mirror of
https://github.com/FreshRSS/FreshRSS.git
synced 2026-01-28 15:11:07 -05:00
a81656c3ed
* Upgrade to PHP 8.1 As discussed in https://github.com/FreshRSS/FreshRSS/discussions/5474 https://www.php.net/releases/8.0/en.php https://www.php.net/releases/8.1/en.php Upgrade to available native type declarations https://php.net/language.types.declarations Upgrade to https://phpunit.de/announcements/phpunit-10.html which requires PHP 8.1+ (good timing, as version 9 was not maintained anymore) Upgrade `:oldest` Docker dev image to oldest Alpine version supporting PHP 8.1: Alpine 3.16, which includes PHP 8.1.22. * Include 6736 https://github.com/FreshRSS/FreshRSS/pull/6736
90 lines
3.0 KiB
PHP
90 lines
3.0 KiB
PHP
<?php
|
|
declare(strict_types=1);
|
|
|
|
class FreshRSS_FormAuth {
|
|
public static function checkCredentials(string $username, string $hash, string $nonce, string $challenge): bool {
|
|
if (!FreshRSS_user_Controller::checkUsername($username) ||
|
|
!ctype_graph($hash) ||
|
|
!ctype_graph($challenge) ||
|
|
!ctype_alnum($nonce)) {
|
|
Minz_Log::debug("Invalid credential parameters: user={$username}, challenge={$challenge}, nonce={$nonce}");
|
|
return false;
|
|
}
|
|
|
|
return password_verify($nonce . $hash, $challenge);
|
|
}
|
|
|
|
/** @return array<string> */
|
|
public static function getCredentialsFromCookie(): array {
|
|
$token = Minz_Session::getLongTermCookie('FreshRSS_login');
|
|
if (!ctype_alnum($token)) {
|
|
return [];
|
|
}
|
|
|
|
$token_file = DATA_PATH . '/tokens/' . $token . '.txt';
|
|
$mtime = @filemtime($token_file) ?: 0;
|
|
$limits = FreshRSS_Context::systemConf()->limits;
|
|
$cookie_duration = empty($limits['cookie_duration']) ? FreshRSS_Auth::DEFAULT_COOKIE_DURATION : $limits['cookie_duration'];
|
|
if ($mtime + $cookie_duration < time()) {
|
|
// Token has expired (> cookie_duration) or does not exist.
|
|
@unlink($token_file);
|
|
return [];
|
|
}
|
|
|
|
$credentials = @file_get_contents($token_file);
|
|
if ($credentials !== false && self::renewCookie($token)) {
|
|
return explode("\t", $credentials, 2);
|
|
}
|
|
return [];
|
|
}
|
|
|
|
private static function renewCookie(string $token): string|false {
|
|
$token_file = DATA_PATH . '/tokens/' . $token . '.txt';
|
|
if (touch($token_file)) {
|
|
$limits = FreshRSS_Context::systemConf()->limits;
|
|
$cookie_duration = empty($limits['cookie_duration']) ? FreshRSS_Auth::DEFAULT_COOKIE_DURATION : $limits['cookie_duration'];
|
|
$expire = time() + $cookie_duration;
|
|
Minz_Session::setLongTermCookie('FreshRSS_login', $token, $expire);
|
|
return $token;
|
|
}
|
|
return false;
|
|
}
|
|
|
|
public static function makeCookie(string $username, string $password_hash): string|false {
|
|
do {
|
|
$token = sha1(FreshRSS_Context::systemConf()->salt . $username . uniqid('' . mt_rand(), true));
|
|
$token_file = DATA_PATH . '/tokens/' . $token . '.txt';
|
|
} while (file_exists($token_file));
|
|
|
|
if (@file_put_contents($token_file, $username . "\t" . $password_hash) === false) {
|
|
return false;
|
|
}
|
|
|
|
return self::renewCookie($token);
|
|
}
|
|
|
|
public static function deleteCookie(): void {
|
|
$token = Minz_Session::getLongTermCookie('FreshRSS_login');
|
|
if (ctype_alnum($token)) {
|
|
Minz_Session::deleteLongTermCookie('FreshRSS_login');
|
|
@unlink(DATA_PATH . '/tokens/' . $token . '.txt');
|
|
}
|
|
|
|
if (rand(0, 10) === 1) {
|
|
self::purgeTokens();
|
|
}
|
|
}
|
|
|
|
public static function purgeTokens(): void {
|
|
$limits = FreshRSS_Context::systemConf()->limits;
|
|
$cookie_duration = empty($limits['cookie_duration']) ? FreshRSS_Auth::DEFAULT_COOKIE_DURATION : $limits['cookie_duration'];
|
|
$oldest = time() - $cookie_duration;
|
|
foreach (new DirectoryIterator(DATA_PATH . '/tokens/') as $file_info) {
|
|
$extension = $file_info->getExtension();
|
|
if ($extension === 'txt' && $file_info->getMTime() < $oldest) {
|
|
@unlink($file_info->getPathname());
|
|
}
|
|
}
|
|
}
|
|
}
|