 /**
  * Test fixture: pull in the project bootstrap and seed the request key
  * with a mock session and a mock AJAX request (loaded as a new key,
  * third argument false).
  */
 public function setUp()
 {
     require 'bootstrap.php';
     $mockSession = new Hm_Mock_Session();
     $mockRequest = new Hm_Mock_Request('AJAX');
     Hm_Request_Key::load($mockSession, $mockRequest, false);
 }
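 /**
  * Drive the Swipe Identity second-factor flow for a session that was
  * just loaded or that has not yet passed the second factor.
  *
  * Values handed to the output modules via $this->out(): no_redirect,
  * 2fa_key, 2fa_required, 2fa_state, plus 2fa_error on a user-facing
  * failure and 2fa_fatal when the api could not be started. The session
  * flag '2fa_required' is the gate later requests check, so it is
  * written on every path through the guarded branch.
  * @return void
  */
 public function process()
 {
     /* new session or one not passed the second auth */
     if ($this->session->loaded || $this->session->get('2fa_required', false)) {
         /* ini file location */
         $ini_file = rtrim($this->config->get('app_data_dir', ''), '/') . '/swipeidentity.ini';
         /* data for the swipe api */
         $swipe_username = $this->session->get('username', false);
         /* REMOTE_ADDR may be absent (CLI, test harnesses); same null value as before, without the undefined index notice */
         $swipe_address = array_key_exists('REMOTE_ADDR', $this->request->server) ? $this->request->server['REMOTE_ADDR'] : null;
         /* the second factor is required until the api explicitly accepts an answer */
         $required = true;
         /* get api config and object */
         list($api, $api_config) = setup_swipe_api($ini_file);
         $started = start_api($api, $api_config);
         if (!$started) {
             /* deliberately no early return: $required stays true below, so the
              * login is still blocked and 2fa_required is still written to the
              * session. Returning here would skip that write and fail open. */
             $this->out('2fa_fatal', true);
         }
         /* get current 2fa state */
         if (!array_key_exists('2fa_sms_response', $this->request->post)) {
             $state = get_secondfactor_state($api, $api_config, $swipe_username, $swipe_address);
         } else {
             $state = RC_SMS_DELIVERED;
         }
         /* pass a key and no redirect flag to the output modules */
         $this->out('no_redirect', true);
         Hm_Request_Key::load($this->session, $this->request, false);
         $this->out('2fa_key', Hm_Request_Key::generate());
         $sms_number = false;
         $sms_response = false;
         /* if the user has not registered a phone number yet look for one in POST */
         if ($state == NEED_REGISTER_SMS && array_key_exists('sms_number', $this->request->post)) {
             /* remove everything that is not a digit (dashes, spaces, parentheses) */
             $sms_number = preg_replace('/\D/', '', $this->request->post['sms_number']);
             /* US phone numbers only for now; \z (not $) so a trailing newline cannot slip through */
             if (preg_match('/^1\d{10}\z/', $sms_number)) {
                 $submit_number = $sms_number;
                 /* set the phone number using the api */
                 $api->setUserSmsNumber($swipe_username, $api_config["com.swipeidentity.api.appcode"], $submit_number);
                 /* refetch the status */
                 $state = get_secondfactor_state($api, $api_config, $swipe_username, $swipe_address);
                 /* number rejected by swipe */
                 if ($state == NEED_REGISTER_SMS) {
                     $this->out('2fa_error', 'Invalid phone number');
                 }
             } else {
                 $this->out('2fa_error', 'Invalid phone number format');
             }
         } elseif ($state == RC_SMS_DELIVERED && array_key_exists('2fa_sms_response', $this->request->post)) {
             /* exactly five digits; \z rejects "12345\n", which $ alone would accept */
             if (preg_match('/^\d{5}\z/', $this->request->post['2fa_sms_response'])) {
                 $sms_response = $this->request->post['2fa_sms_response'];
                 /* validate the sms response with the api */
                 $resp = $api->answerSMS($swipe_username, $api_config["com.swipeidentity.api.appcode"], $sms_response);
                 /* success! allow the user to login */
                 if ($resp->getReturnCode() == RC_SMS_ANSWER_ACCEPTED) {
                     $required = false;
                 } else {
                     $state = get_secondfactor_state($api, $api_config, $swipe_username, $swipe_address);
                     $this->out('2fa_error', 'Response did not match! A new sms code has been sent');
                 }
             } else {
                 $this->out('2fa_error', 'Incorrectly formatted response, please re-enter the sms code');
             }
         }
         /* if required is true we still have not completed the 2fa */
         if ($required) {
             /* pass required flag to modules */
             $this->session->set('2fa_required', true);
             $this->out('2fa_required', true);
             $this->out('2fa_state', $state);
             /* close the session early */
             $this->session->close_early();
         } else {
             /* unset any previously set required flags */
             $this->session->set('2fa_required', false);
             $this->out('2fa_required', false);
         }
     }
 }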
File: crypt.php Progetto: R-J/hm3
 /**
  * @preserveGlobalState disabled
  * @runInSeparateProcess
  */
 /**
  * The mock fingerprint is returned before and after a fresh key load
  * on a session that is not flagged as loaded.
  * @preserveGlobalState disabled
  * @runInSeparateProcess
  */
 public function test_key_load()
 {
     $expected = 'fakefingerprint';
     $this->assertEquals($expected, Hm_Request_Key::generate());
     $mockSession = new Hm_Mock_Session();
     $mockSession->loaded = false;
     $mockRequest = new Hm_Mock_Request('AJAX');
     Hm_Request_Key::load($mockSession, $mockRequest, false);
     $this->assertEquals($expected, Hm_Request_Key::generate());
 }
File: session.php Progetto: R-J/hm3
 /**
  * Destroy a session for good
  * @param object $request request details
  * @return void
  */
 /**
  * Destroy a session for good: drop any uploaded files, delete the
  * server-side session row, expire both session cookies, mark the
  * session inactive and reset the request key.
  * @param object $request request details
  * @return void
  */
 public function destroy($request)
 {
     if (function_exists('delete_uploaded_files')) {
         delete_uploaded_files($this);
     }
     if ($this->dbh) {
         /* parameterised: the session key never touches the SQL text */
         $stmt = $this->dbh->prepare("delete from hm_user_session where hm_id=?");
         $stmt->execute(array($this->session_key));
     }
     /* an expiry one hour in the past tells the browser to discard the cookie */
     $expired = time() - 3600;
     foreach (array($this->cname, 'hm_id') as $cookie_name) {
         $this->secure_cookie($request, $cookie_name, '', $expired);
     }
     $this->active = false;
     Hm_Request_Key::load($this, $request, false);
 }
 /**
  * Perform a new login if the form was submitted, otherwise check for and continue a session if it exists
  */
 /**
  * Perform a new login if the form was submitted, otherwise check for and continue a session if it exists.
  * The account-creation path skips the login check entirely; the request key is
  * (re)loaded and validated on every path.
  */
 public function process()
 {
     $creating_account = $this->get('create_username', false);
     if (!$creating_account) {
         list($success, $form) = $this->process_form(array('username', 'password'));
         if (!$success) {
             /* no credentials posted: just try to continue an existing session */
             $this->session->check($this->request);
         } else {
             $username = rtrim($form['username']);
             $this->session->check($this->request, $username, $form['password']);
             $this->session->set('username', $username);
         }
         if ($this->session->is_active()) {
             Hm_Page_Cache::load($this->session);
             $this->out('changed_settings', $this->session->get('changed_settings', array()), false);
         }
     }
     Hm_Request_Key::load($this->session, $this->request, $this->session->loaded);
     $this->process_key();
 }
 /**
  * Validate a form key. If this is a non-empty POST form from an
  * HTTP request or AJAX update, it will take the user to the home
  * page if the page_key value is either not present or not valid
  * @return void
  */
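 /**
  * Validate a form key. If this is a non-empty POST form from an
  * HTTP request or AJAX update, it will take the user to the home
  * page if the page_key value is either not present or not valid
  * @return bool|string false when there was nothing to check or the key
  *   is valid; 'exit' after an AJAX request has been ceased; 'redirect'
  *   after a page request has been sent to the home page
  */
 public function process_key()
 {
     Hm_Request_Key::load($this->session, $this->request, $this->session->loaded);
     /* nothing submitted, nothing to validate */
     if (empty($this->request->post)) {
         return false;
     }
     $key = array_key_exists('hm_page_key', $this->request->post) ? $this->request->post['hm_page_key'] : false;
     if (Hm_Request_Key::validate($key)) {
         return false;
     }
     if ($this->request->type == 'AJAX') {
         if (DEBUG_MODE) {
             Hm_Debug::add('REQUEST KEY check failed');
             Hm_Debug::load_page_stats();
             Hm_Debug::show('log');
         }
         /* fixed response body: the caller learns nothing about why the key failed */
         Hm_Functions::cease(json_encode(array('status' => 'not callable')));
         return 'exit';
     }
     /* a session flagged loaded is destroyed rather than kept alongside a bad key */
     if ($this->session->loaded) {
         $this->session->destroy($this->request);
     }
     Hm_Debug::add('REQUEST KEY check failed');
     Hm_Dispatch::page_redirect('?page=home');
     return 'redirect';
 }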
 /**
  * @preserveGlobalState disabled
  * @runInSeparateProcess
  */
 /**
  * process_key() returns false on an empty POST, 'redirect' for a page
  * request with a bad key, 'exit' for an AJAX request with a bad key,
  * and false again once the mock fingerprint is supplied as the key.
  * @preserveGlobalState disabled
  * @runInSeparateProcess
  */
 public function test_process_key()
 {
     /* TODO: fix assertions */
     $mockSession = new Hm_Mock_Session();
     $mockRequest = new Hm_Mock_Request('AJAX');
     Hm_Request_Key::load($mockSession, $mockRequest, false);
     $handler = $this->handler_mod;

     /* empty POST: nothing to check */
     $mockRequest->post = array();
     $handler->request->post = array();
     $this->assertFalse($handler->process_key());

     /* bad key on a page request */
     $bad_key = 'asdf';
     $mockRequest->post['hm_page_key'] = $bad_key;
     $handler->request->post['hm_page_key'] = $bad_key;
     Hm_Request_Key::load($mockSession, $mockRequest, false);
     $this->assertEquals('redirect', $handler->process_key());

     /* same bad key on an AJAX request */
     $handler->request->type = 'AJAX';
     $this->assertEquals('exit', $handler->process_key());

     /* the mock fingerprint is the valid key */
     $handler->request->post['hm_page_key'] = 'fakefingerprint';
     $this->assertFalse($handler->process_key());
 }