<?php
namespace PHPCensor\Controller;
use b8;
use PHPCensor\Helper\Email;
use PHPCensor\Helper\Lang;
use PHPCensor\Controller;
use PHPCensor\Security\Authentication\Service;
use PHPCensor\Store\UserStore;
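/**
 * Session Controller - Handles user login / logout.
 *
 * Also serves the password-reset flow: requesting a reset e-mail and setting
 * a new password from the emailed link.
 *
 * @author Dan Cryer <dan@block8.co.uk>
 */
class SessionController extends Controller
{
    /**
     * @var UserStore
     */
    protected $userStore;

    /**
     * @var Service
     */
    protected $authentication;

    /**
     * Initialise the controller, set up stores and services.
     */
    public function init()
    {
        $this->response->disableLayout();

        $this->userStore      = b8\Store\Factory::getStore('User');
        $this->authentication = Service::getInstance();
    }

    /**
     * Handles user login (form and processing).
     *
     * On POST the one-time form token is checked first; only then are the
     * credentials handed to the login/password providers. On success the user
     * id is stored in the session and a redirect response is returned.
     * Otherwise the login form is rendered with a fresh token.
     *
     * @return mixed Redirect response on success, rendered login view otherwise.
     */
    public function login()
    {
        $isLoginFailure = false;

        if ($this->request->getMethod() == 'POST') {
            $token        = $this->getParam('token');
            $sessionToken = isset($_SESSION['login_token']) ? $_SESSION['login_token'] : null;

            // Constant-time comparison of the form token. A missing, non-string
            // or empty token on either side never matches, so a token that
            // failed to generate cannot be satisfied by an empty field.
            $isTokenValid = is_string($token)
                && is_string($sessionToken)
                && $sessionToken !== ''
                && hash_equals($sessionToken, $token);

            if (!$isTokenValid) {
                $isLoginFailure = true;
            } else {
                // The token is single-use: drop it as soon as it has matched.
                unset($_SESSION['login_token']);

                $email    = $this->getParam('email');
                $password = $this->getParam('password', '');

                // Fail closed: only an explicit successful verification below flips this.
                $isLoginFailure = true;

                $user      = $this->userStore->getByEmailOrName($email);
                $providers = $this->authentication->getLoginPasswordProviders();

                if (null !== $user) {
                    // Delegate password verification to the user's provider, if found.
                    $key            = $user->getProviderKey();
                    $isLoginFailure = !isset($providers[$key])
                        || !$providers[$key]->verifyPassword($user, $password);
                } else {
                    // Ask each provider to provision the user; the first one that
                    // also verifies the password wins and the user is persisted.
                    foreach ($providers as $provider) {
                        $user = $provider->provisionUser($email);

                        if ($user !== null && $provider->verifyPassword($user, $password)) {
                            $this->userStore->save($user);
                            $isLoginFailure = false;
                            break;
                        }
                    }
                }

                if (!$isLoginFailure) {
                    // Issue a new session id when the session becomes authenticated,
                    // so an id that was known before login is not carried over.
                    if (session_status() === PHP_SESSION_ACTIVE) {
                        session_regenerate_id(true);
                    }

                    $_SESSION['php-censor-user-id'] = $user->getId();

                    $response = new b8\Http\Response\RedirectResponse();
                    $response->setHeader('Location', $this->getLoginRedirect());

                    return $response;
                }
            }
        }

        $form = new b8\Form();
        $form->setMethod('POST');
        $form->setAction(APP_URL . 'session/login');

        $emailField = new b8\Form\Element\Text('email');
        $emailField->setLabel(Lang::get('login'));
        $emailField->setRequired(true);
        $emailField->setContainerClass('form-group');
        $emailField->setClass('form-control');
        $form->addField($emailField);

        $passwordField = new b8\Form\Element\Password('password');
        $passwordField->setLabel(Lang::get('password'));
        $passwordField->setRequired(true);
        $passwordField->setContainerClass('form-group');
        $passwordField->setClass('form-control');
        $form->addField($passwordField);

        $submit = new b8\Form\Element\Submit();
        $submit->setValue(Lang::get('log_in'));
        $submit->setClass('btn-success');
        $form->addField($submit);

        // A fresh token is issued on every render and mirrored in the session.
        $tokenValue              = $this->generateToken();
        $_SESSION['login_token'] = $tokenValue;

        $tokenField = new b8\Form\Element\Hidden('token');
        $tokenField->setValue($tokenValue);
        $form->addField($tokenField);

        $this->view->form   = $form->render();
        $this->view->failed = $isLoginFailure;

        return $this->view->render();
    }

    /**
     * Handles user logout.
     *
     * Clears the user entries from the session, destroys the session and
     * redirects to the application root.
     *
     * @return b8\Http\Response\RedirectResponse
     */
    public function logout()
    {
        unset($_SESSION['php-censor-user'], $_SESSION['php-censor-user-id']);

        session_destroy();

        $response = new b8\Http\Response\RedirectResponse();
        $response->setHeader('Location', APP_URL);

        return $response;
    }

    /**
     * Allows the user to request a password reset email.
     *
     * @return string
     */
    public function forgotPassword()
    {
        if ($this->request->getMethod() == 'POST') {
            $address = $this->getParam('email', null);
            $user    = $this->userStore->getByEmail($address);

            if (empty($user)) {
                // NOTE(review): this distinct message tells the requester whether an
                // address is registered. A uniform "if the account exists, a mail was
                // sent" reply would avoid that; left as-is because it changes the UI.
                $this->view->error = Lang::get('reset_no_user_exists');

                return $this->view->render();
            }

            // NOTE(review): the reset key is derived only from today's date and the
            // stored password hash, so it is predictable to anyone who can read that
            // hash and stays valid for the rest of the day. A random, stored,
            // single-use token would be stronger but needs storage not visible here.
            // The derivation must stay identical to the one in resetPassword().
            $key = md5(date('Y-m-d') . $user->getHash());
            $url = APP_URL;

            $message = Lang::get('reset_email_body', $user->getName(), $url, $user->getId(), $key);

            $mail = new Email();
            $mail->setEmailTo($user->getEmail(), $user->getName());
            $mail->setSubject(Lang::get('reset_email_title', $user->getName()));
            $mail->setBody($message);
            $mail->send();

            $this->view->emailed = true;
        }

        return $this->view->render();
    }

    /**
     * Allows the user to change their password after a password reset email.
     *
     * The key from the link is checked against the key derived for the user
     * before anything else happens. On a POST with a non-empty password the
     * new hash is stored, the user is logged in and redirected.
     *
     * @param $userId
     * @param $key
     * @return string
     */
    public function resetPassword($userId, $key)
    {
        $user = $this->userStore->getById($userId);

        // Look the user up before touching it: an unknown id must produce the
        // "invalid" page, not a call on a missing user. The key is compared as a
        // string in constant time; a loose != on two hex digests can treat
        // different "0e..."-style values as equal numbers.
        $isKeyValid = false;
        if (!empty($user) && is_string($key)) {
            $userKey    = md5(date('Y-m-d') . $user->getHash());
            $isKeyValid = hash_equals($userKey, $key);
        }

        if (!$isKeyValid) {
            $this->view->error = Lang::get('reset_invalid');

            return $this->view->render();
        }

        if ($this->request->getMethod() == 'POST') {
            $password = $this->getParam('password');

            // Never store a hash of a missing or empty password; in that case the
            // form is simply shown again (no dedicated message key is visible here).
            if (is_string($password) && $password !== '') {
                $user->setHash(password_hash($password, PASSWORD_DEFAULT));

                $savedUser = $this->userStore->save($user);

                // The reset logs the user in, so switch to a new session id first.
                if (session_status() === PHP_SESSION_ACTIVE) {
                    session_regenerate_id(true);
                }

                $_SESSION['php-censor-user']    = $savedUser;
                $_SESSION['php-censor-user-id'] = $user->getId();

                $response = new b8\Http\Response\RedirectResponse();
                $response->setHeader('Location', APP_URL);

                return $response;
            }
        }

        $this->view->id  = $userId;
        $this->view->key = $key;

        return $this->view->render();
    }

    /**
     * Get the URL the user was trying to go to prior to being asked to log in.
     *
     * The stored value is appended to APP_URL and then cleared from the session.
     *
     * @return string
     */
    protected function getLoginRedirect()
    {
        $rtn = APP_URL;

        if (!empty($_SESSION['php-censor-login-redirect'])) {
            // NOTE(review): the stored value is used unvalidated; presumably it is a
            // path relative to APP_URL set by the code that forced the login — confirm
            // at the place where it is written.
            $rtn .= $_SESSION['php-censor-login-redirect'];

            $_SESSION['php-censor-login-redirect'] = null;
        }

        return $rtn;
    }

    /**
     * Generate a random token.
     *
     * Sources are tried from strongest to weakest: random_bytes(), then
     * openssl_random_pseudo_bytes() (only if it reports a strong result), and
     * finally mt_rand() as a last resort.
     *
     * @return string Hexadecimal token; 32 characters from the first two sources,
     *                16 from the mt_rand() fallback.
     */
    protected function generateToken()
    {
        if (function_exists('random_bytes')) {
            try {
                return bin2hex(random_bytes(16));
            } catch (\Exception $e) {
                // No usable randomness source for random_bytes(); try the next one.
            }
        }

        if (function_exists('openssl_random_pseudo_bytes')) {
            $strong = false;
            $bytes  = openssl_random_pseudo_bytes(16, $strong);

            // A failed call must not become an empty token, and a result flagged
            // as not cryptographically strong is not used.
            if ($bytes !== false && $strong) {
                return bin2hex($bytes);
            }
        }

        // Last resort kept for compatibility: mt_rand() is not a cryptographically
        // secure generator, so tokens produced here are guessable in principle.
        return sprintf(
            '%04x%04x%04x%04x',
            mt_rand(0, 0xFFFF),
            mt_rand(0, 0xFFFF),
            mt_rand(0, 0xFFFF),
            mt_rand(0, 0xFFFF)
        );
    }
}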