/**
 * Authenticate user.
 *
 * Reads the current Grav user and, if it is not yet authenticated, loads the
 * account named in the form (falling back to the username supplied by the
 * remember-me cookie). When a username and password were both submitted the
 * password is verified; on success the user is installed into the session and
 * the Grav container, and the remember-me cookie is created or cleared. In all
 * cases the result is additionally gated on the `site.login` ACL permission.
 *
 * @param array $form Form fields: `username`, `password` and optional `rememberme`.
 *
 * @return bool True only when the user is authenticated and authorized for `site.login`.
 */
protected function authenticate($form)
{
    /** @var User $user */
    $user = $this->grav['user'];

    if (!$user->authenticated) {
        // Submitted username wins; otherwise ask the remember-me cookie for one.
        $username = isset($form['username'])
            ? $form['username']
            : $this->rememberMe->login();

        // Normal login process: presumably loads the stored account for $username.
        $user = User::load($username);

        // Password verification needs an existing account and both credentials in the form.
        $canVerify = $user->exists()
            && !empty($form['username'])
            && !empty($form['password']);

        if ($canVerify) {
            // Authenticate user
            $user->authenticated = $user->authenticate($form['password']);

            if ($user->authenticated) {
                // NOTE(review): the session id is not regenerated here after a
                // successful login — confirm the session layer does this itself.
                $this->grav['session']->user = $user;
                unset($this->grav['user']);
                $this->grav['user'] = $user;

                if (empty($form['rememberme'])) {
                    // No remember-me requested: drop the cookie and the user's stored triplets.
                    $this->rememberMe->clearCookie();
                    $this->rememberMe->getStorage()->cleanAllTriplets($user->get('username'));
                } else {
                    // If the user wants to be remembered, create Rememberme cookie
                    $this->rememberMe->createCookie($form['username']);
                }
            }
        }
    }

    // Authorize against user ACL
    $authorized = $user->authorize('site.login');
    $user->authenticated = $user->authenticated && $authorized;

    return $user->authenticated;
}
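/**
 * Logs the user in.
 *
 * Validates the CSRF token and the submitted credentials, looks the user up by
 * e-mail and password hash, and on success records the login in the session
 * and creates or clears the remember-me cookie.
 *
 * @param mixed $request Request object; only its `post()` accessor is used
 *                       (assumed to return the POST fields as an array).
 *
 * @return \API\Document\User The user document
 *
 * @throws \Exception With Resource::STATUS_BAD_REQUEST when the CSRF token or
 *                    the credentials are missing or malformed, and with
 *                    Resource::STATUS_UNAUTHORIZED when no user matches.
 */
public function loginPost($request)
{
    $params = new Set($request->post());

    // CSRF protection: the token must be a string and match the one issued in
    // the session; hash_equals() keeps the comparison constant-time.
    $csrfToken = $params->has('csrfToken') ? $params->get('csrfToken') : null;
    if (!$params->has('csrfToken')
        || !isset($_SESSION['csrfToken'])
        || !is_string($csrfToken)
        || !is_string($_SESSION['csrfToken'])
        || !hash_equals($_SESSION['csrfToken'], $csrfToken)
    ) {
        throw new \Exception('Invalid CSRF token.', Resource::STATUS_BAD_REQUEST);
    }

    // This could be in JSON schema as well :)
    // Both values must be plain strings: they are passed straight into the
    // collection query, so arrays or other structured input are rejected here.
    $email = $params->has('email') ? $params->get('email') : null;
    $password = $params->has('password') ? $params->get('password') : null;
    if (!$params->has('email')
        || !$params->has('password')
        || !is_string($email)
        || !is_string($password)
    ) {
        throw new \Exception('Username or password missing!', Resource::STATUS_BAD_REQUEST);
    }

    $collection = $this->getDocumentManager()->getCollection('users');
    $cursor = $collection->find();
    $cursor->where('email', $email);
    // FIXME(security): passwords are stored as unsalted SHA-1. The lookup has to
    // stay compatible with the existing `passwordHash` values, but new hashes
    // should be produced with password_hash() and checked with password_verify()
    // after loading the user by e-mail alone.
    $cursor->where('passwordHash', sha1($password));
    $document = $cursor->current();

    if (null === $document) {
        $errorMessage = 'Invalid login attempt. Try again!';
        $this->errors[] = $errorMessage;
        throw new \Exception($errorMessage, Resource::STATUS_UNAUTHORIZED);
    }

    $this->single = true;
    $this->users = [$document];

    // Set the session. Issue a fresh session id on this privilege change so a
    // session id that existed before login is not carried into the
    // authenticated session (guarded: only meaningful with an active session).
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $_SESSION['userId'] = $document->getId();
    $_SESSION['expiresAt'] = time() + 3600; //1 hour

    // Set the Remember me cookie
    $rememberMeStorage = new RemembermeMongoStorage($this->getDocumentManager());
    $rememberMe = new Rememberme\Authenticator($rememberMeStorage);
    if ($params->has('rememberMe')) {
        $rememberMe->createCookie($document->getId());
    } else {
        $rememberMe->clearCookie();
    }

    return $document;
}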
// There is a chance that an attacker has stolen the login token, so we store // the fact that the user was logged in via RememberMe (instead of login form) $_SESSION['remembered_by_cookie'] = true; redirect(); } else { // If $rememberMe returned false, check if the token was invalid if ($rememberMe->loginTokenWasInvalid()) { $content = tpl("cookie_was_stolen"); } else { if (!empty($_POST)) { if ($username == $_POST['username'] && $password == $_POST['password']) { session_regenerate_id(); $_SESSION['username'] = $username; // If the user wants to be remembered, create Rememberme cookie if (!empty($_POST['rememberme'])) { $rememberMe->createCookie($username); } else { $rememberMe->clearCookie(); } redirect(); } else { $content = tpl("login", "Invalid credentials"); } } else { $content = tpl("login"); } } } } // template function for including content, nothing interesting function tpl($template, $msg = "")