Whitespaces, bitches!! Because, you know, CodingStandards.
[Github/YOURLS.git] / includes / functions-auth.php
1 <?php\r
/**
 * Decide whether the current request is authenticated.
 *
 * A positive result is remembered in a static flag, so later calls in the
 * same request return true without re-checking credentials.
 *
 * Methods are tried in this order and the first matching branch wins:
 *   1. API call with non-empty "timestamp" and "signature"
 *   2. API call with "signature" and no "timestamp" parameter at all
 *   3. non-empty "username" and "password" in $_REQUEST (API or admin)
 *   4. auth cookies (non-API requests only)
 *
 * NOTE(review): logout is a state change driven by a plain GET parameter and
 * no anti-CSRF token is checked in this function.
 * NOTE(review): credentials are read from $_REQUEST, so depending on the PHP
 * request_order setting they may be accepted from the query string, where
 * they tend to end up in access logs and browser history.
 *
 * @return bool|string true when authenticated, otherwise a message for the user
 */
function yourls_is_valid_user() {
    static $valid = false;

    // Already authenticated earlier in this request.
    if ( $valid ) {
        return true;
    }

    // Logout request
    $logout_requested = isset( $_GET['action'] ) && $_GET['action'] == 'logout';
    if ( $logout_requested ) {
        yourls_do_action( 'logout' );
        yourls_store_cookie( null );
        return 'Logged out successfully';
    }

    // Check cookies or login request. Login form has precedence.
    global $yourls_user_passwords;

    yourls_do_action( 'pre_login' );

    // !empty() already implies isset(), so each pair of checks collapses to one.
    if ( yourls_is_API() && !empty( $_REQUEST['timestamp'] ) && !empty( $_REQUEST['signature'] ) ) {
        // API only: time limited token, no login or password
        // ?timestamp=12345678&signature=md5(totoblah12345678)
        yourls_do_action( 'pre_login_signature_timestamp' );
        $valid = yourls_check_signature_timestamp();
    } elseif ( yourls_is_API() && !isset( $_REQUEST['timestamp'] ) && !empty( $_REQUEST['signature'] ) ) {
        // API only: static token, no login or password
        // ?signature=md5(totoblah)
        yourls_do_action( 'pre_login_signature' );
        $valid = yourls_check_signature();
    } elseif ( !empty( $_REQUEST['username'] ) && !empty( $_REQUEST['password'] ) ) {
        // API or normal: login with username & pwd
        yourls_do_action( 'pre_login_username_password' );
        $valid = yourls_check_username_password();
    } elseif ( !yourls_is_API() && isset( $_COOKIE['yourls_username'] ) && isset( $_COOKIE['yourls_password'] ) ) {
        // Normal only: cookies
        yourls_do_action( 'pre_login_cookie' );
        $valid = yourls_check_auth_cookie();
    }

    if ( $valid ) {
        yourls_do_action( 'login' );
        // (Re)store the cookie; API callers do not need one.
        if ( !yourls_is_API() ) {
            yourls_store_cookie( YOURLS_USER );
        }
        return true;
    }

    // Login failed
    yourls_do_action( 'login_failed' );

    // Only talk about bad credentials when the caller actually sent some.
    $credentials_supplied = isset( $_REQUEST['username'] ) || isset( $_REQUEST['password'] );

    return $credentials_supplied ? 'Invalid username or password' : 'Please log in';
}
82 \r
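/**
 * Check the username/password pair in $_REQUEST against the configured
 * login => password list. Sets the current user on success.
 *
 * Request parameters can arrive as arrays (username[]=x). An array used as an
 * array offset or passed on as a password is rejected here instead of being
 * left to raise a warning or TypeError further down.
 *
 * @return bool true when the credentials match a configured user
 */
function yourls_check_username_password() {
    global $yourls_user_passwords;

    if ( !isset( $_REQUEST['username'], $_REQUEST['password'] ) ) {
        return false;
    }

    $username = $_REQUEST['username'];
    $password = $_REQUEST['password'];

    // Only plain strings are acceptable credentials.
    if ( !is_string( $username ) || !is_string( $password ) ) {
        return false;
    }

    if ( !isset( $yourls_user_passwords[ $username ] ) ) {
        return false;
    }

    if ( !yourls_check_password_hash( $yourls_user_passwords[ $username ], $password ) ) {
        return false;
    }

    yourls_set_user( $username );
    return true;
}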
92 \r
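/**
 * Check a password received in plain text against the stored credential.
 *
 * The stored value is either
 *   - a salted hash "md5:<salt>:<md5(salt . password)>" (exactly 42 chars), or
 *   - the password itself in clear text.
 *
 * Changes from the historical version:
 *   - split() was removed in PHP 7; explode() is used instead.
 *   - comparison is strict. With "==", PHP compares numeric-looking strings
 *     as numbers, so distinct values such as "0e123" and "0e456" compare equal.
 *   - hash_equals() is used when the runtime provides it, so the comparison
 *     time does not depend on where the strings first differ.
 *
 * NOTE(review): salted MD5 and clear-text storage are kept because the stored
 * format is shared with existing configs; both are weak against offline
 * guessing and a migration to password_hash()/password_verify() is advisable.
 *
 * @param string $stored    stored credential (clear text or "md5:" form)
 * @param string $plaintext password as submitted
 * @return bool true when the password matches
 */
function yourls_check_password_hash( $stored, $plaintext ) {
    // Arrays/objects/null (e.g. from password[]=x) can never be a valid password.
    if ( !is_scalar( $stored ) || !is_scalar( $plaintext ) ) {
        return false;
    }
    $stored    = (string) $stored;
    $plaintext = (string) $plaintext;

    if ( substr( $stored, 0, 4 ) === 'md5:' && strlen( $stored ) === 42 ) {
        // Stored password is a salted hash: "md5:<$r = rand(10000,99999)>:<md5($r.'thepassword')>"
        $parts = explode( ':', $stored, 3 );
        if ( count( $parts ) !== 3 ) {
            return false; // right length and prefix, but not the expected layout
        }
        $salt     = $parts[1];
        $expected = 'md5:' . $salt . ':' . md5( $salt . $plaintext );
    } else {
        // Stored password is kept in clear
        $expected = $plaintext;
    }

    if ( function_exists( 'hash_equals' ) ) {
        return hash_equals( $stored, $expected );
    }

    return $stored === $expected;
}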
105 \r
106 \r
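/**
 * Check the auth cookies against every configured user. Sets the current
 * user on success.
 *
 * The cookies are expected to hold yourls_salt( username ) and
 * yourls_salt( stored password ), as written by yourls_store_cookie().
 *
 * Comparison is strict (and constant-time where hash_equals() exists): with
 * "==" two different numeric-looking strings can compare equal, which is not
 * acceptable for an authentication token. Array-valued cookies are rejected.
 *
 * NOTE(review): the expected cookie value is derived from the stored password
 * entry, so it presumably stays valid until that entry (or whatever secret
 * yourls_salt() mixes in - not visible here) changes.
 *
 * @return bool true when both cookies match one configured user
 */
function yourls_check_auth_cookie() {
    global $yourls_user_passwords;

    if ( !isset( $_COOKIE['yourls_username'], $_COOKIE['yourls_password'] ) ) {
        return false;
    }

    $cookie_user = $_COOKIE['yourls_username'];
    $cookie_pass = $_COOKIE['yourls_password'];

    if ( !is_string( $cookie_user ) || !is_string( $cookie_pass ) ) {
        return false;
    }

    if ( !is_array( $yourls_user_passwords ) ) {
        return false;
    }

    $constant_time = function_exists( 'hash_equals' );

    foreach ( $yourls_user_passwords as $valid_user => $valid_password ) {
        $expected_user = (string) yourls_salt( $valid_user );
        $expected_pass = (string) yourls_salt( $valid_password );

        if ( $constant_time ) {
            $user_ok = hash_equals( $expected_user, $cookie_user );
            $pass_ok = hash_equals( $expected_pass, $cookie_pass );
        } else {
            $user_ok = ( $expected_user === $cookie_user );
            $pass_ok = ( $expected_pass === $cookie_pass );
        }

        if ( $user_ok && $pass_ok ) {
            yourls_set_user( $valid_user );
            return true;
        }
    }

    return false;
}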
121 \r
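/**
 * Check the API "signature" + "timestamp" pair. Sets the current user on
 * success.
 *
 * A request is accepted when the signature equals md5( timestamp . secret )
 * or md5( secret . timestamp ) for one configured user, where secret is
 * yourls_auth_signature( user ), and the timestamp passes
 * yourls_check_timestamp().
 *
 * Timestamp in PHP: time()
 * Timestamp in JS:  parseInt(new Date().getTime() / 1000)
 *
 * Changes from the historical version:
 *   - parameters must be scalars; array-valued parameters are rejected.
 *   - comparison is strict, constant-time where hash_equals() exists; "=="
 *     compares numeric-looking strings as numbers.
 *   - the timestamp check does not depend on the user, so it runs once
 *     before the loop.
 *
 * NOTE(review): nothing here records a used timestamp, so a captured
 * timestamp/signature pair appears to stay usable until it ages out of
 * YOURLS_NONCE_LIFE; the API endpoint should only be served over TLS.
 *
 * @return bool true when the signature matches a user and the timestamp is fresh
 */
function yourls_check_signature_timestamp() {
    global $yourls_user_passwords;

    if ( !isset( $_REQUEST['timestamp'], $_REQUEST['signature'] ) ) {
        return false;
    }
    if ( !is_scalar( $_REQUEST['timestamp'] ) || !is_scalar( $_REQUEST['signature'] ) ) {
        return false;
    }
    if ( !is_array( $yourls_user_passwords ) ) {
        return false;
    }

    $timestamp = (string) $_REQUEST['timestamp'];
    $given     = (string) $_REQUEST['signature'];

    if ( !yourls_check_timestamp( $timestamp ) ) {
        return false;
    }

    $constant_time = function_exists( 'hash_equals' );

    foreach ( $yourls_user_passwords as $valid_user => $valid_password ) {
        $secret     = yourls_auth_signature( $valid_user );
        $candidates = array(
            md5( $timestamp . $secret ),
            md5( $secret . $timestamp ),
        );

        // Evaluate both candidates; do not stop at the first hit.
        $match = false;
        foreach ( $candidates as $expected ) {
            $hit   = $constant_time ? hash_equals( $expected, $given ) : ( $expected === $given );
            $match = $match || $hit;
        }

        if ( $match ) {
            yourls_set_user( $valid_user );
            return true;
        }
    }

    return false;
}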
143 \r
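/**
 * Check the API "signature" parameter against the signature of every
 * configured user. Sets the current user on success.
 *
 * Comparison is strict, and constant-time where hash_equals() exists. The
 * historical "==" compares numeric-looking strings as numbers, which lets
 * different strings compare equal. Array-valued parameters are rejected.
 *
 * NOTE(review): this token carries no timestamp, so it works like a
 * long-lived API key and should be handled as a secret (TLS only, kept out
 * of logs and referrers).
 *
 * @return bool true when the signature belongs to a configured user
 */
function yourls_check_signature() {
    global $yourls_user_passwords;

    if ( !isset( $_REQUEST['signature'] ) || !is_scalar( $_REQUEST['signature'] ) ) {
        return false;
    }
    if ( !is_array( $yourls_user_passwords ) ) {
        return false;
    }

    $given         = (string) $_REQUEST['signature'];
    $constant_time = function_exists( 'hash_equals' );

    foreach ( $yourls_user_passwords as $valid_user => $valid_password ) {
        $expected = (string) yourls_auth_signature( $valid_user );
        $match    = $constant_time ? hash_equals( $expected, $given ) : ( $expected === $given );

        if ( $match ) {
            yourls_set_user( $valid_user );
            return true;
        }
    }

    return false;
}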
155 \r
/**
 * Return the secret API signature for a user: the first 10 characters of
 * yourls_salt( username ).
 *
 * When no username is passed, the logged-in user (YOURLS_USER) is used if
 * that constant is defined.
 *
 * NOTE(review): failure is reported as a fixed message string, not as false.
 * Code that compares request data against this return value should treat
 * that message as "no signature" rather than as a valid secret.
 *
 * @param string|false $username user to sign for, or false for the current user
 * @return string the signature, or an error message when no username is known
 */
function yourls_auth_signature( $username = false ) {
    // Fall back to the authenticated user when the caller did not name one.
    if ( !$username && defined( 'YOURLS_USER' ) ) {
        $username = YOURLS_USER;
    }

    if ( !$username ) {
        return 'Cannot generate auth signature: no username';
    }

    return substr( yourls_salt( $username ), 0, 10 );
}
163 \r
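/**
 * Check that a timestamp is not in the future and is younger than
 * YOURLS_NONCE_LIFE seconds.
 *
 * The value normally comes straight from the request, so anything that is
 * not numeric (arbitrary text, arrays, null) is rejected up front instead of
 * being fed into the arithmetic below, where it would be coerced or raise a
 * TypeError depending on the PHP version.
 *
 * @param int|float|string $time Unix timestamp to check
 * @return bool true when the timestamp is in the past and recent enough
 */
function yourls_check_timestamp( $time ) {
    if ( !is_numeric( $time ) ) {
        return false;
    }

    $time = $time + 0; // numeric string -> int or float
    $now  = time();

    return ( $now >= $time && ceil( $now - $time ) < YOURLS_NONCE_LIFE );
}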
169 \r
/**
 * Write the two auth cookies, or expire them when no user is given.
 *
 * With a user: the cookies hold yourls_salt( user ) and
 * yourls_salt( stored password ) and expire after YOURLS_COOKIE_LIFE seconds.
 * Without a user: both cookies get an expiry one hour in the past.
 *
 * Domain, secure and httponly values pass through the 'setcookie_domain',
 * 'setcookie_secure' and 'setcookie_httponly' filters.
 *
 * NOTE(review): if output has already started, no cookie is written or
 * expired and the caller gets no error.
 * NOTE(review): logout only expires the browser's copy. The cookie value is
 * derived from the stored password entry, so a copied cookie presumably keeps
 * matching until that entry changes.
 *
 * @param string|null $user user to store the cookie for, or null to delete it
 * @return void
 */
function yourls_store_cookie( $user = null ) {
    if ( $user ) {
        global $yourls_user_passwords;
        if ( !isset( $yourls_user_passwords[$user] ) ) {
            die( 'Stealing cookies?' ); // This should never happen
        }
        $pass = $yourls_user_passwords[$user];
        $time = time() + YOURLS_COOKIE_LIFE;
    } else {
        // Deleting: no password, expiry in the past.
        $pass = null;
        $time = time() - 3600;
    }

    // PHP_URL_HOST is the named form of component 1.
    $domain   = yourls_apply_filter( 'setcookie_domain',   parse_url( YOURLS_SITE, PHP_URL_HOST ) );
    $secure   = yourls_apply_filter( 'setcookie_secure',   yourls_is_ssl() );
    $httponly = yourls_apply_filter( 'setcookie_httponly', true );

    if ( headers_sent() ) {
        return;
    }

    // The httponly argument only exists from PHP 5.2.0 on.
    $supports_httponly = version_compare( phpversion(), '5.2.0', 'ge' );

    $cookies = array(
        'yourls_username' => $user,
        'yourls_password' => $pass,
    );

    foreach ( $cookies as $name => $value ) {
        if ( $supports_httponly ) {
            setcookie( $name, yourls_salt( $value ), $time, '/', $domain, $secure, $httponly );
        } else {
            setcookie( $name, yourls_salt( $value ), $time, '/', $domain, $secure );
        }
    }
}
200 \r
/**
 * Record the authenticated user in the YOURLS_USER constant.
 *
 * The constant is defined once; later calls in the same request leave the
 * first value in place.
 *
 * @param string $user user name to record
 * @return void
 */
function yourls_set_user( $user ) {
    if ( defined( 'YOURLS_USER' ) ) {
        return; // first caller wins
    }

    define( 'YOURLS_USER', $user );
}
205 }\r