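 /**
  * Authenticates the identity against the stored user record.
  *
  * Resolves the user via getUserModel(), rejects inactive accounts, and then
  * either trusts the caller (Google sign-in) or verifies the password against
  * the current hash format, falling back to two legacy formats which are
  * re-hashed on successful login.
  *
  * @param bool $google true when the identity was already established by
  *        Google sign-in; the password check is skipped entirely in that case
  * @return bool true on success; on failure $this->errorCode says why
  */
 public function authenticate($google = false)
 {
     $user = $this->getUserModel();
     if (!$user instanceof User) {
         // username not found
         $this->errorCode = self::ERROR_USERNAME_INVALID;
         return false;
     }
     $this->username = $user->username;
     if ((int) $user->status === User::STATUS_INACTIVE) {
         $this->errorCode = self::ERROR_DISABLED;
         return false;
     }
     if ($google) {
         // Completely bypasses password-based authentication: the caller is
         // responsible for having verified the Google identity first.
         $this->errorCode = self::ERROR_NONE;
         $this->_id = $user->id;
         return true;
     }
     // Same int-cast strict comparison as the STATUS_INACTIVE check above
     // (previously a loose `== 0`).
     if ((int) $user->status === 0) {
         // User has been disabled
         $this->errorCode = self::ERROR_DISABLED;
         return false;
     }
     $reEncrypt = false;
     if (PasswordUtil::validatePassword($this->password, $user->password)) {
         $isValid = true;
     } elseif (PasswordUtil::slowEquals(md5($this->password), $user->password)) {
         // Oldest format: unsalted MD5. Accepted only so the stored hash can be
         // migrated on this login; drop this branch once no such hashes remain.
         $isValid = true;
         $reEncrypt = true;
     } else {
         // Old format: crypt() with the stored value reused as salt+hash.
         $legacyHash = '$5$rounds=32678$' . $user->password;
         $isValid = PasswordUtil::slowEquals(crypt($this->password, $legacyHash), $legacyHash);
         $reEncrypt = $isValid;
     }
     if (!$isValid) {
         $this->errorCode = self::ERROR_PASSWORD_INVALID;
         return false;
     }
     $this->errorCode = self::ERROR_NONE;
     $this->_id = $user->id;
     if ($reEncrypt) {
         // Upgrade a legacy hash to the current format now that the
         // plaintext is known to be correct.
         $user->password = PasswordUtil::createHash($this->password);
         $user->update(array('password'));
     }
     return true;
 }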
 /**
  * PasswordUtil::slowEquals() must report equality only for two identical
  * strings; null, arrays and trailing-whitespace differences never match.
  */
 public function testSlowEquals()
 {
     // Each row: left operand, right operand, expected result.
     $cases = array(
         array(null, null, false),                                    // null values
         array('', '', true),                                         // empty strings
         array('', null, false),                                      // empty vs null
         array('Array', array(), false),                              // string vs array
         array('this is a string', 'this is a string', true),        // identical strings
         array('this is a string', 'this is a string ', false),      // trailing space differs
     );
     foreach ($cases as $case) {
         list($left, $right, $expected) = $case;
         if ($expected) {
             $this->assertTrue(PasswordUtil::slowEquals($left, $right));
         } else {
             $this->assertFalse(PasswordUtil::slowEquals($left, $right));
         }
     }
 }
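 /**
  * Sets the user for a stateless API request.
  *
  * Credentials are read from PHP_AUTH_USER / PHP_AUTH_PW, or recovered from an
  * HTTP Basic "Authorization" header when the SAPI does not populate them.
  * The password field is compared against the user's API key (userKey), not
  * the login password. On any failure authFail() is called and the filter
  * chain is NOT run.
  *
  * @param mixed $filterChain filter chain whose run() continues the request
  */
 public function filterAuthenticate($filterChain)
 {
     // Check for the availability of authentication. Only the Basic scheme
     // carries base64("user:pw"); explode() is limited to two parts so an API
     // key that itself contains ':' is not truncated.
     if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) && isset($_SERVER['HTTP_AUTHORIZATION'])) {
         $authHeader = $_SERVER['HTTP_AUTHORIZATION'];
         if (strncasecmp($authHeader, 'Basic ', 6) === 0) {
             $parts = explode(':', base64_decode(substr($authHeader, 6)), 2);
             if (count($parts) === 2) {
                 list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = $parts;
             }
         }
     }
     // empty() also covers an unset key; "0" is rejected as well, as before.
     $credentials = array();
     foreach (array('user' => 'PHP_AUTH_USER', 'pw' => 'PHP_AUTH_PW') as $field => $srvKey) {
         if (empty($_SERVER[$srvKey])) {
             $this->authFail("Missing user credentials: {$field}");
             return;
         }
         $credentials[$field] = $_SERVER[$srvKey];
     }
     $user = $credentials['user'];
     $pw = $credentials['pw'];
     $userModel = User::model()->findByAlias($user);
     // Invalid/not found. The compare runs before the disabled check on purpose:
     // a wrong key must not reveal whether API access is disabled. Note an empty
     // userKey can never equal the non-empty $pw, so the disabled message below
     // is only reached for whitespace-only keys.
     if (!$userModel instanceof User || !PasswordUtil::slowEquals($userModel->userKey, $pw)) {
         $this->authFail("Invalid user credentials.");
         return;
     }
     if (trim((string) $userModel->userKey) === '') {
         // Empty user key = disabled
         $this->authFail("API access has been disabled for the specified user.");
         return;
     }
     // Set user model and profile to respect permissions
     Yii::app()->setSuModel($userModel);
     $profile = $userModel->profile;
     if ($profile instanceof Profile) {
         Yii::app()->params->profile = $profile;
     }
     $filterChain->run();
 }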