 /**
  * Round-trip check for the password helpers: a freshly generated random
  * secret must hash to a string that verifies against the same secret.
  */
 public function testPassword()
 {
     $secret = \SecureFuncs\SecureFuncs::randomString(32);
     $digest = \SecureFuncs\SecureFuncs::password_hash($secret);

     $this->assertInternalType('string', $digest);

     $verified = \SecureFuncs\SecureFuncs::password_verify($secret, $digest);
     $this->assertTrue($verified);
 }
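 /**
  * Log in an existing user.
  *
  * The entered username is lower-cased and matched against the e-mail column
  * when it validates as an e-mail address, otherwise against the username
  * column. A legacy md5 password hash is accepted once and upgraded to a
  * bcrypt hash on that login; bcrypt hashes are rehashed when
  * password_needs_rehash() reports the algorithm or cost is outdated.
  *
  * @param string $username   Username or e-mail address as entered
  * @param string $password   Plain-text password as entered
  * @param string $rememberme "on" to set a persistent authentication cookie
  * @return bool true when the user was logged in; false otherwise, with an
  *              error message set through setMessage()
  */
 public function login($username, $password, $rememberme = "off")
 {
     $this->checkLoggedIn();
     if (Core::$loggedIn !== false) {
         $this->setMessage('error', ADVANCEDLOGINSCRIPT_USER_ALREADY_LOGGED_IN);
         return false;
     }
     $username = strtolower($username);
     $_SESSION['stored_login_fields']['username'] = $username;
     // Throttle: refuse the attempt once three logins have already failed.
     // (No assignment here: "$x = f() >= 3" stored the comparison result, not the count.)
     if ($this->checkFailedLogins() >= 3) {
         $this->setMessage('error', ADVANCEDLOGINSCRIPT_USER_FAILED_ATTEMPTS);
         return false;
     }
     // Match on the e-mail column when the input is a valid address, else on the
     // username column; either way the value is bound as a query parameter.
     $isEmail = filter_var($username, FILTER_VALIDATE_EMAIL) !== false;
     $record = $this->newBuilder()
         ->select('*, u.id as id, ug.id as usergroup_id, ug.name as usergroup')
         ->from('users', 'u')
         ->innerJoin('u', 'usergroups', 'ug', 'u.user_group = ug.id')
         ->where($isEmail ? 'LOWER(email) = :login' : 'LOWER(username) = :login')
         ->setParameter('login', $username)
         ->execute()
         ->fetch();
     if (!$record) {
         // No such user: record the failure against no account.
         $this->addLoginAttempt(NULL, 'not_found');
         $this->setMessage('error', ADVANCEDLOGINSCRIPT_INVALID_LOGIN);
         return false;
     }
     // Cast before comparing: database drivers may return these flags as strings,
     // in which case a strict "=== 1" never matches and a banned user is let through.
     if ((int) $record['banned'] === 1) {
         // Banned: log out to make sure the session is reset.
         $this->setMessage('error', ADVANCEDLOGINSCRIPT_USER_BANNED);
         $this->logout();
         return false;
     }
     if ((int) $record['active'] === 0) {
         // Inactive: the user still has to activate the account.
         $this->logout();
         $this->setMessage('error', ADVANCEDLOGINSCRIPT_USER_INACTIVE);
         return false;
     }
     $storedHash = (string) $record['password'];
     $rehash = false;
     if (hash_equals($storedHash, md5($password))) {
         // Legacy unsalted md5 hash: accept it this once and upgrade it below.
         // This branch can be dropped once no md5 hashes remain in the table.
         $rehash = true;
     } elseif (\SecureFuncs\SecureFuncs::password_verify($password, $storedHash)) {
         // bcrypt hash: rehash only when the algorithm or cost is outdated.
         $rehash = password_needs_rehash($storedHash, PASSWORD_DEFAULT);
     } else {
         $this->addLoginAttempt($record['id'], 'invalid_password');
         $this->setMessage('error', ADVANCEDLOGINSCRIPT_INVALID_LOGIN);
         return false;
     }
     // Record the login time and, when required, the upgraded password hash.
     $update_user = $this->newBuilder()
         ->update('users')
         ->set('last_login', 'now()')
         ->where('id = :id')
         ->setParameter(":id", $record['id']);
     if ($rehash) {
         $newHash = \SecureFuncs\SecureFuncs::password_hash($password, PASSWORD_DEFAULT);
         $update_user->set('password', ':password')->setParameter(":password", $newHash);
     }
     $update_user->execute();
     if ($rememberme === "on" || $rememberme === true) {
         // Persistent login requested: issue a new authentication cookie.
         $this->set_auth_cookie($record['id']);
     }
     $this->addLoginAttempt($record['id'], 1);
     // Never keep the password hash in session state.
     unset($record['password']);
     unset($_SESSION['stored_login_fields']);
     $_SESSION['currentuser'] = $record;
     // Regenerate the session ID on this privilege change and delete the old
     // session data so the pre-login ID cannot be reused (session fixation).
     session_regenerate_id(true);
     $this->setMessage('success', ADVANCEDLOGINSCRIPT_USER_LOGGED_IN . $record['username']);
     if (ADVANCEDLOGINSCRIPT_ENABLE_JWT) {
         $this->refreshJWTtoken($record);
     }
     return true;
 }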