friendica/src/Core/Authentication.php

<?php

/**
 * @file /src/Core/Authentication.php
 */

namespace Friendica\Core;

use Friendica\App;
use Friendica\BaseObject;
use Friendica\Network\HTTPException\ForbiddenException;

/**
 * Handle Authentification, Session and Cookies
 */
class Authentication extends BaseObject
{
	/**
	 * @brief Calculate the hash that is needed for the "Friendica" cookie
	 *
	 * @param array $user Record from "user" table
	 *
	 * @return string Hashed data
	 * @throws \Friendica\Network\HTTPException\InternalServerErrorException
	 */
	public static function getCookieHashForUser($user)
	{
		return hash_hmac(
			"sha256",
			hash_hmac("sha256", $user["password"], $user["privkey"]),
			Config::get("system", "site_prvkey")
		);
	}

	/**
	 * @brief Set the "Friendica" cookie
	 *
	 * @param int   $time
	 * @param array $user Record from "user" table
	 * @throws \Friendica\Network\HTTPException\InternalServerErrorException
	 */
	public static  function setCookie($time, $user = [])
	{
		if ($time != 0) {
			$time = $time + time();
		}

		if ($user) {
			$value = json_encode([
				"uid" => $user["uid"],
				"hash" => self::getCookieHashForUser($user),
				"ip" => defaults($_SERVER, 'REMOTE_ADDR', '0.0.0.0')
			]);
		} else {
			$value = "";
		}

		setcookie("Friendica", $value, $time, "/", "", (Config::get('system', 'ssl_policy') == App\BaseURL::SSL_POLICY_FULL), true);
	}

	/**
	 * @brief Kills the "Friendica" cookie and all session data
	 */
	public static function deleteSession()
	{
		self::setCookie(-3600); // make sure cookie is deleted on browser close, as a security measure
		session_unset();
		session_destroy();
	}

	public static function twoFactorCheck($uid, App $a)
	{
		// Check user setting, if 2FA disabled return
		if (!PConfig::get($uid, '2fa', 'verified')) {
			return;
		}

		// Check current path, if 2fa authentication module return
		if ($a->argc > 0 && in_array($a->argv[0], ['2fa', 'view', 'help', 'api', 'proxy', 'logout'])) {
			return;
		}

		// Case 1: 2FA session present and valid: return
		if (Session::get('2fa')) {
			return;
		}

		// Case 2: No valid 2FA session: redirect to code verification page
		if ($a->isAjax()) {
			throw new ForbiddenException();
		} else {
			$a->internalRedirect('2fa');
		}
	}
}
Move include/security tp /src/Core/Authentication and /src/Util/Security 2018-10-17 08:19:58 -04:00			`<?php`
Fix security vulnerbilities. Fix possible length extension attack, predicable generators, timing attacks on hash comparision and improved formatting. 2019-10-10 19:21:41 -04:00
Move include/security tp /src/Core/Authentication and /src/Util/Security 2018-10-17 08:19:58 -04:00			`/**`
			`* @file /src/Core/Authentication.php`
			`*/`

			`namespace Friendica\Core;`

Add two-factor authentication - Add 2FA login interception in Session::setAuthenticatedForUser - Add 2fa session variable holding the last auth code 2019-05-13 01:36:09 -04:00			`use Friendica\App;`
Move include/security tp /src/Core/Authentication and /src/Util/Security 2018-10-17 08:19:58 -04:00			`use Friendica\BaseObject;`
Remove mod/ping from 2fa exception list - Prevent asynchronous calls to redirect to /2fa in case of missing valid 2fa session 2019-07-23 20:03:08 -04:00			`use Friendica\Network\HTTPException\ForbiddenException;`
Move include/security tp /src/Core/Authentication and /src/Util/Security 2018-10-17 08:19:58 -04:00
			`/**`
Fix security vulnerbilities. Fix possible length extension attack, predicable generators, timing attacks on hash comparision and improved formatting. 2019-10-10 19:21:41 -04:00			`* Handle Authentification, Session and Cookies`
			`*/`
Move include/security tp /src/Core/Authentication and /src/Util/Security 2018-10-17 08:19:58 -04:00			`class Authentication extends BaseObject`
			`{`
			`/**`
			`* @brief Calculate the hash that is needed for the "Friendica" cookie`
			`*`
			`* @param array $user Record from "user" table`
			`*`
			`* @return string Hashed data`
Fix PHPDoc comments project-wide 2019-01-06 16:06:53 -05:00			`* @throws \Friendica\Network\HTTPException\InternalServerErrorException`
Move include/security tp /src/Core/Authentication and /src/Util/Security 2018-10-17 08:19:58 -04:00			`*/`
Renaming functions + moving functions from security to Model/Item and BaseModule + fix multiline comments 2018-10-17 15:30:41 -04:00			`public static function getCookieHashForUser($user)`
Move include/security tp /src/Core/Authentication and /src/Util/Security 2018-10-17 08:19:58 -04:00			`{`
Fix security vulnerbilities. Fix possible length extension attack, predicable generators, timing attacks on hash comparision and improved formatting. 2019-10-10 19:21:41 -04:00			`return hash_hmac(`
			`"sha256",`
			`hash_hmac("sha256", $user["password"], $user["privkey"]),`
			`Config::get("system", "site_prvkey")`
			`);`
Move include/security tp /src/Core/Authentication and /src/Util/Security 2018-10-17 08:19:58 -04:00			`}`

			`/**`
			`* @brief Set the "Friendica" cookie`
			`*`
Fix PHPDoc comments project-wide 2019-01-06 16:06:53 -05:00			`* @param int $time`
Move include/security tp /src/Core/Authentication and /src/Util/Security 2018-10-17 08:19:58 -04:00			`* @param array $user Record from "user" table`
Fix PHPDoc comments project-wide 2019-01-06 16:06:53 -05:00			`* @throws \Friendica\Network\HTTPException\InternalServerErrorException`
Move include/security tp /src/Core/Authentication and /src/Util/Security 2018-10-17 08:19:58 -04:00			`*/`
Renaming functions + moving functions from security to Model/Item and BaseModule + fix multiline comments 2018-10-17 15:30:41 -04:00			`public static function setCookie($time, $user = [])`
Move include/security tp /src/Core/Authentication and /src/Util/Security 2018-10-17 08:19:58 -04:00			`{`
			`if ($time != 0) {`
			`$time = $time + time();`
			`}`

			`if ($user) {`
Fix security vulnerbilities. Fix possible length extension attack, predicable generators, timing attacks on hash comparision and improved formatting. 2019-10-10 19:21:41 -04:00			`$value = json_encode([`
			`"uid" => $user["uid"],`
Renaming functions + moving functions from security to Model/Item and BaseModule + fix multiline comments 2018-10-17 15:30:41 -04:00			`"hash" => self::getCookieHashForUser($user),`
Fix security vulnerbilities. Fix possible length extension attack, predicable generators, timing attacks on hash comparision and improved formatting. 2019-10-10 19:21:41 -04:00			`"ip" => defaults($_SERVER, 'REMOTE_ADDR', '0.0.0.0')`
			`]);`
Move include/security tp /src/Core/Authentication and /src/Util/Security 2018-10-17 08:19:58 -04:00			`} else {`
			`$value = "";`
			`}`

Fixed wrong "BaseUrl" class (=> "BaseURL") 2019-08-15 11:23:35 -04:00			`setcookie("Friendica", $value, $time, "/", "", (Config::get('system', 'ssl_policy') == App\BaseURL::SSL_POLICY_FULL), true);`
Move include/security tp /src/Core/Authentication and /src/Util/Security 2018-10-17 08:19:58 -04:00			`}`

			`/**`
			`* @brief Kills the "Friendica" cookie and all session data`
			`*/`
Renaming functions + moving functions from security to Model/Item and BaseModule + fix multiline comments 2018-10-17 15:30:41 -04:00			`public static function deleteSession()`
Move include/security tp /src/Core/Authentication and /src/Util/Security 2018-10-17 08:19:58 -04:00			`{`
Renaming functions + moving functions from security to Model/Item and BaseModule + fix multiline comments 2018-10-17 15:30:41 -04:00			`self::setCookie(-3600); // make sure cookie is deleted on browser close, as a security measure`
Move include/security tp /src/Core/Authentication and /src/Util/Security 2018-10-17 08:19:58 -04:00			`session_unset();`
			`session_destroy();`
			`}`
Add two-factor authentication - Add 2FA login interception in Session::setAuthenticatedForUser - Add 2fa session variable holding the last auth code 2019-05-13 01:36:09 -04:00
			`public static function twoFactorCheck($uid, App $a)`
			`{`
			`// Check user setting, if 2FA disabled return`
			`if (!PConfig::get($uid, '2fa', 'verified')) {`
			`return;`
			`}`

			`// Check current path, if 2fa authentication module return`
Remove mod/ping from 2fa exception list - Prevent asynchronous calls to redirect to /2fa in case of missing valid 2fa session 2019-07-23 20:03:08 -04:00			`if ($a->argc > 0 && in_array($a->argv[0], ['2fa', 'view', 'help', 'api', 'proxy', 'logout'])) {`
Add two-factor authentication - Add 2FA login interception in Session::setAuthenticatedForUser - Add 2fa session variable holding the last auth code 2019-05-13 01:36:09 -04:00			`return;`
			`}`

			`// Case 1: 2FA session present and valid: return`
			`if (Session::get('2fa')) {`
			`return;`
			`}`

			`// Case 2: No valid 2FA session: redirect to code verification page`
Remove mod/ping from 2fa exception list - Prevent asynchronous calls to redirect to /2fa in case of missing valid 2fa session 2019-07-23 20:03:08 -04:00			`if ($a->isAjax()) {`
			`throw new ForbiddenException();`
			`} else {`
			`$a->internalRedirect('2fa');`
			`}`
Add two-factor authentication - Add 2FA login interception in Session::setAuthenticatedForUser - Add 2fa session variable holding the last auth code 2019-05-13 01:36:09 -04:00			`}`
Move include/security tp /src/Core/Authentication and /src/Util/Security 2018-10-17 08:19:58 -04:00			`}`