/**
* Authenticate user.
*
* @param array $form Form fields.
*
* @return bool
*/
protected function authenticate($form)
{
/** @var User $user */
$user = $this->grav['user'];
if (!$user->authenticated) {
$username = isset($form['username']) ? $form['username'] : $this->rememberMe->login();
// Normal login process
$user = User::load($username);
if ($user->exists()) {
if (!empty($form['username']) && !empty($form['password'])) {
// Authenticate user
$user->authenticated = $user->authenticate($form['password']);
if ($user->authenticated) {
$this->grav['session']->user = $user;
unset($this->grav['user']);
$this->grav['user'] = $user;
// If the user wants to be remembered, create Rememberme cookie
if (!empty($form['rememberme'])) {
$this->rememberMe->createCookie($form['username']);
} else {
$this->rememberMe->clearCookie();
$this->rememberMe->getStorage()->cleanAllTriplets($user->get('username'));
}
}
}
}
}
// Authorize against user ACL
$user_authorized = $user->authorize('site.login');
$user->authenticated = $user->authenticated && $user_authorized;
return $user->authenticated;
}
/**
* Logs the user in.
*
* @return \API\Document\User The user document
*/
public function loginPost($request)
{
$params = new Set($request->post());
// CSRF protection
if (!$params->has('csrfToken') || !isset($_SESSION['csrfToken']) || $params->get('csrfToken') !== $_SESSION['csrfToken']) {
throw new \Exception('Invalid CSRF token.', Resource::STATUS_BAD_REQUEST);
}
// This could be in JSON schema as well :)
if (!$params->has('email') || !$params->has('password')) {
throw new \Exception('Username or password missing!', Resource::STATUS_BAD_REQUEST);
}
$collection = $this->getDocumentManager()->getCollection('users');
$cursor = $collection->find();
$cursor->where('email', $params->get('email'));
$cursor->where('passwordHash', sha1($params->get('password')));
$document = $cursor->current();
if (null === $document) {
$errorMessage = 'Invalid login attempt. Try again!';
$this->errors[] = $errorMessage;
throw new \Exception($errorMessage, Resource::STATUS_UNAUTHORIZED);
}
$this->single = true;
$this->users = [$document];
// Set the session
$_SESSION['userId'] = $document->getId();
$_SESSION['expiresAt'] = time() + 3600;
//1 hour
// Set the Remember me cookie
$rememberMeStorage = new RemembermeMongoStorage($this->getDocumentManager());
$rememberMe = new Rememberme\Authenticator($rememberMeStorage);
if ($params->has('rememberMe')) {
$rememberMe->createCookie($document->getId());
} else {
$rememberMe->clearCookie();
}
return $document;
}
}
// Normally you would store the credentials in a DB
$username = "******";
$password = "******";
// Initialize RememberMe Library with file storage
$storagePath = dirname(__FILE__) . "/tokens";
if (!is_writable($storagePath) || !is_dir($storagePath)) {
die("'{$storagePath}' does not exist or is not writable by the web server.\n To run the example, please create the directory and give it the\n correct permissions.");
}
$storage = new Rememberme\Storage\File($storagePath);
$rememberMe = new Rememberme\Authenticator($storage);
// First, we initialize the session, to see if we are already logged in
session_start();
if (!empty($_SESSION['username'])) {
if (!empty($_GET['logout'])) {
$rememberMe->clearCookie($_SESSION['username']);
redirect(true);
}
if (!empty($_GET['completelogout'])) {
$storage->cleanAllTriplets($_SESSION['username']);
redirect(true);
}
// Check, if the Rememberme cookie exists and is still valid.
// If not, we log out the current session
if (!empty($_COOKIE[$rememberMe->getCookieName()]) && !$rememberMe->cookieIsValid()) {
redirect(true);
}
// User is still logged in - show content
$content = tpl("user_is_logged_in");
} else {
// If we can present the correct tokens from the cookie, we are logged in