php-censor/src/PHPCensor/Controller/SessionController.php

<?php

namespace PHPCensor\Controller;

use b8;
use PHPCensor\Helper\Email;
use PHPCensor\Helper\Lang;
use PHPCensor\Controller;
use PHPCensor\Security\Authentication\Service;
use PHPCensor\Store\UserStore;

/**
 * Session Controller - Handles user login / logout.
 * 
 * @author Dan Cryer <dan@block8.co.uk>
 */
class SessionController extends Controller
{
    /**
     * @var UserStore
     */
    protected $userStore;

    /**
     * @var Service
     */
    protected $authentication;

    /**
     * Initialise the controller, set up stores and services.
     */
    public function init()
    {
        $this->response->disableLayout();

        $this->userStore      = b8\Store\Factory::getStore('User');
        $this->authentication = Service::getInstance();
    }

    /**
     * Handles user login (form and processing)
     */
    public function login()
    {
        $isLoginFailure = false;

        if ($this->request->getMethod() == 'POST') {
            $token = $this->getParam('token');
            if (!isset($token, $_SESSION['login_token']) || $token !== $_SESSION['login_token']) {
                $isLoginFailure = true;
            } else {
                unset($_SESSION['login_token']);

                $email          = $this->getParam('email');
                $password       = $this->getParam('password', '');
                $isLoginFailure = true;

                $user = $this->userStore->getByEmailOrName($email);

                $providers = $this->authentication->getLoginPasswordProviders();

                if (null !== $user) {
                    // Delegate password verification to the user provider, if found
                    $key = $user->getProviderKey();
                    $isLoginFailure = !isset($providers[$key]) || !$providers[$key]->verifyPassword($user, $password);
                } else {
                    // Ask each providers to provision the user
                    foreach ($providers as $provider) {
                        $user = $provider->provisionUser($email);
                        if ($user !== null && $provider->verifyPassword($user, $password)) {
                            $this->userStore->save($user);
                            $isLoginFailure = false;
                            break;
                        }
                    }
                }

                if (!$isLoginFailure) {
                    $_SESSION['php-censor-user-id'] = $user->getId();
                    $response = new b8\Http\Response\RedirectResponse();
                    $response->setHeader('Location', $this->getLoginRedirect());
                    return $response;
                }
            }
        }

        $form = new b8\Form();
        $form->setMethod('POST');
        $form->setAction(APP_URL . 'session/login');

        $email = new b8\Form\Element\Text('email');
        $email->setLabel(Lang::get('login'));
        $email->setRequired(true);
        $email->setContainerClass('form-group');
        $email->setClass('form-control');
        $form->addField($email);

        $pwd = new b8\Form\Element\Password('password');
        $pwd->setLabel(Lang::get('password'));
        $pwd->setRequired(true);
        $pwd->setContainerClass('form-group');
        $pwd->setClass('form-control');
        $form->addField($pwd);

        $pwd = new b8\Form\Element\Submit();
        $pwd->setValue(Lang::get('log_in'));
        $pwd->setClass('btn-success');
        $form->addField($pwd);

        $tokenValue = $this->generateToken();
        $_SESSION['login_token'] = $tokenValue;
        $token = new b8\Form\Element\Hidden('token');
        $token->setValue($tokenValue);
        $form->addField($token);

        $this->view->form = $form->render();
        $this->view->failed = $isLoginFailure;

        return $this->view->render();
    }

    /**
    * Handles user logout.
    */
    public function logout()
    {
        unset($_SESSION['php-censor-user']);
        unset($_SESSION['php-censor-user-id']);

        session_destroy();

        $response = new b8\Http\Response\RedirectResponse();
        $response->setHeader('Location', APP_URL);
        return $response;
    }

    /**
     * Allows the user to request a password reset email.
     * @return string
     */
    public function forgotPassword()
    {
        if ($this->request->getMethod() == 'POST') {
            $email = $this->getParam('email', null);
            $user = $this->userStore->getByEmail($email);

            if (empty($user)) {
                $this->view->error = Lang::get('reset_no_user_exists');
                return $this->view->render();
            }

            $key = md5(date('Y-m-d') . $user->getHash());
            $url = APP_URL;

            $message = Lang::get('reset_email_body', $user->getName(), $url, $user->getId(), $key);

            $email = new Email();
            $email->setEmailTo($user->getEmail(), $user->getName());
            $email->setSubject(Lang::get('reset_email_title', $user->getName()));
            $email->setBody($message);
            $email->send();

            $this->view->emailed = true;
        }

        return $this->view->render();
    }

    /**
     * Allows the user to change their password after a password reset email.
     * @param $userId
     * @param $key
     * @return string
     */
    public function resetPassword($userId, $key)
    {
        $user = $this->userStore->getById($userId);
        $userKey = md5(date('Y-m-d') . $user->getHash());

        if (empty($user) || $key != $userKey) {
            $this->view->error = Lang::get('reset_invalid');
            return $this->view->render();
        }

        if ($this->request->getMethod() == 'POST') {
            $hash = password_hash($this->getParam('password'), PASSWORD_DEFAULT);
            $user->setHash($hash);

            $_SESSION['php-censor-user']    = $this->userStore->save($user);
            $_SESSION['php-censor-user-id'] = $user->getId();

            $response = new b8\Http\Response\RedirectResponse();
            $response->setHeader('Location', APP_URL);
            return $response;
        }

        $this->view->id = $userId;
        $this->view->key = $key;

        return $this->view->render();
    }

    /**
     * Get the URL the user was trying to go to prior to being asked to log in.
     * @return string
     */
    protected function getLoginRedirect()
    {
        $rtn = APP_URL;

        if (!empty($_SESSION['php-censor-login-redirect'])) {
            $rtn .= $_SESSION['php-censor-login-redirect'];
            $_SESSION['php-censor-login-redirect'] = null;
        }

        return $rtn;
    }

    /** Generate a random token.
     *
     * @return string
     */
    protected function generateToken()
    {
        if (function_exists('openssl_random_pseudo_bytes')) {
            return bin2hex(openssl_random_pseudo_bytes(16));
        }

        return sprintf("%04x", mt_rand(0, 0xFFFF))
            . sprintf("%04x", mt_rand(0, 0xFFFF))
            . sprintf("%04x", mt_rand(0, 0xFFFF))
            . sprintf("%04x", mt_rand(0, 0xFFFF));
    }
}
Adding user accounts. 2013-05-10 17:25:51 +02:00			`<?php`
Added custom console Application class with migrations 2016-12-30 17:40:14 +01:00
Fixed namespaces (PHPCI -> PHPCensor) 2016-07-19 20:28:11 +02:00			`namespace PHPCensor\Controller;`
PSR2 compliance for PHPCI/Controller - Issue #18 2013-05-16 16:25:39 +02:00
Adding user accounts. 2013-05-10 17:25:51 +02:00			`use b8;`
Fixed namespaces (PHPCI -> PHPCensor) 2016-07-19 20:28:11 +02:00			`use PHPCensor\Helper\Email;`
			`use PHPCensor\Helper\Lang;`
			`use PHPCensor\Controller;`
PHP Censor fixes 2016-12-29 06:43:02 +01:00			`use PHPCensor\Security\Authentication\Service;`
			`use PHPCensor\Store\UserStore;`
Adding user accounts. 2013-05-10 17:25:51 +02:00
Add class-level docblock to every file. 2013-05-16 03:30:48 +02:00			`/**`
Code style fixes 2017-03-04 16:39:56 +01:00			`* Session Controller - Handles user login / logout.`
First version of the pluggable authentication. 2015-03-08 18:53:08 +01:00			`*`
Code style fixes 2017-03-04 16:39:56 +01:00			`* @author Dan Cryer <dan@block8.co.uk>`
			`*/`
Code style and other small fixes 2016-05-09 08:20:26 +02:00			`class SessionController extends Controller`
Adding user accounts. 2013-05-10 17:25:51 +02:00			`{`
Better docblock type hinting for stores. 2013-10-08 19:24:20 +02:00			`/**`
PHP Censor fixes 2016-12-29 06:43:02 +01:00			`* @var UserStore`
Better docblock type hinting for stores. 2013-10-08 19:24:20 +02:00			`*/`
			`protected $userStore;`

First version of the pluggable authentication. 2015-03-08 18:53:08 +01:00			`/**`
PHP Censor fixes 2016-12-29 06:43:02 +01:00			`* @var Service`
First version of the pluggable authentication. 2015-03-08 18:53:08 +01:00			`*/`
			`protected $authentication;`

Adding Docblocks throughout the project and lowering the missing docblock limit in phpci.yml to zero. Closes #692 2014-12-08 12:25:33 +01:00			`/**`
			`* Initialise the controller, set up stores and services.`
			`*/`
PSR2 compliance for PHPCI/Controller - Issue #18 2013-05-16 16:25:39 +02:00			`public function init()`
			`{`
Some fixes for subdirectory support. 2013-07-30 19:45:27 +02:00			`$this->response->disableLayout();`
Fixed LDAP authentication + unified app config options: authenticate_settings, security and ldap 2017-01-22 12:05:24 +01:00
			`$this->userStore = b8\Store\Factory::getStore('User');`
			`$this->authentication = Service::getInstance();`
PSR2 compliance for PHPCI/Controller - Issue #18 2013-05-16 16:25:39 +02:00			`}`
Adding user accounts. 2013-05-10 17:25:51 +02:00
Improved commenting throughout the project. Fixes #18 2013-05-16 18:17:29 +02:00			`/**`
First version of the pluggable authentication. 2015-03-08 18:53:08 +01:00			`* Handles user login (form and processing)`
			`*/`
PSR2 compliance for PHPCI/Controller - Issue #18 2013-05-16 16:25:39 +02:00			`public function login()`
Some fixes for subdirectory support. 2013-07-30 19:45:27 +02:00			`{`
Fixes #125 2013-10-08 08:50:42 +02:00			`$isLoginFailure = false;`

Refactoring to support updated b8framework. 2013-05-22 17:36:55 +02:00			`if ($this->request->getMethod() == 'POST') {`
Use a CSRF token on the login form to prevent CSRF attacks. 2015-03-08 17:57:16 +01:00			`$token = $this->getParam('token');`
Fixes "Undefined index: login_token". Fixes https://github.com/Block8/PHPCI/issues/994. 2015-05-26 08:46:49 +02:00			`if (!isset($token, $_SESSION['login_token']) \|\| $token !== $_SESSION['login_token']) {`
Fixes #125 2013-10-08 08:50:42 +02:00			`$isLoginFailure = true;`
Use a CSRF token on the login form to prevent CSRF attacks. 2015-03-08 17:57:16 +01:00			`} else {`
			`unset($_SESSION['login_token']);`

Fixed LDAP authentication + unified app config options: authenticate_settings, security and ldap 2017-01-22 12:05:24 +01:00			`$email = $this->getParam('email');`
			`$password = $this->getParam('password', '');`
First version of the pluggable authentication. 2015-03-08 18:53:08 +01:00			`$isLoginFailure = true;`

			`$user = $this->userStore->getByEmailOrName($email);`
Use a CSRF token on the login form to prevent CSRF attacks. 2015-03-08 17:57:16 +01:00
First version of the pluggable authentication. 2015-03-08 18:53:08 +01:00			`$providers = $this->authentication->getLoginPasswordProviders();`

			`if (null !== $user) {`
			`// Delegate password verification to the user provider, if found`
			`$key = $user->getProviderKey();`
			`$isLoginFailure = !isset($providers[$key]) \|\| !$providers[$key]->verifyPassword($user, $password);`
			`} else {`
			`// Ask each providers to provision the user`
			`foreach ($providers as $provider) {`
			`$user = $provider->provisionUser($email);`
			`if ($user !== null && $provider->verifyPassword($user, $password)) {`
			`$this->userStore->save($user);`
			`$isLoginFailure = false;`
			`break;`
			`}`
			`}`
			`}`

			`if (!$isLoginFailure) {`
			`$_SESSION['php-censor-user-id'] = $user->getId();`
Use a CSRF token on the login form to prevent CSRF attacks. 2015-03-08 17:57:16 +01:00			`$response = new b8\Http\Response\RedirectResponse();`
			`$response->setHeader('Location', $this->getLoginRedirect());`
			`return $response;`
			`}`
PSR2 compliance for PHPCI/Controller - Issue #18 2013-05-16 16:25:39 +02:00			`}`
			`}`
Adding user accounts. 2013-05-10 17:25:51 +02:00
PSR2 compliance for PHPCI/Controller - Issue #18 2013-05-16 16:25:39 +02:00			`$form = new b8\Form();`
			`$form->setMethod('POST');`
First version of the pluggable authentication. 2015-03-08 18:53:08 +01:00			`$form->setAction(APP_URL . 'session/login');`
Adding user accounts. 2013-05-10 17:25:51 +02:00
Added login by Login or Email 2017-01-04 19:39:23 +01:00			`$email = new b8\Form\Element\Text('email');`
Small fixes 2017-01-05 11:36:13 +01:00			`$email->setLabel(Lang::get('login'));`
PSR2 compliance for PHPCI/Controller - Issue #18 2013-05-16 16:25:39 +02:00			`$email->setRequired(true);`
Initial work on upgrading to Bootstrap v3 2013-08-01 12:55:10 +02:00			`$email->setContainerClass('form-group');`
Finishing updates to make PHPCI use Bootstrap v3, as per issue #99 2013-07-31 22:04:34 +02:00			`$email->setClass('form-control');`
PSR2 compliance for PHPCI/Controller - Issue #18 2013-05-16 16:25:39 +02:00			`$form->addField($email);`
Adding user accounts. 2013-05-10 17:25:51 +02:00
PSR2 compliance for PHPCI/Controller - Issue #18 2013-05-16 16:25:39 +02:00			`$pwd = new b8\Form\Element\Password('password');`
Login, forgot password and password reset. 2014-12-04 14:24:46 +01:00			`$pwd->setLabel(Lang::get('password'));`
PSR2 compliance for PHPCI/Controller - Issue #18 2013-05-16 16:25:39 +02:00			`$pwd->setRequired(true);`
Initial work on upgrading to Bootstrap v3 2013-08-01 12:55:10 +02:00			`$pwd->setContainerClass('form-group');`
Finishing updates to make PHPCI use Bootstrap v3, as per issue #99 2013-07-31 22:04:34 +02:00			`$pwd->setClass('form-control');`
PSR2 compliance for PHPCI/Controller - Issue #18 2013-05-16 16:25:39 +02:00			`$form->addField($pwd);`
Adding user accounts. 2013-05-10 17:25:51 +02:00
PSR2 compliance for PHPCI/Controller - Issue #18 2013-05-16 16:25:39 +02:00			`$pwd = new b8\Form\Element\Submit();`
Login, forgot password and password reset. 2014-12-04 14:24:46 +01:00			`$pwd->setValue(Lang::get('log_in'));`
PSR2 compliance for PHPCI/Controller - Issue #18 2013-05-16 16:25:39 +02:00			`$pwd->setClass('btn-success');`
			`$form->addField($pwd);`
Adding user accounts. 2013-05-10 17:25:51 +02:00
Use a CSRF token on the login form to prevent CSRF attacks. 2015-03-08 17:57:16 +01:00			`$tokenValue = $this->generateToken();`
			`$_SESSION['login_token'] = $tokenValue;`
			`$token = new b8\Form\Element\Hidden('token');`
			`$token->setValue($tokenValue);`
			`$form->addField($token);`

Refactoring to support updated b8framework. 2013-05-22 17:36:55 +02:00			`$this->view->form = $form->render();`
Fixes #125 2013-10-08 08:50:42 +02:00			`$this->view->failed = $isLoginFailure;`
Use a CSRF token on the login form to prevent CSRF attacks. 2015-03-08 17:57:16 +01:00
Refactoring to support updated b8framework. 2013-05-22 17:36:55 +02:00			`return $this->view->render();`
PSR2 compliance for PHPCI/Controller - Issue #18 2013-05-16 16:25:39 +02:00			`}`
Adding user accounts. 2013-05-10 17:25:51 +02:00
Improved commenting throughout the project. Fixes #18 2013-05-16 18:17:29 +02:00			`/**`
			`* Handles user logout.`
			`*/`
PSR2 compliance for PHPCI/Controller - Issue #18 2013-05-16 16:25:39 +02:00			`public function logout()`
			`{`
Fixed naming (phpci -> php-censor) 2016-07-21 19:02:11 +02:00			`unset($_SESSION['php-censor-user']);`
			`unset($_SESSION['php-censor-user-id']);`
Updating session variables to add phpci_ prefix. Fixes #652 2014-12-01 16:56:33 +01:00
Validate if github_token exists Validate if the github_token session key exists before call it 2013-05-17 00:06:01 +02:00			`session_destroy();`
Cleaning up unnecessary use of 'die' and 'exit' 2015-02-12 13:37:56 +01:00
			`$response = new b8\Http\Response\RedirectResponse();`
Fixed constants 2016-07-21 17:20:34 +02:00			`$response->setHeader('Location', APP_URL);`
Cleaning up unnecessary use of 'die' and 'exit' 2015-02-12 13:37:56 +01:00			`return $response;`
PSR2 compliance for PHPCI/Controller - Issue #18 2013-05-16 16:25:39 +02:00			`}`
Adding forgot password functionality. 2014-05-08 22:38:32 +02:00
Adding Docblocks throughout the project and lowering the missing docblock limit in phpci.yml to zero. Closes #692 2014-12-08 12:25:33 +01:00			`/**`
			`* Allows the user to request a password reset email.`
			`* @return string`
			`*/`
Adding forgot password functionality. 2014-05-08 22:38:32 +02:00			`public function forgotPassword()`
			`{`
			`if ($this->request->getMethod() == 'POST') {`
			`$email = $this->getParam('email', null);`
			`$user = $this->userStore->getByEmail($email);`

			`if (empty($user)) {`
Login, forgot password and password reset. 2014-12-04 14:24:46 +01:00			`$this->view->error = Lang::get('reset_no_user_exists');`
Adding forgot password functionality. 2014-05-08 22:38:32 +02:00			`return $this->view->render();`
			`}`

			`$key = md5(date('Y-m-d') . $user->getHash());`
Fixed constants 2016-07-21 17:20:34 +02:00			`$url = APP_URL;`
Adding forgot password functionality. 2014-05-08 22:38:32 +02:00
Login, forgot password and password reset. 2014-12-04 14:24:46 +01:00			`$message = Lang::get('reset_email_body', $user->getName(), $url, $user->getId(), $key);`
Adding forgot password functionality. 2014-05-08 22:38:32 +02:00
			`$email = new Email();`
Fixing PHPCS and PHPMD errors 2014-05-08 22:43:06 +02:00			`$email->setEmailTo($user->getEmail(), $user->getName());`
Login, forgot password and password reset. 2014-12-04 14:24:46 +01:00			`$email->setSubject(Lang::get('reset_email_title', $user->getName()));`
Adding forgot password functionality. 2014-05-08 22:38:32 +02:00			`$email->setBody($message);`
			`$email->send();`

			`$this->view->emailed = true;`
			`}`

			`return $this->view->render();`
			`}`

Adding Docblocks throughout the project and lowering the missing docblock limit in phpci.yml to zero. Closes #692 2014-12-08 12:25:33 +01:00			`/**`
			`* Allows the user to change their password after a password reset email.`
			`* @param $userId`
			`* @param $key`
			`* @return string`
			`*/`
Fixing PHPCS and PHPMD errors 2014-05-08 22:43:06 +02:00			`public function resetPassword($userId, $key)`
Adding forgot password functionality. 2014-05-08 22:38:32 +02:00			`{`
Fixing PHPCS and PHPMD errors 2014-05-08 22:43:06 +02:00			`$user = $this->userStore->getById($userId);`
Adding forgot password functionality. 2014-05-08 22:38:32 +02:00			`$userKey = md5(date('Y-m-d') . $user->getHash());`

			`if (empty($user) \|\| $key != $userKey) {`
Login, forgot password and password reset. 2014-12-04 14:24:46 +01:00			`$this->view->error = Lang::get('reset_invalid');`
Adding forgot password functionality. 2014-05-08 22:38:32 +02:00			`return $this->view->render();`
			`}`

			`if ($this->request->getMethod() == 'POST') {`
			`$hash = password_hash($this->getParam('password'), PASSWORD_DEFAULT);`
			`$user->setHash($hash);`

Fixed naming (phpci -> php-censor) 2016-07-21 19:02:11 +02:00			`$_SESSION['php-censor-user'] = $this->userStore->save($user);`
			`$_SESSION['php-censor-user-id'] = $user->getId();`
Adding forgot password functionality. 2014-05-08 22:38:32 +02:00
Cleaning up unnecessary use of 'die' and 'exit' 2015-02-12 13:37:56 +01:00			`$response = new b8\Http\Response\RedirectResponse();`
Fixed constants 2016-07-21 17:20:34 +02:00			`$response->setHeader('Location', APP_URL);`
Cleaning up unnecessary use of 'die' and 'exit' 2015-02-12 13:37:56 +01:00			`return $response;`
Adding forgot password functionality. 2014-05-08 22:38:32 +02:00			`}`

Fixing PHPCS and PHPMD errors 2014-05-08 22:43:06 +02:00			`$this->view->id = $userId;`
Adding forgot password functionality. 2014-05-08 22:38:32 +02:00			`$this->view->key = $key;`

			`return $this->view->render();`
			`}`
Making login redirect you to where you were trying to go after logging in. 2014-05-09 12:41:34 +02:00
Adding Docblocks throughout the project and lowering the missing docblock limit in phpci.yml to zero. Closes #692 2014-12-08 12:25:33 +01:00			`/**`
			`* Get the URL the user was trying to go to prior to being asked to log in.`
			`* @return string`
			`*/`
Making login redirect you to where you were trying to go after logging in. 2014-05-09 12:41:34 +02:00			`protected function getLoginRedirect()`
			`{`
Fixed constants 2016-07-21 17:20:34 +02:00			`$rtn = APP_URL;`
Making login redirect you to where you were trying to go after logging in. 2014-05-09 12:41:34 +02:00
Fixed naming (phpci -> php-censor) 2016-07-21 19:02:11 +02:00			`if (!empty($_SESSION['php-censor-login-redirect'])) {`
			`$rtn .= $_SESSION['php-censor-login-redirect'];`
			`$_SESSION['php-censor-login-redirect'] = null;`
Making login redirect you to where you were trying to go after logging in. 2014-05-09 12:41:34 +02:00			`}`

			`return $rtn;`
			`}`
Use a CSRF token on the login form to prevent CSRF attacks. 2015-03-08 17:57:16 +01:00
			`/** Generate a random token.`
			`*`
			`* @return string`
			`*/`
			`protected function generateToken()`
			`{`
Code style fixed. 2015-03-10 21:29:10 +01:00			`if (function_exists('openssl_random_pseudo_bytes')) {`
Use a CSRF token on the login form to prevent CSRF attacks. 2015-03-08 17:57:16 +01:00			`return bin2hex(openssl_random_pseudo_bytes(16));`
			`}`

			`return sprintf("%04x", mt_rand(0, 0xFFFF))`
			`. sprintf("%04x", mt_rand(0, 0xFFFF))`
			`. sprintf("%04x", mt_rand(0, 0xFFFF))`
			`. sprintf("%04x", mt_rand(0, 0xFFFF));`
			`}`
PSR2 compliance for PHPCI/Controller - Issue #18 2013-05-16 16:25:39 +02:00			`}`