<?php
/* Copyright (c) Anuko International Ltd. https://www.anuko.com
License: See license.txt */
/**
* Auth_db class is used to authenticate users against internal DB
* @package TimeTracker
*/
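class Auth_db extends Auth {
    /**
     * Authenticate user against internal users DB.
     *
     * Two storage schemes are supported, selected by the AUTH_DB_HASH_ALGORITHM
     * constant: password_hash() style hashes when it is non-empty, legacy
     * unsalted md5 otherwise. Only active accounts (status = 1) can log in.
     *
     * @param string $login    login as entered on the login form
     * @param string $password plain-text password as entered on the login form
     * @return mixed array('login' => ..., 'id' => ...) on success, false otherwise
     */
    function authenticate($login, $password)
    {
        $mdb2 = getConnection();

        if (AUTH_DB_HASH_ALGORITHM !== '') {
            return $this->authenticateWithHash($mdb2, $login, $password);
        }
        return $this->authenticateWithMd5($mdb2, $login, $password);
    }

    /**
     * Match the password against a password_hash() hash stored in tt_users.password,
     * upgrading the stored hash in place when password_needs_rehash() says so.
     *
     * @param object $mdb2     open MDB2 connection from getConnection()
     * @param string $login
     * @param string $password
     * @return mixed array('login', 'id') on success, false otherwise
     */
    private function authenticateWithHash($mdb2, $login, $password)
    {
        // The hash is fetched rather than compared in SQL so that password_verify()
        // performs the comparison.
        $sth = $mdb2->prepare('SELECT id, password as hash FROM tt_users WHERE login=:login AND status=:status', array('text', 'integer'));
        $res = $sth->execute(array('login' => $login, 'status' => 1));
        if (is_a($res, 'PEAR_Error')) {
            // Project-wide convention: a failed query ends the request. The driver
            // message is sent to the browser this way.
            die($res->getMessage());
        }

        $val = $res->fetchRow();
        if (!isset($val['id']) || !($val['id'] > 0)) {
            // Unknown or inactive login. NOTE(review): this path never calls
            // password_verify(), so it completes faster than a wrong password for a
            // known login; a dummy password_verify() here would equalize the two.
            return false;
        }
        if (!password_verify($password, $val['hash'])) {
            return false;
        }

        // Transparent upgrade: re-hash with the configured algorithm/options when the
        // stored hash predates them. Assumes PASSWORD_ALGORITHM is derived from
        // AUTH_DB_HASH_ALGORITHM in the configuration -- TODO confirm.
        if (password_needs_rehash($val['hash'], PASSWORD_ALGORITHM, AUTH_DB_HASH_ALGORITHM_OPTIONS)) {
            $this->storeRehashedPassword($mdb2, $val['id'], $password);
        }

        return array('login' => $login, 'id' => $val['id']);
    }

    /**
     * Replace the stored hash for one user with a freshly computed password_hash().
     *
     * @param object $mdb2     open MDB2 connection
     * @param int    $id       tt_users.id of the authenticated user
     * @param string $password plain-text password that was just verified
     * @return void
     */
    private function storeRehashedPassword($mdb2, $id, $password)
    {
        $sth = $mdb2->prepare('UPDATE tt_users SET password=:password WHERE id=:id', array('text', 'integer'));
        $affected = $sth->execute(array(
            'password' => password_hash($password, PASSWORD_ALGORITHM, AUTH_DB_HASH_ALGORITHM_OPTIONS),
            'id' => $id,
        ));
        if (is_a($affected, 'PEAR_Error')) die($affected->getMessage());
    }

    /**
     * Legacy scheme: tt_users.password holds an unsalted md5 of the password, so the
     * comparison happens in SQL. md5 gives no protection against offline cracking of
     * a leaked table; setting AUTH_DB_HASH_ALGORITHM switches to password_hash() and
     * upgrades hashes on the next successful login.
     *
     * @param object $mdb2     open MDB2 connection
     * @param string $login
     * @param string $password
     * @return mixed array('login', 'id') on success, false otherwise
     */
    private function authenticateWithMd5($mdb2, $login, $password)
    {
        $sth = $mdb2->prepare('SELECT id FROM tt_users WHERE login=:login AND password=:password AND status=:status', array('text', 'text', 'integer'));
        $res = $sth->execute(array('login' => $login, 'password' => md5($password), 'status' => 1));
        if (is_a($res, 'PEAR_Error')) {
            die($res->getMessage());
        }

        $val = $res->fetchRow();
        if (isset($val['id']) && $val['id'] > 0) {
            return array('login' => $login, 'id' => $val['id']);
        }
        return false;
    }

    /**
     * Passwords for this backend live in the internal DB, not in an external system.
     *
     * @return bool always false
     */
    function isPasswordExternal() {
        return false;
    }
}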