sbrl-github/Pepperminty-Wiki
sbrl-github
/
Pepperminty-Wiki
mirror of https://github.com/sbrl/Pepperminty-Wiki.git
1
0
Fork 0
Code

Bugfix the login system changes. It works! 

The issue was actually in that I hadn't created a password_verify
wrapper
This commit is contained in:
Starbeamrainbowlabs 2018-05-11 11:34:57 +01:00
parent d5b37e3ec0
commit c64aaa72db
Signed by: sbrl
GPG Key ID: 1BE5172E637709C2
5 changed files with 38 additions and 62 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
build/index.php
View File

@ -395,7 +395,7 @@ if($settings->sessionprefix == "auto")
///////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////////////
/** The version of Pepperminty Wiki currently running. */ /** The version of Pepperminty Wiki currently running. */
$version = "v0.17-dev"; $version = "v0.17-dev";
$commit = "ae8412ddaf957cdfa6b55b0385093a925ff6a799"; $commit = "d5b37e3ec04759342e4e5f121fc9912c13af0cd7";
/// Environment /// /// Environment ///
/** Holds information about the current request environment. */ /** Holds information about the current request environment. */
$env = new stdClass(); $env = new stdClass();
@ -470,25 +470,11 @@ if(isset($_SESSION[$settings->sessionprefix . "-user"]) and
// Note that the 'pass' field here is actually a hash of the password set // Note that the 'pass' field here is actually a hash of the password set
// by the login action // by the login action
$env->user = $_SESSION[$settings->sessionprefix . "-user"]; $env->user = $_SESSION[$settings->sessionprefix . "-user"];
$env->pass = $_SESSION[$settings->sessionprefix . "-pass"];
if($settings->users->{$env->user}->password == $env->pass) // The user is logged in
{ $env->is_logged_in = true;
// The user is logged in $env->user_data = $settings->users->{$env->user};
$env->is_logged_in = true;
$env->user_data = $settings->users->{$env->user};
}
else
{
// The user's login details are invalid (what is going on here?)
// Unset the session variables, treat them as an anonymous user,
// and get out of here
$env->is_logged_in = false;
$env->user = $settings->anonymous_user_name;
$env->pass = "";
// Clear the session data
$_SESSION = []; // Delete all the variables
session_destroy(); // Destroy the session
}
} }
// Check to see if the currently logged in user is an admin // Check to see if the currently logged in user is an admin
@ -7281,7 +7267,7 @@ function generate_page_list($pagelist)
register_module([ register_module([
"name" => "Login", "name" => "Login",
"version" => "0.9", "version" => "0.9.2",
"author" => "Starbeamrainbowlabs", "author" => "Starbeamrainbowlabs",
"description" => "Adds a pair of actions (login and checklogin) that allow users to login. You need this one if you want your users to be able to login.", "description" => "Adds a pair of actions (login and checklogin) that allow users to login. You need this one if you want your users to be able to login.",
"id" => "page-login", "id" => "page-login",
@ -7372,7 +7358,7 @@ register_module([
// The user wants to log in // The user wants to log in
$user = $_POST["user"]; $user = $_POST["user"];
$pass = $_POST["pass"]; $pass = $_POST["pass"];
if(password_verify($pass, $settings->users->$user->password)) if(verify_password($pass, $settings->users->$user->password))
{ {
// Success! :D // Success! :D
@ -7382,7 +7368,7 @@ register_module([
$env->user_data = $settings->users->{$env->user}; $env->user_data = $settings->users->{$env->user};
$new_password_hash = hash_password_update($pass, $settings->users->$user->password); $new_password_hash = hash_password_update($pass, $settings->users->$user->password);
error_log("$pass / $new_password_hash");
// Update the password hash // Update the password hash
if($new_password_hash !== null) { if($new_password_hash !== null) {
$env->user_data->password = $new_password_hash; $env->user_data->password = $new_password_hash;
@ -7397,7 +7383,7 @@ register_module([
$_SESSION["$settings->sessionprefix-user"] = $user; $_SESSION["$settings->sessionprefix-user"] = $user;
$_SESSION["$settings->sessionprefix-pass"] = $new_password_hash ?? hash_password($pass); $_SESSION["$settings->sessionprefix-pass"] = $new_password_hash ?? hash_password($pass);
$_SESSION["$settings->sessionprefix-expiretime"] = time() + 60*60*24*30; // 30 days from now $_SESSION["$settings->sessionprefix-expiretime"] = time() + 60*60*24*30; // 30 days from now
error_log(var_export($_SESSION, true));
// Redirect to wherever the user was going // Redirect to wherever the user was going
http_response_code(302); http_response_code(302);
header("x-login-success: yes"); header("x-login-success: yes");
@ -7489,9 +7475,7 @@ function hash_password_properties() {
* @return string The hashed password. Uses sha3 if $settings->use_sha3 is * @return string The hashed password. Uses sha3 if $settings->use_sha3 is
* enabled, or sha256 otherwise. * enabled, or sha256 otherwise.
*/ */
function hash_password($pass) function hash_password($pass) {
{
error_log("hashing '$pass'");
$props = hash_password_properties(); $props = hash_password_properties();
return password_hash( return password_hash(
base64_encode(hash("sha384", $pass)), base64_encode(hash("sha384", $pass)),
@ -7499,6 +7483,11 @@ function hash_password($pass)
$props["options"] $props["options"]
); );
} }
function verify_password($pass, $hash) {
$pass_transformed = base64_encode(hash("sha384", $pass));
return password_verify($pass_transformed, $hash);
}
/** /**
* Determines if the provided password needs re-hashing or not. * Determines if the provided password needs re-hashing or not.
* @param string $pass The password to check. * @param string $pass The password to check.
@ -7548,7 +7537,7 @@ function hash_password_compute_cost() {
register_module([ register_module([
"name" => "Logout", "name" => "Logout",
"version" => "0.6", "version" => "0.6.1",
"author" => "Starbeamrainbowlabs", "author" => "Starbeamrainbowlabs",
"description" => "Adds an action to let users user out. For security reasons it is wise to add this module since logging in automatically opens a session that is valid for 30 days.", "description" => "Adds an action to let users user out. For security reasons it is wise to add this module since logging in automatically opens a session that is valid for 30 days.",
"id" => "page-logout", "id" => "page-logout",
@ -7573,7 +7562,7 @@ register_module([
global $env; global $env;
$env->is_logged_in = false; $env->is_logged_in = false;
unset($env->user); unset($env->user);
unset($env->pass); unset($env->user_data);
//clear the session variables //clear the session variables
$_SESSION = []; $_SESSION = [];
session_destroy(); session_destroy();

24
core.php
View File

@ -85,25 +85,11 @@ if(isset($_SESSION[$settings->sessionprefix . "-user"]) and
// Note that the 'pass' field here is actually a hash of the password set // Note that the 'pass' field here is actually a hash of the password set
// by the login action // by the login action
$env->user = $_SESSION[$settings->sessionprefix . "-user"]; $env->user = $_SESSION[$settings->sessionprefix . "-user"];
$env->pass = $_SESSION[$settings->sessionprefix . "-pass"];
if($settings->users->{$env->user}->password == $env->pass) // The user is logged in
{ $env->is_logged_in = true;
// The user is logged in $env->user_data = $settings->users->{$env->user};
$env->is_logged_in = true;
$env->user_data = $settings->users->{$env->user};
}
else
{
// The user's login details are invalid (what is going on here?)
// Unset the session variables, treat them as an anonymous user,
// and get out of here
$env->is_logged_in = false;
$env->user = $settings->anonymous_user_name;
$env->pass = "";
// Clear the session data
$_SESSION = []; // Delete all the variables
session_destroy(); // Destroy the session
}
} }
// Check to see if the currently logged in user is an admin // Check to see if the currently logged in user is an admin

8
module_index.json
View File

@ -199,20 +199,20 @@
}, },
{ {
"name": "Login", "name": "Login",
"version": "0.9", "version": "0.9.2",
"author": "Starbeamrainbowlabs", "author": "Starbeamrainbowlabs",
"description": "Adds a pair of actions (login and checklogin) that allow users to login. You need this one if you want your users to be able to login.", "description": "Adds a pair of actions (login and checklogin) that allow users to login. You need this one if you want your users to be able to login.",
"id": "page-login", "id": "page-login",
"lastupdate": 1525993883, "lastupdate": 1526034825,
"optional": false "optional": false
}, },
{ {
"name": "Logout", "name": "Logout",
"version": "0.6", "version": "0.6.1",
"author": "Starbeamrainbowlabs", "author": "Starbeamrainbowlabs",
"description": "Adds an action to let users user out. For security reasons it is wise to add this module since logging in automatically opens a session that is valid for 30 days.", "description": "Adds an action to let users user out. For security reasons it is wise to add this module since logging in automatically opens a session that is valid for 30 days.",
"id": "page-logout", "id": "page-logout",
"lastupdate": 1466011660, "lastupdate": 1526034779,
"optional": false "optional": false
}, },
{ {

17
modules/page-login.php
View File

@ -1,7 +1,7 @@
<?php <?php
register_module([ register_module([
"name" => "Login", "name" => "Login",
"version" => "0.9", "version" => "0.9.2",
"author" => "Starbeamrainbowlabs", "author" => "Starbeamrainbowlabs",
"description" => "Adds a pair of actions (login and checklogin) that allow users to login. You need this one if you want your users to be able to login.", "description" => "Adds a pair of actions (login and checklogin) that allow users to login. You need this one if you want your users to be able to login.",
"id" => "page-login", "id" => "page-login",
@ -92,7 +92,7 @@ register_module([
// The user wants to log in // The user wants to log in
$user = $_POST["user"]; $user = $_POST["user"];
$pass = $_POST["pass"]; $pass = $_POST["pass"];
if(password_verify($pass, $settings->users->$user->password)) if(verify_password($pass, $settings->users->$user->password))
{ {
// Success! :D // Success! :D
@ -102,9 +102,6 @@ register_module([
$env->user_data = $settings->users->{$env->user}; $env->user_data = $settings->users->{$env->user};
$new_password_hash = hash_password_update($pass, $settings->users->$user->password); $new_password_hash = hash_password_update($pass, $settings->users->$user->password);
error_log("$pass / $new_password_hash");
// TODO: When rehashing a password automatically, it no longer checks out against password_verify during login
// Looks like a bug in hash_password, as it's not letting us in if we calculate it via the has action either
// Update the password hash // Update the password hash
if($new_password_hash !== null) { if($new_password_hash !== null) {
@ -120,7 +117,7 @@ register_module([
$_SESSION["$settings->sessionprefix-user"] = $user; $_SESSION["$settings->sessionprefix-user"] = $user;
$_SESSION["$settings->sessionprefix-pass"] = $new_password_hash ?? hash_password($pass); $_SESSION["$settings->sessionprefix-pass"] = $new_password_hash ?? hash_password($pass);
$_SESSION["$settings->sessionprefix-expiretime"] = time() + 60*60*24*30; // 30 days from now $_SESSION["$settings->sessionprefix-expiretime"] = time() + 60*60*24*30; // 30 days from now
error_log(var_export($_SESSION, true));
// Redirect to wherever the user was going // Redirect to wherever the user was going
http_response_code(302); http_response_code(302);
header("x-login-success: yes"); header("x-login-success: yes");
@ -212,8 +209,7 @@ function hash_password_properties() {
* @return string The hashed password. Uses sha3 if $settings->use_sha3 is * @return string The hashed password. Uses sha3 if $settings->use_sha3 is
* enabled, or sha256 otherwise. * enabled, or sha256 otherwise.
*/ */
function hash_password($pass) function hash_password($pass) {
{
$props = hash_password_properties(); $props = hash_password_properties();
return password_hash( return password_hash(
base64_encode(hash("sha384", $pass)), base64_encode(hash("sha384", $pass)),
@ -221,6 +217,11 @@ function hash_password($pass)
$props["options"] $props["options"]
); );
} }
function verify_password($pass, $hash) {
$pass_transformed = base64_encode(hash("sha384", $pass));
return password_verify($pass_transformed, $hash);
}
/** /**
* Determines if the provided password needs re-hashing or not. * Determines if the provided password needs re-hashing or not.
* @param string $pass The password to check. * @param string $pass The password to check.

4
modules/page-logout.php
View File

@ -1,7 +1,7 @@
<?php <?php
register_module([ register_module([
"name" => "Logout", "name" => "Logout",
"version" => "0.6", "version" => "0.6.1",
"author" => "Starbeamrainbowlabs", "author" => "Starbeamrainbowlabs",
"description" => "Adds an action to let users user out. For security reasons it is wise to add this module since logging in automatically opens a session that is valid for 30 days.", "description" => "Adds an action to let users user out. For security reasons it is wise to add this module since logging in automatically opens a session that is valid for 30 days.",
"id" => "page-logout", "id" => "page-logout",
@ -26,7 +26,7 @@ register_module([
global $env; global $env;
$env->is_logged_in = false; $env->is_logged_in = false;
unset($env->user); unset($env->user);
unset($env->pass); unset($env->user_data);
//clear the session variables //clear the session variables
$_SESSION = []; $_SESSION = [];
session_destroy(); session_destroy();