2 // Check for valid user. Returns true or an error message
\r
3 function yourls_is_valid_user() {
\r
// Outcome of the credential check below. Only boolean true means "authenticated";
// every other value this function returns is a human-readable string, so callers
// must test the result with `=== true` (a non-empty message string is truthy too).
4 static $valid = false;
\r
// Logout is triggered by a plain GET parameter with no nonce/CSRF token
// (the nonce idea is noted further down but not implemented here).
10 if( isset( $_GET['mode'] ) && $_GET['mode'] == 'logout') {
\r
// Passing null expires the auth cookies (see yourls_store_cookie()).
11 yourls_store_cookie( null );
\r
12 return 'Logged out successfully';
\r
15 // Check cookies or login request. Login form has precedence.
\r
16 global $yourls_user_passwords;
\r
18 // In the future maybe I'll implement nonces like in WP. Will be something like
\r
19 // ?nonce=fn(login,pwd,action)
\r
21 // Determine auth method and check credentials
\r
// Auth methods are tried in this order (the if / else-if lines joining them are not
// shown in this view): timestamped signature, bare signature, username/password,
// cookie. Each yourls_check_*() helper sets YOURLS_USER on success and returns a bool.
23 // API only: Secure (no login or pwd) and time limited token
\r
24 // ?timestamp=12345678&signature=md5(totoblah12345678)
\r
25 ( yourls_is_API() &&
\r
// !empty() also rejects a timestamp of "0", since the string "0" is falsy in PHP.
26 isset($_REQUEST['timestamp']) && !empty($_REQUEST['timestamp']) &&
\r
27 isset($_REQUEST['signature'])
\r
30 $valid = yourls_check_signature_timestamp();
\r
34 // API only: Secure (no login or pwd)
\r
35 // ?signature=md5(totoblah)
\r
// Static signature without a timestamp: no replay window applies to this variant.
36 ( yourls_is_API() &&
\r
37 !isset($_REQUEST['timestamp']) &&
\r
38 isset($_REQUEST['signature'])
\r
41 $valid = yourls_check_signature();
\r
45 // API or normal: login with username & pwd
\r
// isset() is true for an empty string, so `password=` (empty) reaches the check.
46 ( isset($_REQUEST['username']) && isset($_REQUEST['password']) )
\r
48 $valid = yourls_check_username_password();
\r
52 // Normal only: cookies
\r
53 ( isset($_COOKIE['yourls_username']) && isset($_COOKIE['yourls_password']) )
\r
55 $valid = yourls_check_auth_cookie();
\r
58 // Login for the win!
\r
60 // (Re)store encrypted cookie and tell it's ok
\r
// NOTE(review): the enclosing success condition (presumably `if ( $valid )`) is not
// shown in this view — confirm the cookie is only written after a passing check.
61 if ( !yourls_is_API() ) // No need to store a cookie when used in API mode.
\r
62 yourls_store_cookie( YOURLS_USER );
\r
// Failure: distinguish an explicit but wrong login from no login attempt at all.
// Both branches return a string, never false.
67 if ( isset($_REQUEST['username']) || isset($_REQUEST['password']) ) {
\r
68 return 'Invalid username or password';
\r
70 return 'Please log in';
\r
74 // Check auth against list of login=>pwd. Sets user if applicable, returns bool
\r
75 function yourls_check_username_password() {
\r
// Configured login => password map.
76 global $yourls_user_passwords;
\r
// NOTE(review): two weaknesses are visible in this single comparison:
//  - an unknown username yields null (plus an undefined-index notice), and loose `==`
//    treats null and an empty password string as equal;
//  - `==` between two strings applies PHP numeric-string juggling.
// Guard with isset()/array_key_exists() on the username first, then compare with
// hash_equals( (string) $stored, (string) $_REQUEST['password'] ) rather than ==.
77 if( $yourls_user_passwords[ $_REQUEST['username'] ] == $_REQUEST['password'] ) {
\r
// Records the authenticated user (defines YOURLS_USER, see yourls_set_user()).
78 yourls_set_user( $_REQUEST['username'] );
\r
84 // Check auth against encrypted COOKIE data. Sets user if applicable, returns bool
\r
85 function yourls_check_auth_cookie() {
\r
86 global $yourls_user_passwords;
\r
// Walk every configured account and accept the first one whose salted username and
// salted password both match the cookie values. The lines closing the loop and
// returning true/false are not shown in this view.
87 foreach( $yourls_user_passwords as $valid_user => $valid_password ) {
\r
// NOTE(review): both comparisons use loose `==`. If yourls_salt() returns a hex
// digest, numeric-looking digests are compared as numbers. Prefer
// hash_equals( yourls_salt( $valid_user ), (string) $_COOKIE['yourls_username'] )
// and the same for the password cookie.
89 yourls_salt($valid_user) == $_COOKIE['yourls_username']
\r
90 && yourls_salt($valid_password) == $_COOKIE['yourls_password']
\r
// Cookie contents are derived from the stored password, so changing a password
// invalidates existing cookies for that account.
92 yourls_set_user( $valid_user );
\r
99 // Check auth against signature and timestamp. Sets user if applicable, returns bool
\r
100 function yourls_check_signature_timestamp() {
\r
101 // Timestamp in PHP : time()
\r
102 // Timestamp in JS: parseInt(new Date().getTime() / 1000)
\r
103 global $yourls_user_passwords;
\r
// Try each configured account; the per-user secret is yourls_auth_signature( $user ).
104 foreach( $yourls_user_passwords as $valid_user => $valid_password ) {
\r
// Either concatenation order (timestamp.secret or secret.timestamp) is accepted.
// NOTE(review): loose `==` on md5 hex strings is subject to numeric-string juggling;
// compare with hash_equals( md5( ... ), (string) $_REQUEST['signature'] ) instead.
// $_REQUEST['timestamp'] is used raw — validate it as an integer before hashing.
107 md5( $_REQUEST['timestamp'].yourls_auth_signature( $valid_user ) ) == $_REQUEST['signature']
\r
109 md5( yourls_auth_signature( $valid_user ).$_REQUEST['timestamp'] ) == $_REQUEST['signature']
\r
// Replay window: the timestamp must be in the past and younger than YOURLS_NONCE_LIFE
// (see yourls_check_timestamp()). How this is combined with the hash checks above is
// not shown in this view — presumably an && within the same condition; confirm.
112 yourls_check_timestamp( $_REQUEST['timestamp'] )
\r
114 yourls_set_user( $valid_user );
\r
121 // Check auth against signature. Sets user if applicable, returns bool
\r
122 function yourls_check_signature() {
\r
123 global $yourls_user_passwords;
\r
// Accept the first configured account whose static signature matches the request.
124 foreach( $yourls_user_passwords as $valid_user => $valid_password ) {
\r
// The signature is a fixed per-user value (see yourls_auth_signature()), so this
// method has no replay protection; the timestamped variant does.
// NOTE(review): prefer hash_equals( yourls_auth_signature( $valid_user ), (string) $_REQUEST['signature'] )
// over loose == to avoid numeric-string juggling on the digest.
125 if ( yourls_auth_signature( $valid_user ) == $_REQUEST['signature'] ) {
\r
126 yourls_set_user( $valid_user );
\r
133 // Generate secret signature hash
\r
// Returns the API signature for $username: the first 10 characters of
// yourls_salt( $username ). With no username it falls back to YOURLS_USER when that
// constant is defined, and otherwise returns an error *string* (not false).
134 function yourls_auth_signature( $username = false ) {
\r
135 if( !$username && defined('YOURLS_USER') ) {
\r
136 $username = YOURLS_USER;
\r
// NOTE(review): truncating the salt to 10 characters shrinks the secret considerably.
// The no-username error message is a truthy string, so callers must not feed the
// return value into a comparison without checking that a username was available.
138 return ( $username ? substr( yourls_salt( $username ), 0, 10 ) : 'Cannot generate auth signature: no username' );
\r
141 // Check a timestamp is from the past and not too old
\r
// Returns true when $time is not in the future and is less than YOURLS_NONCE_LIFE
// seconds old. $time arrives straight from the request as a string; a non-numeric
// value coerces in the arithmetic below, so validate it as an integer at the caller.
142 function yourls_check_timestamp( $time ) {
\r
// $now is not assigned in the lines shown here — presumably `$now = time();` on the
// omitted line just above; confirm.
144 return ( $now >= $time && ceil( $now - $time ) < YOURLS_NONCE_LIFE );
\r
147 // Store new cookie. No $user will delete the cookie.
\r
148 function yourls_store_cookie( $user = null ) {
\r
// Deletion path (per the comment above; the condition itself is not shown here):
// an expiry one hour in the past makes the browser discard the cookies.
151 $time = time() - 3600;
\r
153 global $yourls_user_passwords;
\r
// Only a configured account may receive a cookie; its stored password is what gets salted.
154 if( isset($yourls_user_passwords[$user]) ) {
\r
155 $pass = $yourls_user_passwords[$user];
\r
// Reached when $user is non-empty but is not a configured account.
157 die('Stealing cookies?'); // This should never happen
\r
159 $time = time() + YOURLS_COOKIE_LIFE;
\r
// NOTE(review): cookies are set with a path only — no httponly, secure or SameSite
// attributes. Pass the extra setcookie() arguments (or its options array) so the
// salted values are not readable from script and are only sent over HTTPS.
161 setcookie('yourls_username', yourls_salt( $user ), $time, '/' );
\r
162 setcookie('yourls_password', yourls_salt( $pass ), $time, '/' );
\r
// Records the authenticated user as the YOURLS_USER constant.
166 function yourls_set_user( $user ) {
\r
// define() is one-shot: the first successful check wins and later calls are no-ops.
167 if( !defined('YOURLS_USER') )
\r
168 define('YOURLS_USER', $user);
\r