fix hierarchy of authentication modules, make everything extend Auth_Base and implement hook_auth_user() for pluginhost

Andrew Dolgov 2021-02-08 19:11:31 +03:00
parent fc2e0bf67b
commit 51d2deeea9
5 changed files with 25 additions and 32 deletions


@ -1,6 +1,6 @@
<?php <?php
class Auth_Base { abstract class Auth_Base extends Plugin implements IAuthModule {
private $pdo; protected $pdo;
const AUTH_SERVICE_API = '_api'; const AUTH_SERVICE_API = '_api';
@ -8,18 +8,9 @@ class Auth_Base {
$this->pdo = Db::pdo(); $this->pdo = Db::pdo();
} }
/** // compatibility wrapper, because of how pluginhost works (hook name == method name)
* @SuppressWarnings(unused) function hook_auth_user(...$args) {
*/ return $this->authenticate(...$args);
function check_password($owner_uid, $password, $service = '') {
return false;
}
/**
* @SuppressWarnings(unused)
*/
function authenticate($login, $password, $service = '') {
return false;
} }
// Auto-creates specified user if allowed by system configuration // Auto-creates specified user if allowed by system configuration
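Review bot: Dropping the `check_password()` stub from `Auth_Base` (the `-8,18 +8,9` hunk) leaves no default for modules that do not define it, and `IAuthModule` as shown on this page does not declare it either. A caller that invokes `check_password()` on such a module would hit an undefined-method error instead of the previous fail-closed `false`; whether such a caller exists is not visible here. I would keep `function check_password($owner_uid, $password, $service = '') { return false; }` in the base class, or declare the method in the interface so every module must implement it. The new `hook_auth_user()` would also benefit from a short docblock saying it returns the user id on success and a falsy value otherwise, because the caller in UserHelper casts the result to int. The class body continues outside the hunk.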


@ -1,4 +1,5 @@
<?php <?php
interface IAuthModule { interface IAuthModule {
function authenticate($login, $password); // + optional third parameter: $service function authenticate($login, $password); // + optional third parameter: $service
function hook_auth_user(...$args); // compatibility wrapper due to how hooks work
} }


@ -7,15 +7,15 @@ class UserHelper {
$user_id = false; $user_id = false;
$auth_module = false; $auth_module = false;
foreach (PluginHost::getInstance()->get_hooks(PluginHost::HOOK_AUTH_USER) as $plugin) { PluginHost::getInstance()->chain_hooks_callback(PluginHost::HOOK_AUTH_USER,
function ($result, $plugin) use (&$user_id, &$auth_module) {
$user_id = (int) $plugin->authenticate($login, $password, $service); if ($result) {
$user_id = (int)$result;
if ($user_id) {
$auth_module = strtolower(get_class($plugin)); $auth_module = strtolower(get_class($plugin));
break; return true;
}
} }
},
$login, $password, $service);
if ($user_id && !$check_only) { if ($user_id && !$check_only) {
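Review bot: The callback accepts any truthy `$result` and converts it with `(int)$result`, so a hook that returns boolean `true` ends up as user id 1 instead of being rejected. This value decides which account the session is bound to, so only a positive integer id should be accepted, for example `if (!is_bool($result) && ctype_digit((string)$result) && (int)$result > 0) {` in place of `if ($result) {`. The old loop had the same cast, so this is not a regression, but the rewrite is a good place to tighten it. The enclosing function starts and ends outside the hunk.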


@ -1,5 +1,5 @@
<?php <?php
class Auth_Internal extends Plugin implements IAuthModule { class Auth_Internal extends Auth_Base {
private $host; private $host;
@ -13,7 +13,6 @@ class Auth_Internal extends Plugin implements IAuthModule {
/* @var PluginHost $host */ /* @var PluginHost $host */
function init($host) { function init($host) {
$this->host = $host; $this->host = $host;
$this->pdo = Db::pdo();
$host->add_hook($host::HOOK_AUTH_USER, $this); $host->add_hook($host::HOOK_AUTH_USER, $this);
} }
@ -178,7 +177,7 @@ class Auth_Internal extends Plugin implements IAuthModule {
return false; return false;
} }
function check_password($owner_uid, $password) { function check_password($owner_uid, $password, $service = '') {
$sth = $this->pdo->prepare("SELECT salt,login,otp_enabled FROM ttrss_users WHERE $sth = $this->pdo->prepare("SELECT salt,login,otp_enabled FROM ttrss_users WHERE
id = ?"); id = ?");
@ -189,6 +188,11 @@ class Auth_Internal extends Plugin implements IAuthModule {
$salt = $row['salt']; $salt = $row['salt'];
$login = $row['login']; $login = $row['login'];
// check app password only if service is specified
if ($service && get_schema_version() > 138) {
return $this->check_app_password($login, $password, $service);
}
if (!$salt) { if (!$salt) {
$password_hash1 = encrypt_password($password); $password_hash1 = encrypt_password($password);
$password_hash2 = encrypt_password($password, $login); $password_hash2 = encrypt_password($password, $login);
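Review bot: In `check_password()` the app-password branch is guarded by `get_schema_version() > 138`, so on an older schema a call that names a `$service` falls through to the regular comparison against the account's main password. If that fallback is intended, the comment should say so, e.g. `// schema <= 138 has no app passwords: fall back to the main password`; if it is not, returning `false` when `$service` is set and the schema is too old would fail closed. The early return also passes back whatever `check_app_password()` returns, which is not visible here, so its result should be confirmed to match what callers of `check_password()` expect. The function body continues outside the hunk.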


@ -1,9 +1,7 @@
<?php <?php
class Auth_Remote extends Plugin implements IAuthModule { class Auth_Remote extends Auth_Base {
private $host; private $host;
/* @var Auth_Base $base */
private $base;
function about() { function about() {
return array(1.0, return array(1.0,
@ -13,9 +11,8 @@ class Auth_Remote extends Plugin implements IAuthModule {
} }
/* @var PluginHost $host */ /* @var PluginHost $host */
function init($host ) { function init($host) {
$this->host = $host; $this->host = $host;
$this->base = new Auth_Base();
$host->add_hook($host::HOOK_AUTH_USER, $this); $host->add_hook($host::HOOK_AUTH_USER, $this);
} }
@ -53,7 +50,7 @@ class Auth_Remote extends Plugin implements IAuthModule {
if (!$try_login) $try_login = $this->get_login_by_ssl_certificate(); if (!$try_login) $try_login = $this->get_login_by_ssl_certificate();
if ($try_login) { if ($try_login) {
$user_id = $this->base->auto_create_user($try_login, $password); $user_id = $this->auto_create_user($try_login, $password);
if ($user_id) { if ($user_id) {
$_SESSION["fake_login"] = $try_login; $_SESSION["fake_login"] = $try_login;