ci-bonfire / Sprint

myth/Api/Auth/APIAuthentication.php

Indentation +3 added lines, -3 removed lines

@@ -74,7 +74,7 @@ 
 	 */
 	public function setRealm($realm)
 	{
-	    $this->realm = $realm;
+		$this->realm = $realm;
 		return $this;
 	}
 
@@ -116,7 +116,7 @@ 
 			'password'  => $password
 		];
 
-	    $user = $this->validate($data, true);
+		$user = $this->validate($data, true);
 
 		$this->user = $user;
 
@@ -272,7 +272,7 @@ 
 	 */
 	public function checkIPBlacklist()
 	{
-	    $blacklist = explode(',', config_item('api.ip_blacklist'));
+		$blacklist = explode(',', config_item('api.ip_blacklist'));
 
 		array_walk($blacklist, function (&$item, $key) {
 			$item = trim($item);

Spacing +22 added lines, -22 removed lines

@@ -46,7 +46,7 @@ 
 
 	//--------------------------------------------------------------------
 
-	public function __construct($ci=null)
+	public function __construct($ci = null)
 	{
 		parent::__construct($ci);
 
@@ -112,7 +112,7 @@ 
 		// so request authorization by the client.
 		if (empty($username) || empty($password))
 		{
-			$this->ci->output->set_header('WWW-Authenticate: Basic realm="'. config_item('api.realm') .'"');
+			$this->ci->output->set_header('WWW-Authenticate: Basic realm="'.config_item('api.realm').'"');
 			return false;
 		}
 
@@ -162,7 +162,7 @@ 
 		// No digest string? Then you're done. Go home.
 		if (empty($digest_string))
 		{
-			$this->ci->output->set_header( sprintf('WWW-Authenticate: Digest realm="%s", nonce="%s", opaque="%s"', config_item('api.realm'), $nonce, $opaque) );
+			$this->ci->output->set_header(sprintf('WWW-Authenticate: Digest realm="%s", nonce="%s", opaque="%s"', config_item('api.realm'), $nonce, $opaque));
 			return false;
 		}
 
@@ -172,18 +172,18 @@ 
 		preg_match_all('@(username|nonce|uri|nc|cnonce|qop|response)=[\'"]?([^\'",]+)@', $digest_string, $matches);
 		$digest = (empty($matches[1]) || empty($matches[2])) ? array() : array_combine($matches[1], $matches[2]);
 
-		if (! array_key_exists('username', $digest))
+		if ( ! array_key_exists('username', $digest))
 		{
-			$this->ci->output->set_header( sprintf('WWW-Authenticate: Digest realm="%s", nonce="%s", opaque="%s"', config_item('api.realm'), $nonce, $opaque) );
+			$this->ci->output->set_header(sprintf('WWW-Authenticate: Digest realm="%s", nonce="%s", opaque="%s"', config_item('api.realm'), $nonce, $opaque));
 			return false;
 		}
 
 		// Grab the user that corresponds to that "username"
 		// exact field determined in the api config file - api.auth_field setting.
-		$user = $this->user_model->as_array()->find_by( config_item('api.auth_field'), $digest['username'] );
-		if (!  $user)
+		$user = $this->user_model->as_array()->find_by(config_item('api.auth_field'), $digest['username']);
+		if ( ! $user)
 		{
-			$this->ci->output->set_header( sprintf('WWW-Authenticate: Digest realm="%s", nonce="%s", opaque="%s"', config_item('api.realm'), $nonce, $opaque) );          
+			$this->ci->output->set_header(sprintf('WWW-Authenticate: Digest realm="%s", nonce="%s", opaque="%s"', config_item('api.realm'), $nonce, $opaque));          
             $this->ci->login_model->recordLoginAttempt($_SERVER['REMOTE_ADDR']);
 			return false;
 		}
@@ -193,16 +193,16 @@ 
 
 		if ($digest['qop'] == 'auth')
 		{
-			$A2 = md5( strtoupper( $_SERVER['REQUEST_METHOD'] ) .':'. $digest['uri'] );
+			$A2 = md5(strtoupper($_SERVER['REQUEST_METHOD']).':'.$digest['uri']);
 		} else {
 			$body = file_get_contents('php://input');
-			$A2 = md5( strtoupper( $_SERVER['REQUEST_METHOD'] ) .':'. $digest['uri'] .':'. md5($body) );
+			$A2 = md5(strtoupper($_SERVER['REQUEST_METHOD']).':'.$digest['uri'].':'.md5($body));
 		}
-		$valid_response = md5($A1 .':'. $digest['nonce'].':'. $digest['nc'] .':'. $digest['cnonce'] .':'. $digest['qop'] .':'. $A2);
+		$valid_response = md5($A1.':'.$digest['nonce'].':'.$digest['nc'].':'.$digest['cnonce'].':'.$digest['qop'].':'.$A2);
 
 		if ($digest['response'] != $valid_response)
 		{
-			$this->ci->output->set_header( sprintf('WWW-Authenticate: Digest realm="%s", nonce="%s", opaque="%s"', config_item('api.realm'), $nonce, $opaque) );
+			$this->ci->output->set_header(sprintf('WWW-Authenticate: Digest realm="%s", nonce="%s", opaque="%s"', config_item('api.realm'), $nonce, $opaque));
 			$this->ci->login_model->recordLoginAttempt($_SERVER['REMOTE_ADDR'], $user['id']);
 			return false;
 		}
@@ -247,13 +247,13 @@ 
 
 		// If throttling time is above zero, we can't allow
 		// logins now.
-		if ($time = (int)$this->isThrottled($user) > 0)
+		if ($time = (int) $this->isThrottled($user) > 0)
 		{
 			$this->error = sprintf(lang('api.throttled'), $time);
 			return false;
 		}
 
-		if (! $user)
+		if ( ! $user)
 		{
 			$this->user = null;
 			return $user;
@@ -281,13 +281,13 @@ 
 	{
 	    $blacklist = explode(',', config_item('api.ip_blacklist'));
 
-		array_walk($blacklist, function (&$item, $key) {
+		array_walk($blacklist, function(&$item, $key) {
 			$item = trim($item);
 		});
 
 		if (in_array($this->ci->input->ip_address(), $blacklist))
 		{
-			throw new \Exception( lang('api.ip_denied'), 401);
+			throw new \Exception(lang('api.ip_denied'), 401);
 		}
 
 		return true;
@@ -306,13 +306,13 @@ 
 
 		array_push($whitelist, '127.0.0.1', '0.0.0.0');
 
-		array_walk($whitelist, function (&$item, $key) {
+		array_walk($whitelist, function(&$item, $key) {
 			$item = trim($item);
 		});
 
-		if (! in_array($this->ci->input->ip_address(), $whitelist))
+		if ( ! in_array($this->ci->input->ip_address(), $whitelist))
 		{
-			throw new \Exception( lang('api.ip_denied'), 401);
+			throw new \Exception(lang('api.ip_denied'), 401);
 		}
 
 		return true;
@@ -369,9 +369,9 @@ 
 	 *
 	 * @return bool|mixed|void
 	 */
-	public function login($credentials, $remember=false)
+	public function login($credentials, $remember = false)
 	{
-		throw new \BadMethodCallException( lang('api.unused_method') );
+		throw new \BadMethodCallException(lang('api.unused_method'));
 	}
 
 	//--------------------------------------------------------------------
@@ -386,7 +386,7 @@ 
 	 */
 	public function logout()
 	{
-		throw new \BadMethodCallException( lang('api.unused_method') );
+		throw new \BadMethodCallException(lang('api.unused_method'));
 	}
 
 	//--------------------------------------------------------------------

myth/Auth/LocalAuthentication.php

Spacing +59 added lines, -59 removed lines

@@ -62,21 +62,21 @@ 
 
     //--------------------------------------------------------------------
 
-    public function __construct( $ci=null )
+    public function __construct($ci = null)
     {
         if ($ci)
         {
-            $this->ci= $ci;
+            $this->ci = $ci;
         }
         else
         {
-            $this->ci =& get_instance();
+            $this->ci = & get_instance();
         }
 
         // Get our compatibility password file loaded up.
-        if (! function_exists('password_hash'))
+        if ( ! function_exists('password_hash'))
         {
-            require_once dirname(__FILE__) .'password.php';
+            require_once dirname(__FILE__).'password.php';
         }
 
         if (empty($this->ci->session))
@@ -101,7 +101,7 @@ 
      * @param bool  $remember
      * @return bool|mixed
      */
-    public function login($credentials, $remember=false)
+    public function login($credentials, $remember = false)
     {
         $user = $this->validate($credentials, true);
 
@@ -112,14 +112,14 @@ 
 
         // If throttling time is above zero, we can't allow
         // logins now.
-        $time = (int)$this->isThrottled($user);
+        $time = (int) $this->isThrottled($user);
         if ($time > 0)
         {
             $this->error = sprintf(lang('auth.throttled'), $time);
             return false;
         }
 
-        if (! $user)
+        if ( ! $user)
         {
         	if (empty($this->error))
             {
@@ -154,14 +154,14 @@ 
      * @param bool $return_user
      * @return mixed
      */
-    public function validate($credentials, $return_user=false)
+    public function validate($credentials, $return_user = false)
     {
         // Get ip address
         $ip_address = $this->ci->input->server('REMOTE_ADDR');
 
         // We do not want to force case-sensitivity on things
         // like username and email for usability sake.
-        if (! empty($credentials['email']))
+        if ( ! empty($credentials['email']))
         {
             $credentials['email'] = strtolower($credentials['email']);
         }
@@ -186,7 +186,7 @@ 
         }
 
         // Ensure that the fields are allowed validation fields
-        if (! in_array(key($credentials), config_item('auth.valid_fields')) )
+        if ( ! in_array(key($credentials), config_item('auth.valid_fields')))
         {
             $this->error = lang('auth.invalid_credentials');
             $this->ci->login_model->recordLoginAttempt($ip_address);
@@ -198,7 +198,7 @@ 
                                  ->where($credentials)
                                  ->first();
 
-        if (! $user)
+        if ( ! $user)
         {
             $this->error = lang('auth.invalid_user');
             $this->ci->login_model->recordLoginAttempt($ip_address);
@@ -206,9 +206,9 @@ 
         }
 
         // Now, try matching the passwords.
-        $result =  password_verify($password, $user['password_hash']);
+        $result = password_verify($password, $user['password_hash']);
 
-        if (! $result)
+        if ( ! $result)
         {
             $this->error = lang('auth.invalid_password');
             $this->ci->login_model->recordLoginAttempt($ip_address, $user['id']);
@@ -219,7 +219,7 @@ 
         // This would be due to the hash algorithm or hash
         // cost changing since the last time that a user
         // logged in.
-        if (password_needs_rehash($user['password_hash'], PASSWORD_DEFAULT, ['cost' => config_item('auth.hash_cost')] ))
+        if (password_needs_rehash($user['password_hash'], PASSWORD_DEFAULT, ['cost' => config_item('auth.hash_cost')]))
         {
             $new_hash = Password::hashPassword($password);
             $this->user_model->skip_validation()
@@ -228,7 +228,7 @@ 
         }
 
         // Is the user active?
-        if (! $user['active'])
+        if ( ! $user['active'])
         {
             $this->error = lang('auth.inactive_account');
             return false;
@@ -248,7 +248,7 @@ 
     {
         $this->ci->load->helper('cookie');
 
-        if (! Events::trigger('beforeLogout', [$this->user]))
+        if ( ! Events::trigger('beforeLogout', [$this->user]))
         {
             return false;
         }
@@ -257,10 +257,10 @@ 
         // available for flash messages, etc.
         if (isset($_SESSION))
         {
-            foreach ( $_SESSION as $key => $value )
+            foreach ($_SESSION as $key => $value)
             {
-                $_SESSION[ $key ] = NULL;
-                unset( $_SESSION[ $key ] );
+                $_SESSION[$key] = NULL;
+                unset($_SESSION[$key]);
             }
         }
         // Also, regenerate the session ID for a touch of added safety.
@@ -286,7 +286,7 @@ 
     {
         $id = $this->ci->session->userdata('logged_in');
 
-        if (! $id)
+        if ( ! $id)
         {
             return false;
         }
@@ -294,10 +294,10 @@ 
         // If the user var hasn't been filled in, we need to fill it in,
         // since this method will typically be used as the only method
         // to determine whether a user is logged in or not.
-        if (! $this->user)
+        if ( ! $this->user)
         {
             $this->user = $this->user_model->as_array()
-                                           ->find_by('id', (int)$id);
+                                           ->find_by('id', (int) $id);
 
             if (empty($this->user))
             {
@@ -321,14 +321,14 @@ 
      */
     public function viaRemember()
     {
-        if (! config_item('auth.allow_remembering'))
+        if ( ! config_item('auth.allow_remembering'))
         {
             return false;
         }
 
         $this->ci->load->helper('cookie');
 
-        if (! $token = get_cookie('remember'))
+        if ( ! $token = get_cookie('remember'))
         {
             return false;
         }
@@ -337,7 +337,7 @@ 
         $query = $this->ci->db->where('hash', $this->ci->login_model->hashRememberToken($token))
                               ->get('auth_tokens');
 
-        if (! $query->num_rows())
+        if ( ! $query->num_rows())
         {
             return false;
         }
@@ -375,16 +375,16 @@ 
         // If via email, we need to generate a hash
         $this->ci->load->helper('string');
         $token = random_string('alnum', 24);
-        $user_data['activate_hash'] = hash('sha1', config_item('auth.salt') . $token);
+        $user_data['activate_hash'] = hash('sha1', config_item('auth.salt').$token);
 
         // Email should NOT be case sensitive.
-        if (! empty($user_data['email']))
+        if ( ! empty($user_data['email']))
         {
             $user_data['email'] = strtolower($user_data['email']);
         }
 
         // Save the user
-        if (! $id = $this->user_model->insert($user_data))
+        if ( ! $id = $this->user_model->insert($user_data))
         {
             $this->error = $this->user_model->error();
             return false;
@@ -415,25 +415,25 @@ 
     {
         $post = [
             'email'         => $data['email'],
-            'activate_hash' => hash('sha1', config_item('auth.salt') . $data['code'])
+            'activate_hash' => hash('sha1', config_item('auth.salt').$data['code'])
         ];
 
         $user = $this->user_model->where($post)
                                  ->first();
 
-        if (! $user) {
+        if ( ! $user) {
             $this->error = $this->user_model->error() ? $this->user_model->error() : lang('auth.activate_no_user');
 
             return false;
         }
 
-        if (! $this->user_model->update($user->id, ['active' => 1, 'activate_hash' => null]))
+        if ( ! $this->user_model->update($user->id, ['active' => 1, 'activate_hash' => null]))
         {
             $this->error = $this->user_model->error();
             return false;
         }
 
-        Events::trigger('didActivate', [(array)$user]);
+        Events::trigger('didActivate', [(array) $user]);
 
         return true;
     }
@@ -448,7 +448,7 @@ 
      */
     public function activateUserById($id)
     {
-        if (! $this->user_model->update($id, ['active' => 1, 'activate_hash' => null]))
+        if ( ! $this->user_model->update($id, ['active' => 1, 'activate_hash' => null]))
         {
             $this->error = $this->user_model->error();
             return false;
@@ -480,12 +480,12 @@ 
      */
     public function id()
     {
-        if (! is_array($this->user) || empty($this->user['id']))
+        if ( ! is_array($this->user) || empty($this->user['id']))
         {
             return null;
         }
 
-        return (int)$this->user['id'];
+        return (int) $this->user['id'];
     }
 
     //--------------------------------------------------------------------
@@ -502,7 +502,7 @@ 
     public function isThrottled($user)
     {
         // Not throttling? Get outta here!
-        if (! config_item('auth.allow_throttling'))
+        if ( ! config_item('auth.allow_throttling'))
         {
             return false;
         }
@@ -570,7 +570,7 @@ 
         {
             $this->error = lang('auth.bruteBan_notice');
 
-            $ban_time = 60 * 15;    // 15 minutes
+            $ban_time = 60 * 15; // 15 minutes
             $_SESSION['bruteBan'] = time() + $ban_time;
             return $ban_time;
         }
@@ -618,7 +618,7 @@ 
         // Is it a valid user?
         $user = $this->user_model->find_by('email', $email);
 
-        if (! $user)
+        if ( ! $user)
         {
             $this->error = lang('auth.invalid_email');
             return false;
@@ -627,17 +627,17 @@ 
         // Generate/store our codes
         $this->ci->load->helper('string');
         $token = random_string('alnum', 24);
-        $hash = hash('sha1', config_item('auth.salt') .$token);
+        $hash = hash('sha1', config_item('auth.salt').$token);
 
         $result = $this->user_model->update($user->id, ['reset_hash' => $hash]);
 
-        if (! $result)
+        if ( ! $result)
         {
             $this->error = $this->user_model->error();
             return false;
         }
 
-        Events::trigger('didRemindUser', [(array)$user, $token]);
+        Events::trigger('didRemindUser', [(array) $user, $token]);
 
         return true;
     }
@@ -664,10 +664,10 @@ 
         }
 
         // Generate a hash to match against the table.
-        $credentials['reset_hash'] = hash('sha1', config_item('auth.salt') .$credentials['code']);
+        $credentials['reset_hash'] = hash('sha1', config_item('auth.salt').$credentials['code']);
         unset($credentials['code']);
 
-        if (! empty($credentials['email']))
+        if ( ! empty($credentials['email']))
         {
             $credentials['email'] = strtolower($credentials['email']);
         }
@@ -675,7 +675,7 @@ 
         // Is there a matching user?
         $user = $this->user_model->find_by($credentials);
 
-        if (! $user)
+        if ( ! $user)
         {
             $this->error = lang('auth.reset_no_user');
             return false;
@@ -688,13 +688,13 @@ 
             'reset_hash'   => null
         ];
 
-        if (! $this->user_model->update($user->id, $data))
+        if ( ! $this->user_model->update($user->id, $data))
         {
             $this->error = $this->user_model->error();
             return false;
         }
 
-        Events::trigger('didResetPassword', [(array)$user]);
+        Events::trigger('didResetPassword', [(array) $user]);
 
         return true;
     }
@@ -710,7 +710,7 @@ 
      * @param null $message
      * @return mixed
      */
-    public function changeStatus($newStatus, $message=null)
+    public function changeStatus($newStatus, $message = null)
     {
         // todo actually record new users status!
     }
@@ -727,14 +727,14 @@ 
      * @param bool $allow_any_parent
      * @return mixed
      */
-    public function useModel($model, $allow_any_parent=false)
+    public function useModel($model, $allow_any_parent = false)
     {
-        if (! $allow_any_parent && get_parent_class($model) != 'Myth\Models\CIDbModel')
+        if ( ! $allow_any_parent && get_parent_class($model) != 'Myth\Models\CIDbModel')
         {
             throw new \RuntimeException('Models passed into LocalAuthenticate MUST extend Myth\Models\CIDbModel');
         }
 
-        $this->user_model =& $model;
+        $this->user_model = & $model;
 
         return $this;
     }
@@ -806,7 +806,7 @@ 
      */
     protected function rememberUser($user)
     {
-        if (! config_item('auth.allow_remembering'))
+        if ( ! config_item('auth.allow_remembering'))
         {
             log_message('debug', 'Auth library set to refuse "Remember Me" functionality.');
             return false;
@@ -825,13 +825,13 @@ 
      * @param null $token
      * @return mixed
      */
-    protected function refreshRememberCookie($user, $token=null)
+    protected function refreshRememberCookie($user, $token = null)
     {
         $this->ci->load->helper('cookie');
 
         // If a token is passed in, we know we're removing the
         // old one.
-        if (! empty($token))
+        if ( ! empty($token))
         {
             $this->invalidateRememberCookie($user['email'], $token);
         }
@@ -841,7 +841,7 @@ 
         // Save the token to the database.
         $data = [
             'email'   => $user['email'],
-            'hash'    => sha1(config_item('auth.salt') . $new_token),
+            'hash'    => sha1(config_item('auth.salt').$new_token),
             'created' => date('Y-m-d H:i:s')
         ];
 
@@ -849,13 +849,13 @@ 
 
         // Create the cookie
         set_cookie(
-            'remember',                             // Cookie Name
-            $new_token,                             // Value
-            config_item('auth.remember_length'),    // # Seconds until it expires
+            'remember', // Cookie Name
+            $new_token, // Value
+            config_item('auth.remember_length'), // # Seconds until it expires
             config_item('cookie_domain'),
             config_item('cookie_path'),
             config_item('cookie_prefix'),
-            false,                                  // Only send over HTTPS?
+            false, // Only send over HTTPS?
             true                                    // Hide from Javascript?
         );
 

Indentation +894 added lines, -894 removed lines

@@ -52,901 +52,901 @@
  */
 class LocalAuthentication implements AuthenticateInterface {
 
-    protected $ci;
-
-    protected $user = null;
-
-    public $user_model = null;
-
-    public $error = null;
-
-    //--------------------------------------------------------------------
-
-    public function __construct( $ci=null )
-    {
-        if ($ci)
-        {
-            $this->ci= $ci;
-        }
-        else
-        {
-            $this->ci =& get_instance();
-        }
-
-        // Get our compatibility password file loaded up.
-        if (! function_exists('password_hash'))
-        {
-            require_once dirname(__FILE__) .'password.php';
-        }
-
-        if (empty($this->ci->session))
-        {
-            $this->ci->load->library('session');
-        }
-
-        $this->ci->config->load('auth');
-        $this->ci->load->model('auth/login_model');
-        $this->ci->load->language('auth/auth');
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Attempt to log a user into the system.
-     *
-     * $credentials is an array of key/value pairs needed to log the user in.
-     * This is often email/password, or username/password.
-     *
-     * @param array $credentials
-     * @param bool  $remember
-     * @return bool|mixed
-     */
-    public function login($credentials, $remember=false)
-    {
-        $user = $this->validate($credentials, true);
-
-        // If the user is throttled due to too many invalid logins
-        // or the system is under attack, kick them back.
-        // We need to test for this after validation because we
-        // don't want it to affect a valid login.
-
-        // If throttling time is above zero, we can't allow
-        // logins now.
-        $time = (int)$this->isThrottled($user);
-        if ($time > 0)
-        {
-            $this->error = sprintf(lang('auth.throttled'), $time);
-            return false;
-        }
-
-        if (! $user)
-        {
-            if (empty($this->error))
-            {
-                // We need to set an error if there is no one
-                $this->error = lang('auth.invalid_user');
-            }
-            $this->user = null;
-            return $user;
-        }       
-
-        $this->loginUser($user);
-
-        if ($remember)
-        {
-            $this->rememberUser($user);
-        }
-
-        Events::trigger('didLogin', [$user]);
-
-        return true;
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Validates user login information without logging them in.
-     *
-     * $credentials is an array of key/value pairs needed to log the user in.
-     * This is often email/password, or username/password.
-     *
-     * @param $credentials
-     * @param bool $return_user
-     * @return mixed
-     */
-    public function validate($credentials, $return_user=false)
-    {
-        // Get ip address
-        $ip_address = $this->ci->input->ip_address();
-
-        // We do not want to force case-sensitivity on things
-        // like username and email for usability sake.
-        if (! empty($credentials['email']))
-        {
-            $credentials['email'] = strtolower($credentials['email']);
-        }
-
-        // Can't validate without a password.
-        if (empty($credentials['password']) || count($credentials) < 2)
-        {
-            $this->ci->login_model->recordLoginAttempt($ip_address);
-            return null;
-        }
-
-        $password = $credentials['password'];
-        unset($credentials['password']);
-
-        // We should only be allowed 1 single other credential to
-        // test against.
-        if (count($credentials) > 1)
-        {
-            $this->error = lang('auth.too_many_credentials');
-            $this->ci->login_model->recordLoginAttempt($ip_address);
-            return false;
-        }
-
-        // Ensure that the fields are allowed validation fields
-        if (! in_array(key($credentials), config_item('auth.valid_fields')) )
-        {
-            $this->error = lang('auth.invalid_credentials');
-            $this->ci->login_model->recordLoginAttempt($ip_address);
-            return false;
-        }
-
-        // Can we find a user with those credentials?
-        $user = $this->user_model->as_array()
-                                 ->where($credentials)
-                                 ->first();
-
-        if (! $user)
-        {
-            $this->error = lang('auth.invalid_user');
-            $this->ci->login_model->recordLoginAttempt($ip_address);
-            return false;
-        }
-
-        // Now, try matching the passwords.
-        $result =  password_verify($password, $user['password_hash']);
-
-        if (! $result)
-        {
-            $this->error = lang('auth.invalid_password');
-            $this->ci->login_model->recordLoginAttempt($ip_address, $user['id']);
-            return false;
-        }
-
-        // Check to see if the password needs to be rehashed.
-        // This would be due to the hash algorithm or hash
-        // cost changing since the last time that a user
-        // logged in.
-        if (password_needs_rehash($user['password_hash'], PASSWORD_DEFAULT, ['cost' => config_item('auth.hash_cost')] ))
-        {
-            $new_hash = Password::hashPassword($password);
-            $this->user_model->skip_validation()
-                             ->update($user['id'], ['password_hash' => $new_hash]);
-            unset($new_hash);
-        }
-
-        // Is the user active?
-        if (! $user['active'])
-        {
-            $this->error = lang('auth.inactive_account');
-            return false;
-        }
-
-        return $return_user ? $user : true;
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Logs a user out and removes all session information.
-     *
-     * @return mixed
-     */
-    public function logout()
-    {
-        $this->ci->load->helper('cookie');
-
-        if (! Events::trigger('beforeLogout', [$this->user]))
-        {
-            return false;
-        }
-
-        // Destroy the session data - but ensure a session is still
-        // available for flash messages, etc.
-        if (isset($_SESSION))
-        {
-            foreach ( $_SESSION as $key => $value )
-            {
-                $_SESSION[ $key ] = NULL;
-                unset( $_SESSION[ $key ] );
-            }
-        }
-        // Also, regenerate the session ID for a touch of added safety.
-        $this->ci->session->sess_regenerate(true);
-
-        // Take care of any rememberme functionality.
-        if (config_item('auth.allow_remembering'))
-        {
-            $token = get_cookie('remember');
-
-            $this->invalidateRememberCookie($this->user['email'], $token);
-        }
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Checks whether a user is logged in or not.
-     *
-     * @return bool
-     */
-    public function isLoggedIn()
-    {
-        $id = $this->ci->session->userdata('logged_in');
-
-        if (! $id)
-        {
-            return false;
-        }
-
-        // If the user var hasn't been filled in, we need to fill it in,
-        // since this method will typically be used as the only method
-        // to determine whether a user is logged in or not.
-        if (! $this->user)
-        {
-            $this->user = $this->user_model->as_array()
-                                           ->find_by('id', (int)$id);
-
-            if (empty($this->user))
-            {
-                return false;
-            }
-        }
-
-        // If logged in, ensure cache control
-        // headers are in place
-        $this->setHeaders();
-
-        return true;
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Attempts to log a user in based on the "remember me" cookie.
-     *
-     * @return bool
-     */
-    public function viaRemember()
-    {
-        if (! config_item('auth.allow_remembering'))
-        {
-            return false;
-        }
-
-        $this->ci->load->helper('cookie');
-
-        if (! $token = get_cookie('remember'))
-        {
-            return false;
-        }
-
-        // Attempt to match the token against our auth_tokens table.
-        $query = $this->ci->db->where('hash', $this->ci->login_model->hashRememberToken($token))
-                              ->get('auth_tokens');
-
-        if (! $query->num_rows())
-        {
-            return false;
-        }
-
-        // Grab the user
-        $email = $query->row()->email;
-
-        $user = $this->user_model->as_array()
-                                 ->find_by('email', $email);
-
-        $this->loginUser($user);
-
-        // We only want our remember me tokens to be valid
-        // for a single use.
-        $this->refreshRememberCookie($user, $token);
-
-        return true;
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Registers a new user and handles activation method.
-     *
-     * @param $user_data
-     * @return bool
-     */
-    public function registerUser($user_data)
-    {
-        // Anything special needed for Activation?
-        $method = config_item('auth.activation_method');
-
-        $user_data['active'] = $method == 'auto' ? 1 : 0;
-
-        // If via email, we need to generate a hash
-        $this->ci->load->helper('string');
-        $token = random_string('alnum', 24);
-        $user_data['activate_hash'] = hash('sha1', config_item('auth.salt') . $token);
-
-        // Email should NOT be case sensitive.
-        if (! empty($user_data['email']))
-        {
-            $user_data['email'] = strtolower($user_data['email']);
-        }
-
-        // Save the user
-        if (! $id = $this->user_model->insert($user_data))
-        {
-            $this->error = $this->user_model->error();
-            return false;
-        }
-
-        $data = [
-            'user_id' => $id,
-            'email'   => $user_data['email'],
-            'token'   => $token,
-            'method'  => $method
-        ];
-
-        Events::trigger('didRegisterUser', [$data]);
-
-        return true;
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Used to verify the user values and activate a user so they can
-     * visit the site.
-     *
-     * @param $data
-     * @return bool
-     */
-    public function activateUser($data)
-    {
-        $post = [
-            'email'         => $data['email'],
-            'activate_hash' => hash('sha1', config_item('auth.salt') . $data['code'])
-        ];
-
-        $user = $this->user_model->where($post)
-                                 ->first();
-
-        if (! $user) {
-            $this->error = $this->user_model->error() ? $this->user_model->error() : lang('auth.activate_no_user');
-
-            return false;
-        }
-
-        if (! $this->user_model->update($user->id, ['active' => 1, 'activate_hash' => null]))
-        {
-            $this->error = $this->user_model->error();
-            return false;
-        }
-
-        Events::trigger('didActivate', [(array)$user]);
-
-        return true;
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Used to allow manual activation of a user with a known ID.
-     *
-     * @param $id
-     * @return bool
-     */
-    public function activateUserById($id)
-    {
-        if (! $this->user_model->update($id, ['active' => 1, 'activate_hash' => null]))
-        {
-            $this->error = $this->user_model->error();
-            return false;
-        }
-
-        Events::trigger('didActivate', [$this->user_model->as_array()->find($id)]);
-
-        return true;
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Grabs the current user object. Returns NULL if nothing found.
-     *
-     * @return array|null
-     */
-    public function user()
-    {
-        return $this->user;
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * A convenience method to grab the current user's ID.
-     *
-     * @return int|null
-     */
-    public function id()
-    {
-        if (! is_array($this->user) || empty($this->user['id']))
-        {
-            return null;
-        }
-
-        return (int)$this->user['id'];
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Checks to see if the user is currently being throttled.
-     *
-     *  - If they are NOT, will return FALSE.
-     *  - If they ARE, will return the number of seconds until they can try again.
-     *
-     * @param $email
-     * @return mixed
-     */
-    public function isThrottled($user)
-    {
-        // Not throttling? Get outta here!
-        if (! config_item('auth.allow_throttling'))
-        {
-            return false;
-        }
-
-        // Get user_id
-        $user_id = $user ? $user['id'] : null;
+	protected $ci;
+
+	protected $user = null;
+
+	public $user_model = null;
+
+	public $error = null;
+
+	//--------------------------------------------------------------------
+
+	public function __construct( $ci=null )
+	{
+		if ($ci)
+		{
+			$this->ci= $ci;
+		}
+		else
+		{
+			$this->ci =& get_instance();
+		}
+
+		// Get our compatibility password file loaded up.
+		if (! function_exists('password_hash'))
+		{
+			require_once dirname(__FILE__) .'password.php';
+		}
+
+		if (empty($this->ci->session))
+		{
+			$this->ci->load->library('session');
+		}
+
+		$this->ci->config->load('auth');
+		$this->ci->load->model('auth/login_model');
+		$this->ci->load->language('auth/auth');
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Attempt to log a user into the system.
+	 *
+	 * $credentials is an array of key/value pairs needed to log the user in.
+	 * This is often email/password, or username/password.
+	 *
+	 * @param array $credentials
+	 * @param bool  $remember
+	 * @return bool|mixed
+	 */
+	public function login($credentials, $remember=false)
+	{
+		$user = $this->validate($credentials, true);
+
+		// If the user is throttled due to too many invalid logins
+		// or the system is under attack, kick them back.
+		// We need to test for this after validation because we
+		// don't want it to affect a valid login.
+
+		// If throttling time is above zero, we can't allow
+		// logins now.
+		$time = (int)$this->isThrottled($user);
+		if ($time > 0)
+		{
+			$this->error = sprintf(lang('auth.throttled'), $time);
+			return false;
+		}
+
+		if (! $user)
+		{
+			if (empty($this->error))
+			{
+				// We need to set an error if there is no one
+				$this->error = lang('auth.invalid_user');
+			}
+			$this->user = null;
+			return $user;
+		}       
+
+		$this->loginUser($user);
+
+		if ($remember)
+		{
+			$this->rememberUser($user);
+		}
+
+		Events::trigger('didLogin', [$user]);
+
+		return true;
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Validates user login information without logging them in.
+	 *
+	 * $credentials is an array of key/value pairs needed to log the user in.
+	 * This is often email/password, or username/password.
+	 *
+	 * @param $credentials
+	 * @param bool $return_user
+	 * @return mixed
+	 */
+	public function validate($credentials, $return_user=false)
+	{
+		// Get ip address
+		$ip_address = $this->ci->input->ip_address();
+
+		// We do not want to force case-sensitivity on things
+		// like username and email for usability sake.
+		if (! empty($credentials['email']))
+		{
+			$credentials['email'] = strtolower($credentials['email']);
+		}
+
+		// Can't validate without a password.
+		if (empty($credentials['password']) || count($credentials) < 2)
+		{
+			$this->ci->login_model->recordLoginAttempt($ip_address);
+			return null;
+		}
+
+		$password = $credentials['password'];
+		unset($credentials['password']);
+
+		// We should only be allowed 1 single other credential to
+		// test against.
+		if (count($credentials) > 1)
+		{
+			$this->error = lang('auth.too_many_credentials');
+			$this->ci->login_model->recordLoginAttempt($ip_address);
+			return false;
+		}
+
+		// Ensure that the fields are allowed validation fields
+		if (! in_array(key($credentials), config_item('auth.valid_fields')) )
+		{
+			$this->error = lang('auth.invalid_credentials');
+			$this->ci->login_model->recordLoginAttempt($ip_address);
+			return false;
+		}
+
+		// Can we find a user with those credentials?
+		$user = $this->user_model->as_array()
+								 ->where($credentials)
+								 ->first();
+
+		if (! $user)
+		{
+			$this->error = lang('auth.invalid_user');
+			$this->ci->login_model->recordLoginAttempt($ip_address);
+			return false;
+		}
+
+		// Now, try matching the passwords.
+		$result =  password_verify($password, $user['password_hash']);
+
+		if (! $result)
+		{
+			$this->error = lang('auth.invalid_password');
+			$this->ci->login_model->recordLoginAttempt($ip_address, $user['id']);
+			return false;
+		}
+
+		// Check to see if the password needs to be rehashed.
+		// This would be due to the hash algorithm or hash
+		// cost changing since the last time that a user
+		// logged in.
+		if (password_needs_rehash($user['password_hash'], PASSWORD_DEFAULT, ['cost' => config_item('auth.hash_cost')] ))
+		{
+			$new_hash = Password::hashPassword($password);
+			$this->user_model->skip_validation()
+							 ->update($user['id'], ['password_hash' => $new_hash]);
+			unset($new_hash);
+		}
+
+		// Is the user active?
+		if (! $user['active'])
+		{
+			$this->error = lang('auth.inactive_account');
+			return false;
+		}
+
+		return $return_user ? $user : true;
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Logs a user out and removes all session information.
+	 *
+	 * @return mixed
+	 */
+	public function logout()
+	{
+		$this->ci->load->helper('cookie');
+
+		if (! Events::trigger('beforeLogout', [$this->user]))
+		{
+			return false;
+		}
+
+		// Destroy the session data - but ensure a session is still
+		// available for flash messages, etc.
+		if (isset($_SESSION))
+		{
+			foreach ( $_SESSION as $key => $value )
+			{
+				$_SESSION[ $key ] = NULL;
+				unset( $_SESSION[ $key ] );
+			}
+		}
+		// Also, regenerate the session ID for a touch of added safety.
+		$this->ci->session->sess_regenerate(true);
+
+		// Take care of any rememberme functionality.
+		if (config_item('auth.allow_remembering'))
+		{
+			$token = get_cookie('remember');
+
+			$this->invalidateRememberCookie($this->user['email'], $token);
+		}
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Checks whether a user is logged in or not.
+	 *
+	 * @return bool
+	 */
+	public function isLoggedIn()
+	{
+		$id = $this->ci->session->userdata('logged_in');
+
+		if (! $id)
+		{
+			return false;
+		}
+
+		// If the user var hasn't been filled in, we need to fill it in,
+		// since this method will typically be used as the only method
+		// to determine whether a user is logged in or not.
+		if (! $this->user)
+		{
+			$this->user = $this->user_model->as_array()
+										   ->find_by('id', (int)$id);
+
+			if (empty($this->user))
+			{
+				return false;
+			}
+		}
+
+		// If logged in, ensure cache control
+		// headers are in place
+		$this->setHeaders();
+
+		return true;
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Attempts to log a user in based on the "remember me" cookie.
+	 *
+	 * @return bool
+	 */
+	public function viaRemember()
+	{
+		if (! config_item('auth.allow_remembering'))
+		{
+			return false;
+		}
+
+		$this->ci->load->helper('cookie');
+
+		if (! $token = get_cookie('remember'))
+		{
+			return false;
+		}
+
+		// Attempt to match the token against our auth_tokens table.
+		$query = $this->ci->db->where('hash', $this->ci->login_model->hashRememberToken($token))
+							  ->get('auth_tokens');
+
+		if (! $query->num_rows())
+		{
+			return false;
+		}
+
+		// Grab the user
+		$email = $query->row()->email;
+
+		$user = $this->user_model->as_array()
+								 ->find_by('email', $email);
+
+		$this->loginUser($user);
+
+		// We only want our remember me tokens to be valid
+		// for a single use.
+		$this->refreshRememberCookie($user, $token);
+
+		return true;
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Registers a new user and handles activation method.
+	 *
+	 * @param $user_data
+	 * @return bool
+	 */
+	public function registerUser($user_data)
+	{
+		// Anything special needed for Activation?
+		$method = config_item('auth.activation_method');
+
+		$user_data['active'] = $method == 'auto' ? 1 : 0;
+
+		// If via email, we need to generate a hash
+		$this->ci->load->helper('string');
+		$token = random_string('alnum', 24);
+		$user_data['activate_hash'] = hash('sha1', config_item('auth.salt') . $token);
+
+		// Email should NOT be case sensitive.
+		if (! empty($user_data['email']))
+		{
+			$user_data['email'] = strtolower($user_data['email']);
+		}
+
+		// Save the user
+		if (! $id = $this->user_model->insert($user_data))
+		{
+			$this->error = $this->user_model->error();
+			return false;
+		}
+
+		$data = [
+			'user_id' => $id,
+			'email'   => $user_data['email'],
+			'token'   => $token,
+			'method'  => $method
+		];
+
+		Events::trigger('didRegisterUser', [$data]);
+
+		return true;
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Used to verify the user values and activate a user so they can
+	 * visit the site.
+	 *
+	 * @param $data
+	 * @return bool
+	 */
+	public function activateUser($data)
+	{
+		$post = [
+			'email'         => $data['email'],
+			'activate_hash' => hash('sha1', config_item('auth.salt') . $data['code'])
+		];
+
+		$user = $this->user_model->where($post)
+								 ->first();
+
+		if (! $user) {
+			$this->error = $this->user_model->error() ? $this->user_model->error() : lang('auth.activate_no_user');
+
+			return false;
+		}
+
+		if (! $this->user_model->update($user->id, ['active' => 1, 'activate_hash' => null]))
+		{
+			$this->error = $this->user_model->error();
+			return false;
+		}
+
+		Events::trigger('didActivate', [(array)$user]);
+
+		return true;
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Used to allow manual activation of a user with a known ID.
+	 *
+	 * @param $id
+	 * @return bool
+	 */
+	public function activateUserById($id)
+	{
+		if (! $this->user_model->update($id, ['active' => 1, 'activate_hash' => null]))
+		{
+			$this->error = $this->user_model->error();
+			return false;
+		}
+
+		Events::trigger('didActivate', [$this->user_model->as_array()->find($id)]);
+
+		return true;
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Grabs the current user object. Returns NULL if nothing found.
+	 *
+	 * @return array|null
+	 */
+	public function user()
+	{
+		return $this->user;
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * A convenience method to grab the current user's ID.
+	 *
+	 * @return int|null
+	 */
+	public function id()
+	{
+		if (! is_array($this->user) || empty($this->user['id']))
+		{
+			return null;
+		}
+
+		return (int)$this->user['id'];
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Checks to see if the user is currently being throttled.
+	 *
+	 *  - If they are NOT, will return FALSE.
+	 *  - If they ARE, will return the number of seconds until they can try again.
+	 *
+	 * @param $email
+	 * @return mixed
+	 */
+	public function isThrottled($user)
+	{
+		// Not throttling? Get outta here!
+		if (! config_item('auth.allow_throttling'))
+		{
+			return false;
+		}
+
+		// Get user_id
+		$user_id = $user ? $user['id'] : null;
         
-        // Get ip address
-        $ip_address = $this->ci->input->ip_address();
-
-        // Have any attempts been made?
-        $attempts = $this->ci->login_model->countLoginAttempts($ip_address, $user_id);
-
-        // Grab the amount of time to add if the system thinks we're
-        // under a distributed brute force attack.
-        // Affect users that have at least 1 failure login attempt
-        $dbrute_time = ($attempts === 0) ? 0 : $this->ci->login_model->distributedBruteForceTime();
-
-        // If this user was found to possibly be under a brute
-        // force attack, their account would have been banned
-        // for 15 minutes.
-        if ($time = isset($_SESSION['bruteBan']) ? $_SESSION['bruteBan'] : false)
-        {
-            // If the current time is less than the
-            // the ban expiration, plus any distributed time
-            // then the user can't login just yet.
-            if ($time + $dbrute_time > time())
-            {
-                // The user is banned still...
-                $this->error = lang('auth.bruteBan_notice');
-                return ($time + $dbrute_time) - time();
-            }
-
-            // Still here? The the ban time is over...
-            unset($_SESSION['bruteBan']);
-        }
-
-        // Grab the time of last attempt and
-        // determine if we're throttled by amount of time passed.
-        $last_time = $this->ci->login_model->lastLoginAttemptTime($ip_address, $user_id);
-
-        $allowed = config_item('auth.allowed_login_attempts');
-
-        // We're not throttling if there are 0 attempts or
-        // the number is less than or equal to the allowed free attempts
-        if ($attempts === 0 || $attempts <= $allowed)
-        {
-            // Before we can say there's nothing up here,
-            // we need to check dbrute time.
-            $time_left = $last_time + $dbrute_time - time();
-
-            if ($time_left > 0)
-            {
-                return $time_left;
-            }
-
-            return false;
-        }
-
-        // If the number of attempts is excessive (above 100) we need
-        // to check the elapsed time of all of these attacks. If they are
-        // less than 1 minute it's obvious this is a brute force attack,
-        // so we'll set a session flag and block that user for 15 minutes.
-        if ($attempts > 100 && $this->ci->login_model->isBruteForced($ip_address, $user_id))
-        {
-            $this->error = lang('auth.bruteBan_notice');
-
-            $ban_time = 60 * 15;    // 15 minutes
-            $_SESSION['bruteBan'] = time() + $ban_time;
-            return $ban_time;
-        }
-
-        // Get our allowed attempts out of the picture.
-        $attempts = $attempts - $allowed;
-
-        $max_time = config_item('auth.max_throttle_time');
-
-        $add_time = 5 * pow(2, $attempts - 1);
-
-        if ($add_time > $max_time)
-        {
-            $add_time = $max_time;
-        }
-
-        $next_time = $last_time + $add_time + $dbrute_time;
-
-        $current = time();
-
-        // We are NOT throttled if we are already
-        // past the allowed time.
-        if ($current > $next_time)
-        {
-            return false;
-        }
-
-        return $next_time - $current;
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Sends a password reset link email to the user associated with
-     * the passed in $email.
-     *
-     * @param $email
-     * @return mixed
-     */
-    public function remindUser($email)
-    {
-        // Emails should NOT be case sensitive.
-        $email = strtolower($email);
-
-        // Is it a valid user?
-        $user = $this->user_model->find_by('email', $email);
-
-        if (! $user)
-        {
-            $this->error = lang('auth.invalid_email');
-            return false;
-        }
-
-        // Generate/store our codes
-        $this->ci->load->helper('string');
-        $token = random_string('alnum', 24);
-        $hash = hash('sha1', config_item('auth.salt') .$token);
-
-        $result = $this->user_model->update($user->id, ['reset_hash' => $hash]);
-
-        if (! $result)
-        {
-            $this->error = $this->user_model->error();
-            return false;
-        }
-
-        Events::trigger('didRemindUser', [(array)$user, $token]);
-
-        return true;
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Validates the credentials provided and, if valid, resets the password.
-     *
-     * The $credentials array MUST contain a 'code' key with the string to
-     * hash and check against the reset_hash.
-     *
-     * @param $credentials
-     * @param $password
-     * @param $passConfirm
-     * @return mixed
-     */
-    public function resetPassword($credentials, $password, $passConfirm)
-    {
-        if (empty($credentials['code']))
-        {
-            $this->error = lang('auth.need_reset_code');
-            return false;
-        }
-
-        // Generate a hash to match against the table.
-        $credentials['reset_hash'] = hash('sha1', config_item('auth.salt') .$credentials['code']);
-        unset($credentials['code']);
-
-        if (! empty($credentials['email']))
-        {
-            $credentials['email'] = strtolower($credentials['email']);
-        }
-
-        // Is there a matching user?
-        $user = $this->user_model->find_by($credentials);
-
-        if (! $user)
-        {
-            $this->error = lang('auth.reset_no_user');
-            return false;
-        }
-
-        // Update their password and reset their reset_hash
-        $data = [
-            'password'     => $password,
-            'pass_confirm' => $passConfirm,
-            'reset_hash'   => null
-        ];
-
-        if (! $this->user_model->update($user->id, $data))
-        {
-            $this->error = $this->user_model->error();
-            return false;
-        }
-
-        Events::trigger('didResetPassword', [(array)$user]);
-
-        return true;
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Provides a way for implementations to allow new statuses to be set
-     * on the user. The details will vary based upon implementation, but
-     * will often allow for banning or suspending users.
-     *
-     * @param $newStatus
-     * @param null $message
-     * @return mixed
-     */
-    public function changeStatus($newStatus, $message=null)
-    {
-        // todo actually record new users status!
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Allows the consuming application to pass in a reference to the
-     * model that should be used.
-     *
-     * The model MUST extend Myth\Models\CIDbModel.
-     *
-     * @param $model
-     * @param bool $allow_any_parent
-     * @return mixed
-     */
-    public function useModel($model, $allow_any_parent=false)
-    {
-        if (! $allow_any_parent && get_parent_class($model) != 'Myth\Models\CIDbModel')
-        {
-            throw new \RuntimeException('Models passed into LocalAuthenticate MUST extend Myth\Models\CIDbModel');
-        }
-
-        $this->user_model =& $model;
-
-        return $this;
-    }
-
-    //--------------------------------------------------------------------
-
-    public function error()
-    {
-        if (validation_errors())
-        {
-            return validation_errors();
-        }
-
-        return $this->error;
-    }
-
-    //--------------------------------------------------------------------
-
-    //--------------------------------------------------------------------
-    // Login Records
-    //--------------------------------------------------------------------
-
-    /**
-     * Purges all login attempt records from the database.
-     *
-     * @param $email
-     */
-    public function purgeLoginAttempts($email)
-    {
-        // Emails should NOT be case sensitive.
-        $email = strtolower($email);
-
-        $this->ci->login_model->purgeLoginAttempts($email);
-
-        // @todo record activity of login attempts purge.
-        Events::trigger('didPurgeLoginAttempts', [$email]);
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Purges all remember tokens for a single user. Effectively logs
-     * a user out of all devices. Intended to allow users to log themselves
-     * out of all devices as a security measure.
-     *
-     * @param $email
-     */
-    public function purgeRememberTokens($email)
-    {
-        // Emails should NOT be case sensitive.
-        $email = strtolower($email);
-
-        $this->ci->login_model->purgeRememberTokens($email);
-
-        // todo record activity of remember me purges.
-        Events::trigger('didPurgeRememberTokens', [$email]);
-    }
-
-    //--------------------------------------------------------------------
-
-    //--------------------------------------------------------------------
-    // Protected Methods
-    //--------------------------------------------------------------------
-
-    /**
-     * Check if Allow Persistent Login Cookies is enable
-     *
-     * @param $user
-     */
-    protected function rememberUser($user)
-    {
-        if (! config_item('auth.allow_remembering'))
-        {
-            log_message('debug', 'Auth library set to refuse "Remember Me" functionality.');
-            return false;
-        }
-
-        $this->refreshRememberCookie($user);
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Invalidates the current rememberme cookie/database entry, creates
-     * a new one, stores it and returns the new value.
-     *
-     * @param $user
-     * @param null $token
-     * @return mixed
-     */
-    protected function refreshRememberCookie($user, $token=null)
-    {
-        $this->ci->load->helper('cookie');
-
-        // If a token is passed in, we know we're removing the
-        // old one.
-        if (! empty($token))
-        {
-            $this->invalidateRememberCookie($user['email'], $token);
-        }
-
-        $new_token = $this->ci->login_model->generateRememberToken($user);
-
-        // Save the token to the database.
-        $data = [
-            'email'   => $user['email'],
-            'hash'    => sha1(config_item('auth.salt') . $new_token),
-            'created' => date('Y-m-d H:i:s')
-        ];
-
-        $this->ci->db->insert('auth_tokens', $data);
-
-        // Create the cookie
-        set_cookie(
-            'remember',                             // Cookie Name
-            $new_token,                             // Value
-            config_item('auth.remember_length'),    // # Seconds until it expires
-            config_item('cookie_domain'),
-            config_item('cookie_path'),
-            config_item('cookie_prefix'),
-            false,                                  // Only send over HTTPS?
-            true                                    // Hide from Javascript?
-        );
-
-        return $new_token;
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Deletes any current remember me cookies and database entries.
-     *
-     * @param $email
-     * @param $token
-     * @return string The new token (not the hash).
-     */
-    protected function invalidateRememberCookie($email, $token)
-    {
-        // Emails should NOT be case sensitive.
-        $email = strtolower($email);
-
-        // Remove from the database
-        $this->ci->login_model->deleteRememberToken($email, $token);
-
-        // Remove the cookie
-        delete_cookie(
-            'remember',
-            config_item('cookie_domain'),
-            config_item('cookie_path'),
-            config_item('cookie_prefix')
-        );
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Handles the nitty gritty of actually logging our user into the system.
-     * Does NOT perform the authentication, just sets the system up so that
-     * it knows we're here.
-     *
-     * @param $user
-     */
-    protected function loginUser($user)
-    {
-        // Save the user for later access
-        $this->user = $user;
-
-        // Get ip address
-        $ip_address = $this->ci->input->ip_address();
-
-        // Regenerate the session ID to help protect
-        // against session fixation
-        $this->ci->session->sess_regenerate();
-
-        // Let the session know that we're logged in.
-        $this->ci->session->set_userdata('logged_in', $user['id']);
-
-        // Clear our login attempts
-        $this->ci->login_model->purgeLoginAttempts($ip_address, $user['id']);
-
-        // Record a new Login
-        $this->ci->login_model->recordLogin($user);
-
-        // If logged in, ensure cache control
-        // headers are in place
-        $this->setHeaders();
-
-        // We'll give a 20% chance to need to do a purge since we
-        // don't need to purge THAT often, it's just a maintenance issue.
-        // to keep the table from getting out of control.
-        if (mt_rand(1, 100) < 20)
-        {
-            $this->ci->login_model->purgeOldRememberTokens();
-        }
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Sets the headers to ensure that pages are not cached when a user
-     * is logged in, helping to protect against logging out and then
-     * simply hitting the Back button on the browser and getting private
-     * information because the page was loaded from cache.
-     */
-    protected function setHeaders()
-    {
-        $this->ci->output->set_header('Cache-Control: no-store, no-cache, must-revalidate');
-        $this->ci->output->set_header('Cache-Control: post-check=0, pre-check=0');
-        $this->ci->output->set_header('Pragma: no-cache');
-    }
-
-    //--------------------------------------------------------------------
+		// Get ip address
+		$ip_address = $this->ci->input->ip_address();
+
+		// Have any attempts been made?
+		$attempts = $this->ci->login_model->countLoginAttempts($ip_address, $user_id);
+
+		// Grab the amount of time to add if the system thinks we're
+		// under a distributed brute force attack.
+		// Affect users that have at least 1 failure login attempt
+		$dbrute_time = ($attempts === 0) ? 0 : $this->ci->login_model->distributedBruteForceTime();
+
+		// If this user was found to possibly be under a brute
+		// force attack, their account would have been banned
+		// for 15 minutes.
+		if ($time = isset($_SESSION['bruteBan']) ? $_SESSION['bruteBan'] : false)
+		{
+			// If the current time is less than the
+			// the ban expiration, plus any distributed time
+			// then the user can't login just yet.
+			if ($time + $dbrute_time > time())
+			{
+				// The user is banned still...
+				$this->error = lang('auth.bruteBan_notice');
+				return ($time + $dbrute_time) - time();
+			}
+
+			// Still here? The the ban time is over...
+			unset($_SESSION['bruteBan']);
+		}
+
+		// Grab the time of last attempt and
+		// determine if we're throttled by amount of time passed.
+		$last_time = $this->ci->login_model->lastLoginAttemptTime($ip_address, $user_id);
+
+		$allowed = config_item('auth.allowed_login_attempts');
+
+		// We're not throttling if there are 0 attempts or
+		// the number is less than or equal to the allowed free attempts
+		if ($attempts === 0 || $attempts <= $allowed)
+		{
+			// Before we can say there's nothing up here,
+			// we need to check dbrute time.
+			$time_left = $last_time + $dbrute_time - time();
+
+			if ($time_left > 0)
+			{
+				return $time_left;
+			}
+
+			return false;
+		}
+
+		// If the number of attempts is excessive (above 100) we need
+		// to check the elapsed time of all of these attacks. If they are
+		// less than 1 minute it's obvious this is a brute force attack,
+		// so we'll set a session flag and block that user for 15 minutes.
+		if ($attempts > 100 && $this->ci->login_model->isBruteForced($ip_address, $user_id))
+		{
+			$this->error = lang('auth.bruteBan_notice');
+
+			$ban_time = 60 * 15;    // 15 minutes
+			$_SESSION['bruteBan'] = time() + $ban_time;
+			return $ban_time;
+		}
+
+		// Get our allowed attempts out of the picture.
+		$attempts = $attempts - $allowed;
+
+		$max_time = config_item('auth.max_throttle_time');
+
+		$add_time = 5 * pow(2, $attempts - 1);
+
+		if ($add_time > $max_time)
+		{
+			$add_time = $max_time;
+		}
+
+		$next_time = $last_time + $add_time + $dbrute_time;
+
+		$current = time();
+
+		// We are NOT throttled if we are already
+		// past the allowed time.
+		if ($current > $next_time)
+		{
+			return false;
+		}
+
+		return $next_time - $current;
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Sends a password reset link email to the user associated with
+	 * the passed in $email.
+	 *
+	 * @param $email
+	 * @return mixed
+	 */
+	public function remindUser($email)
+	{
+		// Emails should NOT be case sensitive.
+		$email = strtolower($email);
+
+		// Is it a valid user?
+		$user = $this->user_model->find_by('email', $email);
+
+		if (! $user)
+		{
+			$this->error = lang('auth.invalid_email');
+			return false;
+		}
+
+		// Generate/store our codes
+		$this->ci->load->helper('string');
+		$token = random_string('alnum', 24);
+		$hash = hash('sha1', config_item('auth.salt') .$token);
+
+		$result = $this->user_model->update($user->id, ['reset_hash' => $hash]);
+
+		if (! $result)
+		{
+			$this->error = $this->user_model->error();
+			return false;
+		}
+
+		Events::trigger('didRemindUser', [(array)$user, $token]);
+
+		return true;
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Validates the credentials provided and, if valid, resets the password.
+	 *
+	 * The $credentials array MUST contain a 'code' key with the string to
+	 * hash and check against the reset_hash.
+	 *
+	 * @param $credentials
+	 * @param $password
+	 * @param $passConfirm
+	 * @return mixed
+	 */
+	public function resetPassword($credentials, $password, $passConfirm)
+	{
+		if (empty($credentials['code']))
+		{
+			$this->error = lang('auth.need_reset_code');
+			return false;
+		}
+
+		// Generate a hash to match against the table.
+		$credentials['reset_hash'] = hash('sha1', config_item('auth.salt') .$credentials['code']);
+		unset($credentials['code']);
+
+		if (! empty($credentials['email']))
+		{
+			$credentials['email'] = strtolower($credentials['email']);
+		}
+
+		// Is there a matching user?
+		$user = $this->user_model->find_by($credentials);
+
+		if (! $user)
+		{
+			$this->error = lang('auth.reset_no_user');
+			return false;
+		}
+
+		// Update their password and reset their reset_hash
+		$data = [
+			'password'     => $password,
+			'pass_confirm' => $passConfirm,
+			'reset_hash'   => null
+		];
+
+		if (! $this->user_model->update($user->id, $data))
+		{
+			$this->error = $this->user_model->error();
+			return false;
+		}
+
+		Events::trigger('didResetPassword', [(array)$user]);
+
+		return true;
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Provides a way for implementations to allow new statuses to be set
+	 * on the user. The details will vary based upon implementation, but
+	 * will often allow for banning or suspending users.
+	 *
+	 * @param $newStatus
+	 * @param null $message
+	 * @return mixed
+	 */
+	public function changeStatus($newStatus, $message=null)
+	{
+		// todo actually record new users status!
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Allows the consuming application to pass in a reference to the
+	 * model that should be used.
+	 *
+	 * The model MUST extend Myth\Models\CIDbModel.
+	 *
+	 * @param $model
+	 * @param bool $allow_any_parent
+	 * @return mixed
+	 */
+	public function useModel($model, $allow_any_parent=false)
+	{
+		if (! $allow_any_parent && get_parent_class($model) != 'Myth\Models\CIDbModel')
+		{
+			throw new \RuntimeException('Models passed into LocalAuthenticate MUST extend Myth\Models\CIDbModel');
+		}
+
+		$this->user_model =& $model;
+
+		return $this;
+	}
+
+	//--------------------------------------------------------------------
+
+	public function error()
+	{
+		if (validation_errors())
+		{
+			return validation_errors();
+		}
+
+		return $this->error;
+	}
+
+	//--------------------------------------------------------------------
+
+	//--------------------------------------------------------------------
+	// Login Records
+	//--------------------------------------------------------------------
+
+	/**
+	 * Purges all login attempt records from the database.
+	 *
+	 * @param $email
+	 */
+	public function purgeLoginAttempts($email)
+	{
+		// Emails should NOT be case sensitive.
+		$email = strtolower($email);
+
+		$this->ci->login_model->purgeLoginAttempts($email);
+
+		// @todo record activity of login attempts purge.
+		Events::trigger('didPurgeLoginAttempts', [$email]);
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Purges all remember tokens for a single user. Effectively logs
+	 * a user out of all devices. Intended to allow users to log themselves
+	 * out of all devices as a security measure.
+	 *
+	 * @param $email
+	 */
+	public function purgeRememberTokens($email)
+	{
+		// Emails should NOT be case sensitive.
+		$email = strtolower($email);
+
+		$this->ci->login_model->purgeRememberTokens($email);
+
+		// todo record activity of remember me purges.
+		Events::trigger('didPurgeRememberTokens', [$email]);
+	}
+
+	//--------------------------------------------------------------------
+
+	//--------------------------------------------------------------------
+	// Protected Methods
+	//--------------------------------------------------------------------
+
+	/**
+	 * Check if Allow Persistent Login Cookies is enable
+	 *
+	 * @param $user
+	 */
+	protected function rememberUser($user)
+	{
+		if (! config_item('auth.allow_remembering'))
+		{
+			log_message('debug', 'Auth library set to refuse "Remember Me" functionality.');
+			return false;
+		}
+
+		$this->refreshRememberCookie($user);
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Invalidates the current rememberme cookie/database entry, creates
+	 * a new one, stores it and returns the new value.
+	 *
+	 * @param $user
+	 * @param null $token
+	 * @return mixed
+	 */
+	protected function refreshRememberCookie($user, $token=null)
+	{
+		$this->ci->load->helper('cookie');
+
+		// If a token is passed in, we know we're removing the
+		// old one.
+		if (! empty($token))
+		{
+			$this->invalidateRememberCookie($user['email'], $token);
+		}
+
+		$new_token = $this->ci->login_model->generateRememberToken($user);
+
+		// Save the token to the database.
+		$data = [
+			'email'   => $user['email'],
+			'hash'    => sha1(config_item('auth.salt') . $new_token),
+			'created' => date('Y-m-d H:i:s')
+		];
+
+		$this->ci->db->insert('auth_tokens', $data);
+
+		// Create the cookie
+		set_cookie(
+			'remember',                             // Cookie Name
+			$new_token,                             // Value
+			config_item('auth.remember_length'),    // # Seconds until it expires
+			config_item('cookie_domain'),
+			config_item('cookie_path'),
+			config_item('cookie_prefix'),
+			false,                                  // Only send over HTTPS?
+			true                                    // Hide from Javascript?
+		);
+
+		return $new_token;
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Deletes any current remember me cookies and database entries.
+	 *
+	 * @param $email
+	 * @param $token
+	 * @return string The new token (not the hash).
+	 */
+	protected function invalidateRememberCookie($email, $token)
+	{
+		// Emails should NOT be case sensitive.
+		$email = strtolower($email);
+
+		// Remove from the database
+		$this->ci->login_model->deleteRememberToken($email, $token);
+
+		// Remove the cookie
+		delete_cookie(
+			'remember',
+			config_item('cookie_domain'),
+			config_item('cookie_path'),
+			config_item('cookie_prefix')
+		);
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Handles the nitty gritty of actually logging our user into the system.
+	 * Does NOT perform the authentication, just sets the system up so that
+	 * it knows we're here.
+	 *
+	 * @param $user
+	 */
+	protected function loginUser($user)
+	{
+		// Save the user for later access
+		$this->user = $user;
+
+		// Get ip address
+		$ip_address = $this->ci->input->ip_address();
+
+		// Regenerate the session ID to help protect
+		// against session fixation
+		$this->ci->session->sess_regenerate();
+
+		// Let the session know that we're logged in.
+		$this->ci->session->set_userdata('logged_in', $user['id']);
+
+		// Clear our login attempts
+		$this->ci->login_model->purgeLoginAttempts($ip_address, $user['id']);
+
+		// Record a new Login
+		$this->ci->login_model->recordLogin($user);
+
+		// If logged in, ensure cache control
+		// headers are in place
+		$this->setHeaders();
+
+		// We'll give a 20% chance to need to do a purge since we
+		// don't need to purge THAT often, it's just a maintenance issue.
+		// to keep the table from getting out of control.
+		if (mt_rand(1, 100) < 20)
+		{
+			$this->ci->login_model->purgeOldRememberTokens();
+		}
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Sets the headers to ensure that pages are not cached when a user
+	 * is logged in, helping to protect against logging out and then
+	 * simply hitting the Back button on the browser and getting private
+	 * information because the page was loaded from cache.
+	 */
+	protected function setHeaders()
+	{
+		$this->ci->output->set_header('Cache-Control: no-store, no-cache, must-revalidate');
+		$this->ci->output->set_header('Cache-Control: post-check=0, pre-check=0');
+		$this->ci->output->set_header('Pragma: no-cache');
+	}
+
+	//--------------------------------------------------------------------
 
 
 }

myth/CIModules/auth/models/Login_model.php

Indentation +344 added lines, -344 removed lines

@@ -41,349 +41,349 @@
  */
 class Login_model extends \Myth\Models\CIDbModel {
 
-    protected $table_name = 'auth_logins';
-
-    protected $set_created = false;
-    protected $set_modified = false;
-
-    //--------------------------------------------------------------------
-
-    //--------------------------------------------------------------------
-    // Login Attempts
-    //--------------------------------------------------------------------
-
-    /**
-     * Records a login attempt. This is used to implement
-     * throttling of application, ip address and user login attempts.
-     *
-     * @param $ip_address
-     * @param $user_id
-     * @return void
-     */
-    public function recordLoginAttempt($ip_address, $user_id = null)
-    {
-        $datetime = date('Y-m-d H:i:s');
-
-        // log attempt for app
-        $data = [
-            'type' => 'app',
-            'datetime' => $datetime
-        ];
-
-        $this->db->insert('auth_login_attempts', $data);
-
-        // log attempt for ip address
-        if (! empty($ip_address))
-        {
-            $data = [
-                'type' => 'ip',
-                'ip_address' => $ip_address,
-                'datetime' => $datetime
-            ];
-
-            $this->db->insert('auth_login_attempts', $data);
-        }
-
-        // log attempt for user
-        if ($user_id)
-        {
-            $data = [
-                'type' => 'user',
-                'user_id' => $user_id,
-                'datetime' => $datetime
-            ];
-
-            $this->db->insert('auth_login_attempts', $data);
-        }
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Purges all login attempt records from the database.
-     *
-     * @param $ip_address
-     * @param $user_id
-     * @return mixed
-     */
-    public function purgeLoginAttempts($ip_address, $user_id)
-    {
-        return $this->db->where('ip_address', $ip_address)
-                        ->or_where('user_id', $user_id)
-                        ->delete('auth_login_attempts');
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Checks to see if how many login attempts have been attempted in the
-     * last 60 seconds. If over 100, it is considered to be under a
-     * brute force attempt.
-     *
-     * @param $ip_address
-     * @param $user_id
-     * @return bool
-     */
-    public function isBruteForced($ip_address, $user_id)
-    {
-        $start_time = date('Y-m-d H:i:s', time() - 60);
-
-        $attempts_ip = $this->db->where('type', 'ip')
-                                ->where('ip_address', $ip_address)
-                                ->where('datetime >=', $start_time)
-                                ->count_all_results('auth_login_attempts');
-
-        if (! $user_id)
-        {
-            return $attempts_ip > 100;
-        }
-
-        $attempts_user = $this->db->where('type', 'user')
-                                  ->where('user_id', $user_id)
-                                  ->where('datetime >=', $start_time)
-                                  ->count_all_results('auth_login_attempts');
-
-        if ($attempts_user > $attempts_ip) 
-        {
-            return $attempts_user > 100;
-        }
-        else
-        {
-            return $attempts_ip > 100;
-        }
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Attempts to determine if the system is under a distributed
-     * brute force attack.
-     *
-     * To determine if we are in under a brute force attack, we first
-     * find the average number of bad logins per day that never converted to
-     * successful logins over the last 3 months. Then we compare
-     * that to the the average number of logins in the past 24 hours.
-     *
-     * If the number of attempts in the last 24 hours is more than X (see config)
-     * times the average, then institute additional throttling.
-     *
-     * @return int The time to add to any throttling.
-     */
-    public function distributedBruteForceTime()
-    {
-        if (! $time = $this->cache->get('dbrutetime'))
-        {
-            $time = 0;
-
-            // Compute our daily average over the last 3 months.
-            $avg_start_time = date('Y-m-d 00:00:00', strtotime('-3 months'));
-
-            $query = $this->db->query("SELECT COUNT(*) / COUNT(DISTINCT DATE(`datetime`)) as num_rows FROM `auth_login_attempts` WHERE `type` = 'app' AND `datetime` >= ?", $avg_start_time);
-
-            if (! $query->num_rows())
-            {
-                $average = 0;
-            }
-            else
-            {
-                $average = $query->row()->num_rows;
-            }
-
-            // Get the total in the last 24 hours
-            $today_start_time = date('Y-m-d H:i:s', strtotime('-24 hours'));
-
-            $attempts = $this->db->where('type', 'app')
-                                 ->where('datetime >=', $today_start_time)
-                                 ->count_all_results('auth_login_attempts');
-
-            if ($attempts > (config_item('auth.dbrute_multiplier') * $average))
-            {
-                $time = config_item('auth.distributed_brute_add_time');
-            }
-
-            // Cache it for 3 hours.
-            $this->cache->save('dbrutetime', $time, 60*60*3);
-        }
-
-        return $time;
-    }
-
-    //--------------------------------------------------------------------
-
-    //--------------------------------------------------------------------
-    // Logins
-    //--------------------------------------------------------------------
-
-    /**
-     * Records a successful login. This stores in a table so that a
-     * history can be pulled up later if needed for security analyses.
-     *
-     * @param $user
-     */
-    public function recordLogin($user)
-    {
-        $data = [
-            'user_id'    => (int)$user['id'],
-            'datetime'   => date('Y-m-d H:i:s'),
-            'ip_address' => $this->input->ip_address()
-        ];
-
-        return $this->db->insert('auth_logins', $data);
-    }
-
-    //--------------------------------------------------------------------
-
-    //--------------------------------------------------------------------
-    // Tokens
-    //--------------------------------------------------------------------
-
-    /**
-     * Generates a new token for the rememberme cookie.
-     *
-     * The token is based on the user's email address (since everyone will have one)
-     * with the '@' turned to a '.', followed by a pipe (|) and a random 128-character
-     * string with letters and numbers.
-     *
-     * @param $user
-     * @return mixed
-     */
-    public function generateRememberToken($user)
-    {
-        $this->load->helper('string');
-
-        return str_replace('@', '.', $user['email']) .'|' . random_string('alnum', 128);
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Hashes the token for the Remember Me Functionality.
-     *
-     * @param $token
-     * @return string
-     */
-    public function hashRememberToken($token)
-    {
-        return sha1(config_item('auth.salt') . $token);
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Deletes a single token that matches the email/token combo.
-     *
-     * @param $email
-     * @param $token
-     * @return mixed
-     */
-    public function deleteRememberToken($email, $token)
-    {
-        $where = [
-            'email' => $email,
-            'hash'  => $this->hashRememberToken($token)
-        ];
-
-        $this->db->delete('auth_tokens', $where);
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Removes all persistent login tokens (RememberMe) for a single user
-     * across all devices they may have logged in with.
-     *
-     * @param $email
-     * @return mixed
-     */
-    public function purgeRememberTokens($email)
-    {
-        return $this->db->delete('auth_tokens', ['email' => $email]);
-    }
-
-    //--------------------------------------------------------------------
-
-
-    /**
-     * Purges the 'auth_tokens' table of any records that are too old
-     * to be of any use anymore. This equates to 1 week older than
-     * the remember_length set in the config file.
-     */
-    public function purgeOldRememberTokens()
-    {
-        if (! config_item('auth.allow_remembering'))
-        {
-            return;
-        }
-
-        $date = time() - config_item('auth.remember_length') - 604800; // 1 week
-        $date = date('Y-m-d 00:00:00', $date);
-
-        $this->db->where('created <=', $date)
-                 ->delete('auth_tokens');
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Gets the timestamp of the last attempted login for this user.
-     *
-     * @param $ip_address
-     * @param $user_id
-     * @return int|null
-     */
-    public function lastLoginAttemptTime($ip_address, $user_id)
-    {
-        $query = $this->db->where('type', 'ip')
-                          ->where('ip_address', $ip_address)
-                          ->order_by('datetime', 'desc')
-                          ->limit(1)
-                          ->get('auth_login_attempts');
-
-        $last_ip = ! $query->num_rows() ? 0 : strtotime($query->row()->datetime);
-
-        if (! $user_id)
-        {
-            return $last_ip;
-        }
-
-        $query = $this->db->where('type', 'user')
-                          ->where('user_id', $user_id)
-                          ->order_by('datetime', 'desc')
-                          ->limit(1)
-                          ->get('auth_login_attempts');
-
-        $last_user = ! $query->num_rows() ? 0 : strtotime($query->row()->datetime);
-
-        return ($last_user > $last_ip) ? $last_user : $last_ip;
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Returns the number of failed login attempts for a given type.
-     *
-     * @param $ip_address
-     * @param $user_id
-     * @return int
-     */
-    public function countLoginAttempts($ip_address, $user_id)
-    {
-        $count_ip = $this->db->where('type', 'ip')
-                             ->where('ip_address', $ip_address)
-                             ->count_all_results('auth_login_attempts');
-
-        if (! $user_id)
-        {
-            return $count_ip;
-        }
-
-        $count_user = $this->db->where('type', 'user')
-                               ->where('user_id', $user_id)
-                               ->count_all_results('auth_login_attempts');
-
-        return ($count_user > $count_ip) ? $count_user : $count_ip;
-    }
-
-    //--------------------------------------------------------------------
+	protected $table_name = 'auth_logins';
+
+	protected $set_created = false;
+	protected $set_modified = false;
+
+	//--------------------------------------------------------------------
+
+	//--------------------------------------------------------------------
+	// Login Attempts
+	//--------------------------------------------------------------------
+
+	/**
+	 * Records a login attempt. This is used to implement
+	 * throttling of application, ip address and user login attempts.
+	 *
+	 * @param $ip_address
+	 * @param $user_id
+	 * @return void
+	 */
+	public function recordLoginAttempt($ip_address, $user_id = null)
+	{
+		$datetime = date('Y-m-d H:i:s');
+
+		// log attempt for app
+		$data = [
+			'type' => 'app',
+			'datetime' => $datetime
+		];
+
+		$this->db->insert('auth_login_attempts', $data);
+
+		// log attempt for ip address
+		if (! empty($ip_address))
+		{
+			$data = [
+				'type' => 'ip',
+				'ip_address' => $ip_address,
+				'datetime' => $datetime
+			];
+
+			$this->db->insert('auth_login_attempts', $data);
+		}
+
+		// log attempt for user
+		if ($user_id)
+		{
+			$data = [
+				'type' => 'user',
+				'user_id' => $user_id,
+				'datetime' => $datetime
+			];
+
+			$this->db->insert('auth_login_attempts', $data);
+		}
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Purges all login attempt records from the database.
+	 *
+	 * @param $ip_address
+	 * @param $user_id
+	 * @return mixed
+	 */
+	public function purgeLoginAttempts($ip_address, $user_id)
+	{
+		return $this->db->where('ip_address', $ip_address)
+						->or_where('user_id', $user_id)
+						->delete('auth_login_attempts');
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Checks to see if how many login attempts have been attempted in the
+	 * last 60 seconds. If over 100, it is considered to be under a
+	 * brute force attempt.
+	 *
+	 * @param $ip_address
+	 * @param $user_id
+	 * @return bool
+	 */
+	public function isBruteForced($ip_address, $user_id)
+	{
+		$start_time = date('Y-m-d H:i:s', time() - 60);
+
+		$attempts_ip = $this->db->where('type', 'ip')
+								->where('ip_address', $ip_address)
+								->where('datetime >=', $start_time)
+								->count_all_results('auth_login_attempts');
+
+		if (! $user_id)
+		{
+			return $attempts_ip > 100;
+		}
+
+		$attempts_user = $this->db->where('type', 'user')
+								  ->where('user_id', $user_id)
+								  ->where('datetime >=', $start_time)
+								  ->count_all_results('auth_login_attempts');
+
+		if ($attempts_user > $attempts_ip) 
+		{
+			return $attempts_user > 100;
+		}
+		else
+		{
+			return $attempts_ip > 100;
+		}
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Attempts to determine if the system is under a distributed
+	 * brute force attack.
+	 *
+	 * To determine if we are in under a brute force attack, we first
+	 * find the average number of bad logins per day that never converted to
+	 * successful logins over the last 3 months. Then we compare
+	 * that to the the average number of logins in the past 24 hours.
+	 *
+	 * If the number of attempts in the last 24 hours is more than X (see config)
+	 * times the average, then institute additional throttling.
+	 *
+	 * @return int The time to add to any throttling.
+	 */
+	public function distributedBruteForceTime()
+	{
+		if (! $time = $this->cache->get('dbrutetime'))
+		{
+			$time = 0;
+
+			// Compute our daily average over the last 3 months.
+			$avg_start_time = date('Y-m-d 00:00:00', strtotime('-3 months'));
+
+			$query = $this->db->query("SELECT COUNT(*) / COUNT(DISTINCT DATE(`datetime`)) as num_rows FROM `auth_login_attempts` WHERE `type` = 'app' AND `datetime` >= ?", $avg_start_time);
+
+			if (! $query->num_rows())
+			{
+				$average = 0;
+			}
+			else
+			{
+				$average = $query->row()->num_rows;
+			}
+
+			// Get the total in the last 24 hours
+			$today_start_time = date('Y-m-d H:i:s', strtotime('-24 hours'));
+
+			$attempts = $this->db->where('type', 'app')
+								 ->where('datetime >=', $today_start_time)
+								 ->count_all_results('auth_login_attempts');
+
+			if ($attempts > (config_item('auth.dbrute_multiplier') * $average))
+			{
+				$time = config_item('auth.distributed_brute_add_time');
+			}
+
+			// Cache it for 3 hours.
+			$this->cache->save('dbrutetime', $time, 60*60*3);
+		}
+
+		return $time;
+	}
+
+	//--------------------------------------------------------------------
+
+	//--------------------------------------------------------------------
+	// Logins
+	//--------------------------------------------------------------------
+
+	/**
+	 * Records a successful login. This stores in a table so that a
+	 * history can be pulled up later if needed for security analyses.
+	 *
+	 * @param $user
+	 */
+	public function recordLogin($user)
+	{
+		$data = [
+			'user_id'    => (int)$user['id'],
+			'datetime'   => date('Y-m-d H:i:s'),
+			'ip_address' => $this->input->ip_address()
+		];
+
+		return $this->db->insert('auth_logins', $data);
+	}
+
+	//--------------------------------------------------------------------
+
+	//--------------------------------------------------------------------
+	// Tokens
+	//--------------------------------------------------------------------
+
+	/**
+	 * Generates a new token for the rememberme cookie.
+	 *
+	 * The token is based on the user's email address (since everyone will have one)
+	 * with the '@' turned to a '.', followed by a pipe (|) and a random 128-character
+	 * string with letters and numbers.
+	 *
+	 * @param $user
+	 * @return mixed
+	 */
+	public function generateRememberToken($user)
+	{
+		$this->load->helper('string');
+
+		return str_replace('@', '.', $user['email']) .'|' . random_string('alnum', 128);
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Hashes the token for the Remember Me Functionality.
+	 *
+	 * @param $token
+	 * @return string
+	 */
+	public function hashRememberToken($token)
+	{
+		return sha1(config_item('auth.salt') . $token);
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Deletes a single token that matches the email/token combo.
+	 *
+	 * @param $email
+	 * @param $token
+	 * @return mixed
+	 */
+	public function deleteRememberToken($email, $token)
+	{
+		$where = [
+			'email' => $email,
+			'hash'  => $this->hashRememberToken($token)
+		];
+
+		$this->db->delete('auth_tokens', $where);
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Removes all persistent login tokens (RememberMe) for a single user
+	 * across all devices they may have logged in with.
+	 *
+	 * @param $email
+	 * @return mixed
+	 */
+	public function purgeRememberTokens($email)
+	{
+		return $this->db->delete('auth_tokens', ['email' => $email]);
+	}
+
+	//--------------------------------------------------------------------
+
+
+	/**
+	 * Purges the 'auth_tokens' table of any records that are too old
+	 * to be of any use anymore. This equates to 1 week older than
+	 * the remember_length set in the config file.
+	 */
+	public function purgeOldRememberTokens()
+	{
+		if (! config_item('auth.allow_remembering'))
+		{
+			return;
+		}
+
+		$date = time() - config_item('auth.remember_length') - 604800; // 1 week
+		$date = date('Y-m-d 00:00:00', $date);
+
+		$this->db->where('created <=', $date)
+				 ->delete('auth_tokens');
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Gets the timestamp of the last attempted login for this user.
+	 *
+	 * @param $ip_address
+	 * @param $user_id
+	 * @return int|null
+	 */
+	public function lastLoginAttemptTime($ip_address, $user_id)
+	{
+		$query = $this->db->where('type', 'ip')
+						  ->where('ip_address', $ip_address)
+						  ->order_by('datetime', 'desc')
+						  ->limit(1)
+						  ->get('auth_login_attempts');
+
+		$last_ip = ! $query->num_rows() ? 0 : strtotime($query->row()->datetime);
+
+		if (! $user_id)
+		{
+			return $last_ip;
+		}
+
+		$query = $this->db->where('type', 'user')
+						  ->where('user_id', $user_id)
+						  ->order_by('datetime', 'desc')
+						  ->limit(1)
+						  ->get('auth_login_attempts');
+
+		$last_user = ! $query->num_rows() ? 0 : strtotime($query->row()->datetime);
+
+		return ($last_user > $last_ip) ? $last_user : $last_ip;
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Returns the number of failed login attempts for a given type.
+	 *
+	 * @param $ip_address
+	 * @param $user_id
+	 * @return int
+	 */
+	public function countLoginAttempts($ip_address, $user_id)
+	{
+		$count_ip = $this->db->where('type', 'ip')
+							 ->where('ip_address', $ip_address)
+							 ->count_all_results('auth_login_attempts');
+
+		if (! $user_id)
+		{
+			return $count_ip;
+		}
+
+		$count_user = $this->db->where('type', 'user')
+							   ->where('user_id', $user_id)
+							   ->count_all_results('auth_login_attempts');
+
+		return ($count_user > $count_ip) ? $count_user : $count_ip;
+	}
+
+	//--------------------------------------------------------------------
 
 }

Spacing +11 added lines, -11 removed lines

@@ -73,7 +73,7 @@ 
         $this->db->insert('auth_login_attempts', $data);
 
         // log attempt for ip address
-        if (! empty($ip_address))
+        if ( ! empty($ip_address))
         {
             $data = [
                 'type' => 'ip',
@@ -133,7 +133,7 @@ 
                                 ->where('datetime >=', $start_time)
                                 ->count_all_results('auth_login_attempts');
 
-        if (! $user_id)
+        if ( ! $user_id)
         {
             return $attempts_ip > 100;
         }
@@ -171,7 +171,7 @@ 
      */
     public function distributedBruteForceTime()
     {
-        if (! $time = $this->cache->get('dbrutetime'))
+        if ( ! $time = $this->cache->get('dbrutetime'))
         {
             $time = 0;
 
@@ -180,7 +180,7 @@ 
 
             $query = $this->db->query("SELECT COUNT(*) / COUNT(DISTINCT DATE(`datetime`)) as num_rows FROM `auth_login_attempts` WHERE `type` = 'app' AND `datetime` >= ?", $avg_start_time);
 
-            if (! $query->num_rows())
+            if ( ! $query->num_rows())
             {
                 $average = 0;
             }
@@ -202,7 +202,7 @@ 
             }
 
             // Cache it for 3 hours.
-            $this->cache->save('dbrutetime', $time, 60*60*3);
+            $this->cache->save('dbrutetime', $time, 60 * 60 * 3);
         }
 
         return $time;
@@ -223,7 +223,7 @@ 
     public function recordLogin($user)
     {
         $data = [
-            'user_id'    => (int)$user['id'],
+            'user_id'    => (int) $user['id'],
             'datetime'   => date('Y-m-d H:i:s'),
             'ip_address' => $this->input->ip_address()
         ];
@@ -251,7 +251,7 @@ 
     {
         $this->load->helper('string');
 
-        return str_replace('@', '.', $user['email']) .'|' . random_string('alnum', 128);
+        return str_replace('@', '.', $user['email']).'|'.random_string('alnum', 128);
     }
 
     //--------------------------------------------------------------------
@@ -264,7 +264,7 @@ 
      */
     public function hashRememberToken($token)
     {
-        return sha1(config_item('auth.salt') . $token);
+        return sha1(config_item('auth.salt').$token);
     }
 
     //--------------------------------------------------------------------
@@ -310,7 +310,7 @@ 
      */
     public function purgeOldRememberTokens()
     {
-        if (! config_item('auth.allow_remembering'))
+        if ( ! config_item('auth.allow_remembering'))
         {
             return;
         }
@@ -341,7 +341,7 @@ 
 
         $last_ip = ! $query->num_rows() ? 0 : strtotime($query->row()->datetime);
 
-        if (! $user_id)
+        if ( ! $user_id)
         {
             return $last_ip;
         }
@@ -372,7 +372,7 @@ 
                              ->where('ip_address', $ip_address)
                              ->count_all_results('auth_login_attempts');
 
-        if (! $user_id)
+        if ( ! $user_id)
         {
             return $count_ip;
         }

Braces +2 added lines, -4 removed lines

@@ -146,8 +146,7 @@ 
         if ($attempts_user > $attempts_ip) 
         {
             return $attempts_user > 100;
-        }
-        else
+        } else
         {
             return $attempts_ip > 100;
         }
@@ -183,8 +182,7 @@ 
             if (! $query->num_rows())
             {
                 $average = 0;
-            }
-            else
+            } else
             {
                 $average = $query->row()->num_rows;
             }

application/database/migrations/20160111121139_UpdateLoginAttemptsTable.php

Indentation +43 added lines, -43 removed lines

@@ -10,57 +10,57 @@
  */
 class Migration_UpdateLoginAttemmptsTable extends CI_Migration {
 
-    public function up()
-    {
-        $fields = array(
-            'type' => array(
-                'type'       => 'varchar',
-                'constraint' => 64,
-                'null'       => false,
-                'default'    => 'app',
-                'after'      => 'id'
-            ),
-            'ip_address' => array(
-                'type'       => 'varchar',
-                'constraint' => 255,
-                'null'       => true,
-                'after'      => 'type'
-            ),
-            'user_id' => array(
-                'type'       => 'int',
-                'constraint' => 11,
-                'unsigned'   => true,
-                'null'       => true,
-                'after'      => 'ip_address'
-            )
-        );
+	public function up()
+	{
+		$fields = array(
+			'type' => array(
+				'type'       => 'varchar',
+				'constraint' => 64,
+				'null'       => false,
+				'default'    => 'app',
+				'after'      => 'id'
+			),
+			'ip_address' => array(
+				'type'       => 'varchar',
+				'constraint' => 255,
+				'null'       => true,
+				'after'      => 'type'
+			),
+			'user_id' => array(
+				'type'       => 'int',
+				'constraint' => 11,
+				'unsigned'   => true,
+				'null'       => true,
+				'after'      => 'ip_address'
+			)
+		);
 
-        $this->dbforge->add_column('auth_login_attempts', $fields);
+		$this->dbforge->add_column('auth_login_attempts', $fields);
 
-        $this->db->query('ALTER TABLE `auth_login_attempts` ADD KEY (`user_id`)');
+		$this->db->query('ALTER TABLE `auth_login_attempts` ADD KEY (`user_id`)');
 
-        $this->dbforge->drop_column('auth_login_attempts', 'email');
-    }
+		$this->dbforge->drop_column('auth_login_attempts', 'email');
+	}
 
-    //--------------------------------------------------------------------
+	//--------------------------------------------------------------------
 
-    public function down()
-    {
-        $this->dbforge->drop_column('auth_login_attempts', 'type');
-        $this->dbforge->drop_column('auth_login_attempts', 'ip_address');
-        $this->dbforge->drop_column('auth_login_attempts', 'user_id');
+	public function down()
+	{
+		$this->dbforge->drop_column('auth_login_attempts', 'type');
+		$this->dbforge->drop_column('auth_login_attempts', 'ip_address');
+		$this->dbforge->drop_column('auth_login_attempts', 'user_id');
 
-        $column = ['email' => [
-            'type'       => 'varchar',
-            'constraint' => 255,
-            'after'      => 'id'
-        ]];
+		$column = ['email' => [
+			'type'       => 'varchar',
+			'constraint' => 255,
+			'after'      => 'id'
+		]];
 
-        $this->dbforge->add_column('auth_login_attempts', $column);
+		$this->dbforge->add_column('auth_login_attempts', $column);
 
-        $this->db->query('ALTER TABLE `auth_login_attempts` ADD KEY (`email`)');
-    }
+		$this->db->query('ALTER TABLE `auth_login_attempts` ADD KEY (`email`)');
+	}
 
-    //--------------------------------------------------------------------
+	//--------------------------------------------------------------------
 
 }
\ No newline at end of file