1 files changed, 104 insertions, 0 deletions
diff --git a/scripts/authenticate.php b/scripts/authenticate.php
new file mode 100644
index 0000000..dbcd882
--- /dev/null
+++ b/scripts/authenticate.php
@@ -0,0 +1,104 @@
+<?php
+
+  /********************************************************\
+  | User authentication (no output)                        |
+  | ~~~~~~~~~~~~~~~~~~~                                    |
+  \********************************************************/
+
+if (!defined('IN_FS')) {
+    die('Do not access this file directly.');
+}
+
+if (Req::val('logout')) {
+    $user->logout();
+    Flyspray::redirect($baseurl);
+}
+
+if (Req::val('user_name') != '' && Req::val('password') != '') {
+    // Otherwise, they requested login.  See if they provided the correct credentials...
+    // FIXME: Do not do clean_username. Should not autostrip stuff
+    // $username = Backend::clean_username(Req::val('user_name'));
+    $username = Req::val('user_name');
+    $password = Req::val('password');
+
+    // Run the username and password through the login checker
+    if (($user_id = Flyspray::checkLogin($username, $password)) < 1) {
+        $_SESSION['failed_login'] = Req::val('user_name');
+        if($user_id === -2) {
+            Flyspray::show_error(L('usernotexist'));
+        }elseif ($user_id === -1) {
+            Flyspray::show_error(23);
+        } else  /* $user_id == 0 */ {
+            // just some extra check here so that never ever an account can get locked when it's already disabled
+            // ... that would make it easy to get enabled
+            $db->query('UPDATE {users} SET login_attempts = login_attempts+1 WHERE account_enabled = 1 AND user_name = ?',
+                        array($username));
+            // Lock account if failed too often for a limited amount of time
+            $db->query('UPDATE {users} SET lock_until = ?, account_enabled = 0 WHERE login_attempts > ? AND user_name = ?',
+                         array(time() + 60 * $fs->prefs['lock_for'], LOGIN_ATTEMPTS, $username));
+
+            if ($db->affectedRows()) {
+                Flyspray::show_error(sprintf(L('error71'), $fs->prefs['lock_for']));
+                Flyspray::redirect($baseurl);
+            } else {
+                Flyspray::show_error(7);
+            }
+        }
+    } else {
+        // Determine if the user should be remembered on this machine
+        if (Req::has('remember_login')) {
+            $cookie_time = time() + (60 * 60 * 24 * 30); // Set cookies for 30 days
+        } else {
+            $cookie_time = 0; // Set cookies to expire when session ends (browser closes)
+        }
+
+        $user = new User($user_id);
+
+			# check if user still has an outdated password hash and upgrade it
+			if(    $conf['general']['passwdcrypt']!='md5'
+			    && $conf['general']['passwdcrypt']!='sha1'
+			    && $conf['general']['passwdcrypt']!='sha512'
+			){
+				if( substr($user->infos['user_pass'],0,1)!='$'
+				    && ( strlen($user->infos['user_pass'])==32
+				      || strlen($user->infos['user_pass'])==40
+				      || strlen($user->infos['user_pass'])==128
+				       )
+				){
+ 						# upgrade from unsalted md5 or unsalted sha1 or unsalted sha512 to better
+						if($conf['general']['passwdcrypt']=='argon2i'){
+							$newhash=password_hash($password, PASSWORD_ARGON2I);
+						}else{
+							$cryptoptions=array('cost'=>12);
+							$newhash=password_hash($password, PASSWORD_BCRYPT, $cryptoptions);
+						}
+						# save the new hash
+						$db->query("UPDATE {users} SET user_pass=? WHERE user_id=?", array($newhash, $user_id));
+						# reload the user with updated data
+						$user= new User($user_id);
+				}
+		}
+		
+        // Set a couple of cookies
+        $passweirded = crypt($user->infos['user_pass'], $conf['general']['cookiesalt']);
+        Flyspray::setCookie('flyspray_userid', $user->id, $cookie_time,null,null,null,true);
+        Flyspray::setCookie('flyspray_passhash', $passweirded, $cookie_time,null,null,null,true);
+        // If the user had previously requested a password change, remove the magic url
+        $remove_magic = $db->query("UPDATE {users} SET magic_url = '' WHERE user_id = ?",
+                                    array($user->id));
+        // Save for displaying
+        if ($user->infos['login_attempts'] > 0) {
+            $_SESSION['login_attempts'] = $user->infos['login_attempts'];
+        }
+        $db->query('UPDATE {users} SET login_attempts = 0, last_login = ? WHERE user_id = ?', array(time(), $user->id));
+
+        $_SESSION['SUCCESS'] = L('loginsuccessful');
+    }
+}
+else {
+    // If the user didn't provide both a username and a password, show this error:
+    Flyspray::show_error(8);
+}
+
+Flyspray::redirect(Req::val('return_to'));
+?>