mirror/php-auth
1
0
Fork 0
mirror of https://github.com/delight-im/PHP-Auth.git synced 2025-08-06 16:16:29 +02:00
Code Issues Releases Wiki Activity

Compare commits

base: mirror:v6.1.1
Branches Tags
mirror:master
mirror:v9.0.0 mirror:v8.3.0 mirror:v8.2.2 mirror:v8.2.1 mirror:v8.2.0 mirror:v8.1.0 mirror:v8.0.2 mirror:v8.0.1 mirror:v8.0.0 mirror:v7.6.0 mirror:v7.5.2 mirror:v7.5.1 mirror:v7.5.0 mirror:v7.4.0 mirror:v7.3.0 mirror:v7.2.0 mirror:v7.1.0 mirror:v7.0.0 mirror:v6.1.1 mirror:v6.1.0 mirror:v6.0.0 mirror:v5.2.0 mirror:v5.1.1 mirror:v5.1.0 mirror:v5.0.1 mirror:v5.0.0 mirror:v4.3.0 mirror:v4.2.0 mirror:v4.1.1 mirror:v4.1.0 mirror:v4.0.1 mirror:v4.0.0 mirror:v3.1.0 mirror:v3.0.0 mirror:v2.1.0 mirror:v2.0.1 mirror:v2.0.0 mirror:v1.1.0 mirror:v1.0.0
...
compare: mirror:v7.5.1
Branches Tags
mirror:master
mirror:v9.0.0 mirror:v8.3.0 mirror:v8.2.2 mirror:v8.2.1 mirror:v8.2.0 mirror:v8.1.0 mirror:v8.0.2 mirror:v8.0.1 mirror:v8.0.0 mirror:v7.6.0 mirror:v7.5.2 mirror:v7.5.1 mirror:v7.5.0 mirror:v7.4.0 mirror:v7.3.0 mirror:v7.2.0 mirror:v7.1.0 mirror:v7.0.0 mirror:v6.1.1 mirror:v6.1.0 mirror:v6.0.0 mirror:v5.2.0 mirror:v5.1.1 mirror:v5.1.0 mirror:v5.0.1 mirror:v5.0.0 mirror:v4.3.0 mirror:v4.2.0 mirror:v4.1.1 mirror:v4.1.0 mirror:v4.0.1 mirror:v4.0.0 mirror:v3.1.0 mirror:v3.0.0 mirror:v2.1.0 mirror:v2.0.1 mirror:v2.0.0 mirror:v1.1.0 mirror:v1.0.0

81 Commits
v6.1.1 ... v7.5.1

Author SHA1 Message Date
Marco
e7e174b05d Only configure and start session if not already started 2018-03-12 22:29:56 +01:00
Marco
8f35cc9965 Optimize spacing in PostgreSQL schema 2018-03-12 18:44:32 +01:00
Marco
142ccc362f Shorten line of text in README for better overview 2018-03-12 02:18:44 +01:00
Marco
bce31f9cfc Link to MariaDB schema separately from MySQL in README 2018-03-12 02:15:35 +01:00
Marco
3ddc7af1b4 Document support for PostgreSQL 2018-03-12 02:11:54 +01:00
Marco
62d9e44aa4 Add check constraints for unsigned integers in PostgreSQL schema 2018-03-12 01:51:33 +01:00
Marco
1121685cef Improve database schema for PostgreSQL 2018-03-12 01:51:15 +01:00
Tiberiu Chibici
2f9bab4779 Add database schema for PostgreSQL 2018-03-12 00:32:53 +01:00
Marco
89e99d727d Document resynchronization of session data with authoritative database 2018-03-10 20:54:24 +01:00
Marco
21341d3c18 Regularly resynchronize session data with authoritative source in DB 2018-03-10 20:53:13 +01:00
Marco
a1ae66374b Improve documentation on password reset by dividing it into steps 2018-03-10 17:47:03 +01:00
Marco
477164e8ec Rename identifiers in comments to prevent highlighting in IDE 2018-03-10 17:46:05 +01:00
Marco
9478a43e9b Re-implement method 'canResetPassword' using 'canResetPasswordOrThrow' 2018-03-10 04:13:14 +01:00
Marco
1ba8e1ff21 Document method 'canResetPasswordOrThrow' from class 'Auth' 2018-03-10 04:10:22 +01:00
Marco
1657102f75 Add tests for method 'canResetPasswordOrThrow' from class 'Auth' 2018-03-10 04:06:45 +01:00
Marco
d246248ab5 Implement method 'canResetPasswordOrThrow' in class 'Auth' 2018-03-10 03:54:42 +01:00
Marco
94531f24d3 Improve language 2018-03-10 03:50:12 +01:00
Marco
2f29830ed9 Improve documentation to use more suitable data source for token 2018-03-10 03:47:55 +01:00
Marco
42a8c1616c Document method 'getRolesForUserById' from class 'Administration' 2018-03-10 03:10:17 +01:00
Marco
a2be4c61ee Add tests for method 'getRolesForUserById' from class 'Administration' 2018-03-10 03:05:41 +01:00
Marco
d9f9198b45 Implement method 'getRolesForUserById' in class 'Administration' 2018-03-10 03:03:57 +01:00
Marco
13b58abebc Document method 'getRoles' from class 'Auth' 2018-03-10 03:01:23 +01:00
Marco
b0bf7647ce Add tests for method 'getRoles' from class 'Auth' 2018-03-10 02:56:32 +01:00
Marco
012577227a Implement method 'getRoles' in class 'Auth' 2018-03-10 02:54:57 +01:00
Marco
d834623954 Document methods 'getMap', 'getNames' and 'getValues' of class 'Role' 2018-03-10 02:51:27 +01:00
Marco
d3594898cc Make use of new method 'getMap' from class 'Role' in 'tests' 2018-03-10 02:03:25 +01:00
Marco
7d44158c32 Implement methods 'getMap', 'getNames' and 'getValues' in class 'Role' 2018-03-10 01:58:54 +01:00
Marco
04edd9f88f Simplify migration guide using that method names are case-insensitive 2018-03-09 15:22:55 +01:00
Marco
cd2ac47912 Simplify general notes for any update or upgrade in migration guide 2018-01-25 00:01:50 +01:00
Marco
7bcf201972 Improve documentation on default value for IP address in README 2017-11-08 21:34:50 +01:00
Marco
09247e7203 Provide possibility to disable throttling during development 2017-11-08 21:34:05 +01:00
Marco
ab1c54fae2 Optimize order of throttling in 'changeEmail' method from class 'Auth' 2017-11-08 20:40:37 +01:00
Marco
23acb66cc7 Reduce permitted frequency of requests to change one's email address 2017-11-08 20:38:16 +01:00
Marco
a7a9d45302 Drop constant 'CONFIRMATION_REQUESTS_TTL_IN_SECONDS' in 'UserManager' 2017-11-08 20:30:09 +01:00
Marco
ba4dc29ca5 Optimize order of throttling in 'resendConfirmationForColumnValue' 2017-11-08 20:23:34 +01:00
Marco
0a97f67515 Enforce limits for resending confirmations solely via throttling 2017-11-08 20:21:35 +01:00
Marco
7a94c6acef Improve documentation in 'confirmEmail' method from 'Auth' class 2017-11-08 19:23:22 +01:00
Marco
dbbbf1b193 Remove superfluous comment in 'UserManager' 2017-11-08 19:18:14 +01:00
Marco
9637dfa60d Improve language 2017-11-05 02:37:48 +01:00
Marco
aec738a9db Document methods for impersonating users in class 'Administration' 2017-11-03 15:48:21 +01:00
Marco
382ee5bf93 Add tests for methods to impersonate users in class 'Administration' 2017-11-03 15:44:39 +01:00
Marco
47d1e303aa Implement methods for impersonating users in class 'Administration' 2017-11-03 15:21:45 +01:00
Marco
67443c122a Move core logic of 'onLoginSuccessful' from 'Auth' to 'UserManager' 2017-11-03 08:50:59 +01:00
Marco
24056e89a4 Move constants holding names of session fields to 'UserManager' 2017-11-03 08:49:10 +01:00
Marco
c06bc7da1a Improve documentation for method 'onLoginSuccessful' in class 'Auth' 2017-11-03 08:38:17 +01:00
Marco
aedd2125fc Document constants holding names of session fields 2017-11-03 08:36:03 +01:00
Marco
425cf9b6f6 Write to session fields directly instead of using accessor methods 2017-11-03 08:33:41 +01:00
Marco
739fa7d574 Fix internal links in migration guide that should point to README 2017-10-21 23:15:15 +02:00
Marco
302feb5da2 Document 'secure' cookie attribute and how to change it in README 2017-10-21 22:32:01 +02:00
Marco
2ded232d8e Document 'httponly' cookie attribute and how to change it in README 2017-10-21 22:30:41 +02:00
Marco
70a905afd7 Document 'path' cookie attribute and how to change it in README 2017-10-21 22:29:19 +02:00
Marco
84f3ad10a9 Document 'domain' cookie attribute and how to change it in README 2017-10-21 22:26:25 +02:00
Marco
81091df66b Drop constructor arguments 'useHttps' and 'allowCookiesScriptAccess' 2017-10-20 23:07:36 +02:00
Marco
8926e7e708 Improve general upgrade guide in migration notes 2017-10-20 22:46:01 +02:00
Marco
eec450677f Do not duplicate and overwrite parts of cookie configuration anymore 
Previously, PHP's configuration directives 'session.cookie_httponly'
and 'session.cookie_secure' were always overwritten with duplicated
and separately tracked variants of each directive
 2017-10-20 22:30:16 +02:00
Marco
f1360dceba Improve code style 2017-10-20 08:53:02 +02:00
Marco
2cf7b27ba3 Support empty path scope for cookies to restrict to current directory 2017-10-20 08:47:56 +02:00
Marco
ecd8015acf Explain changes to domain scope of cookies in migration guide 2017-10-20 08:01:00 +02:00
Marco
1eedfd0e02 Simplify code based on assumptions about new 'Delight\Cookie' behavior 2017-10-20 01:12:04 +02:00
Marco
757579523c Use constants from 'Delight\Cookie\Cookie' class for cookie prefixes 2017-10-19 22:33:18 +02:00
Marco
d695328a5a Update dependencies 2017-10-19 22:29:50 +02:00
Marco
71506eaa05 Rename two methods for logout to highlight the better default version 2017-10-19 20:25:11 +02:00
Marco
ce8dbbc436 Delete 'remember me' cookies from previous major versions as well 2017-10-19 20:19:19 +02:00
Marco
d181219e40 Add documentation about cookies and their usage to README 2017-10-19 20:11:28 +02:00
Marco
891cef2511 Do not make repeated attempts to use invalid 'remember me' cookies 2017-10-19 03:00:28 +02:00
Marco
f70613b2b8 Ignore defined but empty selectors and tokens from 'remember me' 2017-10-19 02:55:49 +02:00
Marco
59816d1a40 Re-use 'remember me' cookie from previous major versions if available 2017-10-19 02:50:24 +02:00
Marco
1284f64f04 Fix documentation for method 'setRememberCookie' in class 'Auth' 2017-10-19 02:27:42 +02:00
Marco
8165e8917b Change name of 'remember me' cookie to be dependent on session name 2017-10-19 01:44:19 +02:00
Marco
a4b68167a1 Prepare migration guide for next major release 2017-10-19 00:47:47 +02:00
Marco
fc2fb4bb44 Move 'Refresh' button from bottom to top in 'tests' 2017-10-19 00:36:08 +02:00
Marco
b2a3fde696 Add tests for method 'createRememberCookieName' from class 'Auth' 2017-10-18 23:08:01 +02:00
Marco
36880b87c9 Implement method 'createRememberCookieName' in class 'Auth' 2017-10-18 23:03:41 +02:00
Marco
4a66965994 Add tests for method 'createCookieName' from class 'Auth' 2017-10-18 23:01:15 +02:00
Marco
e7b590dc80 Implement method 'createCookieName' in class 'Auth' 2017-10-18 22:52:00 +02:00
Marco
33d2384c93 Add list of available cookie prefixes as constant in class 'Auth' 2017-10-18 22:48:14 +02:00
Marco
1169856217 Improve code style 2017-10-18 22:47:24 +02:00
Marco
fa75811679 Display current session name in 'tests' 2017-10-18 22:30:06 +02:00
Marco
fa8fa4887e Improve documentation in class 'Auth' 2017-10-18 21:59:25 +02:00
Marco
8fecb86f15 Improve code style 2017-10-12 02:42:40 +02:00
Pavel Levin
04c466b309 Drop superfluous check using 'isset' 2017-10-12 02:32:13 +02:00
10 changed files with 1056 additions and 358 deletions
Expand all files Collapse all files

57
Database/PostgreSQL.sql Normal file
View File

@@ -0,0 +1,57 @@
-- PHP-Auth (https://github.com/delight-im/PHP-Auth)
-- Copyright (c) delight.im (https://www.delight.im/)
-- Licensed under the MIT License (https://opensource.org/licenses/MIT)
BEGIN;
CREATE TABLE IF NOT EXISTS "users" (
"id" SERIAL PRIMARY KEY CHECK ("id" >= 0),
"email" VARCHAR(249) UNIQUE NOT NULL,
"password" VARCHAR(255) NOT NULL,
"username" VARCHAR(100) DEFAULT NULL,
"status" SMALLINT NOT NULL DEFAULT '0' CHECK ("status" >= 0),
"verified" SMALLINT NOT NULL DEFAULT '0' CHECK ("verified" >= 0),
"resettable" SMALLINT NOT NULL DEFAULT '1' CHECK ("resettable" >= 0),
"roles_mask" INTEGER NOT NULL DEFAULT '0' CHECK ("roles_mask" >= 0),
"registered" INTEGER NOT NULL CHECK ("registered" >= 0),
"last_login" INTEGER DEFAULT NULL CHECK ("last_login" >= 0)
);
CREATE TABLE IF NOT EXISTS "users_confirmations" (
"id" SERIAL PRIMARY KEY CHECK ("id" >= 0),
"user_id" INTEGER NOT NULL CHECK ("user_id" >= 0),
"email" VARCHAR(249) NOT NULL,
"selector" VARCHAR(16) UNIQUE NOT NULL,
"token" VARCHAR(255) NOT NULL,
"expires" INTEGER NOT NULL CHECK ("expires" >= 0)
);
CREATE INDEX IF NOT EXISTS "email_expires" ON "users_confirmations" ("email", "expires");
CREATE INDEX IF NOT EXISTS "user_id" ON "users_confirmations" ("user_id");
CREATE TABLE IF NOT EXISTS "users_remembered" (
"id" BIGSERIAL PRIMARY KEY CHECK ("id" >= 0),
"user" INTEGER NOT NULL CHECK ("user" >= 0),
"selector" VARCHAR(24) UNIQUE NOT NULL,
"token" VARCHAR(255) NOT NULL,
"expires" INTEGER NOT NULL CHECK ("expires" >= 0)
);
CREATE INDEX IF NOT EXISTS "user" ON "users_remembered" ("user");
CREATE TABLE IF NOT EXISTS "users_resets" (
"id" BIGSERIAL PRIMARY KEY CHECK ("id" >= 0),
"user" INTEGER NOT NULL CHECK ("user" >= 0),
"selector" VARCHAR(20) UNIQUE NOT NULL,
"token" VARCHAR(255) NOT NULL,
"expires" INTEGER NOT NULL CHECK ("expires" >= 0)
);
CREATE INDEX IF NOT EXISTS "user_expires" ON "users_resets" ("user", "expires");
CREATE TABLE IF NOT EXISTS "users_throttling" (
"bucket" VARCHAR(44) PRIMARY KEY,
"tokens" REAL NOT NULL CHECK ("tokens" >= 0),
"replenished_at" INTEGER NOT NULL CHECK ("replenished_at" >= 0),
"expires_at" INTEGER NOT NULL CHECK ("expires_at" >= 0)
);
CREATE INDEX IF NOT EXISTS "expires_at" ON "users_throttling" ("expires_at");
COMMIT;

55
Migration.md
View File

@@ -1,6 +1,7 @@
# Migration
* [General](#general)
* [From `v6.x.x` to `v7.x.x`](#from-v6xx-to-v7xx)
* [From `v5.x.x` to `v6.x.x`](#from-v5xx-to-v6xx)
* [From `v4.x.x` to `v5.x.x`](#from-v4xx-to-v5xx)
* [From `v3.x.x` to `v4.x.x`](#from-v3xx-to-v4xx)
@@ -9,11 +10,57 @@
## General
Update your version of this library via Composer [[?]](https://github.com/delight-im/Knowledge/blob/master/Composer%20(PHP).md):
Update your version of this library using Composer and its `composer update` or `composer require` commands [[?]](https://github.com/delight-im/Knowledge/blob/master/Composer%20(PHP).md#how-do-i-update-libraries-or-modules-within-my-application).
```
$ composer update delight-im/auth
```
## From `v6.x.x` to `v7.x.x`
* The method `logOutButKeepSession` from class `Auth` is now simply called `logOut`. Therefore, the former method `logout` is now called `logOutAndDestroySession`.
* The second argument of the `Auth` constructor, which was named `$useHttps`, has been removed. If you previously had it set to `true`, make sure to set the value of the `session.cookie_secure` directive to `1` now. You may do so either directly in your [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`), via the `\ini_set` method or via the `\session_set_cookie_params` method. Otherwise, make sure that directive is set to `0`.
* The third argument of the `Auth` constructor, which was named `$allowCookiesScriptAccess`, has been removed. If you previously had it set to `true`, make sure to set the value of the `session.cookie_httponly` directive to `0` now. You may do so either directly in your [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`), via the `\ini_set` method or via the `\session_set_cookie_params` method. Otherwise, make sure that directive is set to `1`.
* Only if *both* of the following two conditions are met:
* The directive `session.cookie_domain` is set to an empty value. It may have been set directly in your [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`), via the `\ini_set` method or via the `\session_set_cookie_params` method. You can check the value of that directive by executing the following statement somewhere in your application:
```php
\var_dump(\ini_get('session.cookie_domain'));
```
* Your application is accessed via a registered or registrable *domain name*, either by yourself during development and testing or by your visitors and users in production. That means your application is *not*, or *not only*, accessed via `localhost` or via an IP address.
Then the domain scope for the [two cookies](README.md#cookies) used by this library has changed. You can handle this change in one of two different ways:
* Restore the old behavior by placing the following statement as early as possible in your application, and before you create the `Auth` instance:
```php
\ini_set('session.cookie_domain', \preg_replace('/^www\./', '', $_SERVER['HTTP_HOST']));
```
You may also evaluate the complete second parameter and put its value directly into your [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`).
* Use the new domain scope for your application. To do so, you only need to [rename the cookies](README.md#renaming-the-librarys-cookies) used by this library in order to prevent conflicts with old cookies that have been created previously. Renaming the cookies is critically important here. We recommend a versioned name such as `session_v1` for the session cookie.
* Only if *both* of the following two conditions are met:
* The directive `session.cookie_domain` is set to a value that starts with the `www` subdomain. It may have been set directly in your [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`), via the `\ini_set` method or via the `\session_set_cookie_params` method. You can check the value of that directive by executing the following statement somewhere in your application:
```php
\var_dump(\ini_get('session.cookie_domain'));
```
* Your application is accessed via a registered or registrable *domain name*, either by yourself during development and testing or by your visitors and users in production. That means your application is *not*, or *not only*, accessed via `localhost` or via an IP address.
Then the domain scope for [one of the cookies](README.md#cookies) used by this library has changed. To make your application work correctly with the new scope, [rename the cookies](README.md#renaming-the-librarys-cookies) used by this library in order to prevent conflicts with old cookies that have been created previously. Renaming the cookies is critically important here. We recommend a versioned name such as `session_v1` for the session cookie.
* If the directive `session.cookie_path` is set to an empty value, then the path scope for [one of the cookies](README.md#cookies) used by this library has changed. To make your application work correctly with the new scope, [rename the cookies](README.md#renaming-the-librarys-cookies) used by this library in order to prevent conflicts with old cookies that have been created previously. Renaming the cookies is critically important here. We recommend a versioned name such as `session_v1` for the session cookie.
The directive may have been set directly in your [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`), via the `\ini_set` method or via the `\session_set_cookie_params` method. You can check the value of that directive by executing the following statement somewhere in your application:
```php
\var_dump(\ini_get('session.cookie_path'));
```
## From `v5.x.x` to `v6.x.x`

257
README.md
View File

@@ -18,9 +18,9 @@ Completely framework-agnostic and database-agnostic.
* PHP 5.6.0+
* PDO (PHP Data Objects) extension (`pdo`)
* MySQL Native Driver (`mysqlnd`) **or** SQLite driver (`sqlite`)
* MySQL Native Driver (`mysqlnd`) **or** PostgreSQL driver (`pgsql`) **or** SQLite driver (`sqlite`)
* OpenSSL extension (`openssl`)
* MySQL 5.5.3+ **or** MariaDB 5.5.23+ **or** SQLite 3.14.1+ **or** other SQL databases that you create the [schema](Database) for
* MySQL 5.5.3+ **or** MariaDB 5.5.23+ **or** PostgreSQL 9.5.10+ **or** SQLite 3.14.1+ **or** [other SQL databases](Database)
## Installation
@@ -38,7 +38,9 @@ Completely framework-agnostic and database-agnostic.
1. Set up a database and create the required tables:
* [MariaDB](Database/MySQL.sql)
* [MySQL](Database/MySQL.sql)
* [PostgreSQL](Database/PostgreSQL.sql)
* [SQLite](Database/SQLite.sql)
## Upgrading
@@ -79,6 +81,13 @@ Migrating from an earlier version of this project? See our [upgrade guide](Migra
* [Assigning roles to users](#assigning-roles-to-users)
* [Taking roles away from users](#taking-roles-away-from-users)
* [Checking roles](#checking-roles-1)
* [Impersonating users (logging in as user)](#impersonating-users-logging-in-as-user)
* [Cookies](#cookies)
* [Renaming the librarys cookies](#renaming-the-librarys-cookies)
* [Defining the domain scope for cookies](#defining-the-domain-scope-for-cookies)
* [Restricting the path where cookies are available](#restricting-the-path-where-cookies-are-available)
* [Controlling client-side script access to cookies](#controlling-client-side-script-access-to-cookies)
* [Configuring transport security for cookies](#configuring-transport-security-for-cookies)
* [Utilities](#utilities)
* [Creating a random string](#creating-a-random-string)
* [Creating a UUID v4 as per RFC 4122](#creating-a-uuid-v4-as-per-rfc-4122)
@@ -89,12 +98,16 @@ Migrating from an earlier version of this project? See our [upgrade guide](Migra
```php
// $db = new \PDO('mysql:dbname=my-database;host=localhost;charset=utf8mb4', 'my-username', 'my-password');
// or
// $db = new \PDO('pgsql:dbname=my-database;host=localhost;port=5432', 'my-username', 'my-password');
// or
// $db = new \PDO('sqlite:../Databases/my-database.sqlite');
// or
// $db = new \Delight\Db\PdoDsn('mysql:dbname=my-database;host=localhost;charset=utf8mb4', 'my-username', 'my-password');
// or
// $db = new \Delight\Db\PdoDsn('pgsql:dbname=my-database;host=localhost;port=5432', 'my-username', 'my-password');
// or
// $db = new \Delight\Db\PdoDsn('sqlite:../Databases/my-database.sqlite');
$auth = new \Delight\Auth\Auth($db);
@@ -102,13 +115,13 @@ $auth = new \Delight\Auth\Auth($db);
If you have an open `PDO` connection already, just re-use it.
If you do enforce HTTPS on your site, pass `true` as the second parameter to the constructor. This is optional and the default is `false`.
If your web server is behind a proxy server and `$_SERVER['REMOTE_ADDR']` only contains the proxys IP address, you must pass the users real IP address to the constructor in the second argument, which is named `$ipAddress`. The default is the usual remote IP address received by PHP.
Only in the very rare case that you need access to your cookies from JavaScript, pass `true` as the third argument to the constructor. This is optional and the default is `false`. There is almost always a *better* solution than enabling this, however.
Should your database tables for this library need a common prefix, e.g. `my_users` instead of `users` (and likewise for the other tables), pass the prefix (e.g. `my_`) as the third parameter to the constructor, which is named `$dbTablePrefix`. This is optional and the prefix is empty by default.
If your web server is behind a proxy server and `$_SERVER['REMOTE_ADDR']` only contains the proxys IP address, you must pass the users real IP address to the constructor in the fourth argument. The default is `null`.
During development, you may want to disable the request limiting or throttling performed by this library. To do so, pass `false` to the constructor as the fourth argument, which is named `$throttling`. The feature is enabled by default.
Should your database tables for this library need a common prefix, e.g. `my_users` instead of `users` (and likewise for the other tables), pass the prefix (e.g. `my_`) as the fifth parameter to the constructor. This is optional and the prefix is empty by default.
During the lifetime of a session, some user data may be changed remotely, either by a client in another session or by an administrator. That means this information must be regularly resynchronized with its authoritative source in the database, which this library does automatically. By default, this happens every five minutes. If you want to change this interval, pass a custom interval in seconds to the constructor as the fifth argument, which is named `$sessionResyncInterval`.
### Registration (sign up)
@@ -223,6 +236,8 @@ Omit the third parameter or set it to `null` to disable the feature. Otherwise,
### Password reset (“forgot password”)
#### Step 1 of 3: Initiating the request
```php
try {
$auth->forgotPassword($_POST['email'], function ($selector, $token) {
@@ -251,12 +266,39 @@ You should build an URL with the selector and token and send it to the user, e.g
$url = 'https://www.example.com/reset_password?selector=' . \urlencode($selector) . '&token=' . \urlencode($token);
```
#### Step 2 of 3: Verifying an attempt
As the next step, users will click on the link that they received. Extract the selector and token from the URL.
If the selector/token pair is valid, let the user choose a new password:
```php
if ($auth->canResetPassword($_POST['selector'], $_POST['token'])) {
try {
$auth->canResetPasswordOrThrow($_GET['selector'], $_GET['token']);
// put the selector into a `hidden` field (or keep it in the URL)
// put the token into a `hidden` field (or keep it in the URL)
// ask the user for their new password
}
catch (\Delight\Auth\InvalidSelectorTokenPairException $e) {
// invalid token
}
catch (\Delight\Auth\TokenExpiredException $e) {
// token expired
}
catch (\Delight\Auth\ResetDisabledException $e) {
// password reset is disabled
}
catch (\Delight\Auth\TooManyRequestsException $e) {
// too many requests
}
```
Alternatively, if you dont need any error messages but only want to check the validity, you can use the slightly simpler version:
```php
if ($auth->canResetPassword($_GET['selector'], $_GET['token'])) {
// put the selector into a `hidden` field (or keep it in the URL)
// put the token into a `hidden` field (or keep it in the URL)
@@ -264,6 +306,8 @@ if ($auth->canResetPassword($_POST['selector'], $_POST['token'])) {
}
```
#### Step 3 of 3: Updating the password
Now when you have the new password for the user (and still have the other two pieces of information), you can reset the password:
```php
@@ -405,9 +449,9 @@ $url = 'https://www.example.com/verify_email?selector=' . \urlencode($selector)
### Logout
```php
$auth->logOutButKeepSession();
$auth->logOut();
// or
$auth->logout();
$auth->logOutAndDestroySession();
// user has been signed out
```
@@ -578,6 +622,12 @@ if ($auth->hasAllRoles(\Delight\Auth\Role::DEVELOPER, \Delight\Auth\Role::MANAGE
While the method `hasRole` takes exactly one role as its argument, the two methods `hasAnyRole` and `hasAllRoles` can take any number of roles that you would like to check for.
Alternatively, you can get a list of all the roles that have been assigned to the user:
```php
$auth->getRoles();
```
#### Available roles
```php
@@ -605,7 +655,15 @@ While the method `hasRole` takes exactly one role as its argument, the two metho
\Delight\Auth\Role::TRANSLATOR;
```
You can use any of these roles and ignore those that you dont need.
You can use any of these roles and ignore those that you dont need. The list above can also be retrieved programmatically, in one of three formats:
```php
\Delight\Auth\Role::getMap();
// or
\Delight\Auth\Role::getNames();
// or
\Delight\Auth\Role::getValues();
```
#### Permissions (or access rights, privileges or capabilities)
@@ -896,6 +954,185 @@ catch (\Delight\Auth\UnknownIdException $e) {
}
```
Alternatively, you can get a list of all the roles that have been assigned to the user:
```php
$auth->admin()->getRolesForUserById($userId);
```
#### Impersonating users (logging in as user)
```php
try {
$auth->admin()->logInAsUserById($_POST['id']);
}
catch (\Delight\Auth\UnknownIdException $e) {
// unknown ID
}
catch (\Delight\Auth\EmailNotVerifiedException $e) {
// email address not verified
}
// or
try {
$auth->admin()->logInAsUserByEmail($_POST['email']);
}
catch (\Delight\Auth\InvalidEmailException $e) {
// unknown email address
}
catch (\Delight\Auth\EmailNotVerifiedException $e) {
// email address not verified
}
// or
try {
$auth->admin()->logInAsUserByUsername($_POST['username']);
}
catch (\Delight\Auth\UnknownUsernameException $e) {
// unknown username
}
catch (\Delight\Auth\AmbiguousUsernameException $e) {
// ambiguous username
}
catch (\Delight\Auth\EmailNotVerifiedException $e) {
// email address not verified
}
```
### Cookies
This library uses two cookies to keep state on the client: The first, whose name you can retrieve using
```php
\session_name();
```
is the general (mandatory) session cookie. The second (optional) cookie is only used for [persistent logins](#keeping-the-user-logged-in) and its name can be retrieved as follows:
```php
\Delight\Auth\Auth::createRememberCookieName();
```
#### Renaming the librarys cookies
You can rename the session cookie used by this library through one of the following means, in order of recommendation:
* In the [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`), find the line with the `session.name` directive and change its value to something like `session_v1`, as in:
```
session.name = session_v1
```
* As early as possible in your application, and before you create the `Auth` instance, call `\ini_set` to change `session.name` to something like `session_v1`, as in:
```php
\ini_set('session.name', 'session_v1');
```
For this to work, `session.auto_start` must be set to `0` in the [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`).
* As early as possible in your application, and before you create the `Auth` instance, call `\session_name` with an argument like `session_v1`, as in:
```php
\session_name('session_v1');
```
For this to work, `session.auto_start` must be set to `0` in the [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`).
The name of the cookie for [persistent logins](#keeping-the-user-logged-in) will change as well automatically following your change of the session cookies name.
#### Defining the domain scope for cookies
A cookies `domain` attribute controls which domain (and which subdomains) the cookie will be valid for, and thus where the users session and authentication state will be available.
The recommended default is an empty string, which means that the cookie will only be valid for the *exact* current host, *excluding* any subdomains that may exist. You should only use a different value if you need to share cookies between different subdomains. Often, youll want to share cookies between the bare domain and the `www` subdomain, but you might also want to share them between any other set of subdomains.
Whatever set of subdomains you choose, you should set the cookies attribute to the *most specific* domain name that still includes all your required subdomains. For example, to share cookies between `example.com` and `www.example.com`, you would set the attribute to `example.com`. But if you wanted to share cookies between `sub1.app.example.com` and `sub2.app.example.com`, you should set the attribute to `app.example.com`. Any explicitly specified domain name will always *include* all subdomains that may exist.
You can change the attribute through one of the following means, in order of recommendation:
* In the [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`), find the line with the `session.cookie_domain` directive and change its value as desired, e.g.:
```
session.cookie_domain = example.com
```
* As early as possible in your application, and before you create the `Auth` instance, call `\ini_set` to change the value of the `session.cookie_domain` directive as desired, e.g.:
```php
\ini_set('session.cookie_domain', 'example.com');
```
For this to work, `session.auto_start` must be set to `0` in the [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`).
#### Restricting the path where cookies are available
A cookies `path` attribute controls which directories (and subdirectories) the cookie will be valid for, and thus where the users session and authentication state will be available.
In most cases, youll want to make cookies available for all paths, i.e. any directory and file, starting in the root directory. That is what a value of `/` for the attribute does, which is also the recommended default. You should only change this attribute to a different value, e.g. `/path/to/subfolder`, if you want to restrict which directories your cookies will be available in, e.g. to host multiple applications side-by-side, in different directories, under the same domain name.
You can change the attribute through one of the following means, in order of recommendation:
* In the [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`), find the line with the `session.cookie_path` directive and change its value as desired, e.g.:
```
session.cookie_path = /
```
* As early as possible in your application, and before you create the `Auth` instance, call `\ini_set` to change the value of the `session.cookie_path` directive as desired, e.g.:
```php
\ini_set('session.cookie_path', '/');
```
For this to work, `session.auto_start` must be set to `0` in the [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`).
#### Controlling client-side script access to cookies
Using the `httponly` attribute, you can control whether client-side scripts, i.e. JavaScript, should be able to access your cookies or not. For security reasons, it is best to *deny* script access to your cookies, which reduces the damage that successful XSS attacks against your application could do, for example.
Thus, you should always set `httponly` to `1`, except for the rare cases where you really need access to your cookies from JavaScript and cant find any better solution. In those cases, set the attribute to `0`, but be aware of the consequences.
You can change the attribute through one of the following means, in order of recommendation:
* In the [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`), find the line with the `session.cookie_httponly` directive and change its value as desired, e.g.:
```
session.cookie_httponly = 1
```
* As early as possible in your application, and before you create the `Auth` instance, call `\ini_set` to change the value of the `session.cookie_httponly` directive as desired, e.g.:
```php
\ini_set('session.cookie_httponly', 1);
```
For this to work, `session.auto_start` must be set to `0` in the [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`).
#### Configuring transport security for cookies
Using the `secure` attribute, you can control whether cookies should be sent over *any* connection, including plain HTTP, or whether a secure connection, i.e. HTTPS (with SSL/TLS), should be required. The former (less secure) mode can be chosen by setting the attribute to `0`, and the latter (more secure) mode can be chosen by setting the attribute to `1`.
Obviously, this solely depends on whether you are able to serve *all* pages exclusively via HTTPS. If you can, you should set the attribute to `1` and possibly combine it with HTTP redirects to the secure protocol and HTTP Strict Transport Security (HSTS). Otherwise, you may have to keep the attribute set to `0`.
You can change the attribute through one of the following means, in order of recommendation:
* In the [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`), find the line with the `session.cookie_secure` directive and change its value as desired, e.g.:
```
session.cookie_secure = 1
```
* As early as possible in your application, and before you create the `Auth` instance, call `\ini_set` to change the value of the `session.cookie_secure` directive as desired, e.g.:
```php
\ini_set('session.cookie_secure', 1);
```
For this to work, `session.auto_start` must be set to `0` in the [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`).
### Utilities
#### Creating a random string

2
composer.json
View File

@@ -5,7 +5,7 @@
"php": ">=5.6.0",
"ext-openssl": "*",
"delight-im/base64": "^1.0",
"delight-im/cookie": "^2.1",
"delight-im/cookie": "^3.1",
"delight-im/db": "^1.2"
},
"type": "library",

12
composer.lock generated
View File

@@ -4,7 +4,7 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
"This file is @generated automatically"
],
"content-hash": "8ab7c9ad8ef2bc7d9a6beb27f9bf4df5",
"content-hash": "54d541ae3c5ba25b0cc06688d2b65467",
"packages": [
{
"name": "delight-im/base64",
@@ -49,16 +49,16 @@
},
{
"name": "delight-im/cookie",
"version": "v2.1.3",
"version": "v3.1.0",
"source": {
"type": "git",
"url": "https://github.com/delight-im/PHP-Cookie.git",
"reference": "a66c8a02aa4776c4b7d3d04c695411f73e04e1eb"
"reference": "76ef2a21817cf7a034f85fc3f4d4bfc60f873947"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/delight-im/PHP-Cookie/zipball/a66c8a02aa4776c4b7d3d04c695411f73e04e1eb",
"reference": "a66c8a02aa4776c4b7d3d04c695411f73e04e1eb",
"url": "https://api.github.com/repos/delight-im/PHP-Cookie/zipball/76ef2a21817cf7a034f85fc3f4d4bfc60f873947",
"reference": "76ef2a21817cf7a034f85fc3f4d4bfc60f873947",
"shasum": ""
},
"require": {
@@ -86,7 +86,7 @@
"samesite",
"xss"
],
"time": "2017-07-26T14:03:38+00:00"
"time": "2017-10-18T19:48:59+00:00"
},
{
"name": "delight-im/db",

124
src/Administration.php
View File

@@ -107,7 +107,7 @@ final class Administration extends UserManager {
*/
public function deleteUserByUsername($username) {
$userData = $this->getUserDataByUsername(
trim($username),
\trim($username),
[ 'id' ]
);
@@ -286,6 +286,90 @@ final class Administration extends UserManager {
return ($rolesBitmask & $role) === $role;
}
/**
* Returns the roles of the user with the given ID, mapping the numerical values to their descriptive names
*
* @param int $userId the ID of the user to return the roles for
* @return array
* @throws UnknownIdException if no user with the specified ID has been found
*
* @see Role
*/
public function getRolesForUserById($userId) {
$userId = (int) $userId;
$rolesBitmask = $this->db->selectValue(
'SELECT roles_mask FROM ' . $this->dbTablePrefix . 'users WHERE id = ?',
[ $userId ]
);
if ($rolesBitmask === null) {
throw new UnknownIdException();
}
return \array_filter(
Role::getMap(),
function ($each) use ($rolesBitmask) {
return ($rolesBitmask & $each) === $each;
},
\ARRAY_FILTER_USE_KEY
);
}
/**
* Signs in as the user with the specified ID
*
* @param int $id the ID of the user to sign in as
* @throws UnknownIdException if no user with the specified ID has been found
* @throws EmailNotVerifiedException if the user has not verified their email address via a confirmation method yet
* @throws AuthError if an internal problem occurred (do *not* catch)
*/
public function logInAsUserById($id) {
$numberOfMatchedUsers = $this->logInAsUserByColumnValue('id', (int) $id);
if ($numberOfMatchedUsers === 0) {
throw new UnknownIdException();
}
}
/**
* Signs in as the user with the specified email address
*
* @param string $email the email address of the user to sign in as
* @throws InvalidEmailException if no user with the specified email address has been found
* @throws EmailNotVerifiedException if the user has not verified their email address via a confirmation method yet
* @throws AuthError if an internal problem occurred (do *not* catch)
*/
public function logInAsUserByEmail($email) {
$email = self::validateEmailAddress($email);
$numberOfMatchedUsers = $this->logInAsUserByColumnValue('email', $email);
if ($numberOfMatchedUsers === 0) {
throw new InvalidEmailException();
}
}
/**
* Signs in as the user with the specified display name
*
* @param string $username the display name of the user to sign in as
* @throws UnknownUsernameException if no user with the specified username has been found
* @throws AmbiguousUsernameException if multiple users with the specified username have been found
* @throws EmailNotVerifiedException if the user has not verified their email address via a confirmation method yet
* @throws AuthError if an internal problem occurred (do *not* catch)
*/
public function logInAsUserByUsername($username) {
$numberOfMatchedUsers = $this->logInAsUserByColumnValue('username', \trim($username));
if ($numberOfMatchedUsers === 0) {
throw new UnknownUsernameException();
}
elseif ($numberOfMatchedUsers > 1) {
throw new AmbiguousUsernameException();
}
}
/**
* Deletes all existing users where the column with the specified name has the given value
*
@@ -404,4 +488,42 @@ final class Administration extends UserManager {
);
}
/**
* Signs in as the user for which the column with the specified name has the given value
*
* You must never pass untrusted input to the parameter that takes the column name
*
* @param string $columnName the name of the column to filter by
* @param mixed $columnValue the value to look for in the selected column
* @return int the number of matched users (where only a value of one means that the login may have been successful)
* @throws EmailNotVerifiedException if the user has not verified their email address via a confirmation method yet
* @throws AuthError if an internal problem occurred (do *not* catch)
*/
private function logInAsUserByColumnValue($columnName, $columnValue) {
try {
$users = $this->db->select(
'SELECT verified, id, email, username, status, roles_mask FROM ' . $this->dbTablePrefix . 'users WHERE ' . $columnName . ' = ? LIMIT 2 OFFSET 0',
[ $columnValue ]
);
}
catch (Error $e) {
throw new DatabaseError();
}
$numberOfMatchingUsers = \count($users);
if ($numberOfMatchingUsers === 1) {
$user = $users[0];
if ((int) $user['verified'] === 1) {
$this->onLoginSuccessful($user['id'], $user['email'], $user['username'], $user['status'], $user['roles_mask'], false);
}
else {
throw new EmailNotVerifiedException();
}
}
return $numberOfMatchingUsers;
}
}

460
src/Auth.php
View File

@@ -21,77 +21,71 @@ require_once __DIR__ . '/Exceptions.php';
/** Component that provides all features and utilities for secure authentication of individual users */
final class Auth extends UserManager {
const SESSION_FIELD_LOGGED_IN = 'auth_logged_in';
const SESSION_FIELD_USER_ID = 'auth_user_id';
const SESSION_FIELD_EMAIL = 'auth_email';
const SESSION_FIELD_USERNAME = 'auth_username';
const SESSION_FIELD_STATUS = 'auth_status';
const SESSION_FIELD_ROLES = 'auth_roles';
const SESSION_FIELD_REMEMBERED = 'auth_remembered';
const COOKIE_PREFIXES = [ Cookie::PREFIX_SECURE, Cookie::PREFIX_HOST ];
const COOKIE_CONTENT_SEPARATOR = '~';
const COOKIE_NAME_REMEMBER = 'auth_remember';
/** @var boolean whether HTTPS (TLS/SSL) will be used (recommended) */
private $useHttps;
/** @var boolean whether cookies should be accessible via client-side scripts (*not* recommended) */
private $allowCookiesScriptAccess;
/** @var string the user's current IP address */
private $ipAddress;
/** @var bool whether throttling should be enabled (e.g. in production) or disabled (e.g. during development) */
private $throttling;
/** @var int the interval in seconds after which to resynchronize the session data with its authoritative source in the database */
private $sessionResyncInterval;
/** @var string the name of the cookie used for the 'remember me' feature */
private $rememberCookieName;
/**
* @param PdoDatabase|PdoDsn|\PDO $databaseConnection the database connection to operate on
* @param bool $useHttps whether HTTPS (TLS/SSL) will be used (recommended)
* @param bool $allowCookiesScriptAccess whether cookies should be accessible via client-side scripts (*not* recommended)
* @param string $ipAddress the IP address that should be used instead of the default setting (if any), e.g. when behind a proxy
* @param string|null $dbTablePrefix (optional) the prefix for the names of all database tables used by this component
* @param bool|null $throttling (optional) whether throttling should be enabled (e.g. in production) or disabled (e.g. during development)
* @param int|null $sessionResyncInterval (optional) the interval in seconds after which to resynchronize the session data with its authoritative source in the database
*/
public function __construct($databaseConnection, $useHttps = false, $allowCookiesScriptAccess = false, $ipAddress = null, $dbTablePrefix = null) {
public function __construct($databaseConnection, $ipAddress = null, $dbTablePrefix = null, $throttling = null, $sessionResyncInterval = null) {
parent::__construct($databaseConnection, $dbTablePrefix);
$this->useHttps = $useHttps;
$this->allowCookiesScriptAccess = $allowCookiesScriptAccess;
$this->ipAddress = !empty($ipAddress) ? $ipAddress : (isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : null);
$this->throttling = isset($throttling) ? (bool) $throttling : true;
$this->sessionResyncInterval = isset($sessionResyncInterval) ? ((int) $sessionResyncInterval) : (60 * 5);
$this->rememberCookieName = self::createRememberCookieName();
$this->initSession();
$this->initSessionIfNecessary();
$this->enhanceHttpSecurity();
$this->processRememberDirective();
$this->resyncSessionIfNecessary();
}
/** Initializes the session and sets the correct configuration */
private function initSession() {
// use cookies to store session IDs
ini_set('session.use_cookies', 1);
// use cookies only (do not send session IDs in URLs)
ini_set('session.use_only_cookies', 1);
// do not send session IDs in URLs
ini_set('session.use_trans_sid', 0);
private function initSessionIfNecessary() {
if (\session_status() === \PHP_SESSION_NONE) {
// use cookies to store session IDs
\ini_set('session.use_cookies', 1);
// use cookies only (do not send session IDs in URLs)
\ini_set('session.use_only_cookies', 1);
// do not send session IDs in URLs
\ini_set('session.use_trans_sid', 0);
// get our cookie settings
$params = $this->createCookieSettings();
// define our new cookie settings
session_set_cookie_params($params['lifetime'], $params['path'], $params['domain'], $params['secure'], $params['httponly']);
// start the session
@Session::start();
// start the session (requests a cookie to be written on the client)
@Session::start();
}
}
/** Improves the application's security over HTTP(S) by setting specific headers */
private function enhanceHttpSecurity() {
// remove exposure of PHP version (at least where possible)
header_remove('X-Powered-By');
\header_remove('X-Powered-By');
// if the user is signed in
if ($this->isLoggedIn()) {
// prevent clickjacking
header('X-Frame-Options: sameorigin');
\header('X-Frame-Options: sameorigin');
// prevent content sniffing (MIME sniffing)
header('X-Content-Type-Options: nosniff');
\header('X-Content-Type-Options: nosniff');
// disable caching of potentially sensitive data
header('Cache-Control: no-store, no-cache, must-revalidate', true);
header('Expires: Thu, 19 Nov 1981 00:00:00 GMT', true);
header('Pragma: no-cache', true);
\header('Cache-Control: no-store, no-cache, must-revalidate', true);
\header('Expires: Thu, 19 Nov 1981 00:00:00 GMT', true);
\header('Pragma: no-cache', true);
}
}
@@ -99,12 +93,25 @@ final class Auth extends UserManager {
private function processRememberDirective() {
// if the user is not signed in yet
if (!$this->isLoggedIn()) {
// if there is currently no cookie for the 'remember me' feature
if (!isset($_COOKIE[$this->rememberCookieName])) {
// if an old cookie for that feature from versions v1.x.x to v6.x.x has been found
if (isset($_COOKIE['auth_remember'])) {
// use the value from that old cookie instead
$_COOKIE[$this->rememberCookieName] = $_COOKIE['auth_remember'];
}
}
// if a remember cookie is set
if (isset($_COOKIE[self::COOKIE_NAME_REMEMBER])) {
if (isset($_COOKIE[$this->rememberCookieName])) {
// assume the cookie and its contents to be invalid until proven otherwise
$valid = false;
// split the cookie's content into selector and token
$parts = explode(self::COOKIE_CONTENT_SEPARATOR, $_COOKIE[self::COOKIE_NAME_REMEMBER], 2);
$parts = \explode(self::COOKIE_CONTENT_SEPARATOR, $_COOKIE[$this->rememberCookieName], 2);
// if both selector and token were found
if (isset($parts[0]) && isset($parts[1])) {
if (!empty($parts[0]) && !empty($parts[1])) {
try {
$rememberData = $this->db->selectRow(
'SELECT a.user, a.token, a.expires, b.email, b.username, b.status, b.roles_mask FROM ' . $this->dbTablePrefix . 'users_remembered AS a JOIN ' . $this->dbTablePrefix . 'users AS b ON a.user = b.id WHERE a.selector = ?',
@@ -116,13 +123,62 @@ final class Auth extends UserManager {
}
if (!empty($rememberData)) {
if ($rememberData['expires'] >= time()) {
if (password_verify($parts[1], $rememberData['token'])) {
if ($rememberData['expires'] >= \time()) {
if (\password_verify($parts[1], $rememberData['token'])) {
// the cookie and its contents have now been proven to be valid
$valid = true;
$this->onLoginSuccessful($rememberData['user'], $rememberData['email'], $rememberData['username'], $rememberData['status'], $rememberData['roles_mask'], true);
}
}
}
}
// if the cookie or its contents have been invalid
if (!$valid) {
// mark the cookie as such to prevent any further futile attempts
$this->setRememberCookie('', '', \time() + 60 * 60 * 24 * 365.25);
}
}
}
}
private function resyncSessionIfNecessary() {
// if the user is signed in
if ($this->isLoggedIn()) {
if (!isset($_SESSION[self::SESSION_FIELD_LAST_RESYNC])) {
$_SESSION[self::SESSION_FIELD_LAST_RESYNC] = 0;
}
// if it's time for resynchronization
if (($_SESSION[self::SESSION_FIELD_LAST_RESYNC] + $this->sessionResyncInterval) <= \time()) {
// fetch the authoritative data from the database again
try {
$authoritativeData = $this->db->selectRow(
'SELECT email, username, status, roles_mask FROM ' . $this->dbTablePrefix . 'users WHERE id = ?',
[ $this->getUserId() ]
);
}
catch (Error $e) {
throw new DatabaseError();
}
// if the user's data has been found
if (!empty($authoritativeData)) {
// update the session data
$_SESSION[self::SESSION_FIELD_EMAIL] = $authoritativeData['email'];
$_SESSION[self::SESSION_FIELD_USERNAME] = $authoritativeData['username'];
$_SESSION[self::SESSION_FIELD_STATUS] = (int) $authoritativeData['status'];
$_SESSION[self::SESSION_FIELD_ROLES] = (int) $authoritativeData['roles_mask'];
}
// if no data has been found for the user
else {
// their account may have been deleted so they should be signed out
$this->logOut();
}
// remember that we've just performed resynchronization
$_SESSION[self::SESSION_FIELD_LAST_RESYNC] = \time();
}
}
}
@@ -314,7 +370,7 @@ final class Auth extends UserManager {
*
* @throws AuthError if an internal problem occurred (do *not* catch)
*/
public function logOutButKeepSession() {
public function logOut() {
// if the user has been signed in
if ($this->isLoggedIn()) {
// get the user's ID
@@ -334,6 +390,7 @@ final class Auth extends UserManager {
unset($_SESSION[self::SESSION_FIELD_STATUS]);
unset($_SESSION[self::SESSION_FIELD_ROLES]);
unset($_SESSION[self::SESSION_FIELD_REMEMBERED]);
unset($_SESSION[self::SESSION_FIELD_LAST_RESYNC]);
}
}
@@ -361,8 +418,8 @@ final class Auth extends UserManager {
private function createRememberDirective($userId, $duration) {
$selector = self::createRandomString(24);
$token = self::createRandomString(32);
$tokenHashed = password_hash($token, PASSWORD_DEFAULT);
$expires = time() + ((int) $duration);
$tokenHashed = \password_hash($token, \PASSWORD_DEFAULT);
$expires = \time() + ((int) $duration);
try {
$this->db->insert(
@@ -399,20 +456,19 @@ final class Auth extends UserManager {
throw new DatabaseError();
}
$this->setRememberCookie(null, null, time() - 3600);
$this->setRememberCookie(null, null, \time() - 3600);
}
/**
* Sets or updates the cookie that manages the "remember me" token
*
* @param string $selector the selector from the selector/token pair
* @param string $token the token from the selector/token pair
* @param int $expires the interval in seconds after which the token should expire
* @param string|null $selector the selector from the selector/token pair
* @param string|null $token the token from the selector/token pair
* @param int $expires the UNIX time in seconds which the token should expire at
* @throws AuthError if an internal problem occurred (do *not* catch)
*/
private function setRememberCookie($selector, $token, $expires) {
// get our cookie settings
$params = $this->createCookieSettings();
$params = \session_get_cookie_params();
if (isset($selector) && isset($token)) {
$content = $selector . self::COOKIE_CONTENT_SEPARATOR . $token;
@@ -421,47 +477,38 @@ final class Auth extends UserManager {
$content = '';
}
// set the cookie with the selector and token
$cookie = new Cookie(self::COOKIE_NAME_REMEMBER);
// save the cookie with the selector and token (requests a cookie to be written on the client)
$cookie = new Cookie($this->rememberCookieName);
$cookie->setValue($content);
$cookie->setExpiryTime($expires);
if (!empty($params['path'])) {
$cookie->setPath($params['path']);
}
if (!empty($params['domain'])) {
$cookie->setDomain($params['domain']);
}
$cookie->setPath($params['path']);
$cookie->setDomain($params['domain']);
$cookie->setHttpOnly($params['httponly']);
$cookie->setSecureOnly($params['secure']);
$result = $cookie->save();
if ($result === false) {
throw new HeadersAlreadySentError();
}
// if we've been deleting the cookie above
if (!isset($selector) || !isset($token)) {
// attempt to delete a potential old cookie from versions v1.x.x to v6.x.x as well (requests a cookie to be written on the client)
$cookie = new Cookie('auth_remember');
$cookie->setPath((!empty($params['path'])) ? $params['path'] : '/');
$cookie->setDomain($params['domain']);
$cookie->setHttpOnly($params['httponly']);
$cookie->setSecureOnly($params['secure']);
$cookie->delete();
}
}
/**
* Called when the user has successfully logged in (via standard login or "remember me")
*
* @param int $userId the ID of the user who has just logged in
* @param string $email the email address of the user who has just logged in
* @param string $username the username (if any)
* @param int $status the status as one of the constants from the {@see Status} class
* @param int $roles the bitmask containing the roles of the user
* @param bool $remembered whether the user was remembered ("remember me") or logged in actively
* @throws AuthError if an internal problem occurred (do *not* catch)
*/
private function onLoginSuccessful($userId, $email, $username, $status, $roles, $remembered) {
protected function onLoginSuccessful($userId, $email, $username, $status, $roles, $remembered) {
// update the timestamp of the user's last login
try {
$this->db->update(
$this->dbTablePrefix . 'users',
[ 'last_login' => time() ],
[ 'last_login' => \time() ],
[ 'id' => $userId ]
);
}
@@ -469,17 +516,7 @@ final class Auth extends UserManager {
throw new DatabaseError();
}
// re-generate the session ID to prevent session fixation attacks
Session::regenerate(true);
// save the user data in the session
$this->setLoggedIn(true);
$this->setUserId($userId);
$this->setEmail($email);
$this->setUsername($username);
$this->setStatus($status);
$this->setRoles($roles);
$this->setRemembered($remembered);
parent::onLoginSuccessful($userId, $email, $username, $status, $roles, $remembered);
}
/**
@@ -487,8 +524,8 @@ final class Auth extends UserManager {
*
* @throws AuthError if an internal problem occurred (do *not* catch)
*/
public function logout() {
$this->logOutButKeepSession();
public function logOutAndDestroySession() {
$this->logOut();
$this->destroySession();
}
@@ -498,17 +535,12 @@ final class Auth extends UserManager {
* @throws AuthError if an internal problem occurred (do *not* catch)
*/
private function deleteSessionCookie() {
// get our cookie settings
$params = $this->createCookieSettings();
$params = \session_get_cookie_params();
// cause the session cookie to be deleted
$cookie = new Cookie(session_name());
if (!empty($params['path'])) {
$cookie->setPath($params['path']);
}
if (!empty($params['domain'])) {
$cookie->setDomain($params['domain']);
}
// ask for the session cookie to be deleted (requests a cookie to be written on the client)
$cookie = new Cookie(\session_name());
$cookie->setPath($params['path']);
$cookie->setDomain($params['domain']);
$cookie->setHttpOnly($params['httponly']);
$cookie->setSecureOnly($params['secure']);
$result = $cookie->delete();
@@ -548,8 +580,8 @@ final class Auth extends UserManager {
}
if (!empty($confirmationData)) {
if (password_verify($token, $confirmationData['token'])) {
if ($confirmationData['expires'] >= time()) {
if (\password_verify($token, $confirmationData['token'])) {
if ($confirmationData['expires'] >= \time()) {
// invalidate any potential outstanding password reset requests
try {
$this->db->delete(
@@ -584,10 +616,11 @@ final class Auth extends UserManager {
// if the user has just confirmed an email address for their own account
if ($this->getUserId() === $confirmationData['user_id']) {
// immediately update the email address in the current session as well
$this->setEmail($confirmationData['email']);
$_SESSION[self::SESSION_FIELD_EMAIL] = $confirmationData['email'];
}
}
// consume the token just being used for confirmation
try {
$this->db->delete(
$this->dbTablePrefix . 'users_confirmations',
@@ -700,7 +733,7 @@ final class Auth extends UserManager {
* @throws AuthError if an internal problem occurred (do *not* catch)
*/
private function updatePassword($userId, $newPassword) {
$newPassword = password_hash($newPassword, PASSWORD_DEFAULT);
$newPassword = \password_hash($newPassword, \PASSWORD_DEFAULT);
try {
$this->db->update(
@@ -772,8 +805,8 @@ final class Auth extends UserManager {
throw new EmailNotVerifiedException();
}
$this->throttle([ 'requestEmailChange', 'userId', $this->getUserId() ], 1, (60 * 60 * 24));
$this->throttle([ 'requestEmailChange', $this->getIpAddress() ], 1, (60 * 60 * 24), 3);
$this->throttle([ 'requestEmailChange', 'user', $this->getUserId() ], 1, (60 * 60 * 24), 3);
$this->createConfirmationRequest($this->getUserId(), $newEmail, $callback);
}
@@ -847,7 +880,7 @@ final class Auth extends UserManager {
private function resendConfirmationForColumnValue($columnName, $columnValue, callable $callback) {
try {
$latestAttempt = $this->db->selectRow(
'SELECT user_id, email, expires FROM ' . $this->dbTablePrefix . 'users_confirmations WHERE ' . $columnName . ' = ? ORDER BY id DESC LIMIT 1 OFFSET 0',
'SELECT user_id, email FROM ' . $this->dbTablePrefix . 'users_confirmations WHERE ' . $columnName . ' = ? ORDER BY id DESC LIMIT 1 OFFSET 0',
[ $columnValue ]
);
}
@@ -859,14 +892,8 @@ final class Auth extends UserManager {
throw new ConfirmationRequestNotFound();
}
$retryAt = $latestAttempt['expires'] - 0.75 * self::CONFIRMATION_REQUESTS_TTL_IN_SECONDS;
if ($retryAt > \time()) {
throw new TooManyRequestsException('', $retryAt - \time());
}
$this->throttle([ 'resendConfirmation', 'userId', $latestAttempt['user_id'] ], 1, (60 * 60 * 6));
$this->throttle([ 'resendConfirmation', $this->getIpAddress() ], 4, (60 * 60 * 24 * 7), 2);
$this->throttle([ 'resendConfirmation', 'user', $latestAttempt['user_id'] ], 4, (60 * 60 * 24 * 7), 2);
$this->createConfirmationRequest(
$latestAttempt['user_id'],
@@ -978,7 +1005,7 @@ final class Auth extends UserManager {
);
}
elseif ($username !== null) {
$username = trim($username);
$username = \trim($username);
// attempt to look up the account information using the specified username
$userData = $this->getUserDataByUsername(
@@ -994,9 +1021,9 @@ final class Auth extends UserManager {
$password = self::validatePassword($password);
if (password_verify($password, $userData['password'])) {
if (\password_verify($password, $userData['password'])) {
// if the password needs to be re-hashed to keep up with improving password cracking techniques
if (password_needs_rehash($userData['password'], PASSWORD_DEFAULT)) {
if (\password_needs_rehash($userData['password'], \PASSWORD_DEFAULT)) {
// create a new hash from the password and update it in the database
$this->updatePassword($userData['id'], $password);
}
@@ -1064,7 +1091,7 @@ final class Auth extends UserManager {
*/
private function getUserDataByEmailAddress($email, array $requestedColumns) {
try {
$projection = implode(', ', $requestedColumns);
$projection = \implode(', ', $requestedColumns);
$userData = $this->db->selectRow(
'SELECT ' . $projection . ' FROM ' . $this->dbTablePrefix . 'users WHERE email = ?',
[ $email ]
@@ -1095,7 +1122,7 @@ final class Auth extends UserManager {
'SELECT COUNT(*) FROM ' . $this->dbTablePrefix . 'users_resets WHERE user = ? AND expires > ?',
[
$userId,
time()
\time()
]
);
@@ -1130,8 +1157,8 @@ final class Auth extends UserManager {
private function createPasswordResetRequest($userId, $expiresAfter, callable $callback) {
$selector = self::createRandomString(20);
$token = self::createRandomString(20);
$tokenHashed = password_hash($token, PASSWORD_DEFAULT);
$expiresAt = time() + $expiresAfter;
$tokenHashed = \password_hash($token, \PASSWORD_DEFAULT);
$expiresAt = \time() + $expiresAfter;
try {
$this->db->insert(
@@ -1148,7 +1175,7 @@ final class Auth extends UserManager {
throw new DatabaseError();
}
if (isset($callback) && is_callable($callback)) {
if (\is_callable($callback)) {
$callback($selector, $token);
}
else {
@@ -1188,8 +1215,8 @@ final class Auth extends UserManager {
if (!empty($resetData)) {
if ((int) $resetData['resettable'] === 1) {
if (password_verify($token, $resetData['token'])) {
if ($resetData['expires'] >= time()) {
if (\password_verify($token, $resetData['token'])) {
if ($resetData['expires'] >= \time()) {
$newPassword = self::validatePassword($newPassword);
// update the password in the database
@@ -1225,6 +1252,40 @@ final class Auth extends UserManager {
}
}
/**
* Check if the supplied selector/token pair can be used to reset a password
*
* The password can be reset using the supplied information if this method does *not* throw any exception
*
* The selector/token pair must have been generated previously by calling `Auth#forgotPassword(...)`
*
* @param string $selector the selector from the selector/token pair
* @param string $token the token from the selector/token pair
* @throws InvalidSelectorTokenPairException if either the selector or the token was not correct
* @throws TokenExpiredException if the token has already expired
* @throws ResetDisabledException if the user has explicitly disabled password resets for their account
* @throws TooManyRequestsException if the number of allowed attempts/requests has been exceeded
* @throws AuthError if an internal problem occurred (do *not* catch)
*/
public function canResetPasswordOrThrow($selector, $token) {
try {
// pass an invalid password intentionally to force an expected error
$this->resetPassword($selector, $token, null);
// we should already be in one of the `catch` blocks now so this is not expected
throw new AuthError();
}
// if the password is the only thing that's invalid
catch (InvalidPasswordException $ignored) {
// the password can be reset
}
// if some other things failed (as well)
catch (AuthException $e) {
// re-throw the exception
throw $e;
}
}
/**
* Check if the supplied selector/token pair can be used to reset a password
*
@@ -1237,18 +1298,10 @@ final class Auth extends UserManager {
*/
public function canResetPassword($selector, $token) {
try {
// pass an invalid password intentionally to force an expected error
$this->resetPassword($selector, $token, null);
$this->canResetPasswordOrThrow($selector, $token);
// we should already be in the `catch` block now so this is not expected
throw new AuthError();
}
// if the password is the only thing that's invalid
catch (InvalidPasswordException $e) {
// the password can be reset
return true;
}
// if some other things failed (as well)
catch (AuthException $e) {
return false;
}
@@ -1311,15 +1364,6 @@ final class Auth extends UserManager {
}
}
/**
* Sets whether the user is currently logged in and updates the session
*
* @param bool $loggedIn whether the user is logged in or not
*/
private function setLoggedIn($loggedIn) {
$_SESSION[self::SESSION_FIELD_LOGGED_IN] = $loggedIn;
}
/**
* Returns whether the user is currently logged in by reading from the session
*
@@ -1338,15 +1382,6 @@ final class Auth extends UserManager {
return $this->isLoggedIn();
}
/**
* Sets the currently signed-in user's ID and updates the session
*
* @param int $userId the user's ID
*/
private function setUserId($userId) {
$_SESSION[self::SESSION_FIELD_USER_ID] = intval($userId);
}
/**
* Returns the currently signed-in user's ID by reading from the session
*
@@ -1370,15 +1405,6 @@ final class Auth extends UserManager {
return $this->getUserId();
}
/**
* Sets the currently signed-in user's email address and updates the session
*
* @param string $email the email address
*/
private function setEmail($email) {
$_SESSION[self::SESSION_FIELD_EMAIL] = $email;
}
/**
* Returns the currently signed-in user's email address by reading from the session
*
@@ -1393,15 +1419,6 @@ final class Auth extends UserManager {
}
}
/**
* Sets the currently signed-in user's display name and updates the session
*
* @param string $username the display name
*/
private function setUsername($username) {
$_SESSION[self::SESSION_FIELD_USERNAME] = $username;
}
/**
* Returns the currently signed-in user's display name by reading from the session
*
@@ -1416,24 +1433,6 @@ final class Auth extends UserManager {
}
}
/**
* Sets the currently signed-in user's status and updates the session
*
* @param int $status the status as one of the constants from the {@see Status} class
*/
private function setStatus($status) {
$_SESSION[self::SESSION_FIELD_STATUS] = (int) $status;
}
/**
* Sets the currently signed-in user's roles and updates the session
*
* @param int $roles the bitmask containing the roles
*/
private function setRoles($roles) {
$_SESSION[self::SESSION_FIELD_ROLES] = (int) $roles;
}
/**
* Returns the currently signed-in user's status by reading from the session
*
@@ -1576,12 +1575,16 @@ final class Auth extends UserManager {
}
/**
* Sets whether the currently signed-in user has been remembered by a long-lived cookie
* Returns an array of the user's roles, mapping the numerical values to their descriptive names
*
* @param bool $remembered whether the user was remembered
* @return array
*/
private function setRemembered($remembered) {
$_SESSION[self::SESSION_FIELD_REMEMBERED] = $remembered;
public function getRoles() {
return \array_filter(
Role::getMap(),
[ $this, 'hasRole' ],
\ARRAY_FILTER_USE_KEY
);
}
/**
@@ -1621,6 +1624,10 @@ final class Auth extends UserManager {
* @throws AuthError if an internal problem occurred (do *not* catch)
*/
public function throttle(array $criteria, $supply, $interval, $burstiness = null, $simulated = null, $cost = null) {
if (!$this->throttling) {
return $supply;
}
// generate a unique key for the bucket (consisting of 44 or fewer ASCII characters)
$key = Base64::encodeUrlSafeWithoutPadding(
\hash(
@@ -1729,24 +1736,6 @@ final class Auth extends UserManager {
return new Administration($this->db, $this->dbTablePrefix);
}
/**
* Creates the cookie settings that will be used to create and update cookies on the client
*
* @return array the cookie settings
*/
private function createCookieSettings() {
// get the default cookie settings
$params = session_get_cookie_params();
// check if we want to send cookies via SSL/TLS only
$params['secure'] = $params['secure'] || $this->useHttps;
// check if we want to send cookies via HTTP(S) only
$params['httponly'] = $params['httponly'] || !$this->allowCookiesScriptAccess;
// return the modified settings
return $params;
}
/**
* Creates a UUID v4 as per RFC 4122
*
@@ -1756,14 +1745,57 @@ final class Auth extends UserManager {
* @author Jack @ Stack Overflow
*/
public static function createUuid() {
$data = openssl_random_pseudo_bytes(16);
$data = \openssl_random_pseudo_bytes(16);
// set the version to 0100
$data[6] = chr(ord($data[6]) & 0x0f | 0x40);
$data[6] = \chr(\ord($data[6]) & 0x0f | 0x40);
// set bits 6-7 to 10
$data[8] = chr(ord($data[8]) & 0x3f | 0x80);
$data[8] = \chr(\ord($data[8]) & 0x3f | 0x80);
return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($data), 4));
return \vsprintf('%s%s-%s-%s-%s-%s%s%s', \str_split(\bin2hex($data), 4));
}
/**
* Generates a unique cookie name for the given descriptor based on the supplied seed
*
* @param string $descriptor a short label describing the purpose of the cookie, e.g. 'session'
* @param string|null $seed (optional) the data to deterministically generate the name from
* @return string
*/
public static function createCookieName($descriptor, $seed = null) {
// use the supplied seed or the current UNIX time in seconds
$seed = ($seed !== null) ? $seed : \time();
foreach (self::COOKIE_PREFIXES as $cookiePrefix) {
// if the seed contains a certain cookie prefix
if (\strpos($seed, $cookiePrefix) === 0) {
// prepend the same prefix to the descriptor
$descriptor = $cookiePrefix . $descriptor;
}
}
// generate a unique token based on the name(space) of this library and on the seed
$token = Base64::encodeUrlSafeWithoutPadding(
\md5(
__NAMESPACE__ . "\n" . $seed,
true
)
);
return $descriptor . '_' . $token;
}
/**
* Generates a unique cookie name for the 'remember me' feature
*
* @param string|null $sessionName (optional) the session name that the output should be based on
* @return string
*/
public static function createRememberCookieName($sessionName = null) {
return self::createCookieName(
'remember',
($sessionName !== null) ? $sessionName : \session_name()
);
}
}

49
src/Role.php
View File

@@ -32,14 +32,47 @@ final class Role {
const SUPER_EDITOR = 524288;
const SUPER_MODERATOR = 1048576;
const TRANSLATOR = 2097152;
// const XXX = 4194304;
// const XXX = 8388608;
// const XXX = 16777216;
// const XXX = 33554432;
// const XXX = 67108864;
// const XXX = 134217728;
// const XXX = 268435456;
// const XXX = 536870912;
// const XYZ = 4194304;
// const XYZ = 8388608;
// const XYZ = 16777216;
// const XYZ = 33554432;
// const XYZ = 67108864;
// const XYZ = 134217728;
// const XYZ = 268435456;
// const XYZ = 536870912;
/**
* Returns an array mapping the numerical role values to their descriptive names
*
* @return array
*/
public static function getMap() {
$reflectionClass = new \ReflectionClass(static::class);
return \array_flip($reflectionClass->getConstants());
}
/**
* Returns the descriptive role names
*
* @return string[]
*/
public static function getNames() {
$reflectionClass = new \ReflectionClass(static::class);
return \array_keys($reflectionClass->getConstants());
}
/**
* Returns the numerical role values
*
* @return int[]
*/
public static function getValues() {
$reflectionClass = new \ReflectionClass(static::class);
return \array_values($reflectionClass->getConstants());
}
private function __construct() {}

80
src/UserManager.php
View File

@@ -9,6 +9,7 @@
namespace Delight\Auth;
use Delight\Base64\Base64;
use Delight\Cookie\Session;
use Delight\Db\PdoDatabase;
use Delight\Db\PdoDsn;
use Delight\Db\Throwable\Error;
@@ -23,7 +24,22 @@ require_once __DIR__ . '/Exceptions.php';
*/
abstract class UserManager {
const CONFIRMATION_REQUESTS_TTL_IN_SECONDS = 60 * 60 * 24;
/** @var string session field for whether the client is currently signed in */
const SESSION_FIELD_LOGGED_IN = 'auth_logged_in';
/** @var string session field for the ID of the user who is currently signed in (if any) */
const SESSION_FIELD_USER_ID = 'auth_user_id';
/** @var string session field for the email address of the user who is currently signed in (if any) */
const SESSION_FIELD_EMAIL = 'auth_email';
/** @var string session field for the display name (if any) of the user who is currently signed in (if any) */
const SESSION_FIELD_USERNAME = 'auth_username';
/** @var string session field for the status of the user who is currently signed in (if any) as one of the constants from the {@see Status} class */
const SESSION_FIELD_STATUS = 'auth_status';
/** @var string session field for the roles of the user who is currently signed in (if any) as a bitmask using constants from the {@see Role} class */
const SESSION_FIELD_ROLES = 'auth_roles';
/** @var string session field for whether the user who is currently signed in (if any) has been remembered (instead of them having authenticated actively) */
const SESSION_FIELD_REMEMBERED = 'auth_remembered';
/** @var string session field for the UNIX timestamp in seconds of the session data's last resynchronization with its authoritative source in the database */
const SESSION_FIELD_LAST_RESYNC = 'auth_last_resync';
/** @var PdoDatabase the database connection to operate on */
protected $db;
@@ -40,10 +56,10 @@ abstract class UserManager {
*/
public static function createRandomString($maxLength = 24) {
// calculate how many bytes of randomness we need for the specified string length
$bytes = floor(intval($maxLength) / 4) * 3;
$bytes = \floor((int) $maxLength / 4) * 3;
// get random data
$data = openssl_random_pseudo_bytes($bytes);
$data = \openssl_random_pseudo_bytes($bytes);
// return the Base64-encoded result
return Base64::encodeUrlSafe($data);
@@ -103,12 +119,12 @@ abstract class UserManager {
* @see confirmEmailAndSignIn
*/
protected function createUserInternal($requireUniqueUsername, $email, $password, $username = null, callable $callback = null) {
ignore_user_abort(true);
\ignore_user_abort(true);
$email = self::validateEmailAddress($email);
$password = self::validatePassword($password);
$username = isset($username) ? trim($username) : null;
$username = isset($username) ? \trim($username) : null;
// if the supplied username is the empty string or has consisted of whitespace only
if ($username === '') {
@@ -134,8 +150,8 @@ abstract class UserManager {
}
}
$password = password_hash($password, PASSWORD_DEFAULT);
$verified = isset($callback) && is_callable($callback) ? 0 : 1;
$password = \password_hash($password, \PASSWORD_DEFAULT);
$verified = \is_callable($callback) ? 0 : 1;
try {
$this->db->insert(
@@ -145,7 +161,7 @@ abstract class UserManager {
'password' => $password,
'username' => $username,
'verified' => $verified,
'registered' => time()
'registered' => \time()
]
);
}
@@ -166,6 +182,34 @@ abstract class UserManager {
return $newUserId;
}
/**
* Called when a user has successfully logged in
*
* This may happen via the standard login, via the "remember me" feature, or due to impersonation by administrators
*
* @param int $userId the ID of the user
* @param string $email the email address of the user
* @param string $username the display name (if any) of the user
* @param int $status the status of the user as one of the constants from the {@see Status} class
* @param int $roles the roles of the user as a bitmask using constants from the {@see Role} class
* @param bool $remembered whether the user has been remembered (instead of them having authenticated actively)
* @throws AuthError if an internal problem occurred (do *not* catch)
*/
protected function onLoginSuccessful($userId, $email, $username, $status, $roles, $remembered) {
// re-generate the session ID to prevent session fixation attacks (requests a cookie to be written on the client)
Session::regenerate(true);
// save the user data in the session variables maintained by this library
$_SESSION[self::SESSION_FIELD_LOGGED_IN] = true;
$_SESSION[self::SESSION_FIELD_USER_ID] = (int) $userId;
$_SESSION[self::SESSION_FIELD_EMAIL] = $email;
$_SESSION[self::SESSION_FIELD_USERNAME] = $username;
$_SESSION[self::SESSION_FIELD_STATUS] = (int) $status;
$_SESSION[self::SESSION_FIELD_ROLES] = (int) $roles;
$_SESSION[self::SESSION_FIELD_REMEMBERED] = $remembered;
$_SESSION[self::SESSION_FIELD_LAST_RESYNC] = \time();
}
/**
* Returns the requested user data for the account with the specified username (if any)
*
@@ -180,7 +224,7 @@ abstract class UserManager {
*/
protected function getUserDataByUsername($username, array $requestedColumns) {
try {
$projection = implode(', ', $requestedColumns);
$projection = \implode(', ', $requestedColumns);
$users = $this->db->select(
'SELECT ' . $projection . ' FROM ' . $this->dbTablePrefix . 'users WHERE username = ? LIMIT 2 OFFSET 0',
@@ -195,7 +239,7 @@ abstract class UserManager {
throw new UnknownUsernameException();
}
else {
if (count($users) === 1) {
if (\count($users) === 1) {
return $users[0];
}
else {
@@ -216,9 +260,9 @@ abstract class UserManager {
throw new InvalidEmailException();
}
$email = trim($email);
$email = \trim($email);
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
if (!\filter_var($email, \FILTER_VALIDATE_EMAIL)) {
throw new InvalidEmailException();
}
@@ -237,9 +281,9 @@ abstract class UserManager {
throw new InvalidPasswordException();
}
$password = trim($password);
$password = \trim($password);
if (strlen($password) < 1) {
if (\strlen($password) < 1) {
throw new InvalidPasswordException();
}
@@ -265,10 +309,8 @@ abstract class UserManager {
protected function createConfirmationRequest($userId, $email, callable $callback) {
$selector = self::createRandomString(16);
$token = self::createRandomString(16);
$tokenHashed = password_hash($token, PASSWORD_DEFAULT);
// the request shall be valid for one day
$expires = time() + self::CONFIRMATION_REQUESTS_TTL_IN_SECONDS;
$tokenHashed = \password_hash($token, \PASSWORD_DEFAULT);
$expires = \time() + 60 * 60 * 24;
try {
$this->db->insert(
@@ -286,7 +328,7 @@ abstract class UserManager {
throw new DatabaseError();
}
if (isset($callback) && is_callable($callback)) {
if (\is_callable($callback)) {
$callback($selector, $token);
}
else {

318
tests/index.php
View File

@@ -15,33 +15,36 @@
*/
// enable error reporting
error_reporting(E_ALL);
ini_set('display_errors', 'stdout');
\error_reporting(\E_ALL);
\ini_set('display_errors', 'stdout');
// enable assertions
ini_set('assert.active', 1);
@ini_set('zend.assertions', 1);
ini_set('assert.exception', 1);
\ini_set('assert.active', 1);
@\ini_set('zend.assertions', 1);
\ini_set('assert.exception', 1);
header('Content-type: text/html; charset=utf-8');
\header('Content-type: text/html; charset=utf-8');
require __DIR__.'/../vendor/autoload.php';
$db = new PDO('mysql:dbname=php_auth;host=127.0.0.1;charset=utf8mb4', 'root', 'monkey');
$db = new \PDO('mysql:dbname=php_auth;host=127.0.0.1;charset=utf8mb4', 'root', 'monkey');
// or
// $db = new PDO('sqlite:../Databases/php_auth.sqlite');
// $db = new \PDO('pgsql:dbname=php_auth;host=127.0.0.1;port=5432', 'postgres', 'monkey');
// or
// $db = new \PDO('sqlite:../Databases/php_auth.sqlite');
$auth = new \Delight\Auth\Auth($db);
$result = processRequestData($auth);
$result = \processRequestData($auth);
showDebugData($auth, $result);
\showGeneralForm();
\showDebugData($auth, $result);
if ($auth->check()) {
showAuthenticatedUserForm($auth);
\showAuthenticatedUserForm($auth);
}
else {
showGuestUserForm();
\showGuestUserForm();
}
function processRequestData(\Delight\Auth\Auth $auth) {
@@ -83,7 +86,7 @@ function processRequestData(\Delight\Auth\Auth $auth) {
return 'wrong password';
}
catch (\Delight\Auth\EmailNotVerifiedException $e) {
return 'email not verified';
return 'email address not verified';
}
catch (\Delight\Auth\TooManyRequestsException $e) {
return 'too many requests';
@@ -98,11 +101,11 @@ function processRequestData(\Delight\Auth\Auth $auth) {
echo "\n";
echo ' > Selector';
echo "\t\t\t\t";
echo htmlspecialchars($selector);
echo \htmlspecialchars($selector);
echo "\n";
echo ' > Token';
echo "\t\t\t\t";
echo htmlspecialchars($token);
echo \htmlspecialchars($token);
echo '</pre>';
};
}
@@ -177,11 +180,11 @@ function processRequestData(\Delight\Auth\Auth $auth) {
echo "\n";
echo ' > Selector';
echo "\t\t\t\t";
echo htmlspecialchars($selector);
echo \htmlspecialchars($selector);
echo "\n";
echo ' > Token';
echo "\t\t\t\t";
echo htmlspecialchars($token);
echo \htmlspecialchars($token);
echo '</pre>';
});
@@ -202,11 +205,11 @@ function processRequestData(\Delight\Auth\Auth $auth) {
echo "\n";
echo ' > Selector';
echo "\t\t\t\t";
echo htmlspecialchars($selector);
echo \htmlspecialchars($selector);
echo "\n";
echo ' > Token';
echo "\t\t\t\t";
echo htmlspecialchars($token);
echo \htmlspecialchars($token);
echo '</pre>';
});
@@ -227,11 +230,11 @@ function processRequestData(\Delight\Auth\Auth $auth) {
echo "\n";
echo ' > Selector';
echo "\t\t\t\t";
echo htmlspecialchars($selector);
echo \htmlspecialchars($selector);
echo "\n";
echo ' > Token';
echo "\t\t\t\t";
echo htmlspecialchars($token);
echo \htmlspecialchars($token);
echo '</pre>';
});
@@ -241,10 +244,10 @@ function processRequestData(\Delight\Auth\Auth $auth) {
return 'invalid email address';
}
catch (\Delight\Auth\EmailNotVerifiedException $e) {
return 'email not verified';
return 'email address not verified';
}
catch (\Delight\Auth\ResetDisabledException $e) {
return 'password reset disabled';
return 'password reset is disabled';
}
catch (\Delight\Auth\TooManyRequestsException $e) {
return 'too many requests';
@@ -263,7 +266,7 @@ function processRequestData(\Delight\Auth\Auth $auth) {
return 'token expired';
}
catch (\Delight\Auth\ResetDisabledException $e) {
return 'password reset disabled';
return 'password reset is disabled';
}
catch (\Delight\Auth\InvalidPasswordException $e) {
return 'invalid password';
@@ -272,6 +275,25 @@ function processRequestData(\Delight\Auth\Auth $auth) {
return 'too many requests';
}
}
else if ($_POST['action'] === 'canResetPassword') {
try {
$auth->canResetPasswordOrThrow($_POST['selector'], $_POST['token']);
return 'yes';
}
catch (\Delight\Auth\InvalidSelectorTokenPairException $e) {
return 'invalid token';
}
catch (\Delight\Auth\TokenExpiredException $e) {
return 'token expired';
}
catch (\Delight\Auth\ResetDisabledException $e) {
return 'password reset is disabled';
}
catch (\Delight\Auth\TooManyRequestsException $e) {
return 'too many requests';
}
}
else if ($_POST['action'] === 'reconfirmPassword') {
try {
return $auth->reconfirmPassword($_POST['password']) ? 'correct' : 'wrong';
@@ -320,11 +342,11 @@ function processRequestData(\Delight\Auth\Auth $auth) {
echo "\n";
echo ' > Selector';
echo "\t\t\t\t";
echo htmlspecialchars($selector);
echo \htmlspecialchars($selector);
echo "\n";
echo ' > Token';
echo "\t\t\t\t";
echo htmlspecialchars($token);
echo \htmlspecialchars($token);
echo '</pre>';
});
@@ -356,13 +378,13 @@ function processRequestData(\Delight\Auth\Auth $auth) {
return 'not logged in';
}
}
else if ($_POST['action'] === 'logOutButKeepSession') {
$auth->logOutButKeepSession();
else if ($_POST['action'] === 'logOut') {
$auth->logOut();
return 'ok';
}
else if ($_POST['action'] === 'logout') {
$auth->logout();
else if ($_POST['action'] === 'logOutAndDestroySession') {
$auth->logOutAndDestroySession();
return 'ok';
}
@@ -421,7 +443,7 @@ function processRequestData(\Delight\Auth\Auth $auth) {
}
}
else {
return 'either ID, email or username required';
return 'either ID, email address or username required';
}
return 'ok';
@@ -456,7 +478,7 @@ function processRequestData(\Delight\Auth\Auth $auth) {
}
}
else {
return 'either ID, email or username required';
return 'either ID, email address or username required';
}
}
else {
@@ -495,7 +517,7 @@ function processRequestData(\Delight\Auth\Auth $auth) {
}
}
else {
return 'either ID, email or username required';
return 'either ID, email address or username required';
}
}
else {
@@ -522,8 +544,78 @@ function processRequestData(\Delight\Auth\Auth $auth) {
return 'ID required';
}
}
else if ($_POST['action'] === 'admin.getRoles') {
if (isset($_POST['id'])) {
try {
return $auth->admin()->getRolesForUserById($_POST['id']);
}
catch (\Delight\Auth\UnknownIdException $e) {
return 'unknown ID';
}
}
else {
return 'ID required';
}
}
else if ($_POST['action'] === 'admin.logInAsUserById') {
if (isset($_POST['id'])) {
try {
$auth->admin()->logInAsUserById($_POST['id']);
return 'ok';
}
catch (\Delight\Auth\UnknownIdException $e) {
return 'unknown ID';
}
catch (\Delight\Auth\EmailNotVerifiedException $e) {
return 'email address not verified';
}
}
else {
return 'ID required';
}
}
else if ($_POST['action'] === 'admin.logInAsUserByEmail') {
if (isset($_POST['email'])) {
try {
$auth->admin()->logInAsUserByEmail($_POST['email']);
return 'ok';
}
catch (\Delight\Auth\InvalidEmailException $e) {
return 'unknown email address';
}
catch (\Delight\Auth\EmailNotVerifiedException $e) {
return 'email address not verified';
}
}
else {
return 'Email address required';
}
}
else if ($_POST['action'] === 'admin.logInAsUserByUsername') {
if (isset($_POST['username'])) {
try {
$auth->admin()->logInAsUserByUsername($_POST['username']);
return 'ok';
}
catch (\Delight\Auth\UnknownUsernameException $e) {
return 'unknown username';
}
catch (\Delight\Auth\AmbiguousUsernameException $e) {
return 'ambiguous username';
}
catch (\Delight\Auth\EmailNotVerifiedException $e) {
return 'email address not verified';
}
}
else {
return 'Username required';
}
}
else {
throw new Exception('Unexpected action: '.$_POST['action']);
throw new Exception('Unexpected action: ' . $_POST['action']);
}
}
}
@@ -534,57 +626,68 @@ function processRequestData(\Delight\Auth\Auth $auth) {
function showDebugData(\Delight\Auth\Auth $auth, $result) {
echo '<pre>';
echo 'Last operation'."\t\t\t\t";
var_dump($result);
echo 'Session ID'."\t\t\t\t";
var_dump(session_id());
echo 'Last operation' . "\t\t\t\t";
\var_dump($result);
echo 'Session ID' . "\t\t\t\t";
\var_dump(\session_id());
echo "\n";
echo '$auth->isLoggedIn()'."\t\t\t";
var_dump($auth->isLoggedIn());
echo '$auth->check()'."\t\t\t\t";
var_dump($auth->check());
echo '$auth->isLoggedIn()' . "\t\t\t";
\var_dump($auth->isLoggedIn());
echo '$auth->check()' . "\t\t\t\t";
\var_dump($auth->check());
echo "\n";
echo '$auth->getUserId()'."\t\t\t";
var_dump($auth->getUserId());
echo '$auth->id()'."\t\t\t\t";
var_dump($auth->id());
echo '$auth->getUserId()' . "\t\t\t";
\var_dump($auth->getUserId());
echo '$auth->id()' . "\t\t\t\t";
\var_dump($auth->id());
echo "\n";
echo '$auth->getEmail()'."\t\t\t";
var_dump($auth->getEmail());
echo '$auth->getUsername()'."\t\t\t";
var_dump($auth->getUsername());
echo '$auth->getEmail()' . "\t\t\t";
\var_dump($auth->getEmail());
echo '$auth->getUsername()' . "\t\t\t";
\var_dump($auth->getUsername());
echo '$auth->getStatus()'."\t\t\t";
echo convertStatusToText($auth);
echo '$auth->getStatus()' . "\t\t\t";
echo \convertStatusToText($auth);
echo ' / ';
var_dump($auth->getStatus());
\var_dump($auth->getStatus());
echo "\n";
echo 'Roles (super moderator)'."\t\t\t";
var_dump($auth->hasRole(\Delight\Auth\Role::SUPER_MODERATOR));
echo 'Roles (super moderator)' . "\t\t\t";
\var_dump($auth->hasRole(\Delight\Auth\Role::SUPER_MODERATOR));
echo 'Roles (developer *or* manager)'."\t\t";
var_dump($auth->hasAnyRole(\Delight\Auth\Role::DEVELOPER, \Delight\Auth\Role::MANAGER));
echo 'Roles (developer *or* manager)' . "\t\t";
\var_dump($auth->hasAnyRole(\Delight\Auth\Role::DEVELOPER, \Delight\Auth\Role::MANAGER));
echo 'Roles (developer *and* manager)'."\t\t";
var_dump($auth->hasAllRoles(\Delight\Auth\Role::DEVELOPER, \Delight\Auth\Role::MANAGER));
echo 'Roles (developer *and* manager)' . "\t\t";
\var_dump($auth->hasAllRoles(\Delight\Auth\Role::DEVELOPER, \Delight\Auth\Role::MANAGER));
echo 'Roles' . "\t\t\t\t\t";
echo \json_encode($auth->getRoles()) . "\n";
echo "\n";
echo '$auth->isRemembered()'."\t\t\t";
var_dump($auth->isRemembered());
echo '$auth->getIpAddress()'."\t\t\t";
var_dump($auth->getIpAddress());
echo '$auth->isRemembered()' . "\t\t\t";
\var_dump($auth->isRemembered());
echo '$auth->getIpAddress()' . "\t\t\t";
\var_dump($auth->getIpAddress());
echo "\n";
echo 'Auth::createRandomString()'."\t\t";
var_dump(\Delight\Auth\Auth::createRandomString());
echo 'Auth::createUuid()'."\t\t\t";
var_dump(\Delight\Auth\Auth::createUuid());
echo 'Session name' . "\t\t\t\t";
\var_dump(\session_name());
echo 'Auth::createRememberCookieName()' . "\t";
\var_dump(\Delight\Auth\Auth::createRememberCookieName());
echo "\n";
echo 'Auth::createCookieName(\'session\')' . "\t";
\var_dump(\Delight\Auth\Auth::createCookieName('session'));
echo 'Auth::createRandomString()' . "\t\t";
\var_dump(\Delight\Auth\Auth::createRandomString());
echo 'Auth::createUuid()' . "\t\t\t";
\var_dump(\Delight\Auth\Auth::createUuid());
echo '</pre>';
}
@@ -626,8 +729,6 @@ function showGeneralForm() {
}
function showAuthenticatedUserForm(\Delight\Auth\Auth $auth) {
showGeneralForm();
echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="reconfirmPassword" />';
echo '<input type="text" name="password" placeholder="Password" /> ';
@@ -653,7 +754,7 @@ function showAuthenticatedUserForm(\Delight\Auth\Auth $auth) {
echo '<button type="submit">Change email address</button>';
echo '</form>';
showConfirmEmailForm();
\showConfirmEmailForm();
echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="setPasswordResetEnabled" />';
@@ -665,24 +766,22 @@ function showAuthenticatedUserForm(\Delight\Auth\Auth $auth) {
echo '</form>';
echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="logOutButKeepSession" />';
echo '<button type="submit">Log out but keep session</button>';
echo '<input type="hidden" name="action" value="logOut" />';
echo '<button type="submit">Log out</button>';
echo '</form>';
echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="logout" />';
echo '<button type="submit">Log out</button>';
echo '<input type="hidden" name="action" value="logOutAndDestroySession" />';
echo '<button type="submit">Log out and destroy session</button>';
echo '</form>';
}
function showGuestUserForm() {
showGeneralForm();
echo '<h1>Public</h1>';
echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="login" />';
echo '<input type="text" name="email" placeholder="Email" /> ';
echo '<input type="text" name="email" placeholder="Email address" /> ';
echo '<input type="text" name="password" placeholder="Password" /> ';
echo '<select name="remember" size="1">';
echo '<option value="0">Remember (keep logged in)? — No</option>';
@@ -704,7 +803,7 @@ function showGuestUserForm() {
echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="register" />';
echo '<input type="text" name="email" placeholder="Email" /> ';
echo '<input type="text" name="email" placeholder="Email address" /> ';
echo '<input type="text" name="password" placeholder="Password" /> ';
echo '<input type="text" name="username" placeholder="Username (optional)" /> ';
echo '<select name="require_verification" size="1">';
@@ -718,11 +817,11 @@ function showGuestUserForm() {
echo '<button type="submit">Register</button>';
echo '</form>';
showConfirmEmailForm();
\showConfirmEmailForm();
echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="forgotPassword" />';
echo '<input type="text" name="email" placeholder="Email" /> ';
echo '<input type="text" name="email" placeholder="Email address" /> ';
echo '<button type="submit">Forgot password</button>';
echo '</form>';
@@ -734,11 +833,18 @@ function showGuestUserForm() {
echo '<button type="submit">Reset password</button>';
echo '</form>';
echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="canResetPassword" />';
echo '<input type="text" name="selector" placeholder="Selector" /> ';
echo '<input type="text" name="token" placeholder="Token" /> ';
echo '<button type="submit">Can reset password?</button>';
echo '</form>';
echo '<h1>Administration</h1>';
echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="admin.createUser" />';
echo '<input type="text" name="email" placeholder="Email" /> ';
echo '<input type="text" name="email" placeholder="Email address" /> ';
echo '<input type="text" name="password" placeholder="Password" /> ';
echo '<input type="text" name="username" placeholder="Username (optional)" /> ';
echo '<select name="require_unique_username" size="1">';
@@ -756,7 +862,7 @@ function showGuestUserForm() {
echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="admin.deleteUser" />';
echo '<input type="text" name="email" placeholder="Email" /> ';
echo '<input type="text" name="email" placeholder="Email address" /> ';
echo '<button type="submit">Delete user by email</button>';
echo '</form>';
@@ -769,51 +875,75 @@ function showGuestUserForm() {
echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="admin.addRole" />';
echo '<input type="text" name="id" placeholder="ID" /> ';
echo '<select name="role">' . createRolesOptions() . '</select>';
echo '<select name="role">' . \createRolesOptions() . '</select>';
echo '<button type="submit">Add role for user by ID</button>';
echo '</form>';
echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="admin.addRole" />';
echo '<input type="text" name="email" placeholder="Email" /> ';
echo '<select name="role">' . createRolesOptions() . '</select>';
echo '<input type="text" name="email" placeholder="Email address" /> ';
echo '<select name="role">' . \createRolesOptions() . '</select>';
echo '<button type="submit">Add role for user by email</button>';
echo '</form>';
echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="admin.addRole" />';
echo '<input type="text" name="username" placeholder="Username" /> ';
echo '<select name="role">' . createRolesOptions() . '</select>';
echo '<select name="role">' . \createRolesOptions() . '</select>';
echo '<button type="submit">Add role for user by username</button>';
echo '</form>';
echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="admin.removeRole" />';
echo '<input type="text" name="id" placeholder="ID" /> ';
echo '<select name="role">' . createRolesOptions() . '</select>';
echo '<select name="role">' . \createRolesOptions() . '</select>';
echo '<button type="submit">Remove role for user by ID</button>';
echo '</form>';
echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="admin.removeRole" />';
echo '<input type="text" name="email" placeholder="Email" /> ';
echo '<select name="role">' . createRolesOptions() . '</select>';
echo '<input type="text" name="email" placeholder="Email address" /> ';
echo '<select name="role">' . \createRolesOptions() . '</select>';
echo '<button type="submit">Remove role for user by email</button>';
echo '</form>';
echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="admin.removeRole" />';
echo '<input type="text" name="username" placeholder="Username" /> ';
echo '<select name="role">' . createRolesOptions() . '</select>';
echo '<select name="role">' . \createRolesOptions() . '</select>';
echo '<button type="submit">Remove role for user by username</button>';
echo '</form>';
echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="admin.hasRole" />';
echo '<input type="text" name="id" placeholder="ID" /> ';
echo '<select name="role">' . createRolesOptions() . '</select>';
echo '<select name="role">' . \createRolesOptions() . '</select>';
echo '<button type="submit">Does user have role?</button>';
echo '</form>';
echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="admin.getRoles" />';
echo '<input type="text" name="id" placeholder="ID" /> ';
echo '<button type="submit">Get user\'s roles</button>';
echo '</form>';
echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="admin.logInAsUserById" />';
echo '<input type="text" name="id" placeholder="ID" /> ';
echo '<button type="submit">Log in as user by ID</button>';
echo '</form>';
echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="admin.logInAsUserByEmail" />';
echo '<input type="text" name="email" placeholder="Email address" /> ';
echo '<button type="submit">Log in as user by email address</button>';
echo '</form>';
echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="admin.logInAsUserByUsername" />';
echo '<input type="text" name="username" placeholder="Username" /> ';
echo '<button type="submit">Log in as user by username</button>';
echo '</form>';
}
function showConfirmEmailForm() {
@@ -831,7 +961,7 @@ function showConfirmEmailForm() {
echo '<form action="" method="post" accept-charset="utf-8">';
echo '<input type="hidden" name="action" value="resendConfirmationForEmail" />';
echo '<input type="text" name="email" placeholder="Email" /> ';
echo '<input type="text" name="email" placeholder="Email address" /> ';
echo '<button type="submit">Re-send confirmation</button>';
echo '</form>';
@@ -843,11 +973,9 @@ function showConfirmEmailForm() {
}
function createRolesOptions() {
$roleReflection = new ReflectionClass(\Delight\Auth\Role::class);
$out = '';
foreach ($roleReflection->getConstants() as $roleName => $roleValue) {
foreach (\Delight\Auth\Role::getMap() as $roleValue => $roleName) {
$out .= '<option value="' . $roleValue . '">' . $roleName . '</option>';
}