlspecialchars($selector);
echo "\n"; echo "\n";
echo ' > Token'; echo ' > Token';
echo "\t\t\t\t"; echo "\t\t\t\t";
echo htmlspecialchars($token); echo \htmlspecialchars($token);
echo '</pre>'; echo '</pre>';
}); });
@@ -241,7 +242,7 @@ function processRequestData(\Delight\Auth\Auth $auth) {
return 'invalid email address'; return 'invalid email address';
} }
catch (\Delight\Auth\EmailNotVerifiedException $e) { catch (\Delight\Auth\EmailNotVerifiedException $e) {
return 'email not verified'; return 'email address not verified';
} }
catch (\Delight\Auth\ResetDisabledException $e) { catch (\Delight\Auth\ResetDisabledException $e) {
return 'password reset disabled'; return 'password reset disabled';
@@ -320,11 +321,11 @@ function processRequestData(\Delight\Auth\Auth $auth) {
echo "\n"; echo "\n";
echo ' > Selector'; echo ' > Selector';
echo "\t\t\t\t"; echo "\t\t\t\t";
echo htmlspecialchars($selector); echo \htmlspecialchars($selector);
echo "\n"; echo "\n";
echo ' > Token'; echo ' > Token';
echo "\t\t\t\t"; echo "\t\t\t\t";
echo htmlspecialchars($token); echo \htmlspecialchars($token);
echo '</pre>'; echo '</pre>';
}); });
@@ -356,13 +357,13 @@ function processRequestData(\Delight\Auth\Auth $auth) {
return 'not logged in'; return 'not logged in';
} }
} }
else if ($_POST['action'] === 'logOutButKeepSession') { else if ($_POST['action'] === 'logOut') {
$auth->logOutButKeepSession(); $auth->logOut();
return 'ok'; return 'ok';
} }
else if ($_POST['action'] === 'logout') { else if ($_POST['action'] === 'logOutAndDestroySession') {
$auth->logout(); $auth->logOutAndDestroySession();
return 'ok'; return 'ok';
} }
@@ -421,7 +422,7 @@ function processRequestData(\Delight\Auth\Auth $auth) {
} }
} }
else { else {
return 'either ID, email or username required'; return 'either ID, email address or username required';
} }
return 'ok'; return 'ok';
@@ -456,7 +457,7 @@ function processRequestData(\Delight\Auth\Auth $auth) {
} }
} }
else { else {
return 'either ID, email or username required'; return 'either ID, email address or username required';
} }
} }
else { else {
@@ -495,7 +496,7 @@ function processRequestData(\Delight\Auth\Auth $auth) {
} }
} }
else { else {
return 'either ID, email or username required'; return 'either ID, email address or username required';
} }
} }
else { else {
@@ -522,8 +523,65 @@ function processRequestData(\Delight\Auth\Auth $auth) {
return 'ID required'; return 'ID required';
} }
} }
else if ($_POST['action'] === 'admin.logInAsUserById') {
if (isset($_POST['id'])) {
try {
$auth->admin()->logInAsUserById($_POST['id']);
return 'ok';
}
catch (\Delight\Auth\UnknownIdException $e) {
return 'unknown ID';
}
catch (\Delight\Auth\EmailNotVerifiedException $e) {
return 'email address not verified';
}
}
else {
return 'ID required';
}
}
else if ($_POST['action'] === 'admin.logInAsUserByEmail') {
if (isset($_POST['email'])) {
try {
$auth->admin()->logInAsUserByEmail($_POST['email']);
return 'ok';
}
catch (\Delight\Auth\InvalidEmailException $e) {
return 'unknown email address';
}
catch (\Delight\Auth\EmailNotVerifiedException $e) {
return 'email address not verified';
}
}
else {
return 'Email address required';
}
}
else if ($_POST['action'] === 'admin.logInAsUserByUsername') {
if (isset($_POST['username'])) {
try {
$auth->admin()->logInAsUserByUsername($_POST['username']);
return 'ok';
}
catch (\Delight\Auth\UnknownUsernameException $e) {
return 'unknown username';
}
catch (\Delight\Auth\AmbiguousUsernameException $e) {
return 'ambiguous username';
}
catch (\Delight\Auth\EmailNotVerifiedException $e) {
return 'email address not verified';
}
}
else {
return 'Username required';
}
}
else { else {
throw new Exception('Unexpected action: '.$_POST['action']); throw new Exception('Unexpected action: ' . $_POST['action']);
} }
} }
} }
@@ -534,57 +592,65 @@ function processRequestData(\Delight\Auth\Auth $auth) {
function showDebugData(\Delight\Auth\Auth $auth, $result) { function showDebugData(\Delight\Auth\Auth $auth, $result) {
echo '<pre>'; echo '<pre>';
echo 'Last operation'."\t\t\t\t"; echo 'Last operation' . "\t\t\t\t";
var_dump($result); \var_dump($result);
echo 'Session ID'."\t\t\t\t"; echo 'Session ID' . "\t\t\t\t";
var_dump(session_id()); \var_dump(\session_id());
echo "\n"; echo "\n";
echo '$auth->isLoggedIn()'."\t\t\t"; echo '$auth->isLoggedIn()' . "\t\t\t";
var_dump($auth->isLoggedIn()); \var_dump($auth->isLoggedIn());
echo '$auth->check()'."\t\t\t\t"; echo '$auth->check()' . "\t\t\t\t";
var_dump($auth->check()); \var_dump($auth->check());
echo "\n"; echo "\n";
echo '$auth->getUserId()'."\t\t\t"; echo '$auth->getUserId()' . "\t\t\t";
var_dump($auth->getUserId()); \var_dump($auth->getUserId());
echo '$auth->id()'."\t\t\t\t"; echo '$auth->id()' . "\t\t\t\t";
var_dump($auth->id()); \var_dump($auth->id());
echo "\n"; echo "\n";
echo '$auth->getEmail()'."\t\t\t"; echo '$auth->getEmail()' . "\t\t\t";
var_dump($auth->getEmail()); \var_dump($auth->getEmail());
echo '$auth->getUsername()'."\t\t\t"; echo '$auth->getUsername()' . "\t\t\t";
var_dump($auth->getUsername()); \var_dump($auth->getUsername());
echo '$auth->getStatus()'."\t\t\t"; echo '$auth->getStatus()' . "\t\t\t";
echo convertStatusToText($auth); echo \convertStatusToText($auth);
echo ' / '; echo ' / ';
var_dump($auth->getStatus()); \var_dump($auth->getStatus());
echo "\n"; echo "\n";
echo 'Roles (super moderator)'."\t\t\t"; echo 'Roles (super moderator)' . "\t\t\t";
var_dump($auth->hasRole(\Delight\Auth\Role::SUPER_MODERATOR)); \var_dump($auth->hasRole(\Delight\Auth\Role::SUPER_MODERATOR));
echo 'Roles (developer *or* manager)'."\t\t"; echo 'Roles (developer *or* manager)' . "\t\t";
var_dump($auth->hasAnyRole(\Delight\Auth\Role::DEVELOPER, \Delight\Auth\Role::MANAGER)); \var_dump($auth->hasAnyRole(\Delight\Auth\Role::DEVELOPER, \Delight\Auth\Role::MANAGER));
echo 'Roles (developer *and* manager)'."\t\t"; echo 'Roles (developer *and* manager)' . "\t\t";
var_dump($auth->hasAllRoles(\Delight\Auth\Role::DEVELOPER, \Delight\Auth\Role::MANAGER)); \var_dump($auth->hasAllRoles(\Delight\Auth\Role::DEVELOPER, \Delight\Auth\Role::MANAGER));
echo "\n"; echo "\n";
echo '$auth->isRemembered()'."\t\t\t"; echo '$auth->isRemembered()' . "\t\t\t";
var_dump($auth->isRemembered()); \var_dump($auth->isRemembered());
echo '$auth->getIpAddress()'."\t\t\t"; echo '$auth->getIpAddress()' . "\t\t\t";
var_dump($auth->getIpAddress()); \var_dump($auth->getIpAddress());
echo "\n"; echo "\n";
echo 'Auth::createRandomString()'."\t\t"; echo 'Session name' . "\t\t\t\t";
var_dump(\Delight\Auth\Auth::createRandomString()); \var_dump(\session_name());
echo 'Auth::createUuid()'."\t\t\t"; echo 'Auth::createRememberCookieName()' . "\t";
var_dump(\Delight\Auth\Auth::createUuid()); \var_dump(\Delight\Auth\Auth::createRememberCookieName());
echo "\n";
echo 'Auth::createCookieName(\'session\')' . "\t";
\var_dump(\Delight\Auth\Auth::createCookieName('session'));
echo 'Auth::createRandomString()' . "\t\t";
\var_dump(\Delight\Auth\Auth::createRandomString());
echo 'Auth::createUuid()' . "\t\t\t";
\var_dump(\Delight\Auth\Auth::createUuid());
echo '</pre>'; echo '</pre>';
} }
@@ -626,8 +692,6 @@ function showGeneralForm() {
} }
function showAuthenticatedUserForm(\Delight\Auth\Auth $auth) { function showAuthenticatedUserForm(\Delight\Auth\Auth $auth) {
showGeneralForm();
echo '<form action="" method="post" accept-charset="utf-8">'; echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="reconfirmPassword" />'; echo '<input type="hidden" name="action" value="reconfirmPassword" />';
echo '<input type="text" name="password" placeholder="Password" /> '; echo '<input type="text" name="password" placeholder="Password" /> ';
@@ -653,7 +717,7 @@ function showAuthenticatedUserForm(\Delight\Auth\Auth $auth) {
echo '<button type="submit">Change email address</button>'; echo '<button type="submit">Change email address</button>';
echo '</form>'; echo '</form>';
showConfirmEmailForm(); \showConfirmEmailForm();
echo '<form action="" method="post" accept-charset="utf-8">'; echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="setPasswordResetEnabled" />'; echo '<input type="hidden" name="action" value="setPasswordResetEnabled" />';
@@ -665,24 +729,22 @@ function showAuthenticatedUserForm(\Delight\Auth\Auth $auth) {
echo '</form>'; echo '</form>';
echo '<form action="" method="post" accept-charset="utf-8">'; echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="logOutButKeepSession" />'; echo '<input type="hidden" name="action" value="logOut" />';
echo '<button type="submit">Log out but keep session</button>'; echo '<button type="submit">Log out</button>';
echo '</form>'; echo '</form>';
echo '<form action="" method="post" accept-charset="utf-8">'; echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="logout" />'; echo '<input type="hidden" name="action" value="logOutAndDestroySession" />';
echo '<button type="submit">Log out</button>'; echo '<button type="submit">Log out and destroy session</button>';
echo '</form>'; echo '</form>';
} }
function showGuestUserForm() { function showGuestUserForm() {
showGeneralForm();
echo '<h1>Public</h1>'; echo '<h1>Public</h1>';
echo '<form action="" method="post" accept-charset="utf-8">'; echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="login" />'; echo '<input type="hidden" name="action" value="login" />';
echo '<input type="text" name="email" placeholder="Email" /> '; echo '<input type="text" name="email" placeholder="Email address" /> ';
echo '<input type="text" name="password" placeholder="Password" /> '; echo '<input type="text" name="password" placeholder="Password" /> ';
echo '<select name="remember" size="1">'; echo '<select name="remember" size="1">';
echo '<option value="0">Remember (keep logged in)? — No</option>'; echo '<option value="0">Remember (keep logged in)? — No</option>';
@@ -704,7 +766,7 @@ function showGuestUserForm() {
echo '<form action="" method="post" accept-charset="utf-8">'; echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="register" />'; echo '<input type="hidden" name="action" value="register" />';
echo '<input type="text" name="email" placeholder="Email" /> '; echo '<input type="text" name="email" placeholder="Email address" /> ';
echo '<input type="text" name="password" placeholder="Password" /> '; echo '<input type="text" name="password" placeholder="Password" /> ';
echo '<input type="text" name="username" placeholder="Username (optional)" /> '; echo '<input type="text" name="username" placeholder="Username (optional)" /> ';
echo '<select name="require_verification" size="1">'; echo '<select name="require_verification" size="1">';
@@ -718,11 +780,11 @@ function showGuestUserForm() {
echo '<button type="submit">Register</button>'; echo '<button type="submit">Register</button>';
echo '</form>'; echo '</form>';
showConfirmEmailForm(); \showConfirmEmailForm();
echo '<form action="" method="post" accept-charset="utf-8">'; echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="forgotPassword" />'; echo '<input type="hidden" name="action" value="forgotPassword" />';
echo '<input type="text" name="email" placeholder="Email" /> '; echo '<input type="text" name="email" placeholder="Email address" /> ';
echo '<button type="submit">Forgot password</button>'; echo '<button type="submit">Forgot password</button>';
echo '</form>'; echo '</form>';
@@ -738,7 +800,7 @@ function showGuestUserForm() {
echo '<form action="" method="post" accept-charset="utf-8">'; echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="admin.createUser" />'; echo '<input type="hidden" name="action" value="admin.createUser" />';
echo '<input type="text" name="email" placeholder="Email" /> '; echo '<input type="text" name="email" placeholder="Email address" /> ';
echo '<input type="text" name="password" placeholder="Password" /> '; echo '<input type="text" name="password" placeholder="Password" /> ';
echo '<input type="text" name="username" placeholder="Username (optional)" /> '; echo '<input type="text" name="username" placeholder="Username (optional)" /> ';
echo '<select name="require_unique_username" size="1">'; echo '<select name="require_unique_username" size="1">';
@@ -756,7 +818,7 @@ function showGuestUserForm() {
echo '<form action="" method="post" accept-charset="utf-8">'; echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="admin.deleteUser" />'; echo '<input type="hidden" name="action" value="admin.deleteUser" />';
echo '<input type="text" name="email" placeholder="Email" /> '; echo '<input type="text" name="email" placeholder="Email address" /> ';
echo '<button type="submit">Delete user by email</button>'; echo '<button type="submit">Delete user by email</button>';
echo '</form>'; echo '</form>';
@@ -769,51 +831,69 @@ function showGuestUserForm() {
echo '<form action="" method="post" accept-charset="utf-8">'; echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="admin.addRole" />'; echo '<input type="hidden" name="action" value="admin.addRole" />';
echo '<input type="text" name="id" placeholder="ID" /> '; echo '<input type="text" name="id" placeholder="ID" /> ';
echo '<select name="role">' . createRolesOptions() . '</select>'; echo '<select name="role">' . \createRolesOptions() . '</select>';
echo '<button type="submit">Add role for user by ID</button>'; echo '<button type="submit">Add role for user by ID</button>';
echo '</form>'; echo '</form>';
echo '<form action="" method="post" accept-charset="utf-8">'; echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="admin.addRole" />'; echo '<input type="hidden" name="action" value="admin.addRole" />';
echo '<input type="text" name="email" placeholder="Email" /> '; echo '<input type="text" name="email" placeholder="Email address" /> ';
echo '<select name="role">' . createRolesOptions() . '</select>'; echo '<select name="role">' . \createRolesOptions() . '</select>';
echo '<button type="submit">Add role for user by email</button>'; echo '<button type="submit">Add role for user by email</button>';
echo '</form>'; echo '</form>';
echo '<form action="" method="post" accept-charset="utf-8">'; echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="admin.addRole" />'; echo '<input type="hidden" name="action" value="admin.addRole" />';
echo '<input type="text" name="username" placeholder="Username" /> '; echo '<input type="text" name="username" placeholder="Username" /> ';
echo '<select name="role">' . createRolesOptions() . '</select>'; echo '<select name="role">' . \createRolesOptions() . '</select>';
echo '<button type="submit">Add role for user by username</button>'; echo '<button type="submit">Add role for user by username</button>';
echo '</form>'; echo '</form>';
echo '<form action="" method="post" accept-charset="utf-8">'; echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="admin.removeRole" />'; echo '<input type="hidden" name="action" value="admin.removeRole" />';
echo '<input type="text" name="id" placeholder="ID" /> '; echo '<input type="text" name="id" placeholder="ID" /> ';
echo '<select name="role">' . createRolesOptions() . '</select>'; echo '<select name="role">' . \createRolesOptions() . '</select>';
echo '<button type="submit">Remove role for user by ID</button>'; echo '<button type="submit">Remove role for user by ID</button>';
echo '</form>'; echo '</form>';
echo '<form action="" method="post" accept-charset="utf-8">'; echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="admin.removeRole" />'; echo '<input type="hidden" name="action" value="admin.removeRole" />';
echo '<input type="text" name="email" placeholder="Email" /> '; echo '<input type="text" name="email" placeholder="Email address" /> ';
echo '<select name="role">' . createRolesOptions() . '</select>'; echo '<select name="role">' . \createRolesOptions() . '</select>';
echo '<button type="submit">Remove role for user by email</button>'; echo '<button type="submit">Remove role for user by email</button>';
echo '</form>'; echo '</form>';
echo '<form action="" method="post" accept-charset="utf-8">'; echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="admin.removeRole" />'; echo '<input type="hidden" name="action" value="admin.removeRole" />';
echo '<input type="text" name="username" placeholder="Username" /> '; echo '<input type="text" name="username" placeholder="Username" /> ';
echo '<select name="role">' . createRolesOptions() . '</select>'; echo '<select name="role">' . \createRolesOptions() . '</select>';
echo '<button type="submit">Remove role for user by username</button>'; echo '<button type="submit">Remove role for user by username</button>';
echo '</form>'; echo '</form>';
echo '<form action="" method="post" accept-charset="utf-8">'; echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="admin.hasRole" />'; echo '<input type="hidden" name="action" value="admin.hasRole" />';
echo '<input type="text" name="id" placeholder="ID" /> '; echo '<input type="text" name="id" placeholder="ID" /> ';
echo '<select name="role">' . createRolesOptions() . '</select>'; echo '<select name="role">' . \createRolesOptions() . '</select>';
echo '<button type="submit">Does user have role?</button>'; echo '<button type="submit">Does user have role?</button>';
echo '</form>'; echo '</form>';
echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="admin.logInAsUserById" />';
echo '<input type="text" name="id" placeholder="ID" /> ';
echo '<button type="submit">Log in as user by ID</button>';
echo '</form>';
echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="admin.logInAsUserByEmail" />';
echo '<input type="text" name="email" placeholder="Email address" /> ';
echo '<button type="submit">Log in as user by email address</button>';
echo '</form>';
echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="admin.logInAsUserByUsername" />';
echo '<input type="text" name="username" placeholder="Username" /> ';
echo '<button type="submit">Log in as user by username</button>';
echo '</form>';
} }
function showConfirmEmailForm() { function showConfirmEmailForm() {
@@ -831,7 +911,7 @@ function showConfirmEmailForm() {
echo '<form action="" method="post" accept-charset="utf-8">'; echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="resendConfirmationForEmail" />'; echo '<input type="hidden" name="action" value="resendConfirmationForEmail" />';
echo '<input type="text" name="email" placeholder="Email" /> '; echo '<input type="text" name="email" placeholder="Email address" /> ';
echo '<button type="submit">Re-send confirmation</button>'; echo '<button type="submit">Re-send confirmation</button>';
echo '</form>'; echo '</form>';