/**
* Validate a user-provided password with user
*
* @param HiddenString $password
* @param HiddenString $pHash
* @param array $migrationData
* @param EncryptionKey $passwordKey
* @return bool
* @throws \Exception
*/
public function validate(HiddenString $password, HiddenString $pHash, array $migrationData, EncryptionKey $passwordKey = null) : bool
{
if (!$passwordKey) {
if (!$this->key instanceof EncryptionKey) {
throw new \Exception(\__('No key was passed to this migration'));
}
$passwordKey = $this->key;
}
$hash = $this->wordPressCryptPrivate($password, $migrationData['salt']);
return Password::verify($hash, $pHash->getString(), $passwordKey);
}
public function login()
{
if (Session::get('loggin') == true) {
url::redirect('admin');
}
if (isset($_POST['submit'])) {
$username = $_POST['username'];
$password = $_POST['password'];
$admin = $this->loadModel('admin_model');
if (Password::verify($password, $admin->get_hash($username)) == false) {
die('wrong username or password');
} else {
Session::set('loggin', true);
Url::redirect('admin');
}
}
$data['title'] = 'Login';
$this->view->rendertemplate('header', $data);
$this->view->render('admin/login', $data);
$this->view->rendertemplate('footer', $data);
}
public function login()
{
if (Session::get('loggedin')) {
Url::redirect('admin');
}
$model = new \models\admin\auth();
$data['title'] = 'Login';
if (isset($_POST['submit'])) {
$username = $_POST['username'];
$password = $_POST['password'];
if (Password::verify($password, $model->getHash($_POST['username'])) == 0) {
$error[] = 'Wrong username of password';
} else {
Session::set('loggedin', true);
Url::redirect('admin');
}
}
View::renderadmintemplate('loginheader', $data);
View::render('admin/login', $data, $error);
View::renderadmintemplate('footer', $data);
}
/**
* @param HiddenString $password
* @return bool
*/
public function tryUnlockPassword(HiddenString $password) : bool
{
$state = State::instance();
return Password::verify($password->getString(), $this->installHash, $state->keyring['auth.password_key']);
}
public function login($username, $password)
{
if ($this->logged_in) {
return true;
}
//Make sure username and password are provided
if (!isset($username) || !isset($password)) {
return false;
}
$username = $this->escape(trim($username));
$password = $this->escape(trim($password));
$result = $this->query("SELECT pass, last_attempt, attempts FROM users WHERE username = '******'", array($username));
if (count($result) === 0) {
return false;
}
$password = new Password($password);
//Rate limit password guesses per minute
//Once the user has guessed 5 times, they have to wait a minute before trying again
$attempt_time = time();
$attempts = (int) $result[0]->attempts;
//Reset attempt counter if user hasn't attempted in last minute
if ($attempt_time > $result[0]->last_attempt + self::TIME_RANGE) {
$attempts = 0;
}
$attempts++;
//User has exceeded max number of attempts in last minute
if ($attempts > self::MAX_ATTEMPTS) {
return false;
}
//Update user with attempt count and current time
$this->query("UPDATE users SET last_attempt = '%d', attempts = '%d' WHERE username = '******'", array($attempt_time, $attempts, $username));
if (!$password->verify($result[0]->pass)) {
return false;
}
$_SESSION["username"] = $username;
$_SESSION["login_time"] = $attempt_time;
$this->logged_in = true;
return true;
}
function resetPasswordAction($db, $reset_key, $email_address, $password_token, $password, $user_password_repeat)
{
$response = $db->query('SELECT secret, request_timestamp FROM responses
WHERE reset_key = :reset_key AND email_address = :email_address
AND NOT used AND active', array(':reset_key' => $reset_key, ':email_address' => $email_address));
$validatedPassword = self::validateUserPassword($password, $user_password_repeat);
if (!$validatedPassword) {
return "INVALID PASSWORD";
}
if ($response) {
$created = DateTime::createFromFormat('Y-m-d G:i:s', $response[0]->request_timestamp);
if ($created >= new DateTime('30 minutes ago')) {
if (Password::verify($password_token, $response[0]->secret) && $password == $user_password_repeat) {
$disable_token = $db->update("responses", array('used' => 1), array('reset_key' => $reset_key), array());
$hash = Password::make($password, PASSWORD_BCRYPT, array("cost" => 10));
$password_change = $db->exec('UPDATE Users SET password = :password WHERE email = :email', array(':password' => $hash, ':email' => $email_address));
return "Password Successfully Changed";
}
}
} else {
return "INVALID RESET TOKEN";
}
}
/**
* Verifies that the password is valid for a given user account. Returns
* false whether or not the user name is valid and attempts to minimize
* leaking that information through timing side-channels.
*
* @param string $username
* @param HiddenString $password
* @return bool|int
*/
public function login(string $username, HiddenString $password)
{
/**
* To prevent extreme stupidity, we escape our table and column names
* here. We shouldn't ever *need* to do this, but as long as developers
* are creative, they will find creative ways to make their apps
* insecure and we should anticipate them as much as we can.
*/
$table = $this->db->escapeIdentifier($this->tableConfig['table']['accounts']);
// Let's fetch the user data from the database
$user = $this->db->row('SELECT * FROM ' . $table . ' WHERE username = ?', $username);
if (empty($user)) {
/**
* User not found. Use the dummy password to mitigate user
* enumeration via timing side-channels.
*/
Password::verify($password->getString(), $this->dummyHash, $this->key);
// No matter what, return false here:
return false;
} else {
if (!empty($user['migration'])) {
$success = $this->migrateImportedHash($password, new HiddenString($user['password']), $user);
if ($success) {
return (int) $user['userid'];
}
}
if (Password::verify($password->getString(), $user['password'], $this->key)) {
return (int) $user['userid'];
}
}
return false;
}
// $app = \Slim\Slim::getInstance();
// $token = $app->request->headers->get('Authorization');
// $token = str_replace('"', "", $token);
// $tokenFromDB = Users_model::get_user_by_token($db, $token);
// if (!$tokenFromDB) {
// echoResponse(403, "Invalid Token");
// exit();
// }
// }
// Users
$app->post('/login', function () use($app) {
global $db;
$data = json_decode($app->request->getBody());
$user = Users_model::get_hash($db, $data->email);
$hash = Password::make($data->password, PASSWORD_BCRYPT, array("cost" => 10));
if (Password::verify($data->password, $user[0]->password) == true) {
echoResponse(200, $user[0]);
} else {
echoResponse(403, "Not a valid password");
}
});
// 'authenticateToken',
$app->get('/users', 'authenticateToken', function () use($app) {
global $db;
$rows = Users_model::get_users($db);
// foreach (getallheaders() as $name => $value) {
// var_dump(getallheaders());
// }
echoResponse(200, $rows);
});
$app->post('/users', function () use($app) {
