1 <?php\r
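/**
 * Check whether the current request is authenticated.
 *
 * Auth methods are tried in this order of precedence: a logout request, the
 * API signature+timestamp token, the API signature-only token, an explicit
 * username/password pair (login form or API), and finally the auth cookie.
 * The outcome of the credential check is cached in a static for the rest of
 * the request, so later calls return true without re-checking.
 *
 * @return bool|string true when authenticated, otherwise a message for the
 *                     user: 'Logged out successfully', 'Invalid username or
 *                     password' or 'Please log in'
 */
function yourls_is_valid_user() {
	static $valid = false;

	if( $valid )
		return true;

	// Logout request. Strict comparison: $_GET values are untrusted input.
	if( isset( $_GET['mode'] ) && $_GET['mode'] === 'logout' ) {
		yourls_store_cookie( null );
		return 'Logged out successfully';
	}

	// In the future maybe I'll implement nonces like in WP. Will be something like
	// ?nonce=fn(login,pwd,action)

	$is_api     = yourls_is_API();
	$has_sig    = isset( $_REQUEST['signature'] );
	$has_stamp  = !empty( $_REQUEST['timestamp'] );
	$has_creds  = isset( $_REQUEST['username'] ) && isset( $_REQUEST['password'] );
	$has_cookie = isset( $_COOKIE['yourls_username'] ) && isset( $_COOKIE['yourls_password'] );

	// Determine auth method and check credentials. Login form has precedence over cookies.
	if( $is_api && $has_stamp && $has_sig ) {
		// API only: secure (no login or pwd) and time limited token
		// ?timestamp=12345678&signature=md5(totoblah12345678)
		$valid = yourls_check_signature_timestamp();
	} elseif( $is_api && !isset( $_REQUEST['timestamp'] ) && $has_sig ) {
		// API only: secure (no login or pwd)
		// ?signature=md5(totoblah)
		$valid = yourls_check_signature();
	} elseif( $has_creds ) {
		// API or normal: login with username & pwd
		$valid = yourls_check_username_password();
	} elseif( $has_cookie ) {
		// Normal only: cookies
		$valid = yourls_check_auth_cookie();
	}

	// Login for the win!
	if( $valid ) {
		// (Re)store encrypted cookie and tell it's ok.
		// No need to store a cookie when used in API mode.
		if( !$is_api )
			yourls_store_cookie( YOURLS_USER );
		return true;
	}

	// Login failed: only report a bad pair when credentials were actually submitted
	if( isset( $_REQUEST['username'] ) || isset( $_REQUEST['password'] ) )
		return 'Invalid username or password';

	return 'Please log in';
}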
73 \r
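/**
 * Check the submitted username/password pair against the configured
 * $yourls_user_passwords list (login => password). Sets the current user
 * on success.
 *
 * @return bool true when the submitted pair matches a configured entry
 */
function yourls_check_username_password() {
	global $yourls_user_passwords;

	$username = isset( $_REQUEST['username'] ) ? $_REQUEST['username'] : null;
	$password = isset( $_REQUEST['password'] ) ? $_REQUEST['password'] : null;

	// Both must be plain strings: a missing value or an array (username[]=...)
	// can never match a configured entry.
	if( !is_string( $username ) || !is_string( $password ) )
		return false;

	// Unknown username: stop before comparing. Indexing a missing entry yields
	// null, and a loose null == '' comparison would otherwise succeed.
	if( !isset( $yourls_user_passwords[ $username ] ) )
		return false;

	// Strict comparison: '==' treats numeric-looking strings as numbers.
	// On PHP >= 5.6, hash_equals() would additionally make this constant-time.
	if( (string) $yourls_user_passwords[ $username ] === $password ) {
		yourls_set_user( $username );
		return true;
	}
	return false;
}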
83 \r
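/**
 * Check the auth cookies against the configured $yourls_user_passwords list.
 * Both cookie values are compared with the salted username and salted
 * password of each configured account. Sets the current user on success.
 *
 * @return bool true when a configured account matches both cookie values
 */
function yourls_check_auth_cookie() {
	global $yourls_user_passwords;

	$cookie_user = isset( $_COOKIE['yourls_username'] ) ? $_COOKIE['yourls_username'] : null;
	$cookie_pass = isset( $_COOKIE['yourls_password'] ) ? $_COOKIE['yourls_password'] : null;

	// Cookies are untrusted input: anything but a plain string cannot match.
	if( !is_string( $cookie_user ) || !is_string( $cookie_pass ) )
		return false;

	foreach( $yourls_user_passwords as $valid_user => $valid_password ) {
		// Strict comparison: '==' would compare two numeric-looking strings
		// (e.g. '0e...' digests) as numbers. Assumes yourls_salt() returns a
		// string, as the cookie values it is compared with do.
		if( yourls_salt( $valid_user ) === $cookie_user
			&& yourls_salt( $valid_password ) === $cookie_pass ) {
			yourls_set_user( $valid_user );
			return true;
		}
	}
	return false;
}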
98 \r
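/**
 * Check the API signature+timestamp token against each configured account.
 * The expected signature is md5(timestamp . secret) or md5(secret . timestamp),
 * where secret is yourls_auth_signature() of the account, and the timestamp
 * must pass yourls_check_timestamp(). Sets the current user on success.
 *
 * @return bool true when the token matches a configured account
 */
function yourls_check_signature_timestamp() {
	// Timestamp in PHP : time()
	// Timestamp in JS: parseInt(new Date().getTime() / 1000)
	global $yourls_user_passwords;

	$timestamp = isset( $_REQUEST['timestamp'] ) ? $_REQUEST['timestamp'] : null;
	$signature = isset( $_REQUEST['signature'] ) ? $_REQUEST['signature'] : null;

	// Request values are untrusted: anything but plain strings cannot match.
	if( !is_string( $timestamp ) || !is_string( $signature ) )
		return false;

	// Reject stale or future timestamps before doing any hashing.
	if( !yourls_check_timestamp( $timestamp ) )
		return false;

	foreach( $yourls_user_passwords as $valid_user => $valid_password ) {
		$secret = yourls_auth_signature( $valid_user );
		// Both concatenation orders are accepted. Strict comparison: '==' would
		// compare two numeric-looking hex digests (e.g. '0e...') as numbers.
		if( md5( $timestamp . $secret ) === $signature
			|| md5( $secret . $timestamp ) === $signature ) {
			yourls_set_user( $valid_user );
			return true;
		}
	}
	return false;
}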
120 \r
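/**
 * Check the API signature-only token against each configured account: the
 * submitted signature must equal yourls_auth_signature() of the account.
 * Sets the current user on success.
 *
 * @return bool true when the signature matches a configured account
 */
function yourls_check_signature() {
	global $yourls_user_passwords;

	$signature = isset( $_REQUEST['signature'] ) ? $_REQUEST['signature'] : null;

	// Untrusted request value: anything but a plain string cannot match.
	if( !is_string( $signature ) )
		return false;

	foreach( $yourls_user_passwords as $valid_user => $valid_password ) {
		// Strict comparison: '==' treats numeric-looking strings as numbers.
		if( yourls_auth_signature( $valid_user ) === $signature ) {
			yourls_set_user( $valid_user );
			return true;
		}
	}
	return false;
}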
132 \r
/**
 * Generate the secret signature for an account: the first 10 characters of
 * yourls_salt( $username ).
 *
 * @param string|false $username account name; when falsy, falls back to the
 *                               current user (YOURLS_USER) if one is defined
 * @return string the signature, or the message
 *                'Cannot generate auth signature: no username' when no
 *                username could be determined
 */
function yourls_auth_signature( $username = false ) {
	// Fall back to the current user when no username was given
	if( !$username && defined( 'YOURLS_USER' ) )
		$username = YOURLS_USER;

	if( !$username )
		return 'Cannot generate auth signature: no username';

	return substr( yourls_salt( $username ), 0, 10 );
}
140 \r
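/**
 * Check that a timestamp is in the past and not older than YOURLS_NONCE_LIFE
 * seconds.
 *
 * @param mixed $time Unix timestamp (number or numeric string, as received
 *                    from the request)
 * @return bool false for a non-numeric, future or expired timestamp
 */
function yourls_check_timestamp( $time ) {
	// Anything that is not a number or numeric string (an array, garbage from
	// the request) is rejected instead of being coerced by the arithmetic below.
	if( !is_numeric( $time ) )
		return false;

	$now = time();
	$age = $now - $time;

	// Not from the future, and younger than the nonce lifetime
	return ( $age >= 0 && ceil( $age ) < YOURLS_NONCE_LIFE );
}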
146 \r
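/**
 * Store the auth cookies for a user, or delete them.
 *
 * The cookies hold yourls_salt() of the username and of the configured
 * password. When $user is empty the cookies are expired instead.
 *
 * @param string|null $user account name; null (or any falsy value) deletes
 *                          the cookies
 * @return void
 */
function yourls_store_cookie( $user = null ) {
	if( !$user ) {
		// Deletion: empty values with an expiry in the past
		$pass = null;
		$time = time() - 3600;
	} else {
		global $yourls_user_passwords;
		if( !isset( $yourls_user_passwords[ $user ] ) ) {
			die('Stealing cookies?'); // This should never happen
		}
		$pass = $yourls_user_passwords[ $user ];
		$time = time() + YOURLS_COOKIE_LIFE;
	}

	// HttpOnly: the salted credentials are only ever read server-side, so keep
	// them out of reach of client-side script. Path '/' and default domain as
	// before; the Secure flag is left off so HTTP installs keep working.
	setcookie( 'yourls_username', yourls_salt( $user ), $time, '/', '', false, true );
	setcookie( 'yourls_password', yourls_salt( $pass ), $time, '/', '', false, true );
}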
164 \r
/**
 * Record the authenticated user name in the YOURLS_USER constant.
 *
 * A constant cannot be redefined, so the first call wins and any later call
 * is silently ignored.
 *
 * @param string $user account name
 * @return void
 */
function yourls_set_user( $user ) {
	if( defined( 'YOURLS_USER' ) )
		return;

	define( 'YOURLS_USER', $user );
}