/**
 * Reads the optional `exclude`, `include` and `expand` query parameters
 * off the request and stores them on this instance.
 *
 * Each parameter is accepted either as a non-empty comma-separated string
 * (split on commas) or as an array handed back by the request layer
 * (taken as-is). Anything else -- absent, empty string, other scalars --
 * is ignored and the corresponding setter is not called. Empty entries
 * are dropped with array_filter() before the setter runs.
 *
 * @param Request $req
 */
 public function __construct(Request $req)
 {
     $this->request = $req;
     // Normalise one raw query value into a list, or null when it is not
     // usable. Note that `!empty()` also rejects the literal string "0".
     $asList = static function ($raw) {
         if (is_string($raw) && !empty($raw)) {
             return explode(',', $raw);
         }
         return is_array($raw) ? $raw : null;
     };
     $excluded = $asList($req->query('exclude'));
     if ($excluded !== null) {
         $this->setExclude(array_filter($excluded));
     }
     $included = $asList($req->query('include'));
     if ($included !== null) {
         $this->setInclude(array_filter($included));
     }
     $expanded = $asList($req->query('expand'));
     if ($expanded !== null) {
         $this->setExpand(array_filter($expanded));
     }
 }
 /**
  * Handles a credential-based login attempt.
  *
  * Pulls `username`, `password` and `remember` from the request body and
  * forwards them to login(). Only `remember` is normalised (to bool);
  * the username and password are passed through exactly as the request
  * layer returned them, so any type/emptiness validation is left to
  * login().
  *
  * @param Request  $req
  * @param Response $res unused here
  *
  * @return mixed whatever login() returns
  */
 public function authenticate(Request $req, Response $res)
 {
     [$user, $secret] = [$req->request('username'), $req->request('password')];
     $rememberMe = (bool) $req->request('remember');
     return $this->login($user, $secret, $rememberMe);
 }
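 /**
  * Session middleware: configures PHP's session cookie and storage, starts
  * the session and attaches it to the request before calling $next.
  *
  * Passes straight through to $next when `sessions.enabled` is off in
  * config or the request is flagged as an API request.
  *
  * Hardening applied here:
  *  - session IDs are accepted from the cookie only (no URL rewriting /
  *    trans-sid), so they cannot leak into logs or Referer headers;
  *  - `session.use_strict_mode` rejects client-supplied IDs that the
  *    handler never issued, which closes the classic session-fixation hole;
  *  - the cookie is HttpOnly, Secure on TLS requests, and SameSite=Lax.
  *
  * @param Request  $req
  * @param Response $res
  * @param callable $next next middleware in the chain
  *
  * @return mixed the result of $next
  */
 public function __invoke(Request $req, Response $res, callable $next)
 {
     $config = $this->app['config'];
     if (!$config->get('sessions.enabled') || $req->isApi()) {
         return $next($req, $res);
     }
     // lifetime is used both for server-side gc and the cookie expiry
     $lifetime = (int) $config->get('sessions.lifetime');
     $hostname = $config->get('app.hostname');
     // Session IDs travel in the cookie only: no URL rewriting, no trans-sid.
     // ini values are passed as strings so this also works under
     // strict_types on PHP < 8.1, where ini_set() only accepted strings.
     ini_set('session.use_trans_sid', '0');
     ini_set('session.use_only_cookies', '1');
     ini_set('url_rewriter.tags', '');
     // Reject session IDs that were not generated by the session handler
     // (session fixation). NOTE: with a custom driver this only takes
     // effect if the handler implements
     // SessionUpdateTimestampHandlerInterface::validateId().
     ini_set('session.use_strict_mode', '1');
     // SameSite=Lax keeps the cookie off cross-site POSTs (CSRF surface).
     // The directive only exists on PHP >= 7.3; on older builds ini_set()
     // returns false and nothing changes. If a cross-site POST flow (e.g.
     // an SSO callback) needs the session, this must be revisited.
     ini_set('session.cookie_samesite', 'Lax');
     ini_set('session.gc_maxlifetime', (string) $lifetime);
     // Build the session name from config, stripping characters that are
     // not safe in a cookie name.
     $defaultSessionTitle = $config->get('app.title') . '-' . $hostname;
     $sessionTitle = $config->get('sessions.name', $defaultSessionTitle);
     $safeSessionTitle = str_replace(['.', ' ', "'", '"'], ['', '_', '', ''], $sessionTitle);
     session_name($safeSessionTitle);
     // Cookie scope: whole site, hostname plus all subdomains (leading dot),
     // Secure only when this request itself arrived over TLS, always HttpOnly.
     session_set_cookie_params($lifetime, '/', '.' . $hostname, $req->isSecure(), true);
     // make sure session data is written even if later middleware exits early
     session_register_shutdown();
     // Optional custom storage driver. The class name comes from config,
     // not from the request, so `new $class` is not reachable by a client.
     $class = $config->get('sessions.driver');
     if ($class) {
         $handler = new $class($this->app);
         $handler::registerHandler($handler);
     }
     session_start();
     // Re-issue the session cookie with an explicit expiry so the browser's
     // idea of the lifetime matches gc_maxlifetime.
     Utility::setCookieFixDomain(session_name(), session_id(), time() + $lifetime, '/', $hostname, $req->isSecure(), true);
     // expose the freshly started session to downstream handlers
     $req->setSession($_SESSION);
     return $next($req, $res);
 }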
 /**
  * Reads the remember-me cookie from the request and decodes it.
  *
  * The raw value is looked up under rememberMeCookieName() and handed
  * straight to RememberMeCookie::decode(); how a missing or malformed
  * value is treated is entirely up to decode() (not visible here).
  *
  * @param Request $req
  *
  * @return RememberMeCookie
  */
 private function getRememberMeCookie(Request $req)
 {
     $cookieName = $this->rememberMeCookieName();
     $rawValue = $req->cookies($cookieName);
     return RememberMeCookie::decode($rawValue);
 }
 /**
  * Step 2 in the forgot password process: resets the password given a
  * valid reset token.
  *
  * The caller's IP is taken from the request held by this object and
  * passed along so the password-reset service can record/rate-limit it.
  *
  * @param string $token    reset token
  * @param array  $password new password (shape is defined by step2())
  *
  * @throws AuthException when the step cannot be completed.
  *
  * @return bool
  */
 public function forgotStep2($token, array $password)
 {
     $clientIp = $this->request->ip();
     $reset = $this->getPasswordReset();
     return $reset->step2($token, $password, $clientIp);
 }
 /**
  * Builds a "request not recognized" (404) error for the current request.
  *
  * The message embeds the request method and path verbatim. The path is
  * client-controlled, so whoever renders InvalidRequest must escape it for
  * the output context (HTML, JSON, log line) -- that is not done here.
  *
  * @return InvalidRequest
  */
 protected function requestNotRecognizedError()
 {
     $message = sprintf(
         'Request was not recognized: %s %s',
         $this->request->method(),
         $this->request->path()
     );
     return new InvalidRequest($message, 404);
 }
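 /**
  * Verifies this remember-me cookie against an incoming request and, on
  * success, consumes the matching persistent session.
  *
  * Checks, in order: the cookie's own validity (isValid()), that the user
  * agent recorded in the cookie matches the request, that a user with the
  * cookie's email exists, and that exactly one unexpired PersistentSessions
  * row matches email + hashed series. The token is then compared on its
  * own: same series with a different token is treated as a replayed or
  * stolen cookie and every persistent session for that email is deleted.
  * A matching token is single-use and its row is removed here.
  *
  * @param Request     $req
  * @param AuthManager $auth
  *
  * @return object|false the matched user model on success, false otherwise
  */
 public function verify(Request $req, AuthManager $auth)
 {
     if (!$this->isValid()) {
         return false;
     }
     // The user agent must match the one captured when the cookie was
     // issued. Compared as strings with !== so PHP's loose comparison
     // cannot treat two different numeric-looking strings as equal.
     if ((string) $this->userAgent !== (string) $req->agent()) {
         return false;
     }
     // look up the user with a matching email address
     $userClass = $auth->getUserClass();
     $user = $userClass::where('email', $this->email)->first();
     if (!$user) {
         return false;
     }
     // the series is stored hashed; hash the cookie's copy for the lookup
     $seriesHash = $this->hash($this->series);
     // Rows created at or before this instant are expired. Everything
     // except the token is matched in SQL; the token is checked separately
     // below so a same-series/different-token cookie can be told apart
     // from a plain miss.
     $notBefore = time() - $this->getExpires();
     $db = $auth->getApp()['db'];
     $query = $db->select('token,two_factor_verified')
         ->from('PersistentSessions')
         ->where('email', $this->email)
         ->where('created_at', U::unixToDb($notBefore), '>')
         ->where('series', $seriesHash);
     $persistentSession = $query->one();
     if ($query->rowCount() !== 1) {
         return false;
     }
     $tokenHash = $this->hash($this->token);
     // Same series but a different token: an older token for this series
     // is being presented, most likely a replayed/stolen cookie, so every
     // persistent session for the account is invalidated. hash_equals() is
     // constant-time, so the comparison does not leak how many leading
     // bytes matched. (Assumes the stored token is a string; a NULL column
     // would make hash_equals() fail -- same as before.)
     if (!hash_equals($persistentSession['token'], $tokenHash)) {
         $db->delete('PersistentSessions')->where('email', $this->email)->execute();
         return false;
     }
     // tokens are single-use: remove the consumed row
     $db->delete('PersistentSessions')
         ->where('email', $this->email)
         ->where('series', $seriesHash)
         ->where('token', $tokenHash)
         ->execute();
     // carry the 2FA state recorded on the persistent session over to the user
     if ($persistentSession['two_factor_verified']) {
         $user->markTwoFactorVerified();
     }
     return $user;
 }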
 /**
  * Switches to compact output when the `compact` query parameter is set.
  *
  * This is a plain truthiness check, so `?compact=0` or an empty value
  * leaves the default (non-compact) output in place.
  *
  * @param Request $req
  */
 public function __construct(Request $req)
 {
     $wantsCompact = $req->query('compact');
     if ($wantsCompact) {
         $this->compactPrint();
     }
 }