function create_user($username, $password)
{
log_error("Create User - Username: "******"|" . $password);
try {
$create_statement = "insert into users values (:username, :md5)";
$sth = $this->_dbh->prepare($create_statement);
$hash = WeaveHashFactory::factory();
$password = $hash->hash($password);
$sth->bindParam(':username', $username);
$sth->bindParam(':md5', $password);
$sth->execute();
} catch (PDOException $exception) {
log_error("create_user:"******"create_user:" . $exception->getMessage());
return 0;
}
return 1;
}
} else {
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
if ($username == '') {
log_error("user.php : Post no username");
report_problem(WEAVE_ERROR_INVALID_USERNAME, 400);
}
$db = new WeaveStorage($username);
log_error("user.php: POST");
if ($function == "password") {
#Auth the user
verify_user($username, $db);
$new_pwd = get_phpinput();
log_error("user.php: POST password ");
//to do
// change pw in db
$hash = WeaveHashFactory::factory();
if ($db->change_password($hash->hash($new_pwd))) {
exit("success");
} else {
report_problem(WEAVE_ERROR_INVALID_PROTOCOL, 503);
}
//server db messed up somehow
// return success
// report_problem(7, 400);
} else {
if ($function == "email") {
//change email adr
} else {
report_problem(WEAVE_ERROR_INVALID_PROTOCOL, 400);
}
}
function verify_user($url_user, $db)
{
if (!$url_user || !preg_match('/^[A-Z0-9._-]+$/i', $url_user)) {
report_problem(WEAVE_ERROR_INVALID_USERNAME, 400);
}
$auth_user = array_key_exists('PHP_AUTH_USER', $_SERVER) ? $_SERVER['PHP_AUTH_USER'] : null;
$auth_pw = array_key_exists('PHP_AUTH_PW', $_SERVER) ? $_SERVER['PHP_AUTH_PW'] : null;
if (is_null($auth_user) || is_null($auth_pw)) {
/* CGI/FCGI auth workarounds */
$auth_str = null;
if (array_key_exists('Authorization', $_SERVER)) {
/* Standard fastcgi configuration */
$auth_str = $_SERVER['Authorization'];
} else {
if (array_key_exists('AUTHORIZATION', $_SERVER)) {
/* Alternate fastcgi configuration */
$auth_str = $_SERVER['AUTHORIZATION'];
} else {
if (array_key_exists('HTTP_AUTHORIZATION', $_SERVER)) {
/* IIS/ISAPI and newer (yet to be released) fastcgi */
$auth_str = $_SERVER['HTTP_AUTHORIZATION'];
} else {
if (array_key_exists('REDIRECT_HTTP_AUTHORIZATION', $_SERVER)) {
/* mod_rewrite - per-directory internal redirect */
$auth_str = $_SERVER['REDIRECT_HTTP_AUTHORIZATION'];
}
}
}
}
if (!is_null($auth_str)) {
/* Basic base64 auth string */
if (preg_match('/Basic\\s+(.*)$/', $auth_str)) {
$auth_str = substr($auth_str, 6);
$auth_str = base64_decode($auth_str, true);
if ($auth_str != FALSE) {
$tmp = explode(':', $auth_str);
if (count($tmp) == 2) {
$auth_user = $tmp[0];
$auth_pw = $tmp[1];
}
}
}
}
}
if (!$auth_user || !$auth_pw) {
log_error("Auth failed 1 {");
log_error(" User pw: " . $auth_user . " | " . $auth_pw);
log_error(" Url_user: "******"}");
report_problem('Authentication failed', '401');
}
$url_user = strtolower($url_user);
if (strtolower($auth_user) != $url_user) {
log_error("(140) Missmatch:" . strtolower($auth_user) . "|" . $url_user);
report_problem(WEAVE_ERROR_USERID_PATH_MISMATCH, 400);
}
try {
$existingHash = $db->get_password_hash();
$hash = WeaveHashFactory::factory();
if (!$hash->verify(fix_utf8_encoding($auth_pw), $existingHash)) {
log_error("Auth failed 2 {");
log_error(" User pw: " . $auth_user . "|" . $auth_pw . "|md5:" . md5($auth_pw) . "|fix:" . fix_utf8_encoding($auth_pw) . "|fix md5 " . md5(fix_utf8_encoding($auth_pw)));
log_error(" Url_user: "******" Existing hash: " . $existingHash);
log_error("}");
report_problem('Authentication failed', '401');
} else {
if ($hash->needsUpdate($existingHash)) {
$db->change_password($hash->hash(fix_utf8_encoding($auth_pw)));
}
}
} catch (Exception $e) {
header("X-Weave-Backoff: 1800");
log_error($e->getMessage(), $e->getCode());
report_problem($e->getMessage(), $e->getCode());
}
return true;
}
