path: root/scripts/authenticate.php
blob: dbcd8829dc63143ab00e2d05bf826e2f9a98d221 (plain)
<?php

  /********************************************************\
  | User authentication (no output)                        |
  | ~~~~~~~~~~~~~~~~~~~                                    |
  \********************************************************/

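if (!defined('IN_FS')) {
    die('Do not access this file directly.');
}

// Explicit logout request: drop the login state and return to the start page.
// NOTE(review): this is triggered by a plain request parameter with no CSRF token
// visible here; whether $user->logout() also clears the remember-me cookies that
// are set further down cannot be confirmed from this file.
if (Req::val('logout')) {
    $user->logout();
    Flyspray::redirect($baseurl);
}

if (Req::val('user_name') != '' && Req::val('password') != '') {
    // Login request with both fields present. The loose comparison is deliberate so a
    // missing field (null) is treated exactly like an empty string.
    // FIXME: Do not do clean_username. Should not autostrip stuff
    // $username = Backend::clean_username(Req::val('user_name'));
    $username = Req::val('user_name');
    $password = Req::val('password');

    // checkLogin() yields the user id (>= 1) on success; -2, -1 and 0 are the
    // failure codes distinguished below.
    $user_id = Flyspray::checkLogin($username, $password);

    if ($user_id < 1) {
        $_SESSION['failed_login'] = Req::val('user_name');

        // NOTE(review): the three branches emit three different messages, so a client
        // can tell "no such user" (-2) apart from "wrong password" (0) - this is user
        // name enumeration. A single generic failure message is preferable; left as-is
        // here because the strings are translated and rendered outside this file.
        if ($user_id === -2) {
            Flyspray::show_error(L('usernotexist'));
        } elseif ($user_id === -1) {
            Flyspray::show_error(23);
        } else /* $user_id == 0: credentials rejected */ {
            // Count the failure only for enabled accounts: a disabled account must never be
            // "locked", because a lock that expires would otherwise re-enable it.
            $db->query(
                'UPDATE {users} SET login_attempts = login_attempts+1 WHERE account_enabled = 1 AND user_name = ?',
                array($username)
            );
            // Lock the account for lock_for minutes once the counter exceeds LOGIN_ATTEMPTS.
            // NOTE(review): the lock is keyed on the target user name alone, so anyone who
            // knows a user name can lock that user out; per-client rate limiting is not
            // visible here and would complement this.
            $db->query(
                'UPDATE {users} SET lock_until = ?, account_enabled = 0 WHERE login_attempts > ? AND user_name = ?',
                array(time() + 60 * $fs->prefs['lock_for'], LOGIN_ATTEMPTS, $username)
            );

            if ($db->affectedRows()) {
                Flyspray::show_error(sprintf(L('error71'), $fs->prefs['lock_for']));
                Flyspray::redirect($baseurl);
            } else {
                Flyspray::show_error(7);
            }
        }
    } else {
        // Credentials accepted.

        // Session fixation defence: the session id that existed before authentication
        // must not stay valid afterwards. $_SESSION contents are carried over; the
        // guard avoids a warning if no native session is active in this deployment.
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true);
        }

        // "Remember me" keeps the cookies for 30 days; otherwise they are session cookies.
        if (Req::has('remember_login')) {
            $cookie_time = time() + (60 * 60 * 24 * 30);
        } else {
            $cookie_time = 0; // expires when the browser session ends
        }

        $user = new User($user_id);

        // Transparent upgrade of legacy unsalted hex hashes (md5 = 32, sha1 = 40,
        // sha512 = 128 chars, no leading '$') to the configured modern algorithm.
        // This can only happen at login, because the plaintext password is required.
        $passwdcrypt = $conf['general']['passwdcrypt'];
        $storedHash  = $user->infos['user_pass'];
        if ($passwdcrypt != 'md5' && $passwdcrypt != 'sha1' && $passwdcrypt != 'sha512') {
            $isLegacyHash = substr($storedHash, 0, 1) != '$'
                && in_array(strlen($storedHash), array(32, 40, 128), true);
            if ($isLegacyHash) {
                if ($passwdcrypt == 'argon2i') {
                    $newhash = password_hash($password, PASSWORD_ARGON2I);
                } else {
                    $newhash = password_hash($password, PASSWORD_BCRYPT, array('cost' => 12));
                }
                // password_hash() signals failure with false on older PHP (it throws on
                // 8.x); never persist a non-string, which would lock the user out.
                if (is_string($newhash) && $newhash !== '') {
                    $db->query('UPDATE {users} SET user_pass=? WHERE user_id=?', array($newhash, $user_id));
                    // Reload so the cookie below is derived from the new hash.
                    $user = new User($user_id);
                }
            }
        }

        // Persistent-login cookies: user id plus a keyed transform of the stored hash.
        // NOTE(review): crypt() only treats cookiesalt as a real salt when it is in a
        // recognised format ($2y$..., $6$..., ...). With any other string PHP falls back
        // to traditional DES, which hashes only the first 8 bytes of its input - for
        // bcrypt hashes that is the near-constant "$2y$12$" prefix - so the token would
        // hardly depend on the user's own hash. Confirm the cookiesalt format. The token
        // is also deterministic per (hash, salt) and so cannot be revoked per device;
        // the cookie is verified outside this file, so the scheme cannot change here alone.
        $passweirded = crypt($user->infos['user_pass'], $conf['general']['cookiesalt']);
        Flyspray::setCookie('flyspray_userid', $user->id, $cookie_time, null, null, null, true);
        Flyspray::setCookie('flyspray_passhash', $passweirded, $cookie_time, null, null, null, true);

        // A pending password-reset link is void once the user has logged in normally.
        $db->query("UPDATE {users} SET magic_url = '' WHERE user_id = ?", array($user->id));

        // Keep the failed-attempt count for display, then reset it and stamp the login time.
        if ($user->infos['login_attempts'] > 0) {
            $_SESSION['login_attempts'] = $user->infos['login_attempts'];
        }
        $db->query('UPDATE {users} SET login_attempts = 0, last_login = ? WHERE user_id = ?', array(time(), $user->id));

        $_SESSION['SUCCESS'] = L('loginsuccessful');
    }
} else {
    // User name or password missing.
    Flyspray::show_error(8);
}

// NOTE(review): return_to is taken straight from the request; unless Flyspray::redirect()
// restricts it to a local path this is an open redirect after login - verify there.
Flyspray::redirect(Req::val('return_to'));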
?>