1
0
Fork 0
mirror of https://github.com/sbrl/Pepperminty-Wiki.git synced 2024-11-22 04:23:01 +00:00

Bugfix the login system changes. It works!

The issue was actually in that I hadn't created a password_verify
wrapper
This commit is contained in:
Starbeamrainbowlabs 2018-05-11 11:34:57 +01:00
parent d5b37e3ec0
commit c64aaa72db
Signed by: sbrl
GPG key ID: 1BE5172E637709C2
5 changed files with 38 additions and 62 deletions

View file

@ -395,7 +395,7 @@ if($settings->sessionprefix == "auto")
/////////////////////////////////////////////////////////////////////////////
/** The version of Pepperminty Wiki currently running. */
$version = "v0.17-dev";
$commit = "ae8412ddaf957cdfa6b55b0385093a925ff6a799";
$commit = "d5b37e3ec04759342e4e5f121fc9912c13af0cd7";
/// Environment ///
/** Holds information about the current request environment. */
$env = new stdClass();
@ -470,25 +470,11 @@ if(isset($_SESSION[$settings->sessionprefix . "-user"]) and
// Note that the 'pass' field here is actually a hash of the password set
// by the login action
$env->user = $_SESSION[$settings->sessionprefix . "-user"];
$env->pass = $_SESSION[$settings->sessionprefix . "-pass"];
if($settings->users->{$env->user}->password == $env->pass)
{
// The user is logged in
$env->is_logged_in = true;
$env->user_data = $settings->users->{$env->user};
}
else
{
// The user's login details are invalid (what is going on here?)
// Unset the session variables, treat them as an anonymous user,
// and get out of here
$env->is_logged_in = false;
$env->user = $settings->anonymous_user_name;
$env->pass = "";
// Clear the session data
$_SESSION = []; // Delete all the variables
session_destroy(); // Destroy the session
}
}
// Check to see if the currently logged in user is an admin
@ -7281,7 +7267,7 @@ function generate_page_list($pagelist)
register_module([
"name" => "Login",
"version" => "0.9",
"version" => "0.9.2",
"author" => "Starbeamrainbowlabs",
"description" => "Adds a pair of actions (login and checklogin) that allow users to login. You need this one if you want your users to be able to login.",
"id" => "page-login",
@ -7372,7 +7358,7 @@ register_module([
// The user wants to log in
$user = $_POST["user"];
$pass = $_POST["pass"];
if(password_verify($pass, $settings->users->$user->password))
if(verify_password($pass, $settings->users->$user->password))
{
// Success! :D
@ -7382,7 +7368,7 @@ register_module([
$env->user_data = $settings->users->{$env->user};
$new_password_hash = hash_password_update($pass, $settings->users->$user->password);
error_log("$pass / $new_password_hash");
// Update the password hash
if($new_password_hash !== null) {
$env->user_data->password = $new_password_hash;
@ -7397,7 +7383,7 @@ register_module([
$_SESSION["$settings->sessionprefix-user"] = $user;
$_SESSION["$settings->sessionprefix-pass"] = $new_password_hash ?? hash_password($pass);
$_SESSION["$settings->sessionprefix-expiretime"] = time() + 60*60*24*30; // 30 days from now
error_log(var_export($_SESSION, true));
// Redirect to wherever the user was going
http_response_code(302);
header("x-login-success: yes");
@ -7489,9 +7475,7 @@ function hash_password_properties() {
* @return string The hashed password. Uses sha3 if $settings->use_sha3 is
* enabled, or sha256 otherwise.
*/
function hash_password($pass)
{
error_log("hashing '$pass'");
function hash_password($pass) {
$props = hash_password_properties();
return password_hash(
base64_encode(hash("sha384", $pass)),
@ -7499,6 +7483,11 @@ function hash_password($pass)
$props["options"]
);
}
function verify_password($pass, $hash) {
$pass_transformed = base64_encode(hash("sha384", $pass));
return password_verify($pass_transformed, $hash);
}
/**
* Determines if the provided password needs re-hashing or not.
* @param string $pass The password to check.
@ -7548,7 +7537,7 @@ function hash_password_compute_cost() {
register_module([
"name" => "Logout",
"version" => "0.6",
"version" => "0.6.1",
"author" => "Starbeamrainbowlabs",
"description" => "Adds an action to let users user out. For security reasons it is wise to add this module since logging in automatically opens a session that is valid for 30 days.",
"id" => "page-logout",
@ -7573,7 +7562,7 @@ register_module([
global $env;
$env->is_logged_in = false;
unset($env->user);
unset($env->pass);
unset($env->user_data);
//clear the session variables
$_SESSION = [];
session_destroy();

View file

@ -85,25 +85,11 @@ if(isset($_SESSION[$settings->sessionprefix . "-user"]) and
// Note that the 'pass' field here is actually a hash of the password set
// by the login action
$env->user = $_SESSION[$settings->sessionprefix . "-user"];
$env->pass = $_SESSION[$settings->sessionprefix . "-pass"];
if($settings->users->{$env->user}->password == $env->pass)
{
// The user is logged in
$env->is_logged_in = true;
$env->user_data = $settings->users->{$env->user};
}
else
{
// The user's login details are invalid (what is going on here?)
// Unset the session variables, treat them as an anonymous user,
// and get out of here
$env->is_logged_in = false;
$env->user = $settings->anonymous_user_name;
$env->pass = "";
// Clear the session data
$_SESSION = []; // Delete all the variables
session_destroy(); // Destroy the session
}
}
// Check to see if the currently logged in user is an admin

View file

@ -199,20 +199,20 @@
},
{
"name": "Login",
"version": "0.9",
"version": "0.9.2",
"author": "Starbeamrainbowlabs",
"description": "Adds a pair of actions (login and checklogin) that allow users to login. You need this one if you want your users to be able to login.",
"id": "page-login",
"lastupdate": 1525993883,
"lastupdate": 1526034825,
"optional": false
},
{
"name": "Logout",
"version": "0.6",
"version": "0.6.1",
"author": "Starbeamrainbowlabs",
"description": "Adds an action to let users user out. For security reasons it is wise to add this module since logging in automatically opens a session that is valid for 30 days.",
"id": "page-logout",
"lastupdate": 1466011660,
"lastupdate": 1526034779,
"optional": false
},
{

View file

@ -1,7 +1,7 @@
<?php
register_module([
"name" => "Login",
"version" => "0.9",
"version" => "0.9.2",
"author" => "Starbeamrainbowlabs",
"description" => "Adds a pair of actions (login and checklogin) that allow users to login. You need this one if you want your users to be able to login.",
"id" => "page-login",
@ -92,7 +92,7 @@ register_module([
// The user wants to log in
$user = $_POST["user"];
$pass = $_POST["pass"];
if(password_verify($pass, $settings->users->$user->password))
if(verify_password($pass, $settings->users->$user->password))
{
// Success! :D
@ -102,9 +102,6 @@ register_module([
$env->user_data = $settings->users->{$env->user};
$new_password_hash = hash_password_update($pass, $settings->users->$user->password);
error_log("$pass / $new_password_hash");
// TODO: When rehashing a password automatically, it no longer checks out against password_verify during login
// Looks like a bug in hash_password, as it's not letting us in if we calculate it via the has action either
// Update the password hash
if($new_password_hash !== null) {
@ -120,7 +117,7 @@ register_module([
$_SESSION["$settings->sessionprefix-user"] = $user;
$_SESSION["$settings->sessionprefix-pass"] = $new_password_hash ?? hash_password($pass);
$_SESSION["$settings->sessionprefix-expiretime"] = time() + 60*60*24*30; // 30 days from now
error_log(var_export($_SESSION, true));
// Redirect to wherever the user was going
http_response_code(302);
header("x-login-success: yes");
@ -212,8 +209,7 @@ function hash_password_properties() {
* @return string The hashed password. Uses sha3 if $settings->use_sha3 is
* enabled, or sha256 otherwise.
*/
function hash_password($pass)
{
function hash_password($pass) {
$props = hash_password_properties();
return password_hash(
base64_encode(hash("sha384", $pass)),
@ -221,6 +217,11 @@ function hash_password($pass)
$props["options"]
);
}
function verify_password($pass, $hash) {
$pass_transformed = base64_encode(hash("sha384", $pass));
return password_verify($pass_transformed, $hash);
}
/**
* Determines if the provided password needs re-hashing or not.
* @param string $pass The password to check.

View file

@ -1,7 +1,7 @@
<?php
register_module([
"name" => "Logout",
"version" => "0.6",
"version" => "0.6.1",
"author" => "Starbeamrainbowlabs",
"description" => "Adds an action to let users user out. For security reasons it is wise to add this module since logging in automatically opens a session that is valid for 30 days.",
"id" => "page-logout",
@ -26,7 +26,7 @@ register_module([
global $env;
$env->is_logged_in = false;
unset($env->user);
unset($env->pass);
unset($env->user_data);
//clear the session variables
$_SESSION = [];
session_destroy();