/**
 * Filter a list of user IDs down to those not flagged as invalid in the www DB.
 *
 * Users with RoleID=2 in LUM_User are treated as invalid. If neither DB
 * replica can be reached, every ID is assumed valid (best-effort check).
 *
 * @param array $userIDs  List of user IDs to check
 * @return array  The subset of $userIDs that is not known to be invalid
 *                (keys of the input array are preserved by array_diff)
 */
public static function getValidUsersDB($userIDs) {
    // Nothing to check
    if (!$userIDs) {
        return [];
    }
    
    // One positional placeholder per ID; $userIDs is passed as-is as the bound parameters
    $placeholders = implode(', ', array_fill(0, count($userIDs), '?'));
    $sql = "SELECT UserID FROM LUM_User WHERE RoleID=2 AND UserID IN ({$placeholders})";
    
    $invalidIDs = [];
    try {
        $invalidIDs = Zotero_WWW_DB_2::columnQuery($sql, $userIDs);
        Zotero_WWW_DB_2::close();
    }
    catch (Exception $e) {
        // Replica failed -- fall back to the primary
        try {
            Z_Core::logError("WARNING: {$e} -- retrying on primary");
            $invalidIDs = Zotero_WWW_DB_1::columnQuery($sql, $userIDs);
            Zotero_WWW_DB_1::close();
        }
        catch (Exception $e2) {
            Z_Core::logError("WARNING: " . $e2);
            // If not available, assume valid
        }
    }
    
    return $invalidIDs ? array_diff($userIDs, $invalidIDs) : $userIDs;
}
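/**
 * Authenticate a www user by username (or email address) and password.
 *
 * Passwords are checked against bcrypt first, then against the legacy
 * salted-SHA1 and unsalted-MD5 formats still present in the users table.
 * A successful login is cached for 60 seconds.
 *
 * @param array $data  Expects 'username' and 'password' keys
 * @return int|string|false  The user's ID on success, false if no matching
 *                           user exists or the password is wrong
 * @throws Exception  If the primary DB query fails (replica failures are retried)
 */
public static function authenticate($data) {
    $salt = Z_CONFIG::$AUTH_SALT; // TODO: config
    $dev = Z_ENV_TESTING_SITE ? "_test" : "";
    $databaseName = "zotero_www{$dev}";
    $username = $data['username'];
    $password = $data['password'];
    $isEmailAddress = strpos($username, '@') !== false;
    
    // Short-lived cache of successful logins. The username is length-prefixed
    // and the parts are delimited so that ("ab", "c") and ("a", "bc") can't
    // produce the same key and resolve to each other's cached user ID.
    $cacheKey = 'userAuthHash_' . hash('sha256', strlen($username) . "\0" . $username . "\0" . $password);
    $userID = Z_Core::$MC->get($cacheKey);
    if ($userID) {
        return $userID;
    }
    
    // Username
    if (!$isEmailAddress) {
        $sql = "SELECT userID, username, password AS hash FROM {$databaseName}.users WHERE username=?";
        $params = [$username];
    }
    // Email address -- also match on username, preferring an exact username match
    else {
        $sql = "SELECT userID, username, password AS hash FROM {$databaseName}.users\n\t\t\t WHERE username = ?\n\t\t\t UNION\n\t\t\t SELECT userID, username, password AS hash FROM {$databaseName}.users\n\t\t\t WHERE email = ?\n\t\t\t ORDER BY username = ? DESC";
        $params = [$username, $username, $username];
    }
    
    try {
        // Query the replica first; if it fails, retry once on the primary.
        // If the replica answers but has no rows, check the primary in case
        // of replication lag -- a failure there is not retried.
        $retry = true;
        $rows = Zotero_WWW_DB_2::query($sql, $params);
        Zotero_WWW_DB_2::close();
        if (!$rows) {
            $retry = false;
            $rows = Zotero_WWW_DB_1::query($sql, $params);
            Zotero_WWW_DB_1::close();
        }
    }
    catch (Exception $e) {
        if ($retry) {
            Z_Core::logError("WARNING: {$e} -- retrying on primary");
            $rows = Zotero_WWW_DB_1::query($sql, $params);
            Zotero_WWW_DB_1::close();
        }
        else {
            throw $e;
        }
    }
    
    if (!$rows) {
        return false;
    }
    
    $foundRow = null;
    foreach ($rows as $row) {
        $storedHash = (string) $row['hash'];
        
        // Try bcrypt
        $found = password_verify($password, $storedHash);
        
        // Try salted SHA1 (legacy). hash_equals() is used instead of ==, which
        // compares numeric-looking hex digests (e.g. "0e123...") numerically
        // and can report two different digests as equal; it is also constant-time.
        if (!$found) {
            $found = hash_equals($storedHash, sha1($salt . $password));
        }
        
        // Try MD5 (legacy)
        if (!$found) {
            $found = hash_equals($storedHash, md5($password));
        }
        
        if ($found) {
            $foundRow = $row;
            break;
        }
    }
    
    if (!$foundRow) {
        return false;
    }
    
    // NOTE(review): a match on a legacy SHA1/MD5 hash is not rehashed with
    // password_hash() here; whether updateUser() does that is not visible from
    // this method -- confirm.
    self::updateUser($foundRow['userID'], $foundRow['username']);
    Z_Core::$MC->set($cacheKey, $foundRow['userID'], 60);
    return $foundRow['userID'];
}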