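/**
 * Validates a login and returns the matching user's id.
 *
 * A login succeeds when the address resolves to a user AND either the supplied password
 * hashes to the stored value or the address counts as verified (passed in by the caller,
 * or established here from a Browser ID assertion).
 *
 * Security notes:
 * - $verified_address skips the password check entirely. It must only ever be set by
 *   trusted internal callers, never copied from request input.
 * - Callers test the result with "!== false", so every failure path returns false. An
 *   unknown address previously fell through with a null row and could return a null id.
 * - An empty password is never hashed. It used to be replaced by a fixed placeholder
 *   string, which made "no password" equivalent to that literal password.
 * - NOTE(review): a single HMAC-SHA256 keyed with one system-wide salt is fast to compute
 *   and gives every account the same key. A dedicated password hash (crypt() with a
 *   per-user salt, or password_hash() where available) is the usual choice; changing the
 *   stored format needs a migration, so it is not done in this block.
 *
 * @param string      $address             the email address in question
 * @param string      $password            the plaintext password
 * @param bool        $require_admin       only succeed for users whose is_admin flag is set
 * @param bool        $verified_address    caller vouches for the address; bypasses the password check
 * @param string|bool $browserid_assertion Browser ID assertion to verify, or false
 * @param mixed       $element_id          passed through to recordLoginAnalytics()
 * @return mixed|false the user's id on success, false on any failure
 */
protected function validateLogin($address, $password, $require_admin = false, $verified_address = false, $browserid_assertion = false, $element_id = null)
{
    $login_method = 'internal';

    // Only a non-empty string counts as a password; arrays and other types are rejected.
    $password_supplied = is_string($password) && $password !== '';

    if ($verified_address && !$address) {
        // A "verified" claim without an address cannot identify anyone.
        return false;
    }
    if (!$address && !$browserid_assertion && !$password_supplied) {
        // No address, no assertion and no password: nothing to validate.
        return false;
    }

    if ($browserid_assertion && !$verified_address) {
        // The assertion is the source of truth for the address in this path.
        $address = CASHSystem::getBrowserIdStatus($browserid_assertion);
        if (!$address) {
            return false;
        }
        $verified_address = true;
    }
    if ($browserid_assertion && $verified_address) {
        $login_method = 'browserid';
    }

    $result = $this->db->getData(
        'users',
        'id,password,is_admin',
        array("email_address" => array("condition" => "=", "value" => $address))
    );
    if (!$result) {
        // Unknown address: fail here instead of indexing into an empty result.
        return false;
    }
    $user = $result[0];

    $password_ok = false;
    if ($password_supplied) {
        $password_hash = hash_hmac('sha256', $password, $this->salt);
        $stored_hash = (string) $user['password'];
        // Strict comparison avoids numeric-string juggling between hex digests;
        // hash_equals() additionally runs in constant time where the runtime has it.
        if (function_exists('hash_equals')) {
            $password_ok = hash_equals($stored_hash, $password_hash);
        } else {
            $password_ok = ($stored_hash === $password_hash);
        }
    }

    if (!$password_ok && !$verified_address) {
        return false;
    }
    if ($require_admin && !$user['is_admin']) {
        return false;
    }

    $this->recordLoginAnalytics($user['id'], $element_id, $login_method);
    return $user['id'];
}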
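/**
 * Logins are validated using the email address given with a salted hash of the given
 * password. Blowfish is unavailable to PHP 5.2 (reliably) so we're limited in hashing. The
 * system salt is stored in /framework/settings/cashmusic.ini.php outside the database for
 * additional security.
 *
 * In addition to the standard email/pass we also validate against Mozilla's Browser ID
 * standard using the browserid_assertion which can be passed in. This works with the
 * CASHSystem Browser ID calls to determine a positive login status for the user, get the
 * email address, and compare it to the system to return the correct user and login status.
 *
 * Pass require_admin to only succeed for admin-level users. Pass an element_id if you want
 * the login analytics to be tied to a specific element. Unless keep_session is set, the
 * current session is cleared before anything is validated.
 *
 * Security notes:
 * - $verified_address skips the password comparison. It must only be set by trusted
 *   internal callers, never copied from request input.
 * - The stored and computed hashes are compared strictly, and in constant time where
 *   hash_equals() exists, rather than with the loose "==" operator.
 *
 * @param string      $address             the email address in question
 * @param string      $password            the plaintext password
 * @param bool        $require_admin       only succeed for users whose is_admin flag is set
 * @param bool        $verified_address    caller vouches for the address; bypasses the password check
 * @param string|bool $browserid_assertion Browser ID assertion to verify, or false
 * @param mixed       $element_id          passed through to recordLoginAnalytics()
 * @param bool        $keep_session        when false (default) the session is cleared first
 * @return mixed|false the user's id on success, false on any failure
 */
protected function validateLogin($address, $password, $require_admin = false, $verified_address = false, $browserid_assertion = false, $element_id = null, $keep_session = false)
{
    if (!$keep_session) {
        $this->sessionClearAll();
    }
    $login_method = 'internal';

    if ($verified_address && !$address) {
        // A "verified" claim without an address cannot identify anyone.
        return false;
    }
    if (!$password && !$browserid_assertion) {
        // Neither a password nor an assertion was supplied. This also covers the
        // "no address, no assertion, no password" case the original tested separately.
        return false;
    }

    if ($browserid_assertion && !$verified_address) {
        // The assertion is the source of truth for the address in this path.
        $address = CASHSystem::getBrowserIdStatus($browserid_assertion);
        if (!$address) {
            return false;
        }
        $verified_address = true;
    }
    if ($browserid_assertion && $verified_address) {
        $login_method = 'browserid';
    }

    $result = $this->db->getData(
        'users',
        'id,password,is_admin',
        array("email_address" => array("condition" => "=", "value" => $address))
    );
    if (!$result) {
        return false;
    }
    $user = $result[0];

    $password_ok = false;
    $stored_hash = (string) $user['password'];
    // Only a non-empty string is hashed. An account without a stored hash can never
    // match by password. A login that carries no password always has an assertion
    // (checked above), so that path relies on $verified_address alone.
    if (is_string($password) && $password !== '' && $stored_hash !== '') {
        // presumably reports the crypt() algorithms this PHP build supports; confirm
        $ciphers = $this->getCryptConstants();
        $parts = explode('$', $stored_hash);
        if ($ciphers || count($parts) > 2) {
            // crypt() format: the stored hash doubles as the salt/settings string.
            // The md5(password . salt) pre-hash is part of the stored format; kept as is.
            $password_hash = (string) crypt(md5($password . $this->salt), $stored_hash);
        } else {
            // Fallback format "key$hmac": the part before '$' is the per-user HMAC key.
            $key = $parts[0];
            $password_hash = $key . '$' . hash_hmac('sha256', md5($password . $this->salt), $key);
        }
        if (function_exists('hash_equals')) {
            $password_ok = hash_equals($stored_hash, $password_hash);
        } else {
            $password_ok = ($stored_hash === $password_hash);
        }
    }

    if (!$password_ok && !$verified_address) {
        return false;
    }
    if ($require_admin && !$user['is_admin']) {
        return false;
    }

    $this->recordLoginAnalytics($user['id'], $element_id, $login_method);
    return $user['id'];
}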
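$cash_admin->page_data['www_path'] = ADMIN_WWW_BASE_PATH;

// Handle a submitted login form, if there is one.
$cash_admin->page_data['login_message'] = 'Log In';
if (isset($_POST['login'])) {
    // Request fields are untrusted: they may be missing or arrive as arrays
    // (e.g. address[]=x). Only strings are passed on; anything else becomes ''.
    $posted_address = (isset($_POST['address']) && is_string($_POST['address'])) ? $_POST['address'] : '';
    $posted_password = (isset($_POST['password']) && is_string($_POST['password'])) ? $_POST['password'] : '';

    // -1 is treated as "no assertion". The value arrives as a string, so the loose
    // comparison is kept.
    $browseridassertion = false;
    if (isset($_POST['browseridassertion'])
        && is_string($_POST['browseridassertion'])
        && $_POST['browseridassertion'] != -1
    ) {
        $browseridassertion = $_POST['browseridassertion'];
    }

    // Third argument true: only admin-level users may log in here.
    $login_details = AdminHelper::doLogin($posted_address, $posted_password, true, $browseridassertion);

    // A null id is never a valid user, so it is rejected along with false.
    if ($login_details !== false && $login_details !== null) {
        // NOTE(review): no session id regeneration is visible at this privilege change;
        // confirm that doLogin()/sessionSet() rotate the session id.
        $admin_primary_cash_request->sessionSet('cash_actual_user', $login_details);
        $admin_primary_cash_request->sessionSet('cash_effective_user', $login_details);

        if ($browseridassertion) {
            // NOTE(review): this checks the assertion a second time and stores the result
            // without testing for a failure value; confirm it cannot differ from the
            // address doLogin() validated.
            $address = CASHSystem::getBrowserIdStatus($browseridassertion);
        } else {
            $address = $posted_address;
        }
        $admin_primary_cash_request->sessionSet('cash_effective_user_email', $address);

        $run_login_scripts = true;
        if ($include_filename == 'logout.php') {
            // Logging in from the logout page: go to the admin root instead.
            header('Location: ' . ADMIN_WWW_BASE_PATH);
            exit;
        }
    } else {
        // Failed attempt: drop any session state and show the retry message.
        $admin_primary_cash_request->sessionClearAll();
        $cash_admin->page_data['login_message'] = 'Try Again';
        $cash_admin->page_data['login_error'] = true;
    }
}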
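/**
 * Checks that an address may log in against a list, then validates the login itself.
 *
 * The address qualifies when it belongs to the list's owner or to an active member of
 * the list. Only then is a system "validatelogin" request issued with the credentials.
 *
 * When a Browser ID assertion is given, the address is taken from the assertion and is
 * passed on as verified. The downstream password check is skipped in that case, so the
 * assertion result is the only proof of identity.
 *
 * @param string      $address             the email address in question
 * @param string      $password            the plaintext password
 * @param mixed       $list_id             id of the list to check membership against
 * @param string|bool $browserid_assertion Browser ID assertion to verify, or false
 * @param mixed       $element_id          passed through for login analytics
 * @return bool true when the address qualifies and the login validates
 */
protected function validateUserForList($address, $password, $list_id, $browserid_assertion = false, $element_id = null)
{
    $verified_address = false;
    if ($browserid_assertion) {
        $address = CASHSystem::getBrowserIdStatus($browserid_assertion);
        if (!$address) {
            return false;
        }
        $verified_address = true;
    }

    $user_id = $this->getUserIDForAddress($address);
    $list_info = $this->getList($list_id);
    $user_list_info = $this->getAddressListInfo($address, $list_id);

    // Ownership requires both lookups to have succeeded. The helpers' failure values
    // are not visible here; without this guard two empty results (no such user, no such
    // list) compare equal under "==" and would mark the caller as the owner.
    $is_owner = $user_id && $list_info && $list_info['user_id'] == $user_id;

    // Membership only counts while the list entry is active.
    $is_active_member = $user_list_info && $user_list_info['active'] == 1;

    if (!$is_owner && !$is_active_member) {
        return false;
    }

    $login_request = new CASHRequest(
        array(
            'cash_request_type' => 'system',
            'cash_action' => 'validatelogin',
            'address' => $address,
            'password' => $password,
            'verified_address' => $verified_address,
            'browserid_assertion' => $browserid_assertion,
            'require_admin' => false,
            'element_id' => $element_id
        )
    );

    // NOTE(review): only a literal false payload counts as failure; confirm that a
    // failed validatelogin can never surface as null or an empty payload.
    return $login_request->response['payload'] !== false;
}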