api: remove base64 encoded passwords (wtf), log all authentication failures in userhelper
This commit is contained in:
parent
efd196839a
commit
59c14e9c00
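--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -68,20 +68,15 @@ class API extends Handler {
 
 $login = clean($_REQUEST["user"]);
 $password = clean($_REQUEST["password"]);
-$password_base64 = base64_decode(clean($_REQUEST["password"]));
 
 if (Config::get(Config::SINGLE_USER_MODE)) $login = "admin";
 
 if ($uid = UserHelper::find_user_by_login($login)) {
 if (get_pref(Prefs::ENABLE_API_ACCESS, $uid)) {
-if (UserHelper::authenticate($login, $password, false, Auth_Base::AUTH_SERVICE_API)) { // try login with normal password
+if (UserHelper::authenticate($login, $password, false, Auth_Base::AUTH_SERVICE_API)) {
 $this->_wrap(self::STATUS_OK, array("session_id" => session_id(),
 "api_level" => self::API_LEVEL));
-} else if (UserHelper::authenticate($login, $password_base64, false, Auth_Base::AUTH_SERVICE_API)) { // else try with base64_decoded password
-$this->_wrap(self::STATUS_OK, array("session_id" => session_id(),
-"api_level" => self::API_LEVEL));
-} else { // else we are not logged in
-user_error("Failed login attempt for $login from " . UserHelper::get_user_ip(), E_USER_WARNING);
+} else {
 $this->_wrap(self::STATUS_ERR, array("error" => self::E_LOGIN_ERROR));
 }
 } else {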
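Review bot: The credentials are still read with `$login = clean($_REQUEST["user"]);` and `$password = clean($_REQUEST["password"]);`, so a client can send the password in the query string, where it ends up in web-server and proxy access logs; reading them from `$_POST` only (`$password = clean($_POST["password"] ?? '');`) keeps them out of URLs. Passing the password through `clean()` before `UserHelper::authenticate()` also deserves a check: if `clean()` trims or strips characters (its body is not visible here), passwords containing those characters can never verify, so the raw value should reach the verifier. A short comment on the new `else` branch would record where the failed attempt is now logged, e.g. `// failure is logged inside UserHelper::authenticate()`, matching the UserHelper hunk in this commit. The enclosing method starts before this hunk and continues after it.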
@ -395,8 +395,6 @@ class Handler_Public extends Handler {
|
||||||
|
|
||||||
if (!isset($_SESSION["login_error_msg"]))
|
if (!isset($_SESSION["login_error_msg"]))
|
||||||
$_SESSION["login_error_msg"] = __("Incorrect username or password");
|
$_SESSION["login_error_msg"] = __("Incorrect username or password");
|
||||||
|
|
||||||
user_error("Failed login attempt for $login from " . UserHelper::get_user_ip(), E_USER_WARNING);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
$return = clean($_REQUEST['return']);
|
$return = clean($_REQUEST['return']);
|
||||||
|
|
|
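--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -57,7 +57,7 @@ class Logger {
 }
 }
 
-public static function get() {
+public static function get() : Logger {
 if (self::$instance == null)
 self::$instance = new self();
 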
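Review bot: `if (self::$instance == null)` compares the singleton slot loosely; now that the return type is pinned to `Logger`, `self::$instance ??= new self();` (or `=== null`) expresses the lazy initialisation strictly and in one line. A one-line docblock such as `/** Returns the shared Logger instance, creating it on first use. */` would also document the accessor. The `return` of this method lies outside the hunk.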
@ -46,6 +46,9 @@ class UserHelper {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!$user_id)
|
||||||
|
Logger::get()->log(E_USER_WARNING, "Failed login attempt for $login (service: $service) from " . UserHelper::get_user_ip());
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
|
|
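Review bot: `$login` comes from the request and is interpolated verbatim into the log line at `Logger::get()->log(E_USER_WARNING, "Failed login attempt for $login (service: $service) from " ...)`; if Logger writes to a plain file or syslog, a login containing CR/LF can split or forge log entries, so strip control characters first, e.g. `$safe_login = preg_replace('/[[:cntrl:]]/', '?', $login);`, or emit the value JSON-encoded. The guard `if (!$user_id)` also means any path that reaches `return false` with a truthy `$user_id` stays unlogged; whether such a path exists depends on the condition above the hunk, which is not visible here. The enclosing method starts before this hunk and continues after it.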