Commit 785555c4 authored by Tino Goratsch's avatar Tino Goratsch

- reworked the Auth process

- normalized the user password and password hash into separate db fields
- save passwords as sha512 hashes and not sha1 hashes
parent a0809820
......@@ -66,16 +66,13 @@ class SessionHandler implements \SessionHandlerInterface
ini_set('session.save_handler', 'user');
session_set_save_handler($this, true);
session_register_shutdown();
// Start the session and secure it
$this->startSession();
}
}
public function __destruct()
{
session_write_close();
}
/**
* Session starten
*/
......@@ -84,8 +81,6 @@ class SessionHandler implements \SessionHandlerInterface
// Set the session cookie parameters
session_set_cookie_params(0, ROOT_DIR);
session_write_close();
// Start the session
session_start();
}
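Review bot: The session cookie is still configured with `session_set_cookie_params(0, ROOT_DIR);` on the line before `session_start()`, which leaves the `secure` and `httponly` flags at their defaults; since this commit reworks authentication, passing them explicitly, `session_set_cookie_params(0, ROOT_DIR, '', false, true);` (with `secure` set to true when the site is served over TLS), keeps the session id out of reach of script. The removed `session_write_close()` calls (the `__destruct` and the one before `session_start()`) appear to be history only, but without surviving `+`/`-` markers on this rendering it is not certain which lines are new. The `startSession()` method's header lies outside the second hunk.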
......@@ -166,15 +166,20 @@ class Account extends Core\Modules\FrontendController
// Neues Passwort
if (!empty($formData['new_pwd']) && !empty($formData['new_pwd_repeat'])) {
$salt = $this->secureHelper->salt(12);
$newPassword = $this->secureHelper->generateSaltedPassword($salt, $formData['new_pwd']);
$updateValues['pwd'] = $newPassword . ':' . $salt;
$salt = $this->secureHelper->salt(Core\Auth::SALT_LENGTH);
$newPassword = $this->secureHelper->generateSaltedPassword($salt, $formData['new_pwd'], 'sha512');
$updateValues['pwd'] = $newPassword;
$updateValues['pwd_salt'] = $salt;
}
$bool = $this->usersModel->update($updateValues, $this->auth->getUserId());
$cookieArr = explode('|', base64_decode($this->request->getCookie()->get('ACP3_AUTH', '')));
$this->auth->setCookie($formData['nickname'], isset($newPassword) ? $newPassword : $cookieArr[1], 3600);
$user = $this->usersModel->getOneById($this->auth->getUserId());
$this->auth->setCookie(
$this->auth->getUserId(),
$user['remember_me_token'],
Core\Auth::REMEMBER_ME_COOKIE_LIFETIME
);
$this->formTokenHelper->unsetFormToken();
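Review bot: `generateSaltedPassword($salt, $formData['new_pwd'], 'sha512')` stores a single salted SHA-512 digest, which is a fast hash rather than a password KDF; the same construction appears in the admin Index, the frontend Index and the Install controller, and all of them would be better served by `password_hash($formData['new_pwd'], PASSWORD_DEFAULT)` with `password_verify()` on login (the separate salt column then becomes unnecessary). The new `setCookie()` call re-reads `$user['remember_me_token']`, but nothing in `$updateValues` rotates that token, so unless the model regenerates it a remember-me cookie issued before the password change presumably stays valid afterwards. Unlike the admin controller, the cookie is also set unconditionally here rather than only when a `Core\Auth::AUTH_NAME` cookie is present, which is worth guarding the same way. The enclosing action method starts and ends outside the hunk.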
......@@ -252,13 +252,14 @@ class Index extends Core\Modules\AdminController
$this->handleCreatePostAction(function() use ($formData) {
$this->usersValidator->validate($formData);
$salt = $this->secureHelper->salt(12);
$salt = $this->secureHelper->salt(15);
$insertValues = [
'id' => '',
'super_user' => (int)$formData['super_user'],
'nickname' => Core\Functions::strEncode($formData['nickname']),
'pwd' => $this->secureHelper->generateSaltedPassword($salt, $formData['pwd']) . ':' . $salt,
'pwd' => $this->secureHelper->generateSaltedPassword($salt, $formData['pwd'], 'sha512'),
'pwd_salt' => $salt,
'realname' => Core\Functions::strEncode($formData['realname']),
'gender' => (int)$formData['gender'],
'birthday' => $formData['birthday'],
......@@ -333,17 +334,22 @@ class Index extends Core\Modules\AdminController
// Neues Passwort
if (!empty($formData['new_pwd']) && !empty($formData['new_pwd_repeat'])) {
$salt = $this->secureHelper->salt(12);
$newPassword = $this->secureHelper->generateSaltedPassword($salt, $formData['new_pwd']);
$updateValues['pwd'] = $newPassword . ':' . $salt;
$salt = $this->secureHelper->salt(Core\Auth::SALT_LENGTH);
$newPassword = $this->secureHelper->generateSaltedPassword($salt, $formData['new_pwd'], 'sha512');
$updateValues['pwd'] = $newPassword;
$updateValues['pwd_salt'] = $salt;
}
$bool = $this->usersModel->update($updateValues, $id);
// Falls sich der User selbst bearbeitet hat, Cookie aktualisieren
if ($this->request->getParameters()->get('id') == $this->auth->getUserId()) {
$cookieArray = explode('|', base64_decode($this->request->getCookie()->get('ACP3_AUTH', '')));
$this->auth->setCookie($formData['nickname'], isset($newPassword) ? $newPassword : $cookieArray[1], 3600);
if ($id == $this->auth->getUserId() && $this->request->getCookie()->has(Core\Auth::AUTH_NAME)) {
$user = $this->usersModel->getOneById($id);
$this->auth->setCookie(
$id,
$user['remember_me_token'],
Core\Auth::REMEMBER_ME_COOKIE_LIFETIME
);
}
$this->formTokenHelper->unsetFormToken();
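Review bot: In the create action `$salt = $this->secureHelper->salt(15);` hard-codes the salt length while the edit action in the same file (and every other call site in this commit) uses `Core\Auth::SALT_LENGTH`; the literal should become `$salt = $this->secureHelper->salt(Core\Auth::SALT_LENGTH);` so the value stays within the `VARCHAR(16)` `pwd_salt` column if the constant ever changes. In the edit action, `$id == $this->auth->getUserId()` compares with loose equality; `(int)$id === (int)$this->auth->getUserId()` makes the intent explicit. Both the create closure and the edit action continue outside the hunks shown.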
......@@ -226,7 +226,7 @@ class Index extends Core\Modules\FrontendController
$this->usersValidator->validateForgotPassword($formData);
// Neues Passwort und neuen Zufallsschlüssel erstellen
$newPassword = $this->secureHelper->salt(8);
$newPassword = $this->secureHelper->salt(Core\Auth::SALT_LENGTH);
$host = $this->request->getHostname();
// Je nachdem, wie das Feld ausgefüllt wurde, dieses auswählen
......@@ -249,9 +249,10 @@ class Index extends Core\Modules\FrontendController
// Das Passwort des Benutzers nur abändern, wenn die E-Mail erfolgreich versendet werden konnte
if ($mailIsSent === true) {
$salt = $this->secureHelper->salt(12);
$salt = $this->secureHelper->salt(Core\Auth::SALT_LENGTH);
$updateValues = [
'pwd' => $this->secureHelper->generateSaltedPassword($salt, $newPassword) . ':' . $salt,
'pwd' => $this->secureHelper->generateSaltedPassword($salt, $newPassword, 'sha512'),
'pwd_salt' => $salt,
'login_errors' => 0
];
$bool = $this->usersModel->update($updateValues, $user['id']);
......@@ -294,11 +295,12 @@ class Index extends Core\Modules\FrontendController
);
$mailIsSent = $this->sendEmail->execute('', $formData['mail'], $settings['mail'], $subject, $body);
$salt = $this->secureHelper->salt(12);
$salt = $this->secureHelper->salt(Core\Auth::SALT_LENGTH);
$insertValues = [
'id' => '',
'nickname' => Core\Functions::strEncode($formData['nickname']),
'pwd' => $this->secureHelper->generateSaltedPassword($salt, $formData['pwd']) . ':' . $salt,
'pwd' => $this->secureHelper->generateSaltedPassword($salt, $formData['pwd'], 'sha512'),
'pwd_salt' => $salt,
'mail' => $formData['mail'],
'date_format_long' => $systemSettings['date_format_long'],
'date_format_short' => $systemSettings['date_format_short'],
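Review bot: In the forgot-password hunk the `$updateValues` array ending at `'login_errors' => 0` replaces `pwd` and `pwd_salt` but leaves `remember_me_token` untouched, so a remember-me cookie issued before the reset presumably keeps working unless the token is regenerated elsewhere; regenerating or clearing the token in the same update closes that window. The temporary password is produced by `$this->secureHelper->salt(Core\Auth::SALT_LENGTH)`, i.e. the salt generator, so its strength depends on that helper's randomness source, which is not visible here; a `random_bytes()`-backed generator is the safe choice for a value that is mailed out as a credential. The registration hunk uses the same salted-SHA-512 construction as the other controllers. The enclosing action methods start and end outside the hunks.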
......@@ -73,6 +73,12 @@ class Migration extends Modules\Installer\AbstractMigration
$this->schemaHelper->moduleIsInstalled('menus') || $this->schemaHelper->moduleIsInstalled('menu_items') ? 'UPDATE `{pre}menu_items` SET `uri`=REPLACE(`uri`, "users/logout/", "users/index/logout/") WHERE `uri` LIKE "users/logout/%";' : '',
$this->schemaHelper->moduleIsInstalled('menus') || $this->schemaHelper->moduleIsInstalled('menu_items') ? 'UPDATE `{pre}menu_items` SET `uri`=REPLACE(`uri`, "users/register/", "users/index/register/") WHERE `uri` LIKE "users/register/%";' : '',
$this->schemaHelper->moduleIsInstalled('menus') || $this->schemaHelper->moduleIsInstalled('menu_items') ? 'UPDATE `{pre}menu_items` SET `uri`=REPLACE(`uri`, "users/view_profile/", "users/index/view_profile/") WHERE `uri` LIKE "users/view_profile/%";' : '',
],
40 => [
"ALTER TABLE `{pre}users` ADD `pwd_salt` VARCHAR(16) NOT NULL AFTER `pwd`;",
"UPDATE `{pre}users` SET `pwd_salt` = SUBSTRING(`pwd`, 42), `pwd` = SUBSTRING(`pwd`, 1, 40);",
"ALTER TABLE `{pre}users` ADD `remember_me_token` VARCHAR(128) NOT NULL AFTER `pwd_salt`;",
"ALTER TABLE `{pre}users` CHANGE `pwd` `pwd` VARCHAR(128) NOT NULL;",
]
];
}
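Review bot: The version-40 statement `UPDATE {pre}users SET pwd_salt = SUBSTRING(pwd, 42), pwd = SUBSTRING(pwd, 1, 40);` keeps the existing 40-character SHA-1 digests in `pwd` while new accounts are written as 128-character SHA-512 digests, so the login path has to recognise both formats (by length, presumably) or every pre-existing user is locked out; the Auth changes are collapsed on this page, so that cannot be confirmed here. A rehash-on-successful-login step would let the legacy SHA-1 rows be retired over time. Rows whose `pwd` did not follow the `hash:salt` layout end up with an empty `pwd_salt`, which the migration silently accepts; a comment on the array entry stating the assumed 40+1+12 layout would help the next reader. The `getSchemaUpdates()`-style method enclosing this array starts outside the hunk.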
......@@ -31,7 +31,7 @@ class Schema implements Modules\Installer\SchemaInterface
*/
public function getSchemaVersion()
{
return 39;
return 40;
}
/**
......@@ -44,7 +44,9 @@ class Schema implements Modules\Installer\SchemaInterface
`id` INT(10) UNSIGNED NOT NULL AUTO_INCREMENT,
`super_user` TINYINT(1) UNSIGNED NOT NULL,
`nickname` VARCHAR(30) NOT NULL,
`pwd` VARCHAR(53) NOT NULL,
`pwd` VARCHAR(128) NOT NULL,
`pwd_salt` VARCHAR(16) NOT NULL,
`remember_me_token` VARCHAR(128) NOT NULL,
`login_errors` TINYINT(1) UNSIGNED NOT NULL,
`realname` VARCHAR(80) NOT NULL,
`gender` TINYINT(1) NOT NULL,
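Review bot: The new `remember_me_token` VARCHAR(128) column has no index, yet a remember-me cookie is presumably resolved by looking that token up, so each such lookup would scan the users table; a `UNIQUE` or at least a plain index on it is worth adding (the Auth code that consumes it is collapsed on this page). `pwd VARCHAR(128)` is sized exactly to a hex SHA-512 digest and `pwd_salt VARCHAR(16)` to the salt; if the hashing is later moved to `password_hash()`, `pwd` should become `VARCHAR(255)`. The version bump hunk is trivial. The CREATE TABLE string continues outside the hunk.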
......@@ -2,6 +2,7 @@
namespace ACP3\Installer\Modules\Install\Controller;
use ACP3\Core\Auth;
use ACP3\Core\Filesystem;
use ACP3\Core\Functions;
use ACP3\Core\Helpers\Secure;
......@@ -282,14 +283,14 @@ class Install extends AbstractController
/** @var \ACP3\Core\DB db */
$this->db = $this->get('core.db');
$salt = $this->secureHelper->salt(12);
$salt = $this->secureHelper->salt(Auth::SALT_LENGTH);
$currentDate = gmdate('Y-m-d H:i:s');
$queries = [
"INSERT INTO
`{pre}users`
VALUES
('', 1, {$this->db->getConnection()->quote($formData["user_name"])}, '{$this->secureHelper->generateSaltedPassword($salt, $formData["user_pwd"])}:{$salt}', 0, '', '1', '', 0, '{$formData["mail"]}', 0, '', '', '', '', '', '', '', '', 0, 0, {$this->db->getConnection()->quote($formData["date_format_long"])}, {$this->db->getConnection()->quote($formData["date_format_short"])}, '{$formData["date_time_zone"]}', '{$this->lang->getLanguage()}', '20', '', '{$currentDate}');",
('', 1, {$this->db->getConnection()->quote($formData["user_name"])}, '{$this->secureHelper->generateSaltedPassword($salt, $formData["user_pwd"], 'sha512')}', '{$salt}', '', 0, '', '1', '', 0, '{$formData["mail"]}', 0, '', '', '', '', '', '', '', '', 0, 0, {$this->db->getConnection()->quote($formData["date_format_long"])}, {$this->db->getConnection()->quote($formData["date_format_short"])}, '{$formData["date_time_zone"]}', '{$this->lang->getLanguage()}', '20', '', '{$currentDate}');",
];
return $this->get('core.modules.schemaHelper')->executeSqlQueries($queries);
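Review bot: The rewritten INSERT still interpolates `{$formData["mail"]}` and `{$formData["date_time_zone"]}` straight into the SQL string while only the user name and date formats go through `quote()`; these should be quoted the same way, `{$this->db->getConnection()->quote($formData["mail"])}`, or the whole statement turned into a prepared insert with bound parameters. The positional VALUES list gained a new `'{$salt}', ''` pair to match the two added columns, which will silently misalign on the next schema change; naming the columns in the INSERT would turn such a mismatch into a hard error. The install method starts before the hunk.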