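/**
 * Authenticate a user.
 *
 * Looks up the active user with the given e-mail, verifies the password
 * against the stored hash and logs the attempt (outcome, e-mail, client
 * address and X-Forwarded-For when present).
 *
 * @param $email
 *   The user's email
 *
 * @param $password
 *   The cleartext password used for authentication.
 *
 * @return
 *   NULL if the authentication failed, a User object on success.
 */
public static function authenticate($email, $password)
{
    $success = false;
    $user = static::first()->active()->email($email)->select();
    $root = static::first()->root()->select();

    if (!$user) {
        /*
         * No matching active user: still run password_verify() against the
         * root user's hash so that an unknown account takes roughly as long
         * as a wrong password. The root user is used because its password
         * "cost" is expected to match the other users'. The result is
         * discarded; $success stays false.
         */
        if ($root) {
            static::password_verify($password, $root->passwd);
        }
        // NOTE(review): without a root user the timing equalisation is
        // skipped rather than dereferencing null; the original would have
        // raised a warning/error on $root->passwd here.
    } else {
        $success = static::password_verify($password, $user->passwd);
    }

    /*
     * Log the attempt. X-Forwarded-For and the submitted e-mail are
     * client-controlled free text, so CR/LF are neutralised before they are
     * written, otherwise a request could forge additional log lines.
     * REMOTE_ADDR may be unset outside an HTTP request (e.g. CLI), hence
     * the isset() guard.
     */
    $no_newlines = function ($value) {
        return str_replace(["\r", "\n"], ' ', (string) $value);
    };
    $remote_addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    $ip_infos = 'IP=' . $no_newlines($remote_addr);
    if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $ip_infos .= ', X-Forwarded-For=' . $no_newlines($_SERVER['HTTP_X_FORWARDED_FOR']);
    }
    $outcome = $success ? 'Successfull' : 'Failed';
    $who = $no_newlines($email);
    No2_Logger::info("{$outcome} login for {$who} ({$ip_infos})");

    return $success ? $user : NULL;
}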
<?php die; } }
/*
 * NOTE(review): the two closing braces above end scopes that start before
 * this span; the dispatch code they belong to is not visible here, nor is
 * the `invoke_it` label targeted by the goto below.
 */
$view = $controller->view();
if (No2_HTTP::is_error($view->status()) && !$controller->can_render_errors()) {
    /*
     * The controller declined error handling, so we load the default error
     * controller to generate the response and jump back to the dispatch
     * step (the `invoke_it` label is defined outside this span).
     */
    require_once APPDIR . '/controllers/error.class.php';
    $controller = new ErrorController($view->status());
    unset($view);
    goto invoke_it;
}
/* from this point, $controller and $view are set and valid. */

/*
 * Here we know the status code, log the request and render the requested
 * resource.
 *
 * NOTE(review): REQUEST_URI (and REQUEST_METHOD) are written to the log
 * verbatim; both are client-controlled, so a request containing CR/LF could
 * forge extra log lines unless No2_Logger neutralises them — confirm.
 */
No2_Logger::info("{$_SERVER['REMOTE_ADDR']} - {$_SERVER['REQUEST_METHOD']} - {$_SERVER['REQUEST_URI']} - {$view->status()}");

/* kindly ask the view to render the response */
try {
    /*
     * Don't try to buffer the view's output using something like ob_start(),
     * it will OOM PHP if the response is moderately big.
     */
    $view->render();
    die;
} catch (Exception $e) {
    /*
     * Only Exception is caught; on PHP 7+ an Error thrown during rendering
     * would propagate past this handler. Execution continues after the
     * catch (no die here), so whatever follows this span runs on failure.
     */
    No2_Logger::err('view rendering exception: ' . $e->getMessage());
}