]> git.wh0rd.org - tt-rss.git/blob - plugins/auth_internal/init.php
git.wh0rd.org / tt-rss.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
auth_internal: use PDO + other fixes
[tt-rss.git] / plugins / auth_internal / init.php
1 <?php
2 class Auth_Internal extends Plugin implements IAuthModule {
3
4 private $host;
5
6 function about() {
7 return array(1.0,
8 "Authenticates against internal tt-rss database",
9 "fox",
10 true);
11 }
12
13 function init($host) {
14 $this->host = $host;
15 $this->pdo = Db::pdo();
16
17 $host->add_hook($host::HOOK_AUTH_USER, $this);
18 }
19
20 function authenticate($login, $password) {
21
22 $pwd_hash1 = encrypt_password($password);
23 $pwd_hash2 = encrypt_password($password, $login);
24 $otp = $_REQUEST["otp"];
25
26 if (get_schema_version() > 96) {
27 if (!defined('AUTH_DISABLE_OTP') || !AUTH_DISABLE_OTP) {
28
29 $sth = $this->pdo->prepare("SELECT otp_enabled,salt FROM ttrss_users WHERE
30 login = ?");
31 $sth->execute([$login]);
32
33 if ($row = $sth->fetch()) {
34
35 require_once "lib/otphp/vendor/base32.php";
36 require_once "lib/otphp/lib/otp.php";
37 require_once "lib/otphp/lib/totp.php";
38
39 $base32 = new Base32();
40
41 $otp_enabled = $row['otp_enabled'];
42 $secret = $base32->encode(sha1($row['salt']));
43
44 $topt = new \OTPHP\TOTP($secret);
45 $otp_check = $topt->now();
46
47 if ($otp_enabled) {
48 if ($otp) {
49 if ($otp != $otp_check) {
50 return false;
51 }
52 } else {
53 $return = urlencode($_REQUEST["return"]);
54 ?><html>
55 <head><title>Tiny Tiny RSS</title></head>
56 <?php echo stylesheet_tag("css/utility.css") ?>
57 <body class="otp"><div class="content">
58 <form action="public.php?return=<?php echo $return ?>"
59 method="POST" class="otpform">
60 <input type="hidden" name="op" value="login">
61 <input type="hidden" name="login" value="<?php echo htmlspecialchars($login) ?>">
62 <input type="hidden" name="password" value="<?php echo htmlspecialchars($password) ?>">
63 <input type="hidden" name="bw_limit" value="<?php echo htmlspecialchars($_POST["bw_limit"]) ?>">
64 <input type="hidden" name="remember_me" value="<?php echo htmlspecialchars($_POST["remember_me"]) ?>">
65 <input type="hidden" name="profile" value="<?php echo htmlspecialchars($_POST["profile"]) ?>">
66
67 <label><?php echo __("Please enter your one time password:") ?></label>
68 <input autocomplete="off" size="6" name="otp" value=""/>
69 <input type="submit" value="Continue"/>
70 </form></div>
71 <script type="text/javascript">
72 document.forms[0].otp.focus();
73 </script>
74 <?php
75 exit;
76 }
77 }
78 }
79 }
80 }
81
82 if (get_schema_version() > 87) {
83
84 $sth = $this->pdo->prepare("SELECT salt FROM ttrss_users WHERE login = ?");
85 $sth->execute([$login]);
86
87 if ($row = $sth->fetch()) {
88 $salt = $row['salt'];
89
90 if ($salt == "") {
91
92 $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE
93 login = ? AND (pwd_hash = ? OR pwd_hash = ?)");
94
95 $sth->execute([$login, $pwd_hash1, $pwd_hash2]);
96
97 // verify and upgrade password to new salt base
98
99 if ($row = $sth->fetch()) {
100 // upgrade password to MODE2
101
102 $user_id = $row['id'];
103
104 $salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
105 $pwd_hash = encrypt_password($password, $salt, true);
106
107 $sth = $this->pdo->prepare("UPDATE ttrss_users SET
108 pwd_hash = ?, salt = ? WHERE login = ?");
109
110 $sth->execute([$pwd_hash, $salt, $login]);
111
112 return $user_id;
113
114 } else {
115 return false;
116 }
117
118 } else {
119 $pwd_hash = encrypt_password($password, $salt, true);
120
121 $sth = $this->pdo->prepare("SELECT id
122 FROM ttrss_users WHERE
123 login = ? AND pwd_hash = ?");
124 $sth->execute([$login, $pwd_hash]);
125
126 if ($row = $sth->fetch()) {
127 return $row['id'];
128 }
129 }
130
131 } else {
132 $sth = $this->pdo->prepare("SELECT id
133 FROM ttrss_users WHERE
134 login = ? AND (pwd_hash = ? OR pwd_hash = ?)");
135
136 $sth->execute([$login, $pwd_hash1, $pwd_hash2]);
137
138 if ($row = $sth->fetch()) {
139 return $row['id'];
140 }
141 }
142 } else {
143 $sth = $this->pdo->prepare("SELECT id
144 FROM ttrss_users WHERE
145 login = ? AND (pwd_hash = ? OR pwd_hash = ?)");
146
147 $sth->execute([$login, $pwd_hash1, $pwd_hash2]);
148
149 if ($row = $sth->fetch()) {
150 return $row['id'];
151 }
152 }
153
154 return false;
155 }
156
157 function check_password($owner_uid, $password) {
158
159 $sth = $this->pdo->prepare("SELECT salt,login FROM ttrss_users WHERE
160 id = ?");
161 $sth->execute([$owner_uid]);
162
163 if ($row = $sth->fetch()) {
164
165 $salt = $row['salt'];
166 $login = $row['login'];
167
168 if (!$salt) {
169 $password_hash1 = encrypt_password($password);
170 $password_hash2 = encrypt_password($password, $login);
171
172 $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE
173 id = ? AND (pwd_hash = ? OR pwd_hash = ?)");
174
175 $sth->execute([$owner_uid, $password_hash1, $password_hash2]);
176
177 return $sth->fetch();
178
179 } else {
180 $password_hash = encrypt_password($password, $salt, true);
181
182 $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE
183 id = ? AND pwd_hash = ?");
184
185 $sth->execute([$owner_uid, $password_hash]);
186
187 return $sth->fetch();
188 }
189 }
190
191 return false;
192 }
193
194 function change_password($owner_uid, $old_password, $new_password) {
195
196 if ($this->check_password($owner_uid, $old_password)) {
197
198 $new_salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
199 $new_password_hash = encrypt_password($new_password, $new_salt, true);
200
201 $sth = $this->pdo->prepare("UPDATE ttrss_users SET
202 pwd_hash = ?, salt = ?, otp_enabled = false
203 WHERE id = ?");
204 $sth->execute([$new_password_hash, $new_salt, $owner_uid]);
205
206 $_SESSION["pwd_hash"] = $new_password_hash;
207
208 return __("Password has been changed.");
209 } else {
210 return "ERROR: ".__('Old password is incorrect.');
211 }
212 }
213
214 function api_version() {
215 return 2;
216 }
217
218 }
219 ?>
web-based news feed (RSS/Atom) reader and aggregator; see https://tt-rss.org/