summaryrefslogtreecommitdiff
path: root/scripts/authenticate.php
diff options
context:
space:
mode:
Diffstat (limited to 'scripts/authenticate.php')
-rw-r--r--scripts/authenticate.php104
1 files changed, 104 insertions, 0 deletions
diff --git a/scripts/authenticate.php b/scripts/authenticate.php
new file mode 100644
index 0000000..dbcd882
--- /dev/null
+++ b/scripts/authenticate.php
@@ -0,0 +1,104 @@
+<?php
+
+ /********************************************************\
+ | User authentication (no output) |
+ | ~~~~~~~~~~~~~~~~~~~ |
+ \********************************************************/
+
+if (!defined('IN_FS')) {
+ die('Do not access this file directly.');
+}
+
+if (Req::val('logout')) {
+ $user->logout();
+ Flyspray::redirect($baseurl);
+}
+
+if (Req::val('user_name') != '' && Req::val('password') != '') {
+ // Otherwise, they requested login. See if they provided the correct credentials...
+ // FIXME: Do not do clean_username. Should not autostrip stuff
+ // $username = Backend::clean_username(Req::val('user_name'));
+ $username = Req::val('user_name');
+ $password = Req::val('password');
+
+ // Run the username and password through the login checker
+ if (($user_id = Flyspray::checkLogin($username, $password)) < 1) {
+ $_SESSION['failed_login'] = Req::val('user_name');
+ if($user_id === -2) {
+ Flyspray::show_error(L('usernotexist'));
+ }elseif ($user_id === -1) {
+ Flyspray::show_error(23);
+ } else /* $user_id == 0 */ {
+ // just some extra check here so that never ever an account can get locked when it's already disabled
+ // ... that would make it easy to get enabled
+ $db->query('UPDATE {users} SET login_attempts = login_attempts+1 WHERE account_enabled = 1 AND user_name = ?',
+ array($username));
+ // Lock account if failed too often for a limited amount of time
+ $db->query('UPDATE {users} SET lock_until = ?, account_enabled = 0 WHERE login_attempts > ? AND user_name = ?',
+ array(time() + 60 * $fs->prefs['lock_for'], LOGIN_ATTEMPTS, $username));
+
+ if ($db->affectedRows()) {
+ Flyspray::show_error(sprintf(L('error71'), $fs->prefs['lock_for']));
+ Flyspray::redirect($baseurl);
+ } else {
+ Flyspray::show_error(7);
+ }
+ }
+ } else {
+ // Determine if the user should be remembered on this machine
+ if (Req::has('remember_login')) {
+ $cookie_time = time() + (60 * 60 * 24 * 30); // Set cookies for 30 days
+ } else {
+ $cookie_time = 0; // Set cookies to expire when session ends (browser closes)
+ }
+
+ $user = new User($user_id);
+
+ # check if user still has an outdated password hash and upgrade it
+ if( $conf['general']['passwdcrypt']!='md5'
+ && $conf['general']['passwdcrypt']!='sha1'
+ && $conf['general']['passwdcrypt']!='sha512'
+ ){
+ if( substr($user->infos['user_pass'],0,1)!='$'
+ && ( strlen($user->infos['user_pass'])==32
+ || strlen($user->infos['user_pass'])==40
+ || strlen($user->infos['user_pass'])==128
+ )
+ ){
+ # upgrade from unsalted md5 or unsalted sha1 or unsalted sha512 to better
+ if($conf['general']['passwdcrypt']=='argon2i'){
+ $newhash=password_hash($password, PASSWORD_ARGON2I);
+ }else{
+ $cryptoptions=array('cost'=>12);
+ $newhash=password_hash($password, PASSWORD_BCRYPT, $cryptoptions);
+ }
+ # save the new hash
+ $db->query("UPDATE {users} SET user_pass=? WHERE user_id=?", array($newhash, $user_id));
+ # reload the user with updated data
+ $user= new User($user_id);
+ }
+ }
+
+ // Set a couple of cookies
+ $passweirded = crypt($user->infos['user_pass'], $conf['general']['cookiesalt']);
+ Flyspray::setCookie('flyspray_userid', $user->id, $cookie_time,null,null,null,true);
+ Flyspray::setCookie('flyspray_passhash', $passweirded, $cookie_time,null,null,null,true);
+ // If the user had previously requested a password change, remove the magic url
+ $remove_magic = $db->query("UPDATE {users} SET magic_url = '' WHERE user_id = ?",
+ array($user->id));
+ // Save for displaying
+ if ($user->infos['login_attempts'] > 0) {
+ $_SESSION['login_attempts'] = $user->infos['login_attempts'];
+ }
+ $db->query('UPDATE {users} SET login_attempts = 0, last_login = ? WHERE user_id = ?', array(time(), $user->id));
+
+ $_SESSION['SUCCESS'] = L('loginsuccessful');
+ }
+}
+else {
+ // If the user didn't provide both a username and a password, show this error:
+ Flyspray::show_error(8);
+}
+
+Flyspray::redirect(Req::val('return_to'));
+?>