 /**
  * Builds an opaque, URL-safe token that identifies a user.
  *
  * The payload (user id, creation timestamp, requested lifetime and any
  * caller-supplied extra data) is serialize()d, encrypted with the
  * application's `Security.cryptKey` and finally base64-encoded so the
  * result can be placed in a URL.
  *
  * @param User $user The user Entity
  * @param int|null $validForSeconds How long the token should be valid (stored as given, null when omitted)
  * @param array $additionalData Optional additional data stored inside the encrypted token
  * @return string base64 text of the encrypted payload
  */
 public function getTokenForUser(User $user, $validForSeconds = null, array $additionalData = [])
 {
     $payload = [
         'user_id' => $user->id,
         'generated' => time(),
         'validForSeconds' => $validForSeconds,
         'additionalData' => $additionalData,
     ];
     $cryptKey = Configure::read('Security.cryptKey');
     // NOTE(review): the payload is serialize()d; whichever side consumes this token
     // should only unserialize() after Security::decrypt() has accepted it — confirm.
     $cipherText = Security::encrypt(serialize($payload), $cryptKey);

     return base64_encode($cipherText);
 }
 /**
  * Marshals request data into an encrypted, base64-encoded string.
  *
  * A null value is passed through untouched; anything else is encrypted with
  * the application's `Security.key` and base64-encoded.
  *
  * @param mixed $value The value to convert.
  * @return mixed Converted value (null stays null).
  */
 public function marshal($value)
 {
     if ($value === null) {
         return null;
     }
     $key = Configure::read('Security.key');

     return base64_encode(Security::encrypt($value, $key));
 }
 /**
  * Prepares the fixtures used by every test in this case: the type under
  * test, a mocked database driver and a reference ciphertext for 'string'.
  *
  * @return void
  */
 public function setUp()
 {
     parent::setUp();
     $this->type = Type::build('encryptedsecurity');
     $this->driver = $this->getMockBuilder('Cake\\Database\\Driver')->getMock();
     // Reference value: the same transformation the type is expected to apply.
     $key = Configure::read('Security.key');
     $this->crypted = base64_encode(Security::encrypt('string', $key));
 }
 /**
  * Encrypts $value with the selected Security cipher and prefixes the
  * base64 result with the cookie marker.
  *
  * @param string|array $value Value to encrypt (arrays are imploded first)
  * @param string|bool $encrypt Encryption mode to use ('rijndael' or 'aes').
  *   False disables encryption and returns the plain value.
  * @param string|null $key Key to use; when null the cookie encryption key is fetched.
  * @return string Encoded value
  */
 protected function _encrypt($value, $encrypt, $key = null)
 {
     $plain = is_array($value) ? $this->_implode($value) : $value;
     if ($encrypt === false) {
         return $plain;
     }
     $this->_checkCipher($encrypt);
     if ($key === null) {
         $key = $this->_getCookieEncryptionKey();
     }
     $cipher = null;
     if ($encrypt === 'rijndael') {
         $cipher = Security::rijndael($plain, $key, 'encrypt');
     } elseif ($encrypt === 'aes') {
         $cipher = Security::encrypt($plain, $key);
     }

     return 'Q2FrZQ==.' . base64_encode($cipher);
 }
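 /**
  * Encrypts $value with the selected Security cipher and prefixes the
  * base64 result with the cookie marker.
  *
  * @param string|array $value Value to encrypt (arrays are imploded first)
  * @param string|bool $encrypt Encryption mode to use ('rijndael' or 'aes').
  *   A falsy value disables encryption and returns the plain value.
  * @return string Encoded value
  * @throws \RuntimeException When no ciphertext could be produced for $encrypt.
  */
 protected function _encrypt($value, $encrypt)
 {
     if (is_array($value)) {
         $value = $this->_implode($value);
     }
     if (!$encrypt) {
         return $value;
     }
     $this->_checkCipher($encrypt);
     $prefix = "Q2FrZQ==.";
     $cipher = null;
     if ($encrypt === 'rijndael') {
         $cipher = Security::rijndael($value, $this->_config['key'], 'encrypt');
     } elseif ($encrypt === 'aes') {
         $cipher = Security::encrypt($value, $this->_config['key']);
     }
     // Previously an unhandled mode left $cipher undefined and returned the bare
     // prefix (an empty "ciphertext"); fail loudly instead of emitting that.
     if ($cipher === null) {
         throw new \RuntimeException(sprintf('No ciphertext produced for encryption mode "%s".', $encrypt));
     }

     return $prefix . base64_encode($cipher);
 }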
 /**
  * Encrypts a value with the Cookie component's key and prefixes the
  * base64 result with the cookie marker.
  *
  * @param array|string $value Value to encrypt (arrays are imploded first)
  * @return string Marker-prefixed, base64-encoded ciphertext
  */
 protected function _encrypt($value)
 {
     $plain = is_array($value) ? $this->_implode($value) : $value;
     $key = $this->Cookie->config('key');
     $encoded = base64_encode(Security::encrypt($plain, $key));

     return 'Q2FrZQ==.' . $encoded;
 }
 /**
  * Encrypts a value with this object's configured key and salt.
  *
  * @param string $value Value to be encrypted
  * @return string Encrypted value as returned by Security::encrypt()
  */
 public function encrypt($value)
 {
     $key = $this->config('key');
     $salt = $this->config('salt');

     return Security::encrypt($value, $key, $salt);
 }
 /**
  * Encrypts a string with the object's encryption key and base64-encodes it.
  *
  * @param string $value String to encrypt
  * @return string base64 text of the ciphertext
  */
 protected function _encrypt($value)
 {
     $key = $this->_encryptionKey();
     $cipherText = Security::encrypt($value, $key);

     return base64_encode($cipherText);
 }
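 /**
  * Test that values encrypted with open ssl can be decrypted with mcrypt and the reverse.
  *
  * The engine is a process-wide static; the original engine is put back in a
  * finally block so a failing assertion cannot leak the Mcrypt engine into
  * later tests.
  *
  * @return void
  */
 public function testEngineEquivalence()
 {
     $this->skipIf(!defined('MCRYPT_RIJNDAEL_128'), 'This needs mcrypt extension to be loaded.');
     $restore = Security::engine();
     $txt = "Obi-wan you're our only hope";
     $key = 'This is my secret key phrase it is quite long.';
     $salt = 'A tasty salt that is delicious';
     try {
         // mcrypt -> openssl
         Security::engine(new Mcrypt());
         $cipher = Security::encrypt($txt, $key, $salt);
         $this->assertEquals($txt, Security::decrypt($cipher, $key, $salt));
         Security::engine(new OpenSsl());
         $this->assertEquals($txt, Security::decrypt($cipher, $key, $salt));
         // openssl -> mcrypt
         Security::engine(new OpenSsl());
         $cipher = Security::encrypt($txt, $key, $salt);
         $this->assertEquals($txt, Security::decrypt($cipher, $key, $salt));
         Security::engine(new Mcrypt());
         $this->assertEquals($txt, Security::decrypt($cipher, $key, $salt));
     } finally {
         // $restore was captured but never used before; restore the global engine.
         Security::engine($restore);
     }
 }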
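 /**
  * Test that values encrypted with open ssl can be decrypted with mcrypt and the reverse.
  *
  * The engine is a process-wide static; the original engine is put back in a
  * finally block so a failing assertion cannot leak the Mcrypt engine into
  * later tests.
  *
  * @return void
  */
 public function testEngineEquivalence()
 {
     $restore = Security::engine();
     $txt = "Obi-wan you're our only hope";
     $key = 'This is my secret key phrase it is quite long.';
     $salt = 'A tasty salt that is delicious';
     try {
         // mcrypt -> openssl
         Security::engine(new Mcrypt());
         $cipher = Security::encrypt($txt, $key, $salt);
         $this->assertEquals($txt, Security::decrypt($cipher, $key, $salt));
         Security::engine(new OpenSsl());
         $this->assertEquals($txt, Security::decrypt($cipher, $key, $salt));
         // openssl -> mcrypt
         Security::engine(new OpenSsl());
         $cipher = Security::encrypt($txt, $key, $salt);
         $this->assertEquals($txt, Security::decrypt($cipher, $key, $salt));
         Security::engine(new Mcrypt());
         $this->assertEquals($txt, Security::decrypt($cipher, $key, $salt));
     } finally {
         // $restore was captured but never used before; restore the global engine.
         Security::engine($restore);
     }
 }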
 /**
  * {@inheritdoc}
  *
  * Delegates to Security::encrypt() using the key held in $this->__key.
  */
 public function encrypt($plain)
 {
     $key = $this->__key;

     return Security::encrypt($plain, $key);
 }
 /**
  * Test encrypting falsey data: every falsy input must survive an
  * encrypt/decrypt round trip as the string form shown below.
  *
  * @return void
  */
 public function testEncryptDecryptFalseyData()
 {
     $key = 'This is a key that is long enough to be ok.';
     // [input, expected plaintext after the round trip]
     $cases = [
         ['', ''],
         [false, ''],
         [null, ''],
         [0, '0'],
         ['0', '0'],
     ];
     foreach ($cases as list($input, $expected)) {
         $cipher = Security::encrypt($input, $key);
         $this->assertSame($expected, Security::decrypt($cipher, $key));
     }
 }
 /**
  * Login and register page.
  *
  * GET renders the combined form (and remembers the referer for the
  * post-login redirect). POST dispatches on the submitted `method` field:
  * "login" authenticates (with an optional two-factor detour) and "register"
  * creates an account after a Recaptcha check. Both paths are short-circuited
  * by the maintenance / feature-flag configuration read at the top.
  *
  * @return \Cake\Network\Response|void
  */
 public function login()
 {
     //Handle Maintenances
     if (Configure::read('User.Login.enabled') === false) {
         $this->Flash->error(__("The Login action is disabled for the moment, please try again later."));
     }
     if (Configure::read('User.Register.enabled') === false && Configure::read('Site.maintenance') === false) {
         $this->Flash->error(__("The Register action is disabled for the moment, please try again later."));
     }
     if (Configure::read('Site.maintenance') === true) {
         $this->Flash->error(__("While the site is in maintenance, you can not register a new account."));
     }
     if ($this->request->is('post')) {
         // NOTE(review): reading data['method'] directly raises a notice when the key is
         // absent from the request; guard with isset() before dereferencing.
         $method = $this->request->data['method'] ? $this->request->data['method'] : false;
         switch ($method) {
             case "login":
                 if (Configure::read('User.Login.enabled') === false) {
                     // NOTE(review): the doubled "$userRegister = $userRegister =" is a typo; one assignment is intended.
                     $userRegister = $userRegister = $this->Users->newEntity($this->request->data);
                     break;
                 }
                 $userLogin = $this->Auth->identify();
                 if ($userLogin) {
                     // NOTE(review): loose == true; this relies on PHP truthiness of whatever
                     // the DB returns for is_deleted — confirm the column type and prefer a strict check.
                     if ($userLogin['is_deleted'] == true) {
                         $this->Flash->error(__("This account has been deleted."));
                         $userRegister = $this->Users->newEntity($this->request->data);
                         break;
                     }
                     //Check the 2FA if the user has enabled it.
                     if ($userLogin['two_factor_auth_enabled'] == true && $this->TwoFactorAuth->isAuthorized($userLogin['id']) === false) {
                         //Write the cookie
                         // The TFA cookie carries only the user id, encrypted with Security.key and base64-encoded;
                         // the session is not yet established at this point (setUser() happens below).
                         $cookie = base64_encode(Security::encrypt($userLogin['id'], Configure::read('Security.key')));
                         $this->Cookie->configKey('CookieTfa', ['expires' => '+1 hour', 'httpOnly' => true]);
                         $this->Cookie->write('CookieTfa', $cookie);
                         return $this->redirect(['action' => 'tfa']);
                     }
                     $this->_handleLogin($userLogin);
                     $this->Auth->setUser($userLogin);
                     $user = $this->Users->newEntity($userLogin, ['accessibleFields' => ['id' => true]]);
                     $user->isNew(false);
                     $user->last_login = new Time();
                     $user->last_login_ip = $this->request->clientIp();
                     $this->Users->save($user);
                     //Cookies.
                     // NOTE(review): this persists the submitted username AND password in a one-year cookie.
                     // Any exposure of the cookie (client-side theft, logs, shared devices) reveals the
                     // password itself. A random, opaque remember-me token stored server-side avoids that.
                     // Whether the Cookie component encrypts this value depends on its configuration,
                     // which is not visible here — confirm.
                     $this->Cookie->configKey('CookieAuth', ['expires' => '+1 year', 'httpOnly' => true]);
                     $this->Cookie->write('CookieAuth', ['username' => $this->request->data('username'), 'password' => $this->request->data('password')]);
                     //Badge Event.
                     $this->eventManager()->attach(new Badges($this));
                     $user = new Event('Model.Users.register', $this, ['user' => $user]);
                     $this->eventManager()->dispatch($user);
                     $url = $this->Auth->redirectUrl();
                     // Avoid bouncing straight back to this action when the stored redirect is the login page.
                     if (substr($this->Auth->redirectUrl(), -5) == 'login') {
                         $url = ['controller' => 'pages', 'action' => 'home'];
                     }
                     return $this->redirect($url);
                 }
                 // Failed login: look the account up so the failure can be attributed to a user (if it exists).
                 $user = $this->Users->find()->where(['username' => $this->request->data['username']])->select(['id', 'group_id', 'username', 'email'])->first();
                 if (!is_null($user)) {
                     //Users Event.
                     $this->eventManager()->attach(new Users());
                     $event = new Event('Users.login.failed', $this, ['user_id' => $user->id, 'username' => $user->username, 'group_id' => $user->group_id, 'user_ip' => $this->request->clientIp(), 'user_email' => $user->email, 'user_agent' => $this->request->header('User-Agent'), 'action' => 'user.connection.manual.failed']);
                     $this->eventManager()->dispatch($event);
                 }
                 // Same message whether the username exists or not (no account enumeration via the flash).
                 $this->Flash->error(__("Your username or password doesn't match."));
                 $userRegister = $this->Users->newEntity($this->request->data);
                 break;
             case "register":
                 $userRegister = $this->Users->newEntity($this->request->data, ['validate' => 'create']);
                 //Handle Maintenances
                 if (Configure::read('Site.maintenance') === true || Configure::read('User.Register.enabled') === false) {
                     break;
                 }
                 $userRegister->register_ip = $this->request->clientIp();
                 $userRegister->last_login_ip = $this->request->clientIp();
                 $userRegister->last_login = new Time();
                 // Recaptcha.bypass === true skips the captcha entirely; keep that flag off outside test setups.
                 if ($this->Recaptcha->verify() || Configure::read('Recaptcha.bypass') === true) {
                     if ($this->Users->save($userRegister)) {
                         $user = $this->Auth->identify();
                         if ($user) {
                             $this->Auth->setUser($user);
                         }
                         // NOTE(review): if identify() returned false, $user['id'] is null here and
                         // get() will presumably throw — confirm and handle the failure explicitly.
                         $user = $this->Users->get($user['id']);
                         //Statistics Event.
                         $this->eventManager()->attach(new Statistics());
                         $stats = new Event('Model.Users.register', $this);
                         $this->eventManager()->dispatch($stats);
                         //Notification Events.
                         $this->eventManager()->attach(new Notifications());
                         $event = new Event('Model.Notifications.new', $this, ['user_id' => $user->id, 'type' => 'bot']);
                         $this->eventManager()->dispatch($event);
                         $viewVars = ['user' => $user, 'name' => $user->full_name];
                         $this->getMailer('User')->send('register', [$user, $viewVars]);
                         $this->Flash->success(__("Your account has been created successfully !"));
                         $url = $this->Auth->redirectUrl();
                         if (substr($this->Auth->redirectUrl(), -5) == 'login') {
                             $url = ['controller' => 'pages', 'action' => 'home'];
                         }
                         return $this->redirect($url);
                     }
                     $this->Flash->error(__("Please, correct your mistake."));
                 } else {
                     $this->Flash->error(__("Please, correct your Captcha."));
                 }
                 break;
         }
     } else {
         //Save the referer URL before the user send the login/register request else it will delete the referer.
         $this->request->session()->write('Auth.redirect', $this->referer());
         $userRegister = $this->Users->newEntity($this->request->data, ['validate' => 'create']);
     }
     // Already authenticated (e.g. a GET from a logged-in user): nothing to render.
     if ($this->Auth->user()) {
         return $this->redirect($this->Auth->redirectUrl());
     }
     $this->set(compact('userRegister'));
 }
 /**
  * Encrypts a value with the key and salt found in $this->options.
  *
  * @param string $value Value to be encrypted
  * @return string Encrypted value as returned by Security::encrypt()
  */
 protected function _encrypt($value)
 {
     $key = $this->options['key'];
     $salt = $this->options['salt'];

     return Security::encrypt($value, $key, $salt);
 }