[tt-rss.git] / plugins / auth_internal / init.php

<?php
class Auth_Internal extends Plugin implements IAuthModule {

	private $host;

	function about() {
		return array(1.0,
			"Authenticates against internal tt-rss database",
			"fox",
			true);
	}

    /* @var PluginHost $host */
    function init($host) {
		$this->host = $host;
		$this->pdo = Db::pdo();

		$host->add_hook($host::HOOK_AUTH_USER, $this);
	}

	function authenticate($login, $password) {

		$pwd_hash1 = encrypt_password($password);
		$pwd_hash2 = encrypt_password($password, $login);
		$otp = $_REQUEST["otp"];

		if (get_schema_version() > 96) {
			if (!defined('AUTH_DISABLE_OTP') || !AUTH_DISABLE_OTP) {

				$sth = $this->pdo->prepare("SELECT otp_enabled,salt FROM ttrss_users WHERE
					login = ?");
				$sth->execute([$login]);

				if ($row = $sth->fetch()) {

					require_once "lib/otphp/vendor/base32.php";
					require_once "lib/otphp/lib/otp.php";
					require_once "lib/otphp/lib/totp.php";

					$base32 = new Base32();

					$otp_enabled = $row['otp_enabled'];
					$secret = $base32->encode(sha1($row['salt']));

					$topt = new \OTPHP\TOTP($secret);
					$otp_check = $topt->now();

					if ($otp_enabled) {
						if ($otp) {
							if ($otp != $otp_check) {
								return false;
							}
						} else {
							$return = urlencode($_REQUEST["return"]);
							?><html>
								<head>
									<title>Tiny Tiny RSS</title>
									<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
								</head>
								<?php echo stylesheet_tag("css/default.css") ?>
							<body class="ttrss_utility otp"><div class="content">
							<form action="public.php?return=<?php echo $return ?>"
									method="POST" class="otpform">
								<input type="hidden" name="op" value="login">
								<input type="hidden" name="login" value="<?php echo htmlspecialchars($login) ?>">
								<input type="hidden" name="password" value="<?php echo htmlspecialchars($password) ?>">
								<input type="hidden" name="bw_limit" value="<?php echo htmlspecialchars($_POST["bw_limit"]) ?>">
								<input type="hidden" name="remember_me" value="<?php echo htmlspecialchars($_POST["remember_me"]) ?>">
								<input type="hidden" name="profile" value="<?php echo htmlspecialchars($_POST["profile"]) ?>">

								<label><?php echo __("Please enter your one time password:") ?></label>
								<input autocomplete="off" size="6" name="otp" value=""/>
								<input type="submit" value="Continue"/>
							</form></div>
							<script type="text/javascript">
								document.forms[0].otp.focus();
							</script>
							<?php
							exit;
						}
					}
				}
			}
		}

		if (get_schema_version() > 87) {

			$sth = $this->pdo->prepare("SELECT salt FROM ttrss_users WHERE login = ?");
			$sth->execute([$login]);

			if ($row = $sth->fetch()) {
				$salt = $row['salt'];

				if ($salt == "") {

					$sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE
                        login = ? AND (pwd_hash = ? OR pwd_hash = ?)");

					$sth->execute([$login, $pwd_hash1, $pwd_hash2]);

					// verify and upgrade password to new salt base

					if ($row = $sth->fetch()) {
						// upgrade password to MODE2

						$user_id = $row['id'];

						$salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
						$pwd_hash = encrypt_password($password, $salt, true);

						$sth = $this->pdo->prepare("UPDATE ttrss_users SET
					        pwd_hash = ?, salt = ? WHERE login = ?");

						$sth->execute([$pwd_hash, $salt, $login]);

						return $user_id;

					} else {
						return false;
					}

				} else {
					$pwd_hash = encrypt_password($password, $salt, true);

					$sth = $this->pdo->prepare("SELECT id
  		                  FROM ttrss_users WHERE
					      login = ? AND pwd_hash = ?");
					$sth->execute([$login, $pwd_hash]);

					if ($row = $sth->fetch()) {
						return $row['id'];
					}
				}

			} else {
				$sth = $this->pdo->prepare("SELECT id
                    FROM ttrss_users WHERE
                      login = ? AND (pwd_hash = ? OR pwd_hash = ?)");

				$sth->execute([$login, $pwd_hash1, $pwd_hash2]);

				if ($row = $sth->fetch()) {
					return $row['id'];
				}
			}
		} else {
			$sth = $this->pdo->prepare("SELECT id
                    FROM ttrss_users WHERE
                      login = ? AND (pwd_hash = ? OR pwd_hash = ?)");

			$sth->execute([$login, $pwd_hash1, $pwd_hash2]);

			if ($row = $sth->fetch()) {
				return $row['id'];
			}
        }

		return false;
	}

	function check_password($owner_uid, $password) {

		$sth = $this->pdo->prepare("SELECT salt,login FROM ttrss_users WHERE
			id = ?");
		$sth->execute([$owner_uid]);

		if ($row = $sth->fetch()) {

			$salt = $row['salt'];
			$login = $row['login'];

			if (!$salt) {
				$password_hash1 = encrypt_password($password);
				$password_hash2 = encrypt_password($password, $login);

				$sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE
                    id = ? AND (pwd_hash = ? OR pwd_hash = ?)");

				$sth->execute([$owner_uid, $password_hash1, $password_hash2]);

				return $sth->fetch();

			} else {
				$password_hash = encrypt_password($password, $salt, true);

				$sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE
                    id = ? AND pwd_hash = ?");

				$sth->execute([$owner_uid, $password_hash]);

				return $sth->fetch();
			}
		}

        return false;
	}

	function change_password($owner_uid, $old_password, $new_password) {

		if ($this->check_password($owner_uid, $old_password)) {

			$new_salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
			$new_password_hash = encrypt_password($new_password, $new_salt, true);

			$sth = $this->pdo->prepare("UPDATE ttrss_users SET
				pwd_hash = ?, salt = ?, otp_enabled = false
					WHERE id = ?");
			$sth->execute([$new_password_hash, $new_salt, $owner_uid]);

			$_SESSION["pwd_hash"] = $new_password_hash;

			return __("Password has been changed.");
		} else {
			return "ERROR: ".__('Old password is incorrect.');
		}
	}

	function api_version() {
		return 2;
	}

}
?>
Commit	Line	Data
0d421af8	1	<?php
0f28f81f	2	class Auth_Internal extends Plugin implements IAuthModule {
7d960ce7	3
0f28f81f AD	4	private $host;
	5
	6	function about() {
	7	return array(1.0,
	8	"Authenticates against internal tt-rss database",
	9	"fox",
	10	true);
	11	}
	12
b431d525	13	/* @var PluginHost $host */
7d960ce7	14	function init($host) {
0f28f81f	15	$this->host = $host;
7d960ce7	16	$this->pdo = Db::pdo();
0f28f81f AD	17
	18	$host->add_hook($host::HOOK_AUTH_USER, $this);
	19	}
0d421af8 AD	20
	21	function authenticate($login, $password) {
	22
	23	$pwd_hash1 = encrypt_password($password);
	24	$pwd_hash2 = encrypt_password($password, $login);
7d960ce7	25	$otp = $_REQUEST["otp"];
fb70f26e	26
6322ac79	27	if (get_schema_version() > 96) {
d1e31c7a	28	if (!defined('AUTH_DISABLE_OTP') \|\| !AUTH_DISABLE_OTP) {
e441b583	29
7d960ce7 AD	30	$sth = $this->pdo->prepare("SELECT otp_enabled,salt FROM ttrss_users WHERE
	31	login = ?");
	32	$sth->execute([$login]);
02cd6de1	33
7d960ce7	34	if ($row = $sth->fetch()) {
e441b583	35
02cd6de1 AD	36	require_once "lib/otphp/vendor/base32.php";
	37	require_once "lib/otphp/lib/otp.php";
	38	require_once "lib/otphp/lib/totp.php";
	39
	40	$base32 = new Base32();
	41
7d960ce7 AD	42	$otp_enabled = $row['otp_enabled'];
7d960ce7 AD	43	$secret = $base32->encode(sha1($row['salt']));
02cd6de1 AD	44
	45	$topt = new \OTPHP\TOTP($secret);
	46	$otp_check = $topt->now();
	47
	48	if ($otp_enabled) {
	49	if ($otp) {
	50	if ($otp != $otp_check) {
	51	return false;
	52	}
	53	} else {
2d684749	54	$return = urlencode($_REQUEST["return"]);
02cd6de1	55	?><html>
c3637c4d	56	<head>
	57	<title>Tiny Tiny RSS</title>
	58	<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
	59	</head>
09bc54c6 AD	60	<?php echo stylesheet_tag("css/default.css") ?>
09bc54c6 AD	61	<body class="ttrss_utility otp"><div class="content">
2d684749	62	<form action="public.php?return=<?php echo $return ?>"
da1e51cd	63	method="POST" class="otpform">
2d684749	64	<input type="hidden" name="op" value="login">
02cd6de1 AD	65	<input type="hidden" name="login" value="<?php echo htmlspecialchars($login) ?>">
02cd6de1 AD	66	<input type="hidden" name="password" value="<?php echo htmlspecialchars($password) ?>">
a0dfd7ef AD	67	<input type="hidden" name="bw_limit" value="<?php echo htmlspecialchars($_POST["bw_limit"]) ?>">
	68	<input type="hidden" name="remember_me" value="<?php echo htmlspecialchars($_POST["remember_me"]) ?>">
	69	<input type="hidden" name="profile" value="<?php echo htmlspecialchars($_POST["profile"]) ?>">
02cd6de1 AD	70
02cd6de1 AD	71	<label><?php echo __("Please enter your one time password:") ?></label>
6f148528	72	<input autocomplete="off" size="6" name="otp" value=""/>
02cd6de1	73	<input type="submit" value="Continue"/>
da1e51cd	74	</form></div>
b8cdc394 AD	75	<script type="text/javascript">
	76	document.forms[0].otp.focus();
	77	</script>
02cd6de1 AD	78	<?php
02cd6de1 AD	79	exit;
4e70344b	80	}
fb70f26e	81	}
fb70f26e AD	82	}
	83	}
	84	}
0d421af8	85
6322ac79	86	if (get_schema_version() > 87) {
0d421af8	87
7d960ce7 AD	88	$sth = $this->pdo->prepare("SELECT salt FROM ttrss_users WHERE login = ?");
7d960ce7 AD	89	$sth->execute([$login]);
0d421af8	90
7d960ce7 AD	91	if ($row = $sth->fetch()) {
7d960ce7 AD	92	$salt = $row['salt'];
0d421af8	93
7d960ce7	94	if ($salt == "") {
0d421af8	95
7d960ce7 AD	96	$sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE
7d960ce7 AD	97	login = ? AND (pwd_hash = ? OR pwd_hash = ?)");
0d421af8	98
7d960ce7	99	$sth->execute([$login, $pwd_hash1, $pwd_hash2]);
0d421af8	100
7d960ce7	101	// verify and upgrade password to new salt base
0d421af8	102
7d960ce7 AD	103	if ($row = $sth->fetch()) {
7d960ce7 AD	104	// upgrade password to MODE2
0d421af8	105
7d960ce7	106	$user_id = $row['id'];
0d421af8	107
7d960ce7 AD	108	$salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
	109	$pwd_hash = encrypt_password($password, $salt, true);
	110
	111	$sth = $this->pdo->prepare("UPDATE ttrss_users SET
	112	pwd_hash = ?, salt = ? WHERE login = ?");
0d421af8	113
7d960ce7	114	$sth->execute([$pwd_hash, $salt, $login]);
0d421af8	115
7d960ce7 AD	116	return $user_id;
	117
	118	} else {
	119	return false;
	120	}
0d421af8 AD	121
0d421af8 AD	122	} else {
7d960ce7 AD	123	$pwd_hash = encrypt_password($password, $salt, true);
	124
	125	$sth = $this->pdo->prepare("SELECT id
	126	FROM ttrss_users WHERE
	127	login = ? AND pwd_hash = ?");
	128	$sth->execute([$login, $pwd_hash]);
	129
	130	if ($row = $sth->fetch()) {
	131	return $row['id'];
	132	}
0d421af8 AD	133	}
	134
	135	} else {
7d960ce7 AD	136	$sth = $this->pdo->prepare("SELECT id
	137	FROM ttrss_users WHERE
	138	login = ? AND (pwd_hash = ? OR pwd_hash = ?)");
0d421af8	139
7d960ce7	140	$sth->execute([$login, $pwd_hash1, $pwd_hash2]);
0d421af8	141
7d960ce7 AD	142	if ($row = $sth->fetch()) {
	143	return $row['id'];
	144	}
0d421af8	145	}
0d421af8	146	} else {
7d960ce7 AD	147	$sth = $this->pdo->prepare("SELECT id
	148	FROM ttrss_users WHERE
	149	login = ? AND (pwd_hash = ? OR pwd_hash = ?)");
0d421af8	150
7d960ce7	151	$sth->execute([$login, $pwd_hash1, $pwd_hash2]);
0d421af8	152
7d960ce7 AD	153	if ($row = $sth->fetch()) {
	154	return $row['id'];
	155	}
	156	}
0d421af8 AD	157
	158	return false;
	159	}
d5fd183d	160
3ca8af7f	161	function check_password($owner_uid, $password) {
d5fd183d	162
7d960ce7 AD	163	$sth = $this->pdo->prepare("SELECT salt,login FROM ttrss_users WHERE
	164	id = ?");
	165	$sth->execute([$owner_uid]);
d5fd183d	166
7d960ce7	167	if ($row = $sth->fetch()) {
d5fd183d	168
7d960ce7 AD	169	$salt = $row['salt'];
7d960ce7 AD	170	$login = $row['login'];
d5fd183d	171
7d960ce7 AD	172	if (!$salt) {
	173	$password_hash1 = encrypt_password($password);
	174	$password_hash2 = encrypt_password($password, $login);
d5fd183d	175
7d960ce7 AD	176	$sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE
7d960ce7 AD	177	id = ? AND (pwd_hash = ? OR pwd_hash = ?)");
d5fd183d	178
7d960ce7 AD	179	$sth->execute([$owner_uid, $password_hash1, $password_hash2]);
	180
	181	return $sth->fetch();
d5fd183d	182
7d960ce7 AD	183	} else {
	184	$password_hash = encrypt_password($password, $salt, true);
	185
	186	$sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE
	187	id = ? AND pwd_hash = ?");
	188
	189	$sth->execute([$owner_uid, $password_hash]);
	190
	191	return $sth->fetch();
	192	}
	193	}
d5fd183d	194
7d960ce7	195	return false;
3ca8af7f AD	196	}
	197
	198	function change_password($owner_uid, $old_password, $new_password) {
3ca8af7f AD	199
3ca8af7f AD	200	if ($this->check_password($owner_uid, $old_password)) {
d5fd183d AD	201
	202	$new_salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
	203	$new_password_hash = encrypt_password($new_password, $new_salt, true);
	204
7d960ce7 AD	205	$sth = $this->pdo->prepare("UPDATE ttrss_users SET
	206	pwd_hash = ?, salt = ?, otp_enabled = false
	207	WHERE id = ?");
	208	$sth->execute([$new_password_hash, $new_salt, $owner_uid]);
d5fd183d AD	209
	210	$_SESSION["pwd_hash"] = $new_password_hash;
	211
	212	return __("Password has been changed.");
	213	} else {
	214	return "ERROR: ".__('Old password is incorrect.');
	215	}
	216	}
106a3de9 AD	217
	218	function api_version() {
	219	return 2;
	220	}
	221
0d421af8 AD	222	}
0d421af8 AD	223	?>