 /**
  * Authenticate user.
  *
  * Takes the user already held in the container; when that user is not yet
  * authenticated, loads the account named by the form (or, when the form has
  * no username, the name returned by the remember-me login) and, only if both
  * a username and a password were posted, checks the password. In every case
  * the result is the user's authenticated flag AND-ed with the 'site.login'
  * ACL check, and that combined value is written back to the user.
  *
  * @param  array $form Form fields; the keys read here are 'username',
  *                     'password' and 'rememberme'.
  *
  * @return bool True only when the user is authenticated and authorized for 'site.login'.
  */
 protected function authenticate($form)
 {
     /** @var User $user */
     $user = $this->grav['user'];
     if (!$user->authenticated) {
         // Without a form username fall back to the remember-me login.
         // NOTE(review): on that cookie path no password is posted, so the
         // password branch below is skipped and this method never sets
         // authenticated on the loaded user — presumably the remember-me
         // login is completed elsewhere; verify against the caller.
         $username = isset($form['username']) ? $form['username'] : $this->rememberMe->login();
         // Normal login process
         $user = User::load($username);
         if ($user->exists()) {
             if (!empty($form['username']) && !empty($form['password'])) {
                 // Authenticate user
                 $user->authenticated = $user->authenticate($form['password']);
                 if ($user->authenticated) {
                     // Replace the container's user with the freshly authenticated one
                     // (unset first so the re-assignment is not rejected as a duplicate key).
                     // NOTE(review): nothing here regenerates the session id on this
                     // privilege change; confirm the session layer does it, otherwise
                     // a session id fixed before login stays valid after it.
                     $this->grav['session']->user = $user;
                     unset($this->grav['user']);
                     $this->grav['user'] = $user;
                     // If the user wants to be remembered, create Rememberme cookie
                     if (!empty($form['rememberme'])) {
                         $this->rememberMe->createCookie($form['username']);
                     } else {
                         // Explicit "do not remember": drop the cookie and — judging by the
                         // name — every stored remember-me triplet for this account.
                         $this->rememberMe->clearCookie();
                         $this->rememberMe->getStorage()->cleanAllTriplets($user->get('username'));
                     }
                 }
             }
         }
     }
     // Authorize against user ACL
     $user_authorized = $user->authorize('site.login');
     $user->authenticated = $user->authenticated && $user_authorized;
     return $user->authenticated;
 }
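 /**
  * Logs the user in.
  *
  * Validates the CSRF token, looks up the user by e-mail and password hash,
  * binds the user to the PHP session and sets or clears the remember-me cookie.
  *
  * @param  object $request Request whose post() returns the submitted fields
  *                         (project type; its class is not visible here).
  *
  * @return \API\Document\User The user document
  *
  * @throws \Exception STATUS_BAD_REQUEST on a bad CSRF token or missing fields,
  *                    STATUS_UNAUTHORIZED when no user matches the credentials.
  */
 public function loginPost($request)
 {
     $params = new Set($request->post());
     // CSRF protection. Both sides must be strings and the comparison is constant-time,
     // so neither a non-string submission nor byte-by-byte probing gets past this check.
     $submittedToken = $params->has('csrfToken') ? $params->get('csrfToken') : null;
     $sessionToken = isset($_SESSION['csrfToken']) ? $_SESSION['csrfToken'] : null;
     if (!is_string($submittedToken) || !is_string($sessionToken) || !hash_equals($sessionToken, $submittedToken)) {
         throw new \Exception('Invalid CSRF token.', Resource::STATUS_BAD_REQUEST);
     }
     // This could be in JSON schema as well :)
     // Non-string values are rejected here so sha1() below cannot raise a TypeError on an array.
     if (!$params->has('email') || !$params->has('password')
         || !is_string($params->get('email')) || !is_string($params->get('password'))
     ) {
         throw new \Exception('Username or password missing!', Resource::STATUS_BAD_REQUEST);
     }
     $collection = $this->getDocumentManager()->getCollection('users');
     $cursor = $collection->find();
     $cursor->where('email', $params->get('email'));
     // FIXME(security): the stored credential is an unsalted sha1() of the password, which is
     // cheap to brute-force offline if the collection ever leaks. Changing it means migrating
     // stored users to password_hash()/password_verify(), which this method cannot do alone.
     $cursor->where('passwordHash', sha1($params->get('password')));
     $document = $cursor->current();
     if (null === $document) {
         $errorMessage = 'Invalid login attempt. Try again!';
         $this->errors[] = $errorMessage;
         throw new \Exception($errorMessage, Resource::STATUS_UNAUTHORIZED);
     }
     $this->single = true;
     $this->users = [$document];
     // Set the session. A fresh session id on this privilege change stops a session id
     // obtained before login from staying valid afterwards (session fixation).
     if (session_status() === PHP_SESSION_ACTIVE) {
         session_regenerate_id(true);
     }
     $_SESSION['userId'] = $document->getId();
     $_SESSION['expiresAt'] = time() + 3600; // 1 hour
     // Set the Remember me cookie
     $rememberMeStorage = new RemembermeMongoStorage($this->getDocumentManager());
     $rememberMe = new Rememberme\Authenticator($rememberMeStorage);
     if ($params->has('rememberMe')) {
         $rememberMe->createCookie($document->getId());
     } else {
         $rememberMe->clearCookie();
     }
     return $document;
 }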
        // There is a chance that an attacker has stolen the login token, so we store
        // the fact that the user was logged in via RememberMe (instead of login form)
        $_SESSION['remembered_by_cookie'] = true;
        redirect();
    } else {
        // If $rememberMe returned false, check if the token was invalid
        if ($rememberMe->loginTokenWasInvalid()) {
            $content = tpl("cookie_was_stolen");
        } else {
            if (!empty($_POST)) {
                if ($username == $_POST['username'] && $password == $_POST['password']) {
                    session_regenerate_id();
                    $_SESSION['username'] = $username;
                    // If the user wants to be remembered, create Rememberme cookie
                    if (!empty($_POST['rememberme'])) {
                        $rememberMe->createCookie($username);
                    } else {
                        $rememberMe->clearCookie();
                    }
                    redirect();
                } else {
                    $content = tpl("login", "Invalid credentials");
                }
            } else {
                $content = tpl("login");
            }
        }
    }
}
// template function for including content, nothing interesting
function tpl($template, $msg = "")