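 /**
  * XHR handler: changes the password of the authenticated user.
  *
  * Reads `oldPassword` and `newPassword` from the POST body and applies them to
  * the account named by the `Auth-User` request header. Writes a JSON-encoded
  * StatusReturn (S200 on success, E400 otherwise) and returns nothing.
  */
 public function post_xhr()
 {
     if (!$this->checkAuth()) {
         return;
     }
     $oldPassword = $_POST['oldPassword'] ?? null;
     $newPassword = $_POST['newPassword'] ?? null;
     // Both values must be non-empty strings. The previous !empty() check let
     // `oldPassword[]=x` (an array) through to setPassword(), and rejected the
     // legitimate string "0".
     if (!is_string($oldPassword) || $oldPassword === '' || !is_string($newPassword) || $newPassword === '') {
         echo json_encode(StatusReturn::E400('Unknown Error'));
         return;
     }
     $headers = getallheaders();
     $user = new AuthUser();
     $user->loadUser(mb_strtolower($headers['Auth-User']));
     if ($user->setPassword($oldPassword, $newPassword)) {
         echo json_encode(StatusReturn::S200());
     } else {
         echo json_encode(StatusReturn::E400('Unknown Error'));
     }
 }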
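 /**
  * XHR handler: sets the security question and answer of the authenticated user.
  *
  * Reads `question` and `answer` from the POST body; the answer must be at least
  * _SECURITY_ANSWER_MIN_LENGTH_ characters and is stored lower-cased. Writes a
  * JSON-encoded StatusReturn (S200 on success, E400 otherwise) and returns nothing.
  */
 public function post_xhr()
 {
     if (!$this->checkAuth()) {
         return;
     }
     $question = $_POST['question'] ?? null;
     $answer = $_POST['answer'] ?? null;
     // Both values must be strings: `answer[]=x` arrives as an array, which the
     // previous isset() check accepted and then handed to mb_strlen().
     if (!is_string($question) || $question === ''
         || !is_string($answer) || mb_strlen($answer) < _SECURITY_ANSWER_MIN_LENGTH_) {
         echo json_encode(StatusReturn::E400('Unknown Error'));
         return;
     }
     $headers = getallheaders();
     $user = new AuthUser();
     $user->loadUser(mb_strtolower($headers['Auth-User']));
     // The answer is normalised to lower case so later comparisons are case-insensitive.
     if ($user->setQuestion($question, mb_strtolower($answer))) {
         echo json_encode(StatusReturn::S200());
     } else {
         echo json_encode(StatusReturn::E400('Unknown Error'));
     }
 }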
 /**
  * XHR handler: returns the managed-user data of the caller's account.
  *
  * Without $userName the whole list from getManageUsersData() is emitted; with a
  * name, only that user's data, or an E400 when getManageUserData() yields null
  * (the name is not a child of this account). Output is a JSON-encoded StatusReturn.
  *
  * @param string|null $userName
  */
 public function get_xhr($userName = null)
 {
     if (!$this->checkAuth()) {
         return;
     }
     $headers = getallheaders();
     $account = new AuthUser();
     $account->loadUser(mb_strtolower($headers['Auth-User']));
     if ($userName === null) {
         echo json_encode(StatusReturn::S200($account->getManageUsersData()));
         return;
     }
     $child = $account->getManageUserData(mb_strtolower($userName));
     $response = $child === null
         ? StatusReturn::E400('User Name is not a child of this account!')
         : StatusReturn::S200($child);
     echo json_encode($response);
 }
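 /**
  * XHR handler: saves the authenticated user's settings.
  *
  * Reads `baseLang` (required, non-empty), `twoFactorType` (required, must pass
  * TwoFactor::isValidValue()) and the optional `packages` from the POST body and
  * hands them to setSettings(). Writes a JSON-encoded StatusReturn and returns nothing.
  */
 public function post_xhr()
 {
     if (!$this->checkAuth()) {
         return;
     }
     $baseLang = $_POST['baseLang'] ?? null;
     $twoFactorType = $_POST['twoFactorType'] ?? null;
     // Scalar checks first: `baseLang[]=x` arrives as an array and previously
     // passed !empty(); isValidValue() presumably expects a scalar as well.
     if (!is_string($baseLang) || $baseLang === ''
         || !is_string($twoFactorType) || !TwoFactor::isValidValue($twoFactorType, false)) {
         echo json_encode(StatusReturn::E400('Missing or bad data!'));
         return;
     }
     $headers = getallheaders();
     $user = new AuthUser();
     $user->loadUser(mb_strtolower($headers['Auth-User']));
     // Optional; passed through as received — setSettings() owns its shape.
     $packages = $_POST['packages'] ?? [];
     if ($user->setSettings($baseLang, $twoFactorType, $packages)) {
         echo json_encode(StatusReturn::S200());
     } else {
         echo json_encode(StatusReturn::E400('Failed to save settings!'));
     }
 }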
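 /**
  * Validates the signed-request headers of the current request and, while
  * $initialize is set, drives the two-step login (password, then challenge)
  * for the named user.
  *
  * The request must carry Auth-User, Auth-Timestamp and Auth-Signature. The
  * signature is base64(HMAC-SHA512) over
  * METHOD . _DOMAIN_API_HOST_ . REQUEST_URI . <canonical POST body> . timestamp,
  * keyed with the user's session secret, or with the stored password hash
  * during initialization.
  *
  * @param array $roles      Roles of which the user must hold at least one.
  * @param bool  $initialize True during login: verify password/challenge instead
  *                          of the session secret.
  * @param bool  $whenLocked True to let a locked account through.
  * @return bool True when the request is authentic and the user is authorized.
  */
 public static function checkAuth($roles, $initialize = false, $whenLocked = false)
 {
     $headers = getallheaders();
     if (!isset($headers['Auth-User'], $headers['Auth-Timestamp'], $headers['Auth-Signature'])) {
         return false;
     }
     if (!is_numeric($headers['Auth-Timestamp'])) {
         return false;
     }
     // Bound the timestamp on both sides. The old check only rejected stale
     // requests, so a captured request with a far-future timestamp stayed
     // replayable until that time passed.
     $now = time();
     $notBefore = strtotime('-' . _TIME_TO_LIVE_IN_MINUTES_ . ' minute', $now);
     $notAfter = strtotime('+' . _TIME_TO_LIVE_IN_MINUTES_ . ' minute', $now);
     if ($headers['Auth-Timestamp'] < $notBefore || $headers['Auth-Timestamp'] > $notAfter) {
         return false;
     }
     if (_USE_HTTPS_ONLY_ && !self::requestUsesHttps()) {
         return false;
     }
     $userData = new AuthUser();
     if (!$userData->loadUser(mb_strtolower($headers['Auth-User']), $initialize)) {
         return false;
     }
     if ($userData->isLocked() && !$whenLocked) {
         return false;
     }
     if ($initialize) {
         // Login: the HMAC below is keyed with the stored password hash.
         $userSecret = $userData->getUserPassword();
         if (!array_key_exists('challenge', $_POST)) {
             // Step 1: verify the password and ask the client for the challenge.
             $password = $_POST['password'] ?? null;
             // 1000 PBKDF2 rounds is what the stored hashes were created with;
             // raising it needs a rehash migration, so it is left unchanged here.
             if (is_string($password) && is_string($userSecret)
                 && hash_equals($userSecret, hash_pbkdf2('sha512', $password, $userData->getSalt(), 1000))) {
                 $userData->askClientChallenge();
                 return true;
             }
             $userData->addFailedLogin();
             return false;
         }
         // Step 2: the posted challenge must match the pending one. Strict,
         // constant-time comparison: the old `!=` coerced types, so an empty
         // posted value matched an absent (null) stored challenge.
         // NOTE(review): assumes getChallengeKey() yields null/'' when nothing is pending — confirm.
         $challenge = $userData->getChallengeKey();
         $posted = $_POST['challenge'];
         if (!is_string($posted) || $challenge === null || $challenge === ''
             || !hash_equals((string) $challenge, $posted)) {
             $userData->addFailedLogin();
             return false;
         }
         // Opens the connection before the signature is verified; the failure
         // path at the end strips the headers this adds.
         $userData->initiateConnection();
     } else {
         $userSecret = $userData->getUserSecret();
     }
     $signatureData = $_SERVER['REQUEST_METHOD'] . _DOMAIN_API_HOST_ . $_SERVER['REQUEST_URI']
         . self::canonicalPostData($_POST) . $headers['Auth-Timestamp'];
     // An empty key would make the HMAC computable by anyone; never sign with it.
     $authentic = false;
     if (is_string($userSecret) && $userSecret !== '') {
         $expected = base64_encode(hash_hmac('sha512', $signatureData, $userSecret, true));
         $authentic = hash_equals($expected, $headers['Auth-Signature']);
     }
     if ($authentic && !empty(array_intersect($userData->getUserRoles(), $roles))) {
         $userData->makeSuccessfulLogin($initialize);
         return true;
     }
     // initiateConnection() added the secret / second-factor headers before the
     // hash test; remove them again now that it failed.
     header_remove('Auth-Secret');
     header_remove('Auth-Second-Factor');
     if ($initialize) {
         $userData->addFailedLogin();
     }
     return false;
 }

 /**
  * Whether the current request arrived over HTTPS.
  *
  * Uses the scheme of REQUEST_URI when the server supplies an absolute URI (the
  * old check relied on that alone and, given a plain path, raised an
  * undefined-index notice and always failed); otherwise falls back to
  * $_SERVER['HTTPS']. Behind a TLS-terminating proxy neither reflects the
  * client-facing scheme — TODO confirm deployment.
  *
  * @return bool
  */
 private static function requestUsesHttps()
 {
     $scheme = parse_url($_SERVER['REQUEST_URI'] ?? '', PHP_URL_SCHEME);
     if (is_string($scheme)) {
         return strtolower($scheme) === 'https';
     }
     $https = $_SERVER['HTTPS'] ?? '';
     return $https !== '' && strtolower($https) !== 'off';
 }

 /**
  * Builds the POST-body part of the signed string exactly as the client does:
  * `key=value` pairs joined by `&`, array values joined by `,`, no escaping.
  *
  * Values containing `&`, `=` or `,` are therefore ambiguous, but the format is
  * part of the wire protocol and must not be changed here.
  *
  * @param array $post
  * @return string
  */
 private static function canonicalPostData(array $post)
 {
     $pairs = [];
     foreach ($post as $key => $value) {
         $pairs[] = $key . '=' . (is_array($value) ? implode(',', $value) : $value);
     }
     return implode('&', $pairs);
 }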