#15: PHP 5.5 hash API
ulrichblock committed Oct 18, 2013
1 parent 787d28e commit 2f606b3
Showing 13 changed files with 420 additions and 111 deletions.
8 changes: 7 additions & 1 deletion THIRDPARTY
Expand Up @@ -25,4 +25,10 @@ https://github.com/aFarkas/html5shiv
These icons are public domain, and as such are free for any use (attribution appreciated but not required).
Note that these flags are named using the ISO3166-1 alpha-2 country codes where appropriate. A list of codes can be found at http://en.wikipedia.org/wiki/ISO_3166-1_alpha-2
If you find these icons useful, please donate via paypal to [email protected] (or click the donate button available at http://www.famfamfam.com/lab/icons/silk)
Contact: [email protected]
Contact: [email protected]

* password_compat
https://github.com/ircmaxell/password_compat/
Copyright Anthony Ferrara
Released under the MIT license
http://opensource.org/licenses/MIT
138 changes: 113 additions & 25 deletions external/api_users.php
Expand Up @@ -89,8 +89,9 @@
$pdo=new PDO("mysql:host=".$config['dbHost'].";dbname=".$config['dbName'],$config['dbUser'],$config['dbPwd'],array(PDO::MYSQL_ATTR_INIT_COMMAND=>"SET NAMES utf8"));
$pdo->setAttribute(PDO::ATTR_ERRMODE,PDO::ERRMODE_EXCEPTION);

// JSON array
$json=array();
// Define default values so we always have a proper return
$total = 0;
$json = array();

// User export
if ($list == 'user') {
Expand Down Expand Up @@ -148,20 +149,21 @@
} else if ($config['sourceType']=='teklab') {

// Get amount of users that are new or received an update
// The Query needs to be altered to your database. This is just an example!
$sql="SELECT COUNT(`id`) AS `amount` FROM `{$config['tblPrefix']}_members`
WHERE `rank`=1";
$query=$pdo->prepare($sql);
$query->execute(array($lastID,$updateTime));
$query->execute();
$total=$query->fetchColumn();

// users
$sql = "SELECT * FROM `{$config['tblPrefix']}_members`
WHERE `rank`=1
LIMIT $start,$chunkSize";
$query=$pdo->prepare($sql);
$query->execute(array($lastID,$updateTime));
$query->execute();
foreach ($query->fetchAll(PDO::FETCH_ASSOC) as $row) {
// Easy-Wi stores the salutation with numbers

// Teklab has also 3 for company which Easy-WI currently does not maintain
if ($row['title'] == 0) {
$salutation = 1;
} else if ($row['title']==1) {
Expand All @@ -170,6 +172,7 @@
$salutation = null;
}

// Easy-WI uses ISO code for storing countries
if ($row['country'] == 1) {
$country = 'de';
} else if ($row['country'] == 2) {
Expand All @@ -182,17 +185,17 @@
$country = null;
}

// Street and streetnumber are stored in the same column Easy-WI has individual columns
$exploded = explode(" ", $row['street']);
if (count($exploded) > 2) {
if (count($exploded) > 1) {
$streetNumber = $exploded[count($exploded) - 1];
unset($exploded[count($exploded) - 1]);
$streetName = implode(' ', $exploded);
} else {
$streetName = null;
$streetNumber = null;
}

// the keys needs to be adjusted to your table layout and query!

$json[]=array(
'externalID' => $row['id'],
'salutation' => $salutation,
Expand All @@ -215,29 +218,114 @@
);
}
}
// Echo the JSON reply with
echo json_encode(array('total' => $total,'entries' => $json));
} else if ($list == 'substitutes' and $config['sourceType']=='teklab') {
die;

} else if ($list == 'dedicated' and $config['sourceType']=='teklab') {
die;

/**
} else if ($list == 'gameroots') {
if ($config['sourceType']=='teklab') {
// Get amount of users that are new or received an update
$sql="SELECT COUNT(`id`) AS `amount` FROM `{$config['tblPrefix']}_rootserver`
WHERE `active`=1
AND `games`=1";
$query=$pdo->prepare($sql);
$query->execute();
$total=$query->fetchColumn();
// users
$sql = "SELECT * FROM `{$config['tblPrefix']}_rootserver`
WHERE `active`=1
AND `games`=1
LIMIT $start,$chunkSize";
$query=$pdo->prepare($sql);
$query->execute();
foreach ($query->fetchAll(PDO::FETCH_ASSOC) as $row) {
$json[]=array(
'externalID' => $row['id'],
'userID' => $row['memberid'],
'description' => $row['name'],
'serverIP' => $row['serverip'],
'sshPort' => $row['sshport'],
'ftpPort' => $row['ftpport'],
'cpuCores' => $row['cpucores'],
'maxRam' => $row['ram']
);
}
} else if ($list == 'gameserver' and $config['sourceType']=='teklab') {
die;
}
} else if ($list == 'gameimages') {
if ($config['sourceType']=='teklab') {
} else if ($list == 'voice' and $config['sourceType']=='teklab') {
die;
}
} else if ($list == 'gameserver') {
if ($config['sourceType']=='teklab') {
} else if ($list == 'node' and $config['sourceType']=='teklab') {
die;
}
/**
} else if ($list == 'addons') {
if ($config['sourceType']=='teklab') {
// Get amount of users that are new or received an update
$sql="SELECT COUNT(`id`) AS `amount` FROM `{$config['tblPrefix']}_games_addons`";
$query=$pdo->prepare($sql);
$query->execute();
$total=$query->fetchColumn();
// users
$sql = "SELECT * FROM `{$config['tblPrefix']}_games_addons`
LIMIT $start,$chunkSize";
$query=$pdo->prepare($sql);
$query->execute();
foreach ($query->fetchAll(PDO::FETCH_ASSOC) as $row) {
$json[]=array(
'externalID' => $row['id'],
'name' => $row['addonname'],
'description' => $row['text'],
'shortName' => $row['sname']
);
}
} else if ($list == 'virt' and $config['sourceType']=='teklab') {
die;
}
**/
} else if ($list == 'voice') {
if ($config['sourceType']=='teklab') {

}

// Substitutes at last so we can get access permissions as well
} else if ($list == 'substitutes') {
if ($config['sourceType']=='teklab') {

// Get amount of users that are new or received an update
$sql="SELECT COUNT(`id`) AS `amount` FROM `{$config['tblPrefix']}_subusers`";
$query=$pdo->prepare($sql);
$query->execute();
$total=$query->fetchColumn();

// users
$sql = "SELECT * FROM `{$config['tblPrefix']}_subusers`
LIMIT $start,$chunkSize";
$query=$pdo->prepare($sql);
$query->execute();
foreach ($query->fetchAll(PDO::FETCH_ASSOC) as $row) {
$json[]=array(
'externalID' => $row['id'],
'belongsToExternalID' => $row['memberid'],
'loginName' => $row['user'],
'firstName' => null,
'lastName' => null,
'password' => $row['password']
);
}
}
}

// Catch database error and display
// Echo the JSON reply with
echo json_encode(array('total' => $total,'entries' => $json));

// Catch database error and display
} catch(PDOException $error) {
echo json_encode(array('error' => $error->getMessage()));
}
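Review bot: The new substitutes branch exports `'password' => $row['password']` straight from the Teklab `_subusers` table, and nothing here shows whether that column holds plaintext or a hash; the importer in web/stuff/api_users.php (same commit) feeds `$data['password']` to password_hash(), so a hash would be hashed a second time and never verify at login, while a plaintext value would travel in the export. Confirm the column's format and document the expectation next to that line: `// Teklab 'password' column: importer re-hashes with password_hash(), so this must be plaintext — confirm`. The same branch builds `LIMIT $start,$chunkSize` by string interpolation, as the user query already did; unless both values are cast to int before this point (their origin is outside the hunk), write `LIMIT " . (int)$start . "," . (int)$chunkSize` here and in the user query. The catch block at the end of the section still returns `$error->getMessage()` to the client, which can disclose host, schema and credential details from a PDO connection failure; a generic error with server-side logging would be the safer default.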
61 changes: 21 additions & 40 deletions web/login.php
Expand Up @@ -50,6 +50,7 @@

include(EASYWIDIR . '/stuff/vorlage.php');
include(EASYWIDIR . '/stuff/class_validator.php');
include(EASYWIDIR . '/third_party/password_compat/password.php');
include(EASYWIDIR . '/stuff/functions.php');
include(EASYWIDIR . '/stuff/settings.php');
include(EASYWIDIR . '/stuff/keyphrasefile.php');
Expand Down Expand Up @@ -150,19 +151,17 @@

} else if ($ui->password('password1', 255, 'post') and $ui->password('password2', 255, 'post') and $ui->w('token', 32, 'get')) {

if ($ui->password('password1', 255, 'post')==$ui->password('password2', 255, 'post')) {
if ($ui->password('password1', 255, 'post') == $ui->password('password2', 255, 'post')) {

$query = $sql->prepare("SELECT `id`,`cname` FROM `userdata` WHERE `token`=? LIMIT 1");
$query->execute(array($ui->w('token',32, 'get')));
foreach ($query->fetchAll(PDO::FETCH_ASSOC) as $row) {
$username = $row['cname'];

$salt = md5(mt_rand() . date('Y-m-d H:i:s:u'));
$password = createHash($username, $ui->password('password1', 255, 'post'), $salt, $aeskey);
$text = $sprache->passwordreseted;

$query2 = $sql->prepare("UPDATE `userdata` SET `token`='',`security`=?,`salt`=? WHERE `id`=? LIMIT 1");
$query2->execute(array($password, $salt, $row['id']));
$query2 = $sql->prepare("UPDATE `userdata` SET `token`='',`security`=? WHERE `id`=? LIMIT 1");
$query2->execute(array(password_hash($ui->password('password1', 255, 'post'), PASSWORD_DEFAULT), $row['id']));
}

} else if ($ui->password('password1', 255, 'post') != $ui->password('password2', 255, 'post')) {
Expand Down Expand Up @@ -223,36 +222,15 @@
$id = $row['id'];
$active = $row['active'];
$mail = $row['mail'];
$salt = $row['salt'];
$externalID = $row['externalID'];
$security = $row['security'];
$resellerid = $row['resellerid'];
$accounttype = $row['accounttype'];

$userpassNew = createHash($username, $password, $salt, $aeskey);
$passwordCorrect = passwordCheck($password, $row['security'], $row['cname'], $row['salt'], $aeskey);

if (isset($security) and $security != $userpassNew) {

$userpassOld = passwordhash($username, $password);

// some systems do not care about security at all.
// In case we imported users from such insecure implementations we need to migrate to something safe
$md5Import = md5($password);

if ($userpassOld == $security or $md5Import == $security) {

$salt = md5(mt_rand() . date('Y-m-d H:i:s:u'));
$userpass = ($userpassOld == $security) ? $userpassOld : $security;

$query = $sql->prepare("UPDATE `userdata` SET `security`=?,`salt`=? WHERE `id`=? LIMIT 1");
$query->execute(array(createHash($username, $password, $salt, $aeskey), $salt, $id));

} else {
$userpass = $userpassNew;
}

} else {
$userpass = $userpassNew;
if ($passwordCorrect !== true and $passwordCorrect !== false) {
$query = $sql->prepare("UPDATE `userdata` SET `security`=? WHERE `id`=? LIMIT 1");
$query->execute(array($passwordCorrect, $id));
}
}

Expand All @@ -267,14 +245,18 @@
$id = $row['userID'];
$username = $row['loginName'];
$active = $row['active'];
$salt = $row['salt'];
$security = $row['passwordHashed'];
$resellerid = $row['resellerID'];
$userpass = createHash($username, $password, $salt, $aeskey);

$passwordCorrect = passwordCheck($password, $row['passwordHashed'], $row['loginName'], $row['salt'], $aeskey);

if ($passwordCorrect !== true and $passwordCorrect !== false) {
$query = $sql->prepare("UPDATE `userdata_substitutes` SET `passwordHashed`=? WHERE `sID`=? LIMIT 1");
$query->execute(array($passwordCorrect, $sID));
}
}
}

if (isset($active) and $active == 'Y' and $security != $userpass) {
if (!isset($sID) and isset($active) and $active == 'Y' and isset($passwordCorrect) and $passwordCorrect === false) {

$authLookupID = ($resellerid == $id) ? 0 : $resellerid;

Expand Down Expand Up @@ -316,11 +298,10 @@

if ($xmlReply and isset($xmlReply->success) and $xmlReply->success == 1 and $xmlReply->user == $username) {

$externalOK = 1;
$salt = md5(mt_rand() . date('Y-m-d H:i:s:u'));
$passwordCorrect = true;

$query = $sql->prepare("UPDATE `userdata` SET `security`=?,`salt`=? WHERE `id`=? LIMIT 1");
$query->execute(array(createHash($username, $password, $salt, $aeskey), $salt, $id));
$query = $sql->prepare("UPDATE `userdata` SET `security`=? WHERE `id`=? LIMIT 1");
$query->execute(array(password_hash($password, PASSWORD_DEFAULT), $id));

} else if ($xmlReply and isset($xmlReply->error)) {
$externalAuthError = $xmlReply->error;
Expand All @@ -331,7 +312,7 @@
}
}

if (isset($active) and $active == 'Y' and ($security == $userpass or (isset($externalOK) and $externalOK == 1))) {
if (isset($active) and $active == 'Y' and isset($passwordCorrect) and $passwordCorrect) {

session_unset();
session_destroy();
Expand Down Expand Up @@ -433,7 +414,7 @@
}
}

} else if (!isset($security) or $security != $userpass) {
} else if (!isset($passwordCorrect) or $passwordCorrect === false) {

$halfhour = date('Y-m-d H:i:s', strtotime('+30 minutes'));

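Review bot: The final login gate `isset($active) and $active == 'Y' and isset($passwordCorrect) and $passwordCorrect` accepts any truthy value, so it relies on passwordCheck() — defined outside this diff — returning a non-empty string only after a successful legacy-hash match; if that helper ever returns a string for any other reason, the login would succeed. Safer to normalize in the two rehash branches (`$passwordCorrect !== true and $passwordCorrect !== false`) by adding `$passwordCorrect = true;` after each UPDATE, and to tighten the gate to `$passwordCorrect === true`, which also keeps it consistent with the lockout branch's `$passwordCorrect === false`. The password-reset confirm still compares the two submitted values with `==`, which treats numeric-looking strings such as `"0e1"` and `"0e2"` as equal; use `===` there. `$security = $row['security']` is still assigned in the login hunk but is no longer read in the visible new code now that the `$security != $userpass` tests are gone, so it can be dropped or marked as retained for code outside the hunk.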
15 changes: 8 additions & 7 deletions web/stuff/api_users.php
Expand Up @@ -38,6 +38,7 @@
*/

include(EASYWIDIR . '/stuff/keyphrasefile.php');
include(EASYWIDIR . '/third_party/password_compat/password.php');

$username = '';
$externalID = '';
Expand Down Expand Up @@ -170,11 +171,14 @@
}
if (!isset($success) and isset($localID) and isset($insert) and $insert == true) {
if (!isset($data['password']) or in_array($data['password'],$bad)) $password=passwordgenerate(10);
$passwordhash=createHash($username,$password,$salt,$aeskey);

$query = $sql->prepare("UPDATE `userdata` SET `cname`=?,`security`=? WHERE `id`=? LIMIT 1");
$query->execute(array($username,$passwordhash,$localID));
$query->execute(array($username, password_hash($password, PASSWORD_DEFAULT), $localID));

$query = $sql->prepare("INSERT INTO `userdata_groups` (`userID`,`groupID`,`resellerID`) VALUES (?,?,?)");
foreach ($userGroupIDs as $groupID) $query->execute(array($localID,$groupID,$resellerID));
foreach ($userGroupIDs as $groupID) {
$query->execute(array($localID, $groupID, $resellerID));
}
} else if (!isset($success)) {
$success['false'][] = 'Could not write user to database';
}
Expand All @@ -200,10 +204,7 @@
$what = array();
if (isset($data['password']) and !in_array($data['password'],$bad)) {
$password = $data['password'];
$salt=md5(mt_rand().date('Y-m-d H:i:s:u'));
$security=createHash($name,$data['password'],$salt,$aeskey);
$what['security'] = $security;
$what['salt'] = $salt;
$what['security'] = password_hash($password, PASSWORD_DEFAULT);
}
if (isset($data['email']) and ismail($data['email'])) {
$what['mail'] = $data['email'];
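Review bot: In the insert path `password_hash($password, PASSWORD_DEFAULT)` is called, but within the visible hunk `$password` is only assigned when the incoming value is missing or in `$bad` (`passwordgenerate(10)`); the assignment for the normal case must come from earlier in the file, outside this hunk, so it is worth confirming it mirrors the update path's `$password = $data['password']`. Both paths assume `$data['password']` is plaintext — a value that is already a hash on the sending side would be hashed again and never verify at login — so state that at the top of each branch: `// $data['password'] must be the plaintext password; it is hashed here with password_hash()`. `in_array($data['password'], $bad)` uses loose comparison in both branches; pass `true` as the third argument so a numeric-looking password is not matched against a non-string entry in `$bad`. Dropping the `salt` write is consistent with the new hash format, but web/login.php in this same commit still passes `$row['salt']` to passwordCheck() for legacy rows, so the column itself must stay until those rows have been migrated.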