Inspection of "Merge pull request #153 from michalsn/patch/patch-..." - ci-bonfire/Sprint - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — develop ( 154c58...727d1c )

by Lonnie

created 2016-01-15 04:43 UTC

Status

Doc Comments +4 added lines, -4 removed lines patch added patch discarded remove patch

@@ -242,7 +242,7 @@  discard block
 block discarded – undo
     /**
      * Logs a user out and removes all session information.
      *
-     * @return mixed
+     * @return false|null
      */
     public function logout()
     {
@@ -608,7 +608,7 @@  discard block
 block discarded – undo
      * the passed in $email.
      *
      * @param $email
-     * @return mixed
+     * @return boolean
      */
     public function remindUser($email)
     {
@@ -653,7 +653,7 @@  discard block
 block discarded – undo
      * @param $credentials
      * @param $password
      * @param $passConfirm
-     * @return mixed
+     * @return boolean
      */
     public function resetPassword($credentials, $password, $passConfirm)
     {
@@ -751,7 +751,7 @@  discard block
 block discarded – undo
      *
      * @param $model
      * @param bool $allow_any_parent
-     * @return mixed
+     * @return LocalAuthentication
      */
     public function useModel($model, $allow_any_parent=false)
     {

Please login to merge, or discard this patch.

Indentation +918 added lines, -918 removed lines patch added patch discarded remove patch

@@ -52,925 +52,925 @@
 block discarded – undo
  */
 class LocalAuthentication implements AuthenticateInterface {
 
-    protected $ci;
-
-    protected $user = null;
-
-    public $user_model = null;
-
-    public $error = null;
-
-    //--------------------------------------------------------------------
-
-    public function __construct( $ci=null )
-    {
-        if ($ci)
-        {
-            $this->ci= $ci;
-        }
-        else
-        {
-            $this->ci =& get_instance();
-        }
-
-        // Get our compatibility password file loaded up.
-        if (! function_exists('password_hash'))
-        {
-            require_once dirname(__FILE__) .'password.php';
-        }
-
-        if (empty($this->ci->session))
-        {
-            $this->ci->load->library('session');
-        }
-
-        $this->ci->config->load('auth');
-        $this->ci->load->model('auth/login_model');
-        $this->ci->load->language('auth/auth');
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Attempt to log a user into the system.
-     *
-     * $credentials is an array of key/value pairs needed to log the user in.
-     * This is often email/password, or username/password.
-     *
-     * @param array $credentials
-     * @param bool  $remember
-     * @return bool|mixed
-     */
-    public function login($credentials, $remember=false)
-    {
-        $user = $this->validate($credentials, true);
-
-        // If the user is throttled due to too many invalid logins
-        // or the system is under attack, kick them back.
-        // We need to test for this after validation because we
-        // don't want it to affect a valid login.
-
-        // If throttling time is above zero, we can't allow
-        // logins now.
-        $time = (int)$this->isThrottled($user);
-        if ($time > 0)
-        {
-            $this->error = sprintf(lang('auth.throttled'), $time);
-            return false;
-        }
-
-        if (! $user)
-        {
-            if (empty($this->error))
-            {
-                // We need to set an error if there is no one
-                $this->error = lang('auth.invalid_user');
-            }
-            $this->user = null;
-            return $user;
-        }       
-
-        $this->loginUser($user);
-
-        if ($remember)
-        {
-            $this->rememberUser($user);
-        }
-
-        Events::trigger('didLogin', [$user]);
-
-        return true;
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Validates user login information without logging them in.
-     *
-     * $credentials is an array of key/value pairs needed to log the user in.
-     * This is often email/password, or username/password.
-     *
-     * @param $credentials
-     * @param bool $return_user
-     * @return mixed
-     */
-    public function validate($credentials, $return_user=false)
-    {
-        // Get ip address
-        $ip_address = $this->ci->input->ip_address();
-
-        // We do not want to force case-sensitivity on things
-        // like username and email for usability sake.
-        if (! empty($credentials['email']))
-        {
-            $credentials['email'] = strtolower($credentials['email']);
-        }
-
-        // Can't validate without a password.
-        if (empty($credentials['password']) || count($credentials) < 2)
-        {
-            $this->ci->login_model->recordLoginAttempt($ip_address);
-            return null;
-        }
-
-        $password = $credentials['password'];
-        unset($credentials['password']);
-
-        // We should only be allowed 1 single other credential to
-        // test against.
-        if (count($credentials) > 1)
-        {
-            $this->error = lang('auth.too_many_credentials');
-            $this->ci->login_model->recordLoginAttempt($ip_address);
-            return false;
-        }
-
-        // Ensure that the fields are allowed validation fields
-        if (! in_array(key($credentials), config_item('auth.valid_fields')) )
-        {
-            $this->error = lang('auth.invalid_credentials');
-            $this->ci->login_model->recordLoginAttempt($ip_address);
-            return false;
-        }
-
-        // Can we find a user with those credentials?
-        $user = $this->user_model->as_array()
-                                 ->where($credentials)
-                                 ->first();
-
-        if (! $user)
-        {
-            $this->error = lang('auth.invalid_user');
-            $this->ci->login_model->recordLoginAttempt($ip_address);
-            return false;
-        }
-
-        // Now, try matching the passwords.
-        $result =  password_verify($password, $user['password_hash']);
-
-        if (! $result)
-        {
-            $this->error = lang('auth.invalid_password');
-            $this->ci->login_model->recordLoginAttempt($ip_address, $user['id']);
-            return false;
-        }
-
-        // Check to see if the password needs to be rehashed.
-        // This would be due to the hash algorithm or hash
-        // cost changing since the last time that a user
-        // logged in.
-        if (password_needs_rehash($user['password_hash'], PASSWORD_DEFAULT, ['cost' => config_item('auth.hash_cost')] ))
-        {
-            $new_hash = Password::hashPassword($password);
-            $this->user_model->skip_validation()
-                             ->update($user['id'], ['password_hash' => $new_hash]);
-            unset($new_hash);
-        }
-
-        // Is the user active?
-        if (! $user['active'])
-        {
-            $this->error = lang('auth.inactive_account');
-            return false;
-        }
-
-        return $return_user ? $user : true;
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Logs a user out and removes all session information.
-     *
-     * @return mixed
-     */
-    public function logout()
-    {
-        $this->ci->load->helper('cookie');
-
-        if (! Events::trigger('beforeLogout', [$this->user]))
-        {
-            return false;
-        }
-
-        // Destroy the session data - but ensure a session is still
-        // available for flash messages, etc.
-        if (isset($_SESSION))
-        {
-            foreach ( $_SESSION as $key => $value )
-            {
-                $_SESSION[ $key ] = NULL;
-                unset( $_SESSION[ $key ] );
-            }
-        }
-        // Also, regenerate the session ID for a touch of added safety.
-        $this->ci->session->sess_regenerate(true);
-
-        // Take care of any rememberme functionality.
-        if (config_item('auth.allow_remembering'))
-        {
-            $token = get_cookie('remember');
-
-            $this->invalidateRememberCookie($this->user['email'], $token);
-        }
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Checks whether a user is logged in or not.
-     *
-     * @return bool
-     */
-    public function isLoggedIn()
-    {
-        $id = $this->ci->session->userdata('logged_in');
-
-        if (! $id)
-        {
-            return false;
-        }
-
-        // If the user var hasn't been filled in, we need to fill it in,
-        // since this method will typically be used as the only method
-        // to determine whether a user is logged in or not.
-        if (! $this->user)
-        {
-            $this->user = $this->user_model->as_array()
-                                           ->find_by('id', (int)$id);
-
-            if (empty($this->user))
-            {
-                return false;
-            }
-        }
-
-        // If logged in, ensure cache control
-        // headers are in place
-        $this->setHeaders();
-
-        return true;
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Attempts to log a user in based on the "remember me" cookie.
-     *
-     * @return bool
-     */
-    public function viaRemember()
-    {
-        if (! config_item('auth.allow_remembering'))
-        {
-            return false;
-        }
-
-        $this->ci->load->helper('cookie');
-
-        if (! $token = get_cookie('remember'))
-        {
-            return false;
-        }
-
-        // Attempt to match the token against our auth_tokens table.
-        $query = $this->ci->db->where('hash', $this->ci->login_model->hashRememberToken($token))
-                              ->get('auth_tokens');
-
-        if (! $query->num_rows())
-        {
-            return false;
-        }
-
-        // Grab the user
-        $email = $query->row()->email;
-
-        $user = $this->user_model->as_array()
-                                 ->find_by('email', $email);
-
-        $this->loginUser($user);
-
-        // We only want our remember me tokens to be valid
-        // for a single use.
-        $this->refreshRememberCookie($user, $token);
-
-        return true;
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Registers a new user and handles activation method.
-     *
-     * @param $user_data
-     * @return bool
-     */
-    public function registerUser($user_data)
-    {
-        // Anything special needed for Activation?
-        $method = config_item('auth.activation_method');
-
-        $user_data['active'] = $method == 'auto' ? 1 : 0;
-
-        // If via email, we need to generate a hash
-        $this->ci->load->helper('string');
-        $token = random_string('alnum', 24);
-        $user_data['activate_hash'] = hash('sha1', config_item('auth.salt') . $token);
-
-        // Email should NOT be case sensitive.
-        if (! empty($user_data['email']))
-        {
-            $user_data['email'] = strtolower($user_data['email']);
-        }
-
-        // Save the user
-        if (! $id = $this->user_model->insert($user_data))
-        {
-            $this->error = $this->user_model->error();
-            return false;
-        }
-
-        $data = [
-            'user_id' => $id,
-            'email'   => $user_data['email'],
-            'token'   => $token,
-            'method'  => $method
-        ];
-
-        Events::trigger('didRegisterUser', [$data]);
-
-        return true;
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Used to verify the user values and activate a user so they can
-     * visit the site.
-     *
-     * @param $data
-     * @return bool
-     */
-    public function activateUser($data)
-    {
-        $post = [
-            'email'         => $data['email'],
-            'activate_hash' => hash('sha1', config_item('auth.salt') . $data['code'])
-        ];
-
-        $user = $this->user_model->where($post)
-                                 ->first();
-
-        if (! $user) {
-            $this->error = $this->user_model->error() ? $this->user_model->error() : lang('auth.activate_no_user');
-
-            return false;
-        }
-
-        if (! $this->user_model->update($user->id, ['active' => 1, 'activate_hash' => null]))
-        {
-            $this->error = $this->user_model->error();
-            return false;
-        }
-
-        Events::trigger('didActivate', [(array)$user]);
-
-        return true;
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Used to allow manual activation of a user with a known ID.
-     *
-     * @param $id
-     * @return bool
-     */
-    public function activateUserById($id)
-    {
-        if (! $this->user_model->update($id, ['active' => 1, 'activate_hash' => null]))
-        {
-            $this->error = $this->user_model->error();
-            return false;
-        }
-
-        Events::trigger('didActivate', [$this->user_model->as_array()->find($id)]);
-
-        return true;
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Grabs the current user object. Returns NULL if nothing found.
-     *
-     * @return array|null
-     */
-    public function user()
-    {
-        return $this->user;
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * A convenience method to grab the current user's ID.
-     *
-     * @return int|null
-     */
-    public function id()
-    {
-        if (! is_array($this->user) || empty($this->user['id']))
-        {
-            return null;
-        }
-
-        return (int)$this->user['id'];
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Checks to see if the user is currently being throttled.
-     *
-     *  - If they are NOT, will return FALSE.
-     *  - If they ARE, will return the number of seconds until they can try again.
-     *
-     * @param $user
-     * @return mixed
-     */
-    public function isThrottled($user)
-    {
-        // Not throttling? Get outta here!
-        if (! config_item('auth.allow_throttling'))
-        {
-            return false;
-        }
-
-        // Get user_id
-        $user_id = $user ? $user['id'] : null;
+	protected $ci;
+
+	protected $user = null;
+
+	public $user_model = null;
+
+	public $error = null;
+
+	//--------------------------------------------------------------------
+
+	public function __construct( $ci=null )
+	{
+		if ($ci)
+		{
+			$this->ci= $ci;
+		}
+		else
+		{
+			$this->ci =& get_instance();
+		}
+
+		// Get our compatibility password file loaded up.
+		if (! function_exists('password_hash'))
+		{
+			require_once dirname(__FILE__) .'password.php';
+		}
+
+		if (empty($this->ci->session))
+		{
+			$this->ci->load->library('session');
+		}
+
+		$this->ci->config->load('auth');
+		$this->ci->load->model('auth/login_model');
+		$this->ci->load->language('auth/auth');
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Attempt to log a user into the system.
+	 *
+	 * $credentials is an array of key/value pairs needed to log the user in.
+	 * This is often email/password, or username/password.
+	 *
+	 * @param array $credentials
+	 * @param bool  $remember
+	 * @return bool|mixed
+	 */
+	public function login($credentials, $remember=false)
+	{
+		$user = $this->validate($credentials, true);
+
+		// If the user is throttled due to too many invalid logins
+		// or the system is under attack, kick them back.
+		// We need to test for this after validation because we
+		// don't want it to affect a valid login.
+
+		// If throttling time is above zero, we can't allow
+		// logins now.
+		$time = (int)$this->isThrottled($user);
+		if ($time > 0)
+		{
+			$this->error = sprintf(lang('auth.throttled'), $time);
+			return false;
+		}
+
+		if (! $user)
+		{
+			if (empty($this->error))
+			{
+				// We need to set an error if there is no one
+				$this->error = lang('auth.invalid_user');
+			}
+			$this->user = null;
+			return $user;
+		}       
+
+		$this->loginUser($user);
+
+		if ($remember)
+		{
+			$this->rememberUser($user);
+		}
+
+		Events::trigger('didLogin', [$user]);
+
+		return true;
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Validates user login information without logging them in.
+	 *
+	 * $credentials is an array of key/value pairs needed to log the user in.
+	 * This is often email/password, or username/password.
+	 *
+	 * @param $credentials
+	 * @param bool $return_user
+	 * @return mixed
+	 */
+	public function validate($credentials, $return_user=false)
+	{
+		// Get ip address
+		$ip_address = $this->ci->input->ip_address();
+
+		// We do not want to force case-sensitivity on things
+		// like username and email for usability sake.
+		if (! empty($credentials['email']))
+		{
+			$credentials['email'] = strtolower($credentials['email']);
+		}
+
+		// Can't validate without a password.
+		if (empty($credentials['password']) || count($credentials) < 2)
+		{
+			$this->ci->login_model->recordLoginAttempt($ip_address);
+			return null;
+		}
+
+		$password = $credentials['password'];
+		unset($credentials['password']);
+
+		// We should only be allowed 1 single other credential to
+		// test against.
+		if (count($credentials) > 1)
+		{
+			$this->error = lang('auth.too_many_credentials');
+			$this->ci->login_model->recordLoginAttempt($ip_address);
+			return false;
+		}
+
+		// Ensure that the fields are allowed validation fields
+		if (! in_array(key($credentials), config_item('auth.valid_fields')) )
+		{
+			$this->error = lang('auth.invalid_credentials');
+			$this->ci->login_model->recordLoginAttempt($ip_address);
+			return false;
+		}
+
+		// Can we find a user with those credentials?
+		$user = $this->user_model->as_array()
+								 ->where($credentials)
+								 ->first();
+
+		if (! $user)
+		{
+			$this->error = lang('auth.invalid_user');
+			$this->ci->login_model->recordLoginAttempt($ip_address);
+			return false;
+		}
+
+		// Now, try matching the passwords.
+		$result =  password_verify($password, $user['password_hash']);
+
+		if (! $result)
+		{
+			$this->error = lang('auth.invalid_password');
+			$this->ci->login_model->recordLoginAttempt($ip_address, $user['id']);
+			return false;
+		}
+
+		// Check to see if the password needs to be rehashed.
+		// This would be due to the hash algorithm or hash
+		// cost changing since the last time that a user
+		// logged in.
+		if (password_needs_rehash($user['password_hash'], PASSWORD_DEFAULT, ['cost' => config_item('auth.hash_cost')] ))
+		{
+			$new_hash = Password::hashPassword($password);
+			$this->user_model->skip_validation()
+							 ->update($user['id'], ['password_hash' => $new_hash]);
+			unset($new_hash);
+		}
+
+		// Is the user active?
+		if (! $user['active'])
+		{
+			$this->error = lang('auth.inactive_account');
+			return false;
+		}
+
+		return $return_user ? $user : true;
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Logs a user out and removes all session information.
+	 *
+	 * @return mixed
+	 */
+	public function logout()
+	{
+		$this->ci->load->helper('cookie');
+
+		if (! Events::trigger('beforeLogout', [$this->user]))
+		{
+			return false;
+		}
+
+		// Destroy the session data - but ensure a session is still
+		// available for flash messages, etc.
+		if (isset($_SESSION))
+		{
+			foreach ( $_SESSION as $key => $value )
+			{
+				$_SESSION[ $key ] = NULL;
+				unset( $_SESSION[ $key ] );
+			}
+		}
+		// Also, regenerate the session ID for a touch of added safety.
+		$this->ci->session->sess_regenerate(true);
+
+		// Take care of any rememberme functionality.
+		if (config_item('auth.allow_remembering'))
+		{
+			$token = get_cookie('remember');
+
+			$this->invalidateRememberCookie($this->user['email'], $token);
+		}
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Checks whether a user is logged in or not.
+	 *
+	 * @return bool
+	 */
+	public function isLoggedIn()
+	{
+		$id = $this->ci->session->userdata('logged_in');
+
+		if (! $id)
+		{
+			return false;
+		}
+
+		// If the user var hasn't been filled in, we need to fill it in,
+		// since this method will typically be used as the only method
+		// to determine whether a user is logged in or not.
+		if (! $this->user)
+		{
+			$this->user = $this->user_model->as_array()
+										   ->find_by('id', (int)$id);
+
+			if (empty($this->user))
+			{
+				return false;
+			}
+		}
+
+		// If logged in, ensure cache control
+		// headers are in place
+		$this->setHeaders();
+
+		return true;
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Attempts to log a user in based on the "remember me" cookie.
+	 *
+	 * @return bool
+	 */
+	public function viaRemember()
+	{
+		if (! config_item('auth.allow_remembering'))
+		{
+			return false;
+		}
+
+		$this->ci->load->helper('cookie');
+
+		if (! $token = get_cookie('remember'))
+		{
+			return false;
+		}
+
+		// Attempt to match the token against our auth_tokens table.
+		$query = $this->ci->db->where('hash', $this->ci->login_model->hashRememberToken($token))
+							  ->get('auth_tokens');
+
+		if (! $query->num_rows())
+		{
+			return false;
+		}
+
+		// Grab the user
+		$email = $query->row()->email;
+
+		$user = $this->user_model->as_array()
+								 ->find_by('email', $email);
+
+		$this->loginUser($user);
+
+		// We only want our remember me tokens to be valid
+		// for a single use.
+		$this->refreshRememberCookie($user, $token);
+
+		return true;
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Registers a new user and handles activation method.
+	 *
+	 * @param $user_data
+	 * @return bool
+	 */
+	public function registerUser($user_data)
+	{
+		// Anything special needed for Activation?
+		$method = config_item('auth.activation_method');
+
+		$user_data['active'] = $method == 'auto' ? 1 : 0;
+
+		// If via email, we need to generate a hash
+		$this->ci->load->helper('string');
+		$token = random_string('alnum', 24);
+		$user_data['activate_hash'] = hash('sha1', config_item('auth.salt') . $token);
+
+		// Email should NOT be case sensitive.
+		if (! empty($user_data['email']))
+		{
+			$user_data['email'] = strtolower($user_data['email']);
+		}
+
+		// Save the user
+		if (! $id = $this->user_model->insert($user_data))
+		{
+			$this->error = $this->user_model->error();
+			return false;
+		}
+
+		$data = [
+			'user_id' => $id,
+			'email'   => $user_data['email'],
+			'token'   => $token,
+			'method'  => $method
+		];
+
+		Events::trigger('didRegisterUser', [$data]);
+
+		return true;
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Used to verify the user values and activate a user so they can
+	 * visit the site.
+	 *
+	 * @param $data
+	 * @return bool
+	 */
+	public function activateUser($data)
+	{
+		$post = [
+			'email'         => $data['email'],
+			'activate_hash' => hash('sha1', config_item('auth.salt') . $data['code'])
+		];
+
+		$user = $this->user_model->where($post)
+								 ->first();
+
+		if (! $user) {
+			$this->error = $this->user_model->error() ? $this->user_model->error() : lang('auth.activate_no_user');
+
+			return false;
+		}
+
+		if (! $this->user_model->update($user->id, ['active' => 1, 'activate_hash' => null]))
+		{
+			$this->error = $this->user_model->error();
+			return false;
+		}
+
+		Events::trigger('didActivate', [(array)$user]);
+
+		return true;
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Used to allow manual activation of a user with a known ID.
+	 *
+	 * @param $id
+	 * @return bool
+	 */
+	public function activateUserById($id)
+	{
+		if (! $this->user_model->update($id, ['active' => 1, 'activate_hash' => null]))
+		{
+			$this->error = $this->user_model->error();
+			return false;
+		}
+
+		Events::trigger('didActivate', [$this->user_model->as_array()->find($id)]);
+
+		return true;
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Grabs the current user object. Returns NULL if nothing found.
+	 *
+	 * @return array|null
+	 */
+	public function user()
+	{
+		return $this->user;
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * A convenience method to grab the current user's ID.
+	 *
+	 * @return int|null
+	 */
+	public function id()
+	{
+		if (! is_array($this->user) || empty($this->user['id']))
+		{
+			return null;
+		}
+
+		return (int)$this->user['id'];
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Checks to see if the user is currently being throttled.
+	 *
+	 *  - If they are NOT, will return FALSE.
+	 *  - If they ARE, will return the number of seconds until they can try again.
+	 *
+	 * @param $user
+	 * @return mixed
+	 */
+	public function isThrottled($user)
+	{
+		// Not throttling? Get outta here!
+		if (! config_item('auth.allow_throttling'))
+		{
+			return false;
+		}
+
+		// Get user_id
+		$user_id = $user ? $user['id'] : null;
         
-        // Get ip address
-        $ip_address = $this->ci->input->ip_address();
-
-        // Have any attempts been made?
-        $attempts = $this->ci->login_model->countLoginAttempts($ip_address, $user_id);
-
-        // Grab the amount of time to add if the system thinks we're
-        // under a distributed brute force attack.
-        // Affect users that have at least 1 failure login attempt
-        $dbrute_time = ($attempts === 0) ? 0 : $this->ci->login_model->distributedBruteForceTime();
-
-        // If this user was found to possibly be under a brute
-        // force attack, their account would have been banned
-        // for 15 minutes.
-        if ($time = isset($_SESSION['bruteBan']) ? $_SESSION['bruteBan'] : false)
-        {
-            // If the current time is less than the
-            // the ban expiration, plus any distributed time
-            // then the user can't login just yet.
-            if ($time + $dbrute_time > time())
-            {
-                // The user is banned still...
-                $this->error = lang('auth.bruteBan_notice');
-                return ($time + $dbrute_time) - time();
-            }
-
-            // Still here? The the ban time is over...
-            unset($_SESSION['bruteBan']);
-        }
-
-        // Grab the time of last attempt and
-        // determine if we're throttled by amount of time passed.
-        $last_time = $this->ci->login_model->lastLoginAttemptTime($ip_address, $user_id);
-
-        $allowed = config_item('auth.allowed_login_attempts');
-
-        // We're not throttling if there are 0 attempts or
-        // the number is less than or equal to the allowed free attempts
-        if ($attempts === 0 || $attempts <= $allowed)
-        {
-            // Before we can say there's nothing up here,
-            // we need to check dbrute time.
-            $time_left = $last_time + $dbrute_time - time();
-
-            if ($time_left > 0)
-            {
-                return $time_left;
-            }
-
-            return false;
-        }
-
-        // If the number of attempts is excessive (above 100) we need
-        // to check the elapsed time of all of these attacks. If they are
-        // less than 1 minute it's obvious this is a brute force attack,
-        // so we'll set a session flag and block that user for 15 minutes.
-        if ($attempts > 100 && $this->ci->login_model->isBruteForced($ip_address, $user_id))
-        {
-            $this->error = lang('auth.bruteBan_notice');
-
-            $ban_time = 60 * 15;    // 15 minutes
-            $_SESSION['bruteBan'] = time() + $ban_time;
-            return $ban_time;
-        }
-
-        // Get our allowed attempts out of the picture.
-        $attempts = $attempts - $allowed;
-
-        $max_time = config_item('auth.max_throttle_time');
-
-        $add_time = 5 * pow(2, $attempts - 1);
-
-        if ($add_time > $max_time)
-        {
-            $add_time = $max_time;
-        }
-
-        $next_time = $last_time + $add_time + $dbrute_time;
-
-        $current = time();
-
-        // We are NOT throttled if we are already
-        // past the allowed time.
-        if ($current > $next_time)
-        {
-            return false;
-        }
-
-        return $next_time - $current;
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Sends a password reset link email to the user associated with
-     * the passed in $email.
-     *
-     * @param $email
-     * @return mixed
-     */
-    public function remindUser($email)
-    {
-        // Emails should NOT be case sensitive.
-        $email = strtolower($email);
-
-        // Is it a valid user?
-        $user = $this->user_model->find_by('email', $email);
-
-        if (! $user)
-        {
-            $this->error = lang('auth.invalid_email');
-            return false;
-        }
-
-        // Generate/store our codes
-        $this->ci->load->helper('string');
-        $token = random_string('alnum', 24);
-        $hash = hash('sha1', config_item('auth.salt') .$token);
-
-        $result = $this->user_model->update($user->id, ['reset_hash' => $hash]);
-
-        if (! $result)
-        {
-            $this->error = $this->user_model->error();
-            return false;
-        }
-
-        Events::trigger('didRemindUser', [(array)$user, $token]);
-
-        return true;
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Validates the credentials provided and, if valid, resets the password.
-     *
-     * The $credentials array MUST contain a 'code' key with the string to
-     * hash and check against the reset_hash.
-     *
-     * @param $credentials
-     * @param $password
-     * @param $passConfirm
-     * @return mixed
-     */
-    public function resetPassword($credentials, $password, $passConfirm)
-    {
-        if (empty($credentials['code']))
-        {
-            $this->error = lang('auth.need_reset_code');
-            return false;
-        }
-
-        // Generate a hash to match against the table.
-        $reset_hash = hash('sha1', config_item('auth.salt') .$credentials['code']);
-        unset($credentials['code']);
-
-        if (! empty($credentials['email']))
-        {
-            $credentials['email'] = strtolower($credentials['email']);
-        }
-
-        // Is there a matching user?
-        $user = $this->user_model->as_array()
-                                 ->where($credentials)
-                                 ->first();
-
-        // If throttling time is above zero, we can't allow
-        // logins now.
-        $time = (int)$this->isThrottled($user);
-        if ($time > 0)
-        {
-            $this->error = sprintf(lang('auth.throttled'), $time);
-            return false;
-        }
-
-        // Get ip address
-        $ip_address = $this->ci->input->ip_address();
-
-        if (! $user)
-        {
-            $this->error = lang('auth.reset_no_user');
-            $this->ci->login_model->recordLoginAttempt($ip_address);
-            return false;
-        }
-
-        // Is generated reset_hash string matches one from the table?
-        if ($reset_hash !== $user['reset_hash'])
-        {
-            $this->error = lang('auth.reset_no_user');
-            $this->ci->login_model->recordLoginAttempt($ip_address, $user['id']);
-            return false;
-        }
-
-        // Update their password and reset their reset_hash
-        $data = [
-            'password'     => $password,
-            'pass_confirm' => $passConfirm,
-            'reset_hash'   => null
-        ];
-
-        if (! $this->user_model->update($user['id'], $data))
-        {
-            $this->error = $this->user_model->error();
-            return false;
-        }
-
-        // Clear our login attempts
-        $this->ci->login_model->purgeLoginAttempts($ip_address, $user['id']);
-
-        Events::trigger('didResetPassword', [$user]);
-
-        return true;
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Provides a way for implementations to allow new statuses to be set
-     * on the user. The details will vary based upon implementation, but
-     * will often allow for banning or suspending users.
-     *
-     * @param $newStatus
-     * @param null $message
-     * @return mixed
-     */
-    public function changeStatus($newStatus, $message=null)
-    {
-        // todo actually record new users status!
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Allows the consuming application to pass in a reference to the
-     * model that should be used.
-     *
-     * The model MUST extend Myth\Models\CIDbModel.
-     *
-     * @param $model
-     * @param bool $allow_any_parent
-     * @return mixed
-     */
-    public function useModel($model, $allow_any_parent=false)
-    {
-        if (! $allow_any_parent && get_parent_class($model) != 'Myth\Models\CIDbModel')
-        {
-            throw new \RuntimeException('Models passed into LocalAuthenticate MUST extend Myth\Models\CIDbModel');
-        }
-
-        $this->user_model =& $model;
-
-        return $this;
-    }
-
-    //--------------------------------------------------------------------
-
-    public function error()
-    {
-        if (validation_errors())
-        {
-            return validation_errors();
-        }
-
-        return $this->error;
-    }
-
-    //--------------------------------------------------------------------
-
-    //--------------------------------------------------------------------
-    // Login Records
-    //--------------------------------------------------------------------
-
-    /**
-     * Purges all login attempt records from the database.
-     *
-     * @param null $ip_address
-     * @param null $user_id
-     */
-    public function purgeLoginAttempts($ip_address = null, $user_id = null)
-    {
-        $this->ci->login_model->purgeLoginAttempts($ip_address, $user_id);
-
-        // @todo record activity of login attempts purge.
-        Events::trigger('didPurgeLoginAttempts', [$email]);
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Purges all remember tokens for a single user. Effectively logs
-     * a user out of all devices. Intended to allow users to log themselves
-     * out of all devices as a security measure.
-     *
-     * @param $email
-     */
-    public function purgeRememberTokens($email)
-    {
-        // Emails should NOT be case sensitive.
-        $email = strtolower($email);
-
-        $this->ci->login_model->purgeRememberTokens($email);
-
-        // todo record activity of remember me purges.
-        Events::trigger('didPurgeRememberTokens', [$email]);
-    }
-
-    //--------------------------------------------------------------------
-
-    //--------------------------------------------------------------------
-    // Protected Methods
-    //--------------------------------------------------------------------
-
-    /**
-     * Check if Allow Persistent Login Cookies is enable
-     *
-     * @param $user
-     */
-    protected function rememberUser($user)
-    {
-        if (! config_item('auth.allow_remembering'))
-        {
-            log_message('debug', 'Auth library set to refuse "Remember Me" functionality.');
-            return false;
-        }
-
-        $this->refreshRememberCookie($user);
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Invalidates the current rememberme cookie/database entry, creates
-     * a new one, stores it and returns the new value.
-     *
-     * @param $user
-     * @param null $token
-     * @return mixed
-     */
-    protected function refreshRememberCookie($user, $token=null)
-    {
-        $this->ci->load->helper('cookie');
-
-        // If a token is passed in, we know we're removing the
-        // old one.
-        if (! empty($token))
-        {
-            $this->invalidateRememberCookie($user['email'], $token);
-        }
-
-        $new_token = $this->ci->login_model->generateRememberToken($user);
-
-        // Save the token to the database.
-        $data = [
-            'email'   => $user['email'],
-            'hash'    => sha1(config_item('auth.salt') . $new_token),
-            'created' => date('Y-m-d H:i:s')
-        ];
-
-        $this->ci->db->insert('auth_tokens', $data);
-
-        // Create the cookie
-        set_cookie(
-            'remember',                             // Cookie Name
-            $new_token,                             // Value
-            config_item('auth.remember_length'),    // # Seconds until it expires
-            config_item('cookie_domain'),
-            config_item('cookie_path'),
-            config_item('cookie_prefix'),
-            false,                                  // Only send over HTTPS?
-            true                                    // Hide from Javascript?
-        );
-
-        return $new_token;
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Deletes any current remember me cookies and database entries.
-     *
-     * @param $email
-     * @param $token
-     * @return string The new token (not the hash).
-     */
-    protected function invalidateRememberCookie($email, $token)
-    {
-        // Emails should NOT be case sensitive.
-        $email = strtolower($email);
-
-        // Remove from the database
-        $this->ci->login_model->deleteRememberToken($email, $token);
-
-        // Remove the cookie
-        delete_cookie(
-            'remember',
-            config_item('cookie_domain'),
-            config_item('cookie_path'),
-            config_item('cookie_prefix')
-        );
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Handles the nitty gritty of actually logging our user into the system.
-     * Does NOT perform the authentication, just sets the system up so that
-     * it knows we're here.
-     *
-     * @param $user
-     */
-    protected function loginUser($user)
-    {
-        // Save the user for later access
-        $this->user = $user;
-
-        // Get ip address
-        $ip_address = $this->ci->input->ip_address();
-
-        // Regenerate the session ID to help protect
-        // against session fixation
-        $this->ci->session->sess_regenerate();
-
-        // Let the session know that we're logged in.
-        $this->ci->session->set_userdata('logged_in', $user['id']);
-
-        // Clear our login attempts
-        $this->ci->login_model->purgeLoginAttempts($ip_address, $user['id']);
-
-        // Record a new Login
-        $this->ci->login_model->recordLogin($user);
-
-        // If logged in, ensure cache control
-        // headers are in place
-        $this->setHeaders();
-
-        // We'll give a 20% chance to need to do a purge since we
-        // don't need to purge THAT often, it's just a maintenance issue.
-        // to keep the table from getting out of control.
-        if (mt_rand(1, 100) < 20)
-        {
-            $this->ci->login_model->purgeOldRememberTokens();
-        }
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Sets the headers to ensure that pages are not cached when a user
-     * is logged in, helping to protect against logging out and then
-     * simply hitting the Back button on the browser and getting private
-     * information because the page was loaded from cache.
-     */
-    protected function setHeaders()
-    {
-        $this->ci->output->set_header('Cache-Control: no-store, no-cache, must-revalidate');
-        $this->ci->output->set_header('Cache-Control: post-check=0, pre-check=0');
-        $this->ci->output->set_header('Pragma: no-cache');
-    }
-
-    //--------------------------------------------------------------------
+		// Get ip address
+		$ip_address = $this->ci->input->ip_address();
+
+		// Have any attempts been made?
+		$attempts = $this->ci->login_model->countLoginAttempts($ip_address, $user_id);
+
+		// Grab the amount of time to add if the system thinks we're
+		// under a distributed brute force attack.
+		// Affect users that have at least 1 failure login attempt
+		$dbrute_time = ($attempts === 0) ? 0 : $this->ci->login_model->distributedBruteForceTime();
+
+		// If this user was found to possibly be under a brute
+		// force attack, their account would have been banned
+		// for 15 minutes.
+		if ($time = isset($_SESSION['bruteBan']) ? $_SESSION['bruteBan'] : false)
+		{
+			// If the current time is less than the
+			// the ban expiration, plus any distributed time
+			// then the user can't login just yet.
+			if ($time + $dbrute_time > time())
+			{
+				// The user is banned still...
+				$this->error = lang('auth.bruteBan_notice');
+				return ($time + $dbrute_time) - time();
+			}
+
+			// Still here? The the ban time is over...
+			unset($_SESSION['bruteBan']);
+		}
+
+		// Grab the time of last attempt and
+		// determine if we're throttled by amount of time passed.
+		$last_time = $this->ci->login_model->lastLoginAttemptTime($ip_address, $user_id);
+
+		$allowed = config_item('auth.allowed_login_attempts');
+
+		// We're not throttling if there are 0 attempts or
+		// the number is less than or equal to the allowed free attempts
+		if ($attempts === 0 || $attempts <= $allowed)
+		{
+			// Before we can say there's nothing up here,
+			// we need to check dbrute time.
+			$time_left = $last_time + $dbrute_time - time();
+
+			if ($time_left > 0)
+			{
+				return $time_left;
+			}
+
+			return false;
+		}
+
+		// If the number of attempts is excessive (above 100) we need
+		// to check the elapsed time of all of these attacks. If they are
+		// less than 1 minute it's obvious this is a brute force attack,
+		// so we'll set a session flag and block that user for 15 minutes.
+		if ($attempts > 100 && $this->ci->login_model->isBruteForced($ip_address, $user_id))
+		{
+			$this->error = lang('auth.bruteBan_notice');
+
+			$ban_time = 60 * 15;    // 15 minutes
+			$_SESSION['bruteBan'] = time() + $ban_time;
+			return $ban_time;
+		}
+
+		// Get our allowed attempts out of the picture.
+		$attempts = $attempts - $allowed;
+
+		$max_time = config_item('auth.max_throttle_time');
+
+		$add_time = 5 * pow(2, $attempts - 1);
+
+		if ($add_time > $max_time)
+		{
+			$add_time = $max_time;
+		}
+
+		$next_time = $last_time + $add_time + $dbrute_time;
+
+		$current = time();
+
+		// We are NOT throttled if we are already
+		// past the allowed time.
+		if ($current > $next_time)
+		{
+			return false;
+		}
+
+		return $next_time - $current;
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Sends a password reset link email to the user associated with
+	 * the passed in $email.
+	 *
+	 * @param $email
+	 * @return mixed
+	 */
+	public function remindUser($email)
+	{
+		// Emails should NOT be case sensitive.
+		$email = strtolower($email);
+
+		// Is it a valid user?
+		$user = $this->user_model->find_by('email', $email);
+
+		if (! $user)
+		{
+			$this->error = lang('auth.invalid_email');
+			return false;
+		}
+
+		// Generate/store our codes
+		$this->ci->load->helper('string');
+		$token = random_string('alnum', 24);
+		$hash = hash('sha1', config_item('auth.salt') .$token);
+
+		$result = $this->user_model->update($user->id, ['reset_hash' => $hash]);
+
+		if (! $result)
+		{
+			$this->error = $this->user_model->error();
+			return false;
+		}
+
+		Events::trigger('didRemindUser', [(array)$user, $token]);
+
+		return true;
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Validates the credentials provided and, if valid, resets the password.
+	 *
+	 * The $credentials array MUST contain a 'code' key with the string to
+	 * hash and check against the reset_hash.
+	 *
+	 * @param $credentials
+	 * @param $password
+	 * @param $passConfirm
+	 * @return mixed
+	 */
+	public function resetPassword($credentials, $password, $passConfirm)
+	{
+		if (empty($credentials['code']))
+		{
+			$this->error = lang('auth.need_reset_code');
+			return false;
+		}
+
+		// Generate a hash to match against the table.
+		$reset_hash = hash('sha1', config_item('auth.salt') .$credentials['code']);
+		unset($credentials['code']);
+
+		if (! empty($credentials['email']))
+		{
+			$credentials['email'] = strtolower($credentials['email']);
+		}
+
+		// Is there a matching user?
+		$user = $this->user_model->as_array()
+								 ->where($credentials)
+								 ->first();
+
+		// If throttling time is above zero, we can't allow
+		// logins now.
+		$time = (int)$this->isThrottled($user);
+		if ($time > 0)
+		{
+			$this->error = sprintf(lang('auth.throttled'), $time);
+			return false;
+		}
+
+		// Get ip address
+		$ip_address = $this->ci->input->ip_address();
+
+		if (! $user)
+		{
+			$this->error = lang('auth.reset_no_user');
+			$this->ci->login_model->recordLoginAttempt($ip_address);
+			return false;
+		}
+
+		// Is generated reset_hash string matches one from the table?
+		if ($reset_hash !== $user['reset_hash'])
+		{
+			$this->error = lang('auth.reset_no_user');
+			$this->ci->login_model->recordLoginAttempt($ip_address, $user['id']);
+			return false;
+		}
+
+		// Update their password and reset their reset_hash
+		$data = [
+			'password'     => $password,
+			'pass_confirm' => $passConfirm,
+			'reset_hash'   => null
+		];
+
+		if (! $this->user_model->update($user['id'], $data))
+		{
+			$this->error = $this->user_model->error();
+			return false;
+		}
+
+		// Clear our login attempts
+		$this->ci->login_model->purgeLoginAttempts($ip_address, $user['id']);
+
+		Events::trigger('didResetPassword', [$user]);
+
+		return true;
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Provides a way for implementations to allow new statuses to be set
+	 * on the user. The details will vary based upon implementation, but
+	 * will often allow for banning or suspending users.
+	 *
+	 * @param $newStatus
+	 * @param null $message
+	 * @return mixed
+	 */
+	public function changeStatus($newStatus, $message=null)
+	{
+		// todo actually record new users status!
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Allows the consuming application to pass in a reference to the
+	 * model that should be used.
+	 *
+	 * The model MUST extend Myth\Models\CIDbModel.
+	 *
+	 * @param $model
+	 * @param bool $allow_any_parent
+	 * @return mixed
+	 */
+	public function useModel($model, $allow_any_parent=false)
+	{
+		if (! $allow_any_parent && get_parent_class($model) != 'Myth\Models\CIDbModel')
+		{
+			throw new \RuntimeException('Models passed into LocalAuthenticate MUST extend Myth\Models\CIDbModel');
+		}
+
+		$this->user_model =& $model;
+
+		return $this;
+	}
+
+	//--------------------------------------------------------------------
+
+	public function error()
+	{
+		if (validation_errors())
+		{
+			return validation_errors();
+		}
+
+		return $this->error;
+	}
+
+	//--------------------------------------------------------------------
+
+	//--------------------------------------------------------------------
+	// Login Records
+	//--------------------------------------------------------------------
+
+	/**
+	 * Purges all login attempt records from the database.
+	 *
+	 * @param null $ip_address
+	 * @param null $user_id
+	 */
+	public function purgeLoginAttempts($ip_address = null, $user_id = null)
+	{
+		$this->ci->login_model->purgeLoginAttempts($ip_address, $user_id);
+
+		// @todo record activity of login attempts purge.
+		Events::trigger('didPurgeLoginAttempts', [$email]);
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Purges all remember tokens for a single user. Effectively logs
+	 * a user out of all devices. Intended to allow users to log themselves
+	 * out of all devices as a security measure.
+	 *
+	 * @param $email
+	 */
+	public function purgeRememberTokens($email)
+	{
+		// Emails should NOT be case sensitive.
+		$email = strtolower($email);
+
+		$this->ci->login_model->purgeRememberTokens($email);
+
+		// todo record activity of remember me purges.
+		Events::trigger('didPurgeRememberTokens', [$email]);
+	}
+
+	//--------------------------------------------------------------------
+
+	//--------------------------------------------------------------------
+	// Protected Methods
+	//--------------------------------------------------------------------
+
+	/**
+	 * Check if Allow Persistent Login Cookies is enable
+	 *
+	 * @param $user
+	 */
+	protected function rememberUser($user)
+	{
+		if (! config_item('auth.allow_remembering'))
+		{
+			log_message('debug', 'Auth library set to refuse "Remember Me" functionality.');
+			return false;
+		}
+
+		$this->refreshRememberCookie($user);
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Invalidates the current rememberme cookie/database entry, creates
+	 * a new one, stores it and returns the new value.
+	 *
+	 * @param $user
+	 * @param null $token
+	 * @return mixed
+	 */
+	protected function refreshRememberCookie($user, $token=null)
+	{
+		$this->ci->load->helper('cookie');
+
+		// If a token is passed in, we know we're removing the
+		// old one.
+		if (! empty($token))
+		{
+			$this->invalidateRememberCookie($user['email'], $token);
+		}
+
+		$new_token = $this->ci->login_model->generateRememberToken($user);
+
+		// Save the token to the database.
+		$data = [
+			'email'   => $user['email'],
+			'hash'    => sha1(config_item('auth.salt') . $new_token),
+			'created' => date('Y-m-d H:i:s')
+		];
+
+		$this->ci->db->insert('auth_tokens', $data);
+
+		// Create the cookie
+		set_cookie(
+			'remember',                             // Cookie Name
+			$new_token,                             // Value
+			config_item('auth.remember_length'),    // # Seconds until it expires
+			config_item('cookie_domain'),
+			config_item('cookie_path'),
+			config_item('cookie_prefix'),
+			false,                                  // Only send over HTTPS?
+			true                                    // Hide from Javascript?
+		);
+
+		return $new_token;
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Deletes any current remember me cookies and database entries.
+	 *
+	 * @param $email
+	 * @param $token
+	 * @return string The new token (not the hash).
+	 */
+	protected function invalidateRememberCookie($email, $token)
+	{
+		// Emails should NOT be case sensitive.
+		$email = strtolower($email);
+
+		// Remove from the database
+		$this->ci->login_model->deleteRememberToken($email, $token);
+
+		// Remove the cookie
+		delete_cookie(
+			'remember',
+			config_item('cookie_domain'),
+			config_item('cookie_path'),
+			config_item('cookie_prefix')
+		);
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Handles the nitty gritty of actually logging our user into the system.
+	 * Does NOT perform the authentication, just sets the system up so that
+	 * it knows we're here.
+	 *
+	 * @param $user
+	 */
+	protected function loginUser($user)
+	{
+		// Save the user for later access
+		$this->user = $user;
+
+		// Get ip address
+		$ip_address = $this->ci->input->ip_address();
+
+		// Regenerate the session ID to help protect
+		// against session fixation
+		$this->ci->session->sess_regenerate();
+
+		// Let the session know that we're logged in.
+		$this->ci->session->set_userdata('logged_in', $user['id']);
+
+		// Clear our login attempts
+		$this->ci->login_model->purgeLoginAttempts($ip_address, $user['id']);
+
+		// Record a new Login
+		$this->ci->login_model->recordLogin($user);
+
+		// If logged in, ensure cache control
+		// headers are in place
+		$this->setHeaders();
+
+		// We'll give a 20% chance to need to do a purge since we
+		// don't need to purge THAT often, it's just a maintenance issue.
+		// to keep the table from getting out of control.
+		if (mt_rand(1, 100) < 20)
+		{
+			$this->ci->login_model->purgeOldRememberTokens();
+		}
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Sets the headers to ensure that pages are not cached when a user
+	 * is logged in, helping to protect against logging out and then
+	 * simply hitting the Back button on the browser and getting private
+	 * information because the page was loaded from cache.
+	 */
+	protected function setHeaders()
+	{
+		$this->ci->output->set_header('Cache-Control: no-store, no-cache, must-revalidate');
+		$this->ci->output->set_header('Cache-Control: post-check=0, pre-check=0');
+		$this->ci->output->set_header('Pragma: no-cache');
+	}
+
+	//--------------------------------------------------------------------
 
 
 }

Please login to merge, or discard this patch.

myth/Auth/AuthenticateInterface.php 1 patch

Indentation +192 added lines, -192 removed lines patch added patch discarded remove patch

@@ -42,197 +42,197 @@
 block discarded – undo
  */
 interface AuthenticateInterface {
 
-    /**
-     * Attempt to log a user into the system.
-     *
-     * $credentials is an array of key/value pairs needed to log the user in.
-     * This is often email/password, or username/password.
-     *
-     * @param $credentials
-     * @param bool $remember
-     */
-    public function login($credentials, $remember=false);
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Validates user login information without logging them in.
-     *
-     * $credentials is an array of key/value pairs needed to log the user in.
-     * This is often email/password, or username/password.
-     *
-     * @param $credentials
-     * @param bool $return_user
-     * @return mixed
-     */
-    public function validate($credentials, $return_user=false);
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Logs a user out and removes all session information.
-     *
-     * @return mixed
-     */
-    public function logout();
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Checks whether a user is logged in or not.
-     *
-     * @return bool
-     */
-    public function isLoggedIn();
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Attempts to log a user in based on the "remember me" cookie.
-     *
-     * @return bool
-     */
-    public function viaRemember();
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Registers a new user and handles activation method.
-     *
-     * @param $user_data
-     * @return bool
-     */
-    public function registerUser($user_data);
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Used to verify the user values and activate a user so they can
-     * visit the site.
-     *
-     * @param $data
-     * @return bool
-     */
-    public function activateUser($data);
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Used to allow manual activation of a user with a known ID.
-     *
-     * @param $id
-     * @return bool
-     */
-    public function activateUserById($id);
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Grabs the current user object. Returns NULL if nothing found.
-     *
-     * @return array|null
-     */
-    public function user();
-
-    //--------------------------------------------------------------------
-
-    /**
-     * A convenience method to grab the current user's ID.
-     *
-     * @return int|null
-     */
-    public function id();
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Tells the system to start throttling a user. This may vary by implementation,
-     * but will often add additional time before another login is allowed.
-     *
-     * @param $email
-     * @return mixed
-     */
-    public function isThrottled($email);
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Sends a password reminder email to the user associated with
-     * the passed in $email.
-     *
-     * @param $email
-     * @return mixed
-     */
-    public function remindUser($email);
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Validates the credentials provided and, if valid, resets the password.
-     *
-     * @param $credentials
-     * @param $password
-     * @param $passConfirm
-     * @return mixed
-     */
-    public function resetPassword($credentials, $password, $passConfirm);
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Provides a way for implementations to allow new statuses to be set
-     * on the user. The details will vary based upon implementation, but
-     * will often allow for banning or suspending users.
-     *
-     * @param $newStatus
-     * @param null $message
-     * @return mixed
-     */
-    public function changeStatus($newStatus, $message=null);
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Allows the consuming application to pass in a reference to the
-     * model that should be used.
-     *
-     * The model MUST extend Myth\Models\CIDbModel.
-     *
-     * @param $model
-     * @return mixed
-     */
-    public function useModel($model);
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Returns the current error string.
-     *
-     * @return mixed
-     */
-    public function error();
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Purges all login attempt records from the database.
-     *
-     * @param null $ip_address
-     * @param null $user_id
-     */
-    public function purgeLoginAttempts($ip_address = null, $user_id = null);
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Purges all remember tokens for a single user. Effectively logs
-     * a user out of all devices. Intended to allow users to log themselves
-     * out of all devices as a security measure.
-     *
-     * @param $email
-     */
-    public function purgeRememberTokens($email);
-
-    //--------------------------------------------------------------------
+	/**
+	 * Attempt to log a user into the system.
+	 *
+	 * $credentials is an array of key/value pairs needed to log the user in.
+	 * This is often email/password, or username/password.
+	 *
+	 * @param $credentials
+	 * @param bool $remember
+	 */
+	public function login($credentials, $remember=false);
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Validates user login information without logging them in.
+	 *
+	 * $credentials is an array of key/value pairs needed to log the user in.
+	 * This is often email/password, or username/password.
+	 *
+	 * @param $credentials
+	 * @param bool $return_user
+	 * @return mixed
+	 */
+	public function validate($credentials, $return_user=false);
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Logs a user out and removes all session information.
+	 *
+	 * @return mixed
+	 */
+	public function logout();
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Checks whether a user is logged in or not.
+	 *
+	 * @return bool
+	 */
+	public function isLoggedIn();
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Attempts to log a user in based on the "remember me" cookie.
+	 *
+	 * @return bool
+	 */
+	public function viaRemember();
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Registers a new user and handles activation method.
+	 *
+	 * @param $user_data
+	 * @return bool
+	 */
+	public function registerUser($user_data);
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Used to verify the user values and activate a user so they can
+	 * visit the site.
+	 *
+	 * @param $data
+	 * @return bool
+	 */
+	public function activateUser($data);
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Used to allow manual activation of a user with a known ID.
+	 *
+	 * @param $id
+	 * @return bool
+	 */
+	public function activateUserById($id);
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Grabs the current user object. Returns NULL if nothing found.
+	 *
+	 * @return array|null
+	 */
+	public function user();
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * A convenience method to grab the current user's ID.
+	 *
+	 * @return int|null
+	 */
+	public function id();
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Tells the system to start throttling a user. This may vary by implementation,
+	 * but will often add additional time before another login is allowed.
+	 *
+	 * @param $email
+	 * @return mixed
+	 */
+	public function isThrottled($email);
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Sends a password reminder email to the user associated with
+	 * the passed in $email.
+	 *
+	 * @param $email
+	 * @return mixed
+	 */
+	public function remindUser($email);
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Validates the credentials provided and, if valid, resets the password.
+	 *
+	 * @param $credentials
+	 * @param $password
+	 * @param $passConfirm
+	 * @return mixed
+	 */
+	public function resetPassword($credentials, $password, $passConfirm);
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Provides a way for implementations to allow new statuses to be set
+	 * on the user. The details will vary based upon implementation, but
+	 * will often allow for banning or suspending users.
+	 *
+	 * @param $newStatus
+	 * @param null $message
+	 * @return mixed
+	 */
+	public function changeStatus($newStatus, $message=null);
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Allows the consuming application to pass in a reference to the
+	 * model that should be used.
+	 *
+	 * The model MUST extend Myth\Models\CIDbModel.
+	 *
+	 * @param $model
+	 * @return mixed
+	 */
+	public function useModel($model);
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Returns the current error string.
+	 *
+	 * @return mixed
+	 */
+	public function error();
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Purges all login attempt records from the database.
+	 *
+	 * @param null $ip_address
+	 * @param null $user_id
+	 */
+	public function purgeLoginAttempts($ip_address = null, $user_id = null);
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Purges all remember tokens for a single user. Effectively logs
+	 * a user out of all devices. Intended to allow users to log themselves
+	 * out of all devices as a security measure.
+	 *
+	 * @param $email
+	 */
+	public function purgeRememberTokens($email);
+
+	//--------------------------------------------------------------------
 
 }

Please login to merge, or discard this patch.

myth/CIModules/auth/models/Login_model.php 1 patch

Indentation +381 added lines, -381 removed lines patch added patch discarded remove patch

@@ -1,34 +1,34 @@  discard block
 block discarded – undo
 <?php
 /**
- * Sprint
- *
- * A set of power tools to enhance the CodeIgniter framework and provide consistent workflow.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- *
- * @package     Sprint
- * @author      Lonnie Ezell
- * @copyright   Copyright 2014-2015, New Myth Media, LLC (http://newmythmedia.com)
- * @license     http://opensource.org/licenses/MIT  (MIT)
- * @link        http://sprintphp.com
- * @since       Version 1.0
- */
+	 * Sprint
+	 *
+	 * A set of power tools to enhance the CodeIgniter framework and provide consistent workflow.
+	 *
+	 * Permission is hereby granted, free of charge, to any person obtaining a copy
+	 * of this software and associated documentation files (the "Software"), to deal
+	 * in the Software without restriction, including without limitation the rights
+	 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+	 * copies of the Software, and to permit persons to whom the Software is
+	 * furnished to do so, subject to the following conditions:
+	 *
+	 * The above copyright notice and this permission notice shall be included in
+	 * all copies or substantial portions of the Software.
+	 *
+	 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+	 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+	 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+	 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+	 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+	 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+	 * THE SOFTWARE.
+	 *
+	 * @package     Sprint
+	 * @author      Lonnie Ezell
+	 * @copyright   Copyright 2014-2015, New Myth Media, LLC (http://newmythmedia.com)
+	 * @license     http://opensource.org/licenses/MIT  (MIT)
+	 * @link        http://sprintphp.com
+	 * @since       Version 1.0
+	 */
 
 /**
  * Class Login_model
@@ -41,357 +41,357 @@  discard block
 block discarded – undo
  */
 class Login_model extends \Myth\Models\CIDbModel {
 
-    protected $table_name = 'auth_logins';
-
-    protected $set_created = false;
-    protected $set_modified = false;
-
-    //--------------------------------------------------------------------
-
-    //--------------------------------------------------------------------
-    // Login Attempts
-    //--------------------------------------------------------------------
-
-    /**
-     * Records a login attempt. This is used to implement
-     * throttling of application, ip address and user login attempts.
-     *
-     * @param $ip_address
-     * @param $user_id
-     * @return void
-     */
-    public function recordLoginAttempt($ip_address, $user_id = null)
-    {
-        $datetime = date('Y-m-d H:i:s');
-
-        // log attempt for app
-        $data = [
-            'type' => 'app',
-            'datetime' => $datetime
-        ];
-
-        $this->db->insert('auth_login_attempts', $data);
-
-        // log attempt for ip address
-        if (! empty($ip_address))
-        {
-            $data = [
-                'type' => 'ip',
-                'ip_address' => $ip_address,
-                'datetime' => $datetime
-            ];
-
-            $this->db->insert('auth_login_attempts', $data);
-        }
-
-        // log attempt for user
-        if ($user_id)
-        {
-            $data = [
-                'type' => 'user',
-                'user_id' => $user_id,
-                'datetime' => $datetime
-            ];
-
-            $this->db->insert('auth_login_attempts', $data);
-        }
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Purges all login attempt records from the database.
-     *
-     * @param $ip_address
-     * @param $user_id
-     * @return mixed
-     */
-    public function purgeLoginAttempts($ip_address, $user_id)
-    {
-        if ($ip_address)
-        {
-            $this->db->where('ip_address', $ip_address);
-        }
-
-        if ($user_id)
-        {
-            $this->db->or_where('user_id', $user_id);
-        }
-
-        return $this->db->delete('auth_login_attempts');
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Checks to see if how many login attempts have been attempted in the
-     * last 60 seconds. If over 100, it is considered to be under a
-     * brute force attempt.
-     *
-     * @param $ip_address
-     * @param $user_id
-     * @return bool
-     */
-    public function isBruteForced($ip_address, $user_id)
-    {
-        $start_time = date('Y-m-d H:i:s', time() - 60);
-
-        $attempts_ip = $this->db->where('type', 'ip')
-                                ->where('ip_address', $ip_address)
-                                ->where('datetime >=', $start_time)
-                                ->count_all_results('auth_login_attempts');
-
-        if (! $user_id)
-        {
-            return $attempts_ip > 100;
-        }
-
-        $attempts_user = $this->db->where('type', 'user')
-                                  ->where('user_id', $user_id)
-                                  ->where('datetime >=', $start_time)
-                                  ->count_all_results('auth_login_attempts');
-
-        if ($attempts_user > $attempts_ip) 
-        {
-            return $attempts_user > 100;
-        }
-        else
-        {
-            return $attempts_ip > 100;
-        }
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Attempts to determine if the system is under a distributed
-     * brute force attack.
-     *
-     * To determine if we are in under a brute force attack, we first
-     * find the average number of bad logins per day that never converted to
-     * successful logins over the last 3 months. Then we compare
-     * that to the the average number of logins in the past 24 hours.
-     *
-     * If the number of attempts in the last 24 hours is more than X (see config)
-     * times the average, then institute additional throttling.
-     *
-     * @return int The time to add to any throttling.
-     */
-    public function distributedBruteForceTime()
-    {
-        if (! $time = $this->cache->get('dbrutetime'))
-        {
-            $time = 0;
-
-            // Compute our daily average over the last 3 months.
-            $avg_start_time = date('Y-m-d 00:00:00', strtotime('-3 months'));
-
-            $query = $this->db->query("SELECT COUNT(*) / COUNT(DISTINCT DATE(`datetime`)) as num_rows FROM `auth_login_attempts` WHERE `type` = 'app' AND `datetime` >= ?", $avg_start_time);
-
-            if (! $query->num_rows())
-            {
-                $average = 0;
-            }
-            else
-            {
-                $average = $query->row()->num_rows;
-            }
-
-            // Get the total in the last 24 hours
-            $today_start_time = date('Y-m-d H:i:s', strtotime('-24 hours'));
-
-            $attempts = $this->db->where('type', 'app')
-                                 ->where('datetime >=', $today_start_time)
-                                 ->count_all_results('auth_login_attempts');
-
-            if ($attempts > (config_item('auth.dbrute_multiplier') * $average))
-            {
-                $time = config_item('auth.distributed_brute_add_time');
-            }
-
-            // Cache it for 3 hours.
-            $this->cache->save('dbrutetime', $time, 60*60*3);
-        }
-
-        return $time;
-    }
-
-    //--------------------------------------------------------------------
-
-    //--------------------------------------------------------------------
-    // Logins
-    //--------------------------------------------------------------------
-
-    /**
-     * Records a successful login. This stores in a table so that a
-     * history can be pulled up later if needed for security analyses.
-     *
-     * @param $user
-     */
-    public function recordLogin($user)
-    {
-        $data = [
-            'user_id'    => (int)$user['id'],
-            'datetime'   => date('Y-m-d H:i:s'),
-            'ip_address' => $this->input->ip_address()
-        ];
-
-        return $this->db->insert('auth_logins', $data);
-    }
-
-    //--------------------------------------------------------------------
-
-    //--------------------------------------------------------------------
-    // Tokens
-    //--------------------------------------------------------------------
-
-    /**
-     * Generates a new token for the rememberme cookie.
-     *
-     * The token is based on the user's email address (since everyone will have one)
-     * with the '@' turned to a '.', followed by a pipe (|) and a random 128-character
-     * string with letters and numbers.
-     *
-     * @param $user
-     * @return mixed
-     */
-    public function generateRememberToken($user)
-    {
-        $this->load->helper('string');
-
-        return str_replace('@', '.', $user['email']) .'|' . random_string('alnum', 128);
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Hashes the token for the Remember Me Functionality.
-     *
-     * @param $token
-     * @return string
-     */
-    public function hashRememberToken($token)
-    {
-        return sha1(config_item('auth.salt') . $token);
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Deletes a single token that matches the email/token combo.
-     *
-     * @param $email
-     * @param $token
-     * @return mixed
-     */
-    public function deleteRememberToken($email, $token)
-    {
-        $where = [
-            'email' => $email,
-            'hash'  => $this->hashRememberToken($token)
-        ];
-
-        $this->db->delete('auth_tokens', $where);
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Removes all persistent login tokens (RememberMe) for a single user
-     * across all devices they may have logged in with.
-     *
-     * @param $email
-     * @return mixed
-     */
-    public function purgeRememberTokens($email)
-    {
-        return $this->db->delete('auth_tokens', ['email' => $email]);
-    }
-
-    //--------------------------------------------------------------------
-
-
-    /**
-     * Purges the 'auth_tokens' table of any records that are too old
-     * to be of any use anymore. This equates to 1 week older than
-     * the remember_length set in the config file.
-     */
-    public function purgeOldRememberTokens()
-    {
-        if (! config_item('auth.allow_remembering'))
-        {
-            return;
-        }
-
-        $date = time() - config_item('auth.remember_length') - 604800; // 1 week
-        $date = date('Y-m-d 00:00:00', $date);
-
-        $this->db->where('created <=', $date)
-                 ->delete('auth_tokens');
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Gets the timestamp of the last attempted login for this user.
-     *
-     * @param $ip_address
-     * @param $user_id
-     * @return int|null
-     */
-    public function lastLoginAttemptTime($ip_address, $user_id)
-    {
-        $query = $this->db->where('type', 'ip')
-                          ->where('ip_address', $ip_address)
-                          ->order_by('datetime', 'desc')
-                          ->limit(1)
-                          ->get('auth_login_attempts');
-
-        $last_ip = ! $query->num_rows() ? 0 : strtotime($query->row()->datetime);
-
-        if (! $user_id)
-        {
-            return $last_ip;
-        }
-
-        $query = $this->db->where('type', 'user')
-                          ->where('user_id', $user_id)
-                          ->order_by('datetime', 'desc')
-                          ->limit(1)
-                          ->get('auth_login_attempts');
-
-        $last_user = ! $query->num_rows() ? 0 : strtotime($query->row()->datetime);
-
-        return ($last_user > $last_ip) ? $last_user : $last_ip;
-    }
-
-    //--------------------------------------------------------------------
-
-    /**
-     * Returns the number of failed login attempts for a given type.
-     *
-     * @param $ip_address
-     * @param $user_id
-     * @return int
-     */
-    public function countLoginAttempts($ip_address, $user_id)
-    {
-        $count_ip = $this->db->where('type', 'ip')
-                             ->where('ip_address', $ip_address)
-                             ->count_all_results('auth_login_attempts');
-
-        if (! $user_id)
-        {
-            return $count_ip;
-        }
-
-        $count_user = $this->db->where('type', 'user')
-                               ->where('user_id', $user_id)
-                               ->count_all_results('auth_login_attempts');
-
-        return ($count_user > $count_ip) ? $count_user : $count_ip;
-    }
-
-    //--------------------------------------------------------------------
+	protected $table_name = 'auth_logins';
+
+	protected $set_created = false;
+	protected $set_modified = false;
+
+	//--------------------------------------------------------------------
+
+	//--------------------------------------------------------------------
+	// Login Attempts
+	//--------------------------------------------------------------------
+
+	/**
+	 * Records a login attempt. This is used to implement
+	 * throttling of application, ip address and user login attempts.
+	 *
+	 * @param $ip_address
+	 * @param $user_id
+	 * @return void
+	 */
+	public function recordLoginAttempt($ip_address, $user_id = null)
+	{
+		$datetime = date('Y-m-d H:i:s');
+
+		// log attempt for app
+		$data = [
+			'type' => 'app',
+			'datetime' => $datetime
+		];
+
+		$this->db->insert('auth_login_attempts', $data);
+
+		// log attempt for ip address
+		if (! empty($ip_address))
+		{
+			$data = [
+				'type' => 'ip',
+				'ip_address' => $ip_address,
+				'datetime' => $datetime
+			];
+
+			$this->db->insert('auth_login_attempts', $data);
+		}
+
+		// log attempt for user
+		if ($user_id)
+		{
+			$data = [
+				'type' => 'user',
+				'user_id' => $user_id,
+				'datetime' => $datetime
+			];
+
+			$this->db->insert('auth_login_attempts', $data);
+		}
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Purges all login attempt records from the database.
+	 *
+	 * @param $ip_address
+	 * @param $user_id
+	 * @return mixed
+	 */
+	public function purgeLoginAttempts($ip_address, $user_id)
+	{
+		if ($ip_address)
+		{
+			$this->db->where('ip_address', $ip_address);
+		}
+
+		if ($user_id)
+		{
+			$this->db->or_where('user_id', $user_id);
+		}
+
+		return $this->db->delete('auth_login_attempts');
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Checks to see if how many login attempts have been attempted in the
+	 * last 60 seconds. If over 100, it is considered to be under a
+	 * brute force attempt.
+	 *
+	 * @param $ip_address
+	 * @param $user_id
+	 * @return bool
+	 */
+	public function isBruteForced($ip_address, $user_id)
+	{
+		$start_time = date('Y-m-d H:i:s', time() - 60);
+
+		$attempts_ip = $this->db->where('type', 'ip')
+								->where('ip_address', $ip_address)
+								->where('datetime >=', $start_time)
+								->count_all_results('auth_login_attempts');
+
+		if (! $user_id)
+		{
+			return $attempts_ip > 100;
+		}
+
+		$attempts_user = $this->db->where('type', 'user')
+								  ->where('user_id', $user_id)
+								  ->where('datetime >=', $start_time)
+								  ->count_all_results('auth_login_attempts');
+
+		if ($attempts_user > $attempts_ip) 
+		{
+			return $attempts_user > 100;
+		}
+		else
+		{
+			return $attempts_ip > 100;
+		}
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Attempts to determine if the system is under a distributed
+	 * brute force attack.
+	 *
+	 * To determine if we are in under a brute force attack, we first
+	 * find the average number of bad logins per day that never converted to
+	 * successful logins over the last 3 months. Then we compare
+	 * that to the the average number of logins in the past 24 hours.
+	 *
+	 * If the number of attempts in the last 24 hours is more than X (see config)
+	 * times the average, then institute additional throttling.
+	 *
+	 * @return int The time to add to any throttling.
+	 */
+	public function distributedBruteForceTime()
+	{
+		if (! $time = $this->cache->get('dbrutetime'))
+		{
+			$time = 0;
+
+			// Compute our daily average over the last 3 months.
+			$avg_start_time = date('Y-m-d 00:00:00', strtotime('-3 months'));
+
+			$query = $this->db->query("SELECT COUNT(*) / COUNT(DISTINCT DATE(`datetime`)) as num_rows FROM `auth_login_attempts` WHERE `type` = 'app' AND `datetime` >= ?", $avg_start_time);
+
+			if (! $query->num_rows())
+			{
+				$average = 0;
+			}
+			else
+			{
+				$average = $query->row()->num_rows;
+			}
+
+			// Get the total in the last 24 hours
+			$today_start_time = date('Y-m-d H:i:s', strtotime('-24 hours'));
+
+			$attempts = $this->db->where('type', 'app')
+								 ->where('datetime >=', $today_start_time)
+								 ->count_all_results('auth_login_attempts');
+
+			if ($attempts > (config_item('auth.dbrute_multiplier') * $average))
+			{
+				$time = config_item('auth.distributed_brute_add_time');
+			}
+
+			// Cache it for 3 hours.
+			$this->cache->save('dbrutetime', $time, 60*60*3);
+		}
+
+		return $time;
+	}
+
+	//--------------------------------------------------------------------
+
+	//--------------------------------------------------------------------
+	// Logins
+	//--------------------------------------------------------------------
+
+	/**
+	 * Records a successful login. This stores in a table so that a
+	 * history can be pulled up later if needed for security analyses.
+	 *
+	 * @param $user
+	 */
+	public function recordLogin($user)
+	{
+		$data = [
+			'user_id'    => (int)$user['id'],
+			'datetime'   => date('Y-m-d H:i:s'),
+			'ip_address' => $this->input->ip_address()
+		];
+
+		return $this->db->insert('auth_logins', $data);
+	}
+
+	//--------------------------------------------------------------------
+
+	//--------------------------------------------------------------------
+	// Tokens
+	//--------------------------------------------------------------------
+
+	/**
+	 * Generates a new token for the rememberme cookie.
+	 *
+	 * The token is based on the user's email address (since everyone will have one)
+	 * with the '@' turned to a '.', followed by a pipe (|) and a random 128-character
+	 * string with letters and numbers.
+	 *
+	 * @param $user
+	 * @return mixed
+	 */
+	public function generateRememberToken($user)
+	{
+		$this->load->helper('string');
+
+		return str_replace('@', '.', $user['email']) .'|' . random_string('alnum', 128);
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Hashes the token for the Remember Me Functionality.
+	 *
+	 * @param $token
+	 * @return string
+	 */
+	public function hashRememberToken($token)
+	{
+		return sha1(config_item('auth.salt') . $token);
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Deletes a single token that matches the email/token combo.
+	 *
+	 * @param $email
+	 * @param $token
+	 * @return mixed
+	 */
+	public function deleteRememberToken($email, $token)
+	{
+		$where = [
+			'email' => $email,
+			'hash'  => $this->hashRememberToken($token)
+		];
+
+		$this->db->delete('auth_tokens', $where);
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Removes all persistent login tokens (RememberMe) for a single user
+	 * across all devices they may have logged in with.
+	 *
+	 * @param $email
+	 * @return mixed
+	 */
+	public function purgeRememberTokens($email)
+	{
+		return $this->db->delete('auth_tokens', ['email' => $email]);
+	}
+
+	//--------------------------------------------------------------------
+
+
+	/**
+	 * Purges the 'auth_tokens' table of any records that are too old
+	 * to be of any use anymore. This equates to 1 week older than
+	 * the remember_length set in the config file.
+	 */
+	public function purgeOldRememberTokens()
+	{
+		if (! config_item('auth.allow_remembering'))
+		{
+			return;
+		}
+
+		$date = time() - config_item('auth.remember_length') - 604800; // 1 week
+		$date = date('Y-m-d 00:00:00', $date);
+
+		$this->db->where('created <=', $date)
+				 ->delete('auth_tokens');
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Gets the timestamp of the last attempted login for this user.
+	 *
+	 * @param $ip_address
+	 * @param $user_id
+	 * @return int|null
+	 */
+	public function lastLoginAttemptTime($ip_address, $user_id)
+	{
+		$query = $this->db->where('type', 'ip')
+						  ->where('ip_address', $ip_address)
+						  ->order_by('datetime', 'desc')
+						  ->limit(1)
+						  ->get('auth_login_attempts');
+
+		$last_ip = ! $query->num_rows() ? 0 : strtotime($query->row()->datetime);
+
+		if (! $user_id)
+		{
+			return $last_ip;
+		}
+
+		$query = $this->db->where('type', 'user')
+						  ->where('user_id', $user_id)
+						  ->order_by('datetime', 'desc')
+						  ->limit(1)
+						  ->get('auth_login_attempts');
+
+		$last_user = ! $query->num_rows() ? 0 : strtotime($query->row()->datetime);
+
+		return ($last_user > $last_ip) ? $last_user : $last_ip;
+	}
+
+	//--------------------------------------------------------------------
+
+	/**
+	 * Returns the number of failed login attempts for a given type.
+	 *
+	 * @param $ip_address
+	 * @param $user_id
+	 * @return int
+	 */
+	public function countLoginAttempts($ip_address, $user_id)
+	{
+		$count_ip = $this->db->where('type', 'ip')
+							 ->where('ip_address', $ip_address)
+							 ->count_all_results('auth_login_attempts');
+
+		if (! $user_id)
+		{
+			return $count_ip;
+		}
+
+		$count_user = $this->db->where('type', 'user')
+							   ->where('user_id', $user_id)
+							   ->count_all_results('auth_login_attempts');
+
+		return ($count_user > $count_ip) ? $count_user : $count_ip;
+	}
+
+	//--------------------------------------------------------------------
 
 }

Please login to merge, or discard this patch.

		@@ -242,7 +242,7 @@ discard block
		block discarded – undo
242	242	/**
243	243	* Logs a user out and removes all session information.
244	244	*
245		- * @return mixed
	245	+ * @return false\|null
246	246	*/
247	247	public function logout()
248	248	{
		@@ -608,7 +608,7 @@ discard block
		block discarded – undo
608	608	* the passed in $email.
609	609	*
610	610	* @param $email
611		- * @return mixed
	611	+ * @return boolean
612	612	*/
613	613	public function remindUser($email)
614	614	{
		@@ -653,7 +653,7 @@ discard block
		block discarded – undo
653	653	* @param $credentials
654	654	* @param $password
655	655	* @param $passConfirm
656		- * @return mixed
	656	+ * @return boolean
657	657	*/
658	658	public function resetPassword($credentials, $password, $passConfirm)
659	659	{
		@@ -751,7 +751,7 @@ discard block
		block discarded – undo
751	751	*
752	752	* @param $model
753	753	* @param bool $allow_any_parent
754		- * @return mixed
	754	+ * @return LocalAuthentication
755	755	*/
756	756	public function useModel($model, $allow_any_parent=false)
757	757	{

GitHub Access Token became invalid

Push — develop ( 154c58...727d1c )

Status

Category

Doc Comments +4 added lines, -4 removed lines patch added patch discarded remove patch

Indentation +918 added lines, -918 removed lines patch added patch discarded remove patch

Indentation +192 added lines, -192 removed lines patch added patch discarded remove patch

Indentation +381 added lines, -381 removed lines patch added patch discarded remove patch

		@@ -42,197 +42,197 @@
		block discarded – undo
42	42	*/
43	43	interface AuthenticateInterface {
44	44
45		- /**
46		- * Attempt to log a user into the system.
47		- *
48		- * $credentials is an array of key/value pairs needed to log the user in.
49		- * This is often email/password, or username/password.
50		- *
51		- * @param $credentials
52		- * @param bool $remember
53		- */
54		- public function login($credentials, $remember=false);
55		-
56		- //--------------------------------------------------------------------
57		-
58		- /**
59		- * Validates user login information without logging them in.
60		- *
61		- * $credentials is an array of key/value pairs needed to log the user in.
62		- * This is often email/password, or username/password.
63		- *
64		- * @param $credentials
65		- * @param bool $return_user
66		- * @return mixed
67		- */
68		- public function validate($credentials, $return_user=false);
69		-
70		- //--------------------------------------------------------------------
71		-
72		- /**
73		- * Logs a user out and removes all session information.
74		- *
75		- * @return mixed
76		- */
77		- public function logout();
78		-
79		- //--------------------------------------------------------------------
80		-
81		- /**
82		- * Checks whether a user is logged in or not.
83		- *
84		- * @return bool
85		- */
86		- public function isLoggedIn();
87		-
88		- //--------------------------------------------------------------------
89		-
90		- /**
91		- * Attempts to log a user in based on the "remember me" cookie.
92		- *
93		- * @return bool
94		- */
95		- public function viaRemember();
96		-
97		- //--------------------------------------------------------------------
98		-
99		- /**
100		- * Registers a new user and handles activation method.
101		- *
102		- * @param $user_data
103		- * @return bool
104		- */
105		- public function registerUser($user_data);
106		-
107		- //--------------------------------------------------------------------
108		-
109		- /**
110		- * Used to verify the user values and activate a user so they can
111		- * visit the site.
112		- *
113		- * @param $data
114		- * @return bool
115		- */
116		- public function activateUser($data);
117		-
118		- //--------------------------------------------------------------------
119		-
120		- /**
121		- * Used to allow manual activation of a user with a known ID.
122		- *
123		- * @param $id
124		- * @return bool
125		- */
126		- public function activateUserById($id);
127		-
128		- //--------------------------------------------------------------------
129		-
130		- /**
131		- * Grabs the current user object. Returns NULL if nothing found.
132		- *
133		- * @return array\|null
134		- */
135		- public function user();
136		-
137		- //--------------------------------------------------------------------
138		-
139		- /**
140		- * A convenience method to grab the current user's ID.
141		- *
142		- * @return int\|null
143		- */
144		- public function id();
145		-
146		- //--------------------------------------------------------------------
147		-
148		- /**
149		- * Tells the system to start throttling a user. This may vary by implementation,
150		- * but will often add additional time before another login is allowed.
151		- *
152		- * @param $email
153		- * @return mixed
154		- */
155		- public function isThrottled($email);
156		-
157		- //--------------------------------------------------------------------
158		-
159		- /**
160		- * Sends a password reminder email to the user associated with
161		- * the passed in $email.
162		- *
163		- * @param $email
164		- * @return mixed
165		- */
166		- public function remindUser($email);
167		-
168		- //--------------------------------------------------------------------
169		-
170		- /**
171		- * Validates the credentials provided and, if valid, resets the password.
172		- *
173		- * @param $credentials
174		- * @param $password
175		- * @param $passConfirm
176		- * @return mixed
177		- */
178		- public function resetPassword($credentials, $password, $passConfirm);
179		-
180		- //--------------------------------------------------------------------
181		-
182		- /**
183		- * Provides a way for implementations to allow new statuses to be set
184		- * on the user. The details will vary based upon implementation, but
185		- * will often allow for banning or suspending users.
186		- *
187		- * @param $newStatus
188		- * @param null $message
189		- * @return mixed
190		- */
191		- public function changeStatus($newStatus, $message=null);
192		-
193		- //--------------------------------------------------------------------
194		-
195		- /**
196		- * Allows the consuming application to pass in a reference to the
197		- * model that should be used.
198		- *
199		- * The model MUST extend Myth\Models\CIDbModel.
200		- *
201		- * @param $model
202		- * @return mixed
203		- */
204		- public function useModel($model);
205		-
206		- //--------------------------------------------------------------------
207		-
208		- /**
209		- * Returns the current error string.
210		- *
211		- * @return mixed
212		- */
213		- public function error();
214		-
215		- //--------------------------------------------------------------------
216		-
217		- /**
218		- * Purges all login attempt records from the database.
219		- *
220		- * @param null $ip_address
221		- * @param null $user_id
222		- */
223		- public function purgeLoginAttempts($ip_address = null, $user_id = null);
224		-
225		- //--------------------------------------------------------------------
226		-
227		- /**
228		- * Purges all remember tokens for a single user. Effectively logs
229		- * a user out of all devices. Intended to allow users to log themselves
230		- * out of all devices as a security measure.
231		- *
232		- * @param $email
233		- */
234		- public function purgeRememberTokens($email);
235		-
236		- //--------------------------------------------------------------------
	45	+ /**
	46	+ * Attempt to log a user into the system.
	47	+ *
	48	+ * $credentials is an array of key/value pairs needed to log the user in.
	49	+ * This is often email/password, or username/password.
	50	+ *
	51	+ * @param $credentials
	52	+ * @param bool $remember
	53	+ */
	54	+ public function login($credentials, $remember=false);
	55	+
	56	+ //--------------------------------------------------------------------
	57	+
	58	+ /**
	59	+ * Validates user login information without logging them in.
	60	+ *
	61	+ * $credentials is an array of key/value pairs needed to log the user in.
	62	+ * This is often email/password, or username/password.
	63	+ *
	64	+ * @param $credentials
	65	+ * @param bool $return_user
	66	+ * @return mixed
	67	+ */
	68	+ public function validate($credentials, $return_user=false);
	69	+
	70	+ //--------------------------------------------------------------------
	71	+
	72	+ /**
	73	+ * Logs a user out and removes all session information.
	74	+ *
	75	+ * @return mixed
	76	+ */
	77	+ public function logout();
	78	+
	79	+ //--------------------------------------------------------------------
	80	+
	81	+ /**
	82	+ * Checks whether a user is logged in or not.
	83	+ *
	84	+ * @return bool
	85	+ */
	86	+ public function isLoggedIn();
	87	+
	88	+ //--------------------------------------------------------------------
	89	+
	90	+ /**
	91	+ * Attempts to log a user in based on the "remember me" cookie.
	92	+ *
	93	+ * @return bool
	94	+ */
	95	+ public function viaRemember();
	96	+
	97	+ //--------------------------------------------------------------------
	98	+
	99	+ /**
	100	+ * Registers a new user and handles activation method.
	101	+ *
	102	+ * @param $user_data
	103	+ * @return bool
	104	+ */
	105	+ public function registerUser($user_data);
	106	+
	107	+ //--------------------------------------------------------------------
	108	+
	109	+ /**
	110	+ * Used to verify the user values and activate a user so they can
	111	+ * visit the site.
	112	+ *
	113	+ * @param $data
	114	+ * @return bool
	115	+ */
	116	+ public function activateUser($data);
	117	+
	118	+ //--------------------------------------------------------------------
	119	+
	120	+ /**
	121	+ * Used to allow manual activation of a user with a known ID.
	122	+ *
	123	+ * @param $id
	124	+ * @return bool
	125	+ */
	126	+ public function activateUserById($id);
	127	+
	128	+ //--------------------------------------------------------------------
	129	+
	130	+ /**
	131	+ * Grabs the current user object. Returns NULL if nothing found.
	132	+ *
	133	+ * @return array\|null
	134	+ */
	135	+ public function user();
	136	+
	137	+ //--------------------------------------------------------------------
	138	+
	139	+ /**
	140	+ * A convenience method to grab the current user's ID.
	141	+ *
	142	+ * @return int\|null
	143	+ */
	144	+ public function id();
	145	+
	146	+ //--------------------------------------------------------------------
	147	+
	148	+ /**
	149	+ * Tells the system to start throttling a user. This may vary by implementation,
	150	+ * but will often add additional time before another login is allowed.
	151	+ *
	152	+ * @param $email
	153	+ * @return mixed
	154	+ */
	155	+ public function isThrottled($email);
	156	+
	157	+ //--------------------------------------------------------------------
	158	+
	159	+ /**
	160	+ * Sends a password reminder email to the user associated with
	161	+ * the passed in $email.
	162	+ *
	163	+ * @param $email
	164	+ * @return mixed
	165	+ */
	166	+ public function remindUser($email);
	167	+
	168	+ //--------------------------------------------------------------------
	169	+
	170	+ /**
	171	+ * Validates the credentials provided and, if valid, resets the password.
	172	+ *
	173	+ * @param $credentials
	174	+ * @param $password
	175	+ * @param $passConfirm
	176	+ * @return mixed
	177	+ */
	178	+ public function resetPassword($credentials, $password, $passConfirm);
	179	+
	180	+ //--------------------------------------------------------------------
	181	+
	182	+ /**
	183	+ * Provides a way for implementations to allow new statuses to be set
	184	+ * on the user. The details will vary based upon implementation, but
	185	+ * will often allow for banning or suspending users.
	186	+ *
	187	+ * @param $newStatus
	188	+ * @param null $message
	189	+ * @return mixed
	190	+ */
	191	+ public function changeStatus($newStatus, $message=null);
	192	+
	193	+ //--------------------------------------------------------------------
	194	+
	195	+ /**
	196	+ * Allows the consuming application to pass in a reference to the
	197	+ * model that should be used.
	198	+ *
	199	+ * The model MUST extend Myth\Models\CIDbModel.
	200	+ *
	201	+ * @param $model
	202	+ * @return mixed
	203	+ */
	204	+ public function useModel($model);
	205	+
	206	+ //--------------------------------------------------------------------
	207	+
	208	+ /**
	209	+ * Returns the current error string.
	210	+ *
	211	+ * @return mixed
	212	+ */
	213	+ public function error();
	214	+
	215	+ //--------------------------------------------------------------------
	216	+
	217	+ /**
	218	+ * Purges all login attempt records from the database.
	219	+ *
	220	+ * @param null $ip_address
	221	+ * @param null $user_id
	222	+ */
	223	+ public function purgeLoginAttempts($ip_address = null, $user_id = null);
	224	+
	225	+ //--------------------------------------------------------------------
	226	+
	227	+ /**
	228	+ * Purges all remember tokens for a single user. Effectively logs
	229	+ * a user out of all devices. Intended to allow users to log themselves
	230	+ * out of all devices as a security measure.
	231	+ *
	232	+ * @param $email
	233	+ */
	234	+ public function purgeRememberTokens($email);
	235	+
	236	+ //--------------------------------------------------------------------
237	237
238	238	}

ci-bonfire / Sprint

GitHub Access Token became invalid

Push — develop ( 154c58...727d1c )

Status

Category

Doc Comments +4 added lines, -4 removed lines patch added patch discarded remove patch

Indentation +918 added lines, -918 removed lines patch added patch discarded remove patch

Indentation +192 added lines, -192 removed lines patch added patch discarded remove patch

Indentation +381 added lines, -381 removed lines patch added patch discarded remove patch