1 | <?php |
||
2 | /** |
||
3 | * Library for managing user tokens |
||
4 | */ |
||
5 | |||
6 | /** |
||
7 | * Obtain a token for a user. |
||
8 | * |
||
9 | * @param string $username The username |
||
10 | * @param int $expire Minutes until token expires (default is 60 minutes) |
||
11 | * |
||
12 | * @return bool |
||
13 | */ |
||
14 | function create_user_token($username, $expire = 60) { |
||
15 | $dbprefix = elgg_get_config('dbprefix'); |
||
16 | $user = get_user_by_username($username); |
||
17 | $time = time() + 60 * $expire; |
||
18 | |||
19 | $token = _elgg_services()->crypto->getRandomString(32, ElggCrypto::CHARS_HEX); |
||
20 | |||
21 | if (!$user) { |
||
22 | return false; |
||
23 | } |
||
24 | |||
25 | if (insert_data("INSERT into {$dbprefix}users_apisessions |
||
26 | (user_guid, token, expires) values |
||
27 | ({$user->guid}, '$token', '$time') |
||
28 | on duplicate key update token='$token', expires='$time'")) { |
||
29 | return $token; |
||
30 | } |
||
31 | |||
32 | return false; |
||
33 | } |
||
34 | |||
35 | /** |
||
36 | * Get all tokens attached to a user |
||
37 | * |
||
38 | * @param int $user_guid The user GUID |
||
39 | * |
||
40 | * @return false if none available or array of stdClass objects |
||
41 | * (see users_apisessions schema for available variables in objects) |
||
42 | * @since 1.7.0 |
||
43 | */ |
||
44 | function get_user_tokens($user_guid) { |
||
45 | $dbprefix = elgg_get_config('dbprefix'); |
||
46 | $user_guid = (int) $user_guid; |
||
47 | |||
48 | $tokens = get_data("SELECT * from {$dbprefix}users_apisessions |
||
49 | where user_guid=$user_guid"); |
||
50 | |||
51 | return $tokens; |
||
0 ignored issues
–
show
Bug
Best Practice
introduced
by
Loading history...
|
|||
52 | } |
||
53 | |||
54 | /** |
||
55 | * Validate a token against a given site. |
||
56 | * |
||
57 | * A token registered with one site can not be used from a |
||
58 | * different apikey(site), so be aware of this during development. |
||
59 | * |
||
60 | * @param string $token The Token. |
||
61 | * |
||
62 | * @return mixed The user id attached to the token if not expired or false. |
||
63 | */ |
||
64 | function validate_user_token($token) { |
||
65 | $dbprefix = elgg_get_config('dbprefix'); |
||
66 | $token = sanitise_string($token); |
||
67 | $time = time(); |
||
68 | |||
69 | $user = get_data_row("SELECT * from {$dbprefix}users_apisessions |
||
70 | where token='$token' and $time < expires"); |
||
71 | |||
72 | if ($user) { |
||
0 ignored issues
–
show
The expression
$user of type array is implicitly converted to a boolean; are you sure this is intended? If so, consider using ! empty($expr) instead to make it clear that you intend to check for an array without elements.
This check marks implicit conversions of arrays to boolean values in a comparison. While in PHP an empty array is considered to be equal (but not identical) to false, this is not always apparent. Consider making the comparison explicit by using
Loading history...
|
|||
73 | return $user->user_guid; |
||
74 | } |
||
75 | |||
76 | return false; |
||
77 | } |
||
78 | |||
79 | /** |
||
80 | * Remove user token |
||
81 | * |
||
82 | * @param string $token The token |
||
83 | * |
||
84 | * @return bool |
||
85 | * @since 1.7.0 |
||
86 | */ |
||
87 | function remove_user_token($token) { |
||
88 | $dbprefix = elgg_get_config('dbprefix'); |
||
89 | $token = sanitise_string($token); |
||
90 | |||
91 | return delete_data("DELETE from {$dbprefix}users_apisessions |
||
92 | where token='$token'"); |
||
93 | } |
||
94 | |||
95 | /** |
||
96 | * Remove expired tokens |
||
97 | * |
||
98 | * @return bool |
||
99 | * @since 1.7.0 |
||
100 | */ |
||
101 | function remove_expired_user_tokens() { |
||
102 | $dbprefix = elgg_get_config('dbprefix'); |
||
103 | $time = time(); |
||
104 | |||
105 | return delete_data("DELETE from {$dbprefix}users_apisessions |
||
106 | where expires < $time"); |
||
107 | } |
||
108 | |||
109 | /** |
||
110 | * The auth.gettoken API. |
||
111 | * This API call lets a user log in, returning an authentication token which can be used |
||
112 | * to authenticate a user for a period of time. It is passed in future calls as the parameter |
||
113 | * auth_token. |
||
114 | * |
||
115 | * @param string $username Username |
||
116 | * @param string $password Clear text password |
||
117 | * |
||
118 | * @return string Token string or exception |
||
119 | * @throws SecurityException |
||
120 | * @access private |
||
121 | */ |
||
122 | function auth_gettoken($username, $password) { |
||
123 | // check if username is an email address |
||
124 | if (is_email_address($username)) { |
||
125 | $users = get_user_by_email($username); |
||
126 | |||
127 | // check if we have a unique user |
||
128 | if (is_array($users) && (count($users) == 1)) { |
||
129 | $username = $users[0]->username; |
||
130 | } |
||
131 | } |
||
132 | |||
133 | // validate username and password |
||
134 | if (true === elgg_authenticate($username, $password)) { |
||
135 | $token = create_user_token($username); |
||
136 | if ($token) { |
||
137 | return $token; |
||
138 | } |
||
139 | } |
||
140 | |||
141 | throw new SecurityException(elgg_echo('SecurityException:authenticationfailed')); |
||
142 | } |
||
143 |