2 require('PasswordHash.php');
4 * Check for valid user via login form or stored cookie. Returns true or an error message
7 function yourls_is_valid_user() {
13 // Allow plugins to short-circuit the whole function
14 $pre = yourls_apply_filter( 'shunt_is_valid_user', null );
15 if ( null !== $pre ) {
16 $valid = ( $pre === true ) ;
20 // $unfiltered_valid : are credentials valid? Boolean value. It's "unfiltered" to allow plugins to eventually filter it.
21 $unfiltered_valid = false;
24 if( isset( $_GET['action'] ) && $_GET['action'] == 'logout' ) {
25 yourls_do_action( 'logout' );
26 yourls_store_cookie( null );
27 return yourls__( 'Logged out successfully' );
30 // Check cookies or login request. Login form has precedence.
32 yourls_do_action( 'pre_login' );
34 // Determine auth method and check credentials
36 // API only: Secure (no login or pwd) and time limited token
37 // ?timestamp=12345678&signature=md5(totoblah12345678)
39 isset( $_REQUEST['timestamp'] ) && !empty($_REQUEST['timestamp'] ) &&
40 isset( $_REQUEST['signature'] ) && !empty($_REQUEST['signature'] )
43 yourls_do_action( 'pre_login_signature_timestamp' );
44 $unfiltered_valid = yourls_check_signature_timestamp();
48 // API only: Secure (no login or pwd)
49 // ?signature=md5(totoblah)
51 !isset( $_REQUEST['timestamp'] ) &&
52 isset( $_REQUEST['signature'] ) && !empty( $_REQUEST['signature'] )
55 yourls_do_action( 'pre_login_signature' );
56 $unfiltered_valid = yourls_check_signature();
60 // API or normal: login with username & pwd
61 ( isset( $_REQUEST['username'] ) && isset( $_REQUEST['password'] )
62 && !empty( $_REQUEST['username'] ) && !empty( $_REQUEST['password'] ) )
64 yourls_do_action( 'pre_login_username_password' );
65 $unfiltered_valid = yourls_check_username_password();
69 // Normal only: cookies
71 isset( $_COOKIE['yourls_session_id'] ) && isset( $_COOKIE['yourls_session_id'] ) )
73 yourls_do_action( 'pre_login_cookie' );
74 $unfiltered_valid = yourls_check_auth_cookie();
77 // Regardless of validity, allow plugins to filter the boolean and have final word
78 $valid = yourls_apply_filter( 'is_valid_user', $unfiltered_valid );
82 yourls_do_action( 'login' );
84 // (Re)store encrypted cookie if needed
85 if ( !yourls_is_API() ) {
86 yourls_store_cookie( YOURLS_USER );
88 // Login form : redirect to requested URL to avoid re-submitting the login form on page reload
89 if( isset( $_REQUEST['username'] ) && isset( $_REQUEST['password'] ) ) {
90 $url = $_SERVER['REQUEST_URI'];
91 yourls_redirect( $url );
100 yourls_do_action( 'login_failed' );
102 if ( isset( $_REQUEST['username'] ) || isset( $_REQUEST['password'] ) ) {
103 return yourls__( 'Invalid username or password' );
105 return yourls__( 'Please log in' );
110 * Check auth against list of login=>pwd. Sets user if applicable, returns bool
113 function yourls_check_username_password() {
114 global $yourls_user_passwords;
115 if( isset( $yourls_user_passwords[ $_REQUEST['username'] ] ) && yourls_check_password_hash( $_REQUEST['username'], $_REQUEST['password'] ) ) {
116 yourls_set_user( $_REQUEST['username'] );
123 * Check a submitted password sent in plain text against stored password which can be a salted hash
126 function yourls_check_password_hash( $user, $submitted_password ) {
127 global $yourls_user_passwords;
129 if( !isset( $yourls_user_passwords[ $user ] ) )
132 if ( yourls_user_has_phppass( $user ) ) {
133 $hasher = new PasswordHash(8, false);
134 list( , $hash ) = explode( ':', $yourls_user_passwords[ $user ] );
135 $hash = str_replace( '!', '$', $hash );
136 return ( $hasher->CheckPassword( $submitted_password, $hash ) );
137 } else if( yourls_has_hashed_password( $user ) ) {
138 // Stored password is a salted hash: "md5:<$r = rand(10000,99999)>:<md5($r.'thepassword')>"
139 list( , $salt, ) = explode( ':', $yourls_user_passwords[ $user ] );
140 return( $yourls_user_passwords[ $user ] == 'md5:'.$salt.':'.md5( $salt . $submitted_password ) );
142 // Password stored in clear text
143 return( $yourls_user_passwords[ $user ] == $submitted_password );
148 * Check if a user's password is hashed with PHPASS.
150 * @param string $user user login
151 * @return bool true if password hashed with PHPASS, otherwise false
153 function yourls_user_has_phppass( $user ) {
154 global $yourls_user_passwords;
155 if ( !isset( $yourls_user_passwords[ $user ] ) ) {
159 $hash = $yourls_user_passwords[ $user ];
160 return ( substr( $hash, 0, 7 ) === 'phpass:' );
164 * Overwrite plaintext passwords in config file with hashed versions.
165 * This has the unfortunate side effect of invalidating the session cookie
166 * for any user whose password is changed.
168 * @return true if overwrite was successful, otherwise false
170 function yourls_hash_passwords_now() {
171 global $yourls_user_passwords;
172 $hasher = new PasswordHash(8, false);
173 $configdata = file_get_contents( YOURLS_CONFIGFILE );
174 // TODO: check mode for writability
175 foreach ( $yourls_user_passwords as $user => $pwvalue ) {
176 if ( !yourls_user_has_phppass( $user ) && !yourls_has_hashed_password( $user ) ) {
177 $clearpass = $pwvalue;
178 $hash = $hasher->HashPassword( $clearpass );
179 // PHP would interpret $ as a variable, so replace it in storage.
180 $hash = str_replace( '$', '!', $hash );
181 $pattern = "/'$user'[\t ]*=>[\t ]*'$clearpass'/";
182 $replace = "'$user' => 'phpass:$hash'";
184 $configdata = preg_replace( $pattern, $replace, $configdata, -1, $count );
185 // There should be exactly one replacement. Otherwise, fast fail.
187 yourls_add_notice( $count . $pattern );
192 $success = file_put_contents( YOURLS_CONFIGFILE, $configdata );
193 if ( $success === FALSE ) {
194 yourls_add_notice( 'Failed writing password hashes to config.php' );
201 * Check to see if any passwords are stored as cleartext.
204 * @return bool true if any passwords are cleartext
206 function yourls_has_cleartext_passwords() {
207 global $yourls_user_passwords;
208 foreach ( $yourls_user_passwords as $user => $pwdata ) {
209 if ( !yourls_has_hashed_password( $user ) && !yourls_user_has_phppass( $user ) ) {
217 * Check if a user has a hashed password
219 * Check if a user password is 'md5:[38 chars]'. TODO: deprecate this when/if we have proper user management with
220 * password hashes stored in the DB
223 * @param string $user user login
224 * @return bool true if password hashed, false otherwise
226 function yourls_has_hashed_password( $user ) {
227 global $yourls_user_passwords;
228 return( isset( $yourls_user_passwords[ $user ] )
229 && substr( $yourls_user_passwords[ $user ], 0, 4 ) == 'md5:'
230 && strlen( $yourls_user_passwords[ $user ] ) == 42 // http://www.google.com/search?q=the+answer+to+life+the+universe+and+everything
235 * Check auth against encrypted COOKIE data. Sets user if applicable, returns bool
238 function yourls_check_auth_cookie() {
239 global $yourls_user_passwords;
240 $session_id = $_COOKIE['yourls_session_id'];
241 foreach( $yourls_user_passwords as $valid_user => $valid_password ) {
242 if ( yourls_salt( $valid_user . $session_id ) == $_COOKIE['yourls_session_key'] ) {
243 yourls_set_user( $valid_user );
251 * Check auth against signature and timestamp. Sets user if applicable, returns bool
254 function yourls_check_signature_timestamp() {
255 // Timestamp in PHP : time()
256 // Timestamp in JS: parseInt(new Date().getTime() / 1000)
257 global $yourls_user_passwords;
258 foreach( $yourls_user_passwords as $valid_user => $valid_password ) {
261 md5( $_REQUEST['timestamp'].yourls_auth_signature( $valid_user ) ) == $_REQUEST['signature']
263 md5( yourls_auth_signature( $valid_user ).$_REQUEST['timestamp'] ) == $_REQUEST['signature']
266 yourls_check_timestamp( $_REQUEST['timestamp'] )
268 yourls_set_user( $valid_user );
276 * Check auth against signature. Sets user if applicable, returns bool
279 function yourls_check_signature() {
280 global $yourls_user_passwords;
281 foreach( $yourls_user_passwords as $valid_user => $valid_password ) {
282 if ( yourls_auth_signature( $valid_user ) == $_REQUEST['signature'] ) {
283 yourls_set_user( $valid_user );
291 * Generate secret signature hash
294 function yourls_auth_signature( $username = false ) {
295 if( !$username && defined('YOURLS_USER') ) {
296 $username = YOURLS_USER;
298 return ( $username ? substr( yourls_salt( $username ), 0, 10 ) : 'Cannot generate auth signature: no username' );
302 * Check if timestamp is not too old
305 function yourls_check_timestamp( $time ) {
307 // Allow timestamp to be a little in the future or the past -- see Issue 766
308 return yourls_apply_filter( 'check_timestamp', abs( $now - $time ) < YOURLS_NONCE_LIFE, $time );
312 * Store new cookie. No $user will delete the cookie.
315 function yourls_store_cookie( $user = null ) {
318 $time = time() - 3600;
320 global $yourls_user_passwords;
321 if( isset($yourls_user_passwords[$user]) ) {
322 $pass = $yourls_user_passwords[$user];
324 die( 'Stealing cookies?' ); // This should never happen
326 $time = time() + YOURLS_COOKIE_LIFE;
329 $domain = yourls_apply_filter( 'setcookie_domain', parse_url( YOURLS_SITE, 1 ) );
330 $secure = yourls_apply_filter( 'setcookie_secure', yourls_is_ssl() );
331 $httponly = yourls_apply_filter( 'setcookie_httponly', true );
333 $session_id = bin2hex( openssl_random_pseudo_bytes( 8 ) );
334 $session_key = yourls_salt( $user . $session_id );
336 if ( !headers_sent() ) {
337 // Set httponly if the php version is >= 5.2.0
338 if( version_compare( phpversion(), '5.2.0', 'ge' ) ) {
339 setcookie('yourls_session_id', $session_id , $time, '/', $domain, $secure, $httponly );
340 setcookie('yourls_session_key', $session_key, $time, '/', $domain, $secure, $httponly );
342 setcookie('yourls_session_id', $session_id, $time, '/', $domain, $secure );
343 setcookie('yourls_session_key', $session_key, $time, '/', $domain, $secure );
346 // For some reason cookies were not stored: action to be able to debug that
347 yourls_do_action( 'setcookie_failed', $user );
355 function yourls_set_user( $user ) {
356 if( !defined( 'YOURLS_USER' ) )
357 define( 'YOURLS_USER', $user );