[tt-rss.git] / plugins / auth_internal / init.php

<?php
class Auth_Internal extends Plugin implements IAuthModule {

	private $host;

	function about() {
		return array(1.0,
			"Authenticates against internal tt-rss database",
			"fox",
			true);
	}

    function init($host) {
		$this->host = $host;
		$this->pdo = Db::pdo();

		$host->add_hook($host::HOOK_AUTH_USER, $this);
	}

	function authenticate($login, $password) {

		$pwd_hash1 = encrypt_password($password);
		$pwd_hash2 = encrypt_password($password, $login);
		$otp = $_REQUEST["otp"];

		if (get_schema_version() > 96) {
			if (!defined('AUTH_DISABLE_OTP') || !AUTH_DISABLE_OTP) {

				$sth = $this->pdo->prepare("SELECT otp_enabled,salt FROM ttrss_users WHERE
					login = ?");
				$sth->execute([$login]);

				if ($row = $sth->fetch()) {

					require_once "lib/otphp/vendor/base32.php";
					require_once "lib/otphp/lib/otp.php";
					require_once "lib/otphp/lib/totp.php";

					$base32 = new Base32();

					$otp_enabled = $row['otp_enabled'];
					$secret = $base32->encode(sha1($row['salt']));

					$topt = new \OTPHP\TOTP($secret);
					$otp_check = $topt->now();

					if ($otp_enabled) {
						if ($otp) {
							if ($otp != $otp_check) {
								return false;
							}
						} else {
							$return = urlencode($_REQUEST["return"]);
							?><html>
								<head><title>Tiny Tiny RSS</title></head>
								<?php echo stylesheet_tag("css/utility.css") ?>
							<body class="otp"><div class="content">
							<form action="public.php?return=<?php echo $return ?>"
									method="POST" class="otpform">
								<input type="hidden" name="op" value="login">
								<input type="hidden" name="login" value="<?php echo htmlspecialchars($login) ?>">
								<input type="hidden" name="password" value="<?php echo htmlspecialchars($password) ?>">
								<input type="hidden" name="bw_limit" value="<?php echo htmlspecialchars($_POST["bw_limit"]) ?>">
								<input type="hidden" name="remember_me" value="<?php echo htmlspecialchars($_POST["remember_me"]) ?>">
								<input type="hidden" name="profile" value="<?php echo htmlspecialchars($_POST["profile"]) ?>">

								<label><?php echo __("Please enter your one time password:") ?></label>
								<input autocomplete="off" size="6" name="otp" value=""/>
								<input type="submit" value="Continue"/>
							</form></div>
							<script type="text/javascript">
								document.forms[0].otp.focus();
							</script>
							<?php
							exit;
						}
					}
				}
			}
		}

		if (get_schema_version() > 87) {

			$sth = $this->pdo->prepare("SELECT salt FROM ttrss_users WHERE login = ?");
			$sth->execute([$login]);

			if ($row = $sth->fetch()) {
				$salt = $row['salt'];

				if ($salt == "") {

					$sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE
                        login = ? AND (pwd_hash = ? OR pwd_hash = ?)");

					$sth->execute([$login, $pwd_hash1, $pwd_hash2]);

					// verify and upgrade password to new salt base

					if ($row = $sth->fetch()) {
						// upgrade password to MODE2

						$user_id = $row['id'];

						$salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
						$pwd_hash = encrypt_password($password, $salt, true);

						$sth = $this->pdo->prepare("UPDATE ttrss_users SET
					        pwd_hash = ?, salt = ? WHERE login = ?");

						$sth->execute([$pwd_hash, $salt, $login]);

						return $user_id;

					} else {
						return false;
					}

				} else {
					$pwd_hash = encrypt_password($password, $salt, true);

					$sth = $this->pdo->prepare("SELECT id
  		                  FROM ttrss_users WHERE
					      login = ? AND pwd_hash = ?");
					$sth->execute([$login, $pwd_hash]);

					if ($row = $sth->fetch()) {
						return $row['id'];
					}
				}

			} else {
				$sth = $this->pdo->prepare("SELECT id
                    FROM ttrss_users WHERE
                      login = ? AND (pwd_hash = ? OR pwd_hash = ?)");

				$sth->execute([$login, $pwd_hash1, $pwd_hash2]);

				if ($row = $sth->fetch()) {
					return $row['id'];
				}
			}
		} else {
			$sth = $this->pdo->prepare("SELECT id
                    FROM ttrss_users WHERE
                      login = ? AND (pwd_hash = ? OR pwd_hash = ?)");

			$sth->execute([$login, $pwd_hash1, $pwd_hash2]);

			if ($row = $sth->fetch()) {
				return $row['id'];
			}
        }

		return false;
	}

	function check_password($owner_uid, $password) {

		$sth = $this->pdo->prepare("SELECT salt,login FROM ttrss_users WHERE
			id = ?");
		$sth->execute([$owner_uid]);

		if ($row = $sth->fetch()) {

			$salt = $row['salt'];
			$login = $row['login'];

			if (!$salt) {
				$password_hash1 = encrypt_password($password);
				$password_hash2 = encrypt_password($password, $login);

				$sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE
                    id = ? AND (pwd_hash = ? OR pwd_hash = ?)");

				$sth->execute([$owner_uid, $password_hash1, $password_hash2]);

				return $sth->fetch();

			} else {
				$password_hash = encrypt_password($password, $salt, true);

				$sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE
                    id = ? AND pwd_hash = ?");

				$sth->execute([$owner_uid, $password_hash]);

				return $sth->fetch();
			}
		}

        return false;
	}

	function change_password($owner_uid, $old_password, $new_password) {

		if ($this->check_password($owner_uid, $old_password)) {

			$new_salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
			$new_password_hash = encrypt_password($new_password, $new_salt, true);

			$sth = $this->pdo->prepare("UPDATE ttrss_users SET
				pwd_hash = ?, salt = ?, otp_enabled = false
					WHERE id = ?");
			$sth->execute([$new_password_hash, $new_salt, $owner_uid]);

			$_SESSION["pwd_hash"] = $new_password_hash;

			return __("Password has been changed.");
		} else {
			return "ERROR: ".__('Old password is incorrect.');
		}
	}

	function api_version() {
		return 2;
	}

}
?>
Commit	Line	Data
0d421af8	1	<?php
0f28f81f	2	class Auth_Internal extends Plugin implements IAuthModule {
7d960ce7	3
0f28f81f AD	4	private $host;
	5
	6	function about() {
	7	return array(1.0,
	8	"Authenticates against internal tt-rss database",
	9	"fox",
	10	true);
	11	}
	12
7d960ce7	13	function init($host) {
0f28f81f	14	$this->host = $host;
7d960ce7	15	$this->pdo = Db::pdo();
0f28f81f AD	16
	17	$host->add_hook($host::HOOK_AUTH_USER, $this);
	18	}
0d421af8 AD	19
	20	function authenticate($login, $password) {
	21
	22	$pwd_hash1 = encrypt_password($password);
	23	$pwd_hash2 = encrypt_password($password, $login);
7d960ce7	24	$otp = $_REQUEST["otp"];
fb70f26e	25
6322ac79	26	if (get_schema_version() > 96) {
d1e31c7a	27	if (!defined('AUTH_DISABLE_OTP') \|\| !AUTH_DISABLE_OTP) {
e441b583	28
7d960ce7 AD	29	$sth = $this->pdo->prepare("SELECT otp_enabled,salt FROM ttrss_users WHERE
	30	login = ?");
	31	$sth->execute([$login]);
02cd6de1	32
7d960ce7	33	if ($row = $sth->fetch()) {
e441b583	34
02cd6de1 AD	35	require_once "lib/otphp/vendor/base32.php";
	36	require_once "lib/otphp/lib/otp.php";
	37	require_once "lib/otphp/lib/totp.php";
	38
	39	$base32 = new Base32();
	40
7d960ce7 AD	41	$otp_enabled = $row['otp_enabled'];
7d960ce7 AD	42	$secret = $base32->encode(sha1($row['salt']));
02cd6de1 AD	43
	44	$topt = new \OTPHP\TOTP($secret);
	45	$otp_check = $topt->now();
	46
	47	if ($otp_enabled) {
	48	if ($otp) {
	49	if ($otp != $otp_check) {
	50	return false;
	51	}
	52	} else {
2d684749	53	$return = urlencode($_REQUEST["return"]);
02cd6de1 AD	54	?><html>
02cd6de1 AD	55	<head><title>Tiny Tiny RSS</title></head>
cdbcb277	56	<?php echo stylesheet_tag("css/utility.css") ?>
da1e51cd	57	<body class="otp"><div class="content">
2d684749	58	<form action="public.php?return=<?php echo $return ?>"
da1e51cd	59	method="POST" class="otpform">
2d684749	60	<input type="hidden" name="op" value="login">
02cd6de1 AD	61	<input type="hidden" name="login" value="<?php echo htmlspecialchars($login) ?>">
02cd6de1 AD	62	<input type="hidden" name="password" value="<?php echo htmlspecialchars($password) ?>">
a0dfd7ef AD	63	<input type="hidden" name="bw_limit" value="<?php echo htmlspecialchars($_POST["bw_limit"]) ?>">
	64	<input type="hidden" name="remember_me" value="<?php echo htmlspecialchars($_POST["remember_me"]) ?>">
	65	<input type="hidden" name="profile" value="<?php echo htmlspecialchars($_POST["profile"]) ?>">
02cd6de1 AD	66
02cd6de1 AD	67	<label><?php echo __("Please enter your one time password:") ?></label>
6f148528	68	<input autocomplete="off" size="6" name="otp" value=""/>
02cd6de1	69	<input type="submit" value="Continue"/>
da1e51cd	70	</form></div>
b8cdc394 AD	71	<script type="text/javascript">
	72	document.forms[0].otp.focus();
	73	</script>
02cd6de1 AD	74	<?php
02cd6de1 AD	75	exit;
4e70344b	76	}
fb70f26e	77	}
fb70f26e AD	78	}
	79	}
	80	}
0d421af8	81
6322ac79	82	if (get_schema_version() > 87) {
0d421af8	83
7d960ce7 AD	84	$sth = $this->pdo->prepare("SELECT salt FROM ttrss_users WHERE login = ?");
7d960ce7 AD	85	$sth->execute([$login]);
0d421af8	86
7d960ce7 AD	87	if ($row = $sth->fetch()) {
7d960ce7 AD	88	$salt = $row['salt'];
0d421af8	89
7d960ce7	90	if ($salt == "") {
0d421af8	91
7d960ce7 AD	92	$sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE
7d960ce7 AD	93	login = ? AND (pwd_hash = ? OR pwd_hash = ?)");
0d421af8	94
7d960ce7	95	$sth->execute([$login, $pwd_hash1, $pwd_hash2]);
0d421af8	96
7d960ce7	97	// verify and upgrade password to new salt base
0d421af8	98
7d960ce7 AD	99	if ($row = $sth->fetch()) {
7d960ce7 AD	100	// upgrade password to MODE2
0d421af8	101
7d960ce7	102	$user_id = $row['id'];
0d421af8	103
7d960ce7 AD	104	$salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
	105	$pwd_hash = encrypt_password($password, $salt, true);
	106
	107	$sth = $this->pdo->prepare("UPDATE ttrss_users SET
	108	pwd_hash = ?, salt = ? WHERE login = ?");
0d421af8	109
7d960ce7	110	$sth->execute([$pwd_hash, $salt, $login]);
0d421af8	111
7d960ce7 AD	112	return $user_id;
	113
	114	} else {
	115	return false;
	116	}
0d421af8 AD	117
0d421af8 AD	118	} else {
7d960ce7 AD	119	$pwd_hash = encrypt_password($password, $salt, true);
	120
	121	$sth = $this->pdo->prepare("SELECT id
	122	FROM ttrss_users WHERE
	123	login = ? AND pwd_hash = ?");
	124	$sth->execute([$login, $pwd_hash]);
	125
	126	if ($row = $sth->fetch()) {
	127	return $row['id'];
	128	}
0d421af8 AD	129	}
	130
	131	} else {
7d960ce7 AD	132	$sth = $this->pdo->prepare("SELECT id
	133	FROM ttrss_users WHERE
	134	login = ? AND (pwd_hash = ? OR pwd_hash = ?)");
0d421af8	135
7d960ce7	136	$sth->execute([$login, $pwd_hash1, $pwd_hash2]);
0d421af8	137
7d960ce7 AD	138	if ($row = $sth->fetch()) {
	139	return $row['id'];
	140	}
0d421af8	141	}
0d421af8	142	} else {
7d960ce7 AD	143	$sth = $this->pdo->prepare("SELECT id
	144	FROM ttrss_users WHERE
	145	login = ? AND (pwd_hash = ? OR pwd_hash = ?)");
0d421af8	146
7d960ce7	147	$sth->execute([$login, $pwd_hash1, $pwd_hash2]);
0d421af8	148
7d960ce7 AD	149	if ($row = $sth->fetch()) {
	150	return $row['id'];
	151	}
	152	}
0d421af8 AD	153
	154	return false;
	155	}
d5fd183d	156
3ca8af7f	157	function check_password($owner_uid, $password) {
d5fd183d	158
7d960ce7 AD	159	$sth = $this->pdo->prepare("SELECT salt,login FROM ttrss_users WHERE
	160	id = ?");
	161	$sth->execute([$owner_uid]);
d5fd183d	162
7d960ce7	163	if ($row = $sth->fetch()) {
d5fd183d	164
7d960ce7 AD	165	$salt = $row['salt'];
7d960ce7 AD	166	$login = $row['login'];
d5fd183d	167
7d960ce7 AD	168	if (!$salt) {
	169	$password_hash1 = encrypt_password($password);
	170	$password_hash2 = encrypt_password($password, $login);
d5fd183d	171
7d960ce7 AD	172	$sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE
7d960ce7 AD	173	id = ? AND (pwd_hash = ? OR pwd_hash = ?)");
d5fd183d	174
7d960ce7 AD	175	$sth->execute([$owner_uid, $password_hash1, $password_hash2]);
	176
	177	return $sth->fetch();
d5fd183d	178
7d960ce7 AD	179	} else {
	180	$password_hash = encrypt_password($password, $salt, true);
	181
	182	$sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE
	183	id = ? AND pwd_hash = ?");
	184
	185	$sth->execute([$owner_uid, $password_hash]);
	186
	187	return $sth->fetch();
	188	}
	189	}
d5fd183d	190
7d960ce7	191	return false;
3ca8af7f AD	192	}
	193
	194	function change_password($owner_uid, $old_password, $new_password) {
3ca8af7f AD	195
3ca8af7f AD	196	if ($this->check_password($owner_uid, $old_password)) {
d5fd183d AD	197
	198	$new_salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
	199	$new_password_hash = encrypt_password($new_password, $new_salt, true);
	200
7d960ce7 AD	201	$sth = $this->pdo->prepare("UPDATE ttrss_users SET
	202	pwd_hash = ?, salt = ?, otp_enabled = false
	203	WHERE id = ?");
	204	$sth->execute([$new_password_hash, $new_salt, $owner_uid]);
d5fd183d AD	205
	206	$_SESSION["pwd_hash"] = $new_password_hash;
	207
	208	return __("Password has been changed.");
	209	} else {
	210	return "ERROR: ".__('Old password is incorrect.');
	211	}
	212	}
106a3de9 AD	213
	214	function api_version() {
	215	return 2;
	216	}
	217
0d421af8 AD	218	}
0d421af8 AD	219	?>