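 /**
  * Hashing the same string twice with the same salt must be deterministic:
  * hash($string) returns an array with "salt" and "hash" keys, and
  * hash($string, $salt) must reproduce the "hash" element for that salt.
  */
 public function testHash()
 {
     $helper = \Helper\Security::instance();
     $string = "Hello world!";
     $hash = $helper->hash($string);
     // Re-hash with the salt that was generated by the first call
     $result = $helper->hash($string, $hash["salt"]);
     // PHPUnit's signature is assertEquals($expected, $actual); the original
     // passed them reversed, which only made the failure message misleading.
     $this->assertEquals($hash["hash"], $result);
 }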
 /**
  * Create a new session
  *
  * With a user ID the session is populated with a token from the security
  * helper, the client IP reported by the framework and a creation timestamp,
  * and is saved unless $auto_save is false. Without a user ID only the
  * model constructor runs.
  *
  * @param int  $user_id
  * @param bool $auto_save
  */
 public function __construct($user_id = null, $auto_save = true)
 {
     // The model constructor always runs first, even for an empty session
     parent::__construct();
     if ($user_id === null) {
         return;
     }
     $this->user_id = $user_id;
     $this->token = \Helper\Security::instance()->salt_sha2();
     $this->ip = \Base::instance()->get("IP");
     // date() formats in the server's default timezone
     $this->created = date("Y-m-d H:i:s");
     if ($auto_save) {
         $this->save();
     }
 }
// Check for GD library: profile pictures and file thumbnails depend on it,
// so only a warning is recorded when it is missing
$gdLoaded = function_exists("imagecreatetruecolor");
if ($gdLoaded === false) {
    $f3->set("warning", "GD library is not available. Profile pictures and file thumbnails will not work until it is installed.");
}
// Run installation process if post data received
if ($_POST) {
    $post = $_POST;
    try {
        // Connect to database
        $db = new \DB\SQL("mysql:host=" . $post["db-host"] . ";port=" . $post["db-port"] . ";dbname=" . $post["db-name"], $post["db-user"], $post["db-pass"]);
        // Run installation scripts
        $install_db = file_get_contents("db/database.sql");
        $db->exec(explode(";", $install_db));
        // Create admin user
        $f3->set("db.instance", $db);
        $security = \Helper\Security::instance();
        $user = new \Model\User();
        $user->role = "admin";
        $user->rank = 5;
        // superadmin
        $user->name = "Admin";
        $user->username = $post["user-username"] ?: "admin";
        $user->email = $post["user-email"];
        $user->salt = $security->salt();
        $user->password = $security->hash($post["user-password"] ?: "admin", $user->salt);
        $user->api_key = $security->salt_sha1();
        $user->save();
    } catch (PDOException $e) {
        $f3->set("warning", $e->getMessage());
        return false;
    }
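 /**
  * POST handler for the admin user editor: creates a user, or updates the
  * one named by POST.user_id, then redirects to the user list.
  *
  * Every validation failure re-renders admin/users/edit.html with "error"
  * set and returns without saving anything.
  *
  * @param \Base $f3
  */
 public function user_save($f3)
 {
     $security = \Helper\Security::instance();
     $user = new \Model\User();
     // Shared failure path: show the form again with a message
     $fail = function ($message) use ($f3) {
         $f3->set("error", $message);
         $this->_render("admin/users/edit.html");
     };
     $password = $f3->get("POST.password");
     // Load current user if set, otherwise validate fields for new user
     if ($user_id = $f3->get("POST.user_id")) {
         $f3->set("title", $f3->get("dict.edit_user"));
         $user->load($user_id);
         $f3->set("this_user", $user);
     } else {
         $f3->set("title", $f3->get("dict.new_user"));
         // A new account needs a password. The original reported this case as
         // "User already exists with this username", which misled the operator.
         if (!$password) {
             $fail("A password is required for a new user");
             return;
         }
         // Check for existing users with same info
         $user->load(array("username = ?", $f3->get("POST.username")));
         if ($user->id) {
             $fail("User already exists with this username");
             return;
         }
         $user->load(array("email = ?", $f3->get("POST.email")));
         if ($user->id) {
             $fail("User already exists with this email address");
             return;
         }
         // Set new user fields
         $user->api_key = $security->salt_sha1();
         $user->created_date = $this->now();
     }
     // Validate password if being set
     if ($password) {
         // Strict comparison: loose != treats numeric-looking strings such as
         // "1e3" and "1000" as equal, so a mismatched confirmation could pass.
         if ($password !== $f3->get("POST.password_confirm")) {
             $fail("Passwords do not match");
             return;
         }
         // Byte length, as before; 6 is the minimum used across the app
         if (strlen($password) < 6) {
             $fail("Passwords must be at least 6 characters");
             return;
         }
         // Check if giving user temporary or permanent password
         if ($f3->get("POST.temporary_password")) {
             // NOTE(review): a null salt plus an unsalted hash appears to be how
             // a temporary password is recorded — confirm against the login path
             $user->salt = null;
             $user->password = $security->hash($password, "");
         } else {
             $user->salt = $security->salt();
             $user->password = $security->hash($password, $user->salt);
         }
     }
     // Set basic fields
     $user->username = $f3->get("POST.username");
     $user->email = $f3->get("POST.email");
     $user->name = $f3->get("POST.name");
     // Don't allow user to change own rank. Loose != kept on purpose: the two
     // ids may arrive as string and int.
     if ($user->id != $f3->get("user.id")) {
         $user->rank = $f3->get("POST.rank");
     }
     // Rank 4 and above is an administrator
     $user->role = $user->rank < 4 ? 'user' : 'admin';
     $user->task_color = ltrim($f3->get("POST.task_color"), "#");
     // Save user
     $user->save();
     $f3->reroute("/admin/users#" . $user->id);
 }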
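 /**
  * POST handler for the forced password reset form (the name suggests the
  * current user is required to pick a new password before continuing).
  *
  * On success the new salted hash is saved and the user is sent to "/";
  * otherwise index/reset_forced.html is re-rendered with "reset.error" set.
  *
  * @param \Base $f3
  */
 public function reset_forced($f3)
 {
     $user = new \Model\User();
     $user->loadCurrent();
     $password = $f3->get("POST.password1");
     // Strict comparison: loose != treats numeric-looking strings such as
     // "1e3" and "1000" as equal, so a mismatched confirmation could pass.
     if ($password !== $f3->get("POST.password2")) {
         $f3->set("reset.error", "The given passwords don't match.");
     } elseif (strlen((string) $password) < 6) {
         // Byte length, as before; 6 is the minimum used across the app
         $f3->set("reset.error", "The given password is too short. Passwords must be at least 6 characters.");
     } else {
         // Save new password and redirect to dashboard
         $security = \Helper\Security::instance();
         $user->salt = $security->salt();
         $user->password = $security->hash($password, $user->salt);
         $user->save();
         $f3->reroute("/");
         return;
     }
     $this->_render("index/reset_forced.html");
 }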
 /**
  * randChars(64) must return exactly 64 characters, each from the letters,
  * digits and punctuation allowed by the pattern below.
  */
 public function testRandChars()
 {
     $allowed = '/^[a-z0-9~!@#$%^&*_-]{64}$/i';
     $generated = \Helper\Security::randChars(64);
     $this->assertRegExp($allowed, $generated);
 }
        default:
            if (ob_get_level()) {
                include "app/view/error/inline.html";
            } else {
                include "app/view/error/500.html";
            }
    }
});
// Connect to database
$dsn = sprintf(
    "mysql:host=%s;port=%s;dbname=%s",
    $f3->get("db.host"),
    $f3->get("db.port"),
    $f3->get("db.name")
);
$f3->set("db.instance", new DB\SQL($dsn, $f3->get("db.user"), $f3->get("db.pass")));
// Load final configuration
\Model\Config::loadAll();
// Ensure database is up to date: checkDatabaseVersion() returns true when
// nothing needs doing, otherwise a value that is handed to updateDatabase()
$securityHelper = \Helper\Security::instance();
$version = $securityHelper->checkDatabaseVersion();
if ($version !== true) {
    $securityHelper->updateDatabase($version);
}
// Minify static resources
// Cache for 1 week (the TTL value itself is read from cache_expire.minify)
$minifyHandler = function (Base $f3, $args) {
    // NOTE(review): @type and @files come straight from the URL; this relies
    // on Web::minify confining reads to the UI directory — confirm.
    $f3->set("UI", $args["type"] . "/");
    echo Web::instance()->minify($args["files"]);
};
$f3->route("GET /minify/@type/@files", $minifyHandler, $f3->get("cache_expire.minify"));
// Initialize plugins and any included locales
$pluginDir = scandir("app/plugin");
$plugins = array();
$locales = "";
foreach ($pluginDir as $pluginName) {
    if ($pluginName != "." && $pluginName != ".." && is_dir("app/plugin/{$pluginName}") && is_file("app/plugin/{$pluginName}/base.php") && is_dir("app/plugin/{$pluginName}/dict")) {
        $locales .= ";app/plugin/{$pluginName}/dict/";
    }
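 /**
  * POST handler for the account page. When old_pass is submitted the
  * password is changed; otherwise the profile fields (name, email,
  * task_color, theme, language) are updated. The user row is saved only
  * when validation passed, then the page is re-rendered.
  *
  * @param \Base $f3      replaced by \Base::instance() below, as before
  * @param array $params  route parameters, unused
  */
 public function save($f3, $params)
 {
     $f3 = \Base::instance();
     $post = array_map("trim", $f3->get("POST"));
     $user = new \Model\User();
     $user->load($this->_userId);
     if (!empty($post["old_pass"])) {
         $error = $this->_applyPasswordChange($user, $post);
         $successMessage = "Password updated successfully.";
     } else {
         $error = $this->_applyProfileChange($user, $post);
         $successMessage = "Profile updated successfully.";
     }
     if ($error === null) {
         $user->save();
         $f3->set("success", $successMessage);
     } else {
         // Nothing is persisted on a validation error. The previous version
         // still called save() here and could store half-updated profile fields.
         $f3->set("error", $error);
     }
     $f3->set("title", $f3->get("dict.my_account"));
     $f3->set("menuitem", "user");
     // Use new user values for page
     $user->loadCurrent();
     $f3->set("languages", $this->_languages);
     $this->_loadThemes();
     $this->_render("user/account.html");
 }

 /**
  * Validate and apply a password change from the account form.
  *
  * @param \Model\User $user  loaded current user
  * @param array       $post  trimmed POST fields: old_pass, new_pass, new_pass_confirm
  * @return string|null       error message, or null when the new salt and hash were set
  */
 private function _applyPasswordChange($user, array $post)
 {
     $security = \Helper\Security::instance();
     // hash_equals() is constant-time and strict. The original compared with ==,
     // which is timing-dependent and subject to numeric-string juggling
     // ("0e123" == "0e456" is true).
     $given = $security->hash($post["old_pass"], $user->salt);
     if (!is_string($given) || !hash_equals((string) $user->password, $given)) {
         return "Current password entered is not valid.";
     }
     $newPass = isset($post["new_pass"]) ? $post["new_pass"] : "";
     // Byte length, as before; 6 is the minimum used across the app
     if (strlen($newPass) < 6) {
         return "New password must be at least 6 characters.";
     }
     $confirm = isset($post["new_pass_confirm"]) ? $post["new_pass_confirm"] : "";
     // Strict comparison: loose == treats "1e3" and "1000" as equal
     if ($newPass !== $confirm) {
         return "New passwords do not match";
     }
     $user->salt = $security->salt();
     $user->password = $security->hash($newPass, $user->salt);
     return null;
 }

 /**
  * Validate and apply the profile fields from the account form.
  *
  * @param \Model\User $user  loaded current user
  * @param array       $post  trimmed POST fields: name, email, task_color, theme, language
  * @return string|null       first validation error, or null when every field was applied
  */
 private function _applyProfileChange($user, array $post)
 {
     if (empty($post["name"])) {
         return "Please enter your name.";
     }
     // FILTER_SANITIZE_STRING is deprecated since PHP 8.1; kept because any
     // replacement (strip_tags + htmlspecialchars) would store different bytes.
     $user->name = filter_var($post["name"], FILTER_SANITIZE_STRING);
     $email = isset($post["email"]) ? $post["email"] : "";
     // Same character classes as before, minus the m modifier: with it, $ also
     // matched at an internal line break, so "a@b.c\n..." passed the check.
     // D pins $ to the very end of the value.
     if (!preg_match("/^([\\p{L}\\.\\-\\d]+)@([\\p{L}\\-\\.\\d]+)((\\.(\\p{L})+)+)\$/iD", $email)) {
         return $email . " is not a valid email address.";
     }
     $user->email = $email;
     $rawColor = isset($post["task_color"]) ? $post["task_color"] : "";
     $color = ltrim($rawColor, "#");
     // ctype_xdigit("") is false, so an empty colour is rejected as before
     if (!ctype_xdigit($color)) {
         return $rawColor . " is not a valid color code.";
     }
     $user->task_color = $color;
     // An empty selection clears the preference
     $user->theme = empty($post["theme"]) ? null : $post["theme"];
     $user->language = empty($post["language"]) ? null : $post["language"];
     return null;
 }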
 /**
  * Require user to authenticate with a token
  *
  * The token is taken from the _token request parameter (via $_REQUEST, so
  * GET/POST and, depending on request_order, cookies), falling back to the
  * Token header.
  * NOTE(review): tokens in the query string tend to end up in access logs
  * and Referer headers; the header is the safer channel.
  *
  * @return int|bool FALSE or a User ID
  */
 protected function _requireAuth()
 {
     $token = null;
     if (isset($_REQUEST['_token'])) {
         $token = $_REQUEST['_token'];
     } elseif (isset($_SERVER['HTTP_TOKEN'])) {
         $token = $_SERVER['HTTP_TOKEN'];
     }
     // A missing or falsy token never reaches validateToken()
     if (!$token) {
         return false;
     }
     return \Helper\Security::validateToken($token);
 }
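 /**
  * POST /auth.json
  *
  * action=salt  → {"salt": ...} for POST.username, or an error when the user
  *                is unknown (the field verified below is named password_hash,
  *                so the client apparently hashes with this salt first).
  * action=auth  → verifies POST.password_hash against the stored hash with
  *                password_verify(), re-hashes it when the configured bcrypt
  *                cost changed, and returns {"user_id", "token"}; otherwise {"error"}.
  * Any other action now gets a JSON error instead of an empty response.
  *
  * @param \Base $f3
  */
 public function auth($f3)
 {
     switch ($f3->get('POST.action')) {
         case 'salt':
             $user = new \Model\User();
             $user->load(['username = ?', $f3->get('POST.username')]);
             // NOTE(review): the distinct error reveals which usernames exist;
             // if that matters, unknown users could be answered with a
             // constructed salt instead.
             if ($user->id) {
                 $this->_json(['salt' => $user->password_salt]);
             } else {
                 $this->_json(['salt' => null, 'error' => 'User does not exist.']);
             }
             break;
         case 'auth':
             // Verify login
             $user = new \Model\User();
             $user->load(['username = ?', $f3->get('POST.username')]);
             // Cast: password_verify() on null is deprecated from PHP 8.1
             $given = (string) $f3->get('POST.password_hash');
             if ($user->id && password_verify($given, (string) $user->password_hash)) {
                 // Re-hash passphrase if it doesn't meet the current security settings
                 $options = ['cost' => \App::config()['security']['bcrypt_cost']];
                 if (password_needs_rehash($user->password_hash, PASSWORD_DEFAULT, $options)) {
                     $user->password_hash = password_hash($given, PASSWORD_DEFAULT, $options);
                     $user->save();
                 }
                 // Generate and return session token
                 $token = \Helper\Security::generateToken($user->id);
                 $this->_json(['user_id' => $user->id, 'token' => $token]);
             } else {
                 $this->_json(['error' => 'Invalid username or password.']);
             }
             break;
         default:
             // Previously an unknown action produced no response at all
             $this->_json(['error' => 'Unknown action.']);
     }
 }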