diff options
Diffstat (limited to 'plugins/auth_internal/init.php')
-rw-r--r-- | plugins/auth_internal/init.php | 322 |
1 files changed, 146 insertions, 176 deletions
diff --git a/plugins/auth_internal/init.php b/plugins/auth_internal/init.php index 13a7bc969..9155f8165 100644 --- a/plugins/auth_internal/init.php +++ b/plugins/auth_internal/init.php @@ -4,7 +4,7 @@ class Auth_Internal extends Auth_Base { private $host; function about() { - return array(1.0, + return array(null, "Authenticates against internal tt-rss database", "fox", true); @@ -19,200 +19,162 @@ class Auth_Internal extends Auth_Base { function authenticate($login, $password, $service = '') { - $pwd_hash1 = encrypt_password($password); - $pwd_hash2 = encrypt_password($password, $login); $otp = (int) ($_REQUEST["otp"] ?? 0); - if (get_schema_version() > 96) { + // don't bother with null/null logins for auth_external etc + if ($login && get_schema_version() > 96) { - $sth = $this->pdo->prepare("SELECT otp_enabled,salt FROM ttrss_users WHERE - LOWER(login) = LOWER(?)"); - $sth->execute([$login]); + $user_id = UserHelper::find_user_by_login($login); - if ($row = $sth->fetch()) { - $otp_enabled = $row['otp_enabled']; + if ($user_id && UserHelper::is_otp_enabled($user_id)) { - if ($otp_enabled) { - - // only allow app password checking if OTP is enabled - if ($service && get_schema_version() > 138) { - return $this->check_app_password($login, $password, $service); - } - - if ($otp) { - $base32 = new \OTPHP\Base32(); - - $secret = $base32->encode(mb_substr(sha1($row["salt"]), 0, 12), false); - $secret_legacy = $base32->encode(sha1($row["salt"])); - - $totp = new \OTPHP\TOTP($secret); - $otp_check = $totp->now(); - - $totp_legacy = new \OTPHP\TOTP($secret_legacy); - $otp_check_legacy = $totp_legacy->now(); - - if ($otp !== $otp_check && $otp !== $otp_check_legacy) { - return false; - } - } else { - $return = urlencode($_REQUEST["return"]); - ?> - <!DOCTYPE html> - <html> - <head> - <title>Tiny Tiny RSS</title> - <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> - </head> - <?= stylesheet_tag("themes/light.css") ?> - <body class="ttrss_utility otp"> - <h1><?= __("Authentication") ?></h1> - <div class="content"> - <form action="public.php?return=<?= $return ?>" - method="POST" class="otpform"> - <input type="hidden" name="op" value="login"> - <input type="hidden" name="login" value="<?= htmlspecialchars($login) ?>"> - <input type="hidden" name="password" value="<?= htmlspecialchars($password) ?>"> - <input type="hidden" name="bw_limit" value="<?= htmlspecialchars($_POST["bw_limit"]) ?>"> - <input type="hidden" name="remember_me" value="<?= htmlspecialchars($_POST["remember_me"]) ?>"> - <input type="hidden" name="profile" value="<?= htmlspecialchars($_POST["profile"]) ?>"> - - <fieldset> - <label><?= __("Please enter your one time password:") ?></label> - <input autocomplete="off" size="6" name="otp" value=""/> - <input type="submit" value="Continue"/> - </fieldset> - </form></div> - <script type="text/javascript"> - document.forms[0].otp.focus(); - </script> - <?php - exit; - } + // only allow app passwords for service logins if OTP is enabled + if ($service && get_schema_version() > 138) { + return $this->check_app_password($login, $password, $service); } - } - } - // check app passwords first but allow regular password as a fallback for the time being - // if OTP is not enabled + if ($otp) { - if ($service && get_schema_version() > 138) { - $user_id = $this->check_app_password($login, $password, $service); - - if ($user_id) - return $user_id; - } + /*$base32 = new \OTPHP\Base32(); - if (get_schema_version() > 87) { + $secret = $base32->encode(mb_substr(sha1($row["salt"]), 0, 12), false); + $secret_legacy = $base32->encode(sha1($row["salt"])); - $sth = $this->pdo->prepare("SELECT salt FROM ttrss_users WHERE LOWER(login) = LOWER(?)"); - $sth->execute([$login]); + $totp = new \OTPHP\TOTP($secret); + $otp_check = $totp->now(); - if ($row = $sth->fetch()) { - $salt = $row['salt']; + $totp_legacy = new \OTPHP\TOTP($secret_legacy); + $otp_check_legacy = $totp_legacy->now(); - if ($salt == "") { - - $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE - LOWER(login) = LOWER(?) AND (pwd_hash = ? OR pwd_hash = ?)"); - - $sth->execute([$login, $pwd_hash1, $pwd_hash2]); - - // verify and upgrade password to new salt base - - if ($row = $sth->fetch()) { - // upgrade password to MODE2 - - $user_id = $row['id']; - - $salt = substr(bin2hex(get_random_bytes(125)), 0, 250); - $pwd_hash = encrypt_password($password, $salt, true); - - $sth = $this->pdo->prepare("UPDATE ttrss_users SET - pwd_hash = ?, salt = ? WHERE LOWER(login) = LOWER(?)"); - - $sth->execute([$pwd_hash, $salt, $login]); + if ($otp !== $otp_check && $otp !== $otp_check_legacy) { + return false; + } */ + if (UserHelper::check_otp($user_id, $otp)) return $user_id; - - } else { + else return false; - } } else { - $pwd_hash = encrypt_password($password, $salt, true); - - $sth = $this->pdo->prepare("SELECT id - FROM ttrss_users WHERE - LOWER(login) = LOWER(?) AND pwd_hash = ?"); - $sth->execute([$login, $pwd_hash]); - - if ($row = $sth->fetch()) { - return $row['id']; - } + $return = urlencode($_REQUEST["return"]); + ?> + <!DOCTYPE html> + <html> + <head> + <title>Tiny Tiny RSS</title> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <?php foreach (["lib/dojo/dojo.js", + "lib/dojo/tt-rss-layer.js", + "js/common.js", + "js/utility.js"] as $jsfile) { + echo javascript_tag($jsfile); + } ?> + <style type="text/css"> + @media (prefers-color-scheme: dark) { + body { + background : #303030; + } + } + + body.css_loading * { + display : none; + } + </style> + + <script type="text/javascript"> + require({cache:{}}); + + const UtilityApp = { + init: function() { + require(['dojo/parser', "dojo/ready", 'dijit/form/Button', 'dijit/form/Form', + 'dijit/form/TextBox','dijit/form/ValidationTextBox'],function(parser, ready){ + ready(function() { + parser.parse(); + dijit.byId("otp").focus(); + }); + }); + }, + }; + </script> + </head> + <body class="flat ttrss_utility otp css_loading"> + <h1><?= __("Authentication") ?></h1> + <div class="content"> + <form dojoType="dijit.form.Form" action="public.php?return=<?= urlencode(with_trailing_slash($return)) ?>" method="post" class="otpform"> + + <?php foreach (["login", "password", "bw_limit", "safe_mode", "remember_me", "profile"] as $key) { + print \Controls\hidden_tag($key, $_POST[$key] ?? ""); + } ?> + + <?= \Controls\hidden_tag("op", "login") ?> + + <fieldset> + <label><?= __("Please enter your one time password:") ?></label> + <input id="otp" dojoType="dijit.form.ValidationTextBox" required="1" autocomplete="off" size="6" name="otp" value=""/> + <?= \Controls\submit_tag(__("Continue")) ?> + </fieldset> + </form> + </div> + </body> + </html> + <?php + exit; } + } + } - } else { - $sth = $this->pdo->prepare("SELECT id - FROM ttrss_users WHERE - LOWER(login) = LOWER(?) AND (pwd_hash = ? OR pwd_hash = ?)"); + // service logins: check app passwords first but allow regular password + // as a fallback if OTP is not enabled - $sth->execute([$login, $pwd_hash1, $pwd_hash2]); + if ($service && get_schema_version() > 138) { + $user_id = $this->check_app_password($login, $password, $service); - if ($row = $sth->fetch()) { - return $row['id']; - } - } - } else { - $sth = $this->pdo->prepare("SELECT id - FROM ttrss_users WHERE - LOWER(login) = LOWER(?) AND (pwd_hash = ? OR pwd_hash = ?)"); + if ($user_id) + return $user_id; + } - $sth->execute([$login, $pwd_hash1, $pwd_hash2]); + if ($login) { + $try_user_id = $this->find_user_by_login($login); - if ($row = $sth->fetch()) { - return $row['id']; + if ($try_user_id) { + return $this->check_password($try_user_id, $password); } } return false; } - function check_password($owner_uid, $password, $service = '') { + function check_password(int $owner_uid, string $password, string $service = '') { - $sth = $this->pdo->prepare("SELECT salt,login,otp_enabled FROM ttrss_users WHERE - id = ?"); - $sth->execute([$owner_uid]); + $user = ORM::for_table('ttrss_users')->find_one($owner_uid); - if ($row = $sth->fetch()) { + if ($user) { - $salt = $row['salt']; - $login = $row['login']; + $salt = $user['salt'] ?? ""; + $login = $user['login']; + $pwd_hash = $user['pwd_hash']; + + list ($pwd_algo, $raw_hash) = explode(":", $pwd_hash, 2); // check app password only if service is specified if ($service && get_schema_version() > 138) { return $this->check_app_password($login, $password, $service); } - if (!$salt) { - $password_hash1 = encrypt_password($password); - $password_hash2 = encrypt_password($password, $login); - - $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE - id = ? AND (pwd_hash = ? OR pwd_hash = ?)"); - - $sth->execute([$owner_uid, $password_hash1, $password_hash2]); + $test_hash = UserHelper::hash_password($password, $salt, $pwd_algo); - return $sth->fetch(); + if (hash_equals($pwd_hash, $test_hash)) { + if ($pwd_algo != UserHelper::HASH_ALGOS[0]) { + Logger::log(E_USER_NOTICE, "Upgrading password of user $login to " . UserHelper::HASH_ALGOS[0]); - } else { - $password_hash = encrypt_password($password, $salt, true); + $new_hash = UserHelper::hash_password($password, $salt, UserHelper::HASH_ALGOS[0]); - $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE - id = ? AND pwd_hash = ?"); - - $sth->execute([$owner_uid, $password_hash]); - - return $sth->fetch(); + if ($new_hash) { + $usth = $this->pdo->prepare("UPDATE ttrss_users SET pwd_hash = ? WHERE id = ?"); + $usth->execute([$new_hash, $owner_uid]); + } + } + return $owner_uid; } } @@ -223,35 +185,34 @@ class Auth_Internal extends Auth_Base { if ($this->check_password($owner_uid, $old_password)) { - $new_salt = substr(bin2hex(get_random_bytes(125)), 0, 250); - $new_password_hash = encrypt_password($new_password, $new_salt, true); + $new_salt = UserHelper::get_salt(); + $new_password_hash = UserHelper::hash_password($new_password, $new_salt, UserHelper::HASH_ALGOS[0]); - $sth = $this->pdo->prepare("UPDATE ttrss_users SET - pwd_hash = ?, salt = ?, otp_enabled = false - WHERE id = ?"); - $sth->execute([$new_password_hash, $new_salt, $owner_uid]); + $user = ORM::for_table('ttrss_users')->find_one($owner_uid); - $_SESSION["pwd_hash"] = $new_password_hash; + $user->salt = $new_salt; + $user->pwd_hash = $new_password_hash; + $user->save(); - $sth = $this->pdo->prepare("SELECT email, login FROM ttrss_users WHERE id = ?"); - $sth->execute([$owner_uid]); + if ($_SESSION["uid"] ?? 0 == $owner_uid) + $_SESSION["pwd_hash"] = $new_password_hash; - if ($row = $sth->fetch()) { + if ($user->email) { $mailer = new Mailer(); $tpl = new Templator(); $tpl->readTemplateFromFile("password_change_template.txt"); - $tpl->setVariable('LOGIN', $row["login"]); + $tpl->setVariable('LOGIN', $user->login); $tpl->setVariable('TTRSS_HOST', Config::get(Config::SELF_URL_PATH)); $tpl->addBlock('message'); $tpl->generateOutputToString($message); - $mailer->mail(["to_name" => $row["login"], - "to_address" => $row["email"], + $mailer->mail(["to_name" => $user->login, + "to_address" => $user->email, "subject" => "[tt-rss] Password change notification", "message" => $message]); @@ -270,19 +231,28 @@ class Auth_Internal extends Auth_Base { $sth->execute([$login, $service]); while ($row = $sth->fetch()) { - list ($algo, $hash, $salt) = explode(":", $row["pwd_hash"]); + list ($pwd_algo, $raw_hash, $salt) = explode(":", $row["pwd_hash"]); + + $test_hash = UserHelper::hash_password($password, $salt, $pwd_algo); + + if (hash_equals("$pwd_algo:$raw_hash", $test_hash)) { + $pass = ORM::for_table('ttrss_app_passwords')->find_one($row["id"]); + $pass->last_used = Db::NOW(); - if ($algo == "SSHA-512") { - $test_hash = hash('sha512', $salt . $password); + if ($pwd_algo != UserHelper::HASH_ALGOS[0]) { + // upgrade password to current algo + Logger::log(E_USER_NOTICE, "Upgrading app password of user $login to " . UserHelper::HASH_ALGOS[0]); - if ($test_hash == $hash) { - $usth = $this->pdo->prepare("UPDATE ttrss_app_passwords SET last_used = NOW() WHERE id = ?"); - $usth->execute([$row['id']]); + $new_hash = UserHelper::hash_password($password, $salt); - return $row['uid']; + if ($new_hash) { + $pass->pwd_hash = "$new_hash:$salt"; + } } - } else { - user_error("Got unknown algo of app password for user $login: $algo"); + + $pass->save(); + + return $row['uid']; } } |