/**
  * Method to display the view.
  *
  * @param   string  $tpl  The name of the template file to parse; automatically searches through the template paths.
  *
  * @return  mixed  A string if successful, otherwise an Error object.
  *
  * @since   1.5
  */
 public function display($tpl = null)
 {
     // Get the view data.
     $this->user = JFactory::getUser();
     $this->form = $this->get('Form');
     $this->state = $this->get('State');
     $this->params = $this->state->get('params');
     // Check for errors.
     if (count($errors = $this->get('Errors'))) {
         JError::raiseError(500, implode('<br />', $errors));
         return false;
     }
     // Check for layout override
     $active = JFactory::getApplication()->getMenu()->getActive();
     if (isset($active->query['layout'])) {
         $this->setLayout($active->query['layout']);
     }
     $tfa = JAuthenticationHelper::getTwoFactorMethods();
     $this->tfa = is_array($tfa) && count($tfa) > 1;
     // Escape strings for HTML output
     $this->pageclass_sfx = htmlspecialchars($this->params->get('pageclass_sfx'), ENT_COMPAT, 'UTF-8');
     $this->prepareDocument();
     parent::display($tpl);
 }
<?php

/**
 * @package     Joomla.Administrator
 * @subpackage  mod_login
 *
 * @copyright   Copyright (C) 2005 - 2016 Open Source Matters, Inc. All rights reserved.
 * @license     GNU General Public License version 2 or later; see LICENSE.txt
 */
defined('_JEXEC') or die;
// Include the login functions only once
JLoader::register('ModLoginHelper', __DIR__ . '/helper.php');
$langs = ModLoginHelper::getLanguageList();
$twofactormethods = JAuthenticationHelper::getTwoFactorMethods();
$return = ModLoginHelper::getReturnUri();
require JModuleHelper::getLayoutPath('mod_login', $params->get('layout', 'default'));
Beispiel #3
0
 /**
  * This method should handle any authentication and report back to the subject
  *
  * @param   array   $credentials  Array holding the user credentials
  * @param   array   $options      Array of extra options
  * @param   object  &$response    Authentication response object
  *
  * @return  void
  *
  * @since   1.5
  */
 public function onUserAuthenticate($credentials, $options, &$response)
 {
     $response->type = 'Joomla';
     // Joomla does not like blank passwords
     if (empty($credentials['password'])) {
         $response->status = JAuthentication::STATUS_FAILURE;
         $response->error_message = JText::_('JGLOBAL_AUTH_EMPTY_PASS_NOT_ALLOWED');
         return;
     }
     // Get a database object
     $db = JFactory::getDbo();
     $query = $db->getQuery(true)->select('id, password')->from('#__users')->where('username='******'username']));
     $db->setQuery($query);
     $result = $db->loadObject();
     if ($result) {
         $match = JUserHelper::verifyPassword($credentials['password'], $result->password, $result->id);
         if ($match === true) {
             // Bring this in line with the rest of the system
             $user = JUser::getInstance($result->id);
             $response->email = $user->email;
             $response->fullname = $user->name;
             if (JFactory::getApplication()->isAdmin()) {
                 $response->language = $user->getParam('admin_language');
             } else {
                 $response->language = $user->getParam('language');
             }
             $response->status = JAuthentication::STATUS_SUCCESS;
             $response->error_message = '';
         } else {
             // Invalid password
             $response->status = JAuthentication::STATUS_FAILURE;
             $response->error_message = JText::_('JGLOBAL_AUTH_INVALID_PASS');
         }
     } else {
         // Let's hash the entered password even if we don't have a matching user for some extra response time
         // By doing so, we mitigate side channel user enumeration attacks
         JUserHelper::hashPassword($credentials['password']);
         // Invalid user
         $response->status = JAuthentication::STATUS_FAILURE;
         $response->error_message = JText::_('JGLOBAL_AUTH_NO_USER');
     }
     // Check the two factor authentication
     if ($response->status == JAuthentication::STATUS_SUCCESS) {
         $methods = JAuthenticationHelper::getTwoFactorMethods();
         if (count($methods) <= 1) {
             // No two factor authentication method is enabled
             return;
         }
         JModelLegacy::addIncludePath(JPATH_ADMINISTRATOR . '/components/com_users/models', 'UsersModel');
         /** @var UsersModelUser $model */
         $model = JModelLegacy::getInstance('User', 'UsersModel', array('ignore_request' => true));
         // Load the user's OTP (one time password, a.k.a. two factor auth) configuration
         if (!array_key_exists('otp_config', $options)) {
             $otpConfig = $model->getOtpConfig($result->id);
             $options['otp_config'] = $otpConfig;
         } else {
             $otpConfig = $options['otp_config'];
         }
         // Check if the user has enabled two factor authentication
         if (empty($otpConfig->method) || $otpConfig->method == 'none') {
             // Warn the user if they are using a secret code but they have not
             // enabed two factor auth in their account.
             if (!empty($credentials['secretkey'])) {
                 try {
                     $app = JFactory::getApplication();
                     $this->loadLanguage();
                     $app->enqueueMessage(JText::_('PLG_AUTH_JOOMLA_ERR_SECRET_CODE_WITHOUT_TFA'), 'warning');
                 } catch (Exception $exc) {
                     // This happens when we are in CLI mode. In this case
                     // no warning is issued
                     return;
                 }
             }
             return;
         }
         // Try to validate the OTP
         FOFPlatform::getInstance()->importPlugin('twofactorauth');
         $otpAuthReplies = FOFPlatform::getInstance()->runPlugins('onUserTwofactorAuthenticate', array($credentials, $options));
         $check = false;
         /*
          * This looks like noob code but DO NOT TOUCH IT and do not convert
          * to in_array(). During testing in_array() inexplicably returned
          * null when the OTEP begins with a zero! o_O
          */
         if (!empty($otpAuthReplies)) {
             foreach ($otpAuthReplies as $authReply) {
                 $check = $check || $authReply;
             }
         }
         // Fall back to one time emergency passwords
         if (!$check) {
             // Did the user use an OTEP instead?
             if (empty($otpConfig->otep)) {
                 if (empty($otpConfig->method) || $otpConfig->method == 'none') {
                     // Two factor authentication is not enabled on this account.
                     // Any string is assumed to be a valid OTEP.
                     return;
                 } else {
                     /*
                      * Two factor authentication enabled and no OTEPs defined. The
                      * user has used them all up. Therefore anything they enter is
                      * an invalid OTEP.
                      */
                     return;
                 }
             }
             // Clean up the OTEP (remove dashes, spaces and other funny stuff
             // our beloved users may have unwittingly stuffed in it)
             $otep = $credentials['secretkey'];
             $otep = filter_var($otep, FILTER_SANITIZE_NUMBER_INT);
             $otep = str_replace('-', '', $otep);
             $check = false;
             // Did we find a valid OTEP?
             if (in_array($otep, $otpConfig->otep)) {
                 // Remove the OTEP from the array
                 $otpConfig->otep = array_diff($otpConfig->otep, array($otep));
                 $model->setOtpConfig($result->id, $otpConfig);
                 // Return true; the OTEP was a valid one
                 $check = true;
             }
         }
         if (!$check) {
             $response->status = JAuthentication::STATUS_FAILURE;
             $response->error_message = JText::_('JGLOBAL_AUTH_INVALID_SECRETKEY');
         }
     }
 }
 /**
  * Get list of available two factor methods
  *
  * @return array
  *
  * @deprecated  4.0  Use JAuthenticationHelper::getTwoFactorMethods() instead.
  */
 public static function getTwoFactorMethods()
 {
     JLog::add(__METHOD__ . ' is deprecated, use JAuthenticationHelper::getTwoFactorMethods() instead.', JLog::WARNING, 'deprecated');
     return JAuthenticationHelper::getTwoFactorMethods();
 }