コード例 #1
ファイル: SecureToken.php プロジェクト: julpi/FreshCMS
 /**
  * Validates whether a given secure token is still valid.
  *
  * The validateToken() method confirms the token is valid by checking:
  * - that the token is not expired (through the time),
  * - the token is valid for this user,
  * - the token is valid for this url
  *
  * It does so by reconstructing the token. If at any time during the valid
  * period of the token, the username, user password or the url changed, the
  * token is considered invalid.
  *
  * The token is also considered invalid if more than SecureToken::EXPIRES seconds
  * have passed.
  *
  * @param string $token The token.
  * @param string $url   The url for which the token was generated.
  * @return boolean      True if the token is valid, otherwise false.
  */
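 public static final function validateToken($token, $url)
 {
     use_helper('Hash');
     $hash = new Crypt_Hash('sha256');
     AuthUser::load();

     // A token is bound to the logged-in user's record; without a session
     // there is nothing to rebuild the expected value from.
     if (!AuthUser::isLoggedIn()) {
         return false;
     }

     $user = AuthUser::getRecord();

     // Undo HTML escaping of the query-string separator so a URL taken from
     // markup ("&amp;") is hashed in the same form as a raw one ("&").
     // Replacing '&' with '&' would be a no-op and leave escaped URLs unmatched.
     // NOTE(review): the token-generation code is not visible here; confirm
     // it applies the same normalisation before hashing.
     $target_url = str_replace('&amp;', '&', $url);

     // Only a 20-character slice of the hex digest of $user->password is
     // mixed in, so a password change invalidates outstanding tokens.
     $pwd = substr(bin2hex($hash->hash($user->password)), 5, 20);

     // NOTE(review): getTokenTime() is not shown; if it returns false/null
     // when no token is stored, the subtraction treats it as 0 and the
     // expiry check below rejects the request. Confirm against its source.
     $time = SecureToken::getTokenTime($user->username, $target_url);
     if (microtime(true) - $time > self::EXPIRES) {
         return false;
     }

     $expected = bin2hex($hash->hash($user->username . $time . $target_url . $pwd . $user->salt));

     // $token is caller-supplied. Compare in constant time so response timing
     // does not reveal how many leading characters of a guess were correct.
     // hash_equals() accepts strings only (and needs PHP 5.6+), so any other
     // type is rejected up front, which is what === did for non-strings too.
     return is_string($token) && hash_equals($expected, $token);
 }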