1
|
|
|
<?php |
2
|
|
|
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1; |
3
|
|
|
|
4
|
|
|
class Token Extends Base { |
5
|
|
|
protected $table = 'tokens'; |
6
|
|
|
|
7
|
|
|
/** |
8
|
|
|
* Return time token was created |
9
|
|
|
* @param id int Token ID |
10
|
|
|
* @param time string Creation timestamp |
11
|
|
|
**/ |
12
|
|
|
public function getCreationTime($token) { |
13
|
|
|
return $this->getSingle($token, 'time', 'token', 's'); |
14
|
|
|
} |
15
|
|
|
|
16
|
|
|
/** |
17
|
|
|
* Fetch a token from our table |
18
|
|
|
* @param name string Setting name |
19
|
|
|
* @return value string Value |
20
|
|
|
**/ |
21
|
|
|
public function getToken($strToken, $strType=NULL) { |
22
|
|
View Code Duplication |
if (empty($strType) || ! $iToken_id = $this->tokentype->getTypeId($strType)) { |
|
|
|
|
23
|
|
|
$this->setErrorMessage('Invalid token type: ' . $strType); |
24
|
|
|
return false; |
|
|
|
|
25
|
|
|
} |
26
|
|
|
$stmt = $this->mysqli->prepare("SELECT * FROM $this->table WHERE token = ? LIMIT 1"); |
27
|
|
|
if ($stmt && $stmt->bind_param('s', $strToken) && $stmt->execute() && $result = $stmt->get_result()) |
28
|
|
|
return $result->fetch_assoc(); |
29
|
|
|
return $this->sqlError(); |
|
|
|
|
30
|
|
|
} |
31
|
|
|
|
32
|
|
|
/** |
33
|
|
|
* Check if a token we're passing in is completely valid |
34
|
|
|
* @param account_id int Account id of user |
35
|
|
|
* @param token string Token to check |
36
|
|
|
* @param type int Type of token |
37
|
|
|
* @param checkTimeExplicitly Check the token time for expiration; can cause issues w/ timezone & sync |
38
|
|
|
* @return int 0 or 1 |
39
|
|
|
*/ |
40
|
|
|
public function isTokenValid($account_id, $token, $type, $checkTimeExplicitly=false) { |
41
|
|
|
if (!is_int($account_id) || !is_int($type)) { |
42
|
|
|
$this->setErrorMessage("Invalid token"); |
43
|
|
|
return 0; |
44
|
|
|
} |
45
|
|
|
$expiretime = $this->tokentype->getExpiration($type); |
46
|
|
|
$ctimedata = new DateTime($this->getCreationTime($token)); |
47
|
|
|
$checktime = $ctimedata->getTimestamp() + $expiretime; |
48
|
|
|
$now = time(); |
49
|
|
|
if ($checktime >= $now && $checkTimeExplicitly || !$checkTimeExplicitly) { |
50
|
|
|
if ($checkTimeExplicitly) { |
51
|
|
|
$stmt = $this->mysqli->prepare("SELECT * FROM $this->table WHERE account_id = ? AND token = ? AND type = ? AND ? >= UNIX_TIMESTAMP() LIMIT 1"); |
52
|
|
|
$stmt->bind_param('isii', $account_id, $token, $type, $checktime); |
53
|
|
|
} else { |
54
|
|
|
$stmt = $this->mysqli->prepare("SELECT * FROM $this->table WHERE account_id = ? AND token = ? AND type = ? LIMIT 1"); |
55
|
|
|
$stmt->bind_param('isi', $account_id, $token, $type); |
56
|
|
|
} |
57
|
|
|
if ($stmt->execute()) |
58
|
|
|
$res = $stmt->get_result(); |
59
|
|
|
return $res->num_rows; |
|
|
|
|
60
|
|
|
return $this->sqlError(); |
|
|
|
|
61
|
|
|
} else { |
62
|
|
|
$this->setErrorMessage("Token has expired or is invalid"); |
63
|
|
|
return 0; |
64
|
|
|
} |
65
|
|
|
} |
66
|
|
|
|
67
|
|
|
/** |
68
|
|
|
* Check if a token of this type already exists for a given account_id |
69
|
|
|
* @param strType string Name of the type of token |
70
|
|
|
* @param account_id int Account id of user to check |
71
|
|
|
* @return mixed Number of rows on success, false on failure |
72
|
|
|
*/ |
73
|
|
|
public function doesTokenExist($strType=NULL, $account_id=NULL) { |
74
|
|
View Code Duplication |
if (!$iToken_id = $this->tokentype->getTypeId($strType)) { |
|
|
|
|
75
|
|
|
$this->setErrorMessage('Invalid token type: ' . $strType); |
76
|
|
|
return false; |
77
|
|
|
} |
78
|
|
|
$stmt = $this->mysqli->prepare("SELECT * FROM $this->table WHERE account_id = ? AND type = ? LIMIT 1"); |
79
|
|
|
if ($stmt && $stmt->bind_param('ii', $account_id, $iToken_id) && $stmt->execute()) |
80
|
|
|
return $stmt->get_result()->num_rows; |
81
|
|
|
return $this->sqlError(); |
82
|
|
|
} |
83
|
|
|
|
84
|
|
|
/** |
85
|
|
|
* Insert a new token |
86
|
|
|
* @param name string Name of the variable |
87
|
|
|
* @param value string Variable value |
88
|
|
|
* @return mixed Token string on success, false on failure |
89
|
|
|
**/ |
90
|
|
|
public function createToken($strType, $account_id=NULL) { |
91
|
|
View Code Duplication |
if (!$iToken_id = $this->tokentype->getTypeId($strType)) { |
|
|
|
|
92
|
|
|
$this->setErrorMessage('Invalid token type: ' . $strType); |
93
|
|
|
return false; |
94
|
|
|
} |
95
|
|
|
$strToken = bin2hex(openssl_random_pseudo_bytes(32)); |
96
|
|
|
$stmt = $this->mysqli->prepare(" |
97
|
|
|
INSERT INTO $this->table (token, type, account_id) |
98
|
|
|
VALUES (?, ?, ?) |
99
|
|
|
"); |
100
|
|
|
if ($stmt && $stmt->bind_param('sii', $strToken, $iToken_id, $account_id) && $stmt->execute()) |
101
|
|
|
return $strToken; |
102
|
|
|
return $this->sqlError(); |
103
|
|
|
} |
104
|
|
|
|
105
|
|
|
/** |
106
|
|
|
* Delete a used token |
107
|
|
|
* @param token string Token name |
108
|
|
|
* @return bool |
109
|
|
|
**/ |
110
|
|
|
public function deleteToken($token) { |
111
|
|
|
$stmt = $this->mysqli->prepare("DELETE FROM $this->table WHERE token = ? LIMIT 1"); |
112
|
|
|
if ($stmt && $stmt->bind_param('s', $token) && $stmt->execute()) |
113
|
|
|
return true; |
114
|
|
|
return $this->sqlError(); |
115
|
|
|
} |
116
|
|
|
|
117
|
|
|
/** |
118
|
|
|
* Cleanup token table of expired tokens |
119
|
|
|
* @param none |
120
|
|
|
* @return bool |
121
|
|
|
**/ |
122
|
|
|
public function cleanupTokens() { |
123
|
|
|
// Get all tokens that have an expiration set |
124
|
|
|
if (!$aTokenTypes = $this->tokentype->getAllExpirations()) { |
125
|
|
|
// Verbose error for crons since this should not happen |
126
|
|
|
$this->setCronMessage('Failed to fetch tokens with expiration times: ' . $this->tokentype->getCronError()); |
127
|
|
|
return false; |
128
|
|
|
} |
129
|
|
|
|
130
|
|
|
$failed = $this->deleted = 0; |
|
|
|
|
131
|
|
|
foreach ($aTokenTypes as $aTokenType) { |
132
|
|
|
$stmt = $this->mysqli->prepare("DELETE FROM $this->table WHERE (NOW() - time) > ? AND type = ?"); |
133
|
|
View Code Duplication |
if (! ($this->checkStmt($stmt) && $stmt->bind_param('ii', $aTokenType['expiration'], $aTokenType['id']) && $stmt->execute())) { |
|
|
|
|
134
|
|
|
$failed++; |
135
|
|
|
} else { |
136
|
|
|
$this->deleted += $stmt->affected_rows; |
137
|
|
|
} |
138
|
|
|
} |
139
|
|
View Code Duplication |
if ($failed > 0) { |
|
|
|
|
140
|
|
|
$this->setCronMessage('Failed to delete ' . $failed . ' token types from ' . $this->table . ' table'); |
141
|
|
|
return false; |
142
|
|
|
} |
143
|
|
|
return true; |
144
|
|
|
} |
145
|
|
|
} |
146
|
|
|
|
147
|
|
|
$oToken = new Token(); |
148
|
|
|
$oToken->setDebug($debug); |
149
|
|
|
$oToken->setMysql($mysqli); |
150
|
|
|
$oToken->setTokenType($tokentype); |
151
|
|
|
$oToken->setErrorCodes($aErrorCodes); |
152
|
|
|
|
In PHP it is possible to write to properties without declaring them. For example, the following is perfectly valid PHP code:
Generally, it is a good practice to explictly declare properties to avoid accidental typos and provide IDE auto-completion: