diff options
author | Andrew Dolgov <[email protected]> | 2021-02-25 15:39:46 +0300 |
---|---|---|
committer | Andrew Dolgov <[email protected]> | 2021-02-25 15:39:46 +0300 |
commit | 59c14e9c0001bc7a01763ecc7d3042dcde978a1a (patch) | |
tree | 0b50328be7b8374308fc130cb5440edd9f03c5c2 | |
parent | efd196839a20ae7e38be227c62b9c134ddec4bea (diff) |
api: remove base64 encoded passwords (wtf), log all authentication failures in userhelper
-rwxr-xr-x | classes/api.php | 9 | ||||
-rwxr-xr-x | classes/handler/public.php | 2 | ||||
-rwxr-xr-x | classes/logger.php | 2 | ||||
-rw-r--r-- | classes/userhelper.php | 3 |
4 files changed, 6 insertions, 10 deletions
diff --git a/classes/api.php b/classes/api.php index 3c6795327..a0ee773c1 100755 --- a/classes/api.php +++ b/classes/api.php @@ -68,20 +68,15 @@ class API extends Handler { $login = clean($_REQUEST["user"]); $password = clean($_REQUEST["password"]); - $password_base64 = base64_decode(clean($_REQUEST["password"])); if (Config::get(Config::SINGLE_USER_MODE)) $login = "admin"; if ($uid = UserHelper::find_user_by_login($login)) { if (get_pref(Prefs::ENABLE_API_ACCESS, $uid)) { - if (UserHelper::authenticate($login, $password, false, Auth_Base::AUTH_SERVICE_API)) { // try login with normal password + if (UserHelper::authenticate($login, $password, false, Auth_Base::AUTH_SERVICE_API)) { $this->_wrap(self::STATUS_OK, array("session_id" => session_id(), "api_level" => self::API_LEVEL)); - } else if (UserHelper::authenticate($login, $password_base64, false, Auth_Base::AUTH_SERVICE_API)) { // else try with base64_decoded password - $this->_wrap(self::STATUS_OK, array("session_id" => session_id(), - "api_level" => self::API_LEVEL)); - } else { // else we are not logged in - user_error("Failed login attempt for $login from " . UserHelper::get_user_ip(), E_USER_WARNING); + } else { $this->_wrap(self::STATUS_ERR, array("error" => self::E_LOGIN_ERROR)); } } else { diff --git a/classes/handler/public.php b/classes/handler/public.php index bf0160db6..6ab9d7285 100755 --- a/classes/handler/public.php +++ b/classes/handler/public.php @@ -395,8 +395,6 @@ class Handler_Public extends Handler { if (!isset($_SESSION["login_error_msg"])) $_SESSION["login_error_msg"] = __("Incorrect username or password"); - - user_error("Failed login attempt for $login from " . UserHelper::get_user_ip(), E_USER_WARNING); } $return = clean($_REQUEST['return']); diff --git a/classes/logger.php b/classes/logger.php index 6cc33314d..c917182c1 100755 --- a/classes/logger.php +++ b/classes/logger.php @@ -57,7 +57,7 @@ class Logger { } } - public static function get() { + public static function get() : Logger { if (self::$instance == null) self::$instance = new self(); diff --git a/classes/userhelper.php b/classes/userhelper.php index 8d9d483a8..0698f6beb 100644 --- a/classes/userhelper.php +++ b/classes/userhelper.php @@ -46,6 +46,9 @@ class UserHelper { return true; } + if (!$user_id) + Logger::get()->log(E_USER_WARNING, "Failed login attempt for $login (service: $service) from " . UserHelper::get_user_ip()); + return false; } else { |