/**
  * Authenticate a user.
  *
  * @param $email
  *   The user's email
  *
  * @param $password
  *   The cleartext password used for authentication.
  *
  * @return
  *   NULL if the authentication failed, a User object on success.
  */
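 public static function authenticate($email, $password)
 {
     $success = false;
     // Both lookups run on every call, whether or not the account exists.
     $user = static::first()->active()->email($email)->select();
     $root = static::first()->root()->select();
     if (!$user) {
         /*
          * No active account matches this email. A verification is still
          * performed, against the root user's hash, so that an unknown
          * account costs about as much time as a wrong password. This relies
          * on the root hash having the same "cost" as ordinary users' hashes.
          *
          * If no root row exists there is no reference hash to verify
          * against: the branch then returns faster than a real verification
          * and the timing equalisation is lost for that deployment.
          */
         if ($root) {
             static::password_verify($password, $root->passwd);
         }
     } else {
         $success = static::password_verify($password, $user->passwd);
     }

     /*
      * Log the attempt. $email and X-Forwarded-For are taken from the
      * request as-is, so control characters (CR, LF, NUL, ...) are replaced
      * before interpolation; otherwise a crafted value could split the
      * entry into forged log lines. Values without control characters are
      * logged unchanged.
      */
     $scrub = function ($value) {
         return is_scalar($value)
             ? preg_replace('/[\x00-\x1F\x7F]/', '?', (string) $value)
             : '(non-scalar)';
     };
     // REMOTE_ADDR is not set under every SAPI (e.g. CLI); avoid an undefined-index notice.
     $remote_addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
     $ip_infos = 'IP=' . $scrub($remote_addr);
     if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
         /*
          * X-Forwarded-For is a request header that any client can set. It
          * is recorded as a hint for the analyst only and must not be
          * treated as the authoritative source address.
          */
         $ip_infos .= ', X-Forwarded-For=' . $scrub($_SERVER['HTTP_X_FORWARDED_FOR']);
     }
     $logged_email = $scrub($email);
     // The 'Successfull' spelling is kept byte-for-byte: existing log parsers or alerts may match on it.
     No2_Logger::info(($success ? 'Successfull' : 'Failed') . " login for {$logged_email} ({$ip_infos})");

     // The User object is handed back only after a successful verification.
     return $success ? $user : NULL;
 }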
Example #2
        <?php 
        die;
    }
}
$view = $controller->view();
if (No2_HTTP::is_error($view->status()) && !$controller->can_render_errors()) {
    /*
     * The controller declined error handling, so we load the default error
     * controller to generate the response. $view is dropped and control
     * jumps back to the invoke_it label, which is defined outside this
     * excerpt.
     */
    require_once APPDIR . '/controllers/error.class.php';
    $controller = new ErrorController($view->status());
    unset($view);
    goto invoke_it;
}
/* from this point, $controller and $view are set and valid. */
/*
 * Here we know the status code, log the request and render the requested resource.
 *
 * NOTE(review): REQUEST_URI includes the query string as sent by the client,
 * so any token or credential passed as a GET parameter is copied into the
 * log. REQUEST_METHOD and REQUEST_URI are request-derived values; confirm
 * that No2_Logger (or the log sink) neutralises control characters so that a
 * request cannot inject extra log lines.
 */
No2_Logger::info("{$_SERVER['REMOTE_ADDR']} - {$_SERVER['REQUEST_METHOD']} - {$_SERVER['REQUEST_URI']} - {$view->status()}");
/* kindly ask the view to render the response */
try {
    /*
     * Don't try to buffer the view's output using something like ob_start(),
     * it will OOM PHP if the response is moderately big.
     */
    $view->render();
    die;
} catch (Exception $e) {
    /*
     * Only the exception message is logged; there is no die in this branch,
     * so execution continues with whatever follows in the file.
     * NOTE(review): because output is not buffered, render() may already
     * have sent part of the response when it throws -- confirm what the
     * client receives in that case. On PHP 7+ an Error is not an Exception
     * and is not caught here.
     */
    No2_Logger::err('view rendering exception: ' . $e->getMessage());
}