diff --git a/classes/pref/prefs.php b/classes/pref/prefs.php
index 76dc526ab..a80583635 100644
--- a/classes/pref/prefs.php
+++ b/classes/pref/prefs.php
@@ -986,7 +986,6 @@ class Pref_Prefs extends Handler_Protected {
 $sth->execute([$_SESSION['uid']]);
 if ($row = $sth->fetch()) {
- $secret = $this->otpsecret();
 $login = $row['login'];
diff --git a/plugins/auth_internal/init.php b/plugins/auth_internal/init.php
index a374c0948..478ec1440 100644
--- a/plugins/auth_internal/init.php
+++ b/plugins/auth_internal/init.php
@@ -1,168 +1,157 @@ - host = $host; - $this->pdo = Db::pdo(); + /* @var PluginHost $host */ + function init($host) { + $this->host = $host; + $this->pdo = Db::pdo(); - $host->add_hook($host::HOOK_AUTH_USER, $this); - } + $host->add_hook($host::HOOK_AUTH_USER, $this); + } - function authenticate($login, $password, $service = '') { + function authenticate($login, $password, $service = '') { - $pwd_hash1 = encrypt_password($password); - $pwd_hash2 = encrypt_password($password, $login); - $otp = $_REQUEST["otp"]; + $pwd_hash1 = encrypt_password($password); + $pwd_hash2 = encrypt_password($password, $login); + $otp = $_REQUEST["otp"]; - if (get_schema_version() > 96) { + if (get_schema_version() > 96) { - $sth = $this->pdo->prepare("SELECT otp_enabled,salt FROM ttrss_users WHERE - login = ?"); - $sth->execute([$login]); + $sth = $this->pdo->prepare("SELECT otp_enabled,salt FROM ttrss_users WHERE + login = ?"); + $sth->execute([$login]); - if ($row = $sth->fetch()) { + if ($row = $sth->fetch()) { - $base32 = new \OTPHP\Base32(); + $base32 = new \OTPHP\Base32(); - $otp_enabled = $row['otp_enabled']; - $secret = $base32->encode(mb_substr(sha1($row["salt"]), 0, 12), false); + $otp_enabled = $row['otp_enabled']; + $secret = $base32->encode(mb_substr(sha1($row["salt"]), 0, 12), false); - $topt = new \OTPHP\TOTP($secret); - $otp_check = $topt->now(); + $topt = new \OTPHP\TOTP($secret); + $otp_check = $topt->now(); - if ($otp_enabled) { + if ($otp_enabled) { - // only allow app password checking if OTP is enabled - if ($service && get_schema_version() > 138) { - return $this->check_app_password($login, $password, $service); + // only allow app password checking if OTP is enabled + if ($service && get_schema_version() > 138) { + return $this->check_app_password($login, $password, $service); + } + + if ($otp) { + if ($otp != $otp_check) { + return false; } + } else { + $return = urlencode($_REQUEST["return"]); + ?> + + + + Tiny Tiny RSS + + + + +

+
+
+ + + + "> + "> + "> - if ($otp) { - if ($otp != $otp_check) { - return false; - } - } else { - $return = urlencode($_REQUEST["return"]); - ?> - - - - Tiny Tiny RSS - - - - -

-
- - - - - "> - "> - "> - -
- - - -
-
- - + + + + +
+ + 138) { - $user_id = $this->check_app_password($login, $password, $service); + if ($service && get_schema_version() > 138) { + $user_id = $this->check_app_password($login, $password, $service); - if ($user_id) - return $user_id; - } + if ($user_id) + return $user_id; + } - if (get_schema_version() > 87) { + if (get_schema_version() > 87) { - $sth = $this->pdo->prepare("SELECT salt FROM ttrss_users WHERE login = ?"); - $sth->execute([$login]); + $sth = $this->pdo->prepare("SELECT salt FROM ttrss_users WHERE login = ?"); + $sth->execute([$login]); - if ($row = $sth->fetch()) { - $salt = $row['salt']; + if ($row = $sth->fetch()) { + $salt = $row['salt']; - if ($salt == "") { + if ($salt == "") { - $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE - login = ? AND (pwd_hash = ? OR pwd_hash = ?)"); + $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE + login = ? AND (pwd_hash = ? OR pwd_hash = ?)"); - $sth->execute([$login, $pwd_hash1, $pwd_hash2]); + $sth->execute([$login, $pwd_hash1, $pwd_hash2]); - // verify and upgrade password to new salt base + // verify and upgrade password to new salt base - if ($row = $sth->fetch()) { - // upgrade password to MODE2 + if ($row = $sth->fetch()) { + // upgrade password to MODE2 - $user_id = $row['id']; + $user_id = $row['id']; - $salt = substr(bin2hex(get_random_bytes(125)), 0, 250); - $pwd_hash = encrypt_password($password, $salt, true); - - $sth = $this->pdo->prepare("UPDATE ttrss_users SET - pwd_hash = ?, salt = ? WHERE login = ?"); - - $sth->execute([$pwd_hash, $salt, $login]); - - return $user_id; - - } else { - return false; - } - - } else { + $salt = substr(bin2hex(get_random_bytes(125)), 0, 250); $pwd_hash = encrypt_password($password, $salt, true); - $sth = $this->pdo->prepare("SELECT id - FROM ttrss_users WHERE - login = ? AND pwd_hash = ?"); - $sth->execute([$login, $pwd_hash]); + $sth = $this->pdo->prepare("UPDATE ttrss_users SET + pwd_hash = ?, salt = ? 
WHERE login = ?"); - if ($row = $sth->fetch()) { - return $row['id']; - } + $sth->execute([$pwd_hash, $salt, $login]); + + return $user_id; + + } else { + return false; } } else { - $sth = $this->pdo->prepare("SELECT id - FROM ttrss_users WHERE - login = ? AND (pwd_hash = ? OR pwd_hash = ?)"); + $pwd_hash = encrypt_password($password, $salt, true); - $sth->execute([$login, $pwd_hash1, $pwd_hash2]); + $sth = $this->pdo->prepare("SELECT id + FROM ttrss_users WHERE + login = ? AND pwd_hash = ?"); + $sth->execute([$login, $pwd_hash]); if ($row = $sth->fetch()) { return $row['id']; } } + } else { $sth = $this->pdo->prepare("SELECT id - FROM ttrss_users WHERE - login = ? AND (pwd_hash = ? OR pwd_hash = ?)"); + FROM ttrss_users WHERE + login = ? AND (pwd_hash = ? OR pwd_hash = ?)"); $sth->execute([$login, $pwd_hash1, $pwd_hash2]); 
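Review bot: The OTP check on the new side, `if ($otp != $otp_check) { return false; }`, compares the submitted code using a loose, early-exit comparison; PHP's `!=` treats two numeric strings numerically, so a leading-zero code also matches its unpadded form, and the comparison is not constant-time. Replace it with `if (!hash_equals((string) $otp_check, (string) $otp)) { return false; }` and read the request value as `$otp = $_REQUEST["otp"] ?? '';` so a missing field does not raise an undefined-index notice. The same loose comparison of a secret, `$test_hash == $hash` in check_app_password, appears in the next hunk and should use `hash_equals` as well. The `authenticate` method continues past the end of this hunk.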
@@ -170,121 +159,132 @@ return $row['id']; } } + } else { + $sth = $this->pdo->prepare("SELECT id + FROM ttrss_users WHERE + login = ? AND (pwd_hash = ? OR pwd_hash = ?)"); - return false; + $sth->execute([$login, $pwd_hash1, $pwd_hash2]); + + if ($row = $sth->fetch()) { + return $row['id']; + } } - function check_password($owner_uid, $password) { + return false; + } - $sth = $this->pdo->prepare("SELECT salt,login,otp_enabled FROM ttrss_users WHERE - id = ?"); + function check_password($owner_uid, $password) { + + $sth = $this->pdo->prepare("SELECT salt,login,otp_enabled FROM ttrss_users WHERE + id = ?"); + $sth->execute([$owner_uid]); + + if ($row = $sth->fetch()) { + + $salt = $row['salt']; + $login = $row['login']; + + if (!$salt) { + $password_hash1 = encrypt_password($password); + $password_hash2 = encrypt_password($password, $login); + + $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE + id = ? AND (pwd_hash = ? OR pwd_hash = ?)"); + + $sth->execute([$owner_uid, $password_hash1, $password_hash2]); + + return $sth->fetch(); + + } else { + $password_hash = encrypt_password($password, $salt, true); + + $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE + id = ? 
AND pwd_hash = ?"); + + $sth->execute([$owner_uid, $password_hash]); + + return $sth->fetch(); + } + } + + return false; + } + + function change_password($owner_uid, $old_password, $new_password) { + + if ($this->check_password($owner_uid, $old_password)) { + + $new_salt = substr(bin2hex(get_random_bytes(125)), 0, 250); + $new_password_hash = encrypt_password($new_password, $new_salt, true); + + $sth = $this->pdo->prepare("UPDATE ttrss_users SET + pwd_hash = ?, salt = ?, otp_enabled = false + WHERE id = ?"); + $sth->execute([$new_password_hash, $new_salt, $owner_uid]); + + $_SESSION["pwd_hash"] = $new_password_hash; + + $sth = $this->pdo->prepare("SELECT email, login FROM ttrss_users WHERE id = ?"); $sth->execute([$owner_uid]); if ($row = $sth->fetch()) { + $mailer = new Mailer(); - $salt = $row['salt']; - $login = $row['login']; + require_once "lib/MiniTemplator.class.php"; - if (!$salt) { - $password_hash1 = encrypt_password($password); - $password_hash2 = encrypt_password($password, $login); + $tpl = new MiniTemplator; - $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE - id = ? AND (pwd_hash = ? OR pwd_hash = ?)"); + $tpl->readTemplateFromFile("templates/password_change_template.txt"); - $sth->execute([$owner_uid, $password_hash1, $password_hash2]); + $tpl->setVariable('LOGIN', $row["login"]); + $tpl->setVariable('TTRSS_HOST', SELF_URL_PATH); - return $sth->fetch(); + $tpl->addBlock('message'); - } else { - $password_hash = encrypt_password($password, $salt, true); + $tpl->generateOutputToString($message); - $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE - id = ? 
AND pwd_hash = ?"); + $mailer->mail(["to_name" => $row["login"], + "to_address" => $row["email"], + "subject" => "[tt-rss] Password change notification", + "message" => $message]); - $sth->execute([$owner_uid, $password_hash]); - - return $sth->fetch(); - } } - return false; + return __("Password has been changed."); + } else { + return "ERROR: ".__('Old password is incorrect.'); } - - function change_password($owner_uid, $old_password, $new_password) { - - if ($this->check_password($owner_uid, $old_password)) { - - $new_salt = substr(bin2hex(get_random_bytes(125)), 0, 250); - $new_password_hash = encrypt_password($new_password, $new_salt, true); - - $sth = $this->pdo->prepare("UPDATE ttrss_users SET - pwd_hash = ?, salt = ?, otp_enabled = false - WHERE id = ?"); - $sth->execute([$new_password_hash, $new_salt, $owner_uid]); - - $_SESSION["pwd_hash"] = $new_password_hash; - - $sth = $this->pdo->prepare("SELECT email, login FROM ttrss_users WHERE id = ?"); - $sth->execute([$owner_uid]); - - if ($row = $sth->fetch()) { - $mailer = new Mailer(); - - require_once "lib/MiniTemplator.class.php"; - - $tpl = new MiniTemplator; - - $tpl->readTemplateFromFile("templates/password_change_template.txt"); - - $tpl->setVariable('LOGIN', $row["login"]); - $tpl->setVariable('TTRSS_HOST', SELF_URL_PATH); - - $tpl->addBlock('message'); - - $tpl->generateOutputToString($message); - - $mailer->mail(["to_name" => $row["login"], - "to_address" => $row["email"], - "subject" => "[tt-rss] Password change notification", - "message" => $message]); - - } - - return __("Password has been changed."); - } else { - return "ERROR: ".__('Old password is incorrect.'); - } - } - - private function check_app_password($login, $password, $service) { - $sth = $this->pdo->prepare("SELECT p.id, p.pwd_hash, u.id AS uid - FROM ttrss_app_passwords p, ttrss_users u - WHERE p.owner_uid = u.id AND u.login = ? 
AND service = ?"); - $sth->execute([$login, $service]); - - while ($row = $sth->fetch()) { - list ($algo, $hash, $salt) = explode(":", $row["pwd_hash"]); - - if ($algo == "SSHA-512") { - $test_hash = hash('sha512', $salt . $password); - - if ($test_hash == $hash) { - $usth = $this->pdo->prepare("UPDATE ttrss_app_passwords SET last_used = NOW() WHERE id = ?"); - $usth->execute([$row['id']]); - - return $row['uid']; - } - } else { - user_error("Got unknown algo of app password for user $login: $algo"); - } - } - - return false; - } - - function api_version() { - return 2; - } - } + + private function check_app_password($login, $password, $service) { + $sth = $this->pdo->prepare("SELECT p.id, p.pwd_hash, u.id AS uid + FROM ttrss_app_passwords p, ttrss_users u + WHERE p.owner_uid = u.id AND u.login = ? AND service = ?"); + $sth->execute([$login, $service]); + + while ($row = $sth->fetch()) { + list ($algo, $hash, $salt) = explode(":", $row["pwd_hash"]); + + if ($algo == "SSHA-512") { + $test_hash = hash('sha512', $salt . $password); + + if ($test_hash == $hash) { + $usth = $this->pdo->prepare("UPDATE ttrss_app_passwords SET last_used = NOW() WHERE id = ?"); + $usth->execute([$row['id']]); + + return $row['uid']; + } + } else { + user_error("Got unknown algo of app password for user $login: $algo"); + } + } + + return false; + } + + function api_version() { + return 2; + } + +}
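Review bot: `change_password` sets `otp_enabled = false` in its UPDATE without explaining why; since `authenticate` derives the TOTP secret from the user's salt (`sha1($row["salt"])`), generating a new salt necessarily invalidates the enrolled authenticator, and that deserves a comment above the prepare call: `// A new salt changes the TOTP secret (derived from the salt in authenticate()), so OTP is reset and must be re-enrolled.`. In check_app_password, `list ($algo, $hash, $salt) = explode(":", $row["pwd_hash"]);` emits undefined-offset notices for a stored value with fewer than three fields; using `explode(":", $row["pwd_hash"], 3)` and checking `count($parts) === 3` before the algorithm check would reject a malformed row cleanly instead of comparing against null.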