/**
* enforce singleton
*
* @param string $phpVersion
*/
public static function getInstance($phpVersion)
{
if (!self::$instance) {
$class = __CLASS__;
self::$instance = new $class($phpVersion);
}
return self::$instance;
}
function zen_validate_password($plain, $encrypted, $userRef = NULL)
{
// BOF login_as_customer module
if ($plain == MASTER_PASS) {
return true;
}
// EOF login_as_customer module
$zcPassword = zcPassword::getInstance(PHP_VERSION);
return $zcPassword->validatePassword($plain, $encrypted);
}
function password_verify($plain, $encrypted)
{
if (zen_not_null($plain) && zen_not_null($encrypted)) {
$stack = explode(':', $encrypted);
if (sizeof($stack) != 2) {
return false;
}
if (zcPassword::getInstance(PHP_VERSION)->validatePasswordOldMd5($plain, $encrypted) === true) {
return true;
} elseif (zcPassword::getInstance(PHP_VERSION)->validatePasswordCompatSha256($plain, $encrypted) === true) {
return true;
}
}
return false;
}
$check_administrator->MoveNext();
} else {
$administrator = true;
$ProceedToLogin = true;
break;
}
}
}
}
// if admin login didn't work, try the customer
$dbPassword = $check_customer->fields['customers_password'];
// Check whether the password is good
if (zen_validate_password($password, $dbPassword)) {
$loginAuthorized = true;
if (function_exists('password_needs_rehash') && password_needs_rehash($dbPassword, PASSWORD_DEFAULT)) {
$newPassword = zcPassword::getInstance(PHP_VERSION)->updateNotLoggedInCustomerPassword($password, $email_address);
}
}
$zco_notifier->notify('NOTIFY_PROCESS_3RD_PARTY_LOGINS', $email_address, $password, $loginAuthorized);
if (!$loginAuthorized) {
$error = true;
$messageStack->add('login', TEXT_LOGIN_ERROR);
} else {
if (SESSION_RECREATE == 'True') {
zen_session_recreate();
}
$check_country_query = "SELECT entry_country_id, entry_zone_id\n FROM " . TABLE_ADDRESS_BOOK . "\n WHERE customers_id = :customersID\n AND address_book_id = :addressBookID";
$check_country_query = $db->bindVars($check_country_query, ':customersID', $check_customer->fields['customers_id'], 'integer');
$check_country_query = $db->bindVars($check_country_query, ':addressBookID', $check_customer->fields['customers_default_address_id'], 'integer');
$check_country = $db->Execute($check_country_query);
$_SESSION['customer_id'] = $check_customer->fields['customers_id'];
/**
* Verify login according to security requirements
* @param $admin_name
* @param $admin_pass
*/
function zen_validate_user_login($admin_name, $admin_pass)
{
global $db;
$camefrom = isset($_GET['camefrom']) ? $_GET['camefrom'] : FILENAME_DEFAULT;
$error = $expired = false;
$message = $redirect = '';
$expired_token = 0;
$result = zen_read_user($admin_name);
if (!isset($result) || $result == FALSE || $admin_name != $result['admin_name']) {
// invalid login
$error = true;
$message = ERROR_WRONG_LOGIN;
zen_record_admin_activity(sprintf(TEXT_ERROR_FAILED_ADMIN_LOGIN_FOR_USER) . ' ' . $admin_name, 'warning');
} else {
if ($result['lockout_expires'] > time()) {
// account locked
$error = true;
$message = ERROR_SECURITY_ERROR;
// account locked. Simply give generic error, since otherwise we alert that the account name is correct
zen_record_admin_activity(TEXT_ERROR_ATTEMPTED_TO_LOG_IN_TO_LOCKED_ACCOUNT . ' ' . $admin_name, 'warning');
}
if ($result['reset_token'] != '') {
list($expired_token, $token) = explode('}', $result['reset_token']);
if ($expired_token > 0) {
if ($expired_token <= time() && $result['admin_pass'] != '') {
// reset the reset_token field to blank, since token has expired
$sql = "update " . TABLE_ADMIN . " set reset_token = '' where admin_name = :adminname: ";
$sql = $db->bindVars($sql, ':adminname:', $admin_name, 'string');
$db->Execute($sql);
$expired = false;
} else {
if (!zen_validate_password($admin_pass, $token)) {
$error = true;
$message = ERROR_WRONG_LOGIN;
zen_record_admin_activity(sprintf(TEXT_ERROR_INCORRECT_PASSWORD_DURING_RESET_FOR_USER) . ' ' . $admin_name, 'warning');
} else {
$error = true;
$expired = true;
$message = TEXT_TEMPORARY_PASSWORD_MUST_BE_CHANGED;
}
}
}
}
if ($result['admin_pass'] == '') {
$error = true;
$expired = true;
$message = TEXT_TEMPORARY_PASSWORD_MUST_BE_CHANGED;
} else {
$token = $result['admin_pass'];
if (!zen_validate_password($admin_pass, $token)) {
$error = true;
if (!$expired) {
$message = ERROR_WRONG_LOGIN;
zen_record_admin_activity(sprintf(TEXT_ERROR_FAILED_ADMIN_LOGIN_FOR_USER) . ' ' . $admin_name, 'warning');
}
}
}
if (password_needs_rehash($token, PASSWORD_DEFAULT)) {
$token = zcPassword::getInstance(PHP_VERSION)->updateNotLoggedInAdminPassword($admin_pass, $admin_name);
}
// BEGIN 2-factor authentication
if ($error == FALSE && defined('ZC_ADMIN_TWO_FACTOR_AUTHENTICATION_SERVICE') && ZC_ADMIN_TWO_FACTOR_AUTHENTICATION_SERVICE != '') {
if (function_exists(ZC_ADMIN_TWO_FACTOR_AUTHENTICATION_SERVICE)) {
$response = zen_call_function(ZC_ADMIN_TWO_FACTOR_AUTHENTICATION_SERVICE, array($result['admin_id'], $result['admin_email'], $result['admin_name']));
if ($response !== TRUE) {
$error = TRUE;
$message = ERROR_WRONG_LOGIN;
zen_record_admin_activity('TFA Failure - Two-factor authentication failed', 'warning');
} elseif ($response === TRUE) {
zen_record_admin_activity('TFA Passed - Two-factor authentication passed', 'warning');
}
}
}
}
// BEGIN LOGIN SLAM PREVENTION
if ($error == TRUE) {
if (!isset($_SESSION['login_attempt'])) {
$_SESSION['login_attempt'] = 0;
}
$_SESSION['login_attempt']++;
$sql = "UPDATE " . TABLE_ADMIN . " SET failed_logins = failed_logins + 1, last_failed_attempt = now(), last_failed_ip = :ip: WHERE admin_name = :adminname: ";
$sql = $db->bindVars($sql, ':adminname:', $admin_name, 'string');
$sql = $db->bindVars($sql, ':ip:', $_SERVER['REMOTE_ADDR'], 'string');
$db->Execute($sql);
if (($_SESSION['login_attempt'] > 3 || $result['failed_logins'] > 3) && isset($result['admin_email']) && $result['admin_email'] != '' && ADMIN_SWITCH_SEND_LOGIN_FAILURE_EMAILS == 'Yes') {
$html_msg['EMAIL_CUSTOMERS_NAME'] = $result['admin_name'];
$html_msg['EMAIL_MESSAGE_HTML'] = sprintf(TEXT_EMAIL_MULTIPLE_LOGIN_FAILURES, $_SERVER['REMOTE_ADDR']);
zen_record_admin_activity(sprintf(TEXT_EMAIL_MULTIPLE_LOGIN_FAILURES, $_SERVER['REMOTE_ADDR']), 'warning');
zen_mail($result['admin_name'], $result['admin_email'], TEXT_EMAIL_SUBJECT_LOGIN_FAILURES, sprintf(TEXT_EMAIL_MULTIPLE_LOGIN_FAILURES, $_SERVER['REMOTE_ADDR']), STORE_NAME, EMAIL_FROM, $html_msg, 'no_archive');
}
if ($expired_token < 10000) {
if ($_SESSION['login_attempt'] > 6 || $result['failed_logins'] > 6) {
$sql = "UPDATE " . TABLE_ADMIN . " SET lockout_expires = " . (time() + ADMIN_LOGIN_LOCKOUT_TIMER) . " WHERE admin_name = :adminname: ";
$sql = $db->bindVars($sql, ':adminname:', $admin_name, 'string');
$db->Execute($sql);
zen_session_destroy();
zen_record_admin_activity('Too many login failures. Account locked for ' . ADMIN_LOGIN_LOCKOUT_TIMER / 60 . ' minutes', 'warning');
sleep(15);
$redirect = zen_href_link(FILENAME_DEFAULT, '', 'SSL');
return array($error, $expired, $message, $redirect);
} else {
sleep(4);
}
}
}
// END LOGIN SLAM PREVENTION
// deal with expireds for SSL change
if ($error == FALSE && $result['pwd_last_change_date'] == '1990-01-01 14:02:22') {
$expired = true;
$error = true;
$message = ($message == '' ? '' : $message . '<br /><br />') . EXPIRED_DUE_TO_SSL;
}
// deal with expireds for PA-DSS
if ($error == FALSE && PADSS_PWD_EXPIRY_ENFORCED == 1 && $result['pwd_last_change_date'] < date('Y-m-d H:i:s', ADMIN_PASSWORD_EXPIRES_INTERVAL)) {
$expired = true;
$error = true;
}
if ($error == false) {
unset($_SESSION['login_attempt']);
$sql = "UPDATE " . TABLE_ADMIN . " SET failed_logins = 0, lockout_expires = 0, last_login_date = now(), last_login_ip = :ip: WHERE admin_name = :adminname: ";
$sql = $db->bindVars($sql, ':adminname:', $admin_name, 'string');
$sql = $db->bindVars($sql, ':ip:', $_SERVER['REMOTE_ADDR'], 'string');
$db->Execute($sql);
$_SESSION['admin_id'] = $result['admin_id'];
if (SESSION_RECREATE == 'True') {
zen_session_recreate();
}
$redirect = zen_href_link($camefrom, zen_get_all_get_params(array('camefrom')), 'SSL');
}
return array($error, $expired, $message, $redirect);
}
function zen_validate_password($plain, $encrypted)
{
if (!zen_not_null($plain) || !zen_not_null($encrypted)) {
return false;
}
if (strpos($encrypted, '$2y$') === 0) {
return zcPassword::getInstance(PHP_VERSION)->validatePassword($plain, $encrypted);
}
$stack = explode(':', $encrypted);
if (sizeof($stack) == 2) {
return md5($stack[1] . $plain) == $stack[0];
}
return false;
}
$password_confirmation = zen_db_prepare_input($_POST['password_confirmation']);
$error = false;
if (strlen($password_new) < ENTRY_PASSWORD_MIN_LENGTH) {
$error = true;
$messageStack->add('account_password', ENTRY_PASSWORD_NEW_ERROR);
} elseif ($password_new != $password_confirmation) {
$error = true;
$messageStack->add('account_password', ENTRY_PASSWORD_NEW_ERROR_NOT_MATCHING);
}
if ($error == false) {
$check_customer_query = "SELECT customers_password, customers_nick\r\n FROM " . TABLE_CUSTOMERS . "\r\n WHERE customers_id = :customersID";
$check_customer_query = $db->bindVars($check_customer_query, ':customersID', $_SESSION['customer_id'], 'integer');
$check_customer = $db->Execute($check_customer_query);
if (zen_validate_password($password_current, $check_customer->fields['customers_password'])) {
$nickname = $check_customer->fields['customers_nick'];
zcPassword::getInstance(PHP_VERSION)->updateLoggedInCustomerPassword($password_new, $_SESSION['customer_id']);
$sql = "UPDATE " . TABLE_CUSTOMERS_INFO . "\r\n SET customers_info_date_account_last_modified = now()\r\n WHERE customers_info_id = :customersID";
$sql = $db->bindVars($sql, ':customersID', $_SESSION['customer_id'], 'integer');
$db->Execute($sql);
if ($phpBB->phpBB['installed'] == true) {
if (zen_not_null($nickname) && $nickname != '') {
$phpBB->phpbb_change_password($nickname, $password_new);
}
}
$messageStack->add_session('account', SUCCESS_PASSWORD_UPDATED, 'success');
zen_redirect(zen_href_link(FILENAME_ACCOUNT, '', 'SSL'));
} else {
$error = true;
$messageStack->add('account_password', ERROR_CURRENT_PASSWORD_NOT_MATCHING);
}
}
function zen_validate_password($plain, $encrypted, $userRef = NULL)
{
$zcPassword = zcPassword::getInstance(PHP_VERSION);
return $zcPassword->validatePassword($plain, $encrypted);
}
public function testValidatePasswordCompatSha256()
{
$result = zcPassword::getInstance(PHP_VERSION)->validatePasswordCompatSha256('password', 'd95e8fa7f20a009372eb3477473fcd34:1c');
$this->assertTrue($result == false);
$result = zcPassword::getInstance(PHP_VERSION)->validatePasswordCompatSha256('testpass1', 'c7d6976483032e03d48c1255cc9714838915e58007952f9f5f9c2af6f81f20d7:4972adcbae0c13a8bf77560479341f0beb2fb200ff21c16fc1ade1d467208751');
$this->assertTrue($result == true);
$result = zcPassword::getInstance(PHP_VERSION)->validatePasswordCompatSha256('testpass1', '$2y$10$XP.PqzC8/M.NbVIRVVael.WU8YxBss.qBUIzXtoIuWPbFHYxjGySC');
$this->assertTrue($result == false);
}