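/**
 * Authenticates this identity against the User record from getUserModel().
 *
 * Outcomes, in order of evaluation:
 *  - no User record: ERROR_USERNAME_INVALID, returns false;
 *  - status is STATUS_INACTIVE: ERROR_DISABLED, returns false;
 *  - $google is true: the password is not checked at all; ERROR_NONE, true;
 *  - status is 0: ERROR_DISABLED, returns false;
 *  - otherwise the password is verified against the stored hash, then against
 *    two legacy formats (unsalted md5; SHA-256 crypt with the stored value as
 *    salt). A legacy match upgrades the stored hash via PasswordUtil::createHash().
 *
 * Side effects: sets $this->username and $this->errorCode, sets $this->_id on
 * success, and may rewrite $user->password in the database.
 *
 * @param bool $google true when the caller has already verified the user
 *                     through Google sign-in; skips the password check entirely
 * @return bool true iff errorCode is ERROR_NONE
 */
public function authenticate($google = false)
{
    $user = $this->getUserModel();

    if (!$user instanceof User) {
        // Username not found. This code differs from ERROR_PASSWORD_INVALID,
        // so a caller that echoes it to the client permits username enumeration.
        $this->errorCode = self::ERROR_USERNAME_INVALID;
        return false;
    }

    $this->username = $user->username;
    if ((int) $user->status === User::STATUS_INACTIVE) {
        $this->errorCode = self::ERROR_DISABLED;
        return false;
    }

    if ($google) {
        // Completely bypasses password-based authentication.
        // NOTE(review): the status-0 "disabled" check below is not applied on
        // this path; unless STATUS_INACTIVE is 0, a status-0 account can still
        // sign in via Google — confirm that this is intended.
        $this->errorCode = self::ERROR_NONE;
        $this->_id = $user->id;
        return true;
    }

    // User has been disabled. Cast before comparing, consistent with the
    // STATUS_INACTIVE check above, rather than the loose `== 0`.
    if ((int) $user->status === 0) {
        $this->errorCode = self::ERROR_DISABLED;
        return false;
    }

    $reEncrypt = false;
    if (PasswordUtil::validatePassword($this->password, $user->password)) {
        $isValid = true;
    } elseif (PasswordUtil::slowEquals(md5($this->password), $user->password)) {
        // Oldest format: unsalted md5. Accepted only so the hash can be upgraded.
        $isValid = true;
        $reEncrypt = true;
    } else {
        // Old format: SHA-256 crypt ($5$) with the stored value doubling as the
        // salt. The rounds value is part of the salt string and must be kept
        // exactly as stored hashes were generated with it.
        $legacyHash = '$5$rounds=32678$' . $user->password;
        $isValid = PasswordUtil::slowEquals(crypt($this->password, $legacyHash), $legacyHash);
        $reEncrypt = $isValid;
    }

    if (!$isValid) {
        $this->errorCode = self::ERROR_PASSWORD_INVALID;
        return false;
    }

    $this->errorCode = self::ERROR_NONE;
    $this->_id = $user->id;
    if ($reEncrypt) {
        // Transparently migrate a legacy hash to the current format.
        $user->password = PasswordUtil::createHash($this->password);
        $user->update(['password']);
    }
    return true;
}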
/**
 * PasswordUtil::slowEquals() must report equality only for two strings with
 * identical bytes: nulls, non-strings and a trailing-space difference are
 * all rejected, while two empty strings compare equal.
 */
public function testSlowEquals()
{
    // label => [left, right, expected]
    $cases = [
        'both null'               => [null, null, false],
        'both empty'              => ['', '', true],
        'empty vs null'           => ['', null, false],
        'string vs array'         => ['Array', [], false],
        'identical strings'       => ['this is a string', 'this is a string', true],
        'trailing space differs'  => ['this is a string', 'this is a string ', false],
    ];

    foreach ($cases as $label => $case) {
        list($left, $right, $expected) = $case;
        $actual = PasswordUtil::slowEquals($left, $right);
        if ($expected) {
            $this->assertTrue($actual, $label);
        } else {
            $this->assertFalse($actual, $label);
        }
    }
}
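/**
 * Sets the user for a stateless API request.
 *
 * Credentials are read from PHP_AUTH_USER / PHP_AUTH_PW or, when those are
 * absent, from an HTTP Basic "Authorization" header. The user is looked up by
 * alias and the supplied password is compared in constant time against the
 * user's API key (userKey). On success the user and its profile are installed
 * in the application so permission checks apply, and the filter chain runs.
 * Every failure path calls authFail() and returns without running the chain.
 *
 * @param CFilterChain $filterChain the filter chain to continue on success
 * @return void
 */
public function filterAuthenticate($filterChain)
{
    // Check for the availability of authentication. Only accept the Basic
    // scheme (instead of blindly stripping six characters), require a valid
    // base64 payload, and split on the first ':' only — RFC 7617 forbids ':'
    // in the user-id but allows it in the password.
    if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])
            && isset($_SERVER['HTTP_AUTHORIZATION'])) {
        $header = $_SERVER['HTTP_AUTHORIZATION'];
        $decoded = strncasecmp($header, 'Basic ', 6) === 0
            ? base64_decode(substr($header, 6), true)
            : false;
        if ($decoded !== false && strpos($decoded, ':') !== false) {
            list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', $decoded, 2);
        }
    }

    // Reject missing or empty credentials before touching the database.
    // empty() also rejects the literal "0"; kept for compatibility.
    $fields = ['user' => 'PHP_AUTH_USER', 'pw' => 'PHP_AUTH_PW'];
    foreach ($fields as $field => $srvKey) {
        if (empty($_SERVER[$srvKey])) {
            $this->authFail("Missing user credentials: {$field}");
            return;
        }
    }
    $user = $_SERVER['PHP_AUTH_USER'];
    $pw = $_SERVER['PHP_AUTH_PW'];

    $userModel = User::model()->findByAlias($user);

    // Invalid/not found. Return explicitly so the chain never runs on failure,
    // regardless of whether authFail() itself terminates the request.
    if (!$userModel instanceof User || !PasswordUtil::slowEquals($userModel->userKey, $pw)) {
        $this->authFail("Invalid user credentials.");
        return;
    }
    // Null/blank user key = disabled
    if (trim((string) $userModel->userKey) === '') {
        $this->authFail("API access has been disabled for the specified user.");
        return;
    }

    // Set user model and profile to respect permissions
    Yii::app()->setSuModel($userModel);
    $profile = $userModel->profile;
    if ($profile instanceof Profile) {
        Yii::app()->params->profile = $profile;
    }
    $filterChain->run();
}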