summaryrefslogtreecommitdiff
path: root/classes/auth/internal.php
blob: 8890d445588cc15e80d7676f941ffaeeef1000a4 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118

<?php
class Auth_Internal extends Auth_Base {

	function authenticate($login, $password) {

		$pwd_hash1 = encrypt_password($password);
		$pwd_hash2 = encrypt_password($password, $login);
		$login = db_escape_string($login);

		if (get_schema_version($this->link) > 87) {

			$result = db_query($this->link, "SELECT salt FROM ttrss_users WHERE
				login = '$login'");

			if (db_num_rows($result) != 1) {
				return false;
			}

			$salt = db_fetch_result($result, 0, "salt");

			if ($salt == "") {

				$query = "SELECT id
	            FROM ttrss_users WHERE
					login = '$login' AND (pwd_hash = '$pwd_hash1' OR
					pwd_hash = '$pwd_hash2')";

				// verify and upgrade password to new salt base

				$result = db_query($this->link, $query);

				if (db_num_rows($result) == 1) {
					// upgrade password to MODE2

					$salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
					$pwd_hash = encrypt_password($password, $salt, true);

					db_query($this->link, "UPDATE ttrss_users SET
						pwd_hash = '$pwd_hash', salt = '$salt' WHERE login = '$login'");

					$query = "SELECT id
		            FROM ttrss_users WHERE
						login = '$login' AND pwd_hash = '$pwd_hash'";

				} else {
					return false;
				}

			} else {

				$pwd_hash = encrypt_password($password, $salt, true);

				$query = "SELECT id
		         FROM ttrss_users WHERE
					login = '$login' AND pwd_hash = '$pwd_hash'";

			}

		} else {
			$query = "SELECT id
	         FROM ttrss_users WHERE
				login = '$login' AND (pwd_hash = '$pwd_hash1' OR
					pwd_hash = '$pwd_hash2')";
		}

		$result = db_query($this->link, $query);

		if (db_num_rows($result) == 1) {
			return db_fetch_result($result, 0, "id");
		}

		return false;
	}

	function change_password($owner_uid, $old_password, $new_password) {
		$owner_uid = db_escape_string($owner_uid);

		$result = db_query($this->link, "SELECT salt,login FROM ttrss_users WHERE
			id = '$owner_uid'");

		$salt = db_fetch_result($result, 0, "salt");
		$login = db_fetch_result($result, 0, "login");

		if (!$salt) {
			$old_password_hash1 = encrypt_password($old_password);
			$old_password_hash2 = encrypt_password($old_password, $login);

			$query = "SELECT id FROM ttrss_users WHERE
				id = '$owner_uid' AND (pwd_hash = '$old_password_hash1' OR
				pwd_hash = '$old_password_hash2')";

		} else {
			$old_password_hash = encrypt_password($old_password, $salt, true);

			$query = "SELECT id FROM ttrss_users WHERE
				id = '$owner_uid' AND pwd_hash = '$old_password_hash'";
		}

		$result = db_query($this->link, $query);

		if (db_num_rows($result) == 1) {

			$new_salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
			$new_password_hash = encrypt_password($new_password, $new_salt, true);

			db_query($this->link, "UPDATE ttrss_users SET
				pwd_hash = '$new_password_hash', salt = '$new_salt'
					WHERE id = '$owner_uid'");

			$_SESSION["pwd_hash"] = $new_password_hash;

			return __("Password has been changed.");
		} else {
			return "ERROR: ".__('Old password is incorrect.');
		}
	}
}
?>
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-30 13:25:17 +0000