X-Git-Url: http://git.polytechnique.org/?a=blobdiff_plain;f=classes%2Fxorgsession.php;h=8578a61384eb4552f3e0282a454b1963ab4c6336;hb=e18807a84517ab31f95755280fab7c04674c4b11;hp=02e34e4830f50b64386eaee4dbc9fb14f70a782a;hpb=843a2191e4c76f0beb00c754f06974de76791238;p=platal.git diff --git a/classes/xorgsession.php b/classes/xorgsession.php index 02e34e4..8578a61 100644 --- a/classes/xorgsession.php +++ b/classes/xorgsession.php @@ -1,6 +1,6 @@ mail->domain); + } else { + $res = XDB::query('SELECT uid, password + FROM accounts + WHERE ' . $login_type . ' = {?}', + $login); + } if (list($uid, $password) = $res->fetchOneRow()) { $expected_response = sha1("$uname:$password:" . S::v('challenge')); /* Deprecates len(password) > 10 conversion. */ @@ -132,28 +140,26 @@ class XorgSession extends PlSession */ if (S::suid()) { $login = $uname = S::suid('uid'); - $redirect = false; + $loginType = 'uid'; } else { - $uname = Env::v('username'); - if (Env::v('domain') == "alias") { - $res = XDB::query('SELECT redirect - FROM virtual - INNER JOIN virtual_redirect USING(vid) - WHERE alias LIKE {?}', - $uname . '@' . $globals->mail->alias_dom); - $redirect = $res->fetchOneCell(); - if ($redirect) { - $login = substr($redirect, 0, strpos($redirect, '@')); - } else { - $login = ''; - } + $uname = Post::v('username'); + if (Post::s('domain') == "alias") { + $login = XDB::fetchOneCell('SELECT uid + FROM email_source_account AS e + INNER JOIN email_virtual_domains AS d ON (e.domain = d.id) + WHERE e.email = {?} AND d.name = {?}', + $uname, Platal::globals()->mail->alias_dom); + $loginType = 'uid'; + } else if (Post::s('domain') == "ax") { + $login = $uname; + $loginType = 'hruid'; } else { $login = $uname; - $redirect = false; + $loginType = is_numeric($uname) ? 'uid' : 'alias'; } } - $uid = $this->checkPassword($uname, $login, Post::v('response'), (!$redirect && is_numeric($uname)) ? 'uid' : 'alias'); + $uid = $this->checkPassword($uname, $login, Post::v('response'), $loginType); if (!is_null($uid) && S::suid()) { if (S::suid('uid') == $uid) { $uid = S::i('uid'); @@ -165,8 +171,11 @@ class XorgSession extends PlSession S::set('auth', AUTH_MDP); if (!S::suid()) { if (Post::has('domain')) { - if (($domain = Post::v('domain', 'login')) == 'alias') { + $domain = Post::v('domain', 'login'); + if ($domain == 'alias') { Cookie::set('domain', 'alias', 300); + } else if ($domain == 'ax') { + Cookie::set('domain', 'ax', 300); } else { Cookie::kill('domain'); } @@ -191,7 +200,7 @@ class XorgSession extends PlSession } // Loads uid and hruid into the session for developement conveniance. - $_SESSION = array_merge($_SESSION, array('uid' => $user->id(), 'hruid' => $user->hruid)); + $_SESSION = array_merge($_SESSION, array('uid' => $user->id(), 'hruid' => $user->hruid, 'token' => $user->token, 'user' => $user)); // Starts the session's logger, and sets up the permanent cookie. if (S::suid()) { @@ -241,13 +250,60 @@ class XorgSession extends PlSession } } + /** + * The authentication schema is based on three query parameters: + * ?user=×tamp=&sig= + * where: + * - hruid is the hruid of the querying user + * - timestamp is the current UNIX timestamp, which has to be within a + * given distance of the server-side UNIX timestamp + * - sig is the HMAC of "###" using + * a known secret of the user as the key. + * + * At the moment, the shared secret of the user is the sha1 hash of its + * password. This is temporary, though, until better support for tokens is + * implemented in plat/al. + * TODO(vzanotti): Switch to dedicated secrets for authentication. + */ + public function apiAuth($method, $resource, $payload) + { + // Verify that the timestamp is within acceptable bounds. + $timestamp = Env::i('timestamp', 0); + if (abs($timestamp - time()) > Platal::globals()->api->timestamp_tolerance) { + return null; + } + + // Retrieve the user corresponding to the forlife. Note that at the + // moment, other aliases are also accepted. + $user = User::getSilent(Env::s('user', '')); + if (is_null($user) || !$user->isActive()) { + return null; + } + + // Determine the list of tokens associated with the user. At the moment, + // this is just the sha1 of the password. + $tokens = array($user->password()); + + // For each token, try to validate the signature. + $message = implode('#', array($method, $resource, $payload, $timestamp)); + $signature = Env::s('sig'); + foreach ($tokens as $token) { + $expected_signature = hash_hmac( + Platal::globals()->api->hmac_algo, $message, $token); + if ($signature == $expected_signature) { + return $user; + } + } + + return null; + } + public function tokenAuth($login, $token) { $res = XDB::query('SELECT a.uid, a.hruid - FROM aliases AS l - INNER JOIN accounts AS a ON (l.uid = a.uid AND a.state = \'active\') - WHERE a.token = {?} AND l.alias = {?} AND l.type != \'homonyme\'', - $token, $login); + FROM accounts AS a + WHERE a.token = {?} AND a.hruid = {?} AND a.state = \'active\'', + $token, $login); if ($res->numRows() == 1) { return new User(null, $res->fetchOneAssoc()); }