php-censor/src/PHPCensor/Controller/SessionController.php

<?php
/**
 * PHPCI - Continuous Integration for PHP
 *
 * @copyright    Copyright 2014, Block 8 Limited.
 * @license      https://github.com/Block8/PHPCI/blob/master/LICENSE.md
 * @link         https://www.phptesting.org/
 */

namespace PHPCensor\Controller;

use b8;
use PHPCensor\Helper\Email;
use PHPCensor\Helper\Lang;
use PHPCensor\Controller;

/**
* Session Controller - Handles user login / logout.
* @author       Dan Cryer <dan@block8.co.uk>
* @package      PHPCI
* @subpackage   Web
*/
class SessionController extends Controller
{
    /**
     * @var \PHPCensor\Store\UserStore
     */
    protected $userStore;

    /**
     * Initialise the controller, set up stores and services.
     */
    public function init()
    {
        $this->response->disableLayout();
        $this->userStore       = b8\Store\Factory::getStore('User');
    }

    /**
    * Handles user login (form and processing)
    */
    public function login()
    {
        $isLoginFailure = false;

        if ($this->request->getMethod() == 'POST') {
            $token = $this->getParam('token');
            if (!isset($token, $_SESSION['login_token']) || $token !== $_SESSION['login_token']) {
                $isLoginFailure = true;
            } else {
                unset($_SESSION['login_token']);

                $user = $this->userStore->getByEmail($this->getParam('email'));

                if ($user && password_verify($this->getParam('password', ''), $user->getHash())) {
                    session_regenerate_id(true);
                    $_SESSION['php-censor-user-id']    = $user->getId();
                    $response = new b8\Http\Response\RedirectResponse();
                    $response->setHeader('Location', $this->getLoginRedirect());
                    return $response;
                } else {
                    $isLoginFailure = true;
                }
            }
        }

        $form = new b8\Form();
        $form->setMethod('POST');
        $form->setAction(APP_URL.'session/login');

        $email = new b8\Form\Element\Email('email');
        $email->setLabel(Lang::get('email_address'));
        $email->setRequired(true);
        $email->setContainerClass('form-group');
        $email->setClass('form-control');
        $form->addField($email);

        $pwd = new b8\Form\Element\Password('password');
        $pwd->setLabel(Lang::get('password'));
        $pwd->setRequired(true);
        $pwd->setContainerClass('form-group');
        $pwd->setClass('form-control');
        $form->addField($pwd);

        $pwd = new b8\Form\Element\Submit();
        $pwd->setValue(Lang::get('log_in'));
        $pwd->setClass('btn-success');
        $form->addField($pwd);

        $tokenValue = $this->generateToken();
        $_SESSION['login_token'] = $tokenValue;
        $token = new b8\Form\Element\Hidden('token');
        $token->setValue($tokenValue);
        $form->addField($token);

        $this->view->form = $form->render();
        $this->view->failed = $isLoginFailure;

        return $this->view->render();
    }

    /**
    * Handles user logout.
    */
    public function logout()
    {
        unset($_SESSION['php-censor-user']);
        unset($_SESSION['php-censor-user-id']);

        session_destroy();

        $response = new b8\Http\Response\RedirectResponse();
        $response->setHeader('Location', APP_URL);
        return $response;
    }

    /**
     * Allows the user to request a password reset email.
     * @return string
     */
    public function forgotPassword()
    {
        if ($this->request->getMethod() == 'POST') {
            $email = $this->getParam('email', null);
            $user = $this->userStore->getByEmail($email);

            if (empty($user)) {
                $this->view->error = Lang::get('reset_no_user_exists');
                return $this->view->render();
            }

            $key = md5(date('Y-m-d') . $user->getHash());
            $url = APP_URL;

            $message = Lang::get('reset_email_body', $user->getName(), $url, $user->getId(), $key);

            $email = new Email();
            $email->setEmailTo($user->getEmail(), $user->getName());
            $email->setSubject(Lang::get('reset_email_title', $user->getName()));
            $email->setBody($message);
            $email->send();

            $this->view->emailed = true;
        }

        return $this->view->render();
    }

    /**
     * Allows the user to change their password after a password reset email.
     * @param $userId
     * @param $key
     * @return string
     */
    public function resetPassword($userId, $key)
    {
        $user = $this->userStore->getById($userId);
        $userKey = md5(date('Y-m-d') . $user->getHash());

        if (empty($user) || $key != $userKey) {
            $this->view->error = Lang::get('reset_invalid');
            return $this->view->render();
        }

        if ($this->request->getMethod() == 'POST') {
            $hash = password_hash($this->getParam('password'), PASSWORD_DEFAULT);
            $user->setHash($hash);

            $_SESSION['php-censor-user']    = $this->userStore->save($user);
            $_SESSION['php-censor-user-id'] = $user->getId();

            $response = new b8\Http\Response\RedirectResponse();
            $response->setHeader('Location', APP_URL);
            return $response;
        }

        $this->view->id = $userId;
        $this->view->key = $key;

        return $this->view->render();
    }

    /**
     * Get the URL the user was trying to go to prior to being asked to log in.
     * @return string
     */
    protected function getLoginRedirect()
    {
        $rtn = APP_URL;

        if (!empty($_SESSION['php-censor-login-redirect'])) {
            $rtn .= $_SESSION['php-censor-login-redirect'];
            $_SESSION['php-censor-login-redirect'] = null;
        }

        return $rtn;
    }

    /** Generate a random token.
     *
     * @return string
     */
    protected function generateToken()
    {
        if (function_exists('openssl_random_pseudo_bytes')) {
            return bin2hex(openssl_random_pseudo_bytes(16));
        }

        return sprintf("%04x", mt_rand(0, 0xFFFF))
            . sprintf("%04x", mt_rand(0, 0xFFFF))
            . sprintf("%04x", mt_rand(0, 0xFFFF))
            . sprintf("%04x", mt_rand(0, 0xFFFF));
    }
}
Adding user accounts. 2013-05-10 17:25:51 +02:00			`<?php`
Add file-level docblock to every file. 2013-05-16 03:16:56 +02:00			`/**`
Adding / correcting the file docblock throughout the project 2014-05-12 18:26:17 +02:00			`* PHPCI - Continuous Integration for PHP`
			`*`
			`* @copyright Copyright 2014, Block 8 Limited.`
			`* @license https://github.com/Block8/PHPCI/blob/master/LICENSE.md`
			`* @link https://www.phptesting.org/`
			`*/`
Adding user accounts. 2013-05-10 17:25:51 +02:00
Fixed namespaces (PHPCI -> PHPCensor) 2016-07-19 20:28:11 +02:00			`namespace PHPCensor\Controller;`
PSR2 compliance for PHPCI/Controller - Issue #18 2013-05-16 16:25:39 +02:00
Adding user accounts. 2013-05-10 17:25:51 +02:00			`use b8;`
Fixed namespaces (PHPCI -> PHPCensor) 2016-07-19 20:28:11 +02:00			`use PHPCensor\Helper\Email;`
			`use PHPCensor\Helper\Lang;`
			`use PHPCensor\Controller;`
Adding user accounts. 2013-05-10 17:25:51 +02:00
Add class-level docblock to every file. 2013-05-16 03:30:48 +02:00			`/**`
			`* Session Controller - Handles user login / logout.`
			`* @author Dan Cryer <dan@block8.co.uk>`
			`* @package PHPCI`
			`* @subpackage Web`
			`*/`
Code style and other small fixes 2016-05-09 08:20:26 +02:00			`class SessionController extends Controller`
Adding user accounts. 2013-05-10 17:25:51 +02:00			`{`
Better docblock type hinting for stores. 2013-10-08 19:24:20 +02:00			`/**`
Fixed namespaces in docblocks (PHPCI -> PHPCensor) 2016-07-21 19:20:59 +02:00			`* @var \PHPCensor\Store\UserStore`
Better docblock type hinting for stores. 2013-10-08 19:24:20 +02:00			`*/`
			`protected $userStore;`

Adding Docblocks throughout the project and lowering the missing docblock limit in phpci.yml to zero. Closes #692 2014-12-08 12:25:33 +01:00			`/**`
			`* Initialise the controller, set up stores and services.`
			`*/`
PSR2 compliance for PHPCI/Controller - Issue #18 2013-05-16 16:25:39 +02:00			`public function init()`
			`{`
Some fixes for subdirectory support. 2013-07-30 19:45:27 +02:00			`$this->response->disableLayout();`
Better docblock type hinting for stores. 2013-10-08 19:24:20 +02:00			`$this->userStore = b8\Store\Factory::getStore('User');`
PSR2 compliance for PHPCI/Controller - Issue #18 2013-05-16 16:25:39 +02:00			`}`
Adding user accounts. 2013-05-10 17:25:51 +02:00
Improved commenting throughout the project. Fixes #18 2013-05-16 18:17:29 +02:00			`/**`
			`* Handles user login (form and processing)`
			`*/`
PSR2 compliance for PHPCI/Controller - Issue #18 2013-05-16 16:25:39 +02:00			`public function login()`
Some fixes for subdirectory support. 2013-07-30 19:45:27 +02:00			`{`
Fixes #125 2013-10-08 08:50:42 +02:00			`$isLoginFailure = false;`

Refactoring to support updated b8framework. 2013-05-22 17:36:55 +02:00			`if ($this->request->getMethod() == 'POST') {`
Use a CSRF token on the login form to prevent CSRF attacks. 2015-03-08 17:57:16 +01:00			`$token = $this->getParam('token');`
Fixes "Undefined index: login_token". Fixes https://github.com/Block8/PHPCI/issues/994. 2015-05-26 08:46:49 +02:00			`if (!isset($token, $_SESSION['login_token']) \|\| $token !== $_SESSION['login_token']) {`
Fixes #125 2013-10-08 08:50:42 +02:00			`$isLoginFailure = true;`
Use a CSRF token on the login form to prevent CSRF attacks. 2015-03-08 17:57:16 +01:00			`} else {`
			`unset($_SESSION['login_token']);`

Restoring to login by email. 2015-10-08 21:15:20 +02:00			`$user = $this->userStore->getByEmail($this->getParam('email'));`
Use a CSRF token on the login form to prevent CSRF attacks. 2015-03-08 17:57:16 +01:00
			`if ($user && password_verify($this->getParam('password', ''), $user->getHash())) {`
Generate an new session identifier on successful login to prevent session fixation attacks. 2015-03-08 17:53:27 +01:00			`session_regenerate_id(true);`
Fixed naming (phpci -> php-censor) 2016-07-21 19:02:11 +02:00			`$_SESSION['php-censor-user-id'] = $user->getId();`
Use a CSRF token on the login form to prevent CSRF attacks. 2015-03-08 17:57:16 +01:00			`$response = new b8\Http\Response\RedirectResponse();`
			`$response->setHeader('Location', $this->getLoginRedirect());`
			`return $response;`
			`} else {`
			`$isLoginFailure = true;`
			`}`
PSR2 compliance for PHPCI/Controller - Issue #18 2013-05-16 16:25:39 +02:00			`}`
			`}`
Adding user accounts. 2013-05-10 17:25:51 +02:00
PSR2 compliance for PHPCI/Controller - Issue #18 2013-05-16 16:25:39 +02:00			`$form = new b8\Form();`
			`$form->setMethod('POST');`
Fixed constants 2016-07-21 17:20:34 +02:00			`$form->setAction(APP_URL.'session/login');`
Adding user accounts. 2013-05-10 17:25:51 +02:00
PSR2 compliance for PHPCI/Controller - Issue #18 2013-05-16 16:25:39 +02:00			`$email = new b8\Form\Element\Email('email');`
Restoring to login by email. 2015-10-08 21:15:20 +02:00			`$email->setLabel(Lang::get('email_address'));`
PSR2 compliance for PHPCI/Controller - Issue #18 2013-05-16 16:25:39 +02:00			`$email->setRequired(true);`
Initial work on upgrading to Bootstrap v3 2013-08-01 12:55:10 +02:00			`$email->setContainerClass('form-group');`
Finishing updates to make PHPCI use Bootstrap v3, as per issue #99 2013-07-31 22:04:34 +02:00			`$email->setClass('form-control');`
PSR2 compliance for PHPCI/Controller - Issue #18 2013-05-16 16:25:39 +02:00			`$form->addField($email);`
Adding user accounts. 2013-05-10 17:25:51 +02:00
PSR2 compliance for PHPCI/Controller - Issue #18 2013-05-16 16:25:39 +02:00			`$pwd = new b8\Form\Element\Password('password');`
Login, forgot password and password reset. 2014-12-04 14:24:46 +01:00			`$pwd->setLabel(Lang::get('password'));`
PSR2 compliance for PHPCI/Controller - Issue #18 2013-05-16 16:25:39 +02:00			`$pwd->setRequired(true);`
Initial work on upgrading to Bootstrap v3 2013-08-01 12:55:10 +02:00			`$pwd->setContainerClass('form-group');`
Finishing updates to make PHPCI use Bootstrap v3, as per issue #99 2013-07-31 22:04:34 +02:00			`$pwd->setClass('form-control');`
PSR2 compliance for PHPCI/Controller - Issue #18 2013-05-16 16:25:39 +02:00			`$form->addField($pwd);`
Adding user accounts. 2013-05-10 17:25:51 +02:00
PSR2 compliance for PHPCI/Controller - Issue #18 2013-05-16 16:25:39 +02:00			`$pwd = new b8\Form\Element\Submit();`
Login, forgot password and password reset. 2014-12-04 14:24:46 +01:00			`$pwd->setValue(Lang::get('log_in'));`
PSR2 compliance for PHPCI/Controller - Issue #18 2013-05-16 16:25:39 +02:00			`$pwd->setClass('btn-success');`
			`$form->addField($pwd);`
Adding user accounts. 2013-05-10 17:25:51 +02:00
Use a CSRF token on the login form to prevent CSRF attacks. 2015-03-08 17:57:16 +01:00			`$tokenValue = $this->generateToken();`
			`$_SESSION['login_token'] = $tokenValue;`
			`$token = new b8\Form\Element\Hidden('token');`
			`$token->setValue($tokenValue);`
			`$form->addField($token);`

Refactoring to support updated b8framework. 2013-05-22 17:36:55 +02:00			`$this->view->form = $form->render();`
Fixes #125 2013-10-08 08:50:42 +02:00			`$this->view->failed = $isLoginFailure;`
Use a CSRF token on the login form to prevent CSRF attacks. 2015-03-08 17:57:16 +01:00
Refactoring to support updated b8framework. 2013-05-22 17:36:55 +02:00			`return $this->view->render();`
PSR2 compliance for PHPCI/Controller - Issue #18 2013-05-16 16:25:39 +02:00			`}`
Adding user accounts. 2013-05-10 17:25:51 +02:00
Improved commenting throughout the project. Fixes #18 2013-05-16 18:17:29 +02:00			`/**`
			`* Handles user logout.`
			`*/`
PSR2 compliance for PHPCI/Controller - Issue #18 2013-05-16 16:25:39 +02:00			`public function logout()`
			`{`
Fixed naming (phpci -> php-censor) 2016-07-21 19:02:11 +02:00			`unset($_SESSION['php-censor-user']);`
			`unset($_SESSION['php-censor-user-id']);`
Updating session variables to add phpci_ prefix. Fixes #652 2014-12-01 16:56:33 +01:00
Validate if github_token exists Validate if the github_token session key exists before call it 2013-05-17 00:06:01 +02:00			`session_destroy();`
Cleaning up unnecessary use of 'die' and 'exit' 2015-02-12 13:37:56 +01:00
			`$response = new b8\Http\Response\RedirectResponse();`
Fixed constants 2016-07-21 17:20:34 +02:00			`$response->setHeader('Location', APP_URL);`
Cleaning up unnecessary use of 'die' and 'exit' 2015-02-12 13:37:56 +01:00			`return $response;`
PSR2 compliance for PHPCI/Controller - Issue #18 2013-05-16 16:25:39 +02:00			`}`
Adding forgot password functionality. 2014-05-08 22:38:32 +02:00
Adding Docblocks throughout the project and lowering the missing docblock limit in phpci.yml to zero. Closes #692 2014-12-08 12:25:33 +01:00			`/**`
			`* Allows the user to request a password reset email.`
			`* @return string`
			`*/`
Adding forgot password functionality. 2014-05-08 22:38:32 +02:00			`public function forgotPassword()`
			`{`
			`if ($this->request->getMethod() == 'POST') {`
			`$email = $this->getParam('email', null);`
			`$user = $this->userStore->getByEmail($email);`

			`if (empty($user)) {`
Login, forgot password and password reset. 2014-12-04 14:24:46 +01:00			`$this->view->error = Lang::get('reset_no_user_exists');`
Adding forgot password functionality. 2014-05-08 22:38:32 +02:00			`return $this->view->render();`
			`}`

			`$key = md5(date('Y-m-d') . $user->getHash());`
Fixed constants 2016-07-21 17:20:34 +02:00			`$url = APP_URL;`
Adding forgot password functionality. 2014-05-08 22:38:32 +02:00
Login, forgot password and password reset. 2014-12-04 14:24:46 +01:00			`$message = Lang::get('reset_email_body', $user->getName(), $url, $user->getId(), $key);`
Adding forgot password functionality. 2014-05-08 22:38:32 +02:00
			`$email = new Email();`
Fixing PHPCS and PHPMD errors 2014-05-08 22:43:06 +02:00			`$email->setEmailTo($user->getEmail(), $user->getName());`
Login, forgot password and password reset. 2014-12-04 14:24:46 +01:00			`$email->setSubject(Lang::get('reset_email_title', $user->getName()));`
Adding forgot password functionality. 2014-05-08 22:38:32 +02:00			`$email->setBody($message);`
			`$email->send();`

			`$this->view->emailed = true;`
			`}`

			`return $this->view->render();`
			`}`

Adding Docblocks throughout the project and lowering the missing docblock limit in phpci.yml to zero. Closes #692 2014-12-08 12:25:33 +01:00			`/**`
			`* Allows the user to change their password after a password reset email.`
			`* @param $userId`
			`* @param $key`
			`* @return string`
			`*/`
Fixing PHPCS and PHPMD errors 2014-05-08 22:43:06 +02:00			`public function resetPassword($userId, $key)`
Adding forgot password functionality. 2014-05-08 22:38:32 +02:00			`{`
Fixing PHPCS and PHPMD errors 2014-05-08 22:43:06 +02:00			`$user = $this->userStore->getById($userId);`
Adding forgot password functionality. 2014-05-08 22:38:32 +02:00			`$userKey = md5(date('Y-m-d') . $user->getHash());`

			`if (empty($user) \|\| $key != $userKey) {`
Login, forgot password and password reset. 2014-12-04 14:24:46 +01:00			`$this->view->error = Lang::get('reset_invalid');`
Adding forgot password functionality. 2014-05-08 22:38:32 +02:00			`return $this->view->render();`
			`}`

			`if ($this->request->getMethod() == 'POST') {`
			`$hash = password_hash($this->getParam('password'), PASSWORD_DEFAULT);`
			`$user->setHash($hash);`

Fixed naming (phpci -> php-censor) 2016-07-21 19:02:11 +02:00			`$_SESSION['php-censor-user'] = $this->userStore->save($user);`
			`$_SESSION['php-censor-user-id'] = $user->getId();`
Adding forgot password functionality. 2014-05-08 22:38:32 +02:00
Cleaning up unnecessary use of 'die' and 'exit' 2015-02-12 13:37:56 +01:00			`$response = new b8\Http\Response\RedirectResponse();`
Fixed constants 2016-07-21 17:20:34 +02:00			`$response->setHeader('Location', APP_URL);`
Cleaning up unnecessary use of 'die' and 'exit' 2015-02-12 13:37:56 +01:00			`return $response;`
Adding forgot password functionality. 2014-05-08 22:38:32 +02:00			`}`

Fixing PHPCS and PHPMD errors 2014-05-08 22:43:06 +02:00			`$this->view->id = $userId;`
Adding forgot password functionality. 2014-05-08 22:38:32 +02:00			`$this->view->key = $key;`

			`return $this->view->render();`
			`}`
Making login redirect you to where you were trying to go after logging in. 2014-05-09 12:41:34 +02:00
Adding Docblocks throughout the project and lowering the missing docblock limit in phpci.yml to zero. Closes #692 2014-12-08 12:25:33 +01:00			`/**`
			`* Get the URL the user was trying to go to prior to being asked to log in.`
			`* @return string`
			`*/`
Making login redirect you to where you were trying to go after logging in. 2014-05-09 12:41:34 +02:00			`protected function getLoginRedirect()`
			`{`
Fixed constants 2016-07-21 17:20:34 +02:00			`$rtn = APP_URL;`
Making login redirect you to where you were trying to go after logging in. 2014-05-09 12:41:34 +02:00
Fixed naming (phpci -> php-censor) 2016-07-21 19:02:11 +02:00			`if (!empty($_SESSION['php-censor-login-redirect'])) {`
			`$rtn .= $_SESSION['php-censor-login-redirect'];`
			`$_SESSION['php-censor-login-redirect'] = null;`
Making login redirect you to where you were trying to go after logging in. 2014-05-09 12:41:34 +02:00			`}`

			`return $rtn;`
			`}`
Use a CSRF token on the login form to prevent CSRF attacks. 2015-03-08 17:57:16 +01:00
			`/** Generate a random token.`
			`*`
			`* @return string`
			`*/`
			`protected function generateToken()`
			`{`
Code style fixed. 2015-03-10 21:29:10 +01:00			`if (function_exists('openssl_random_pseudo_bytes')) {`
Use a CSRF token on the login form to prevent CSRF attacks. 2015-03-08 17:57:16 +01:00			`return bin2hex(openssl_random_pseudo_bytes(16));`
			`}`

			`return sprintf("%04x", mt_rand(0, 0xFFFF))`
			`. sprintf("%04x", mt_rand(0, 0xFFFF))`
			`. sprintf("%04x", mt_rand(0, 0xFFFF))`
			`. sprintf("%04x", mt_rand(0, 0xFFFF));`
			`}`
PSR2 compliance for PHPCI/Controller - Issue #18 2013-05-16 16:25:39 +02:00			`}`