Ejemplo n.º 1
0
 /**
  * This action handles form login page.
  *
  * If this action is reached through a POST request, username and password
  * are compared to login the current user.
  *
  * Parameters are:
  *   - nonce (default: false)
  *   - username (default: '')
  *   - challenge (default: '')
  *   - keep_logged_in (default: false)
  *
  * @todo move unsafe autologin in an extension.
  */
 public function formLoginAction()
 {
     invalidateHttpCache();
     $file_mtime = @filemtime(PUBLIC_PATH . '/scripts/bcrypt.min.js');
     Minz_View::appendScript(Minz_Url::display('/scripts/bcrypt.min.js?' . $file_mtime));
     if (Minz_Request::isPost()) {
         $nonce = Minz_Session::param('nonce');
         $username = Minz_Request::param('username', '');
         $challenge = Minz_Request::param('challenge', '');
         $conf = get_user_configuration($username);
         if (is_null($conf)) {
             Minz_Error::error(403, array(_t('feedback.auth.login.invalid')), false);
             return;
         }
         $ok = FreshRSS_FormAuth::checkCredentials($username, $conf->passwordHash, $nonce, $challenge);
         if ($ok) {
             // Set session parameter to give access to the user.
             Minz_Session::_param('currentUser', $username);
             Minz_Session::_param('passwordHash', $conf->passwordHash);
             FreshRSS_Auth::giveAccess();
             // Set cookie parameter if nedded.
             if (Minz_Request::param('keep_logged_in')) {
                 FreshRSS_FormAuth::makeCookie($username, $conf->passwordHash);
             } else {
                 FreshRSS_FormAuth::deleteCookie();
             }
             // All is good, go back to the index.
             Minz_Request::good(_t('feedback.auth.login.success'), array('c' => 'index', 'a' => 'index'));
         } else {
             Minz_Log::warning('Password mismatch for' . ' user='******', nonce=' . $nonce . ', c=' . $challenge);
             Minz_Error::error(403, array(_t('feedback.auth.login.invalid')), false);
         }
     } elseif (FreshRSS_Context::$system_conf->unsafe_autologin_enabled) {
         $username = Minz_Request::param('u', '');
         $password = Minz_Request::param('p', '');
         Minz_Request::_param('p');
         if (!$username) {
             return;
         }
         $conf = get_user_configuration($username);
         if (is_null($conf)) {
             return;
         }
         if (!function_exists('password_verify')) {
             include_once LIB_PATH . '/password_compat.php';
         }
         $s = $conf->passwordHash;
         $ok = password_verify($password, $s);
         unset($password);
         if ($ok) {
             Minz_Session::_param('currentUser', $username);
             Minz_Session::_param('passwordHash', $s);
             FreshRSS_Auth::giveAccess();
             Minz_Request::good(_t('feedback.auth.login.success'), array('c' => 'index', 'a' => 'index'));
         } else {
             Minz_Log::warning('Unsafe password mismatch for user ' . $username);
             Minz_Error::error(403, array(_t('feedback.auth.login.invalid')), false);
         }
     }
 }
Ejemplo n.º 2
0
 /**
  * Removes all accesses for the current user.
  */
 public static function removeAccess()
 {
     Minz_Session::_param('loginOk');
     self::$login_ok = false;
     $conf = Minz_Configuration::get('system');
     Minz_Session::_param('currentUser', $conf->default_user);
     switch ($conf->auth_type) {
         case 'form':
             Minz_Session::_param('passwordHash');
             FreshRSS_FormAuth::deleteCookie();
             break;
         case 'persona':
             Minz_Session::_param('mail');
             break;
         case 'http_auth':
         case 'none':
             // Nothing to do...
             break;
         default:
             // TODO: extensions
     }
 }