X-Git-Url: http://git.polytechnique.org/?a=blobdiff_plain;f=classes%2Fxorgsession.php;h=815ad816b6dfff144ceb4efdd586ecf9dbc988e3;hb=45dcbe4d0b623e195055d82543e3815d8b5419a4;hp=b8980e1bc92797639546ff9f868741c8b951b727;hpb=12262f1306059765d8625a6752364679c8625d31;p=platal.git diff --git a/classes/xorgsession.php b/classes/xorgsession.php index b8980e1..815ad81 100644 --- a/classes/xorgsession.php +++ b/classes/xorgsession.php @@ -81,9 +81,9 @@ class XorgSession extends PlSession { if ($login_type == 'alias') { $res = XDB::query('SELECT a.uid, a.password - FROM accounts AS a - INNER JOIN aliases AS l ON (l.uid = a.uid AND l.type != \'homonyme\') - WHERE l.alias = {?} AND a.state = \'active\'', + FROM accounts AS a + INNER JOIN email_source_account AS e ON (e.uid = a.uid) + WHERE e.email = {?}', $login); } else { $res = XDB::query('SELECT uid, password @@ -140,29 +140,28 @@ class XorgSession extends PlSession if (S::suid()) { $login = $uname = S::suid('uid'); $loginType = 'uid'; - $redirect = false; } else { $uname = Post::v('username'); if (Post::s('domain') == "alias") { - $res = XDB::query('SELECT redirect - FROM virtual - INNER JOIN virtual_redirect USING(vid) - WHERE alias LIKE {?}', - $uname . '@' . $globals->mail->alias_dom); - $redirect = $res->fetchOneCell(); - if ($redirect) { - $login = substr($redirect, 0, strpos($redirect, '@')); - } else { - $login = ''; - } - $loginType = 'alias'; - } else if (Post::s('domain') == "ax") { + $login = XDB::fetchOneCell('SELECT uid + FROM email_source_account + WHERE email = {?} AND type = \'alias_aux\'', + $uname); + $loginType = 'uid'; + } else if (Post::s('domain') == 'hruid') { $login = $uname; - $redirect = false; $loginType = 'hruid'; + } else if ((Post::s('domain') == 'email')) { + $login = XDB::fetchOneCell('SELECT SQL_CALC_FOUND_ROWS uid + FROM accounts + WHERE email = {?}', + $uname); + if (!(XDB::fetchOneCell('SELECT FOUND_ROWS()') == 1)) { + $login =null; + } + $loginType = 'uid'; } else { $login = $uname; - $redirect = false; $loginType = is_numeric($uname) ? 'uid' : 'alias'; } } @@ -258,6 +257,54 @@ class XorgSession extends PlSession } } + /** + * The authentication schema is based on three query parameters: + * ?user=×tamp=&sig= + * where: + * - hruid is the hruid of the querying user + * - timestamp is the current UNIX timestamp, which has to be within a + * given distance of the server-side UNIX timestamp + * - sig is the HMAC of "###" using + * a known secret of the user as the key. + * + * At the moment, the shared secret of the user is the sha1 hash of its + * password. This is temporary, though, until better support for tokens is + * implemented in plat/al. + * TODO(vzanotti): Switch to dedicated secrets for authentication. + */ + public function apiAuth($method, $resource, $payload) + { + // Verify that the timestamp is within acceptable bounds. + $timestamp = Env::i('timestamp', 0); + if (abs($timestamp - time()) > Platal::globals()->api->timestamp_tolerance) { + return null; + } + + // Retrieve the user corresponding to the forlife. Note that at the + // moment, other aliases are also accepted. + $user = User::getSilent(Env::s('user', '')); + if (is_null($user) || !$user->isActive()) { + return null; + } + + // Determine the list of tokens associated with the user. At the moment, + // this is just the sha1 of the password. + $tokens = array($user->password()); + + // For each token, try to validate the signature. + $message = implode('#', array($method, $resource, $payload, $timestamp)); + $signature = Env::s('sig'); + foreach ($tokens as $token) { + $expected_signature = hash_hmac( + Platal::globals()->api->hmac_algo, $message, $token); + if ($signature == $expected_signature) { + return $user; + } + } + + return null; + } + public function tokenAuth($login, $token) { $res = XDB::query('SELECT a.uid, a.hruid