friendica/include/auth.php

<?php


require_once('include/security.php');

function nuke_session() {
	unset($_SESSION['authenticated']);
	unset($_SESSION['uid']);
	unset($_SESSION['visitor_id']);
	unset($_SESSION['administrator']);
	unset($_SESSION['cid']);
	unset($_SESSION['theme']);
	unset($_SESSION['page_flags']);
	unset($_SESSION['submanage']);
	unset($_SESSION['my_url']);
	unset($_SESSION['my_address']);
	unset($_SESSION['addr']);
	unset($_SESSION['return_url']);
	unset($_SESSION['theme']);
	unset($_SESSION['page_flags']);
}


// login/logout 


if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-params'))) || ($_POST['auth-params'] !== 'login'))) {

	if(((x($_POST,'auth-params')) && ($_POST['auth-params'] === 'logout')) || ($a->module === 'logout')) {
	
		// process logout request
		call_hooks("logging_out");
		nuke_session();
		info( t('Logged out.') . EOL);
		goaway(z_root());
	}

	if(x($_SESSION,'visitor_id') && (! x($_SESSION,'uid'))) {
		$r = q("SELECT * FROM `contact` WHERE `id` = %d LIMIT 1",
			intval($_SESSION['visitor_id'])
		);
		if(count($r)) {
			$a->contact = $r[0];
		}
	}

	if(x($_SESSION,'uid')) {

		// already logged in user returning

		$check = get_config('system','paranoia');
		// extra paranoia - if the IP changed, log them out
		if($check && ($_SESSION['addr'] != $_SERVER['REMOTE_ADDR'])) {
			nuke_session();
			goaway(z_root());
		}

		$r = q("SELECT `user`.*, `user`.`pubkey` as `upubkey`, `user`.`prvkey` as `uprvkey` 
		FROM `user` WHERE `uid` = %d AND `blocked` = 0 AND `account_expired` = 0 AND `verified` = 1 LIMIT 1",
			intval($_SESSION['uid'])
		);

		if(! count($r)) {
			nuke_session();
			goaway(z_root());
		}

		authenticate_success($r[0]);
	}
}
else {

	if(isset($_SESSION)) {
		nuke_session();
	}

	if((x($_POST,'password')) && strlen($_POST['password']))
		$encrypted = hash('whirlpool',trim($_POST['password']));
	else {
		if((x($_POST,'openid_url')) && strlen($_POST['openid_url']) ||
		   (x($_POST,'username')) && strlen($_POST['username'])) {

			$noid = get_config('system','no_openid');

			$openid_url = trim((strlen($_POST['openid_url'])?$_POST['openid_url']:$_POST['username']) );

			// validate_url alters the calling parameter

			$temp_string = $openid_url;

			// if it's an email address or doesn't resolve to a URL, fail.

			if(($noid) || (strpos($temp_string,'@')) || (! validate_url($temp_string))) {
				$a = get_app();
				notice( t('Login failed.') . EOL);
				goaway(z_root());
				// NOTREACHED
			}

			// Otherwise it's probably an openid.

                        try {
			require_once('library/openid.php');
			$openid = new LightOpenID;
			$openid->identity = $openid_url;
			$_SESSION['openid'] = $openid_url;
			$a = get_app();
			$openid->returnUrl = $a->get_baseurl(true) . '/openid'; 
                        goaway($openid->authUrl());
                        } catch (Exception $e) {
                            notice( t('We encountered a problem while logging in with the OpenID you provided. Please check the correct spelling of the ID.').'<br /><br >'. t('The error message was:').' '.$e->getMessage());
                        }
			// NOTREACHED
		}
	}

	if((x($_POST,'auth-params')) && $_POST['auth-params'] === 'login') {

		$record = null;

		$addon_auth = array(
			'username' => trim($_POST['username']), 
			'password' => trim($_POST['password']),
			'authenticated' => 0,
			'user_record' => null
		);

		/**
		 *
		 * A plugin indicates successful login by setting 'authenticated' to non-zero value and returning a user record
		 * Plugins should never set 'authenticated' except to indicate success - as hooks may be chained
		 * and later plugins should not interfere with an earlier one that succeeded.
		 *
		 */

		call_hooks('authenticate', $addon_auth);

		if(($addon_auth['authenticated']) && (count($addon_auth['user_record']))) {
			$record = $addon_auth['user_record'];
		}
		else {

			// process normal login request

			$r = q("SELECT `user`.*, `user`.`pubkey` as `upubkey`, `user`.`prvkey` as `uprvkey`  
				FROM `user` WHERE ( `email` = '%s' OR `nickname` = '%s' ) 
				AND `password` = '%s' AND `blocked` = 0 AND `account_expired` = 0 AND `verified` = 1 LIMIT 1",
				dbesc(trim($_POST['username'])),
				dbesc(trim($_POST['username'])),
				dbesc($encrypted)
			);
			if(count($r))
				$record = $r[0];
		}

		if((! $record) || (! count($record))) {
			logger('authenticate: failed login attempt: ' . notags(trim($_POST['username'])) . ' from IP ' . $_SERVER['REMOTE_ADDR']); 
			notice( t('Login failed.') . EOL );
			goaway(z_root());
  		}

		// if we haven't failed up this point, log them in.

		authenticate_success($record, true, true);
	}
}

// Returns an array of group id's this contact is a member of.
// This array will only contain group id's related to the uid of this
// DFRN contact. They are *not* neccessarily unique across the entire site. 


if(! function_exists('init_groups_visitor')) {
function init_groups_visitor($contact_id) {
	$groups = array();
	$r = q("SELECT `gid` FROM `group_member` 
		WHERE `contact-id` = %d ",
		intval($contact_id)
	);
	if(count($r)) {
		foreach($r as $rr)
			$groups[] = $rr['gid'];
	}
	return $groups;
}}
some changes 2010-07-04 23:45:56 -04:00			`<?php`

paranoid option to reduce session hijacking by enforcing an IP match on session validation. This is not claimed to be a perfect solution to the problem by any stretch, it merely raises the bar on the script kiddies to the detriment of those whose dynamic IPs aren't long lived. For these reasons it is opt-in. 2010-11-30 02:16:14 -05:00
modularise successful authentication 2012-01-12 18:46:39 -05:00			`require_once('include/security.php');`

paranoid option to reduce session hijacking by enforcing an IP match on session validation. This is not claimed to be a perfect solution to the problem by any stretch, it merely raises the bar on the script kiddies to the detriment of those whose dynamic IPs aren't long lived. For these reasons it is opt-in. 2010-11-30 02:16:14 -05:00			`function nuke_session() {`
			`unset($_SESSION['authenticated']);`
			`unset($_SESSION['uid']);`
			`unset($_SESSION['visitor_id']);`
			`unset($_SESSION['administrator']);`
			`unset($_SESSION['cid']);`
			`unset($_SESSION['theme']);`
			`unset($_SESSION['page_flags']);`
clear submanage, etc from session on logout 2012-05-22 21:05:58 -04:00			`unset($_SESSION['submanage']);`
			`unset($_SESSION['my_url']);`
			`unset($_SESSION['my_address']);`
			`unset($_SESSION['addr']);`
			`unset($_SESSION['return_url']);`
			`unset($_SESSION['theme']);`
			`unset($_SESSION['page_flags']);`
paranoid option to reduce session hijacking by enforcing an IP match on session validation. This is not claimed to be a perfect solution to the problem by any stretch, it merely raises the bar on the script kiddies to the detriment of those whose dynamic IPs aren't long lived. For these reasons it is opt-in. 2010-11-30 02:16:14 -05:00			`}`


some changes 2010-07-04 23:45:56 -04:00			`// login/logout`

paranoid option to reduce session hijacking by enforcing an IP match on session validation. This is not claimed to be a perfect solution to the problem by any stretch, it merely raises the bar on the script kiddies to the detriment of those whose dynamic IPs aren't long lived. For these reasons it is opt-in. 2010-11-30 02:16:14 -05:00


more lint 2010-10-31 19:38:22 -04:00			`if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-params'))) \|\| ($_POST['auth-params'] !== 'login'))) {`
make it much easier to debug friend acceptance issues by reporting specific error conditions across the wire. 2010-10-10 19:16:29 -04:00
more lint 2010-10-31 19:38:22 -04:00			`if(((x($_POST,'auth-params')) && ($_POST['auth-params'] === 'logout')) \|\| ($a->module === 'logout')) {`
make it much easier to debug friend acceptance issues by reporting specific error conditions across the wire. 2010-10-10 19:16:29 -04:00
			`// process logout request`
add 'loggin_out' hook 2012-03-12 10:58:59 -04:00			`call_hooks("logging_out");`
paranoid option to reduce session hijacking by enforcing an IP match on session validation. This is not claimed to be a perfect solution to the problem by any stretch, it merely raises the bar on the script kiddies to the detriment of those whose dynamic IPs aren't long lived. For these reasons it is opt-in. 2010-11-30 02:16:14 -05:00			`nuke_session();`
add info() function. Works like notice() but show messages in a div with class info-message. update code to use info() instead of notice() when appropriate (non-error message) add info-message class style in themes 2011-05-23 05:39:57 -04:00			`info( t('Logged out.') . EOL);`
some more zot changes migrating back to f9a mainline 2011-08-02 00:02:25 -04:00			`goaway(z_root());`
some changes 2010-07-04 23:45:56 -04:00			`}`
make it much easier to debug friend acceptance issues by reporting specific error conditions across the wire. 2010-10-10 19:16:29 -04:00
bug #70 - error messages on group deletion, warning cleanup 2011-05-15 19:36:49 -04:00			`if(x($_SESSION,'visitor_id') && (! x($_SESSION,'uid'))) {`
missing self photo on remote site comment boxes 2011-05-10 01:15:19 -04:00			$r = q("SELECT * FROM `contact` WHERE `id` = %d LIMIT 1",
			`intval($_SESSION['visitor_id'])`
			`);`
			`if(count($r)) {`
			`$a->contact = $r[0];`
			`}`
			`}`

some changes 2010-07-04 23:45:56 -04:00			`if(x($_SESSION,'uid')) {`
make it much easier to debug friend acceptance issues by reporting specific error conditions across the wire. 2010-10-10 19:16:29 -04:00
			`// already logged in user returning`

paranoid option to reduce session hijacking by enforcing an IP match on session validation. This is not claimed to be a perfect solution to the problem by any stretch, it merely raises the bar on the script kiddies to the detriment of those whose dynamic IPs aren't long lived. For these reasons it is opt-in. 2010-11-30 02:16:14 -05:00			`$check = get_config('system','paranoia');`
			`// extra paranoia - if the IP changed, log them out`
			`if($check && ($_SESSION['addr'] != $_SERVER['REMOTE_ADDR'])) {`
			`nuke_session();`
some more zot changes migrating back to f9a mainline 2011-08-02 00:02:25 -04:00			`goaway(z_root());`
paranoid option to reduce session hijacking by enforcing an IP match on session validation. This is not claimed to be a perfect solution to the problem by any stretch, it merely raises the bar on the script kiddies to the detriment of those whose dynamic IPs aren't long lived. For these reasons it is opt-in. 2010-11-30 02:16:14 -05:00			`}`

missing salmon key? report it. 2011-08-24 23:40:08 -04:00			$r = q("SELECT `user`.*, `user`.`pubkey` as `upubkey`, `user`.`prvkey` as `uprvkey`
account expiration structures 2011-09-18 22:53:45 -04:00			FROM `user` WHERE `uid` = %d AND `blocked` = 0 AND `account_expired` = 0 AND `verified` = 1 LIMIT 1",
make it much easier to debug friend acceptance issues by reporting specific error conditions across the wire. 2010-10-10 19:16:29 -04:00			`intval($_SESSION['uid'])`
			`);`

			`if(! count($r)) {`
paranoid option to reduce session hijacking by enforcing an IP match on session validation. This is not claimed to be a perfect solution to the problem by any stretch, it merely raises the bar on the script kiddies to the detriment of those whose dynamic IPs aren't long lived. For these reasons it is opt-in. 2010-11-30 02:16:14 -05:00			`nuke_session();`
some more zot changes migrating back to f9a mainline 2011-08-02 00:02:25 -04:00			`goaway(z_root());`
some changes 2010-07-04 23:45:56 -04:00			`}`
make it much easier to debug friend acceptance issues by reporting specific error conditions across the wire. 2010-10-10 19:16:29 -04:00
modularise successful authentication 2012-01-12 18:46:39 -05:00			`authenticate_success($r[0]);`
some changes 2010-07-04 23:45:56 -04:00			`}`
			`}`
			`else {`
make it much easier to debug friend acceptance issues by reporting specific error conditions across the wire. 2010-10-10 19:16:29 -04:00
-Wall cleanup 2010-10-30 16:25:37 -04:00			`if(isset($_SESSION)) {`
paranoid option to reduce session hijacking by enforcing an IP match on session validation. This is not claimed to be a perfect solution to the problem by any stretch, it merely raises the bar on the script kiddies to the detriment of those whose dynamic IPs aren't long lived. For these reasons it is opt-in. 2010-11-30 02:16:14 -05:00			`nuke_session();`
-Wall cleanup 2010-10-30 16:25:37 -04:00			`}`
theme cleanup 2010-09-19 00:11:18 -04:00
openid logins working 2010-11-17 20:03:27 -05:00			`if((x($_POST,'password')) && strlen($_POST['password']))`
-Wall cleanup 2010-10-30 16:25:37 -04:00			`$encrypted = hash('whirlpool',trim($_POST['password']));`
pull some template strings 2010-11-17 02:26:14 -05:00			`else {`
works on login form 2011-10-17 10:53:59 -04:00			`if((x($_POST,'openid_url')) && strlen($_POST['openid_url']) \|\|`
			`(x($_POST,'username')) && strlen($_POST['username'])) {`
smooth a few rough edges of openid 2010-11-18 18:06:33 -05:00
localise login template, allow openid to be disabled 2010-11-28 23:58:23 -05:00			`$noid = get_config('system','no_openid');`

refactor openid logins/registrations 2012-03-19 18:03:09 -04:00			`$openid_url = trim((strlen($_POST['openid_url'])?$_POST['openid_url']:$_POST['username']) );`
smooth a few rough edges of openid 2010-11-18 18:06:33 -05:00
			`// validate_url alters the calling parameter`

			`$temp_string = $openid_url;`

			`// if it's an email address or doesn't resolve to a URL, fail.`

localise login template, allow openid to be disabled 2010-11-28 23:58:23 -05:00			`if(($noid) \|\| (strpos($temp_string,'@')) \|\| (! validate_url($temp_string))) {`
smooth a few rough edges of openid 2010-11-18 18:06:33 -05:00			`$a = get_app();`
			`notice( t('Login failed.') . EOL);`
some more zot changes migrating back to f9a mainline 2011-08-02 00:02:25 -04:00			`goaway(z_root());`
smooth a few rough edges of openid 2010-11-18 18:06:33 -05:00			`// NOTREACHED`
			`}`

			`// Otherwise it's probably an openid.`

catch OpenID login errors in cases when the OpenID server does not answers 2012-03-30 09:19:17 -04:00			`try {`
smooth a few rough edges of openid 2010-11-18 18:06:33 -05:00			`require_once('library/openid.php');`
			`$openid = new LightOpenID;`
			`$openid->identity = $openid_url;`
			`$_SESSION['openid'] = $openid_url;`
			`$a = get_app();`
refactor openid logins/registrations 2012-03-19 18:03:09 -04:00			`$openid->returnUrl = $a->get_baseurl(true) . '/openid';`
catch OpenID login errors in cases when the OpenID server does not answers 2012-03-30 09:19:17 -04:00			`goaway($openid->authUrl());`
			`} catch (Exception $e) {`
			`notice( t('We encountered a problem while logging in with the OpenID you provided. Please check the correct spelling of the ID.').'<br /><br >'. t('The error message was:').' '.$e->getMessage());`
			`}`
refactor openid logins/registrations 2012-03-19 18:03:09 -04:00			`// NOTREACHED`
pull some template strings 2010-11-17 02:26:14 -05:00			`}`
			`}`
add IP address to failed login log message 2012-03-20 00:58:21 -04:00
stronger type checking on comparisons 2010-09-26 20:24:20 -04:00			`if((x($_POST,'auth-params')) && $_POST['auth-params'] === 'login') {`
make it much easier to debug friend acceptance issues by reporting specific error conditions across the wire. 2010-10-10 19:16:29 -04:00
Add sample external authentication plugin (ldap) 2010-12-27 17:59:26 -05:00			`$record = null;`
add authentication plugin hooks 2010-12-24 18:59:12 -05:00
			`$addon_auth = array(`
works on login form 2011-10-17 10:53:59 -04:00			`'username' => trim($_POST['username']),`
add authentication plugin hooks 2010-12-24 18:59:12 -05:00			`'password' => trim($_POST['password']),`
Add sample external authentication plugin (ldap) 2010-12-27 17:59:26 -05:00			`'authenticated' => 0,`
			`'user_record' => null`
add authentication plugin hooks 2010-12-24 18:59:12 -05:00			`);`

			`/**`
			`*`
Add sample external authentication plugin (ldap) 2010-12-27 17:59:26 -05:00			`* A plugin indicates successful login by setting 'authenticated' to non-zero value and returning a user record`
add authentication plugin hooks 2010-12-24 18:59:12 -05:00			`* Plugins should never set 'authenticated' except to indicate success - as hooks may be chained`
			`* and later plugins should not interfere with an earlier one that succeeded.`
			`*`
			`*/`

			`call_hooks('authenticate', $addon_auth);`

Add sample external authentication plugin (ldap) 2010-12-27 17:59:26 -05:00			`if(($addon_auth['authenticated']) && (count($addon_auth['user_record']))) {`
			`$record = $addon_auth['user_record'];`
			`}`
			`else {`

			`// process normal login request`
add authentication plugin hooks 2010-12-24 18:59:12 -05:00
missing salmon key? report it. 2011-08-24 23:40:08 -04:00			$r = q("SELECT `user`.*, `user`.`pubkey` as `upubkey`, `user`.`prvkey` as `uprvkey`
			FROM `user` WHERE ( `email` = '%s' OR `nickname` = '%s' )
account expiration structures 2011-09-18 22:53:45 -04:00			AND `password` = '%s' AND `blocked` = 0 AND `account_expired` = 0 AND `verified` = 1 LIMIT 1",
works on login form 2011-10-17 10:53:59 -04:00			`dbesc(trim($_POST['username'])),`
			`dbesc(trim($_POST['username'])),`
add authentication plugin hooks 2010-12-24 18:59:12 -05:00			`dbesc($encrypted)`
			`);`
Add sample external authentication plugin (ldap) 2010-12-27 17:59:26 -05:00			`if(count($r))`
			`$record = $r[0];`
add authentication plugin hooks 2010-12-24 18:59:12 -05:00			`}`

Add sample external authentication plugin (ldap) 2010-12-27 17:59:26 -05:00			`if((! $record) \|\| (! count($record))) {`
add IP address to failed login log message 2012-03-20 00:58:21 -04:00			`logger('authenticate: failed login attempt: ' . notags(trim($_POST['username'])) . ' from IP ' . $_SERVER['REMOTE_ADDR']);`
Add sample external authentication plugin (ldap) 2010-12-27 17:59:26 -05:00			`notice( t('Login failed.') . EOL );`
some more zot changes migrating back to f9a mainline 2011-08-02 00:02:25 -04:00			`goaway(z_root());`
Add sample external authentication plugin (ldap) 2010-12-27 17:59:26 -05:00			`}`

modularise successful authentication 2012-01-12 18:46:39 -05:00			`// if we haven't failed up this point, log them in.`
add authentication plugin hooks 2010-12-24 18:59:12 -05:00
modularise successful authentication 2012-01-12 18:46:39 -05:00			`authenticate_success($record, true, true);`
some changes 2010-07-04 23:45:56 -04:00			`}`
			`}`

turn groups back into numbers 2010-07-13 05:00:53 -04:00			`// Returns an array of group id's this contact is a member of.`
			`// This array will only contain group id's related to the uid of this`
some changes 2010-07-04 23:45:56 -04:00			`// DFRN contact. They are not neccessarily unique across the entire site.`


			`if(! function_exists('init_groups_visitor')) {`
			`function init_groups_visitor($contact_id) {`
			`$groups = array();`
turn groups back into numbers 2010-07-13 05:00:53 -04:00			$r = q("SELECT `gid` FROM `group_member`
			WHERE `contact-id` = %d ",
some changes 2010-07-04 23:45:56 -04:00			`intval($contact_id)`
			`);`
			`if(count($r)) {`
			`foreach($r as $rr)`
turn groups back into numbers 2010-07-13 05:00:53 -04:00			`$groups[] = $rr['gid'];`
some changes 2010-07-04 23:45:56 -04:00			`}`
			`return $groups;`
			`}}`