Diffstat (limited to 'plugins/auth_internal/init.php')
-rw-r--r-- | plugins/auth_internal/init.php | 98 |
1 files changed, 52 insertions, 46 deletions
diff --git a/plugins/auth_internal/init.php b/plugins/auth_internal/init.php
index 77f7596f0..688a0f5d8 100644
--- a/plugins/auth_internal/init.php
+++ b/plugins/auth_internal/init.php
@@ -12,6 +12,7 @@ class Auth_Internal extends Auth_Base {
 $host->add_hook($host::HOOK_AUTH_USER, $this);
 }
+ /** @param string $service */
 function authenticate($login, $password, $service = '') {
 $otp = (int) ($_REQUEST["otp"] ?? 0);
@@ -29,22 +30,6 @@ class Auth_Internal extends Auth_Base {
 }
 if ($otp) {
-
- /*$base32 = new \OTPHP\Base32();
-
- $secret = $base32->encode(mb_substr(sha1($row["salt"]), 0, 12), false);
- $secret_legacy = $base32->encode(sha1($row["salt"]));
-
- $totp = new \OTPHP\TOTP($secret);
- $otp_check = $totp->now();
-
- $totp_legacy = new \OTPHP\TOTP($secret_legacy);
- $otp_check_legacy = $totp_legacy->now();
-
- if ($otp !== $otp_check && $otp !== $otp_check_legacy) {
- return false;
- } */
-
 if ($this->check_password($user_id, $password) && UserHelper::check_otp($user_id, $otp))
 return $user_id;
 else
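Review bot: The new docblock on `authenticate` documents only `$service`, while `$login` and `$password` stay untyped and undocumented even though the same commit gives `check_password`, `change_password` and `check_app_password` full `@param`/`@return` blocks. Since the signature is a hook implementation and adding native types could break other callers, the safer move is to complete the docblock in the multi-line style used further down: `@param string $login`, `@param string $password`, `@param string $service` and `@return int|false (false if failed, user id otherwise)`. The body reads the OTP from `$_REQUEST["otp"]`, which depending on `request_order` can merge GET, POST and cookie data; that line is unchanged here, but the docblock is a good place to state which source the code is meant to trust. The rest of `authenticate` lies outside this hunk.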
@@ -129,48 +114,61 @@ class Auth_Internal extends Auth_Base {
 }
 if ($login) {
- $try_user_id = $this->find_user_by_login($login);
-
- if ($try_user_id) {
- return $this->check_password($try_user_id, $password);
- }
- }
-
- return false;
- }
-
- function check_password(int $owner_uid, string $password, string $service = '') {
+ $user = ORM::for_table('ttrss_users')
+ ->where('login', $login)
+ ->find_one();
- $user = ORM::for_table('ttrss_users')->find_one($owner_uid);
+ if ($user) {
+ if (get_schema_version() >= 145) {
+ if ($user->last_auth_attempt) {
+ $last_auth_attempt = strtotime($user->last_auth_attempt);
- if ($user) {
+ if ($last_auth_attempt && time() - $last_auth_attempt < Config::get(Config::AUTH_MIN_INTERVAL)) {
+ Logger::log(E_USER_NOTICE, "Too many authentication attempts for {$user->login}, throttled.");
- // don't throttle app passwords
- if (!$service && get_schema_version() >= 145) {
+ // start an empty session to deliver login error message
+ if (session_status() != PHP_SESSION_ACTIVE)
+ session_start();
- if ($user->last_auth_attempt) {
- $last_auth_attempt = strtotime($user->last_auth_attempt);
+ $_SESSION["login_error_msg"] = __("Too many authentication attempts, throttled.");
- if ($last_auth_attempt && time() - $last_auth_attempt < Config::get(Config::AUTH_MIN_INTERVAL)) {
- Logger::log(E_USER_NOTICE, "Too many authentication attempts for {$user->login}, throttled.");
+ $user->last_auth_attempt = Db::NOW();
+ $user->save();
- // start an empty session to deliver login error message
- if (session_status() != PHP_SESSION_ACTIVE)
- session_start();
+ return false;
+ }
+ }
+ }
- $_SESSION["login_error_msg"] = __("Too many authentication attempts, throttled.");
+ $auth_result = $this->check_password($user->id, $password);
+ if ($auth_result) {
+ return $auth_result;
+ } else {
+ if (get_schema_version() >= 145) {
 $user->last_auth_attempt = Db::NOW();
 $user->save();
-
- return false;
 }
 }
-
- $user->last_auth_attempt = Db::NOW();
- $user->save();
 }
+ }
+ return false;
+ }
+
+ /**
+ * @param int $owner_uid
+ * @param string $password
+ * @param string $service
+ * @return int|false (false if failed, user id otherwise)
+ * @throws PDOException
+ * @throws Exception
+ */
+ function check_password(int $owner_uid, string $password, string $service = '') {
+
+ $user = ORM::for_table('ttrss_users')->find_one($owner_uid);
+
+ if ($user) {
 $salt = $user['salt'] ?? "";
 $login = $user['login'];
 $pwd_hash = $user['pwd_hash'];
@@ -202,7 +200,7 @@ class Auth_Internal extends Auth_Base {
 return false;
 }
- function change_password($owner_uid, $old_password, $new_password) {
+ function change_password(int $owner_uid, string $old_password, string $new_password) : string {
 if ($this->check_password($owner_uid, $old_password)) {
@@ -245,7 +243,15 @@ class Auth_Internal extends Auth_Base {
 }
 }
- private function check_app_password($login, $password, $service) {
+ /**
+ * @param string $login
+ * @param string $password
+ * @param string $service
+ * @return false|int (false if failed, user id otherwise)
+ * @throws PDOException
+ * @throws Exception
+ */
+ private function check_app_password(string $login, string $password, string $service) {
 $sth = $this->pdo->prepare("SELECT p.id, p.pwd_hash, u.id AS uid FROM ttrss_app_passwords p, ttrss_users u WHERE p.owner_uid = u.id AND LOWER(u.login) = LOWER(?) AND service = ?"); |
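Review bot: The AUTH_MIN_INTERVAL throttle is moved out of `check_password` and now runs only in the plain-login branch (`if ($login)`), so the other two callers visible in this diff — the OTP branch of `authenticate` (`$this->check_password($user_id, $password) && UserHelper::check_otp($user_id, $otp)`) and the old-password check in `change_password` — are no longer rate-limited, which the commit does not address. The removed `if (!$service && get_schema_version() >= 145)` guard inside `check_password` covered those paths before, and the failure stamp (`$user->last_auth_attempt = Db::NOW(); $user->save();`) likewise now runs only in the `$login` branch, so the OTP path neither checks nor records attempts. I would pull the interval check and the failure stamp into two private helpers keyed by user id (below), call `is_throttled()` before `check_password()` in the `$login` branch, the OTP branch and `change_password`, and call `note_failed_attempt()` when the password check fails. Separately, `->where('login', $login)` is an exact match where the removed `find_user_by_login()` may have normalised case the way `check_app_password`'s `LOWER(u.login) = LOWER(?)` does — worth confirming against that helper before merging. `authenticate` begins before this hunk and `check_password` continues after it.
```php
// authenticate(), plain-login branch, inside `if ($user) {`
if ($this->is_throttled($user->id))
    return false;

$auth_result = $this->check_password($user->id, $password);
if ($auth_result)
    return $auth_result;

$this->note_failed_attempt($user->id);
// … unchanged: closing braces and final `return false;` …

/**
 * Whether $owner_uid is still inside AUTH_MIN_INTERVAL of its last failed attempt.
 * Refreshes last_auth_attempt and sets the login error message when throttled.
 */
private function is_throttled(int $owner_uid) : bool {
    if (get_schema_version() < 145)
        return false;

    $user = ORM::for_table('ttrss_users')->find_one($owner_uid);
    if (!$user || !$user->last_auth_attempt)
        return false;

    $last_auth_attempt = strtotime($user->last_auth_attempt);
    if ($last_auth_attempt && time() - $last_auth_attempt < Config::get(Config::AUTH_MIN_INTERVAL)) {
        Logger::log(E_USER_NOTICE, "Too many authentication attempts for {$user->login}, throttled.");
        // … unchanged: session_start() guard and $_SESSION["login_error_msg"] …
        $user->last_auth_attempt = Db::NOW();
        $user->save();
        return true;
    }
    return false;
}

/** Records a failed password check so the next attempt can be throttled. */
private function note_failed_attempt(int $owner_uid) : void {
    if (get_schema_version() < 145)
        return;

    $user = ORM::for_table('ttrss_users')->find_one($owner_uid);
    if ($user) {
        $user->last_auth_attempt = Db::NOW();
        $user->save();
    }
}
```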