clones/friendica
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #4092 from MrPetovan/task/3954-move-auth-to-src

Browse Source 
Move auth to src
This commit is contained in:
Tobias Diekershoff
2018-01-04 18:06:42 +01:00
committed by GitHub
parent 6e71a84075 520a068500
commit 04589ecd38
31 changed files with 783 additions and 856 deletions
Download Patch File Download Diff File Expand all files Collapse all files

209
include/auth.php
View File

@@ -1,209 +0,0 @@
<?php
use Friendica\App;
use Friendica\Core\System;
use Friendica\Core\Config;
use Friendica\Database\DBM;
use Friendica\Model\User;
require_once 'include/security.php';
require_once 'include/datetime.php';
// When the "Friendica" cookie is set, take the value to authenticate and renew the cookie.
if (isset($_COOKIE["Friendica"])) {
$data = json_decode($_COOKIE["Friendica"]);
if (isset($data->uid)) {
$user = dba::select('user',
[],
[
'uid' => $data->uid,
'blocked' => false,
'account_expired' => false,
'account_removed' => false,
'verified' => true,
],
['limit' => 1]
);
if (DBM::is_result($user)) {
if ($data->hash != cookie_hash($user)) {
logger("Hash for user " . $data->uid . " doesn't fit.");
nuke_session();
goaway(System::baseUrl());
}
// Renew the cookie
// Expires after 7 days by default,
// can be set via system.auth_cookie_lifetime
$authcookiedays = Config::get('system', 'auth_cookie_lifetime', 7);
new_cookie($authcookiedays * 24 * 60 * 60, $user);
// Do the authentification if not done by now
if (!isset($_SESSION) || !isset($_SESSION['authenticated'])) {
authenticate_success($user);
if (Config::get('system', 'paranoia')) {
$_SESSION['addr'] = $data->ip;
}
}
}
}
}
// login/logout
if (isset($_SESSION) && x($_SESSION, 'authenticated') && (!x($_POST, 'auth-params') || ($_POST['auth-params'] !== 'login'))) {
if ((x($_POST, 'auth-params') && ($_POST['auth-params'] === 'logout')) || ($a->module === 'logout')) {
// process logout request
call_hooks("logging_out");
nuke_session();
info(t('Logged out.') . EOL);
goaway(System::baseUrl());
}
if (x($_SESSION, 'visitor_id') && !x($_SESSION, 'uid')) {
$r = q("SELECT * FROM `contact` WHERE `id` = %d LIMIT 1",
intval($_SESSION['visitor_id'])
);
if (DBM::is_result($r)) {
$a->contact = $r[0];
}
}
if (x($_SESSION, 'uid')) {
// already logged in user returning
$check = Config::get('system', 'paranoia');
// extra paranoia - if the IP changed, log them out
if ($check && ($_SESSION['addr'] != $_SERVER['REMOTE_ADDR'])) {
logger('Session address changed. Paranoid setting in effect, blocking session. ' .
$_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
nuke_session();
goaway(System::baseUrl());
}
$user = dba::select('user',
[],
[
'uid' => $_SESSION['uid'],
'blocked' => false,
'account_expired' => false,
'account_removed' => false,
'verified' => true,
],
['limit' => 1]
);
if (!DBM::is_result($user)) {
nuke_session();
goaway(System::baseUrl());
}
// Make sure to refresh the last login time for the user if the user
// stays logged in for a long time, e.g. with "Remember Me"
$login_refresh = false;
if (!x($_SESSION['last_login_date'])) {
$_SESSION['last_login_date'] = datetime_convert('UTC', 'UTC');
}
if (strcmp(datetime_convert('UTC', 'UTC', 'now - 12 hours'), $_SESSION['last_login_date']) > 0) {
$_SESSION['last_login_date'] = datetime_convert('UTC', 'UTC');
$login_refresh = true;
}
authenticate_success($user, false, false, $login_refresh);
}
} else {
session_unset();
if (
!(x($_POST, 'password') && strlen($_POST['password']))
&& (
x($_POST, 'openid_url') && strlen($_POST['openid_url'])
|| x($_POST, 'username') && strlen($_POST['username'])
)
) {
$noid = Config::get('system', 'no_openid');
$openid_url = trim(strlen($_POST['openid_url']) ? $_POST['openid_url'] : $_POST['username']);
// validate_url alters the calling parameter
$temp_string = $openid_url;
// if it's an email address or doesn't resolve to a URL, fail.
if ($noid || strpos($temp_string, '@') || !validate_url($temp_string)) {
$a = get_app();
notice(t('Login failed.') . EOL);
goaway(System::baseUrl());
// NOTREACHED
}
// Otherwise it's probably an openid.
try {
require_once('library/openid.php');
$openid = new LightOpenID;
$openid->identity = $openid_url;
$_SESSION['openid'] = $openid_url;
$_SESSION['remember'] = $_POST['remember'];
$openid->returnUrl = System::baseUrl(true) . '/openid';
goaway($openid->authUrl());
} catch (Exception $e) {
notice(t('We encountered a problem while logging in with the OpenID you provided. Please check the correct spelling of the ID.') . '<br /><br >' . t('The error message was:') . ' ' . $e->getMessage());
}
// NOTREACHED
}
if (x($_POST, 'auth-params') && $_POST['auth-params'] === 'login') {
$record = null;
$addon_auth = array(
'username' => trim($_POST['username']),
'password' => trim($_POST['password']),
'authenticated' => 0,
'user_record' => null
);
/**
*
* A plugin indicates successful login by setting 'authenticated' to non-zero value and returning a user record
* Plugins should never set 'authenticated' except to indicate success - as hooks may be chained
* and later plugins should not interfere with an earlier one that succeeded.
*
*/
call_hooks('authenticate', $addon_auth);
if ($addon_auth['authenticated'] && count($addon_auth['user_record'])) {
$record = $addon_auth['user_record'];
} else {
$user_id = User::authenticate(trim($_POST['username']), trim($_POST['password']));
if ($user_id) {
$record = dba::select('user', [], ['uid' => $user_id], ['limit' => 1]);
}
}
if (!$record || !count($record)) {
logger('authenticate: failed login attempt: ' . notags(trim($_POST['username'])) . ' from IP ' . $_SERVER['REMOTE_ADDR']);
notice(t('Login failed.') . EOL);
goaway(System::baseUrl());
}
if (!$_POST['remember']) {
new_cookie(0); // 0 means delete on browser exit
}
// if we haven't failed up this point, log them in.
$_SESSION['remember'] = $_POST['remember'];
$_SESSION['last_login_date'] = datetime_convert('UTC', 'UTC');
authenticate_success($record, true, true);
}
}
/**
* @brief Kills the "Friendica" cookie and all session data
*/
function nuke_session()
{
new_cookie(-3600); // make sure cookie is deleted on browser close, as a security measure
session_unset();
session_destroy();
}

11
include/identity.php
View File

@@ -920,11 +920,12 @@ function get_my_url()
function zrl_init(App $a)
{
$tmp_str = get_my_url();
if (validate_url($tmp_str)) {
$my_url = get_my_url();
$my_url = validate_url($my_url);
if ($my_url) {
// Is it a DDoS attempt?
// The check fetches the cached value from gprobe to reduce the load for this system
$urlparts = parse_url($tmp_str);
$urlparts = parse_url($my_url);
$result = Cache::get('gprobe:' . $urlparts['host']);
if ((!is_null($result)) && (in_array($result['network'], array(NETWORK_FEED, NETWORK_PHANTOM)))) {
@@ -932,8 +933,8 @@ function zrl_init(App $a)
return;
}
Worker::add(PRIORITY_LOW, 'GProbe', $tmp_str);
$arr = array('zrl' => $tmp_str, 'url' => $a->cmd);
Worker::add(PRIORITY_LOW, 'GProbe', $my_url);
$arr = array('zrl' => $my_url, 'url' => $a->cmd);
call_hooks('zrl_init', $arr);
}
}

16
include/network.php
View File

@@ -470,26 +470,28 @@ function http_status_exit($val, $description = array())
* and check DNS to see if it's real (or check if is a valid IP address)
*
* @param string $url The URL to be validated
* @return boolean True if it's a valid URL, fals if something wrong with it
* @return string|boolean The actual working URL, false else
*/
function validate_url(&$url)
function validate_url($url)
{
if (Config::get('system', 'disable_url_validation')) {
return true;
return $url;
}
// no naked subdomains (allow localhost for tests)
if (strpos($url, '.') === false && strpos($url, '/localhost/') === false)
if (strpos($url, '.') === false && strpos($url, '/localhost/') === false) {
return false;
}
if (substr($url, 0, 4) != 'http')
if (substr($url, 0, 4) != 'http') {
$url = 'http://' . $url;
}
/// @TODO Really supress function outcomes? Why not find them + debug them?
/// @TODO Really suppress function outcomes? Why not find them + debug them?
$h = @parse_url($url);
if ((is_array($h)) && (dns_get_record($h['host'], DNS_A + DNS_CNAME + DNS_PTR) || filter_var($h['host'], FILTER_VALIDATE_IP) )) {
return true;
return $url;
}
return false;

174
include/security.php
View File

@@ -5,6 +5,7 @@ use Friendica\Core\Config;
use Friendica\Core\PConfig;
use Friendica\Core\System;
use Friendica\Database\DBM;
use Friendica\Model\Group;
/**
* @brief Calculate the hash that is needed for the "Friendica" cookie
@@ -13,10 +14,11 @@ use Friendica\Database\DBM;
*
* @return string Hashed data
*/
function cookie_hash($user) {
return(hash("sha256", Config::get("system", "site_prvkey").
$user["prvkey"].
$user["password"]));
function cookie_hash($user)
{
return(hash("sha256", Config::get("system", "site_prvkey") .
$user["prvkey"] .
$user["password"]));
}
/**
@@ -25,28 +27,35 @@ function cookie_hash($user) {
* @param int $time
* @param array $user Record from "user" table
*/
function new_cookie($time, $user = array()) {
function new_cookie($time, $user = array())
{
if ($time != 0) {
$time = $time + time();
}
if ($user) {
$value = json_encode(array("uid" => $user["uid"],
"hash" => cookie_hash($user),
"ip" => $_SERVER['REMOTE_ADDR']));
}
else {
"hash" => cookie_hash($user),
"ip" => $_SERVER['REMOTE_ADDR']));
} else {
$value = "";
}
setcookie("Friendica", $value, $time, "/", "",
(Config::get('system', 'ssl_policy') == SSL_POLICY_FULL), true);
setcookie("Friendica", $value, $time, "/", "", (Config::get('system', 'ssl_policy') == SSL_POLICY_FULL), true);
}
function authenticate_success($user_record, $login_initial = false, $interactive = false, $login_refresh = false) {
/**
* @brief Sets the provided user's authenticated session
*
* @todo Should be moved to Friendica\Core\Session once it's created
*
* @param type $user_record
* @param type $login_initial
* @param type $interactive
* @param type $login_refresh
*/
function authenticate_success($user_record, $login_initial = false, $interactive = false, $login_refresh = false)
{
$a = get_app();
$_SESSION['uid'] = $user_record['uid'];
@@ -55,7 +64,7 @@ function authenticate_success($user_record, $login_initial = false, $interactive
$_SESSION['authenticated'] = 1;
$_SESSION['page_flags'] = $user_record['page-flags'];
$_SESSION['my_url'] = System::baseUrl() . '/profile/' . $user_record['nickname'];
$_SESSION['my_address'] = $user_record['nickname'] . '@' . substr(System::baseUrl(),strpos(System::baseUrl(),'://')+3);
$_SESSION['my_address'] = $user_record['nickname'] . '@' . substr(System::baseUrl(), strpos(System::baseUrl(), '://') + 3);
$_SESSION['addr'] = $_SERVER['REMOTE_ADDR'];
$a->user = $user_record;
@@ -64,10 +73,10 @@ function authenticate_success($user_record, $login_initial = false, $interactive
if ($a->user['login_date'] <= NULL_DATE) {
$_SESSION['return_url'] = 'profile_photo/new';
$a->module = 'profile_photo';
info( t("Welcome ") . $a->user['username'] . EOL);
info( t('Please upload a profile photo.') . EOL);
info(t("Welcome ") . $a->user['username'] . EOL);
info(t('Please upload a profile photo.') . EOL);
} else {
info( t("Welcome back ") . $a->user['username'] . EOL);
info(t("Welcome back ") . $a->user['username'] . EOL);
}
}
@@ -84,7 +93,7 @@ function authenticate_success($user_record, $login_initial = false, $interactive
$master_record = $a->user;
if ((x($_SESSION,'submanage')) && intval($_SESSION['submanage'])) {
if ((x($_SESSION, 'submanage')) && intval($_SESSION['submanage'])) {
$r = dba::fetch_first("SELECT * FROM `user` WHERE `uid` = ? LIMIT 1",
intval($_SESSION['submanage'])
);
@@ -112,10 +121,10 @@ function authenticate_success($user_record, $login_initial = false, $interactive
}
if ($login_initial) {
logger('auth_identities: ' . print_r($a->identities,true), LOGGER_DEBUG);
logger('auth_identities: ' . print_r($a->identities, true), LOGGER_DEBUG);
}
if ($login_refresh) {
logger('auth_identities refresh: ' . print_r($a->identities,true), LOGGER_DEBUG);
logger('auth_identities refresh: ' . print_r($a->identities, true), LOGGER_DEBUG);
}
$r = dba::fetch_first("SELECT * FROM `contact` WHERE `uid` = ? AND `self` LIMIT 1", $_SESSION['uid']);
@@ -125,7 +134,7 @@ function authenticate_success($user_record, $login_initial = false, $interactive
$_SESSION['cid'] = $a->cid;
}
header('X-Account-Management-Status: active; name="' . $a->user['username'] . '"; id="' . $a->user['nickname'] .'"');
header('X-Account-Management-Status: active; name="' . $a->user['username'] . '"; id="' . $a->user['nickname'] . '"');
if ($login_initial || $login_refresh) {
dba::update('user', array('login_date' => datetime_convert()), array('uid' => $_SESSION['uid']));
@@ -141,7 +150,7 @@ function authenticate_success($user_record, $login_initial = false, $interactive
// The cookie will be renewed automatically.
// The week ensures that sessions will expire after some inactivity.
if ($_SESSION['remember']) {
logger('Injecting cookie for remembered user '. $_SESSION['remember_user']['nickname']);
logger('Injecting cookie for remembered user ' . $_SESSION['remember_user']['nickname']);
new_cookie(604800, $user_record);
unset($_SESSION['remember']);
}
@@ -156,13 +165,11 @@ function authenticate_success($user_record, $login_initial = false, $interactive
}
}
function can_write_wall(App $a, $owner) {
function can_write_wall(App $a, $owner)
{
static $verified = 0;
if ((! (local_user())) && (! (remote_user()))) {
if (!local_user() && !remote_user()) {
return false;
}
@@ -173,10 +180,8 @@ function can_write_wall(App $a, $owner) {
}
if (remote_user()) {
// use remembered decision and avoid a DB lookup for each and every display item
// DO NOT use this function if there are going to be multiple owners
// We have a contact-id for an authenticated remote user, this block determines if the contact
// belongs to this page owner, and has the necessary permissions to post content
@@ -196,7 +201,7 @@ function can_write_wall(App $a, $owner) {
}
}
if (! $cid) {
if (!$cid) {
return false;
}
@@ -213,8 +218,7 @@ function can_write_wall(App $a, $owner) {
if (DBM::is_result($r)) {
$verified = 2;
return true;
}
else {
} else {
$verified = 1;
}
}
@@ -223,9 +227,8 @@ function can_write_wall(App $a, $owner) {
return false;
}
function permissions_sql($owner_id, $remote_verified = false, $groups = null) {
function permissions_sql($owner_id, $remote_verified = false, $groups = null)
{
$local_user = local_user();
$remote_user = remote_user();
@@ -243,8 +246,7 @@ function permissions_sql($owner_id, $remote_verified = false, $groups = null) {
/**
* Profile owner - everything is visible
*/
if (($local_user) && ($local_user == $owner_id)) {
if ($local_user && $local_user == $owner_id) {
$sql = '';
} elseif ($remote_user) {
/*
@@ -255,18 +257,18 @@ function permissions_sql($owner_id, $remote_verified = false, $groups = null) {
* done this and passed the groups into this function.
*/
if (! $remote_verified) {
if (!$remote_verified) {
$r = q("SELECT id FROM contact WHERE id = %d AND uid = %d AND blocked = 0 LIMIT 1",
intval($remote_user),
intval($owner_id)
);
if (DBM::is_result($r)) {
$remote_verified = true;
$groups = init_groups_visitor($remote_user);
$groups = Group::getIdsByContactId($remote_user);
}
}
if ($remote_verified) {
if ($remote_verified) {
$gs = '<<>>'; // should be impossible to match
if (is_array($groups) && count($groups)) {
@@ -274,20 +276,6 @@ function permissions_sql($owner_id, $remote_verified = false, $groups = null) {
$gs .= '|<' . intval($g) . '>';
}
/*
* @TODO old-lost code found?
$sql = sprintf(
" AND ( allow_cid = '' OR allow_cid REGEXP '<%d>' )
AND ( deny_cid = '' OR NOT deny_cid REGEXP '<%d>' )
AND ( allow_gid = '' OR allow_gid REGEXP '%s' )
AND ( deny_gid = '' OR NOT deny_gid REGEXP '%s')
",
intval($remote_user),
intval($remote_user),
dbesc($gs),
dbesc($gs)
);
*/
$sql = sprintf(
" AND ( NOT (deny_cid REGEXP '<%d>' OR deny_gid REGEXP '%s')
AND ( allow_cid REGEXP '<%d>' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
@@ -303,13 +291,12 @@ function permissions_sql($owner_id, $remote_verified = false, $groups = null) {
return $sql;
}
function item_permissions_sql($owner_id, $remote_verified = false, $groups = null) {
function item_permissions_sql($owner_id, $remote_verified = false, $groups = null)
{
$local_user = local_user();
$remote_user = remote_user();
/**
/*
* Construct permissions
*
* default permissions - anonymous user
@@ -321,9 +308,7 @@ function item_permissions_sql($owner_id, $remote_verified = false, $groups = nul
AND `item`.private = 0
";
/**
* Profile owner - everything is visible
*/
// Profile owner - everything is visible
if ($local_user && ($local_user == $owner_id)) {
$sql = '';
} elseif ($remote_user) {
@@ -334,14 +319,14 @@ function item_permissions_sql($owner_id, $remote_verified = false, $groups = nul
* If pre-verified, the caller is expected to have already
* done this and passed the groups into this function.
*/
if (! $remote_verified) {
if (!$remote_verified) {
$r = q("SELECT id FROM contact WHERE id = %d AND uid = %d AND blocked = 0 LIMIT 1",
intval($remote_user),
intval($owner_id)
);
if (DBM::is_result($r)) {
$remote_verified = true;
$groups = init_groups_visitor($remote_user);
$groups = Group::getIdsByContactId($remote_user);
}
}
if ($remote_verified) {
@@ -355,16 +340,6 @@ function item_permissions_sql($owner_id, $remote_verified = false, $groups = nul
}
$sql = sprintf(
/*" AND ( private = 0 OR ( private in (1,2) AND wall = 1 AND ( allow_cid = '' OR allow_cid REGEXP '<%d>' )
AND ( deny_cid = '' OR NOT deny_cid REGEXP '<%d>' )
AND ( allow_gid = '' OR allow_gid REGEXP '%s' )
AND ( deny_gid = '' OR NOT deny_gid REGEXP '%s')))
",
intval($remote_user),
intval($remote_user),
dbesc($gs),
dbesc($gs)
*/
" AND ( `item`.private = 0 OR ( `item`.private in (1,2) AND `item`.`wall` = 1
AND ( NOT (`item`.deny_cid REGEXP '<%d>' OR `item`.deny_gid REGEXP '%s')
AND ( `item`.allow_cid REGEXP '<%d>' OR `item`.allow_gid REGEXP '%s' OR ( `item`.allow_cid = '' AND `item`.allow_gid = '')))))
@@ -380,7 +355,6 @@ function item_permissions_sql($owner_id, $remote_verified = false, $groups = nul
return $sql;
}
/*
* Functions used to protect against Cross-Site Request Forgery
* The security token has to base on at least one value that an attacker can't know - here it's the session ID and the private key.
@@ -392,7 +366,8 @@ function item_permissions_sql($owner_id, $remote_verified = false, $groups = nul
* Actually, important actions should not be triggered by Links / GET-Requests at all, but somethimes they still are,
* so this mechanism brings in some damage control (the attacker would be able to forge a request to a form of this type, but not to forms of other types).
*/
function get_form_security_token($typename = '') {
function get_form_security_token($typename = '')
{
$a = get_app();
$timestamp = time();
@@ -401,7 +376,8 @@ function get_form_security_token($typename = '') {
return $timestamp . '.' . $sec_hash;
}
function check_form_security_token($typename = '', $formname = 'form_security_token') {
function check_form_security_token($typename = '', $formname = 'form_security_token')
{
if (!x($_REQUEST, $formname)) {
return false;
}
@@ -423,19 +399,24 @@ function check_form_security_token($typename = '', $formname = 'form_security_to
return ($sec_hash == $x[1]);
}
function check_form_security_std_err_msg() {
function check_form_security_std_err_msg()
{
return t('The form security token was not correct. This probably happened because the form has been opened for too long (>3 hours) before submitting it.') . EOL;
}
function check_form_security_token_redirectOnErr($err_redirect, $typename = '', $formname = 'form_security_token') {
function check_form_security_token_redirectOnErr($err_redirect, $typename = '', $formname = 'form_security_token')
{
if (!check_form_security_token($typename, $formname)) {
$a = get_app();
logger('check_form_security_token failed: user ' . $a->user['guid'] . ' - form element ' . $typename);
logger('check_form_security_token failed: _REQUEST data: ' . print_r($_REQUEST, true), LOGGER_DATA);
notice( check_form_security_std_err_msg() );
goaway(System::baseUrl() . $err_redirect );
notice(check_form_security_std_err_msg());
goaway(System::baseUrl() . $err_redirect);
}
}
function check_form_security_token_ForbiddenOnErr($typename = '', $formname = 'form_security_token') {
function check_form_security_token_ForbiddenOnErr($typename = '', $formname = 'form_security_token')
{
if (!check_form_security_token($typename, $formname)) {
$a = get_app();
logger('check_form_security_token failed: user ' . $a->user['guid'] . ' - form element ' . $typename);
@@ -445,21 +426,12 @@ function check_form_security_token_ForbiddenOnErr($typename = '', $formname = 'f
}
}
// Returns an array of group id's this contact is a member of.
// This array will only contain group id's related to the uid of this
// DFRN contact. They are *not* neccessarily unique across the entire site.
if (! function_exists('init_groups_visitor')) {
function init_groups_visitor($contact_id) {
$groups = array();
$r = q("SELECT `gid` FROM `group_member`
WHERE `contact-id` = %d ",
intval($contact_id)
);
if (DBM::is_result($r)) {
foreach ($r as $rr)
$groups[] = $rr['gid'];
}
return $groups;
}}
/**
* @brief Kills the "Friendica" cookie and all session data
*/
function nuke_session()
{
new_cookie(-3600); // make sure cookie is deleted on browser close, as a security measure
session_unset();
session_destroy();
}