Inspection of "Merge pull request #151 from michalsn/feature/bett..." - ci-bonfire/Sprint - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — develop ( e2250a...6bb0fd )

by Lonnie

created 2016-01-12 20:37 UTC

Status

Indentation +3 added lines, -3 removed lines patch added patch discarded remove patch

@@ -74,7 +74,7 @@  discard block
 block discarded – undo
 	 */
 	public function setRealm($realm)
 	{
-	    $this->realm = $realm;
+		$this->realm = $realm;
 		return $this;
 	}
 
@@ -116,7 +116,7 @@  discard block
 block discarded – undo
 			'password'  => $password
 		];
 
-	    $user = $this->validate($data, true);
+		$user = $this->validate($data, true);
 
 		$this->user = $user;
 
@@ -272,7 +272,7 @@  discard block
 block discarded – undo
 	 */
 	public function checkIPBlacklist()
 	{
-	    $blacklist = explode(',', config_item('api.ip_blacklist'));
+		$blacklist = explode(',', config_item('api.ip_blacklist'));
 
 		array_walk($blacklist, function (&$item, $key) {
 			$item = trim($item);

Please login to merge, or discard this patch.

myth/CIModules/auth/models/Login_model.php 1 patch

Indentation +344 added lines, -344 removed lines patch added patch discarded remove patch

@@ -41,349 +41,349 @@
 block discarded – undo
  */
 class Login_model extends \Myth\Models\CIDbModel {
 
-    protected $table_name = 'auth_logins';
-
-    protected $set_created = false;
-    protected $set_modified = false;
-
-    //--------------------------------------------------------------------
-
-    //--------------------------------------------------------------------
-    // Login Attempts
-    //--------------------------------------------------------------------
-
-    /**
-     * Records a login attempt. This is used to implement
-     * throttling of application, ip address and user login attempts.
-     *
-     * @param $ip_address
-     * @param $user_id
-     * @return void
-     */
-    public function recordLoginAttempt($ip_address, $user_id = null)
-    {
-        $datetime = date('Y-m-d H:i:s');
-
-        // log attempt for app
-        $data = [
-            'type' => 'app',
-            'datetime' => $datetime
-        ];
-
-        $this->db->insert('auth_login_attempts', $data);
-
-        // log attempt for ip address
-        if (! empty($ip_address))
-        {
-            $data = [
-                'type' => 'ip',
-                'ip_address' => $ip_address,
-                'datetime' => $datetime
-            ];
-
-            $this->db->insert('auth_login_attempts', $data);
-        }
-
-        // log attempt for user
-        if ($user_id)
-        {
-            $data = [
-                'type' => 'user',
-                'user_id' => $user_id,
-                'datetime' => $datetime
-            ];
-
-            $this->db->insert('auth_login_attempts', $data);
-        }
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Purges all login attempt records from the database.
-     *
-     * @param $ip_address
-     * @param $user_id
-     * @return mixed
-     */
-    public function purgeLoginAttempts($ip_address, $user_id)
-    {
-        return $this->db->where('ip_address', $ip_address)
-                        ->or_where('user_id', $user_id)
-                        ->delete('auth_login_attempts');
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Checks to see if how many login attempts have been attempted in the
-     * last 60 seconds. If over 100, it is considered to be under a
-     * brute force attempt.
-     *
-     * @param $ip_address
-     * @param $user_id
-     * @return bool
-     */
-    public function isBruteForced($ip_address, $user_id)
-    {
-        $start_time = date('Y-m-d H:i:s', time() - 60);
-
-        $attempts_ip = $this->db->where('type', 'ip')
-                                ->where('ip_address', $ip_address)
-                                ->where('datetime >=', $start_time)
-                                ->count_all_results('auth_login_attempts');
-
-        if (! $user_id)
-        {
-            return $attempts_ip > 100;
-        }
-
-        $attempts_user = $this->db->where('type', 'user')
-                                  ->where('user_id', $user_id)
-                                  ->where('datetime >=', $start_time)
-                                  ->count_all_results('auth_login_attempts');
-
-        if ($attempts_user > $attempts_ip) 
-        {
-            return $attempts_user > 100;
-        }
-        else
-        {
-            return $attempts_ip > 100;
-        }
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Attempts to determine if the system is under a distributed
-     * brute force attack.
-     *
-     * To determine if we are in under a brute force attack, we first
-     * find the average number of bad logins per day that never converted to
-     * successful logins over the last 3 months. Then we compare
-     * that to the the average number of logins in the past 24 hours.
-     *
-     * If the number of attempts in the last 24 hours is more than X (see config)
-     * times the average, then institute additional throttling.
-     *
-     * @return int The time to add to any throttling.
-     */
-    public function distributedBruteForceTime()
-    {
-        if (! $time = $this->cache->get('dbrutetime'))
-        {
-            $time = 0;
-
-            // Compute our daily average over the last 3 months.
-            $avg_start_time = date('Y-m-d 00:00:00', strtotime('-3 months'));
-
-            $query = $this->db->query("SELECT COUNT(*) / COUNT(DISTINCT DATE(`datetime`)) as num_rows FROM `auth_login_attempts` WHERE `type` = 'app' AND `datetime` >= ?", $avg_start_time);
-
-            if (! $query->num_rows())
-            {
-                $average = 0;
-            }
-            else
-            {
-                $average = $query->row()->num_rows;
-            }
-
-            // Get the total in the last 24 hours
-            $today_start_time = date('Y-m-d H:i:s', strtotime('-24 hours'));
-
-            $attempts = $this->db->where('type', 'app')
-                                 ->where('datetime >=', $today_start_time)
-                                 ->count_all_results('auth_login_attempts');
-
-            if ($attempts > (config_item('auth.dbrute_multiplier') * $average))
-            {
-                $time = config_item('auth.distributed_brute_add_time');
-            }
-
-            // Cache it for 3 hours.
-            $this->cache->save('dbrutetime', $time, 60*60*3);
-        }
-
-        return $time;
-    }
-
-    //--------------------------------------------------------------------
-
-    //--------------------------------------------------------------------
-    // Logins
-    //--------------------------------------------------------------------
-
-    /**
-     * Records a successful login. This stores in a table so that a
-     * history can be pulled up later if needed for security analyses.
-     *
-     * @param $user
-     */
-    public function recordLogin($user)
-    {
-        $data = [
-            'user_id'    => (int)$user['id'],
-            'datetime'   => date('Y-m-d H:i:s'),
-            'ip_address' => $this->input->ip_address()
-        ];
-
-        return $this->db->insert('auth_logins', $data);
-    }
-
-    //--------------------------------------------------------------------
-
-    //--------------------------------------------------------------------
-    // Tokens
-    //--------------------------------------------------------------------
-
-    /**
-     * Generates a new token for the rememberme cookie.
-     *
-     * The token is based on the user's email address (since everyone will have one)
-     * with the '@' turned to a '.', followed by a pipe (|) and a random 128-character
-     * string with letters and numbers.
-     *
-     * @param $user
-     * @return mixed
-     */
-    public function generateRememberToken($user)
-    {
-        $this->load->helper('string');
-
-        return str_replace('@', '.', $user['email']) .'|' . random_string('alnum', 128);
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Hashes the token for the Remember Me Functionality.
-     *
-     * @param $token
-     * @return string
-     */
-    public function hashRememberToken($token)
-    {
-        return sha1(config_item('auth.salt') . $token);
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Deletes a single token that matches the email/token combo.
-     *
-     * @param $email
-     * @param $token
-     * @return mixed
-     */
-    public function deleteRememberToken($email, $token)
-    {
-        $where = [
-            'email' => $email,
-            'hash'  => $this->hashRememberToken($token)
-        ];
-
-        $this->db->delete('auth_tokens', $where);
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Removes all persistent login tokens (RememberMe) for a single user
-     * across all devices they may have logged in with.
-     *
-     * @param $email
-     * @return mixed
-     */
-    public function purgeRememberTokens($email)
-    {
-        return $this->db->delete('auth_tokens', ['email' => $email]);
-    }
-
-    //--------------------------------------------------------------------
-
-
-    /**
-     * Purges the 'auth_tokens' table of any records that are too old
-     * to be of any use anymore. This equates to 1 week older than
-     * the remember_length set in the config file.
-     */
-    public function purgeOldRememberTokens()
-    {
-        if (! config_item('auth.allow_remembering'))
-        {
-            return;
-        }
-
-        $date = time() - config_item('auth.remember_length') - 604800; // 1 week
-        $date = date('Y-m-d 00:00:00', $date);
-
-        $this->db->where('created <=', $date)
-                 ->delete('auth_tokens');
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Gets the timestamp of the last attempted login for this user.
-     *
-     * @param $ip_address
-     * @param $user_id
-     * @return int|null
-     */
-    public function lastLoginAttemptTime($ip_address, $user_id)
-    {
-        $query = $this->db->where('type', 'ip')
-                          ->where('ip_address', $ip_address)
-                          ->order_by('datetime', 'desc')
-                          ->limit(1)
-                          ->get('auth_login_attempts');
-
-        $last_ip = ! $query->num_rows() ? 0 : strtotime($query->row()->datetime);
-
-        if (! $user_id)
-        {
-            return $last_ip;
-        }
-
-        $query = $this->db->where('type', 'user')
-                          ->where('user_id', $user_id)
-                          ->order_by('datetime', 'desc')
-                          ->limit(1)
-                          ->get('auth_login_attempts');
-
-        $last_user = ! $query->num_rows() ? 0 : strtotime($query->row()->datetime);
-
-        return ($last_user > $last_ip) ? $last_user : $last_ip;
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Returns the number of failed login attempts for a given type.
-     *
-     * @param $ip_address
-     * @param $user_id
-     * @return int
-     */
-    public function countLoginAttempts($ip_address, $user_id)
-    {
-        $count_ip = $this->db->where('type', 'ip')
-                             ->where('ip_address', $ip_address)
-                             ->count_all_results('auth_login_attempts');
-
-        if (! $user_id)
-        {
-            return $count_ip;
-        }
-
-        $count_user = $this->db->where('type', 'user')
-                               ->where('user_id', $user_id)
-                               ->count_all_results('auth_login_attempts');
-
-        return ($count_user > $count_ip) ? $count_user : $count_ip;
-    }
-
-    //--------------------------------------------------------------------
+	protected $table_name = 'auth_logins';
+
+	protected $set_created = false;
+	protected $set_modified = false;
+
+	//--------------------------------------------------------------------
+
+	//--------------------------------------------------------------------
+	// Login Attempts
+	//--------------------------------------------------------------------
+
+	/**
+	 * Records a login attempt. This is used to implement
+	 * throttling of application, ip address and user login attempts.
+	 *
+	 * @param $ip_address
+	 * @param $user_id
+	 * @return void
+	 */
+	public function recordLoginAttempt($ip_address, $user_id = null)
+	{
+		$datetime = date('Y-m-d H:i:s');
+
+		// log attempt for app
+		$data = [
+			'type' => 'app',
+			'datetime' => $datetime
+		];
+
+		$this->db->insert('auth_login_attempts', $data);
+
+		// log attempt for ip address
+		if (! empty($ip_address))
+		{
+			$data = [
+				'type' => 'ip',
+				'ip_address' => $ip_address,
+				'datetime' => $datetime
+			];
+
+			$this->db->insert('auth_login_attempts', $data);
+		}
+
+		// log attempt for user
+		if ($user_id)
+		{
+			$data = [
+				'type' => 'user',
+				'user_id' => $user_id,
+				'datetime' => $datetime
+			];
+
+			$this->db->insert('auth_login_attempts', $data);
+		}
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Purges all login attempt records from the database.
+	 *
+	 * @param $ip_address
+	 * @param $user_id
+	 * @return mixed
+	 */
+	public function purgeLoginAttempts($ip_address, $user_id)
+	{
+		return $this->db->where('ip_address', $ip_address)
+						->or_where('user_id', $user_id)
+						->delete('auth_login_attempts');
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Checks to see if how many login attempts have been attempted in the
+	 * last 60 seconds. If over 100, it is considered to be under a
+	 * brute force attempt.
+	 *
+	 * @param $ip_address
+	 * @param $user_id
+	 * @return bool
+	 */
+	public function isBruteForced($ip_address, $user_id)
+	{
+		$start_time = date('Y-m-d H:i:s', time() - 60);
+
+		$attempts_ip = $this->db->where('type', 'ip')
+								->where('ip_address', $ip_address)
+								->where('datetime >=', $start_time)
+								->count_all_results('auth_login_attempts');
+
+		if (! $user_id)
+		{
+			return $attempts_ip > 100;
+		}
+
+		$attempts_user = $this->db->where('type', 'user')
+								  ->where('user_id', $user_id)
+								  ->where('datetime >=', $start_time)
+								  ->count_all_results('auth_login_attempts');
+
+		if ($attempts_user > $attempts_ip) 
+		{
+			return $attempts_user > 100;
+		}
+		else
+		{
+			return $attempts_ip > 100;
+		}
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Attempts to determine if the system is under a distributed
+	 * brute force attack.
+	 *
+	 * To determine if we are in under a brute force attack, we first
+	 * find the average number of bad logins per day that never converted to
+	 * successful logins over the last 3 months. Then we compare
+	 * that to the the average number of logins in the past 24 hours.
+	 *
+	 * If the number of attempts in the last 24 hours is more than X (see config)
+	 * times the average, then institute additional throttling.
+	 *
+	 * @return int The time to add to any throttling.
+	 */
+	public function distributedBruteForceTime()
+	{
+		if (! $time = $this->cache->get('dbrutetime'))
+		{
+			$time = 0;
+
+			// Compute our daily average over the last 3 months.
+			$avg_start_time = date('Y-m-d 00:00:00', strtotime('-3 months'));
+
+			$query = $this->db->query("SELECT COUNT(*) / COUNT(DISTINCT DATE(`datetime`)) as num_rows FROM `auth_login_attempts` WHERE `type` = 'app' AND `datetime` >= ?", $avg_start_time);
+
+			if (! $query->num_rows())
+			{
+				$average = 0;
+			}
+			else
+			{
+				$average = $query->row()->num_rows;
+			}
+
+			// Get the total in the last 24 hours
+			$today_start_time = date('Y-m-d H:i:s', strtotime('-24 hours'));
+
+			$attempts = $this->db->where('type', 'app')
+								 ->where('datetime >=', $today_start_time)
+								 ->count_all_results('auth_login_attempts');
+
+			if ($attempts > (config_item('auth.dbrute_multiplier') * $average))
+			{
+				$time = config_item('auth.distributed_brute_add_time');
+			}
+
+			// Cache it for 3 hours.
+			$this->cache->save('dbrutetime', $time, 60*60*3);
+		}
+
+		return $time;
+	}
+
+	//--------------------------------------------------------------------
+
+	//--------------------------------------------------------------------
+	// Logins
+	//--------------------------------------------------------------------
+
+	/**
+	 * Records a successful login. This stores in a table so that a
+	 * history can be pulled up later if needed for security analyses.
+	 *
+	 * @param $user
+	 */
+	public function recordLogin($user)
+	{
+		$data = [
+			'user_id'    => (int)$user['id'],
+			'datetime'   => date('Y-m-d H:i:s'),
+			'ip_address' => $this->input->ip_address()
+		];
+
+		return $this->db->insert('auth_logins', $data);
+	}
+
+	//--------------------------------------------------------------------
+
+	//--------------------------------------------------------------------
+	// Tokens
+	//--------------------------------------------------------------------
+
+	/**
+	 * Generates a new token for the rememberme cookie.
+	 *
+	 * The token is based on the user's email address (since everyone will have one)
+	 * with the '@' turned to a '.', followed by a pipe (|) and a random 128-character
+	 * string with letters and numbers.
+	 *
+	 * @param $user
+	 * @return mixed
+	 */
+	public function generateRememberToken($user)
+	{
+		$this->load->helper('string');
+
+		return str_replace('@', '.', $user['email']) .'|' . random_string('alnum', 128);
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Hashes the token for the Remember Me Functionality.
+	 *
+	 * @param $token
+	 * @return string
+	 */
+	public function hashRememberToken($token)
+	{
+		return sha1(config_item('auth.salt') . $token);
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Deletes a single token that matches the email/token combo.
+	 *
+	 * @param $email
+	 * @param $token
+	 * @return mixed
+	 */
+	public function deleteRememberToken($email, $token)
+	{
+		$where = [
+			'email' => $email,
+			'hash'  => $this->hashRememberToken($token)
+		];
+
+		$this->db->delete('auth_tokens', $where);
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Removes all persistent login tokens (RememberMe) for a single user
+	 * across all devices they may have logged in with.
+	 *
+	 * @param $email
+	 * @return mixed
+	 */
+	public function purgeRememberTokens($email)
+	{
+		return $this->db->delete('auth_tokens', ['email' => $email]);
+	}
+
+	//--------------------------------------------------------------------
+
+
+	/**
+	 * Purges the 'auth_tokens' table of any records that are too old
+	 * to be of any use anymore. This equates to 1 week older than
+	 * the remember_length set in the config file.
+	 */
+	public function purgeOldRememberTokens()
+	{
+		if (! config_item('auth.allow_remembering'))
+		{
+			return;
+		}
+
+		$date = time() - config_item('auth.remember_length') - 604800; // 1 week
+		$date = date('Y-m-d 00:00:00', $date);
+
+		$this->db->where('created <=', $date)
+				 ->delete('auth_tokens');
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Gets the timestamp of the last attempted login for this user.
+	 *
+	 * @param $ip_address
+	 * @param $user_id
+	 * @return int|null
+	 */
+	public function lastLoginAttemptTime($ip_address, $user_id)
+	{
+		$query = $this->db->where('type', 'ip')
+						  ->where('ip_address', $ip_address)
+						  ->order_by('datetime', 'desc')
+						  ->limit(1)
+						  ->get('auth_login_attempts');
+
+		$last_ip = ! $query->num_rows() ? 0 : strtotime($query->row()->datetime);
+
+		if (! $user_id)
+		{
+			return $last_ip;
+		}
+
+		$query = $this->db->where('type', 'user')
+						  ->where('user_id', $user_id)
+						  ->order_by('datetime', 'desc')
+						  ->limit(1)
+						  ->get('auth_login_attempts');
+
+		$last_user = ! $query->num_rows() ? 0 : strtotime($query->row()->datetime);
+
+		return ($last_user > $last_ip) ? $last_user : $last_ip;
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Returns the number of failed login attempts for a given type.
+	 *
+	 * @param $ip_address
+	 * @param $user_id
+	 * @return int
+	 */
+	public function countLoginAttempts($ip_address, $user_id)
+	{
+		$count_ip = $this->db->where('type', 'ip')
+							 ->where('ip_address', $ip_address)
+							 ->count_all_results('auth_login_attempts');
+
+		if (! $user_id)
+		{
+			return $count_ip;
+		}
+
+		$count_user = $this->db->where('type', 'user')
+							   ->where('user_id', $user_id)
+							   ->count_all_results('auth_login_attempts');
+
+		return ($count_user > $count_ip) ? $count_user : $count_ip;
+	}
+
+	//--------------------------------------------------------------------
 
 }

Please login to merge, or discard this patch.

application/database/migrations/20160111121139_UpdateLoginAttemptsTable.php 1 patch

Indentation +43 added lines, -43 removed lines patch added patch discarded remove patch

@@ -10,57 +10,57 @@
 block discarded – undo
  */
 class Migration_UpdateLoginAttemmptsTable extends CI_Migration {
 
-    public function up()
-    {
-        $fields = array(
-            'type' => array(
-                'type'       => 'varchar',
-                'constraint' => 64,
-                'null'       => false,
-                'default'    => 'app',
-                'after'      => 'id'
-            ),
-            'ip_address' => array(
-                'type'       => 'varchar',
-                'constraint' => 255,
-                'null'       => true,
-                'after'      => 'type'
-            ),
-            'user_id' => array(
-                'type'       => 'int',
-                'constraint' => 11,
-                'unsigned'   => true,
-                'null'       => true,
-                'after'      => 'ip_address'
-            )
-        );
+	public function up()
+	{
+		$fields = array(
+			'type' => array(
+				'type'       => 'varchar',
+				'constraint' => 64,
+				'null'       => false,
+				'default'    => 'app',
+				'after'      => 'id'
+			),
+			'ip_address' => array(
+				'type'       => 'varchar',
+				'constraint' => 255,
+				'null'       => true,
+				'after'      => 'type'
+			),
+			'user_id' => array(
+				'type'       => 'int',
+				'constraint' => 11,
+				'unsigned'   => true,
+				'null'       => true,
+				'after'      => 'ip_address'
+			)
+		);
 
-        $this->dbforge->add_column('auth_login_attempts', $fields);
+		$this->dbforge->add_column('auth_login_attempts', $fields);
 
-        $this->db->query('ALTER TABLE `auth_login_attempts` ADD KEY (`user_id`)');
+		$this->db->query('ALTER TABLE `auth_login_attempts` ADD KEY (`user_id`)');
 
-        $this->dbforge->drop_column('auth_login_attempts', 'email');
-    }
+		$this->dbforge->drop_column('auth_login_attempts', 'email');
+	}
 
-    //--------------------------------------------------------------------
+	//--------------------------------------------------------------------
 
-    public function down()
-    {
-        $this->dbforge->drop_column('auth_login_attempts', 'type');
-        $this->dbforge->drop_column('auth_login_attempts', 'ip_address');
-        $this->dbforge->drop_column('auth_login_attempts', 'user_id');
+	public function down()
+	{
+		$this->dbforge->drop_column('auth_login_attempts', 'type');
+		$this->dbforge->drop_column('auth_login_attempts', 'ip_address');
+		$this->dbforge->drop_column('auth_login_attempts', 'user_id');
 
-        $column = ['email' => [
-            'type'       => 'varchar',
-            'constraint' => 255,
-            'after'      => 'id'
-        ]];
+		$column = ['email' => [
+			'type'       => 'varchar',
+			'constraint' => 255,
+			'after'      => 'id'
+		]];
 
-        $this->dbforge->add_column('auth_login_attempts', $column);
+		$this->dbforge->add_column('auth_login_attempts', $column);
 
-        $this->db->query('ALTER TABLE `auth_login_attempts` ADD KEY (`email`)');
-    }
+		$this->db->query('ALTER TABLE `auth_login_attempts` ADD KEY (`email`)');
+	}
 
-    //--------------------------------------------------------------------
+	//--------------------------------------------------------------------
 
 }
\ No newline at end of file

Please login to merge, or discard this patch.

myth/Auth/LocalAuthentication.php 1 patch

Indentation +894 added lines, -894 removed lines patch added patch discarded remove patch

@@ -52,901 +52,901 @@
 block discarded – undo
  */
 class LocalAuthentication implements AuthenticateInterface {
 
-    protected $ci;
-
-    protected $user = null;
-
-    public $user_model = null;
-
-    public $error = null;
-
-    //--------------------------------------------------------------------
-
-    public function __construct( $ci=null )
-    {
-        if ($ci)
-        {
-            $this->ci= $ci;
-        }
-        else
-        {
-            $this->ci =& get_instance();
-        }
-
-        // Get our compatibility password file loaded up.
-        if (! function_exists('password_hash'))
-        {
-            require_once dirname(__FILE__) .'password.php';
-        }
-
-        if (empty($this->ci->session))
-        {
-            $this->ci->load->library('session');
-        }
-
-        $this->ci->config->load('auth');
-        $this->ci->load->model('auth/login_model');
-        $this->ci->load->language('auth/auth');
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Attempt to log a user into the system.
-     *
-     * $credentials is an array of key/value pairs needed to log the user in.
-     * This is often email/password, or username/password.
-     *
-     * @param array $credentials
-     * @param bool  $remember
-     * @return bool|mixed
-     */
-    public function login($credentials, $remember=false)
-    {
-        $user = $this->validate($credentials, true);
-
-        // If the user is throttled due to too many invalid logins
-        // or the system is under attack, kick them back.
-        // We need to test for this after validation because we
-        // don't want it to affect a valid login.
-
-        // If throttling time is above zero, we can't allow
-        // logins now.
-        $time = (int)$this->isThrottled($user);
-        if ($time > 0)
-        {
-            $this->error = sprintf(lang('auth.throttled'), $time);
-            return false;
-        }
-
-        if (! $user)
-        {
-            if (empty($this->error))
-            {
-                // We need to set an error if there is no one
-                $this->error = lang('auth.invalid_user');
-            }
-            $this->user = null;
-            return $user;
-        }       
-
-        $this->loginUser($user);
-
-        if ($remember)
-        {
-            $this->rememberUser($user);
-        }
-
-        Events::trigger('didLogin', [$user]);
-
-        return true;
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Validates user login information without logging them in.
-     *
-     * $credentials is an array of key/value pairs needed to log the user in.
-     * This is often email/password, or username/password.
-     *
-     * @param $credentials
-     * @param bool $return_user
-     * @return mixed
-     */
-    public function validate($credentials, $return_user=false)
-    {
-        // Get ip address
-        $ip_address = $this->ci->input->ip_address();
-
-        // We do not want to force case-sensitivity on things
-        // like username and email for usability sake.
-        if (! empty($credentials['email']))
-        {
-            $credentials['email'] = strtolower($credentials['email']);
-        }
-
-        // Can't validate without a password.
-        if (empty($credentials['password']) || count($credentials) < 2)
-        {
-            $this->ci->login_model->recordLoginAttempt($ip_address);
-            return null;
-        }
-
-        $password = $credentials['password'];
-        unset($credentials['password']);
-
-        // We should only be allowed 1 single other credential to
-        // test against.
-        if (count($credentials) > 1)
-        {
-            $this->error = lang('auth.too_many_credentials');
-            $this->ci->login_model->recordLoginAttempt($ip_address);
-            return false;
-        }
-
-        // Ensure that the fields are allowed validation fields
-        if (! in_array(key($credentials), config_item('auth.valid_fields')) )
-        {
-            $this->error = lang('auth.invalid_credentials');
-            $this->ci->login_model->recordLoginAttempt($ip_address);
-            return false;
-        }
-
-        // Can we find a user with those credentials?
-        $user = $this->user_model->as_array()
-                                 ->where($credentials)
-                                 ->first();
-
-        if (! $user)
-        {
-            $this->error = lang('auth.invalid_user');
-            $this->ci->login_model->recordLoginAttempt($ip_address);
-            return false;
-        }
-
-        // Now, try matching the passwords.
-        $result =  password_verify($password, $user['password_hash']);
-
-        if (! $result)
-        {
-            $this->error = lang('auth.invalid_password');
-            $this->ci->login_model->recordLoginAttempt($ip_address, $user['id']);
-            return false;
-        }
-
-        // Check to see if the password needs to be rehashed.
-        // This would be due to the hash algorithm or hash
-        // cost changing since the last time that a user
-        // logged in.
-        if (password_needs_rehash($user['password_hash'], PASSWORD_DEFAULT, ['cost' => config_item('auth.hash_cost')] ))
-        {
-            $new_hash = Password::hashPassword($password);
-            $this->user_model->skip_validation()
-                             ->update($user['id'], ['password_hash' => $new_hash]);
-            unset($new_hash);
-        }
-
-        // Is the user active?
-        if (! $user['active'])
-        {
-            $this->error = lang('auth.inactive_account');
-            return false;
-        }
-
-        return $return_user ? $user : true;
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Logs a user out and removes all session information.
-     *
-     * @return mixed
-     */
-    public function logout()
-    {
-        $this->ci->load->helper('cookie');
-
-        if (! Events::trigger('beforeLogout', [$this->user]))
-        {
-            return false;
-        }
-
-        // Destroy the session data - but ensure a session is still
-        // available for flash messages, etc.
-        if (isset($_SESSION))
-        {
-            foreach ( $_SESSION as $key => $value )
-            {
-                $_SESSION[ $key ] = NULL;
-                unset( $_SESSION[ $key ] );
-            }
-        }
-        // Also, regenerate the session ID for a touch of added safety.
-        $this->ci->session->sess_regenerate(true);
-
-        // Take care of any rememberme functionality.
-        if (config_item('auth.allow_remembering'))
-        {
-            $token = get_cookie('remember');
-
-            $this->invalidateRememberCookie($this->user['email'], $token);
-        }
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Checks whether a user is logged in or not.
-     *
-     * @return bool
-     */
-    public function isLoggedIn()
-    {
-        $id = $this->ci->session->userdata('logged_in');
-
-        if (! $id)
-        {
-            return false;
-        }
-
-        // If the user var hasn't been filled in, we need to fill it in,
-        // since this method will typically be used as the only method
-        // to determine whether a user is logged in or not.
-        if (! $this->user)
-        {
-            $this->user = $this->user_model->as_array()
-                                           ->find_by('id', (int)$id);
-
-            if (empty($this->user))
-            {
-                return false;
-            }
-        }
-
-        // If logged in, ensure cache control
-        // headers are in place
-        $this->setHeaders();
-
-        return true;
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Attempts to log a user in based on the "remember me" cookie.
-     *
-     * @return bool
-     */
-    public function viaRemember()
-    {
-        if (! config_item('auth.allow_remembering'))
-        {
-            return false;
-        }
-
-        $this->ci->load->helper('cookie');
-
-        if (! $token = get_cookie('remember'))
-        {
-            return false;
-        }
-
-        // Attempt to match the token against our auth_tokens table.
-        $query = $this->ci->db->where('hash', $this->ci->login_model->hashRememberToken($token))
-                              ->get('auth_tokens');
-
-        if (! $query->num_rows())
-        {
-            return false;
-        }
-
-        // Grab the user
-        $email = $query->row()->email;
-
-        $user = $this->user_model->as_array()
-                                 ->find_by('email', $email);
-
-        $this->loginUser($user);
-
-        // We only want our remember me tokens to be valid
-        // for a single use.
-        $this->refreshRememberCookie($user, $token);
-
-        return true;
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Registers a new user and handles activation method.
-     *
-     * @param $user_data
-     * @return bool
-     */
-    public function registerUser($user_data)
-    {
-        // Anything special needed for Activation?
-        $method = config_item('auth.activation_method');
-
-        $user_data['active'] = $method == 'auto' ? 1 : 0;
-
-        // If via email, we need to generate a hash
-        $this->ci->load->helper('string');
-        $token = random_string('alnum', 24);
-        $user_data['activate_hash'] = hash('sha1', config_item('auth.salt') . $token);
-
-        // Email should NOT be case sensitive.
-        if (! empty($user_data['email']))
-        {
-            $user_data['email'] = strtolower($user_data['email']);
-        }
-
-        // Save the user
-        if (! $id = $this->user_model->insert($user_data))
-        {
-            $this->error = $this->user_model->error();
-            return false;
-        }
-
-        $data = [
-            'user_id' => $id,
-            'email'   => $user_data['email'],
-            'token'   => $token,
-            'method'  => $method
-        ];
-
-        Events::trigger('didRegisterUser', [$data]);
-
-        return true;
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Used to verify the user values and activate a user so they can
-     * visit the site.
-     *
-     * @param $data
-     * @return bool
-     */
-    public function activateUser($data)
-    {
-        $post = [
-            'email'         => $data['email'],
-            'activate_hash' => hash('sha1', config_item('auth.salt') . $data['code'])
-        ];
-
-        $user = $this->user_model->where($post)
-                                 ->first();
-
-        if (! $user) {
-            $this->error = $this->user_model->error() ? $this->user_model->error() : lang('auth.activate_no_user');
-
-            return false;
-        }
-
-        if (! $this->user_model->update($user->id, ['active' => 1, 'activate_hash' => null]))
-        {
-            $this->error = $this->user_model->error();
-            return false;
-        }
-
-        Events::trigger('didActivate', [(array)$user]);
-
-        return true;
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Used to allow manual activation of a user with a known ID.
-     *
-     * @param $id
-     * @return bool
-     */
-    public function activateUserById($id)
-    {
-        if (! $this->user_model->update($id, ['active' => 1, 'activate_hash' => null]))
-        {
-            $this->error = $this->user_model->error();
-            return false;
-        }
-
-        Events::trigger('didActivate', [$this->user_model->as_array()->find($id)]);
-
-        return true;
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Grabs the current user object. Returns NULL if nothing found.
-     *
-     * @return array|null
-     */
-    public function user()
-    {
-        return $this->user;
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * A convenience method to grab the current user's ID.
-     *
-     * @return int|null
-     */
-    public function id()
-    {
-        if (! is_array($this->user) || empty($this->user['id']))
-        {
-            return null;
-        }
-
-        return (int)$this->user['id'];
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Checks to see if the user is currently being throttled.
-     *
-     *  - If they are NOT, will return FALSE.
-     *  - If they ARE, will return the number of seconds until they can try again.
-     *
-     * @param $email
-     * @return mixed
-     */
-    public function isThrottled($user)
-    {
-        // Not throttling? Get outta here!
-        if (! config_item('auth.allow_throttling'))
-        {
-            return false;
-        }
-
-        // Get user_id
-        $user_id = $user ? $user['id'] : null;
+	protected $ci;
+
+	protected $user = null;
+
+	public $user_model = null;
+
+	public $error = null;
+
+	//--------------------------------------------------------------------
+
+	public function __construct( $ci=null )
+	{
+		if ($ci)
+		{
+			$this->ci= $ci;
+		}
+		else
+		{
+			$this->ci =& get_instance();
+		}
+
+		// Get our compatibility password file loaded up.
+		if (! function_exists('password_hash'))
+		{
+			require_once dirname(__FILE__) .'password.php';
+		}
+
+		if (empty($this->ci->session))
+		{
+			$this->ci->load->library('session');
+		}
+
+		$this->ci->config->load('auth');
+		$this->ci->load->model('auth/login_model');
+		$this->ci->load->language('auth/auth');
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Attempt to log a user into the system.
+	 *
+	 * $credentials is an array of key/value pairs needed to log the user in.
+	 * This is often email/password, or username/password.
+	 *
+	 * @param array $credentials
+	 * @param bool  $remember
+	 * @return bool|mixed
+	 */
+	public function login($credentials, $remember=false)
+	{
+		$user = $this->validate($credentials, true);
+
+		// If the user is throttled due to too many invalid logins
+		// or the system is under attack, kick them back.
+		// We need to test for this after validation because we
+		// don't want it to affect a valid login.
+
+		// If throttling time is above zero, we can't allow
+		// logins now.
+		$time = (int)$this->isThrottled($user);
+		if ($time > 0)
+		{
+			$this->error = sprintf(lang('auth.throttled'), $time);
+			return false;
+		}
+
+		if (! $user)
+		{
+			if (empty($this->error))
+			{
+				// We need to set an error if there is no one
+				$this->error = lang('auth.invalid_user');
+			}
+			$this->user = null;
+			return $user;
+		}       
+
+		$this->loginUser($user);
+
+		if ($remember)
+		{
+			$this->rememberUser($user);
+		}
+
+		Events::trigger('didLogin', [$user]);
+
+		return true;
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Validates user login information without logging them in.
+	 *
+	 * $credentials is an array of key/value pairs needed to log the user in.
+	 * This is often email/password, or username/password.
+	 *
+	 * @param $credentials
+	 * @param bool $return_user
+	 * @return mixed
+	 */
+	public function validate($credentials, $return_user=false)
+	{
+		// Get ip address
+		$ip_address = $this->ci->input->ip_address();
+
+		// We do not want to force case-sensitivity on things
+		// like username and email for usability sake.
+		if (! empty($credentials['email']))
+		{
+			$credentials['email'] = strtolower($credentials['email']);
+		}
+
+		// Can't validate without a password.
+		if (empty($credentials['password']) || count($credentials) < 2)
+		{
+			$this->ci->login_model->recordLoginAttempt($ip_address);
+			return null;
+		}
+
+		$password = $credentials['password'];
+		unset($credentials['password']);
+
+		// We should only be allowed 1 single other credential to
+		// test against.
+		if (count($credentials) > 1)
+		{
+			$this->error = lang('auth.too_many_credentials');
+			$this->ci->login_model->recordLoginAttempt($ip_address);
+			return false;
+		}
+
+		// Ensure that the fields are allowed validation fields
+		if (! in_array(key($credentials), config_item('auth.valid_fields')) )
+		{
+			$this->error = lang('auth.invalid_credentials');
+			$this->ci->login_model->recordLoginAttempt($ip_address);
+			return false;
+		}
+
+		// Can we find a user with those credentials?
+		$user = $this->user_model->as_array()
+								 ->where($credentials)
+								 ->first();
+
+		if (! $user)
+		{
+			$this->error = lang('auth.invalid_user');
+			$this->ci->login_model->recordLoginAttempt($ip_address);
+			return false;
+		}
+
+		// Now, try matching the passwords.
+		$result =  password_verify($password, $user['password_hash']);
+
+		if (! $result)
+		{
+			$this->error = lang('auth.invalid_password');
+			$this->ci->login_model->recordLoginAttempt($ip_address, $user['id']);
+			return false;
+		}
+
+		// Check to see if the password needs to be rehashed.
+		// This would be due to the hash algorithm or hash
+		// cost changing since the last time that a user
+		// logged in.
+		if (password_needs_rehash($user['password_hash'], PASSWORD_DEFAULT, ['cost' => config_item('auth.hash_cost')] ))
+		{
+			$new_hash = Password::hashPassword($password);
+			$this->user_model->skip_validation()
+							 ->update($user['id'], ['password_hash' => $new_hash]);
+			unset($new_hash);
+		}
+
+		// Is the user active?
+		if (! $user['active'])
+		{
+			$this->error = lang('auth.inactive_account');
+			return false;
+		}
+
+		return $return_user ? $user : true;
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Logs a user out and removes all session information.
+	 *
+	 * @return mixed
+	 */
+	public function logout()
+	{
+		$this->ci->load->helper('cookie');
+
+		if (! Events::trigger('beforeLogout', [$this->user]))
+		{
+			return false;
+		}
+
+		// Destroy the session data - but ensure a session is still
+		// available for flash messages, etc.
+		if (isset($_SESSION))
+		{
+			foreach ( $_SESSION as $key => $value )
+			{
+				$_SESSION[ $key ] = NULL;
+				unset( $_SESSION[ $key ] );
+			}
+		}
+		// Also, regenerate the session ID for a touch of added safety.
+		$this->ci->session->sess_regenerate(true);
+
+		// Take care of any rememberme functionality.
+		if (config_item('auth.allow_remembering'))
+		{
+			$token = get_cookie('remember');
+
+			$this->invalidateRememberCookie($this->user['email'], $token);
+		}
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Checks whether a user is logged in or not.
+	 *
+	 * @return bool
+	 */
+	public function isLoggedIn()
+	{
+		$id = $this->ci->session->userdata('logged_in');
+
+		if (! $id)
+		{
+			return false;
+		}
+
+		// If the user var hasn't been filled in, we need to fill it in,
+		// since this method will typically be used as the only method
+		// to determine whether a user is logged in or not.
+		if (! $this->user)
+		{
+			$this->user = $this->user_model->as_array()
+										   ->find_by('id', (int)$id);
+
+			if (empty($this->user))
+			{
+				return false;
+			}
+		}
+
+		// If logged in, ensure cache control
+		// headers are in place
+		$this->setHeaders();
+
+		return true;
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Attempts to log a user in based on the "remember me" cookie.
+	 *
+	 * @return bool
+	 */
+	public function viaRemember()
+	{
+		if (! config_item('auth.allow_remembering'))
+		{
+			return false;
+		}
+
+		$this->ci->load->helper('cookie');
+
+		if (! $token = get_cookie('remember'))
+		{
+			return false;
+		}
+
+		// Attempt to match the token against our auth_tokens table.
+		$query = $this->ci->db->where('hash', $this->ci->login_model->hashRememberToken($token))
+							  ->get('auth_tokens');
+
+		if (! $query->num_rows())
+		{
+			return false;
+		}
+
+		// Grab the user
+		$email = $query->row()->email;
+
+		$user = $this->user_model->as_array()
+								 ->find_by('email', $email);
+
+		$this->loginUser($user);
+
+		// We only want our remember me tokens to be valid
+		// for a single use.
+		$this->refreshRememberCookie($user, $token);
+
+		return true;
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Registers a new user and handles activation method.
+	 *
+	 * @param $user_data
+	 * @return bool
+	 */
+	public function registerUser($user_data)
+	{
+		// Anything special needed for Activation?
+		$method = config_item('auth.activation_method');
+
+		$user_data['active'] = $method == 'auto' ? 1 : 0;
+
+		// If via email, we need to generate a hash
+		$this->ci->load->helper('string');
+		$token = random_string('alnum', 24);
+		$user_data['activate_hash'] = hash('sha1', config_item('auth.salt') . $token);
+
+		// Email should NOT be case sensitive.
+		if (! empty($user_data['email']))
+		{
+			$user_data['email'] = strtolower($user_data['email']);
+		}
+
+		// Save the user
+		if (! $id = $this->user_model->insert($user_data))
+		{
+			$this->error = $this->user_model->error();
+			return false;
+		}
+
+		$data = [
+			'user_id' => $id,
+			'email'   => $user_data['email'],
+			'token'   => $token,
+			'method'  => $method
+		];
+
+		Events::trigger('didRegisterUser', [$data]);
+
+		return true;
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Used to verify the user values and activate a user so they can
+	 * visit the site.
+	 *
+	 * @param $data
+	 * @return bool
+	 */
+	public function activateUser($data)
+	{
+		$post = [
+			'email'         => $data['email'],
+			'activate_hash' => hash('sha1', config_item('auth.salt') . $data['code'])
+		];
+
+		$user = $this->user_model->where($post)
+								 ->first();
+
+		if (! $user) {
+			$this->error = $this->user_model->error() ? $this->user_model->error() : lang('auth.activate_no_user');
+
+			return false;
+		}
+
+		if (! $this->user_model->update($user->id, ['active' => 1, 'activate_hash' => null]))
+		{
+			$this->error = $this->user_model->error();
+			return false;
+		}
+
+		Events::trigger('didActivate', [(array)$user]);
+
+		return true;
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Used to allow manual activation of a user with a known ID.
+	 *
+	 * @param $id
+	 * @return bool
+	 */
+	public function activateUserById($id)
+	{
+		if (! $this->user_model->update($id, ['active' => 1, 'activate_hash' => null]))
+		{
+			$this->error = $this->user_model->error();
+			return false;
+		}
+
+		Events::trigger('didActivate', [$this->user_model->as_array()->find($id)]);
+
+		return true;
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Grabs the current user object. Returns NULL if nothing found.
+	 *
+	 * @return array|null
+	 */
+	public function user()
+	{
+		return $this->user;
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * A convenience method to grab the current user's ID.
+	 *
+	 * @return int|null
+	 */
+	public function id()
+	{
+		if (! is_array($this->user) || empty($this->user['id']))
+		{
+			return null;
+		}
+
+		return (int)$this->user['id'];
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Checks to see if the user is currently being throttled.
+	 *
+	 *  - If they are NOT, will return FALSE.
+	 *  - If they ARE, will return the number of seconds until they can try again.
+	 *
+	 * @param $email
+	 * @return mixed
+	 */
+	public function isThrottled($user)
+	{
+		// Not throttling? Get outta here!
+		if (! config_item('auth.allow_throttling'))
+		{
+			return false;
+		}
+
+		// Get user_id
+		$user_id = $user ? $user['id'] : null;
         
-        // Get ip address
-        $ip_address = $this->ci->input->ip_address();
-
-        // Have any attempts been made?
-        $attempts = $this->ci->login_model->countLoginAttempts($ip_address, $user_id);
-
-        // Grab the amount of time to add if the system thinks we're
-        // under a distributed brute force attack.
-        // Affect users that have at least 1 failure login attempt
-        $dbrute_time = ($attempts === 0) ? 0 : $this->ci->login_model->distributedBruteForceTime();
-
-        // If this user was found to possibly be under a brute
-        // force attack, their account would have been banned
-        // for 15 minutes.
-        if ($time = isset($_SESSION['bruteBan']) ? $_SESSION['bruteBan'] : false)
-        {
-            // If the current time is less than the
-            // the ban expiration, plus any distributed time
-            // then the user can't login just yet.
-            if ($time + $dbrute_time > time())
-            {
-                // The user is banned still...
-                $this->error = lang('auth.bruteBan_notice');
-                return ($time + $dbrute_time) - time();
-            }
-
-            // Still here? The the ban time is over...
-            unset($_SESSION['bruteBan']);
-        }
-
-        // Grab the time of last attempt and
-        // determine if we're throttled by amount of time passed.
-        $last_time = $this->ci->login_model->lastLoginAttemptTime($ip_address, $user_id);
-
-        $allowed = config_item('auth.allowed_login_attempts');
-
-        // We're not throttling if there are 0 attempts or
-        // the number is less than or equal to the allowed free attempts
-        if ($attempts === 0 || $attempts <= $allowed)
-        {
-            // Before we can say there's nothing up here,
-            // we need to check dbrute time.
-            $time_left = $last_time + $dbrute_time - time();
-
-            if ($time_left > 0)
-            {
-                return $time_left;
-            }
-
-            return false;
-        }
-
-        // If the number of attempts is excessive (above 100) we need
-        // to check the elapsed time of all of these attacks. If they are
-        // less than 1 minute it's obvious this is a brute force attack,
-        // so we'll set a session flag and block that user for 15 minutes.
-        if ($attempts > 100 && $this->ci->login_model->isBruteForced($ip_address, $user_id))
-        {
-            $this->error = lang('auth.bruteBan_notice');
-
-            $ban_time = 60 * 15;    // 15 minutes
-            $_SESSION['bruteBan'] = time() + $ban_time;
-            return $ban_time;
-        }
-
-        // Get our allowed attempts out of the picture.
-        $attempts = $attempts - $allowed;
-
-        $max_time = config_item('auth.max_throttle_time');
-
-        $add_time = 5 * pow(2, $attempts - 1);
-
-        if ($add_time > $max_time)
-        {
-            $add_time = $max_time;
-        }
-
-        $next_time = $last_time + $add_time + $dbrute_time;
-
-        $current = time();
-
-        // We are NOT throttled if we are already
-        // past the allowed time.
-        if ($current > $next_time)
-        {
-            return false;
-        }
-
-        return $next_time - $current;
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Sends a password reset link email to the user associated with
-     * the passed in $email.
-     *
-     * @param $email
-     * @return mixed
-     */
-    public function remindUser($email)
-    {
-        // Emails should NOT be case sensitive.
-        $email = strtolower($email);
-
-        // Is it a valid user?
-        $user = $this->user_model->find_by('email', $email);
-
-        if (! $user)
-        {
-            $this->error = lang('auth.invalid_email');
-            return false;
-        }
-
-        // Generate/store our codes
-        $this->ci->load->helper('string');
-        $token = random_string('alnum', 24);
-        $hash = hash('sha1', config_item('auth.salt') .$token);
-
-        $result = $this->user_model->update($user->id, ['reset_hash' => $hash]);
-
-        if (! $result)
-        {
-            $this->error = $this->user_model->error();
-            return false;
-        }
-
-        Events::trigger('didRemindUser', [(array)$user, $token]);
-
-        return true;
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Validates the credentials provided and, if valid, resets the password.
-     *
-     * The $credentials array MUST contain a 'code' key with the string to
-     * hash and check against the reset_hash.
-     *
-     * @param $credentials
-     * @param $password
-     * @param $passConfirm
-     * @return mixed
-     */
-    public function resetPassword($credentials, $password, $passConfirm)
-    {
-        if (empty($credentials['code']))
-        {
-            $this->error = lang('auth.need_reset_code');
-            return false;
-        }
-
-        // Generate a hash to match against the table.
-        $credentials['reset_hash'] = hash('sha1', config_item('auth.salt') .$credentials['code']);
-        unset($credentials['code']);
-
-        if (! empty($credentials['email']))
-        {
-            $credentials['email'] = strtolower($credentials['email']);
-        }
-
-        // Is there a matching user?
-        $user = $this->user_model->find_by($credentials);
-
-        if (! $user)
-        {
-            $this->error = lang('auth.reset_no_user');
-            return false;
-        }
-
-        // Update their password and reset their reset_hash
-        $data = [
-            'password'     => $password,
-            'pass_confirm' => $passConfirm,
-            'reset_hash'   => null
-        ];
-
-        if (! $this->user_model->update($user->id, $data))
-        {
-            $this->error = $this->user_model->error();
-            return false;
-        }
-
-        Events::trigger('didResetPassword', [(array)$user]);
-
-        return true;
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Provides a way for implementations to allow new statuses to be set
-     * on the user. The details will vary based upon implementation, but
-     * will often allow for banning or suspending users.
-     *
-     * @param $newStatus
-     * @param null $message
-     * @return mixed
-     */
-    public function changeStatus($newStatus, $message=null)
-    {
-        // todo actually record new users status!
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Allows the consuming application to pass in a reference to the
-     * model that should be used.
-     *
-     * The model MUST extend Myth\Models\CIDbModel.
-     *
-     * @param $model
-     * @param bool $allow_any_parent
-     * @return mixed
-     */
-    public function useModel($model, $allow_any_parent=false)
-    {
-        if (! $allow_any_parent && get_parent_class($model) != 'Myth\Models\CIDbModel')
-        {
-            throw new \RuntimeException('Models passed into LocalAuthenticate MUST extend Myth\Models\CIDbModel');
-        }
-
-        $this->user_model =& $model;
-
-        return $this;
-    }
-
-    //--------------------------------------------------------------------
-
-    public function error()
-    {
-        if (validation_errors())
-        {
-            return validation_errors();
-        }
-
-        return $this->error;
-    }
-
-    //--------------------------------------------------------------------
-
-    //--------------------------------------------------------------------
-    // Login Records
-    //--------------------------------------------------------------------
-
-    /**
-     * Purges all login attempt records from the database.
-     *
-     * @param $email
-     */
-    public function purgeLoginAttempts($email)
-    {
-        // Emails should NOT be case sensitive.
-        $email = strtolower($email);
-
-        $this->ci->login_model->purgeLoginAttempts($email);
-
-        // @todo record activity of login attempts purge.
-        Events::trigger('didPurgeLoginAttempts', [$email]);
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Purges all remember tokens for a single user. Effectively logs
-     * a user out of all devices. Intended to allow users to log themselves
-     * out of all devices as a security measure.
-     *
-     * @param $email
-     */
-    public function purgeRememberTokens($email)
-    {
-        // Emails should NOT be case sensitive.
-        $email = strtolower($email);
-
-        $this->ci->login_model->purgeRememberTokens($email);
-
-        // todo record activity of remember me purges.
-        Events::trigger('didPurgeRememberTokens', [$email]);
-    }
-
-    //--------------------------------------------------------------------
-
-    //--------------------------------------------------------------------
-    // Protected Methods
-    //--------------------------------------------------------------------
-
-    /**
-     * Check if Allow Persistent Login Cookies is enable
-     *
-     * @param $user
-     */
-    protected function rememberUser($user)
-    {
-        if (! config_item('auth.allow_remembering'))
-        {
-            log_message('debug', 'Auth library set to refuse "Remember Me" functionality.');
-            return false;
-        }
-
-        $this->refreshRememberCookie($user);
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Invalidates the current rememberme cookie/database entry, creates
-     * a new one, stores it and returns the new value.
-     *
-     * @param $user
-     * @param null $token
-     * @return mixed
-     */
-    protected function refreshRememberCookie($user, $token=null)
-    {
-        $this->ci->load->helper('cookie');
-
-        // If a token is passed in, we know we're removing the
-        // old one.
-        if (! empty($token))
-        {
-            $this->invalidateRememberCookie($user['email'], $token);
-        }
-
-        $new_token = $this->ci->login_model->generateRememberToken($user);
-
-        // Save the token to the database.
-        $data = [
-            'email'   => $user['email'],
-            'hash'    => sha1(config_item('auth.salt') . $new_token),
-            'created' => date('Y-m-d H:i:s')
-        ];
-
-        $this->ci->db->insert('auth_tokens', $data);
-
-        // Create the cookie
-        set_cookie(
-            'remember',                             // Cookie Name
-            $new_token,                             // Value
-            config_item('auth.remember_length'),    // # Seconds until it expires
-            config_item('cookie_domain'),
-            config_item('cookie_path'),
-            config_item('cookie_prefix'),
-            false,                                  // Only send over HTTPS?
-            true                                    // Hide from Javascript?
-        );
-
-        return $new_token;
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Deletes any current remember me cookies and database entries.
-     *
-     * @param $email
-     * @param $token
-     * @return string The new token (not the hash).
-     */
-    protected function invalidateRememberCookie($email, $token)
-    {
-        // Emails should NOT be case sensitive.
-        $email = strtolower($email);
-
-        // Remove from the database
-        $this->ci->login_model->deleteRememberToken($email, $token);
-
-        // Remove the cookie
-        delete_cookie(
-            'remember',
-            config_item('cookie_domain'),
-            config_item('cookie_path'),
-            config_item('cookie_prefix')
-        );
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Handles the nitty gritty of actually logging our user into the system.
-     * Does NOT perform the authentication, just sets the system up so that
-     * it knows we're here.
-     *
-     * @param $user
-     */
-    protected function loginUser($user)
-    {
-        // Save the user for later access
-        $this->user = $user;
-
-        // Get ip address
-        $ip_address = $this->ci->input->ip_address();
-
-        // Regenerate the session ID to help protect
-        // against session fixation
-        $this->ci->session->sess_regenerate();
-
-        // Let the session know that we're logged in.
-        $this->ci->session->set_userdata('logged_in', $user['id']);
-
-        // Clear our login attempts
-        $this->ci->login_model->purgeLoginAttempts($ip_address, $user['id']);
-
-        // Record a new Login
-        $this->ci->login_model->recordLogin($user);
-
-        // If logged in, ensure cache control
-        // headers are in place
-        $this->setHeaders();
-
-        // We'll give a 20% chance to need to do a purge since we
-        // don't need to purge THAT often, it's just a maintenance issue.
-        // to keep the table from getting out of control.
-        if (mt_rand(1, 100) < 20)
-        {
-            $this->ci->login_model->purgeOldRememberTokens();
-        }
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Sets the headers to ensure that pages are not cached when a user
-     * is logged in, helping to protect against logging out and then
-     * simply hitting the Back button on the browser and getting private
-     * information because the page was loaded from cache.
-     */
-    protected function setHeaders()
-    {
-        $this->ci->output->set_header('Cache-Control: no-store, no-cache, must-revalidate');
-        $this->ci->output->set_header('Cache-Control: post-check=0, pre-check=0');
-        $this->ci->output->set_header('Pragma: no-cache');
-    }
-
-    //--------------------------------------------------------------------
+		// Get ip address
+		$ip_address = $this->ci->input->ip_address();
+
+		// Have any attempts been made?
+		$attempts = $this->ci->login_model->countLoginAttempts($ip_address, $user_id);
+
+		// Grab the amount of time to add if the system thinks we're
+		// under a distributed brute force attack.
+		// Affect users that have at least 1 failure login attempt
+		$dbrute_time = ($attempts === 0) ? 0 : $this->ci->login_model->distributedBruteForceTime();
+
+		// If this user was found to possibly be under a brute
+		// force attack, their account would have been banned
+		// for 15 minutes.
+		if ($time = isset($_SESSION['bruteBan']) ? $_SESSION['bruteBan'] : false)
+		{
+			// If the current time is less than the
+			// the ban expiration, plus any distributed time
+			// then the user can't login just yet.
+			if ($time + $dbrute_time > time())
+			{
+				// The user is banned still...
+				$this->error = lang('auth.bruteBan_notice');
+				return ($time + $dbrute_time) - time();
+			}
+
+			// Still here? The the ban time is over...
+			unset($_SESSION['bruteBan']);
+		}
+
+		// Grab the time of last attempt and
+		// determine if we're throttled by amount of time passed.
+		$last_time = $this->ci->login_model->lastLoginAttemptTime($ip_address, $user_id);
+
+		$allowed = config_item('auth.allowed_login_attempts');
+
+		// We're not throttling if there are 0 attempts or
+		// the number is less than or equal to the allowed free attempts
+		if ($attempts === 0 || $attempts <= $allowed)
+		{
+			// Before we can say there's nothing up here,
+			// we need to check dbrute time.
+			$time_left = $last_time + $dbrute_time - time();
+
+			if ($time_left > 0)
+			{
+				return $time_left;
+			}
+
+			return false;
+		}
+
+		// If the number of attempts is excessive (above 100) we need
+		// to check the elapsed time of all of these attacks. If they are
+		// less than 1 minute it's obvious this is a brute force attack,
+		// so we'll set a session flag and block that user for 15 minutes.
+		if ($attempts > 100 && $this->ci->login_model->isBruteForced($ip_address, $user_id))
+		{
+			$this->error = lang('auth.bruteBan_notice');
+
+			$ban_time = 60 * 15;    // 15 minutes
+			$_SESSION['bruteBan'] = time() + $ban_time;
+			return $ban_time;
+		}
+
+		// Get our allowed attempts out of the picture.
+		$attempts = $attempts - $allowed;
+
+		$max_time = config_item('auth.max_throttle_time');
+
+		$add_time = 5 * pow(2, $attempts - 1);
+
+		if ($add_time > $max_time)
+		{
+			$add_time = $max_time;
+		}
+
+		$next_time = $last_time + $add_time + $dbrute_time;
+
+		$current = time();
+
+		// We are NOT throttled if we are already
+		// past the allowed time.
+		if ($current > $next_time)
+		{
+			return false;
+		}
+
+		return $next_time - $current;
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Sends a password reset link email to the user associated with
+	 * the passed in $email.
+	 *
+	 * @param $email
+	 * @return mixed
+	 */
+	public function remindUser($email)
+	{
+		// Emails should NOT be case sensitive.
+		$email = strtolower($email);
+
+		// Is it a valid user?
+		$user = $this->user_model->find_by('email', $email);
+
+		if (! $user)
+		{
+			$this->error = lang('auth.invalid_email');
+			return false;
+		}
+
+		// Generate/store our codes
+		$this->ci->load->helper('string');
+		$token = random_string('alnum', 24);
+		$hash = hash('sha1', config_item('auth.salt') .$token);
+
+		$result = $this->user_model->update($user->id, ['reset_hash' => $hash]);
+
+		if (! $result)
+		{
+			$this->error = $this->user_model->error();
+			return false;
+		}
+
+		Events::trigger('didRemindUser', [(array)$user, $token]);
+
+		return true;
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Validates the credentials provided and, if valid, resets the password.
+	 *
+	 * The $credentials array MUST contain a 'code' key with the string to
+	 * hash and check against the reset_hash.
+	 *
+	 * @param $credentials
+	 * @param $password
+	 * @param $passConfirm
+	 * @return mixed
+	 */
+	public function resetPassword($credentials, $password, $passConfirm)
+	{
+		if (empty($credentials['code']))
+		{
+			$this->error = lang('auth.need_reset_code');
+			return false;
+		}
+
+		// Generate a hash to match against the table.
+		$credentials['reset_hash'] = hash('sha1', config_item('auth.salt') .$credentials['code']);
+		unset($credentials['code']);
+
+		if (! empty($credentials['email']))
+		{
+			$credentials['email'] = strtolower($credentials['email']);
+		}
+
+		// Is there a matching user?
+		$user = $this->user_model->find_by($credentials);
+
+		if (! $user)
+		{
+			$this->error = lang('auth.reset_no_user');
+			return false;
+		}
+
+		// Update their password and reset their reset_hash
+		$data = [
+			'password'     => $password,
+			'pass_confirm' => $passConfirm,
+			'reset_hash'   => null
+		];
+
+		if (! $this->user_model->update($user->id, $data))
+		{
+			$this->error = $this->user_model->error();
+			return false;
+		}
+
+		Events::trigger('didResetPassword', [(array)$user]);
+
+		return true;
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Provides a way for implementations to allow new statuses to be set
+	 * on the user. The details will vary based upon implementation, but
+	 * will often allow for banning or suspending users.
+	 *
+	 * @param $newStatus
+	 * @param null $message
+	 * @return mixed
+	 */
+	public function changeStatus($newStatus, $message=null)
+	{
+		// todo actually record new users status!
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Allows the consuming application to pass in a reference to the
+	 * model that should be used.
+	 *
+	 * The model MUST extend Myth\Models\CIDbModel.
+	 *
+	 * @param $model
+	 * @param bool $allow_any_parent
+	 * @return mixed
+	 */
+	public function useModel($model, $allow_any_parent=false)
+	{
+		if (! $allow_any_parent && get_parent_class($model) != 'Myth\Models\CIDbModel')
+		{
+			throw new \RuntimeException('Models passed into LocalAuthenticate MUST extend Myth\Models\CIDbModel');
+		}
+
+		$this->user_model =& $model;
+
+		return $this;
+	}
+
+	//--------------------------------------------------------------------
+
+	public function error()
+	{
+		if (validation_errors())
+		{
+			return validation_errors();
+		}
+
+		return $this->error;
+	}
+
+	//--------------------------------------------------------------------
+
+	//--------------------------------------------------------------------
+	// Login Records
+	//--------------------------------------------------------------------
+
+	/**
+	 * Purges all login attempt records from the database.
+	 *
+	 * @param $email
+	 */
+	public function purgeLoginAttempts($email)
+	{
+		// Emails should NOT be case sensitive.
+		$email = strtolower($email);
+
+		$this->ci->login_model->purgeLoginAttempts($email);
+
+		// @todo record activity of login attempts purge.
+		Events::trigger('didPurgeLoginAttempts', [$email]);
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Purges all remember tokens for a single user. Effectively logs
+	 * a user out of all devices. Intended to allow users to log themselves
+	 * out of all devices as a security measure.
+	 *
+	 * @param $email
+	 */
+	public function purgeRememberTokens($email)
+	{
+		// Emails should NOT be case sensitive.
+		$email = strtolower($email);
+
+		$this->ci->login_model->purgeRememberTokens($email);
+
+		// todo record activity of remember me purges.
+		Events::trigger('didPurgeRememberTokens', [$email]);
+	}
+
+	//--------------------------------------------------------------------
+
+	//--------------------------------------------------------------------
+	// Protected Methods
+	//--------------------------------------------------------------------
+
+	/**
+	 * Check if Allow Persistent Login Cookies is enable
+	 *
+	 * @param $user
+	 */
+	protected function rememberUser($user)
+	{
+		if (! config_item('auth.allow_remembering'))
+		{
+			log_message('debug', 'Auth library set to refuse "Remember Me" functionality.');
+			return false;
+		}
+
+		$this->refreshRememberCookie($user);
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Invalidates the current rememberme cookie/database entry, creates
+	 * a new one, stores it and returns the new value.
+	 *
+	 * @param $user
+	 * @param null $token
+	 * @return mixed
+	 */
+	protected function refreshRememberCookie($user, $token=null)
+	{
+		$this->ci->load->helper('cookie');
+
+		// If a token is passed in, we know we're removing the
+		// old one.
+		if (! empty($token))
+		{
+			$this->invalidateRememberCookie($user['email'], $token);
+		}
+
+		$new_token = $this->ci->login_model->generateRememberToken($user);
+
+		// Save the token to the database.
+		$data = [
+			'email'   => $user['email'],
+			'hash'    => sha1(config_item('auth.salt') . $new_token),
+			'created' => date('Y-m-d H:i:s')
+		];
+
+		$this->ci->db->insert('auth_tokens', $data);
+
+		// Create the cookie
+		set_cookie(
+			'remember',                             // Cookie Name
+			$new_token,                             // Value
+			config_item('auth.remember_length'),    // # Seconds until it expires
+			config_item('cookie_domain'),
+			config_item('cookie_path'),
+			config_item('cookie_prefix'),
+			false,                                  // Only send over HTTPS?
+			true                                    // Hide from Javascript?
+		);
+
+		return $new_token;
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Deletes any current remember me cookies and database entries.
+	 *
+	 * @param $email
+	 * @param $token
+	 * @return string The new token (not the hash).
+	 */
+	protected function invalidateRememberCookie($email, $token)
+	{
+		// Emails should NOT be case sensitive.
+		$email = strtolower($email);
+
+		// Remove from the database
+		$this->ci->login_model->deleteRememberToken($email, $token);
+
+		// Remove the cookie
+		delete_cookie(
+			'remember',
+			config_item('cookie_domain'),
+			config_item('cookie_path'),
+			config_item('cookie_prefix')
+		);
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Handles the nitty gritty of actually logging our user into the system.
+	 * Does NOT perform the authentication, just sets the system up so that
+	 * it knows we're here.
+	 *
+	 * @param $user
+	 */
+	protected function loginUser($user)
+	{
+		// Save the user for later access
+		$this->user = $user;
+
+		// Get ip address
+		$ip_address = $this->ci->input->ip_address();
+
+		// Regenerate the session ID to help protect
+		// against session fixation
+		$this->ci->session->sess_regenerate();
+
+		// Let the session know that we're logged in.
+		$this->ci->session->set_userdata('logged_in', $user['id']);
+
+		// Clear our login attempts
+		$this->ci->login_model->purgeLoginAttempts($ip_address, $user['id']);
+
+		// Record a new Login
+		$this->ci->login_model->recordLogin($user);
+
+		// If logged in, ensure cache control
+		// headers are in place
+		$this->setHeaders();
+
+		// We'll give a 20% chance to need to do a purge since we
+		// don't need to purge THAT often, it's just a maintenance issue.
+		// to keep the table from getting out of control.
+		if (mt_rand(1, 100) < 20)
+		{
+			$this->ci->login_model->purgeOldRememberTokens();
+		}
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Sets the headers to ensure that pages are not cached when a user
+	 * is logged in, helping to protect against logging out and then
+	 * simply hitting the Back button on the browser and getting private
+	 * information because the page was loaded from cache.
+	 */
+	protected function setHeaders()
+	{
+		$this->ci->output->set_header('Cache-Control: no-store, no-cache, must-revalidate');
+		$this->ci->output->set_header('Cache-Control: post-check=0, pre-check=0');
+		$this->ci->output->set_header('Pragma: no-cache');
+	}
+
+	//--------------------------------------------------------------------
 
 
 }

Please login to merge, or discard this patch.

GitHub Access Token became invalid

Push — develop ( e2250a...6bb0fd )

Status

Category

Indentation +3 added lines, -3 removed lines patch added patch discarded remove patch

Indentation +344 added lines, -344 removed lines patch added patch discarded remove patch

Indentation +43 added lines, -43 removed lines patch added patch discarded remove patch

Indentation +894 added lines, -894 removed lines patch added patch discarded remove patch

		@@ -74,7 +74,7 @@ discard block
		block discarded – undo
74	74	*/
75	75	public function setRealm($realm)
76	76	{
77		- $this->realm = $realm;
	77	+ $this->realm = $realm;
78	78	return $this;
79	79	}
80	80
		@@ -116,7 +116,7 @@ discard block
		block discarded – undo
116	116	'password' => $password
117	117	];
118	118
119		- $user = $this->validate($data, true);
	119	+ $user = $this->validate($data, true);
120	120
121	121	$this->user = $user;
122	122
		@@ -272,7 +272,7 @@ discard block
		block discarded – undo
272	272	*/
273	273	public function checkIPBlacklist()
274	274	{
275		- $blacklist = explode(',', config_item('api.ip_blacklist'));
	275	+ $blacklist = explode(',', config_item('api.ip_blacklist'));
276	276
277	277	array_walk($blacklist, function (&$item, $key) {
278	278	$item = trim($item);

		@@ -41,349 +41,349 @@
		block discarded – undo
41	41	*/
42	42	class Login_model extends \Myth\Models\CIDbModel {
43	43
44		- protected $table_name = 'auth_logins';
45		-
46		- protected $set_created = false;
47		- protected $set_modified = false;
48		-
49		- //--------------------------------------------------------------------
50		-
51		- //--------------------------------------------------------------------
52		- // Login Attempts
53		- //--------------------------------------------------------------------
54		-
55		- /**
56		- * Records a login attempt. This is used to implement
57		- * throttling of application, ip address and user login attempts.
58		- *
59		- * @param $ip_address
60		- * @param $user_id
61		- * @return void
62		- */
63		- public function recordLoginAttempt($ip_address, $user_id = null)
64		- {
65		- $datetime = date('Y-m-d H:i:s');
66		-
67		- // log attempt for app
68		- $data = [
69		- 'type' => 'app',
70		- 'datetime' => $datetime
71		- ];
72		-
73		- $this->db->insert('auth_login_attempts', $data);
74		-
75		- // log attempt for ip address
76		- if (! empty($ip_address))
77		- {
78		- $data = [
79		- 'type' => 'ip',
80		- 'ip_address' => $ip_address,
81		- 'datetime' => $datetime
82		- ];
83		-
84		- $this->db->insert('auth_login_attempts', $data);
85		- }
86		-
87		- // log attempt for user
88		- if ($user_id)
89		- {
90		- $data = [
91		- 'type' => 'user',
92		- 'user_id' => $user_id,
93		- 'datetime' => $datetime
94		- ];
95		-
96		- $this->db->insert('auth_login_attempts', $data);
97		- }
98		- }
99		-
100		- //--------------------------------------------------------------------
101		-
102		- /**
103		- * Purges all login attempt records from the database.
104		- *
105		- * @param $ip_address
106		- * @param $user_id
107		- * @return mixed
108		- */
109		- public function purgeLoginAttempts($ip_address, $user_id)
110		- {
111		- return $this->db->where('ip_address', $ip_address)
112		- ->or_where('user_id', $user_id)
113		- ->delete('auth_login_attempts');
114		- }
115		-
116		- //--------------------------------------------------------------------
117		-
118		- /**
119		- * Checks to see if how many login attempts have been attempted in the
120		- * last 60 seconds. If over 100, it is considered to be under a
121		- * brute force attempt.
122		- *
123		- * @param $ip_address
124		- * @param $user_id
125		- * @return bool
126		- */
127		- public function isBruteForced($ip_address, $user_id)
128		- {
129		- $start_time = date('Y-m-d H:i:s', time() - 60);
130		-
131		- $attempts_ip = $this->db->where('type', 'ip')
132		- ->where('ip_address', $ip_address)
133		- ->where('datetime >=', $start_time)
134		- ->count_all_results('auth_login_attempts');
135		-
136		- if (! $user_id)
137		- {
138		- return $attempts_ip > 100;
139		- }
140		-
141		- $attempts_user = $this->db->where('type', 'user')
142		- ->where('user_id', $user_id)
143		- ->where('datetime >=', $start_time)
144		- ->count_all_results('auth_login_attempts');
145		-
146		- if ($attempts_user > $attempts_ip)
147		- {
148		- return $attempts_user > 100;
149		- }
150		- else
151		- {
152		- return $attempts_ip > 100;
153		- }
154		- }
155		-
156		- //--------------------------------------------------------------------
157		-
158		- /**
159		- * Attempts to determine if the system is under a distributed
160		- * brute force attack.
161		- *
162		- * To determine if we are in under a brute force attack, we first
163		- * find the average number of bad logins per day that never converted to
164		- * successful logins over the last 3 months. Then we compare
165		- * that to the the average number of logins in the past 24 hours.
166		- *
167		- * If the number of attempts in the last 24 hours is more than X (see config)
168		- * times the average, then institute additional throttling.
169		- *
170		- * @return int The time to add to any throttling.
171		- */
172		- public function distributedBruteForceTime()
173		- {
174		- if (! $time = $this->cache->get('dbrutetime'))
175		- {
176		- $time = 0;
177		-
178		- // Compute our daily average over the last 3 months.
179		- $avg_start_time = date('Y-m-d 00:00:00', strtotime('-3 months'));
180		-
181		- $query = $this->db->query("SELECT COUNT(*) / COUNT(DISTINCT DATE(`datetime`)) as num_rows FROM `auth_login_attempts` WHERE `type` = 'app' AND `datetime` >= ?", $avg_start_time);
182		-
183		- if (! $query->num_rows())
184		- {
185		- $average = 0;
186		- }
187		- else
188		- {
189		- $average = $query->row()->num_rows;
190		- }
191		-
192		- // Get the total in the last 24 hours
193		- $today_start_time = date('Y-m-d H:i:s', strtotime('-24 hours'));
194		-
195		- $attempts = $this->db->where('type', 'app')
196		- ->where('datetime >=', $today_start_time)
197		- ->count_all_results('auth_login_attempts');
198		-
199		- if ($attempts > (config_item('auth.dbrute_multiplier') * $average))
200		- {
201		- $time = config_item('auth.distributed_brute_add_time');
202		- }
203		-
204		- // Cache it for 3 hours.
205		- $this->cache->save('dbrutetime', $time, 60603);
206		- }
207		-
208		- return $time;
209		- }
210		-
211		- //--------------------------------------------------------------------
212		-
213		- //--------------------------------------------------------------------
214		- // Logins
215		- //--------------------------------------------------------------------
216		-
217		- /**
218		- * Records a successful login. This stores in a table so that a
219		- * history can be pulled up later if needed for security analyses.
220		- *
221		- * @param $user
222		- */
223		- public function recordLogin($user)
224		- {
225		- $data = [
226		- 'user_id' => (int)$user['id'],
227		- 'datetime' => date('Y-m-d H:i:s'),
228		- 'ip_address' => $this->input->ip_address()
229		- ];
230		-
231		- return $this->db->insert('auth_logins', $data);
232		- }
233		-
234		- //--------------------------------------------------------------------
235		-
236		- //--------------------------------------------------------------------
237		- // Tokens
238		- //--------------------------------------------------------------------
239		-
240		- /**
241		- * Generates a new token for the rememberme cookie.
242		- *
243		- * The token is based on the user's email address (since everyone will have one)
244		- * with the '@' turned to a '.', followed by a pipe (\|) and a random 128-character
245		- * string with letters and numbers.
246		- *
247		- * @param $user
248		- * @return mixed
249		- */
250		- public function generateRememberToken($user)
251		- {
252		- $this->load->helper('string');
253		-
254		- return str_replace('@', '.', $user['email']) .'\|' . random_string('alnum', 128);
255		- }
256		-
257		- //--------------------------------------------------------------------
258		-
259		- /**
260		- * Hashes the token for the Remember Me Functionality.
261		- *
262		- * @param $token
263		- * @return string
264		- */
265		- public function hashRememberToken($token)
266		- {
267		- return sha1(config_item('auth.salt') . $token);
268		- }
269		-
270		- //--------------------------------------------------------------------
271		-
272		- /**
273		- * Deletes a single token that matches the email/token combo.
274		- *
275		- * @param $email
276		- * @param $token
277		- * @return mixed
278		- */
279		- public function deleteRememberToken($email, $token)
280		- {
281		- $where = [
282		- 'email' => $email,
283		- 'hash' => $this->hashRememberToken($token)
284		- ];
285		-
286		- $this->db->delete('auth_tokens', $where);
287		- }
288		-
289		- //--------------------------------------------------------------------
290		-
291		- /**
292		- * Removes all persistent login tokens (RememberMe) for a single user
293		- * across all devices they may have logged in with.
294		- *
295		- * @param $email
296		- * @return mixed
297		- */
298		- public function purgeRememberTokens($email)
299		- {
300		- return $this->db->delete('auth_tokens', ['email' => $email]);
301		- }
302		-
303		- //--------------------------------------------------------------------
304		-
305		-
306		- /**
307		- * Purges the 'auth_tokens' table of any records that are too old
308		- * to be of any use anymore. This equates to 1 week older than
309		- * the remember_length set in the config file.
310		- */
311		- public function purgeOldRememberTokens()
312		- {
313		- if (! config_item('auth.allow_remembering'))
314		- {
315		- return;
316		- }
317		-
318		- $date = time() - config_item('auth.remember_length') - 604800; // 1 week
319		- $date = date('Y-m-d 00:00:00', $date);
320		-
321		- $this->db->where('created <=', $date)
322		- ->delete('auth_tokens');
323		- }
324		-
325		- //--------------------------------------------------------------------
326		-
327		- /**
328		- * Gets the timestamp of the last attempted login for this user.
329		- *
330		- * @param $ip_address
331		- * @param $user_id
332		- * @return int\|null
333		- */
334		- public function lastLoginAttemptTime($ip_address, $user_id)
335		- {
336		- $query = $this->db->where('type', 'ip')
337		- ->where('ip_address', $ip_address)
338		- ->order_by('datetime', 'desc')
339		- ->limit(1)
340		- ->get('auth_login_attempts');
341		-
342		- $last_ip = ! $query->num_rows() ? 0 : strtotime($query->row()->datetime);
343		-
344		- if (! $user_id)
345		- {
346		- return $last_ip;
347		- }
348		-
349		- $query = $this->db->where('type', 'user')
350		- ->where('user_id', $user_id)
351		- ->order_by('datetime', 'desc')
352		- ->limit(1)
353		- ->get('auth_login_attempts');
354		-
355		- $last_user = ! $query->num_rows() ? 0 : strtotime($query->row()->datetime);
356		-
357		- return ($last_user > $last_ip) ? $last_user : $last_ip;
358		- }
359		-
360		- //--------------------------------------------------------------------
361		-
362		- /**
363		- * Returns the number of failed login attempts for a given type.
364		- *
365		- * @param $ip_address
366		- * @param $user_id
367		- * @return int
368		- */
369		- public function countLoginAttempts($ip_address, $user_id)
370		- {
371		- $count_ip = $this->db->where('type', 'ip')
372		- ->where('ip_address', $ip_address)
373		- ->count_all_results('auth_login_attempts');
374		-
375		- if (! $user_id)
376		- {
377		- return $count_ip;
378		- }
379		-
380		- $count_user = $this->db->where('type', 'user')
381		- ->where('user_id', $user_id)
382		- ->count_all_results('auth_login_attempts');
383		-
384		- return ($count_user > $count_ip) ? $count_user : $count_ip;
385		- }
386		-
387		- //--------------------------------------------------------------------
	44	+ protected $table_name = 'auth_logins';
	45	+
	46	+ protected $set_created = false;
	47	+ protected $set_modified = false;
	48	+
	49	+ //--------------------------------------------------------------------
	50	+
	51	+ //--------------------------------------------------------------------
	52	+ // Login Attempts
	53	+ //--------------------------------------------------------------------
	54	+
	55	+ /**
	56	+ * Records a login attempt. This is used to implement
	57	+ * throttling of application, ip address and user login attempts.
	58	+ *
	59	+ * @param $ip_address
	60	+ * @param $user_id
	61	+ * @return void
	62	+ */
	63	+ public function recordLoginAttempt($ip_address, $user_id = null)
	64	+ {
	65	+ $datetime = date('Y-m-d H:i:s');
	66	+
	67	+ // log attempt for app
	68	+ $data = [
	69	+ 'type' => 'app',
	70	+ 'datetime' => $datetime
	71	+ ];
	72	+
	73	+ $this->db->insert('auth_login_attempts', $data);
	74	+
	75	+ // log attempt for ip address
	76	+ if (! empty($ip_address))
	77	+ {
	78	+ $data = [
	79	+ 'type' => 'ip',
	80	+ 'ip_address' => $ip_address,
	81	+ 'datetime' => $datetime
	82	+ ];
	83	+
	84	+ $this->db->insert('auth_login_attempts', $data);
	85	+ }
	86	+
	87	+ // log attempt for user
	88	+ if ($user_id)
	89	+ {
	90	+ $data = [
	91	+ 'type' => 'user',
	92	+ 'user_id' => $user_id,
	93	+ 'datetime' => $datetime
	94	+ ];
	95	+
	96	+ $this->db->insert('auth_login_attempts', $data);
	97	+ }
	98	+ }
	99	+
	100	+ //--------------------------------------------------------------------
	101	+
	102	+ /**
	103	+ * Purges all login attempt records from the database.
	104	+ *
	105	+ * @param $ip_address
	106	+ * @param $user_id
	107	+ * @return mixed
	108	+ */
	109	+ public function purgeLoginAttempts($ip_address, $user_id)
	110	+ {
	111	+ return $this->db->where('ip_address', $ip_address)
	112	+ ->or_where('user_id', $user_id)
	113	+ ->delete('auth_login_attempts');
	114	+ }
	115	+
	116	+ //--------------------------------------------------------------------
	117	+
	118	+ /**
	119	+ * Checks to see if how many login attempts have been attempted in the
	120	+ * last 60 seconds. If over 100, it is considered to be under a
	121	+ * brute force attempt.
	122	+ *
	123	+ * @param $ip_address
	124	+ * @param $user_id
	125	+ * @return bool
	126	+ */
	127	+ public function isBruteForced($ip_address, $user_id)
	128	+ {
	129	+ $start_time = date('Y-m-d H:i:s', time() - 60);
	130	+
	131	+ $attempts_ip = $this->db->where('type', 'ip')
	132	+ ->where('ip_address', $ip_address)
	133	+ ->where('datetime >=', $start_time)
	134	+ ->count_all_results('auth_login_attempts');
	135	+
	136	+ if (! $user_id)
	137	+ {
	138	+ return $attempts_ip > 100;
	139	+ }
	140	+
	141	+ $attempts_user = $this->db->where('type', 'user')
	142	+ ->where('user_id', $user_id)
	143	+ ->where('datetime >=', $start_time)
	144	+ ->count_all_results('auth_login_attempts');
	145	+
	146	+ if ($attempts_user > $attempts_ip)
	147	+ {
	148	+ return $attempts_user > 100;
	149	+ }
	150	+ else
	151	+ {
	152	+ return $attempts_ip > 100;
	153	+ }
	154	+ }
	155	+
	156	+ //--------------------------------------------------------------------
	157	+
	158	+ /**
	159	+ * Attempts to determine if the system is under a distributed
	160	+ * brute force attack.
	161	+ *
	162	+ * To determine if we are in under a brute force attack, we first
	163	+ * find the average number of bad logins per day that never converted to
	164	+ * successful logins over the last 3 months. Then we compare
	165	+ * that to the the average number of logins in the past 24 hours.
	166	+ *
	167	+ * If the number of attempts in the last 24 hours is more than X (see config)
	168	+ * times the average, then institute additional throttling.
	169	+ *
	170	+ * @return int The time to add to any throttling.
	171	+ */
	172	+ public function distributedBruteForceTime()
	173	+ {
	174	+ if (! $time = $this->cache->get('dbrutetime'))
	175	+ {
	176	+ $time = 0;
	177	+
	178	+ // Compute our daily average over the last 3 months.
	179	+ $avg_start_time = date('Y-m-d 00:00:00', strtotime('-3 months'));
	180	+
	181	+ $query = $this->db->query("SELECT COUNT(*) / COUNT(DISTINCT DATE(`datetime`)) as num_rows FROM `auth_login_attempts` WHERE `type` = 'app' AND `datetime` >= ?", $avg_start_time);
	182	+
	183	+ if (! $query->num_rows())
	184	+ {
	185	+ $average = 0;
	186	+ }
	187	+ else
	188	+ {
	189	+ $average = $query->row()->num_rows;
	190	+ }
	191	+
	192	+ // Get the total in the last 24 hours
	193	+ $today_start_time = date('Y-m-d H:i:s', strtotime('-24 hours'));
	194	+
	195	+ $attempts = $this->db->where('type', 'app')
	196	+ ->where('datetime >=', $today_start_time)
	197	+ ->count_all_results('auth_login_attempts');
	198	+
	199	+ if ($attempts > (config_item('auth.dbrute_multiplier') * $average))
	200	+ {
	201	+ $time = config_item('auth.distributed_brute_add_time');
	202	+ }
	203	+
	204	+ // Cache it for 3 hours.
	205	+ $this->cache->save('dbrutetime', $time, 60603);
	206	+ }
	207	+
	208	+ return $time;
	209	+ }
	210	+
	211	+ //--------------------------------------------------------------------
	212	+
	213	+ //--------------------------------------------------------------------
	214	+ // Logins
	215	+ //--------------------------------------------------------------------
	216	+
	217	+ /**
	218	+ * Records a successful login. This stores in a table so that a
	219	+ * history can be pulled up later if needed for security analyses.
	220	+ *
	221	+ * @param $user
	222	+ */
	223	+ public function recordLogin($user)
	224	+ {
	225	+ $data = [
	226	+ 'user_id' => (int)$user['id'],
	227	+ 'datetime' => date('Y-m-d H:i:s'),
	228	+ 'ip_address' => $this->input->ip_address()
	229	+ ];
	230	+
	231	+ return $this->db->insert('auth_logins', $data);
	232	+ }
	233	+
	234	+ //--------------------------------------------------------------------
	235	+
	236	+ //--------------------------------------------------------------------
	237	+ // Tokens
	238	+ //--------------------------------------------------------------------
	239	+
	240	+ /**
	241	+ * Generates a new token for the rememberme cookie.
	242	+ *
	243	+ * The token is based on the user's email address (since everyone will have one)
	244	+ * with the '@' turned to a '.', followed by a pipe (\|) and a random 128-character
	245	+ * string with letters and numbers.
	246	+ *
	247	+ * @param $user
	248	+ * @return mixed
	249	+ */
	250	+ public function generateRememberToken($user)
	251	+ {
	252	+ $this->load->helper('string');
	253	+
	254	+ return str_replace('@', '.', $user['email']) .'\|' . random_string('alnum', 128);
	255	+ }
	256	+
	257	+ //--------------------------------------------------------------------
	258	+
	259	+ /**
	260	+ * Hashes the token for the Remember Me Functionality.
	261	+ *
	262	+ * @param $token
	263	+ * @return string
	264	+ */
	265	+ public function hashRememberToken($token)
	266	+ {
	267	+ return sha1(config_item('auth.salt') . $token);
	268	+ }
	269	+
	270	+ //--------------------------------------------------------------------
	271	+
	272	+ /**
	273	+ * Deletes a single token that matches the email/token combo.
	274	+ *
	275	+ * @param $email
	276	+ * @param $token
	277	+ * @return mixed
	278	+ */
	279	+ public function deleteRememberToken($email, $token)
	280	+ {
	281	+ $where = [
	282	+ 'email' => $email,
	283	+ 'hash' => $this->hashRememberToken($token)
	284	+ ];
	285	+
	286	+ $this->db->delete('auth_tokens', $where);
	287	+ }
	288	+
	289	+ //--------------------------------------------------------------------
	290	+
	291	+ /**
	292	+ * Removes all persistent login tokens (RememberMe) for a single user
	293	+ * across all devices they may have logged in with.
	294	+ *
	295	+ * @param $email
	296	+ * @return mixed
	297	+ */
	298	+ public function purgeRememberTokens($email)
	299	+ {
	300	+ return $this->db->delete('auth_tokens', ['email' => $email]);
	301	+ }
	302	+
	303	+ //--------------------------------------------------------------------
	304	+
	305	+
	306	+ /**
	307	+ * Purges the 'auth_tokens' table of any records that are too old
	308	+ * to be of any use anymore. This equates to 1 week older than
	309	+ * the remember_length set in the config file.
	310	+ */
	311	+ public function purgeOldRememberTokens()
	312	+ {
	313	+ if (! config_item('auth.allow_remembering'))
	314	+ {
	315	+ return;
	316	+ }
	317	+
	318	+ $date = time() - config_item('auth.remember_length') - 604800; // 1 week
	319	+ $date = date('Y-m-d 00:00:00', $date);
	320	+
	321	+ $this->db->where('created <=', $date)
	322	+ ->delete('auth_tokens');
	323	+ }
	324	+
	325	+ //--------------------------------------------------------------------
	326	+
	327	+ /**
	328	+ * Gets the timestamp of the last attempted login for this user.
	329	+ *
	330	+ * @param $ip_address
	331	+ * @param $user_id
	332	+ * @return int\|null
	333	+ */
	334	+ public function lastLoginAttemptTime($ip_address, $user_id)
	335	+ {
	336	+ $query = $this->db->where('type', 'ip')
	337	+ ->where('ip_address', $ip_address)
	338	+ ->order_by('datetime', 'desc')
	339	+ ->limit(1)
	340	+ ->get('auth_login_attempts');
	341	+
	342	+ $last_ip = ! $query->num_rows() ? 0 : strtotime($query->row()->datetime);
	343	+
	344	+ if (! $user_id)
	345	+ {
	346	+ return $last_ip;
	347	+ }
	348	+
	349	+ $query = $this->db->where('type', 'user')
	350	+ ->where('user_id', $user_id)
	351	+ ->order_by('datetime', 'desc')
	352	+ ->limit(1)
	353	+ ->get('auth_login_attempts');
	354	+
	355	+ $last_user = ! $query->num_rows() ? 0 : strtotime($query->row()->datetime);
	356	+
	357	+ return ($last_user > $last_ip) ? $last_user : $last_ip;
	358	+ }
	359	+
	360	+ //--------------------------------------------------------------------
	361	+
	362	+ /**
	363	+ * Returns the number of failed login attempts for a given type.
	364	+ *
	365	+ * @param $ip_address
	366	+ * @param $user_id
	367	+ * @return int
	368	+ */
	369	+ public function countLoginAttempts($ip_address, $user_id)
	370	+ {
	371	+ $count_ip = $this->db->where('type', 'ip')
	372	+ ->where('ip_address', $ip_address)
	373	+ ->count_all_results('auth_login_attempts');
	374	+
	375	+ if (! $user_id)
	376	+ {
	377	+ return $count_ip;
	378	+ }
	379	+
	380	+ $count_user = $this->db->where('type', 'user')
	381	+ ->where('user_id', $user_id)
	382	+ ->count_all_results('auth_login_attempts');
	383	+
	384	+ return ($count_user > $count_ip) ? $count_user : $count_ip;
	385	+ }
	386	+
	387	+ //--------------------------------------------------------------------
388	388
389	389	}

		@@ -10,57 +10,57 @@
		block discarded – undo
10	10	*/
11	11	class Migration_UpdateLoginAttemmptsTable extends CI_Migration {
12	12
13		- public function up()
14		- {
15		- $fields = array(
16		- 'type' => array(
17		- 'type' => 'varchar',
18		- 'constraint' => 64,
19		- 'null' => false,
20		- 'default' => 'app',
21		- 'after' => 'id'
22		- ),
23		- 'ip_address' => array(
24		- 'type' => 'varchar',
25		- 'constraint' => 255,
26		- 'null' => true,
27		- 'after' => 'type'
28		- ),
29		- 'user_id' => array(
30		- 'type' => 'int',
31		- 'constraint' => 11,
32		- 'unsigned' => true,
33		- 'null' => true,
34		- 'after' => 'ip_address'
35		- )
36		- );
	13	+ public function up()
	14	+ {
	15	+ $fields = array(
	16	+ 'type' => array(
	17	+ 'type' => 'varchar',
	18	+ 'constraint' => 64,
	19	+ 'null' => false,
	20	+ 'default' => 'app',
	21	+ 'after' => 'id'
	22	+ ),
	23	+ 'ip_address' => array(
	24	+ 'type' => 'varchar',
	25	+ 'constraint' => 255,
	26	+ 'null' => true,
	27	+ 'after' => 'type'
	28	+ ),
	29	+ 'user_id' => array(
	30	+ 'type' => 'int',
	31	+ 'constraint' => 11,
	32	+ 'unsigned' => true,
	33	+ 'null' => true,
	34	+ 'after' => 'ip_address'
	35	+ )
	36	+ );
37	37
38		- $this->dbforge->add_column('auth_login_attempts', $fields);
	38	+ $this->dbforge->add_column('auth_login_attempts', $fields);
39	39
40		- $this->db->query('ALTER TABLE `auth_login_attempts` ADD KEY (`user_id`)');
	40	+ $this->db->query('ALTER TABLE `auth_login_attempts` ADD KEY (`user_id`)');
41	41
42		- $this->dbforge->drop_column('auth_login_attempts', 'email');
43		- }
	42	+ $this->dbforge->drop_column('auth_login_attempts', 'email');
	43	+ }
44	44
45		- //--------------------------------------------------------------------
	45	+ //--------------------------------------------------------------------
46	46
47		- public function down()
48		- {
49		- $this->dbforge->drop_column('auth_login_attempts', 'type');
50		- $this->dbforge->drop_column('auth_login_attempts', 'ip_address');
51		- $this->dbforge->drop_column('auth_login_attempts', 'user_id');
	47	+ public function down()
	48	+ {
	49	+ $this->dbforge->drop_column('auth_login_attempts', 'type');
	50	+ $this->dbforge->drop_column('auth_login_attempts', 'ip_address');
	51	+ $this->dbforge->drop_column('auth_login_attempts', 'user_id');
52	52
53		- $column = ['email' => [
54		- 'type' => 'varchar',
55		- 'constraint' => 255,
56		- 'after' => 'id'
57		- ]];
	53	+ $column = ['email' => [
	54	+ 'type' => 'varchar',
	55	+ 'constraint' => 255,
	56	+ 'after' => 'id'
	57	+ ]];
58	58
59		- $this->dbforge->add_column('auth_login_attempts', $column);
	59	+ $this->dbforge->add_column('auth_login_attempts', $column);
60	60
61		- $this->db->query('ALTER TABLE `auth_login_attempts` ADD KEY (`email`)');
62		- }
	61	+ $this->db->query('ALTER TABLE `auth_login_attempts` ADD KEY (`email`)');
	62	+ }
63	63
64		- //--------------------------------------------------------------------
	64	+ //--------------------------------------------------------------------
65	65
66	66	}
67	67	\ No newline at end of file

ci-bonfire / Sprint

GitHub Access Token became invalid

Push — develop ( e2250a...6bb0fd )

Status

Category

Indentation +3 added lines, -3 removed lines patch added patch discarded remove patch

Indentation +344 added lines, -344 removed lines patch added patch discarded remove patch

Indentation +43 added lines, -43 removed lines patch added patch discarded remove patch

Indentation +894 added lines, -894 removed lines patch added patch discarded remove patch