Inicio Explorar Ayuda
Iniciar sesión
Troglodyne
/
tCMS
2
0
Fork 0
Archivos Incidencias 0 Pull Requests 0 Wiki
Árbol: f2e9aa70ca
Ramas Etiquetas
tCMS
/
lib
/
auth.inc

auth.inc 5.5 KB
Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110 
  1. <?php
    2. 

  2.     class auth {
    3. 

  3. 

  4.         public function __construct() {
    5. 

  5.             ini_set( "session.cookie_httponly", true );
    6. 

  6.             ini_set( "session.cookie_secure",   true );
    7. 

  7.             return;
    8. 

  8.         }
    9. 

  9. 

  10.         public function ensure_auth( $redirect=true ) {
    11. 

  11.             // Force HTTPS
    12. 

  12.             if( empty( $_SERVER["HTTPS"] ) ) {
    13. 

  13.                 http_response_code(301);
    14. 

  14.                 header("Location: https://" . $_SERVER["SERVER_NAME"] . "/" . $_SERVER["REQUEST_URI"]);
    15. 

  15.                 die();
    16. 

  16.             }
    17. 

  17.             // Check on the session
    18. 

  18.             $session_status = session_status();
    19. 

  19.             // Way to be consistent, PHP
    20. 

  20.             if( $session_status !== PHP_SESSION_ACTIVE || $session_status !== 2 ) session_start(); # Will re-use the existing session and jam the deets into the $_SESSION global
    21. 

  21.             $session_status = session_status();
    22. 

  22.             if( empty( $_SESSION )
    23. 

  23.                 || ( $session_status !== PHP_SESSION_ACTIVE || $session_status !== 2 )
    24. 

  24.                 || ( isset( $_SESSION['LAST_ACTIVITY'] ) && ( time() - $_SESSION['LAST_ACTIVITY'] > 3600 ) )
    25. 

  25.                 || $_SESSION['REMOTE_ADDR'] !== $_SERVER['REMOTE_ADDR'] ) {
    26. 

  26.                 $to = ( $_GET['app'] ) ? "&to=" . $_GET['app'] : "";
    27. 

  27.                 auth::invalidate_auth( $redirect, $to );
    28. 

  28.             }
    29. 

  29.             $_SESSION['LAST_ACTIVITY'] = time();
    30. 

  30.             return session_id();
    31. 

  31.         }
    32. 

  32. 

  33.         public function invalidate_auth( $redirect=true, $to="" ) { 
    34. 

  34.             // need to invalidate the session here, though we may not have loaded it yet, so do that first.
    35. 

  35.             $session_status = session_status();
    36. 

  36.             if( $session_status !== PHP_SESSION_ACTIVE || $session_status !== 2 ) session_start();
    37. 

  37.             $session_status = session_status();
    38. 

  38.             $session_id = session_id();
    39. 

  39.             if( $session_status === PHP_SESSION_ACTIVE || $session_status === 2 ) { 
    40. 

  40.                 session_unset();
    41. 

  41.                 session_destroy();
    42. 

  42.             }   
    43. 

  43.             setcookie('PHPSESSID'); //Otherwise it'll stick around. I don't wanna reuse these.
    44. 

  44.             if( $redirect ) {
    45. 

  45.                 http_response_code(302);
    46. 

  46.                 header( "Location: https://" . $_SERVER["SERVER_NAME"] . "/sys/admin/index.php?app=login$to" );
    47. 

  47.             } else {
    48. 

  48.                 http_response_code(401);
    49. 

  49.                 header('Content-Type: application/json');
    50. 

  50.                 echo json_encode( [ 'code' => '401', 'message' => 'Unauthorized' ] );
    51. 

  51.             }   
    52. 

  52.             die();
    53. 

  53.         }   
    54. 

  54. 

  55.         public function do_auth($user=null, $pass=null) {
    56. 

  56.             if( empty($user) || empty($pass) ) {
    57. 

  57.                 return array( 'err' => 1, 'msg' => "No Credentials provided yet" );
    58. 

  58.             }
    59. 

  59.                         if( empty( ini_get('session.entropy_file') ) && version_compare(PHP_VERSION, "7.1.0") === -1 ) {
    60. 

  60.                 ini_set('session.entropy_file', '/dev/urandom');
    61. 

  61.                 ini_set('session.entropy_length', '32');
    62. 

  62.             }
    63. 

  63.             // Check it
    64. 

  64.             $user_info = posix_getpwuid(posix_geteuid());
    65. 

  65.             $homedir = ( $user_info['dir'] ? $user_info['dir'] : '/var/www/' );
    66. 

  66.             $confdir = ( file_exists( "$homedir/.tCMS_basedir") ? file_get_contents("$homedir/.tCMS_basedir") . "/conf" : "$homedir/.tCMS/conf" );
    67. 

  67.             $conf = file_get_contents("$confdir/users.json");
    68. 

  68.             if( $conf === false ) return [ 'err' => 1, "msg" => "Login Failed: Configuration missing" ];
    69. 

  69.             $conf = json_decode( $conf, 1 );
    70. 

  70.             if( $conf === null ) return [ 'err' => 1, "msg" => "Login Failed: Configuration malformed" ];
    71. 

  71.             if( empty($conf[$user]) || empty($conf[$user]['auth_hash']) || !password_verify( $pass, $conf[$user]['auth_hash'] ) ) return [ 'err' => 1, 'msg' => "Login Failed" ];
    72. 

  72. 

  73.             // Gotta have a touch of eval
    74. 

  74.             $session_started = @session_start();
    75. 

  75.             if( empty($_SESSION) ) {
    76. 

  76.                 @session_destroy();
    77. 

  77.                 session_id(uniqid("tCMS-"));
    78. 

  78.                 session_start();
    79. 

  79.             }
    80. 

  80.             $session_state   = session_status();
    81. 

  81.             $session_id      = session_id();
    82. 

  82.             if( empty($session_started) || empty( $session_state ) || $session_state !== PHP_SESSION_ACTIVE || empty( $session_id ) ) {
    83. 

  83.                 return [ 'err' => 1, 'msg' => 'Failed to generate valid PHP Session' ];
    84. 

  84.             }
    85. 

  85.             $_SESSION['LAST_ACTIVITY'] = time(); //Timeout helper
    86. 

  86.             $_SESSION['REMOTE_ADDR'] = $_SERVER['REMOTE_ADDR']; // Hijacking prevention helper
    87. 

  87.             return [ 'success' => 1 ];
    88. 

  88.         }
    89. 

  89. 

  90.         public static function process_token( $api_token=null ) {
    91. 

  91.             if( session_status() !== PHP_SESSION_ACTIVE ) session_start();
    92. 

  92.             if( empty( $api_token ) ) return 0;
    93. 

  93.             $key = file_get_contents( "/var/cpanel/qa/.userdata_cache/global/session_keys/" . session_id() );
    94. 

  94.             if( empty( $key ) ) return 0;
    95. 

  95.             $api_token = base64_decode($api_token);
    96. 

  96.             $key = openssl_get_privatekey($key);
    97. 

  97.             openssl_private_decrypt( $api_token, $credentials, $key );
    98. 

  98.             if( empty( $credentials ) ) return 0;
    99. 

  99.             $credentials = explode( ":", $credentials );
    100. 

  100.             if( count( $credentials ) !== 2 ) return 0;
    101. 

  101.             return array( 'user' => $credentials[0], 'pass' => $credentials[1] );
    102. 

  102.         }
    103. 

  103. 

  104.         private static function get_tCMS_basedir() {
    105. 

  105.             $file = realpath( __FILE__ . "../../../basedir" );
    106. 

  106.             $exists = ( file_exists( $file ) ? explode( "\n", file_get_contents($file) )[0] : "/" );
    107. 

  107.         }
    108. 

  108. 

  109.     }
    110. 

  110. ?>
    111.