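/**
 * Continues a previously saved request.
 *
 * The request is saved as a <code>SecurityToken</code> which is passed through
 * the <code>token</code> path parameter.  The underlying payload can contain
 * the following keys:
 *
 * - mt the HTTP method (e.g. GET, POST); defaults to GET
 * - rt the FatFree routing path; defaults to /
 * - rq an array containing the request parameters; defaults to an empty array
 *
 * The saved request is then replayed through the FatFree <code>mock()</code>
 * method.
 *
 * @param mixed $f3 the FatFree instance supplied by the router (unused; the
 *   module's own <code>$this->f3</code> is used instead)
 * @param array $params the FatFree route parameters; the saved request is
 *   expected under the <code>token</code> key
 * @return void
 */
public function continueRequest($f3, $params) {
    $token = new SecurityToken();

    // A missing token and a token that cannot be decoded are treated the same
    // way: the request cannot be continued.
    $payload = isset($params['token']) ? $token->getPayload($params['token']) : null;

    if ($payload === null) {
        $this->f3->fatalError($this->t('Invalid request.'));
        return;
    }

    // Fill in defaults for any keys the saved request omitted
    $method = isset($payload['mt']) ? $payload['mt'] : 'GET';
    $route = isset($payload['rt']) ? $payload['rt'] : '/';
    $request = isset($payload['rq']) ? $payload['rq'] : array();

    $this->f3->mock($method . ' ' . $route, $request);
}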
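/**
 * Creates an auto login cookie.  The login cookie is based on the
 * currently logged in user.
 *
 * @param string $id the ID of the series of auto login cookies.  Cookies
 * belonging to the same user and computer have the same ID.  If none is
 * specified, one will be generated
 * @param int $expires the time at which the token will expire.  If none is
 * specified, the current time plus {@link SIMPLEID_LONG_TOKEN_EXPIRES_IN}
 * will be used
 * @return void
 */
protected function createCookie($id = NULL, $expires = NULL) {
    $user = $this->auth->getUser();
    $rand = new Random();

    // A caller-supplied expiry means an existing cookie is being renewed
    // rather than created.  Strict comparison against null so that an ID
    // or expiry that happens to be falsy is not silently regenerated.
    $renewing = ($expires !== null);
    $this->logger->log(LogLevel::DEBUG,
        'Automatic login token ' . ($renewing ? 'renewed' : 'created') . ' for ' . $user['uid']);

    if ($id === null) {
        $id = $rand->id();
    }
    if ($expires === null) {
        $expires = time() + SIMPLEID_LONG_TOKEN_EXPIRES_IN;
    }

    $data = array(
        'typ' => 'rememberme',
        'id' => $id,
        'uid' => $user['uid'],
        'exp' => $expires,
        'uaid' => $this->auth->assignUAID()
    );

    $token = new SecurityToken();
    $cookie = $token->generate($data);

    // NOTE(review): the cookie lifetime is always SIMPLEID_LONG_TOKEN_EXPIRES_IN,
    // even when the caller passed an earlier $expires; the 'exp' value inside
    // the token is what is expected to bound its validity - confirm the
    // verifying side checks it.
    $this->f3->set('COOKIE.' . $this->cookie_name, $cookie, SIMPLEID_LONG_TOKEN_EXPIRES_IN);
}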
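/**
 * Applies the upgrade.
 *
 * The upgrade to apply is identified by the signed <code>step</code> form
 * value, whose payload carries the upgrade ID under <code>upgid</code>.  The
 * upgrade results are read from the cache, the cache entry is cleared and the
 * results page is rendered.
 *
 * @return void
 */
function complete() {
    global $upgrade_access_check;

    $tpl = new \Template();
    $cache = \Cache::instance();
    $token = new SecurityToken();

    // NOTE(review): only the presence of the tk parameter is checked here;
    // the value is never passed to SecurityToken::verify(), unlike the other
    // form handlers in this code base.  Confirm whether this is intended.
    if (!$this->f3->exists('GET.tk')) {
        $this->f3->status(401);
        $this->fatalError($this->t('SimpleID detected a potential security attack. Please try again.'));
        return;
    }

    // The step token is signed, so an undecodable or incomplete payload is
    // treated as tampering
    $payload = $token->getPayload($this->f3->get('POST.step'));
    if (!is_array($payload) || !isset($payload['upgid'])) {
        $this->f3->status(401);
        $this->fatalError($this->t('SimpleID detected a potential security attack. Please try again.'));
        return;
    }

    $upgid = $payload['upgid'];
    $upgrade = $cache->get($upgid . '.upgrade');
    $cache->reset('.upgrade');

    if ($upgrade === false) {
        $this->f3->status(500);
        $this->fatalError($this->t('Upgrade not found'));
        return;
    }

    if (!$upgrade_access_check) {
        $this->f3->set('edit_upgrade_php', $this->t('Remember to edit upgrade.php to check <code>$upgrade_access_check</code> back to <code>TRUE</code>.'));
    }

    $this->f3->set('results', $upgrade['results']);
    $this->f3->set('upgrade_complete', $this->t('Your SimpleID installation has been upgraded. Please check the results below for any errors.'));
    $this->f3->set('title', $this->t('Upgrade'));
    $this->f3->set('page_class', 'dialog-page');
    $this->f3->set('layout', 'upgrade_results.html');

    print $tpl->render('page.html');
}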
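/**
 * Deletes an app (client) from the currently logged in user's preferences
 * and notifies all modules through the <code>revokeApp</code> hook.
 *
 * The request body must be form-encoded and carry a <code>tk</code> security
 * token valid for the <code>apps</code> context.  The response is JSON.
 *
 * @param mixed $f3 the FatFree instance supplied by the router (unused; the
 *   module's own <code>$this->f3</code> is used instead)
 * @param array $params the FatFree route parameters; the app's store ID is
 *   expected under the <code>cid</code> key
 * @return void
 */
public function delete($f3, $params) {
    $this->checkHttps('error', true);

    parse_str($this->f3->get('BODY'), $delete);
    header('Content-Type: application/json');

    // The security token protects this state-changing request against
    // cross-site request forgery
    $token = new SecurityToken();
    if (!isset($delete['tk']) || !$token->verify($delete['tk'], 'apps')) {
        $this->f3->status(401);
        print json_encode(array('error' => 'unauthorized', 'error_description' => $this->t('Unauthorized')));
        return;
    }

    $auth = AuthManager::instance();
    $user = $auth->getUser();
    $prefs =& $user->clients;

    $cid = isset($params['cid']) ? $params['cid'] : null;
    if (($cid === null) || !isset($prefs[$cid])) {
        $this->f3->status(404);
        print json_encode(array('error' => 'not_found', 'error_description' => $this->t('Not found')));
        return;
    }

    // Give other modules the chance to clean up before the preference is removed
    $mgr = ModuleManager::instance();
    $mgr->invokeAll('revokeApp', $cid);
    unset($prefs[$cid]);

    $store = StoreManager::instance();
    $store->saveUser($user);

    print json_encode(array('result' => 'success', 'result_description' => $this->t('App has been deleted.')));
}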
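/**
 * Processes a user response from the {@link consentForm()} function.
 *
 * The form state (the original request and the response being built) is
 * restored from the signed <code>fs</code> form value.  If the user denies
 * access, an <code>access_denied</code> error is sent back to the client.
 * Otherwise the user's consent is recorded in the user's client preferences
 * and the authorisation request is processed.
 *
 * @since 2.0
 * @return void
 */
function consent() {
    $auth = AuthManager::instance();
    $token = new SecurityToken();
    $store = StoreManager::instance();

    if (!$auth->isLoggedIn()) {
        $auth_module = $this->mgr->getModule('SimpleID\\Auth\\AuthModule');
        $auth_module->loginForm();
        return;
    }

    $user = $auth->getUser();

    // The form state is signed; a payload that cannot be decoded or lacks the
    // request/response is treated as tampering rather than processed further
    $form_state = $token->getPayload($this->f3->get('POST.fs'));
    if (!isset($form_state['rq']) || !isset($form_state['rs'])) {
        $this->f3->status(401);
        $this->f3->fatalError($this->t('SimpleID detected a potential security attack. Please try again.'));
        return;
    }
    $request = $form_state['rq'];
    $response = $form_state['rs'];

    if (!$token->verify($this->f3->get('POST.tk'), 'oauth_consent')) {
        $this->logger->log(LogLevel::WARNING, 'Security token ' . $this->f3->get('POST.tk') . ' invalid.');
        $this->f3->set('message', $this->t('SimpleID detected a potential security attack. Please try again.'));
        $this->consentForm($request, $response);
        return;
    }

    if ($this->f3->get('POST.op') == $this->t('Deny')) {
        $response->setError('access_denied')->renderRedirect();
        return;
    }

    $this->mgr->invokeRefAll('oAuthConsentFormSubmit', $form_state);

    $client = $store->loadClient($request['client_id'], 'SimpleID\\Protocols\\OAuth\\OAuthClient');
    $cid = $client->getStoreID();
    $now = time();

    $consents = array('oauth' => $this->f3->get('POST.prefs.consents.oauth'));

    if (isset($user->clients[$cid])) {
        $prefs = $user->clients[$cid];
    } else {
        $prefs = array(
            'oauth' => array(),
            'store_id' => $client->getStoreID(),
            'display_name' => $client->getDisplayName(),
            'display_html' => $client->getDisplayHTML(),
            'first_time' => $now,
            'consents' => array()
        );
    }

    $prefs['last_time'] = $now;
    $prefs['consents'] = array_merge($prefs['consents'], $consents);

    // exists() returns a boolean, so comparing its result with 'true' was
    // always true; the submitted value has to be read with get()
    if ($this->f3->get('POST.prefs.oauth.prompt_none') === 'true') {
        $prefs['oauth']['prompt_none'] = true;
    }

    $user->clients[$cid] = $prefs;
    $store->saveUser($user);

    $this->processAuthRequest($request, $response);
}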
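/**
 * Returns the dashboard OTP block.
 *
 * The block states whether login verification is enabled for the current
 * user and contains a form that posts to <code>auth/otp</code> to toggle it.
 * The form carries a session-bound security token for the <code>otp</code>
 * context.
 *
 * @return array the dashboard OTP block
 */
public function dashboardBlocksHook() {
    $auth = AuthManager::instance();
    $user = $auth->getUser();
    $base_path = $this->f3->get('base_path');

    $token = new SecurityToken();
    $tk = $token->generate('otp', SecurityToken::OPTION_BIND_SESSION);

    // The block is the same in both states apart from the status message
    // and the button label
    if (isset($user['otp'])) {
        $status = $this->t('Login verification is <strong>enabled</strong>.');
        $button = $this->t('Disable');
    } else {
        $status = $this->t('Login verification is <strong>disabled</strong>. To enable login verification, click the button below.');
        $button = $this->t('Enable');
    }

    // Values placed inside attributes are escaped for that context; the
    // translated paragraphs intentionally contain markup and are emitted as-is
    $html = '<p>' . $this->t('Login verification adds an extra layer of protection to your account. When enabled, you will need to enter an additional security code whenever you log into SimpleID.') . '</p>';
    $html .= '<p>' . $status . '</p>';
    $html .= '<form action="' . htmlspecialchars($base_path . 'auth/otp', ENT_QUOTES, 'UTF-8') . '" method="post" enctype="application/x-www-form-urlencoded">';
    $html .= '<input type="hidden" name="tk" value="' . htmlspecialchars($tk, ENT_QUOTES, 'UTF-8') . '"/>';
    $html .= '<input type="submit" name="op" value="' . htmlspecialchars($button, ENT_QUOTES, 'UTF-8') . '" /></form>';

    return array(array('id' => 'otp', 'title' => $this->t('Login Verification'), 'content' => $html, 'weight' => 0));
}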
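/**
 * Processes a user response from the {@link simpleid_openid_consent_form()} function.
 *
 * If the user verifies the relying party, an OpenID response will be sent to
 * the relying party.  Otherwise, the dashboard will be displayed to the user.
 *
 * The form state (the original request, the response being built and the
 * reason code) is restored from the signed <code>fs</code> form value.
 *
 * @return void
 */
public function consent() {
    $auth = AuthManager::instance();
    $token = new SecurityToken();
    $store = StoreManager::instance();

    if (!$auth->isLoggedIn()) {
        $auth_module = $this->mgr->getModule('SimpleID\\Auth\\AuthModule');
        $auth_module->loginForm();
        return;
    }

    $user = $auth->getUser();

    // The form state is signed; a payload that cannot be decoded or lacks the
    // request/response is treated as tampering rather than processed further
    $form_state = $token->getPayload($this->f3->get('POST.fs'));
    if (!isset($form_state['rq']) || !isset($form_state['rs'])) {
        $this->f3->status(401);
        $this->f3->fatalError($this->t('SimpleID detected a potential security attack. Please try again.'));
        return;
    }
    $request = $form_state['rq'];
    $response = $form_state['rs'];
    $reason = isset($form_state['code']) ? $form_state['code'] : null;

    if (!$token->verify($this->f3->get('POST.tk'), 'openid_consent')) {
        $this->logger->log(LogLevel::WARNING, 'Security token ' . $this->f3->get('POST.tk') . ' invalid.');
        $this->f3->set('message', $this->t('SimpleID detected a potential security attack. Please try again.'));
        $this->consentForm($request, $response, $reason);
        return;
    }

    // Prefer the return_to already recorded in the response, falling back to
    // the one in the original request
    $return_to = $response['return_to'];
    if (($return_to === null) || ($return_to === '')) {
        $return_to = $request['openid.return_to'];
    }

    if ($this->f3->get('POST.op') == $this->t('Cancel')) {
        $response = $this->createErrorResponse($request, false);
        if (!$return_to) {
            $this->f3->set('message', $this->t('Log in cancelled.'));
        }
    } else {
        $this->mgr->invokeRefAll('openIDConsentFormSubmit', $form_state);

        // exists() returns a boolean, so comparing its result with 'true' was
        // always true; the submitted value has to be read with get()
        $consents = array('openid' => ($this->f3->get('POST.prefs.consents.openid') === 'true'));

        $this->logActivity($request, $consents);
        $this->signResponse($response, isset($response['assoc_handle']) ? $response['assoc_handle'] : NULL);

        if (!$return_to) {
            $this->f3->set('message', $this->t('You were logged in successfully.'));
        }
    }

    if ($return_to) {
        $response->render($return_to);
    } else {
        $this->f3->reroute('/');
    }
}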
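/**
 * Displays a user login or a login verification form.
 *
 * @param array $params the F3 parameters; the <code>destination</code> key,
 *   if present, is passed on to the template
 * @param array $form_state the form state; <code>mode</code> is one of the
 *   AuthManager::MODE_* constants
 * @return void
 */
public function loginForm($params = array('destination' => null), $form_state = array('mode' => AuthManager::MODE_CREDENTIALS)) {
    $tpl = new \Template();
    $config = $this->f3->get('config');

    // 1. Check for HTTPS
    $this->checkHttps('redirect', true);

    // 2. Expose the user ID being re-entered before the modules build their
    // forms, as in the original ordering
    if ($form_state['mode'] == AuthManager::MODE_REENTER_CREDENTIALS) {
        $this->f3->set('uid', $form_state['uid']);
    }

    // 3. Build the forms.  This has to happen before the mode-specific
    // handling below, which needs to know whether there is anything to verify
    // (previously $forms was counted before it was assigned).
    if ($form_state['mode'] == AuthManager::MODE_VERIFY && isset($form_state['verify_forms'])) {
        $forms = $form_state['verify_forms'];
        // Removed so that the forms are not serialised into the fs token below
        unset($form_state['verify_forms']);
    } else {
        $forms = $this->mgr->invokeRefAll('loginForm', $form_state);
        uasort($forms, function ($a, $b) {
            if ($a['weight'] == $b['weight']) {
                return 0;
            }
            return ($a['weight'] < $b['weight']) ? -1 : 1;
        });
    }

    // 4. Build the buttons and security messaging
    switch ($form_state['mode']) {
        case AuthManager::MODE_REENTER_CREDENTIALS:
        case AuthManager::MODE_CREDENTIALS:
            $security_class = $config['allow_autocomplete'] ? 'allow-autocomplete ' : '';
            $this->f3->set('security_class', $security_class);
            $this->f3->set('submit_button', $this->t('Log in'));
            $this->f3->set('title', $this->t('Log In'));
            break;
        case AuthManager::MODE_VERIFY:
            if (count($forms) == 0) {
                return; // Nothing to verify
            }
            $this->f3->set('submit_button', $this->t('Verify'));
            $this->f3->set('title', $this->t('Verify'));
            break;
    }

    if (isset($form_state['cancel'])) {
        $this->f3->set('cancellable', true);
        $this->f3->set('cancel_button', $this->t('Cancel'));
    }

    $this->f3->set('forms', $forms);

    // 5. Security tokens.  We can't use SecurityToken::BIND_SESSION here
    // because the PHP session is not yet stable
    $token = new SecurityToken();
    $this->f3->set('tk', $token->generate('login', SecurityToken::OPTION_NONCE));
    $this->f3->set('fs', $token->generate($form_state));

    if (isset($params['destination'])) {
        $this->f3->set('destination', $params['destination']);
    }

    $this->f3->set('framekiller', true);
    $this->f3->set('page_class', 'dialog-page');
    $this->f3->set('layout', 'auth_login.html');

    // The login page must never be framed, regardless of the template's
    // own framekiller
    header('X-Frame-Options: DENY');
    print $tpl->render('page.html');
}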