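/**
 * nonce() must never return an empty value, and no two generated values may repeat.
 *
 * The original loop only compared each adjacent pair (nonce() !== nonce()), which
 * would still pass for a generator that alternates between two values. Collecting a
 * batch and asserting that every element is distinct catches any short cycle.
 */
public function testNonceDoesntEverMatch()
{
    $this->assertNotEmpty(nonce());

    // Same number of nonce() calls as the original 30 pairwise iterations.
    $generated = [];
    for ($i = 0; $i < 60; $i++) {
        $generated[] = nonce();
    }

    // array_unique() compares as strings, so any duplicate shrinks the array.
    $this->assertCount(
        count($generated),
        array_unique($generated),
        'nonce() returned a duplicate value within a batch of 60 calls'
    );
}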
/**
 * POSTing an email / ninja-name pair that cannot belong to any account must redirect
 * back with the "unable to find a matching account" error embedded in the target URL.
 *
 * NOTE(review): the very message this test pins confirms that the reset form tells a
 * caller whether an account exists (user enumeration). A generic "if an account
 * matches, instructions were sent" response would be safer; changing it means changing
 * the expected string here, so confirm with the owners first.
 *
 * NOTE(review): the parameters are placed in the query bag even though the method is
 * POST; this only works if PasswordController::postEmail reads them through a
 * bag-agnostic accessor — confirm against the controller.
 */
public function testPostEmailReturnsErrorOnUnmatchableEmailAndNinjaName()
{
    // nonce() makes both values unique per run so no fixture could accidentally match.
    $unmatchableEmail = 'unmatchable@' . nonce() . 'com';
    $unmatchableName  = 'nomatch' . nonce();

    $request = Request::create('/resetpassword.php');
    $request->setMethod('POST');
    $request->query->set('email', $unmatchableEmail);
    $request->query->set('ninja_name', $unmatchableName);

    $response = (new PasswordController())->postEmail($request);

    $this->assertTrue($response instanceof RedirectResponse);

    $expectedFragment = url('unable to find a matching account');
    $this->assertTrue(
        strpos($response->getTargetUrl(), $expectedFragment) !== false,
        'Url Redirection did not contain expected error string'
    );
}
<?php $resp = \shgysk8zer0\Core\JSON_Response::load(); switch ($_POST['action']) { case 'logout': $login->logout(); $session->destroy(); $session = new \shgysk8zer0\Core\Session(); nonce(); $resp->enable('#main_menu menuitem[label=Login]')->disable('#main_menu menuitem[label=Logout]')->attributes('body > main', 'contextmenu', false)->sessionStorage('nonce', $session->nonce)->notify('User has been logged out', 'Login again to make changes.', 'images/icons/people.png'); break; case 'Clear PHP_errors': require_login('admin'); $DB->resetTable('errors'); file_put_contents(BASE . '/errors.log', null, LOCK_EX); $resp->notify('Success!', "Table (PHP_errors) has been reset", 'images/icons/db.png'); break; case 'restore database': require_login('admin'); $connect = \shgysk8zer0\Core\resources\Parser::parseFile('connect.json'); $DB->restore($connect->database) ? $resp->notify('Success', "The database has been restored from {$connect->database}.sql", 'images/icons/db.png')->reload() : $resp->notify('Failed', "There was a problem restoring from {$connect->database}.sql", 'images/icons/db.png'); break; case 'backup database': require_login('admin'); $connect = \shgysk8zer0\Core\resources\Parser::parseFile('connect.json'); $DB->dump() ? $resp->notify('Success', "The database has been backed up to {$connect->database}.sql", 'images/icons/db.png') : $resp->notify("Unable to backup to {$connect->database}.sql", 'Check file permissions', 'images/icons/db.png'); break; case 'update_sitemap': require_login('admin'); update_sitemap(); $resp->notify('Sitemap has been updated', 'View ' . URL . 'sitemap.xml', 'images/icons/db.png');
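/**
 * Verify a nonce, given the seed that was used to produce it.
 *
 * The expected value is recomputed for the current tick and each of the previous
 * config('nonce.split') ticks, so a nonce stays valid across the whole NONCE_LIFESPAN
 * window without any server-side storage.
 *
 * @param string|null $seed    the seed the nonce was generated from (may be null;
 *                             the `= null` default before a required parameter is
 *                             kept for caller compatibility, PHP 8 treats it as required)
 * @param mixed       $nonce   the client-supplied nonce; only a non-empty string can match
 * @param bool        $onetime when true, the per-seed cookie set at generation time is
 *                             mixed into the seed as well (see nonce())
 * @return int|false the number of nonce splits ago that the nonce was generated
 *                   (1 = current split), up to NONCE_LIFESPAN / NONCE_SPLIT, or false
 *                   when no split matches. Use `=== 1` for the shortest window and
 *                   `== true` to accept anything within the entire lifespan (e.g. 24 hours).
 */
function verify_nonce($seed = null, $nonce, $onetime = false)
{
    // Request input can be an array or null (e.g. `?nonce[]=x`); hash_equals()
    // requires strings and a non-string can never be a valid nonce.
    if (!is_string($nonce) || $nonce === '') {
        return false;
    }

    if ($onetime) {
        $cookieName = nonce($seed);
        if (!isset($_COOKIE[$cookieName])) {
            return false;
        }
        // NOTE(review): nothing here invalidates the cookie after a successful match,
        // so the "onetime" property depends on the caller clearing it — confirm.
        $seed .= $_COOKIE[$cookieName];
    }
    $seed .= session_id();

    // Walk back from the current tick over every split still inside the lifespan.
    $tick   = _nonce_tick();
    $splits = config('nonce.split', 24);
    for ($i = 0; $i < $splits; $i++) {
        // 10 hex chars taken 12 from the end of the 32-char digest, as nonce() emits.
        // md5 as the HMAC digest is legacy; changing it would invalidate outstanding nonces.
        $expected = substr(hash_hmac('md5', $seed . ($tick - $i), config('auth.salt')), -12, 10);

        // hash_equals(): strict and constant-time. The previous `==` let PHP compare
        // numeric-looking strings as numbers ("1e3" == "1000", "0000000000" == "0").
        if (hash_equals($expected, $nonce)) {
            return $i + 1;
        }
    }

    // No split produced this nonce.
    return false;
}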
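/**
 * Check a client-supplied key against the nonce derived from $str.
 *
 * @param string $str the value the nonce is derived from (passed straight to nonce())
 * @param mixed  $key the client-supplied value to verify
 * @return bool true only when $key is a string byte-for-byte equal to nonce($str)
 */
function valid_nonce($str, $key)
{
    // `$key == nonce($str)` was a loose comparison: on PHP < 8 an integer 0 equals any
    // non-numeric string, and numeric-looking strings compare as numbers. hash_equals()
    // is strict and constant-time, and requires both operands to be strings.
    if (!is_string($key)) {
        return false;
    }

    return hash_equals((string) nonce($str), $key);
}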
/**
 * Create and persist a password reset request for an account.
 *
 * @param Account     $account the account the reset is for
 * @param string|null $nonce   an explicit nonce to store; when null a fresh nonce() is
 *                             generated (the strength of the reset token rests on
 *                             nonce() being unpredictable — TODO confirm its source)
 * @return PasswordResetRequest
 */
public static function generate(Account $account, $nonce = null)
{
    // Only generate when the caller did not supply one: a null check, not truthiness,
    // so an explicitly passed "0" or "" is kept as-is.
    if ($nonce === null) {
        $nonce = nonce();
    }

    $attributes = [
        '_account_id' => $account->id(),
        'nonce'       => $nonce,
    ];

    return PasswordResetRequest::create($attributes);
}
if ($sent) { $_SESSION['alert'] = "password_sent"; } else { $alert[] = "email_fail_forgot_password_" . $_POST['login_email']; } } else { if ($_POST['login_password']) { // Check that the password is correct $hasher = new PasswordHash(8, FALSE); if ($hasher->CheckPassword($_POST['login_password'], $row["password"])) { // Check to ensure that user is only online once (USE IP ADDRESS) $_SESSION['cms_user_id'] = $row["id"]; // If user would like to "Remember Me" then store token if ($_POST['remember_me'] == 'true') { // Generate a new user token $token = nonce(); $sth2 = $dbh->prepare("UPDATE `directus_users` SET `token` = :token WHERE `id` = :id "); $sth2->bindParam(':token', $token); $sth2->bindParam(':id', $row["id"]); $sth2->execute(); setcookie("token", $token, time() + 60 * $settings['cms']['cookie_life'], CMS_PATH); } // Redirect to where you last were or the homepage if (file_exists('install.php')) { $_SESSION['alert'] = unlink('install.php') ? "installer_removed" : "installer_remove_manual"; header("Location: " . CMS_INSTALL_PATH . "settings.php"); die; } elseif ($_COOKIE['cms_redirect']) { // The installer should no longer be present if (file_exists('install.php')) { $_SESSION['alert'] = "remove_install";