2010-07-05 03:45:56 +00:00
< ? php
2017-04-21 15:09:06 +00:00
2017-04-30 04:07:00 +00:00
use Friendica\App ;
2017-08-26 06:04:21 +00:00
use Friendica\Core\System ;
2017-04-30 04:01:26 +00:00
use Friendica\Core\Config ;
2017-11-08 03:57:46 +00:00
use Friendica\Database\DBM ;
2017-11-26 19:46:08 +00:00
use Friendica\Model\User ;
2017-04-21 15:09:06 +00:00
2017-11-26 19:18:45 +00:00
require_once 'include/security.php' ;
require_once 'include/datetime.php' ;
2012-01-12 23:46:39 +00:00
2016-04-24 22:02:43 +00:00
// When the "Friendica" cookie is set, take the value to authenticate and renew the cookie.
2016-04-25 20:10:45 +00:00
if ( isset ( $_COOKIE [ " Friendica " ])) {
2016-04-24 22:02:43 +00:00
$data = json_decode ( $_COOKIE [ " Friendica " ]);
if ( isset ( $data -> uid )) {
2017-11-26 19:55:47 +00:00
$user = dba :: select ( 'user' ,
[],
[
2017-11-27 13:17:56 +00:00
'uid' => $data -> uid ,
'blocked' => false ,
'account_expired' => false ,
'account_removed' => false ,
'verified' => true ,
2017-11-26 19:55:47 +00:00
],
[ 'limit' => 1 ]
2016-04-24 22:02:43 +00:00
);
2017-11-26 19:55:47 +00:00
if ( DBM :: is_result ( $user )) {
if ( $data -> hash != cookie_hash ( $user )) {
2017-11-26 19:18:45 +00:00
logger ( " Hash for user " . $data -> uid . " doesn't fit. " );
2016-04-25 09:19:42 +00:00
nuke_session ();
2017-08-26 07:32:10 +00:00
goaway ( System :: baseUrl ());
2016-04-25 09:19:42 +00:00
}
2016-04-24 22:02:43 +00:00
// Renew the cookie
2017-04-21 14:15:39 +00:00
// Expires after 7 days by default,
// can be set via system.auth_cookie_lifetime
2017-04-21 15:36:45 +00:00
$authcookiedays = Config :: get ( 'system' , 'auth_cookie_lifetime' , 7 );
2017-11-26 19:55:47 +00:00
new_cookie ( $authcookiedays * 24 * 60 * 60 , $user );
2016-04-24 22:02:43 +00:00
// Do the authentification if not done by now
2017-06-08 02:00:59 +00:00
if ( ! isset ( $_SESSION ) || ! isset ( $_SESSION [ 'authenticated' ])) {
2017-11-26 19:55:47 +00:00
authenticate_success ( $user );
2016-04-24 22:02:43 +00:00
2017-11-26 19:18:45 +00:00
if ( Config :: get ( 'system' , 'paranoia' )) {
2016-04-25 05:10:40 +00:00
$_SESSION [ 'addr' ] = $data -> ip ;
2017-11-26 19:18:45 +00:00
}
2016-04-24 22:02:43 +00:00
}
}
}
}
2010-11-30 07:16:14 +00:00
2016-04-25 05:10:40 +00:00
2015-12-22 10:25:37 +00:00
// login/logout
2010-07-05 03:45:56 +00:00
2017-11-26 19:18:45 +00:00
if ( isset ( $_SESSION ) && x ( $_SESSION , 'authenticated' ) && ( ! x ( $_POST , 'auth-params' ) || ( $_POST [ 'auth-params' ] !== 'login' ))) {
if (( x ( $_POST , 'auth-params' ) && ( $_POST [ 'auth-params' ] === 'logout' )) || ( $a -> module === 'logout' )) {
2010-10-10 23:16:29 +00:00
// process logout request
2012-03-12 14:58:59 +00:00
call_hooks ( " logging_out " );
2010-11-30 07:16:14 +00:00
nuke_session ();
2017-11-26 19:18:45 +00:00
info ( t ( 'Logged out.' ) . EOL );
2017-08-26 07:32:10 +00:00
goaway ( System :: baseUrl ());
2010-07-05 03:45:56 +00:00
}
2010-10-10 23:16:29 +00:00
2017-11-26 19:18:45 +00:00
if ( x ( $_SESSION , 'visitor_id' ) && ! x ( $_SESSION , 'uid' )) {
2011-05-10 05:15:19 +00:00
$r = q ( " SELECT * FROM `contact` WHERE `id` = %d LIMIT 1 " ,
intval ( $_SESSION [ 'visitor_id' ])
);
2017-11-08 03:57:46 +00:00
if ( DBM :: is_result ( $r )) {
2011-05-10 05:15:19 +00:00
$a -> contact = $r [ 0 ];
}
}
2017-11-26 19:18:45 +00:00
if ( x ( $_SESSION , 'uid' )) {
2010-10-10 23:16:29 +00:00
// already logged in user returning
2017-11-26 19:18:45 +00:00
$check = Config :: get ( 'system' , 'paranoia' );
2010-11-30 07:16:14 +00:00
// extra paranoia - if the IP changed, log them out
2016-04-25 20:10:45 +00:00
if ( $check && ( $_SESSION [ 'addr' ] != $_SERVER [ 'REMOTE_ADDR' ])) {
2017-11-26 19:18:45 +00:00
logger ( 'Session address changed. Paranoid setting in effect, blocking session. ' .
$_SESSION [ 'addr' ] . ' != ' . $_SERVER [ 'REMOTE_ADDR' ]);
2010-11-30 07:16:14 +00:00
nuke_session ();
2017-08-26 07:32:10 +00:00
goaway ( System :: baseUrl ());
2010-11-30 07:16:14 +00:00
}
2017-11-26 19:55:47 +00:00
$user = dba :: select ( 'user' ,
[],
[
2017-11-27 13:17:56 +00:00
'uid' => $_SESSION [ 'uid' ],
'blocked' => false ,
'account_expired' => false ,
'account_removed' => false ,
'verified' => true ,
2017-11-26 19:55:47 +00:00
],
[ 'limit' => 1 ]
2010-10-10 23:16:29 +00:00
);
2017-11-26 19:55:47 +00:00
if ( ! DBM :: is_result ( $user )) {
2010-11-30 07:16:14 +00:00
nuke_session ();
2017-08-26 07:32:10 +00:00
goaway ( System :: baseUrl ());
2010-07-05 03:45:56 +00:00
}
2010-10-10 23:16:29 +00:00
2012-11-09 00:00:37 +00:00
// Make sure to refresh the last login time for the user if the user
// stays logged in for a long time, e.g. with "Remember Me"
$login_refresh = false ;
2016-04-25 20:10:45 +00:00
if ( ! x ( $_SESSION [ 'last_login_date' ])) {
2017-11-26 19:18:45 +00:00
$_SESSION [ 'last_login_date' ] = datetime_convert ( 'UTC' , 'UTC' );
2012-11-09 00:00:37 +00:00
}
2017-11-26 19:18:45 +00:00
if ( strcmp ( datetime_convert ( 'UTC' , 'UTC' , 'now - 12 hours' ), $_SESSION [ 'last_login_date' ]) > 0 ) {
$_SESSION [ 'last_login_date' ] = datetime_convert ( 'UTC' , 'UTC' );
2012-11-09 00:00:37 +00:00
$login_refresh = true ;
}
2017-11-26 19:55:47 +00:00
authenticate_success ( $user , false , false , $login_refresh );
2010-07-05 03:45:56 +00:00
}
2016-04-05 21:28:33 +00:00
} else {
2016-04-25 05:10:40 +00:00
session_unset ();
2017-11-26 19:46:08 +00:00
if (
! ( x ( $_POST , 'password' ) && strlen ( $_POST [ 'password' ]))
&& (
x ( $_POST , 'openid_url' ) && strlen ( $_POST [ 'openid_url' ])
|| x ( $_POST , 'username' ) && strlen ( $_POST [ 'username' ])
)
) {
$noid = Config :: get ( 'system' , 'no_openid' );
2010-09-19 04:11:18 +00:00
2017-11-26 19:46:08 +00:00
$openid_url = trim ( strlen ( $_POST [ 'openid_url' ]) ? $_POST [ 'openid_url' ] : $_POST [ 'username' ]);
2010-11-29 04:58:23 +00:00
2017-11-26 19:46:08 +00:00
// validate_url alters the calling parameter
2010-11-18 23:06:33 +00:00
2017-11-26 19:46:08 +00:00
$temp_string = $openid_url ;
2010-11-18 23:06:33 +00:00
2017-11-26 19:46:08 +00:00
// if it's an email address or doesn't resolve to a URL, fail.
2010-11-18 23:06:33 +00:00
2017-11-26 19:46:08 +00:00
if ( $noid || strpos ( $temp_string , '@' ) || ! validate_url ( $temp_string )) {
$a = get_app ();
notice ( t ( 'Login failed.' ) . EOL );
goaway ( System :: baseUrl ());
2012-03-19 22:03:09 +00:00
// NOTREACHED
2010-11-17 07:26:14 +00:00
}
2017-11-26 19:46:08 +00:00
// Otherwise it's probably an openid.
try {
require_once ( 'library/openid.php' );
$openid = new LightOpenID ;
$openid -> identity = $openid_url ;
$_SESSION [ 'openid' ] = $openid_url ;
$_SESSION [ 'remember' ] = $_POST [ 'remember' ];
$openid -> returnUrl = System :: baseUrl ( true ) . '/openid' ;
goaway ( $openid -> authUrl ());
} catch ( Exception $e ) {
notice ( t ( 'We encountered a problem while logging in with the OpenID you provided. Please check the correct spelling of the ID.' ) . '<br /><br >' . t ( 'The error message was:' ) . ' ' . $e -> getMessage ());
}
// NOTREACHED
2010-11-17 07:26:14 +00:00
}
2012-03-20 04:58:21 +00:00
2017-11-26 19:18:45 +00:00
if ( x ( $_POST , 'auth-params' ) && $_POST [ 'auth-params' ] === 'login' ) {
2010-12-27 22:59:26 +00:00
$record = null ;
2010-12-24 23:59:12 +00:00
$addon_auth = array (
2016-04-24 22:02:43 +00:00
'username' => trim ( $_POST [ 'username' ]),
2010-12-24 23:59:12 +00:00
'password' => trim ( $_POST [ 'password' ]),
2010-12-27 22:59:26 +00:00
'authenticated' => 0 ,
'user_record' => null
2010-12-24 23:59:12 +00:00
);
/**
*
2010-12-27 22:59:26 +00:00
* A plugin indicates successful login by setting 'authenticated' to non - zero value and returning a user record
2010-12-24 23:59:12 +00:00
* Plugins should never set 'authenticated' except to indicate success - as hooks may be chained
* and later plugins should not interfere with an earlier one that succeeded .
*
*/
call_hooks ( 'authenticate' , $addon_auth );
2017-11-26 19:18:45 +00:00
if ( $addon_auth [ 'authenticated' ] && count ( $addon_auth [ 'user_record' ])) {
2010-12-27 22:59:26 +00:00
$record = $addon_auth [ 'user_record' ];
2017-11-26 19:18:45 +00:00
} else {
2017-11-26 19:46:08 +00:00
$user_id = User :: authenticate ( trim ( $_POST [ 'username' ]), trim ( $_POST [ 'password' ]));
if ( $user_id ) {
$record = dba :: select ( 'user' , [], [ 'uid' => $user_id ], [ 'limit' => 1 ]);
2017-11-26 19:18:45 +00:00
}
2010-12-24 23:59:12 +00:00
}
2016-04-24 22:02:43 +00:00
if ( ! $record || ! count ( $record )) {
2017-11-26 19:18:45 +00:00
logger ( 'authenticate: failed login attempt: ' . notags ( trim ( $_POST [ 'username' ])) . ' from IP ' . $_SERVER [ 'REMOTE_ADDR' ]);
notice ( t ( 'Login failed.' ) . EOL );
2017-08-26 07:32:10 +00:00
goaway ( System :: baseUrl ());
2016-04-25 05:10:40 +00:00
}
2010-12-27 22:59:26 +00:00
2017-11-26 19:18:45 +00:00
if ( ! $_POST [ 'remember' ]) {
2017-03-13 10:57:10 +00:00
new_cookie ( 0 ); // 0 means delete on browser exit
}
2012-01-12 23:46:39 +00:00
// if we haven't failed up this point, log them in.
2017-03-12 00:11:35 +00:00
$_SESSION [ 'remember' ] = $_POST [ 'remember' ];
2017-11-26 19:18:45 +00:00
$_SESSION [ 'last_login_date' ] = datetime_convert ( 'UTC' , 'UTC' );
2012-01-12 23:46:39 +00:00
authenticate_success ( $record , true , true );
2010-07-05 03:45:56 +00:00
}
}
2016-04-25 20:10:45 +00:00
/**
* @ brief Kills the " Friendica " cookie and all session data
*/
2017-11-26 19:18:45 +00:00
function nuke_session ()
{
2016-04-25 20:10:45 +00:00
new_cookie ( - 3600 ); // make sure cookie is deleted on browser close, as a security measure
session_unset ();
session_destroy ();
}