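 /**
  * Validates a login: hashes the given password with the system salt (HMAC-SHA256)
  * and compares it against the hash stored for the given email address.
  *
  * A BrowserID assertion is verified through CASHSystem::getBrowserIdStatus(), which
  * yields the verified address. A caller-supplied $verified_address = true (or a
  * successful assertion) bypasses the password comparison entirely, so callers must
  * only set it for an address they have verified themselves.
  *
  * @param string $address - the email address in question
  * @param string $password - the password (may be empty when an assertion is used)
  * @param bool $require_admin - when true, only admin-level users validate
  * @param bool $verified_address - caller asserts $address is already verified
  * @param string|false $browserid_assertion - BrowserID assertion to verify, or false
  * @param mixed $element_id - element to tie the login analytics to
  * @return mixed the user id on success, false on failure
  */
 protected function validateLogin($address, $password, $require_admin = false, $verified_address = false, $browserid_assertion = false, $element_id = null)
 {
     $login_method = 'internal';
     if ($verified_address && !$address) {
         // claiming verified without an address? false!
         return false;
     }
     if (!$address && !$browserid_assertion && !$password) {
         // none of the fancy stuff but you're trying to push through no user/pass? false!
         return false;
     }
     // No password means no comparable hash. (The previous fallback hashed a fixed
     // placeholder string, which would have matched any account whose stored hash
     // happened to be that placeholder's.)
     $password_hash = $password ? hash_hmac('sha256', $password, $this->salt) : null;
     if ($browserid_assertion && !$verified_address) {
         $address = CASHSystem::getBrowserIdStatus($browserid_assertion);
         if (!$address) {
             return false;
         }
         $verified_address = true;
     }
     if ($browserid_assertion && $verified_address) {
         $login_method = 'browserid';
     }
     $result = $this->db->getData('users', 'id,password,is_admin', array("email_address" => array("condition" => "=", "value" => $address)));
     if (!$result) {
         // unknown address: previously this fell through to a missing row and could
         // return null, which callers testing `!== false` treat as a successful login
         return false;
     }
     $user = $result[0];
     $stored_hash = isset($user['password']) ? (string) $user['password'] : '';
     // strict, constant-time comparison; a null hash (no password given) never matches
     $password_matches = $password_hash !== null && $stored_hash !== '' && hash_equals($stored_hash, $password_hash);
     if (!$password_matches && !$verified_address) {
         return false;
     }
     if ($require_admin && !$user['is_admin']) {
         return false;
     }
     $this->recordLoginAnalytics($user['id'], $element_id, $login_method);
     return $user['id'];
 }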
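 /**
  * Logins are validated using the email address given with a salted hash of the given
  * password. Blowfish is unavailable to PHP 5.2 (reliably) so we're limited in hashing. The
  * system salt is stored in /framework/settings/cashmusic.ini.php outside the database for
  * additional security.
  *
  * Two stored-hash formats are supported: crypt() output (the stored value supplies the
  * scheme and salt) and a legacy "<key>$<hmac-sha256>" format. Both hash md5(password.salt).
  *
  * In addition to the standard email/pass we also validate against Mozilla's Browser ID standard
  * using the browserid_assertion which can be passed in. This works with the CASHSystem Browser ID
  * calls to determine a positive login status for the user, get the email address, and compare it
  * to the system to return the correct user and login status. A caller-supplied
  * $verified_address = true bypasses the password comparison, so callers must only set it for
  * an address they have verified themselves.
  *
  * Pass require_admin to only return true for admin-level users. Pass an element_id if you want
  * the login analytics to be tied to a specific element. Unless keep_session is set, all session
  * data is cleared before validating.
  *
  * @return mixed the user id on success, false on failure
  */
 protected function validateLogin($address, $password, $require_admin = false, $verified_address = false, $browserid_assertion = false, $element_id = null, $keep_session = false)
 {
     if (!$keep_session) {
         $this->sessionClearAll();
     }
     $login_method = 'internal';
     if ($verified_address && !$address) {
         // claiming verified without an address? false!
         return false;
     }
     if (!$address && !$browserid_assertion && !$password) {
         // none of the fancy stuff but you're trying to push through no user/pass? false!
         return false;
     }
     if (!$password && !$browserid_assertion) {
         // seriously no password? lame.
         return false;
     }
     if ($browserid_assertion && !$verified_address) {
         $address = CASHSystem::getBrowserIdStatus($browserid_assertion);
         if (!$address) {
             return false;
         }
         $verified_address = true;
     }
     if ($browserid_assertion && $verified_address) {
         $login_method = 'browserid';
     }
     $result = $this->db->getData('users', 'id,password,is_admin', array("email_address" => array("condition" => "=", "value" => $address)));
     if (!$result) {
         return false;
     }
     $user = $result[0];
     $stored_hash = isset($user['password']) ? (string) $user['password'] : '';
     $password_matches = false;
     if ($stored_hash !== '') {
         $ciphers = $this->getCryptConstants();
         $parts = explode('$', $stored_hash);
         if ($ciphers || count($parts) > 2) {
             // crypt() reads the scheme and salt from the stored hash itself
             $password_hash = crypt(md5($password . $this->salt), $stored_hash);
         } else {
             // legacy format: "<key>$<hmac>"
             $key = $parts[0];
             $password_hash = $key . '$' . hash_hmac('sha256', md5($password . $this->salt), $key);
         }
         // strict, constant-time comparison (crypt()'s short failure marker can never match)
         $password_matches = is_string($password_hash) && hash_equals($stored_hash, $password_hash);
     }
     if (!$password_matches && !$verified_address) {
         return false;
     }
     if ($require_admin && !$user['is_admin']) {
         return false;
     }
     $this->recordLoginAnalytics($user['id'], $element_id, $login_method);
     return $user['id'];
 }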
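$cash_admin->page_data['www_path'] = ADMIN_WWW_BASE_PATH;
// if a login needs doing, do it
$cash_admin->page_data['login_message'] = 'Log In';
if (isset($_POST['login'])) {
    // the form may omit the assertion entirely or post -1 to mean "not used";
    // only a plain string is ever forwarded as an assertion
    $browseridassertion = false;
    if (isset($_POST['browseridassertion']) && is_string($_POST['browseridassertion']) && $_POST['browseridassertion'] !== '-1') {
        $browseridassertion = $_POST['browseridassertion'];
    }
    // address/password may be absent when an assertion is posted; default to ''
    // instead of reading undefined indexes
    $address = isset($_POST['address']) ? $_POST['address'] : '';
    $password = isset($_POST['password']) ? $_POST['password'] : '';
    $login_details = AdminHelper::doLogin($address, $password, true, $browseridassertion);
    // only an explicit user id counts as a login; null is treated as failure too
    if ($login_details !== false && $login_details !== null) {
        $admin_primary_cash_request->sessionSet('cash_actual_user', $login_details);
        $admin_primary_cash_request->sessionSet('cash_effective_user', $login_details);
        if ($browseridassertion) {
            // re-verify the assertion to obtain the address it vouches for
            $address = CASHSystem::getBrowserIdStatus($browseridassertion);
        }
        $admin_primary_cash_request->sessionSet('cash_effective_user_email', $address);
        $run_login_scripts = true;
        if ($include_filename == 'logout.php') {
            header('Location: ' . ADMIN_WWW_BASE_PATH);
            exit;
        }
    } else {
        $admin_primary_cash_request->sessionClearAll();
        $cash_admin->page_data['login_message'] = 'Try Again';
        $cash_admin->page_data['login_error'] = true;
    }
}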
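 /**
  * Checks that the given user may act on a list (as its owner or as an active member)
  * and then validates their login through a system 'validatelogin' request.
  *
  * When a BrowserID assertion is given it is verified via CASHSystem::getBrowserIdStatus(),
  * which yields the address; that address is then passed on as already verified, so the
  * login request does not need a password in that case.
  *
  * @param string $address - the email address of the user
  * @param string $password - the password (ignored when an assertion verifies the address)
  * @param mixed $list_id - the list being accessed
  * @param string|false $browserid_assertion - BrowserID assertion to verify, or false
  * @param mixed $element_id - element to tie the login analytics to
  * @return bool true when the user belongs to the list and the login validates
  */
 protected function validateUserForList($address, $password, $list_id, $browserid_assertion = false, $element_id = null)
 {
     $verified_address = false;
     if ($browserid_assertion) {
         $address = CASHSystem::getBrowserIdStatus($browserid_assertion);
         if (!$address) {
             return false;
         }
         $verified_address = true;
     }
     $user_id = $this->getUserIDForAddress($address);
     if (!$user_id) {
         // NOTE(review): getUserIDForAddress() appears to return a falsy value for an
         // unknown address; without this guard a missing list owner compared loosely
         // equal to it and the user was treated as the owner
         return false;
     }
     $validate = false;
     $list_info = $this->getList($list_id);
     if (is_array($list_info) && isset($list_info['user_id']) && (string) $list_info['user_id'] === (string) $user_id) {
         // user is the owner of the list
         $validate = true;
     }
     if (!$validate) {
         // user is in the list; they must also be active
         $user_list_info = $this->getAddressListInfo($address, $list_id);
         if ($user_list_info && isset($user_list_info['active']) && $user_list_info['active'] == 1) {
             $validate = true;
         }
     }
     if (!$validate) {
         // neither owner nor active member
         return false;
     }
     $login_request = new CASHRequest(array('cash_request_type' => 'system', 'cash_action' => 'validatelogin', 'address' => $address, 'password' => $password, 'verified_address' => $verified_address, 'browserid_assertion' => $browserid_assertion, 'require_admin' => false, 'element_id' => $element_id));
     return $login_request->response['payload'] !== false;
 }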