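/**
 * Authenticate a user by username (or email address) and password.
 *
 * @param array $data  Expects 'username' and 'password' keys. 'username' is
 *                     treated as an email address when it contains '@'.
 * @return int|false   The userID on success; false when no row matched, the
 *                     password did not verify, or either credential is empty.
 * @throws Exception   Propagated when the primary database fails. Previously a
 *                     failure of the primary (after an empty replica result)
 *                     was swallowed and reported as "bad credentials".
 *
 * Security notes (review):
 *  - Legacy salted-SHA1 and unsalted-MD5 hashes are still accepted so old
 *    accounts can log in. They are now compared with hash_equals(). The old
 *    loose `==` compared two hex strings *numerically* when both had the form
 *    "0e<digits>" (PHP "magic hash" type juggling), so a password whose MD5/SHA1
 *    happened to look like that would verify against any similarly shaped
 *    stored hash. hash_equals() is also constant-time.
 *  - A successful check is cached for 60s keyed on sha256(username NUL password).
 *    The NUL separator prevents ("ab","c") and ("a","bc") from sharing a key
 *    (the previous key concatenated them directly). Because the key is a fast,
 *    unsalted hash of the plaintext credentials, the cache backend must not be
 *    readable by untrusted parties. A password change or account lock may not
 *    take effect for up to 60s while an entry is live.
 *  - TODO(review): on a successful legacy-hash login the plaintext is available,
 *    so the stored hash should be upgraded to bcrypt (password_hash) to retire
 *    the weak hashes. Not done here: the write path for the users table is not
 *    visible in this file.
 */
public static function authenticate($data) {
    $salt = Z_CONFIG::$AUTH_SALT; // TODO: config
    $dev = Z_ENV_TESTING_SITE ? "_test" : "";
    $databaseName = "zotero_www{$dev}";

    // Missing keys used to raise an undefined-index notice and pass null through.
    $username = isset($data['username']) ? (string) $data['username'] : '';
    $password = isset($data['password']) ? (string) $data['password'] : '';
    // An empty password is never accepted, whatever the stored hash happens to be.
    if ($username === '' || $password === '') {
        return false;
    }

    $isEmailAddress = strpos($username, '@') !== false;

    // See header: NUL separator avoids cross-credential key collisions.
    $cacheKey = 'userAuthHash_' . hash('sha256', $username . "\0" . $password);
    $userID = Z_Core::$MC->get($cacheKey);
    if ($userID) {
        return $userID;
    }

    // Username
    if (!$isEmailAddress) {
        $sql = "SELECT userID, username, password AS hash FROM {$databaseName}.users WHERE username=?";
        $params = [$username];
    }
    // Email address: the value may also be a literal username, so look it up
    // both ways and prefer the exact username match.
    else {
        $sql = "SELECT userID, username, password AS hash FROM {$databaseName}.users\n\t\t\t WHERE username = ?\n\t\t\t UNION\n\t\t\t SELECT userID, username, password AS hash FROM {$databaseName}.users\n\t\t\t WHERE email = ?\n\t\t\t ORDER BY username = ? DESC";
        $params = [$username, $username, $username];
    }

    try {
        $retry = true;
        $rows = Zotero_WWW_DB_2::query($sql, $params);
        if (!$rows) {
            // Not found on the replica -- re-check the primary (replication lag).
            $retry = false;
            $rows = Zotero_WWW_DB_1::query($sql, $params);
        }
    }
    catch (Exception $e) {
        if (!$retry) {
            // The primary itself failed; surface the outage instead of
            // silently returning "no such user".
            throw $e;
        }
        Z_Core::logError("WARNING: {$e} -- retrying on primary");
        $rows = Zotero_WWW_DB_1::query($sql, $params);
    }

    if (!$rows) {
        return false;
    }

    $foundRow = null;
    foreach ($rows as $row) {
        $storedHash = (string) $row['hash'];

        // Current scheme: bcrypt via password_hash()
        if (password_verify($password, $storedHash)) {
            $foundRow = $row;
            break;
        }

        // Legacy schemes: salted SHA1, then unsalted MD5.
        // Constant-time, string-only comparison (no `==` type juggling).
        if (hash_equals($storedHash, sha1($salt . $password))
                || hash_equals($storedHash, md5($password))) {
            $foundRow = $row;
            break;
        }
    }

    if ($foundRow === null) {
        return false;
    }

    self::updateUser($foundRow['userID'], $foundRow['username']);
    Z_Core::$MC->set($cacheKey, $foundRow['userID'], 60);
    return $foundRow['userID'];
}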
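/**
 * Return the publishing-privacy flags for a user, memoised per instance in
 * $this->userPrivacy.
 *
 * @param int $userID
 * @return array  At least ['library' => bool, 'notes' => bool], both defaulting
 *                to false when no row exists. Any other users_meta key beginning
 *                with 'privacy_publish' also lands in the array under its
 *                lower-cased suffix, because the query uses a LIKE prefix match.
 * @throws Exception  On the dev site for any userID other than the two
 *                    hard-coded test users; otherwise propagated from the
 *                    primary database when both replica and primary fail.
 *
 * Note: metaValue is interpreted as (bool)(int), so non-numeric values such
 * as "true" or "yes" evaluate to false (fail closed: not public).
 */
private function getUserPrivacy($userID) {
    if (isset($this->userPrivacy[$userID])) {
        return $this->userPrivacy[$userID];
    }

    if (Z_ENV_DEV_SITE) {
        // Hard-coded test values; external lookups are refused on the dev site
        $privacy = array();
        switch ($userID) {
            case 1:
                $privacy['library'] = true;
                $privacy['notes'] = true;
                break;
            case 2:
                $privacy['library'] = false;
                $privacy['notes'] = false;
                break;
            default:
                throw new Exception("External requests disabled on dev site");
        }
        $this->userPrivacy[$userID] = $privacy;
        return $privacy;
    }

    $sql = "SELECT metaKey, metaValue FROM users_meta WHERE userID=? AND metaKey LIKE 'privacy_publish%'";
    try {
        $rows = Zotero_WWW_DB_2::query($sql, $userID);
    }
    catch (Exception $e) {
        Z_Core::logError("WARNING: {$e} -- retrying on primary");
        $rows = Zotero_WWW_DB_1::query($sql, $userID);
    }

    // Default to private; only an explicit truthy row opens anything up.
    $privacy = array('library' => false, 'notes' => false);
    if ($rows) { // guard: a missing/false result must not be iterated
        foreach ($rows as $row) {
            // Strip the 15-character 'privacy_publish' prefix, e.g.
            // 'privacy_publishLibrary' -> 'library'
            $privacy[strtolower(substr($row['metaKey'], 15))] = (bool) (int) $row['metaValue'];
        }
    }

    $this->userPrivacy[$userID] = $privacy;
    return $privacy;
}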