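/**
 * Forgot-password handler (XHR).
 *
 * Validates usernameOrEmail, secondFactor, answer, passwordForgot and
 * passwordRetypedForgot from $_POST and delegates to
 * AuthUser::forgotPassword(); responds with a JSON-encoded StatusReturn.
 * Emits nothing when $this->checkAuth() fails (as in the original).
 *
 * Fixes versus the original:
 *  - $_POST fields are read defensively; a missing field used to raise an
 *    "undefined index" notice and fall through as null.
 *  - The two passwords are compared with `===`. `==` compares numeric-looking
 *    strings as numbers, so "1e3" and "1000" used to count as a match.
 */
function post_xhr() {
    if (!$this->checkAuth()) {
        return;
    }
    // Missing or non-string (e.g. array) fields are treated as empty strings.
    $field = function ($key) {
        return isset($_POST[$key]) && is_string($_POST[$key]) ? $_POST[$key] : '';
    };
    $usernameOrEmail = mb_strtolower($field('usernameOrEmail'));
    // Accept either a username (>= 8 chars of [A-Za-z0-9_-]) or a syntactically valid e-mail.
    $looksLikeUserName = mb_strlen($usernameOrEmail) >= 8
        && preg_match('/^[a-zA-Z0-9_\\-]+$/', $usernameOrEmail) === 1;
    if (!$looksLikeUserName && !filter_var($usernameOrEmail, FILTER_VALIDATE_EMAIL)) {
        echo json_encode(StatusReturn::E400('Unknown Error'));
        return;
    }
    // Optional second factor; when supplied it must be alphanumeric.
    $secondFactor = mb_strtolower($field('secondFactor'));
    if (!empty($secondFactor) && !ctype_alnum($secondFactor)) {
        echo json_encode(StatusReturn::E400('Unknown Error'));
        return;
    }
    // Optional security answer; when supplied it must be at least 6 characters.
    $answer = mb_strtolower($field('answer'));
    if (!empty($answer) && mb_strlen($answer) < 6) {
        echo json_encode(StatusReturn::E400('Unknown Error'));
        return;
    }
    $newPassword = $field('passwordForgot');
    $newRetypedPassword = $field('passwordRetypedForgot');
    if ($newPassword !== $newRetypedPassword) {
        echo json_encode(StatusReturn::E400('Unknown Error 4'));
        return;
    }
    // NOTE(review): an empty password pair passes the checks above, exactly as
    // before; forgotPassword() is assumed to enforce the password policy — confirm.
    $userForgot = new AuthUser();
    $responseArr = $userForgot->forgotPassword($usernameOrEmail, $secondFactor, $answer, $newPassword);
    // Same truthiness test as the original `== true`, but tolerant of a missing key.
    if (!empty($responseArr['continue'])) {
        echo json_encode(StatusReturn::S200($responseArr));
    } else {
        echo json_encode(StatusReturn::E400('Unknown Error 5'));
    }
}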
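/**
 * Change-password handler (XHR) for the authenticated user.
 *
 * Requires $this->checkAuth(); the target account is the one named by the
 * Auth-User header, whose request signature checkAuth() has already verified.
 * Delegates to AuthUser::setPassword(old, new) and answers with a JSON
 * StatusReturn. Emits nothing when checkAuth() fails (unchanged).
 *
 * Fix: the original tested both passwords with !empty(), which rejects the
 * legitimate password "0" (empty("0") is true). Presence is now checked with
 * isset()/is_string() and `!== ''`, so only missing, non-string or blank
 * values are refused.
 */
function post_xhr() {
    if (!$this->checkAuth()) {
        return;
    }
    $oldPassword = isset($_POST['oldPassword']) && is_string($_POST['oldPassword']) ? $_POST['oldPassword'] : '';
    $newPassword = isset($_POST['newPassword']) && is_string($_POST['newPassword']) ? $_POST['newPassword'] : '';
    if ($oldPassword === '' || $newPassword === '') {
        echo json_encode(StatusReturn::E400('Unknown Error'));
        return;
    }
    $headers = getallheaders();
    $user = new AuthUser();
    $user->loadUser(mb_strtolower($headers['Auth-User']));
    // NOTE(review): setPassword() is assumed to verify $oldPassword before
    // storing $newPassword and to enforce the password policy — confirm.
    if ($user->setPassword($oldPassword, $newPassword)) {
        echo json_encode(StatusReturn::S200());
    } else {
        echo json_encode(StatusReturn::E400('Unknown Error'));
    }
}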
/**
 * Security-question handler (XHR) for the authenticated user.
 *
 * Requires $this->checkAuth(). Expects a non-empty `question` and an `answer`
 * of at least _SECURITY_ANSWER_MIN_LENGTH_ characters in $_POST; the answer is
 * lower-cased before being stored via AuthUser::setQuestion() on the account
 * named by the Auth-User header. Answers with a JSON StatusReturn; emits
 * nothing when checkAuth() fails.
 */
function post_xhr() {
    if (!$this->checkAuth()) {
        return;
    }
    $hasQuestion = !empty($_POST['question']);
    $hasAnswer = isset($_POST['answer'])
        && mb_strlen($_POST['answer']) >= _SECURITY_ANSWER_MIN_LENGTH_;
    if (!$hasQuestion || !$hasAnswer) {
        echo json_encode(StatusReturn::E400('Unknown Error'));
        return;
    }
    $requestHeaders = getallheaders();
    $account = new AuthUser();
    $account->loadUser(mb_strtolower($requestHeaders['Auth-User']));
    // Answers are normalised to lower case so later comparisons are case-insensitive.
    $saved = $account->setQuestion($_POST['question'], mb_strtolower($_POST['answer']));
    echo json_encode($saved ? StatusReturn::S200() : StatusReturn::E400('Unknown Error'));
}
/**
 * Managed-users read handler (XHR).
 *
 * Requires $this->checkAuth(). Without $userName, returns the data of all
 * users manageable by the account in the Auth-User header
 * (AuthUser::getManageUsersData()); with $userName, returns that single user
 * (AuthUser::getManageUserData()) or a 400 when the lookup yields null, i.e.
 * the name is not a child of this account. Emits nothing when checkAuth() fails.
 *
 * @param string|null $userName optional user name from the route; lower-cased before lookup
 */
function get_xhr($userName = null) {
    if (!$this->checkAuth()) {
        return;
    }
    $requestHeaders = getallheaders();
    $account = new AuthUser();
    $account->loadUser(mb_strtolower($requestHeaders['Auth-User']));
    if ($userName === null) {
        echo json_encode(StatusReturn::S200($account->getManageUsersData()));
        return;
    }
    // Authorization for the single-user case lives inside getManageUserData():
    // it returns null for names outside this account's subtree.
    $child = $account->getManageUserData(mb_strtolower($userName));
    if ($child === null) {
        echo json_encode(StatusReturn::E400('User Name is not a child of this account!'));
        return;
    }
    echo json_encode(StatusReturn::S200($child));
}
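/**
 * Create-user handler (XHR).
 *
 * Validates user, email, password, question, answer and the optional factor
 * fields in $_POST, then calls AuthUser::createUser(); an optional two-letter
 * `lang` is applied with setLanguage() afterwards. Answers with a JSON
 * StatusReturn; emits nothing when $this->checkAuth() fails (unchanged).
 *
 * Fixes versus the original:
 *  - The last validation clause re-tested the length of `answer` instead of
 *    validating `factor` (a copy-paste slip: the answer length is already
 *    required earlier, so the clause was always true and `factor` was passed
 *    through unchecked, with an "undefined index" notice when absent). The
 *    factor is now optional and, when present, must be an alphanumeric string,
 *    mirroring how the forgot-password handler checks its secondFactor.
 *    NOTE(review): confirm this matches what createUser() expects.
 *  - `password` was tested with !empty(), which rejects the password "0";
 *    it is now required to be present and non-blank.
 */
function post_xhr() {
    if (!$this->checkAuth()) {
        return;
    }
    $factor = isset($_POST['factor']) ? $_POST['factor'] : null;
    $valid = isset($_POST['user'], $_POST['answer'], $_POST['password'])
        && mb_strlen($_POST['user']) >= _USERNAME_MIN_LENGTH_
        && preg_match('/^[a-zA-Z0-9_\\-]+$/', $_POST['user']) === 1
        && !empty($_POST['email'])
        && filter_var($_POST['email'], FILTER_VALIDATE_EMAIL) !== false
        && !empty($_POST['question'])
        && mb_strlen($_POST['answer']) >= _SECURITY_ANSWER_MIN_LENGTH_
        && is_string($_POST['password']) && $_POST['password'] !== ''
        && (empty($factor) || (is_string($factor) && ctype_alnum($factor)));
    if (!$valid) {
        echo json_encode(StatusReturn::E400('Unknown Error'));
        return;
    }
    $newUser = new AuthUser();
    $created = $newUser->createUser(
        mb_strtolower($_POST['user']),
        mb_strtolower($_POST['email']),
        $_POST['password'],
        $_POST['question'],
        mb_strtolower($_POST['answer']),
        $factor
    );
    if (!$created) {
        echo json_encode(StatusReturn::E400('Unknown Error'));
        return;
    }
    // Optional UI language: exactly two ASCII letters.
    if (isset($_POST['lang']) && $_POST['lang'] !== '' && mb_strlen($_POST['lang']) === 2 && ctype_alpha($_POST['lang'])) {
        $newUser->setLanguage($_POST['lang']);
    }
    echo json_encode(StatusReturn::S200());
}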
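/**
 * Settings handler (XHR) for the authenticated user.
 *
 * Expects baseLang (non-empty), twoFactorType (accepted by
 * TwoFactor::isValidValue) and an optional `packages` array in $_POST, then
 * calls AuthUser::setSettings() on the account named by the Auth-User header.
 * Answers with a JSON StatusReturn; emits nothing when $this->checkAuth()
 * fails (unchanged).
 *
 * Fix: `packages` was forwarded to setSettings() whatever its type. The
 * default is an array (and the request-signing code in checkAuth() treats
 * array POST values specially), so a scalar is now rejected as bad data
 * instead of being handed to setSettings() as a string.
 * NOTE(review): the package names themselves are not validated here;
 * setSettings() is assumed to whitelist them — confirm.
 */
function post_xhr() {
    if (!$this->checkAuth()) {
        return;
    }
    $packages = array();
    $packagesValid = true;
    if (isset($_POST['packages'])) {
        if (is_array($_POST['packages'])) {
            $packages = $_POST['packages'];
        } else {
            $packagesValid = false;
        }
    }
    $valid = $packagesValid
        && isset($_POST['baseLang'], $_POST['twoFactorType'])
        && !empty($_POST['baseLang'])
        && TwoFactor::isValidValue($_POST['twoFactorType'], false);
    if (!$valid) {
        echo json_encode(StatusReturn::E400('Missing or bad data!'));
        return;
    }
    $headers = getallheaders();
    $user = new AuthUser();
    $user->loadUser(mb_strtolower($headers['Auth-User']));
    if ($user->setSettings($_POST['baseLang'], $_POST['twoFactorType'], $packages)) {
        echo json_encode(StatusReturn::S200());
    } else {
        echo json_encode(StatusReturn::E400('Failed to save settings!'));
    }
}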
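/**
 * Authenticate the current request against the HMAC-signed header scheme and
 * authorize it against $roles.
 *
 * Required headers: Auth-User, Auth-Timestamp (unix seconds) and
 * Auth-Signature (base64 of raw HMAC-SHA512 over
 * METHOD . _DOMAIN_API_HOST_ . REQUEST_URI . canonical-POST . timestamp).
 * The HMAC key is the user's session secret (AuthUser::getUserSecret()) or,
 * while a session is being established ($initialize = true), the stored
 * password hash (AuthUser::getUserPassword()).
 *
 * With $initialize = true this also drives the two-step login handshake:
 * a POST without `challenge` must carry `password`, which is verified with
 * PBKDF2-SHA512 against the stored hash and, on success, a challenge is
 * issued (askClientChallenge) and true is returned without a signature
 * check; a POST with `challenge` must echo the pending challenge key, after
 * which the connection is initiated and the signature check applies.
 *
 * @param array $roles      roles of which the user must hold at least one
 * @param bool  $initialize true during the login handshake (see above)
 * @param bool  $whenLocked let a locked account through (e.g. for unlocking)
 * @return bool true when the request is authenticated and authorized
 *
 * Changes versus the original:
 *  - HTTPS enforcement read parse_url($_SERVER['REQUEST_URI'])['scheme'],
 *    which is unset for the usual origin-form request target ("/path?q"),
 *    so with _USE_HTTPS_ONLY_ enabled every request was rejected. The scheme
 *    now falls back to $_SERVER['HTTPS'] when the request target has none.
 *  - Timestamps more than the TTL in the future are rejected too; before, a
 *    far-future timestamp kept a captured signature replayable indefinitely.
 *  - The challenge is compared with hash_equals() on strings instead of
 *    `!=`/`==` (loose: "" == null, "1e3" == "1000"), and an absent or empty
 *    pending challenge is always rejected.
 *  - Missing or non-string `password`/`challenge` fields no longer reach the
 *    hash functions as null.
 */
public static function checkAuth($roles, $initialize = false, $whenLocked = false) {
    $headers = getallheaders();
    // NOTE(review): header-name casing is taken as sent; normalise in the
    // front controller if the SAPI does not preserve it.
    if (!isset($headers['Auth-User'], $headers['Auth-Timestamp'], $headers['Auth-Signature'])) {
        return false;
    }
    $timestamp = $headers['Auth-Timestamp'];
    if (!is_numeric($timestamp)) {
        return false;
    }
    $now = time();
    $oldest = strtotime('-' . _TIME_TO_LIVE_IN_MINUTES_ . ' minute', $now);
    $newest = strtotime('+' . _TIME_TO_LIVE_IN_MINUTES_ . ' minute', $now);
    // Window check only: there is no nonce, so a captured request remains
    // replayable for up to the TTL. Add per-user nonce tracking if that matters.
    if ($timestamp < $oldest || $timestamp > $newest) {
        return false;
    }
    if (_USE_HTTPS_ONLY_) {
        $requestedURI = parse_url($_SERVER['REQUEST_URI']);
        if (is_array($requestedURI) && isset($requestedURI['scheme'])) {
            // Absolute-form request target (the only case the original handled).
            $scheme = $requestedURI['scheme'];
        } else {
            $scheme = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';
        }
        // NOTE(review): behind a TLS-terminating proxy $_SERVER['HTTPS'] is not
        // set; map a trusted X-Forwarded-Proto onto it in the front controller.
        if ($scheme !== 'https') {
            return false;
        }
    }
    $userData = new AuthUser();
    if (!$userData->loadUser(mb_strtolower($headers['Auth-User']), $initialize)) {
        return false;
    }
    if ($userData->isLocked() && !$whenLocked) {
        return false;
    }
    if ($initialize) {
        // Handshake: the signature is keyed with the stored password hash.
        $userSecret = $userData->getUserPassword();
        $salt = $userData->getSalt();
        $challenge = $userData->getChallengeKey();
        if (!array_key_exists('challenge', $_POST)) {
            $password = isset($_POST['password']) && is_string($_POST['password']) ? $_POST['password'] : '';
            // NOTE: 1000 PBKDF2 rounds is far below current guidance, but the
            // count is baked into the stored hashes; raising it needs a
            // rehash-on-login migration, not a change here.
            if (!hash_equals((string) $userSecret, hash_pbkdf2('sha512', $password, $salt, 1000))) {
                $userData->addFailedLogin();
                return false;
            }
            $userData->askClientChallenge();
            return true;
        }
        $pending = (string) $challenge;
        $posted = $_POST['challenge'];
        // Constant-time, strict comparison; no pending challenge means no match.
        if ($pending === '' || !is_string($posted) || !hash_equals($pending, $posted)) {
            $userData->addFailedLogin();
            return false;
        }
        $userData->initiateConnection();
    } else {
        $userSecret = $userData->getUserSecret();
    }
    // Canonical form of the POST body: key=value pairs joined by '&', array
    // values joined by ','. There is no percent-encoding, so keys or values
    // containing '&', '=' or ',' are ambiguous — but this must stay
    // byte-compatible with the client's signer, so it is reproduced unchanged.
    $parts = array();
    foreach ($_POST as $key => $value) {
        if (is_array($value)) {
            $parts[] = $key . '=' . implode(',', $value);
        } else {
            $parts[] = $key . '=' . $value;
        }
    }
    $data = implode('&', $parts);
    $signatureData = $_SERVER['REQUEST_METHOD'] . _DOMAIN_API_HOST_ . $_SERVER['REQUEST_URI'] . $data . $timestamp;
    $expectedSignature = base64_encode(hash_hmac('sha512', $signatureData, (string) $userSecret, true));
    if (hash_equals($expectedSignature, $headers['Auth-Signature'])
        && count(array_intersect($userData->getUserRoles(), $roles)) > 0) {
        $userData->makeSuccessfulLogin($initialize);
        return true;
    }
    // initiateConnection() may already have attached a secret and second
    // factor to the response, but the signature test failed: strip them so
    // the client never receives them.
    header_remove('Auth-Secret');
    header_remove('Auth-Second-Factor');
    if ($initialize) {
        $userData->addFailedLogin();
    }
    return false;
}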