Beispiel #1
0
 /**
  * Validate a user-provided password with user
  *
  * @param HiddenString $password
  * @param HiddenString $pHash
  * @param array $migrationData
  * @param EncryptionKey $passwordKey
  * @return bool
  * @throws \Exception
  */
 public function validate(HiddenString $password, HiddenString $pHash, array $migrationData, EncryptionKey $passwordKey = null) : bool
 {
     if (!$passwordKey) {
         if (!$this->key instanceof EncryptionKey) {
             throw new \Exception(\__('No key was passed to this migration'));
         }
         $passwordKey = $this->key;
     }
     $hash = $this->wordPressCryptPrivate($password, $migrationData['salt']);
     return Password::verify($hash, $pHash->getString(), $passwordKey);
 }
Beispiel #2
0
 public function login()
 {
     if (Session::get('loggin') == true) {
         url::redirect('admin');
     }
     if (isset($_POST['submit'])) {
         $username = $_POST['username'];
         $password = $_POST['password'];
         $admin = $this->loadModel('admin_model');
         if (Password::verify($password, $admin->get_hash($username)) == false) {
             die('wrong username or password');
         } else {
             Session::set('loggin', true);
             Url::redirect('admin');
         }
     }
     $data['title'] = 'Login';
     $this->view->rendertemplate('header', $data);
     $this->view->render('admin/login', $data);
     $this->view->rendertemplate('footer', $data);
 }
Beispiel #3
0
 public function login()
 {
     if (Session::get('loggedin')) {
         Url::redirect('admin');
     }
     $model = new \models\admin\auth();
     $data['title'] = 'Login';
     if (isset($_POST['submit'])) {
         $username = $_POST['username'];
         $password = $_POST['password'];
         if (Password::verify($password, $model->getHash($_POST['username'])) == 0) {
             $error[] = 'Wrong username of password';
         } else {
             Session::set('loggedin', true);
             Url::redirect('admin');
         }
     }
     View::renderadmintemplate('loginheader', $data);
     View::render('admin/login', $data, $error);
     View::renderadmintemplate('footer', $data);
 }
Beispiel #4
0
 /**
  * @param HiddenString $password
  * @return bool
  */
 public function tryUnlockPassword(HiddenString $password) : bool
 {
     $state = State::instance();
     return Password::verify($password->getString(), $this->installHash, $state->keyring['auth.password_key']);
 }
Beispiel #5
0
 public function login($username, $password)
 {
     if ($this->logged_in) {
         return true;
     }
     //Make sure username and password are provided
     if (!isset($username) || !isset($password)) {
         return false;
     }
     $username = $this->escape(trim($username));
     $password = $this->escape(trim($password));
     $result = $this->query("SELECT pass, last_attempt, attempts FROM users WHERE username = '******'", array($username));
     if (count($result) === 0) {
         return false;
     }
     $password = new Password($password);
     //Rate limit password guesses per minute
     //Once the user has guessed 5 times, they have to wait a minute before trying again
     $attempt_time = time();
     $attempts = (int) $result[0]->attempts;
     //Reset attempt counter if user hasn't attempted in last minute
     if ($attempt_time > $result[0]->last_attempt + self::TIME_RANGE) {
         $attempts = 0;
     }
     $attempts++;
     //User has exceeded max number of attempts in last minute
     if ($attempts > self::MAX_ATTEMPTS) {
         return false;
     }
     //Update user with attempt count and current time
     $this->query("UPDATE users SET last_attempt = '%d', attempts = '%d' WHERE username = '******'", array($attempt_time, $attempts, $username));
     if (!$password->verify($result[0]->pass)) {
         return false;
     }
     $_SESSION["username"] = $username;
     $_SESSION["login_time"] = $attempt_time;
     $this->logged_in = true;
     return true;
 }
Beispiel #6
0
 function resetPasswordAction($db, $reset_key, $email_address, $password_token, $password, $user_password_repeat)
 {
     $response = $db->query('SELECT secret, request_timestamp FROM responses 
   WHERE reset_key = :reset_key AND email_address = :email_address 
   AND NOT used AND active', array(':reset_key' => $reset_key, ':email_address' => $email_address));
     $validatedPassword = self::validateUserPassword($password, $user_password_repeat);
     if (!$validatedPassword) {
         return "INVALID PASSWORD";
     }
     if ($response) {
         $created = DateTime::createFromFormat('Y-m-d G:i:s', $response[0]->request_timestamp);
         if ($created >= new DateTime('30 minutes ago')) {
             if (Password::verify($password_token, $response[0]->secret) && $password == $user_password_repeat) {
                 $disable_token = $db->update("responses", array('used' => 1), array('reset_key' => $reset_key), array());
                 $hash = Password::make($password, PASSWORD_BCRYPT, array("cost" => 10));
                 $password_change = $db->exec('UPDATE Users SET password = :password WHERE email = :email', array(':password' => $hash, ':email' => $email_address));
                 return "Password Successfully Changed";
             }
         }
     } else {
         return "INVALID RESET TOKEN";
     }
 }
Beispiel #7
0
 /**
  * Verifies that the password is valid for a given user account. Returns
  * false whether or not the user name is valid and attempts to minimize
  * leaking that information through timing side-channels.
  * 
  * @param string $username
  * @param HiddenString $password
  * @return bool|int
  */
 public function login(string $username, HiddenString $password)
 {
     /**
      * To prevent extreme stupidity, we escape our table and column names
      * here. We shouldn't ever *need* to do this, but as long as developers
      * are creative, they will find creative ways to make their apps
      * insecure and we should anticipate them as much as we can.
      */
     $table = $this->db->escapeIdentifier($this->tableConfig['table']['accounts']);
     // Let's fetch the user data from the database
     $user = $this->db->row('SELECT * FROM ' . $table . ' WHERE username = ?', $username);
     if (empty($user)) {
         /**
          * User not found. Use the dummy password to mitigate user
          * enumeration via timing side-channels.
          */
         Password::verify($password->getString(), $this->dummyHash, $this->key);
         // No matter what, return false here:
         return false;
     } else {
         if (!empty($user['migration'])) {
             $success = $this->migrateImportedHash($password, new HiddenString($user['password']), $user);
             if ($success) {
                 return (int) $user['userid'];
             }
         }
         if (Password::verify($password->getString(), $user['password'], $this->key)) {
             return (int) $user['userid'];
         }
     }
     return false;
 }
Beispiel #8
0
//   $app = \Slim\Slim::getInstance();
//   $token = $app->request->headers->get('Authorization');
//   $token = str_replace('"', "", $token);
//   $tokenFromDB = Users_model::get_user_by_token($db, $token);
//   if (!$tokenFromDB) {
//     echoResponse(403, "Invalid Token");
//     exit();
//   }
// }
// Users
$app->post('/login', function () use($app) {
    global $db;
    $data = json_decode($app->request->getBody());
    $user = Users_model::get_hash($db, $data->email);
    $hash = Password::make($data->password, PASSWORD_BCRYPT, array("cost" => 10));
    if (Password::verify($data->password, $user[0]->password) == true) {
        echoResponse(200, $user[0]);
    } else {
        echoResponse(403, "Not a valid password");
    }
});
// 'authenticateToken',
$app->get('/users', 'authenticateToken', function () use($app) {
    global $db;
    $rows = Users_model::get_users($db);
    // foreach (getallheaders() as $name => $value) {
    // var_dump(getallheaders());
    // }
    echoResponse(200, $rows);
});
$app->post('/users', function () use($app) {