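 /**
  * Authenticates the current HTTP request from its Auth-* headers and checks
  * the user holds at least one of the requested roles.
  *
  * Required headers: Auth-User, Auth-Timestamp (unix time, rejected when older
  * than _TIME_TO_LIVE_IN_MINUTES_) and Auth-Signature (base64 of an HMAC-SHA512
  * over METHOD . _DOMAIN_API_HOST_ . REQUEST_URI . canonical POST body . timestamp).
  *
  * With $initialize the call is a two-round login handshake: round one verifies
  * the posted password (PBKDF2-SHA512 against the stored hash) and issues a
  * challenge; round two verifies the posted challenge, initiates the connection
  * and then falls through to the signature check like a normal request.
  *
  * @param array $roles      roles of which the user must hold at least one
  * @param bool  $initialize true for the login handshake, false for an established session
  * @param bool  $whenLocked true to let a locked account through
  * @return bool true only when the request is authenticated and authorised
  */
 public static function checkAuth(array $roles, bool $initialize = false, bool $whenLocked = false): bool
 {
     $headers = getallheaders();
     if (!isset($headers['Auth-User'], $headers['Auth-Timestamp'], $headers['Auth-Signature'])) {
         return false;
     }
     // Stale timestamps are rejected. Nothing here rejects a timestamp from the
     // future or a replay inside the TTL window; preventing replays would need
     // server-side nonce tracking, which this method does not have.
     $timestamp = $headers['Auth-Timestamp'];
     if (!is_numeric($timestamp) || $timestamp < strtotime('-' . _TIME_TO_LIVE_IN_MINUTES_ . ' minute', time())) {
         return false;
     }
     // NOTE(review): REQUEST_URI is normally path-only, so 'scheme' is usually
     // absent and this rejects every request while _USE_HTTPS_ONLY_ is on unless
     // the server supplies an absolute URI — confirm against the deployment
     // (a $_SERVER['HTTPS'] / forwarded-proto check may be what is intended).
     $requestedURI = parse_url($_SERVER['REQUEST_URI']);
     if (_USE_HTTPS_ONLY_ && ($requestedURI['scheme'] ?? null) !== 'https') {
         return false;
     }
     $userData = new AuthUser();
     if (!$userData->loadUser(mb_strtolower($headers['Auth-User']), $initialize)) {
         return false;
     }
     if ($userData->isLocked() && !$whenLocked) {
         return false;
     }
     if ($initialize) {
         // During the handshake the signature is keyed with the stored password hash.
         $userSecret = $userData->getUserPassword();
         if (!array_key_exists('challenge', $_POST)) {
             // Round one: verify the password, then hand the client a challenge.
             $password = $_POST['password'] ?? '';
             if (!is_string($password)
                 || !hash_equals(hash_pbkdf2('sha512', $password, $userData->getSalt(), 1000), $userSecret)
             ) {
                 $userData->addFailedLogin();
                 return false;
             }
             $userData->askClientChallenge();
             return true;
         }
         // Round two: the posted challenge must match the issued one exactly.
         // Strict constant-time comparison instead of a loose `!=`, so numeric-
         // looking strings cannot juggle into a match, and an unset/empty issued
         // challenge can never be satisfied by posting an empty value.
         $expectedChallenge = (string) ($userData->getChallengeKey() ?? '');
         $postedChallenge = $_POST['challenge'];
         if ($expectedChallenge === ''
             || !is_string($postedChallenge)
             || !hash_equals($expectedChallenge, $postedChallenge)
         ) {
             $userData->addFailedLogin();
             return false;
         }
         $userData->initiateConnection();
     } else {
         $userSecret = $userData->getUserSecret();
     }
     // Canonical body: key=value pairs joined by '&' in $_POST order, array values
     // comma-joined, no URL-encoding — the client must build it identically.
     $pairs = [];
     foreach ($_POST as $key => $value) {
         $pairs[] = $key . '=' . (is_array($value) ? implode(',', $value) : $value);
     }
     $data = implode('&', $pairs);
     $signatureData = $_SERVER['REQUEST_METHOD'] . _DOMAIN_API_HOST_ . $_SERVER['REQUEST_URI'] . $data . $timestamp;
     $expectedSignature = base64_encode(hash_hmac('sha512', $signatureData, $userSecret, true));
     if (hash_equals($expectedSignature, $headers['Auth-Signature'])
         && !empty(array_intersect($userData->getUserRoles(), $roles))
     ) {
         $userData->makeSuccessfulLogin($initialize);
         return true;
     }
     // initiateConnection() adds the secret / second-factor headers before the
     // signature is verified; the check failed, so withdraw them from the response.
     header_remove('Auth-Secret');
     header_remove('Auth-Second-Factor');
     if ($initialize) {
         $userData->addFailedLogin();
     }
     return false;
 }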