[tt-rss.git] / plugins / auth_internal / init.php

<?php
class Auth_Internal extends Plugin implements IAuthModule {

	private $host;

	function about() {
		return array(1.0,
			"Authenticates against internal tt-rss database",
			"fox",
			true);
	}

    /* @var PluginHost $host */
    function init($host) {
		$this->host = $host;
		$this->pdo = Db::pdo();

		$host->add_hook($host::HOOK_AUTH_USER, $this);
	}

	function authenticate($login, $password) {

		$pwd_hash1 = encrypt_password($password);
		$pwd_hash2 = encrypt_password($password, $login);
		$otp = $_REQUEST["otp"];

		if (get_schema_version() > 96) {
			if (!defined('AUTH_DISABLE_OTP') || !AUTH_DISABLE_OTP) {

				$sth = $this->pdo->prepare("SELECT otp_enabled,salt FROM ttrss_users WHERE
					login = ?");
				$sth->execute([$login]);

				if ($row = $sth->fetch()) {

					require_once "lib/otphp/vendor/base32.php";
					require_once "lib/otphp/lib/otp.php";
					require_once "lib/otphp/lib/totp.php";

					$base32 = new Base32();

					$otp_enabled = $row['otp_enabled'];
					$secret = $base32->encode(sha1($row['salt']));

					$topt = new \OTPHP\TOTP($secret);
					$otp_check = $topt->now();

					if ($otp_enabled) {
						if ($otp) {
							if ($otp != $otp_check) {
								return false;
							}
						} else {
							$return = urlencode($_REQUEST["return"]);
							?><html>
								<head><title>Tiny Tiny RSS</title></head>
								<?php echo stylesheet_tag("css/default.css") ?>
							<body class="ttrss_utility otp"><div class="content">
							<form action="public.php?return=<?php echo $return ?>"
									method="POST" class="otpform">
								<input type="hidden" name="op" value="login">
								<input type="hidden" name="login" value="<?php echo htmlspecialchars($login) ?>">
								<input type="hidden" name="password" value="<?php echo htmlspecialchars($password) ?>">
								<input type="hidden" name="bw_limit" value="<?php echo htmlspecialchars($_POST["bw_limit"]) ?>">
								<input type="hidden" name="remember_me" value="<?php echo htmlspecialchars($_POST["remember_me"]) ?>">
								<input type="hidden" name="profile" value="<?php echo htmlspecialchars($_POST["profile"]) ?>">

								<label><?php echo __("Please enter your one time password:") ?></label>
								<input autocomplete="off" size="6" name="otp" value=""/>
								<input type="submit" value="Continue"/>
							</form></div>
							<script type="text/javascript">
								document.forms[0].otp.focus();
							</script>
							<?php
							exit;
						}
					}
				}
			}
		}

		if (get_schema_version() > 87) {

			$sth = $this->pdo->prepare("SELECT salt FROM ttrss_users WHERE login = ?");
			$sth->execute([$login]);

			if ($row = $sth->fetch()) {
				$salt = $row['salt'];

				if ($salt == "") {

					$sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE
                        login = ? AND (pwd_hash = ? OR pwd_hash = ?)");

					$sth->execute([$login, $pwd_hash1, $pwd_hash2]);

					// verify and upgrade password to new salt base

					if ($row = $sth->fetch()) {
						// upgrade password to MODE2

						$user_id = $row['id'];

						$salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
						$pwd_hash = encrypt_password($password, $salt, true);

						$sth = $this->pdo->prepare("UPDATE ttrss_users SET
					        pwd_hash = ?, salt = ? WHERE login = ?");

						$sth->execute([$pwd_hash, $salt, $login]);

						return $user_id;

					} else {
						return false;
					}

				} else {
					$pwd_hash = encrypt_password($password, $salt, true);

					$sth = $this->pdo->prepare("SELECT id
  		                  FROM ttrss_users WHERE
					      login = ? AND pwd_hash = ?");
					$sth->execute([$login, $pwd_hash]);

					if ($row = $sth->fetch()) {
						return $row['id'];
					}
				}

			} else {
				$sth = $this->pdo->prepare("SELECT id
                    FROM ttrss_users WHERE
                      login = ? AND (pwd_hash = ? OR pwd_hash = ?)");

				$sth->execute([$login, $pwd_hash1, $pwd_hash2]);

				if ($row = $sth->fetch()) {
					return $row['id'];
				}
			}
		} else {
			$sth = $this->pdo->prepare("SELECT id
                    FROM ttrss_users WHERE
                      login = ? AND (pwd_hash = ? OR pwd_hash = ?)");

			$sth->execute([$login, $pwd_hash1, $pwd_hash2]);

			if ($row = $sth->fetch()) {
				return $row['id'];
			}
        }

		return false;
	}

	function check_password($owner_uid, $password) {

		$sth = $this->pdo->prepare("SELECT salt,login FROM ttrss_users WHERE
			id = ?");
		$sth->execute([$owner_uid]);

		if ($row = $sth->fetch()) {

			$salt = $row['salt'];
			$login = $row['login'];

			if (!$salt) {
				$password_hash1 = encrypt_password($password);
				$password_hash2 = encrypt_password($password, $login);

				$sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE
                    id = ? AND (pwd_hash = ? OR pwd_hash = ?)");

				$sth->execute([$owner_uid, $password_hash1, $password_hash2]);

				return $sth->fetch();

			} else {
				$password_hash = encrypt_password($password, $salt, true);

				$sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE
                    id = ? AND pwd_hash = ?");

				$sth->execute([$owner_uid, $password_hash]);

				return $sth->fetch();
			}
		}

        return false;
	}

	function change_password($owner_uid, $old_password, $new_password) {

		if ($this->check_password($owner_uid, $old_password)) {

			$new_salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
			$new_password_hash = encrypt_password($new_password, $new_salt, true);

			$sth = $this->pdo->prepare("UPDATE ttrss_users SET
				pwd_hash = ?, salt = ?, otp_enabled = false
					WHERE id = ?");
			$sth->execute([$new_password_hash, $new_salt, $owner_uid]);

			$_SESSION["pwd_hash"] = $new_password_hash;

			return __("Password has been changed.");
		} else {
			return "ERROR: ".__('Old password is incorrect.');
		}
	}

	function api_version() {
		return 2;
	}

}
?>
Commit	Line	Data
0d421af8	1	<?php
0f28f81f	2	class Auth_Internal extends Plugin implements IAuthModule {
7d960ce7	3
0f28f81f AD	4	private $host;
	5
	6	function about() {
	7	return array(1.0,
	8	"Authenticates against internal tt-rss database",
	9	"fox",
	10	true);
	11	}
	12
b431d525	13	/* @var PluginHost $host */
7d960ce7	14	function init($host) {
0f28f81f	15	$this->host = $host;
7d960ce7	16	$this->pdo = Db::pdo();
0f28f81f AD	17
	18	$host->add_hook($host::HOOK_AUTH_USER, $this);
	19	}
0d421af8 AD	20
	21	function authenticate($login, $password) {
	22
	23	$pwd_hash1 = encrypt_password($password);
	24	$pwd_hash2 = encrypt_password($password, $login);
7d960ce7	25	$otp = $_REQUEST["otp"];
fb70f26e	26
6322ac79	27	if (get_schema_version() > 96) {
d1e31c7a	28	if (!defined('AUTH_DISABLE_OTP') \|\| !AUTH_DISABLE_OTP) {
e441b583	29
7d960ce7 AD	30	$sth = $this->pdo->prepare("SELECT otp_enabled,salt FROM ttrss_users WHERE
	31	login = ?");
	32	$sth->execute([$login]);
02cd6de1	33
7d960ce7	34	if ($row = $sth->fetch()) {
e441b583	35
02cd6de1 AD	36	require_once "lib/otphp/vendor/base32.php";
	37	require_once "lib/otphp/lib/otp.php";
	38	require_once "lib/otphp/lib/totp.php";
	39
	40	$base32 = new Base32();
	41
7d960ce7 AD	42	$otp_enabled = $row['otp_enabled'];
7d960ce7 AD	43	$secret = $base32->encode(sha1($row['salt']));
02cd6de1 AD	44
	45	$topt = new \OTPHP\TOTP($secret);
	46	$otp_check = $topt->now();
	47
	48	if ($otp_enabled) {
	49	if ($otp) {
	50	if ($otp != $otp_check) {
	51	return false;
	52	}
	53	} else {
2d684749	54	$return = urlencode($_REQUEST["return"]);
02cd6de1 AD	55	?><html>
02cd6de1 AD	56	<head><title>Tiny Tiny RSS</title></head>
09bc54c6 AD	57	<?php echo stylesheet_tag("css/default.css") ?>
09bc54c6 AD	58	<body class="ttrss_utility otp"><div class="content">
2d684749	59	<form action="public.php?return=<?php echo $return ?>"
da1e51cd	60	method="POST" class="otpform">
2d684749	61	<input type="hidden" name="op" value="login">
02cd6de1 AD	62	<input type="hidden" name="login" value="<?php echo htmlspecialchars($login) ?>">
02cd6de1 AD	63	<input type="hidden" name="password" value="<?php echo htmlspecialchars($password) ?>">
a0dfd7ef AD	64	<input type="hidden" name="bw_limit" value="<?php echo htmlspecialchars($_POST["bw_limit"]) ?>">
	65	<input type="hidden" name="remember_me" value="<?php echo htmlspecialchars($_POST["remember_me"]) ?>">
	66	<input type="hidden" name="profile" value="<?php echo htmlspecialchars($_POST["profile"]) ?>">
02cd6de1 AD	67
02cd6de1 AD	68	<label><?php echo __("Please enter your one time password:") ?></label>
6f148528	69	<input autocomplete="off" size="6" name="otp" value=""/>
02cd6de1	70	<input type="submit" value="Continue"/>
da1e51cd	71	</form></div>
b8cdc394 AD	72	<script type="text/javascript">
	73	document.forms[0].otp.focus();
	74	</script>
02cd6de1 AD	75	<?php
02cd6de1 AD	76	exit;
4e70344b	77	}
fb70f26e	78	}
fb70f26e AD	79	}
	80	}
	81	}
0d421af8	82
6322ac79	83	if (get_schema_version() > 87) {
0d421af8	84
7d960ce7 AD	85	$sth = $this->pdo->prepare("SELECT salt FROM ttrss_users WHERE login = ?");
7d960ce7 AD	86	$sth->execute([$login]);
0d421af8	87
7d960ce7 AD	88	if ($row = $sth->fetch()) {
7d960ce7 AD	89	$salt = $row['salt'];
0d421af8	90
7d960ce7	91	if ($salt == "") {
0d421af8	92
7d960ce7 AD	93	$sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE
7d960ce7 AD	94	login = ? AND (pwd_hash = ? OR pwd_hash = ?)");
0d421af8	95
7d960ce7	96	$sth->execute([$login, $pwd_hash1, $pwd_hash2]);
0d421af8	97
7d960ce7	98	// verify and upgrade password to new salt base
0d421af8	99
7d960ce7 AD	100	if ($row = $sth->fetch()) {
7d960ce7 AD	101	// upgrade password to MODE2
0d421af8	102
7d960ce7	103	$user_id = $row['id'];
0d421af8	104
7d960ce7 AD	105	$salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
	106	$pwd_hash = encrypt_password($password, $salt, true);
	107
	108	$sth = $this->pdo->prepare("UPDATE ttrss_users SET
	109	pwd_hash = ?, salt = ? WHERE login = ?");
0d421af8	110
7d960ce7	111	$sth->execute([$pwd_hash, $salt, $login]);
0d421af8	112
7d960ce7 AD	113	return $user_id;
	114
	115	} else {
	116	return false;
	117	}
0d421af8 AD	118
0d421af8 AD	119	} else {
7d960ce7 AD	120	$pwd_hash = encrypt_password($password, $salt, true);
	121
	122	$sth = $this->pdo->prepare("SELECT id
	123	FROM ttrss_users WHERE
	124	login = ? AND pwd_hash = ?");
	125	$sth->execute([$login, $pwd_hash]);
	126
	127	if ($row = $sth->fetch()) {
	128	return $row['id'];
	129	}
0d421af8 AD	130	}
	131
	132	} else {
7d960ce7 AD	133	$sth = $this->pdo->prepare("SELECT id
	134	FROM ttrss_users WHERE
	135	login = ? AND (pwd_hash = ? OR pwd_hash = ?)");
0d421af8	136
7d960ce7	137	$sth->execute([$login, $pwd_hash1, $pwd_hash2]);
0d421af8	138
7d960ce7 AD	139	if ($row = $sth->fetch()) {
	140	return $row['id'];
	141	}
0d421af8	142	}
0d421af8	143	} else {
7d960ce7 AD	144	$sth = $this->pdo->prepare("SELECT id
	145	FROM ttrss_users WHERE
	146	login = ? AND (pwd_hash = ? OR pwd_hash = ?)");
0d421af8	147
7d960ce7	148	$sth->execute([$login, $pwd_hash1, $pwd_hash2]);
0d421af8	149
7d960ce7 AD	150	if ($row = $sth->fetch()) {
	151	return $row['id'];
	152	}
	153	}
0d421af8 AD	154
	155	return false;
	156	}
d5fd183d	157
3ca8af7f	158	function check_password($owner_uid, $password) {
d5fd183d	159
7d960ce7 AD	160	$sth = $this->pdo->prepare("SELECT salt,login FROM ttrss_users WHERE
	161	id = ?");
	162	$sth->execute([$owner_uid]);
d5fd183d	163
7d960ce7	164	if ($row = $sth->fetch()) {
d5fd183d	165
7d960ce7 AD	166	$salt = $row['salt'];
7d960ce7 AD	167	$login = $row['login'];
d5fd183d	168
7d960ce7 AD	169	if (!$salt) {
	170	$password_hash1 = encrypt_password($password);
	171	$password_hash2 = encrypt_password($password, $login);
d5fd183d	172
7d960ce7 AD	173	$sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE
7d960ce7 AD	174	id = ? AND (pwd_hash = ? OR pwd_hash = ?)");
d5fd183d	175
7d960ce7 AD	176	$sth->execute([$owner_uid, $password_hash1, $password_hash2]);
	177
	178	return $sth->fetch();
d5fd183d	179
7d960ce7 AD	180	} else {
	181	$password_hash = encrypt_password($password, $salt, true);
	182
	183	$sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE
	184	id = ? AND pwd_hash = ?");
	185
	186	$sth->execute([$owner_uid, $password_hash]);
	187
	188	return $sth->fetch();
	189	}
	190	}
d5fd183d	191
7d960ce7	192	return false;
3ca8af7f AD	193	}
	194
	195	function change_password($owner_uid, $old_password, $new_password) {
3ca8af7f AD	196
3ca8af7f AD	197	if ($this->check_password($owner_uid, $old_password)) {
d5fd183d AD	198
	199	$new_salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
	200	$new_password_hash = encrypt_password($new_password, $new_salt, true);
	201
7d960ce7 AD	202	$sth = $this->pdo->prepare("UPDATE ttrss_users SET
	203	pwd_hash = ?, salt = ?, otp_enabled = false
	204	WHERE id = ?");
	205	$sth->execute([$new_password_hash, $new_salt, $owner_uid]);
d5fd183d AD	206
	207	$_SESSION["pwd_hash"] = $new_password_hash;
	208
	209	return __("Password has been changed.");
	210	} else {
	211	return "ERROR: ".__('Old password is incorrect.');
	212	}
	213	}
106a3de9 AD	214
	215	function api_version() {
	216	return 2;
	217	}
	218
0d421af8 AD	219	}
0d421af8 AD	220	?>