enwikipedia-acc / waca

includes/Pages/UserAuth/MultiFactor/PageMultiFactor.php

Indentation +372 added lines, -372 removed lines

@@ -26,239 +26,239 @@ 
 
 class PageMultiFactor extends InternalPageBase
 {
-    /**
-     * Main function for this page, when no specific actions are called.
-     * @return void
-     */
-    protected function main()
-    {
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
-
-        $yubikeyOtpCredentialProvider = new YubikeyOtpCredentialProvider($database, $this->getSiteConfiguration(),
-            $this->getHttpHelper());
-        $this->assign('yubikeyOtpIdentity', $yubikeyOtpCredentialProvider->getYubikeyData($currentUser->getId()));
-        $this->assign('yubikeyOtpEnrolled', $yubikeyOtpCredentialProvider->userIsEnrolled($currentUser->getId()));
-
-        $totpCredentialProvider = new TotpCredentialProvider($database, $this->getSiteConfiguration());
-        $this->assign('totpEnrolled', $totpCredentialProvider->userIsEnrolled($currentUser->getId()));
-
-        $u2fCredentialProvider = new U2FCredentialProvider($database, $this->getSiteConfiguration());
-        $this->assign('u2fEnrolled', $u2fCredentialProvider->userIsEnrolled($currentUser->getId()));
-
-        $scratchCredentialProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
-        $this->assign('scratchEnrolled', $scratchCredentialProvider->userIsEnrolled($currentUser->getId()));
-        $this->assign('scratchRemaining', $scratchCredentialProvider->getRemaining($currentUser->getId()));
-
-        $this->setTemplate('mfa/mfa.tpl');
-    }
-
-    protected function enableYubikeyOtp()
-    {
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
-
-        $otpCredentialProvider = new YubikeyOtpCredentialProvider($database,
-            $this->getSiteConfiguration(), $this->getHttpHelper());
-
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-
-            $passwordCredentialProvider = new PasswordCredentialProvider($database,
-                $this->getSiteConfiguration());
-
-            $password = WebRequest::postString('password');
-            $otp = WebRequest::postString('otp');
-
-            $result = $passwordCredentialProvider->authenticate($currentUser, $password);
-
-            if ($result) {
-                try {
-                    $otpCredentialProvider->setCredential($currentUser, 2, $otp);
-                    SessionAlert::success('Enabled YubiKey OTP.');
-
-                    $scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
-                    if($scratchProvider->getRemaining($currentUser->getId()) < 3) {
-                        $scratchProvider->setCredential($currentUser, 2, null);
-                        $tokens = $scratchProvider->getTokens($currentUser->getId());
-                        $this->assign('tokens', $tokens);
-                        $this->setTemplate('mfa/regenScratchTokens.tpl');
-                        return;
-                    }
-                }
-                catch (ApplicationLogicException $ex) {
-                    SessionAlert::error('Error enabling YubiKey OTP: ' . $ex->getMessage());
-                }
-
-                $this->redirect('multiFactor');
-            }
-            else {
-                SessionAlert::error('Error enabling YubiKey OTP - invalid credentials.');
-                $this->redirect('multiFactor');
-            }
-        }
-        else {
-            if ($otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
-                // user is not enrolled, we shouldn't have got here.
-                throw new ApplicationLogicException('User is already enrolled in the selected MFA mechanism');
-            }
-
-            $this->assignCSRFToken();
-            $this->setTemplate('mfa/enableYubikey.tpl');
-        }
-    }
-
-    protected function disableYubikeyOtp()
-    {
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
-
-        $otpCredentialProvider = new YubikeyOtpCredentialProvider($database,
-            $this->getSiteConfiguration(), $this->getHttpHelper());
-
-        $factorType = 'YubiKey OTP';
-
-        $this->deleteCredential($database, $currentUser, $otpCredentialProvider, $factorType);
-    }
-
-    protected function enableTotp()
-    {
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
-
-        $otpCredentialProvider = new TotpCredentialProvider($database, $this->getSiteConfiguration());
-
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-
-            // used for routing only, not security
-            $stage = WebRequest::postString('stage');
-
-            if ($stage === "auth") {
-                $password = WebRequest::postString('password');
-
-                $passwordCredentialProvider = new PasswordCredentialProvider($database,
-                    $this->getSiteConfiguration());
-                $result = $passwordCredentialProvider->authenticate($currentUser, $password);
-
-                if ($result) {
-                    $otpCredentialProvider->setCredential($currentUser, 2, null);
-
-                    $provisioningUrl = $otpCredentialProvider->getProvisioningUrl($currentUser);
-
-                    $renderer = new Svg();
-                    $renderer->setHeight(256);
-                    $renderer->setWidth(256);
-                    $writer = new Writer($renderer);
-                    $svg = $writer->writeString($provisioningUrl);
-
-                    $this->assign('svg', $svg);
-                    $this->assign('secret', $otpCredentialProvider->getSecret($currentUser));
-
-                    $this->assignCSRFToken();
-                    $this->setTemplate('mfa/enableTotpEnroll.tpl');
-
-                    return;
-                }
-                else {
-                    SessionAlert::error('Error enabling TOTP - invalid credentials.');
-                    $this->redirect('multiFactor');
-
-                    return;
-                }
-            }
-
-            if ($stage === "enroll") {
-                // we *must* have a defined credential already here,
-                if ($otpCredentialProvider->isPartiallyEnrolled($currentUser)) {
-                    $otp = WebRequest::postString('otp');
-                    $result = $otpCredentialProvider->verifyEnable($currentUser, $otp);
-
-                    if ($result) {
-                        SessionAlert::success('Enabled TOTP.');
-
-                        $scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
-                        if($scratchProvider->getRemaining($currentUser->getId()) < 3) {
-                            $scratchProvider->setCredential($currentUser, 2, null);
-                            $tokens = $scratchProvider->getTokens($currentUser->getId());
-                            $this->assign('tokens', $tokens);
-                            $this->setTemplate('mfa/regenScratchTokens.tpl');
-                            return;
-                        }
-                    }
-                    else {
-                        $otpCredentialProvider->deleteCredential($currentUser);
-                        SessionAlert::error('Error enabling TOTP: invalid token provided');
-                    }
-
-
-                    $this->redirect('multiFactor');
-                    return;
-                }
-                else {
-                    SessionAlert::error('Error enabling TOTP - no enrollment found or enrollment expired.');
-                    $this->redirect('multiFactor');
+	/**
+	 * Main function for this page, when no specific actions are called.
+	 * @return void
+	 */
+	protected function main()
+	{
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
+
+		$yubikeyOtpCredentialProvider = new YubikeyOtpCredentialProvider($database, $this->getSiteConfiguration(),
+			$this->getHttpHelper());
+		$this->assign('yubikeyOtpIdentity', $yubikeyOtpCredentialProvider->getYubikeyData($currentUser->getId()));
+		$this->assign('yubikeyOtpEnrolled', $yubikeyOtpCredentialProvider->userIsEnrolled($currentUser->getId()));
+
+		$totpCredentialProvider = new TotpCredentialProvider($database, $this->getSiteConfiguration());
+		$this->assign('totpEnrolled', $totpCredentialProvider->userIsEnrolled($currentUser->getId()));
+
+		$u2fCredentialProvider = new U2FCredentialProvider($database, $this->getSiteConfiguration());
+		$this->assign('u2fEnrolled', $u2fCredentialProvider->userIsEnrolled($currentUser->getId()));
+
+		$scratchCredentialProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
+		$this->assign('scratchEnrolled', $scratchCredentialProvider->userIsEnrolled($currentUser->getId()));
+		$this->assign('scratchRemaining', $scratchCredentialProvider->getRemaining($currentUser->getId()));
+
+		$this->setTemplate('mfa/mfa.tpl');
+	}
+
+	protected function enableYubikeyOtp()
+	{
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
+
+		$otpCredentialProvider = new YubikeyOtpCredentialProvider($database,
+			$this->getSiteConfiguration(), $this->getHttpHelper());
+
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
+
+			$passwordCredentialProvider = new PasswordCredentialProvider($database,
+				$this->getSiteConfiguration());
+
+			$password = WebRequest::postString('password');
+			$otp = WebRequest::postString('otp');
+
+			$result = $passwordCredentialProvider->authenticate($currentUser, $password);
+
+			if ($result) {
+				try {
+					$otpCredentialProvider->setCredential($currentUser, 2, $otp);
+					SessionAlert::success('Enabled YubiKey OTP.');
+
+					$scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
+					if($scratchProvider->getRemaining($currentUser->getId()) < 3) {
+						$scratchProvider->setCredential($currentUser, 2, null);
+						$tokens = $scratchProvider->getTokens($currentUser->getId());
+						$this->assign('tokens', $tokens);
+						$this->setTemplate('mfa/regenScratchTokens.tpl');
+						return;
+					}
+				}
+				catch (ApplicationLogicException $ex) {
+					SessionAlert::error('Error enabling YubiKey OTP: ' . $ex->getMessage());
+				}
+
+				$this->redirect('multiFactor');
+			}
+			else {
+				SessionAlert::error('Error enabling YubiKey OTP - invalid credentials.');
+				$this->redirect('multiFactor');
+			}
+		}
+		else {
+			if ($otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
+				// user is not enrolled, we shouldn't have got here.
+				throw new ApplicationLogicException('User is already enrolled in the selected MFA mechanism');
+			}
+
+			$this->assignCSRFToken();
+			$this->setTemplate('mfa/enableYubikey.tpl');
+		}
+	}
+
+	protected function disableYubikeyOtp()
+	{
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
 
-                    return;
-                }
-            }
+		$otpCredentialProvider = new YubikeyOtpCredentialProvider($database,
+			$this->getSiteConfiguration(), $this->getHttpHelper());
+
+		$factorType = 'YubiKey OTP';
+
+		$this->deleteCredential($database, $currentUser, $otpCredentialProvider, $factorType);
+	}
 
-            // urgh, dunno what happened, but it's not something expected.
-            throw new ApplicationLogicException();
-        }
-        else {
-            if ($otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
-                // user is not enrolled, we shouldn't have got here.
-                throw new ApplicationLogicException('User is already enrolled in the selected MFA mechanism');
-            }
+	protected function enableTotp()
+	{
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
+
+		$otpCredentialProvider = new TotpCredentialProvider($database, $this->getSiteConfiguration());
+
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
+
+			// used for routing only, not security
+			$stage = WebRequest::postString('stage');
+
+			if ($stage === "auth") {
+				$password = WebRequest::postString('password');
+
+				$passwordCredentialProvider = new PasswordCredentialProvider($database,
+					$this->getSiteConfiguration());
+				$result = $passwordCredentialProvider->authenticate($currentUser, $password);
+
+				if ($result) {
+					$otpCredentialProvider->setCredential($currentUser, 2, null);
+
+					$provisioningUrl = $otpCredentialProvider->getProvisioningUrl($currentUser);
+
+					$renderer = new Svg();
+					$renderer->setHeight(256);
+					$renderer->setWidth(256);
+					$writer = new Writer($renderer);
+					$svg = $writer->writeString($provisioningUrl);
+
+					$this->assign('svg', $svg);
+					$this->assign('secret', $otpCredentialProvider->getSecret($currentUser));
+
+					$this->assignCSRFToken();
+					$this->setTemplate('mfa/enableTotpEnroll.tpl');
+
+					return;
+				}
+				else {
+					SessionAlert::error('Error enabling TOTP - invalid credentials.');
+					$this->redirect('multiFactor');
+
+					return;
+				}
+			}
+
+			if ($stage === "enroll") {
+				// we *must* have a defined credential already here,
+				if ($otpCredentialProvider->isPartiallyEnrolled($currentUser)) {
+					$otp = WebRequest::postString('otp');
+					$result = $otpCredentialProvider->verifyEnable($currentUser, $otp);
+
+					if ($result) {
+						SessionAlert::success('Enabled TOTP.');
+
+						$scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
+						if($scratchProvider->getRemaining($currentUser->getId()) < 3) {
+							$scratchProvider->setCredential($currentUser, 2, null);
+							$tokens = $scratchProvider->getTokens($currentUser->getId());
+							$this->assign('tokens', $tokens);
+							$this->setTemplate('mfa/regenScratchTokens.tpl');
+							return;
+						}
+					}
+					else {
+						$otpCredentialProvider->deleteCredential($currentUser);
+						SessionAlert::error('Error enabling TOTP: invalid token provided');
+					}
+
+
+					$this->redirect('multiFactor');
+					return;
+				}
+				else {
+					SessionAlert::error('Error enabling TOTP - no enrollment found or enrollment expired.');
+					$this->redirect('multiFactor');
+
+					return;
+				}
+			}
+
+			// urgh, dunno what happened, but it's not something expected.
+			throw new ApplicationLogicException();
+		}
+		else {
+			if ($otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
+				// user is not enrolled, we shouldn't have got here.
+				throw new ApplicationLogicException('User is already enrolled in the selected MFA mechanism');
+			}
+
+			$this->assignCSRFToken();
+			$this->setTemplate('mfa/enableTotpAuth.tpl');
+		}
+	}
+
+	protected function disableTotp()
+	{
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
+
+		$otpCredentialProvider = new TotpCredentialProvider($database, $this->getSiteConfiguration());
+
+		$factorType = 'TOTP';
+
+		$this->deleteCredential($database, $currentUser, $otpCredentialProvider, $factorType);
+	}
 
-            $this->assignCSRFToken();
-            $this->setTemplate('mfa/enableTotpAuth.tpl');
-        }
-    }
+	protected function enableU2F() {
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
 
-    protected function disableTotp()
-    {
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
+		$otpCredentialProvider = new U2FCredentialProvider($database, $this->getSiteConfiguration());
 
-        $otpCredentialProvider = new TotpCredentialProvider($database, $this->getSiteConfiguration());
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
 
-        $factorType = 'TOTP';
+			// used for routing only, not security
+			$stage = WebRequest::postString('stage');
 
-        $this->deleteCredential($database, $currentUser, $otpCredentialProvider, $factorType);
-    }
+			if ($stage === "auth") {
+				$password = WebRequest::postString('password');
 
-    protected function enableU2F() {
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
+				$passwordCredentialProvider = new PasswordCredentialProvider($database,
+					$this->getSiteConfiguration());
+				$result = $passwordCredentialProvider->authenticate($currentUser, $password);
 
-        $otpCredentialProvider = new U2FCredentialProvider($database, $this->getSiteConfiguration());
-
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-
-            // used for routing only, not security
-            $stage = WebRequest::postString('stage');
+				if ($result) {
+					$otpCredentialProvider->setCredential($currentUser, 2, null);
+					$this->assignCSRFToken();
 
-            if ($stage === "auth") {
-                $password = WebRequest::postString('password');
-
-                $passwordCredentialProvider = new PasswordCredentialProvider($database,
-                    $this->getSiteConfiguration());
-                $result = $passwordCredentialProvider->authenticate($currentUser, $password);
-
-                if ($result) {
-                    $otpCredentialProvider->setCredential($currentUser, 2, null);
-                    $this->assignCSRFToken();
-
-                    list($data, $reqs) = $otpCredentialProvider->getRegistrationData();
-
-                    $u2fRequest =json_encode($data);
-                    $u2fSigns = json_encode($reqs);
-
-                    $this->addJs('/vendor/yubico/u2flib-server/examples/assets/u2f-api.js');
-                    $this->setTailScript(<<<JS
+					list($data, $reqs) = $otpCredentialProvider->getRegistrationData();
+
+					$u2fRequest =json_encode($data);
+					$u2fSigns = json_encode($reqs);
+
+					$this->addJs('/vendor/yubico/u2flib-server/examples/assets/u2f-api.js');
+					$this->setTailScript(<<<JS
 var request = ${u2fRequest};
 var signs = ${u2fSigns};
 
@@ -277,153 +277,153 @@ 
 	form.submit();
 });
 JS
-                    );
-
-                    $this->setTemplate('mfa/enableU2FEnroll.tpl');
-
-                    return;
-                }
-                else {
-                    SessionAlert::error('Error enabling TOTP - invalid credentials.');
-                    $this->redirect('multiFactor');
-
-                    return;
-                }
-            }
-
-            if ($stage === "enroll") {
-                // we *must* have a defined credential already here,
-                if ($otpCredentialProvider->isPartiallyEnrolled($currentUser)) {
-
-                    $request = json_decode(WebRequest::postString('u2fRequest'));
-                    $u2fData = json_decode(WebRequest::postString('u2fData'));
-
-                    $otpCredentialProvider->enable($currentUser, $request, $u2fData);
-
-                    SessionAlert::success('Enabled TOTP.');
-
-                    $scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
-                    if($scratchProvider->getRemaining($currentUser->getId()) < 3) {
-                        $scratchProvider->setCredential($currentUser, 2, null);
-                        $tokens = $scratchProvider->getTokens($currentUser->getId());
-                        $this->assign('tokens', $tokens);
-                        $this->setTemplate('mfa/regenScratchTokens.tpl');
-                        return;
-                    }
-
-                    $this->redirect('multiFactor');
-                    return;
-                }
-                else {
-                    SessionAlert::error('Error enabling TOTP - no enrollment found or enrollment expired.');
-                    $this->redirect('multiFactor');
-
-                    return;
-                }
-            }
-
-            // urgh, dunno what happened, but it's not something expected.
-            throw new ApplicationLogicException();
-        }
-        else {
-            if ($otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
-                // user is not enrolled, we shouldn't have got here.
-                throw new ApplicationLogicException('User is already enrolled in the selected MFA mechanism');
-            }
-
-            $this->assignCSRFToken();
-            $this->setTemplate('mfa/enableU2FAuth.tpl');
-        }
-    }
-
-    protected function disableU2F() {
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
-
-        $otpCredentialProvider = new U2FCredentialProvider($database, $this->getSiteConfiguration());
-
-        $factorType = 'U2F';
-
-        $this->deleteCredential($database, $currentUser, $otpCredentialProvider, $factorType);
-    }
-
-    protected function scratch()
-    {
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
-
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-
-            $passwordCredentialProvider = new PasswordCredentialProvider($database,
-                $this->getSiteConfiguration());
-
-            $otpCredentialProvider = new ScratchTokenCredentialProvider($database,
-                $this->getSiteConfiguration());
-
-            $password = WebRequest::postString('password');
-
-            $result = $passwordCredentialProvider->authenticate($currentUser, $password);
-
-            if ($result) {
-                $otpCredentialProvider->setCredential($currentUser, 2, null);
-                $tokens = $otpCredentialProvider->getTokens($currentUser->getId());
-                $this->assign('tokens', $tokens);
-                $this->setTemplate('mfa/regenScratchTokens.tpl');
-            }
-            else {
-                SessionAlert::error('Error refreshing scratch tokens - invalid credentials.');
-                $this->redirect('multiFactor');
-            }
-        }
-        else {
-            $this->assignCSRFToken();
-            $this->setTemplate('mfa/regenScratchAuth.tpl');
-        }
-    }
-
-    /**
-     * @param PdoDatabase         $database
-     * @param User                $currentUser
-     * @param ICredentialProvider $otpCredentialProvider
-     * @param string              $factorType
-     *
-     * @throws ApplicationLogicException
-     */
-    private function deleteCredential(
-        PdoDatabase $database,
-        User $currentUser,
-        ICredentialProvider $otpCredentialProvider,
-        $factorType
-    ) {
-        if (WebRequest::wasPosted()) {
-            $passwordCredentialProvider = new PasswordCredentialProvider($database,
-                $this->getSiteConfiguration());
-
-            $this->validateCSRFToken();
-
-            $password = WebRequest::postString('password');
-            $result = $passwordCredentialProvider->authenticate($currentUser, $password);
-
-            if ($result) {
-                $otpCredentialProvider->deleteCredential($currentUser);
-                SessionAlert::success('Disabled ' . $factorType . '.');
-                $this->redirect('multiFactor');
-            }
-            else {
-                SessionAlert::error('Error disabling ' . $factorType . ' - invalid credentials.');
-                $this->redirect('multiFactor');
-            }
-        }
-        else {
-            if (!$otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
-                // user is not enrolled, we shouldn't have got here.
-                throw new ApplicationLogicException('User is not enrolled in the selected MFA mechanism');
-            }
-
-            $this->assignCSRFToken();
-            $this->assign('otpType', $factorType);
-            $this->setTemplate('mfa/disableOtp.tpl');
-        }
-    }
+					);
+
+					$this->setTemplate('mfa/enableU2FEnroll.tpl');
+
+					return;
+				}
+				else {
+					SessionAlert::error('Error enabling TOTP - invalid credentials.');
+					$this->redirect('multiFactor');
+
+					return;
+				}
+			}
+
+			if ($stage === "enroll") {
+				// we *must* have a defined credential already here,
+				if ($otpCredentialProvider->isPartiallyEnrolled($currentUser)) {
+
+					$request = json_decode(WebRequest::postString('u2fRequest'));
+					$u2fData = json_decode(WebRequest::postString('u2fData'));
+
+					$otpCredentialProvider->enable($currentUser, $request, $u2fData);
+
+					SessionAlert::success('Enabled TOTP.');
+
+					$scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
+					if($scratchProvider->getRemaining($currentUser->getId()) < 3) {
+						$scratchProvider->setCredential($currentUser, 2, null);
+						$tokens = $scratchProvider->getTokens($currentUser->getId());
+						$this->assign('tokens', $tokens);
+						$this->setTemplate('mfa/regenScratchTokens.tpl');
+						return;
+					}
+
+					$this->redirect('multiFactor');
+					return;
+				}
+				else {
+					SessionAlert::error('Error enabling TOTP - no enrollment found or enrollment expired.');
+					$this->redirect('multiFactor');
+
+					return;
+				}
+			}
+
+			// urgh, dunno what happened, but it's not something expected.
+			throw new ApplicationLogicException();
+		}
+		else {
+			if ($otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
+				// user is not enrolled, we shouldn't have got here.
+				throw new ApplicationLogicException('User is already enrolled in the selected MFA mechanism');
+			}
+
+			$this->assignCSRFToken();
+			$this->setTemplate('mfa/enableU2FAuth.tpl');
+		}
+	}
+
+	protected function disableU2F() {
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
+
+		$otpCredentialProvider = new U2FCredentialProvider($database, $this->getSiteConfiguration());
+
+		$factorType = 'U2F';
+
+		$this->deleteCredential($database, $currentUser, $otpCredentialProvider, $factorType);
+	}
+
+	protected function scratch()
+	{
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
+
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
+
+			$passwordCredentialProvider = new PasswordCredentialProvider($database,
+				$this->getSiteConfiguration());
+
+			$otpCredentialProvider = new ScratchTokenCredentialProvider($database,
+				$this->getSiteConfiguration());
+
+			$password = WebRequest::postString('password');
+
+			$result = $passwordCredentialProvider->authenticate($currentUser, $password);
+
+			if ($result) {
+				$otpCredentialProvider->setCredential($currentUser, 2, null);
+				$tokens = $otpCredentialProvider->getTokens($currentUser->getId());
+				$this->assign('tokens', $tokens);
+				$this->setTemplate('mfa/regenScratchTokens.tpl');
+			}
+			else {
+				SessionAlert::error('Error refreshing scratch tokens - invalid credentials.');
+				$this->redirect('multiFactor');
+			}
+		}
+		else {
+			$this->assignCSRFToken();
+			$this->setTemplate('mfa/regenScratchAuth.tpl');
+		}
+	}
+
+	/**
+	 * @param PdoDatabase         $database
+	 * @param User                $currentUser
+	 * @param ICredentialProvider $otpCredentialProvider
+	 * @param string              $factorType
+	 *
+	 * @throws ApplicationLogicException
+	 */
+	private function deleteCredential(
+		PdoDatabase $database,
+		User $currentUser,
+		ICredentialProvider $otpCredentialProvider,
+		$factorType
+	) {
+		if (WebRequest::wasPosted()) {
+			$passwordCredentialProvider = new PasswordCredentialProvider($database,
+				$this->getSiteConfiguration());
+
+			$this->validateCSRFToken();
+
+			$password = WebRequest::postString('password');
+			$result = $passwordCredentialProvider->authenticate($currentUser, $password);
+
+			if ($result) {
+				$otpCredentialProvider->deleteCredential($currentUser);
+				SessionAlert::success('Disabled ' . $factorType . '.');
+				$this->redirect('multiFactor');
+			}
+			else {
+				SessionAlert::error('Error disabling ' . $factorType . ' - invalid credentials.');
+				$this->redirect('multiFactor');
+			}
+		}
+		else {
+			if (!$otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
+				// user is not enrolled, we shouldn't have got here.
+				throw new ApplicationLogicException('User is not enrolled in the selected MFA mechanism');
+			}
+
+			$this->assignCSRFToken();
+			$this->assign('otpType', $factorType);
+			$this->setTemplate('mfa/disableOtp.tpl');
+		}
+	}
 }
\ No newline at end of file

Spacing +7 added lines, -7 removed lines

@@ -78,7 +78,7 @@ 
                     SessionAlert::success('Enabled YubiKey OTP.');
 
                     $scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
-                    if($scratchProvider->getRemaining($currentUser->getId()) < 3) {
+                    if ($scratchProvider->getRemaining($currentUser->getId()) < 3) {
                         $scratchProvider->setCredential($currentUser, 2, null);
                         $tokens = $scratchProvider->getTokens($currentUser->getId());
                         $this->assign('tokens', $tokens);
@@ -87,7 +87,7 @@ 
                     }
                 }
                 catch (ApplicationLogicException $ex) {
-                    SessionAlert::error('Error enabling YubiKey OTP: ' . $ex->getMessage());
+                    SessionAlert::error('Error enabling YubiKey OTP: '.$ex->getMessage());
                 }
 
                 $this->redirect('multiFactor');
@@ -178,7 +178,7 @@ 
                         SessionAlert::success('Enabled TOTP.');
 
                         $scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
-                        if($scratchProvider->getRemaining($currentUser->getId()) < 3) {
+                        if ($scratchProvider->getRemaining($currentUser->getId()) < 3) {
                             $scratchProvider->setCredential($currentUser, 2, null);
                             $tokens = $scratchProvider->getTokens($currentUser->getId());
                             $this->assign('tokens', $tokens);
@@ -254,7 +254,7 @@ 
 
                     list($data, $reqs) = $otpCredentialProvider->getRegistrationData();
 
-                    $u2fRequest =json_encode($data);
+                    $u2fRequest = json_encode($data);
                     $u2fSigns = json_encode($reqs);
 
                     $this->addJs('/vendor/yubico/u2flib-server/examples/assets/u2f-api.js');
@@ -303,7 +303,7 @@ 
                     SessionAlert::success('Enabled TOTP.');
 
                     $scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
-                    if($scratchProvider->getRemaining($currentUser->getId()) < 3) {
+                    if ($scratchProvider->getRemaining($currentUser->getId()) < 3) {
                         $scratchProvider->setCredential($currentUser, 2, null);
                         $tokens = $scratchProvider->getTokens($currentUser->getId());
                         $this->assign('tokens', $tokens);
@@ -407,11 +407,11 @@ 
 
             if ($result) {
                 $otpCredentialProvider->deleteCredential($currentUser);
-                SessionAlert::success('Disabled ' . $factorType . '.');
+                SessionAlert::success('Disabled '.$factorType.'.');
                 $this->redirect('multiFactor');
             }
             else {
-                SessionAlert::error('Error disabling ' . $factorType . ' - invalid credentials.');
+                SessionAlert::error('Error disabling '.$factorType.' - invalid credentials.');
                 $this->redirect('multiFactor');
             }
         }

Braces +4 added lines, -2 removed lines

@@ -229,7 +229,8 @@ 
         $this->deleteCredential($database, $currentUser, $otpCredentialProvider, $factorType);
     }
 
-    protected function enableU2F() {
+    protected function enableU2F()
+    {
         $database = $this->getDatabase();
         $currentUser = User::getCurrent($database);
 
@@ -336,7 +337,8 @@ 
         }
     }
 
-    protected function disableU2F() {
+    protected function disableU2F()
+    {
         $database = $this->getDatabase();
         $currentUser = User::getCurrent($database);
 

includes/Pages/UserAuth/PageOAuthCallback.php

Indentation +75 added lines, -75 removed lines

@@ -17,90 +17,90 @@
 
 class PageOAuthCallback extends InternalPageBase
 {
-    /**
-     * @return bool
-     */
-    protected function isProtectedPage()
-    {
-        // This page is critical to ensuring OAuth functionality is operational.
-        return false;
-    }
+	/**
+	 * @return bool
+	 */
+	protected function isProtectedPage()
+	{
+		// This page is critical to ensuring OAuth functionality is operational.
+		return false;
+	}
 
-    /**
-     * Main function for this page, when no specific actions are called.
-     * @return void
-     */
-    protected function main()
-    {
-        // This should never get hit except by URL manipulation.
-        $this->redirect('');
-    }
+	/**
+	 * Main function for this page, when no specific actions are called.
+	 * @return void
+	 */
+	protected function main()
+	{
+		// This should never get hit except by URL manipulation.
+		$this->redirect('');
+	}
 
-    /**
-     * Registered endpoint for the account creation callback.
-     *
-     * If this ever gets hit, something is wrong somewhere.
-     */
-    protected function create()
-    {
-        throw new Exception('OAuth account creation endpoint triggered.');
-    }
+	/**
+	 * Registered endpoint for the account creation callback.
+	 *
+	 * If this ever gets hit, something is wrong somewhere.
+	 */
+	protected function create()
+	{
+		throw new Exception('OAuth account creation endpoint triggered.');
+	}
 
-    /**
-     * Callback entry point
-     */
-    protected function authorise()
-    {
-        $oauthToken = WebRequest::getString('oauth_token');
-        $oauthVerifier = WebRequest::getString('oauth_verifier');
+	/**
+	 * Callback entry point
+	 */
+	protected function authorise()
+	{
+		$oauthToken = WebRequest::getString('oauth_token');
+		$oauthVerifier = WebRequest::getString('oauth_verifier');
 
-        $this->doCallbackValidation($oauthToken, $oauthVerifier);
+		$this->doCallbackValidation($oauthToken, $oauthVerifier);
 
-        $database = $this->getDatabase();
+		$database = $this->getDatabase();
 
-        $user = OAuthUserHelper::findUserByRequestToken($oauthToken, $database);
-        $oauth = new OAuthUserHelper($user, $database, $this->getOAuthProtocolHelper(), $this->getSiteConfiguration());
+		$user = OAuthUserHelper::findUserByRequestToken($oauthToken, $database);
+		$oauth = new OAuthUserHelper($user, $database, $this->getOAuthProtocolHelper(), $this->getSiteConfiguration());
 
-        try {
-            $oauth->completeHandshake($oauthVerifier);
-        }
-        catch (CurlException $ex) {
-            throw new ApplicationLogicException($ex->getMessage(), 0, $ex);
-        }
+		try {
+			$oauth->completeHandshake($oauthVerifier);
+		}
+		catch (CurlException $ex) {
+			throw new ApplicationLogicException($ex->getMessage(), 0, $ex);
+		}
 
-        // OK, we're the same session that just did a partial login that was redirected to OAuth. Let's upgrade the
-        // login to a full login
-        if (WebRequest::getOAuthPartialLogin() === $user->getId()) {
-            WebRequest::setLoggedInUser($user);
-        }
+		// OK, we're the same session that just did a partial login that was redirected to OAuth. Let's upgrade the
+		// login to a full login
+		if (WebRequest::getOAuthPartialLogin() === $user->getId()) {
+			WebRequest::setLoggedInUser($user);
+		}
 
-        // My thinking is there are three cases here:
-        //   a) new user => redirect to prefs - it's the only thing they can access other than stats
-        //   b) existing user hit the connect button in prefs => redirect to prefs since it's where they were
-        //   c) existing user logging in => redirect to wherever they came from
-        $redirectDestination = WebRequest::clearPostLoginRedirect();
-        if ($redirectDestination !== null && !$user->isNewUser()) {
-            $this->redirectUrl($redirectDestination);
-        }
-        else {
-            $this->redirect('preferences', null, null, 'internal.php');
-        }
-    }
+		// My thinking is there are three cases here:
+		//   a) new user => redirect to prefs - it's the only thing they can access other than stats
+		//   b) existing user hit the connect button in prefs => redirect to prefs since it's where they were
+		//   c) existing user logging in => redirect to wherever they came from
+		$redirectDestination = WebRequest::clearPostLoginRedirect();
+		if ($redirectDestination !== null && !$user->isNewUser()) {
+			$this->redirectUrl($redirectDestination);
+		}
+		else {
+			$this->redirect('preferences', null, null, 'internal.php');
+		}
+	}
 
-    /**
-     * @param string $oauthToken
-     * @param string $oauthVerifier
-     *
-     * @throws ApplicationLogicException
-     */
-    private function doCallbackValidation($oauthToken, $oauthVerifier)
-    {
-        if ($oauthToken === null) {
-            throw new ApplicationLogicException('No token provided');
-        }
+	/**
+	 * @param string $oauthToken
+	 * @param string $oauthVerifier
+	 *
+	 * @throws ApplicationLogicException
+	 */
+	private function doCallbackValidation($oauthToken, $oauthVerifier)
+	{
+		if ($oauthToken === null) {
+			throw new ApplicationLogicException('No token provided');
+		}
 
-        if ($oauthVerifier === null) {
-            throw new ApplicationLogicException('No oauth verifier provided.');
-        }
-    }
+		if ($oauthVerifier === null) {
+			throw new ApplicationLogicException('No oauth verifier provided.');
+		}
+	}
 }
\ No newline at end of file

includes/Pages/UserAuth/Login/PagePasswordLogin.php

Indentation +27 added lines, -27 removed lines

@@ -13,31 +13,31 @@
 
 class PagePasswordLogin extends LoginCredentialPageBase
 {
-    protected function providerSpecificSetup()
-    {
-        list($partialId, $partialStage) = WebRequest::getAuthPartialLogin();
-
-        if($partialId !== null && $partialStage > 1) {
-            $sql = 'SELECT type FROM credential WHERE user = :user AND factor = :stage AND disabled = 0 ORDER BY priority';
-            $statement = $this->getDatabase()->prepare($sql);
-            $statement->execute(array(':user' => $partialId, ':stage' => $partialStage));
-            $nextStage = $statement->fetchColumn();
-            $statement->closeCursor();
-
-            $this->redirect("login/" . $this->nextPageMap[$nextStage]);
-            return;
-        }
-
-        $this->setTemplate('login/password.tpl');
-    }
-
-    protected function getProviderCredentials()
-    {
-        $password = WebRequest::postString("password");
-        if ($password === null || $password === "") {
-            throw new ApplicationLogicException("No password specified");
-        }
-
-        return $password;
-    }
+	protected function providerSpecificSetup()
+	{
+		list($partialId, $partialStage) = WebRequest::getAuthPartialLogin();
+
+		if($partialId !== null && $partialStage > 1) {
+			$sql = 'SELECT type FROM credential WHERE user = :user AND factor = :stage AND disabled = 0 ORDER BY priority';
+			$statement = $this->getDatabase()->prepare($sql);
+			$statement->execute(array(':user' => $partialId, ':stage' => $partialStage));
+			$nextStage = $statement->fetchColumn();
+			$statement->closeCursor();
+
+			$this->redirect("login/" . $this->nextPageMap[$nextStage]);
+			return;
+		}
+
+		$this->setTemplate('login/password.tpl');
+	}
+
+	protected function getProviderCredentials()
+	{
+		$password = WebRequest::postString("password");
+		if ($password === null || $password === "") {
+			throw new ApplicationLogicException("No password specified");
+		}
+
+		return $password;
+	}
 }
\ No newline at end of file

Spacing +2 added lines, -2 removed lines

@@ -17,14 +17,14 @@
     {
         list($partialId, $partialStage) = WebRequest::getAuthPartialLogin();
 
-        if($partialId !== null && $partialStage > 1) {
+        if ($partialId !== null && $partialStage > 1) {
             $sql = 'SELECT type FROM credential WHERE user = :user AND factor = :stage AND disabled = 0 ORDER BY priority';
             $statement = $this->getDatabase()->prepare($sql);
             $statement->execute(array(':user' => $partialId, ':stage' => $partialStage));
             $nextStage = $statement->fetchColumn();
             $statement->closeCursor();
 
-            $this->redirect("login/" . $this->nextPageMap[$nextStage]);
+            $this->redirect("login/".$this->nextPageMap[$nextStage]);
             return;
         }
 

includes/Pages/UserAuth/Login/PageU2FLogin.php

Indentation +22 added lines, -22 removed lines

@@ -14,20 +14,20 @@ 
 
 class PageU2FLogin extends LoginCredentialPageBase
 {
-    protected function providerSpecificSetup()
-    {
-        $this->assign('showSignIn', false);
-        $this->setTemplate('login/u2f.tpl');
+	protected function providerSpecificSetup()
+	{
+		$this->assign('showSignIn', false);
+		$this->setTemplate('login/u2f.tpl');
 
-        if ($this->partialUser === null) {
-            throw new ApplicationLogicException("U2F cannot be first-stage authentication");
-        }
+		if ($this->partialUser === null) {
+			throw new ApplicationLogicException("U2F cannot be first-stage authentication");
+		}
 
-        $u2f = new U2FCredentialProvider($this->getDatabase(), $this->getSiteConfiguration());
-        $authData = json_encode($u2f->getAuthenticationData($this->partialUser));
+		$u2f = new U2FCredentialProvider($this->getDatabase(), $this->getSiteConfiguration());
+		$authData = json_encode($u2f->getAuthenticationData($this->partialUser));
 
-        $this->addJs('/vendor/yubico/u2flib-server/examples/assets/u2f-api.js');
-        $this->setTailScript(<<<JS
+		$this->addJs('/vendor/yubico/u2flib-server/examples/assets/u2f-api.js');
+		$this->setTailScript(<<<JS
 var request = ${authData};
 console.log("starting sign");
 u2f.sign(request, function(data) {
@@ -44,19 +44,19 @@ 
                 form.submit();
             });
 JS
-        );
+		);
 
-    }
+	}
 
-    protected function getProviderCredentials()
-    {
-        $authenticate = WebRequest::postString("authenticate");
-        $request = WebRequest::postString("request");
+	protected function getProviderCredentials()
+	{
+		$authenticate = WebRequest::postString("authenticate");
+		$request = WebRequest::postString("request");
 
-        if ($authenticate === null || $authenticate === "" || $request === null || $request === "") {
-              throw new ApplicationLogicException("No authentication specified");
-        }
+		if ($authenticate === null || $authenticate === "" || $request === null || $request === "") {
+			  throw new ApplicationLogicException("No authentication specified");
+		}
 
-        return array(json_decode($authenticate), json_decode($request), 'u2f');
-    }
+		return array(json_decode($authenticate), json_decode($request), 'u2f');
+	}
 }
\ No newline at end of file

includes/Pages/UserAuth/Login/PageOtpLogin.php

Indentation +12 added lines, -12 removed lines

@@ -13,18 +13,18 @@
 
 class PageOtpLogin extends LoginCredentialPageBase
 {
-    protected function providerSpecificSetup()
-    {
-        $this->setTemplate('login/otp.tpl');
-    }
+	protected function providerSpecificSetup()
+	{
+		$this->setTemplate('login/otp.tpl');
+	}
 
-    protected function getProviderCredentials()
-    {
-        $otp = WebRequest::postString("otp");
-        if ($otp === null || $otp === "") {
-            throw new ApplicationLogicException("No one-time code specified");
-        }
+	protected function getProviderCredentials()
+	{
+		$otp = WebRequest::postString("otp");
+		if ($otp === null || $otp === "") {
+			throw new ApplicationLogicException("No one-time code specified");
+		}
 
-        return $otp;
-    }
+		return $otp;
+	}
 }
\ No newline at end of file

includes/Pages/Registration/PageRegisterBase.php

Indentation +196 added lines, -196 removed lines

@@ -20,200 +20,200 @@
 
 abstract class PageRegisterBase extends InternalPageBase
 {
-    /**
-     * Main function for this page, when no specific actions are called.
-     */
-    protected function main()
-    {
-        $useOAuthSignup = $this->getSiteConfiguration()->getUseOAuthSignup();
-
-        // Dual-mode page
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-
-            try {
-                $this->handlePost($useOAuthSignup);
-            }
-            catch (ApplicationLogicException $ex) {
-                SessionAlert::error($ex->getMessage());
-                $this->redirect('register');
-            }
-        }
-        else {
-            $this->assignCSRFToken();
-            $this->assign("useOAuthSignup", $useOAuthSignup);
-            $this->setTemplate($this->getRegistrationTemplate());
-        }
-    }
-
-    protected abstract function getRegistrationTemplate();
-
-    protected function isProtectedPage()
-    {
-        return false;
-    }
-
-    /**
-     * @param string $emailAddress
-     *
-     * @throws ApplicationLogicException
-     */
-    protected function validateUniqueEmail($emailAddress)
-    {
-        $query = 'SELECT COUNT(id) FROM user WHERE email = :email';
-        $statement = $this->getDatabase()->prepare($query);
-        $statement->execute(array(':email' => $emailAddress));
-
-        if ($statement->fetchColumn() > 0) {
-            throw new ApplicationLogicException('That email address is already in use on this system.');
-        }
-
-        $statement->closeCursor();
-    }
-
-    /**
-     * @param $emailAddress
-     * @param $password
-     * @param $username
-     * @param $useOAuthSignup
-     * @param $confirmationId
-     * @param $onwikiUsername
-     *
-     * @throws ApplicationLogicException
-     */
-    protected function validateRequest(
-        $emailAddress,
-        $password,
-        $username,
-        $useOAuthSignup,
-        $confirmationId,
-        $onwikiUsername
-    ) {
-        if (!WebRequest::postBoolean('guidelines')) {
-            throw new ApplicationLogicException('You must read the interface guidelines before your request may be submitted.');
-        }
-
-        $this->validateGeneralInformation($emailAddress, $password, $username);
-        $this->validateUniqueEmail($emailAddress);
-        $this->validateNonOAuthFields($useOAuthSignup, $confirmationId, $onwikiUsername);
-    }
-
-    /**
-     * @param $useOAuthSignup
-     * @param $confirmationId
-     * @param $onwikiUsername
-     *
-     * @throws ApplicationLogicException
-     */
-    protected function validateNonOAuthFields($useOAuthSignup, $confirmationId, $onwikiUsername)
-    {
-        if (!$useOAuthSignup) {
-            if ($confirmationId === null || $confirmationId <= 0) {
-                throw new ApplicationLogicException('Please enter the revision id of your confirmation edit.');
-            }
-
-            if ($onwikiUsername === null) {
-                throw new ApplicationLogicException('Please specify your on-wiki username.');
-            }
-        }
-    }
-
-    /**
-     * @param $emailAddress
-     * @param $password
-     * @param $username
-     *
-     * @throws ApplicationLogicException
-     */
-    protected function validateGeneralInformation($emailAddress, $password, $username)
-    {
-        if ($emailAddress === null) {
-            throw new ApplicationLogicException('Your email address appears to be invalid!');
-        }
-
-        if ($password !== WebRequest::postString('pass2')) {
-            throw new ApplicationLogicException('Your passwords did not match, please try again.');
-        }
-
-        if (User::getByUsername($username, $this->getDatabase()) !== false) {
-            throw new ApplicationLogicException('That username is already in use on this system.');
-        }
-    }
-
-    /**
-     * @param $useOAuthSignup
-     *
-     * @throws ApplicationLogicException
-     * @throws \Exception
-     */
-    protected function handlePost($useOAuthSignup)
-    {
-        // Get the data
-        $emailAddress = WebRequest::postEmail('email');
-        $password = WebRequest::postString('pass');
-        $username = WebRequest::postString('name');
-
-        // Only set if OAuth is disabled
-        $confirmationId = WebRequest::postInt('conf_revid');
-        $onwikiUsername = WebRequest::postString('wname');
-
-        // Do some validation
-        $this->validateRequest($emailAddress, $password, $username, $useOAuthSignup, $confirmationId,
-            $onwikiUsername);
-
-        $database = $this->getDatabase();
-
-        $user = new User();
-        $user->setDatabase($database);
-
-        $user->setUsername($username);
-        $user->setEmail($emailAddress);
-
-        if (!$useOAuthSignup) {
-            $user->setOnWikiName($onwikiUsername);
-            $user->setConfirmationDiff($confirmationId);
-        }
-
-        $user->save();
-
-        $passwordCredentialProvider = new PasswordCredentialProvider($database, $this->getSiteConfiguration());
-        $passwordCredentialProvider->setCredential($user, 1, $password);
-
-        $defaultRole = $this->getDefaultRole();
-
-        $role = new UserRole();
-        $role->setDatabase($database);
-        $role->setUser($user->getId());
-        $role->setRole($defaultRole);
-        $role->save();
-
-        // Log now to get the signup date.
-        Logger::newUser($database, $user);
-        Logger::userRolesEdited($database, $user, 'Registration', array($defaultRole), array());
-
-        if ($useOAuthSignup) {
-            $oauthProtocolHelper = $this->getOAuthProtocolHelper();
-            $oauth = new OAuthUserHelper($user, $database, $oauthProtocolHelper, $this->getSiteConfiguration());
-
-            $authoriseUrl = $oauth->getRequestToken();
-            WebRequest::setOAuthPartialLogin($user);
-            $this->redirectUrl($authoriseUrl);
-        }
-        else {
-            // only notify if we're not using the oauth signup.
-            $this->getNotificationHelper()->userNew($user);
-            WebRequest::setLoggedInUser($user);
-            $this->redirect('preferences');
-        }
-    }
-
-    protected abstract function getDefaultRole();
-
-    /**
-     * Entry point for registration complete
-     */
-    protected function done()
-    {
-        $this->setTemplate('registration/alert-registrationcomplete.tpl');
-    }
+	/**
+	 * Main function for this page, when no specific actions are called.
+	 */
+	protected function main()
+	{
+		$useOAuthSignup = $this->getSiteConfiguration()->getUseOAuthSignup();
+
+		// Dual-mode page
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
+
+			try {
+				$this->handlePost($useOAuthSignup);
+			}
+			catch (ApplicationLogicException $ex) {
+				SessionAlert::error($ex->getMessage());
+				$this->redirect('register');
+			}
+		}
+		else {
+			$this->assignCSRFToken();
+			$this->assign("useOAuthSignup", $useOAuthSignup);
+			$this->setTemplate($this->getRegistrationTemplate());
+		}
+	}
+
+	protected abstract function getRegistrationTemplate();
+
+	protected function isProtectedPage()
+	{
+		return false;
+	}
+
+	/**
+	 * @param string $emailAddress
+	 *
+	 * @throws ApplicationLogicException
+	 */
+	protected function validateUniqueEmail($emailAddress)
+	{
+		$query = 'SELECT COUNT(id) FROM user WHERE email = :email';
+		$statement = $this->getDatabase()->prepare($query);
+		$statement->execute(array(':email' => $emailAddress));
+
+		if ($statement->fetchColumn() > 0) {
+			throw new ApplicationLogicException('That email address is already in use on this system.');
+		}
+
+		$statement->closeCursor();
+	}
+
+	/**
+	 * @param $emailAddress
+	 * @param $password
+	 * @param $username
+	 * @param $useOAuthSignup
+	 * @param $confirmationId
+	 * @param $onwikiUsername
+	 *
+	 * @throws ApplicationLogicException
+	 */
+	protected function validateRequest(
+		$emailAddress,
+		$password,
+		$username,
+		$useOAuthSignup,
+		$confirmationId,
+		$onwikiUsername
+	) {
+		if (!WebRequest::postBoolean('guidelines')) {
+			throw new ApplicationLogicException('You must read the interface guidelines before your request may be submitted.');
+		}
+
+		$this->validateGeneralInformation($emailAddress, $password, $username);
+		$this->validateUniqueEmail($emailAddress);
+		$this->validateNonOAuthFields($useOAuthSignup, $confirmationId, $onwikiUsername);
+	}
+
+	/**
+	 * @param $useOAuthSignup
+	 * @param $confirmationId
+	 * @param $onwikiUsername
+	 *
+	 * @throws ApplicationLogicException
+	 */
+	protected function validateNonOAuthFields($useOAuthSignup, $confirmationId, $onwikiUsername)
+	{
+		if (!$useOAuthSignup) {
+			if ($confirmationId === null || $confirmationId <= 0) {
+				throw new ApplicationLogicException('Please enter the revision id of your confirmation edit.');
+			}
+
+			if ($onwikiUsername === null) {
+				throw new ApplicationLogicException('Please specify your on-wiki username.');
+			}
+		}
+	}
+
+	/**
+	 * @param $emailAddress
+	 * @param $password
+	 * @param $username
+	 *
+	 * @throws ApplicationLogicException
+	 */
+	protected function validateGeneralInformation($emailAddress, $password, $username)
+	{
+		if ($emailAddress === null) {
+			throw new ApplicationLogicException('Your email address appears to be invalid!');
+		}
+
+		if ($password !== WebRequest::postString('pass2')) {
+			throw new ApplicationLogicException('Your passwords did not match, please try again.');
+		}
+
+		if (User::getByUsername($username, $this->getDatabase()) !== false) {
+			throw new ApplicationLogicException('That username is already in use on this system.');
+		}
+	}
+
+	/**
+	 * @param $useOAuthSignup
+	 *
+	 * @throws ApplicationLogicException
+	 * @throws \Exception
+	 */
+	protected function handlePost($useOAuthSignup)
+	{
+		// Get the data
+		$emailAddress = WebRequest::postEmail('email');
+		$password = WebRequest::postString('pass');
+		$username = WebRequest::postString('name');
+
+		// Only set if OAuth is disabled
+		$confirmationId = WebRequest::postInt('conf_revid');
+		$onwikiUsername = WebRequest::postString('wname');
+
+		// Do some validation
+		$this->validateRequest($emailAddress, $password, $username, $useOAuthSignup, $confirmationId,
+			$onwikiUsername);
+
+		$database = $this->getDatabase();
+
+		$user = new User();
+		$user->setDatabase($database);
+
+		$user->setUsername($username);
+		$user->setEmail($emailAddress);
+
+		if (!$useOAuthSignup) {
+			$user->setOnWikiName($onwikiUsername);
+			$user->setConfirmationDiff($confirmationId);
+		}
+
+		$user->save();
+
+		$passwordCredentialProvider = new PasswordCredentialProvider($database, $this->getSiteConfiguration());
+		$passwordCredentialProvider->setCredential($user, 1, $password);
+
+		$defaultRole = $this->getDefaultRole();
+
+		$role = new UserRole();
+		$role->setDatabase($database);
+		$role->setUser($user->getId());
+		$role->setRole($defaultRole);
+		$role->save();
+
+		// Log now to get the signup date.
+		Logger::newUser($database, $user);
+		Logger::userRolesEdited($database, $user, 'Registration', array($defaultRole), array());
+
+		if ($useOAuthSignup) {
+			$oauthProtocolHelper = $this->getOAuthProtocolHelper();
+			$oauth = new OAuthUserHelper($user, $database, $oauthProtocolHelper, $this->getSiteConfiguration());
+
+			$authoriseUrl = $oauth->getRequestToken();
+			WebRequest::setOAuthPartialLogin($user);
+			$this->redirectUrl($authoriseUrl);
+		}
+		else {
+			// only notify if we're not using the oauth signup.
+			$this->getNotificationHelper()->userNew($user);
+			WebRequest::setLoggedInUser($user);
+			$this->redirect('preferences');
+		}
+	}
+
+	protected abstract function getDefaultRole();
+
+	/**
+	 * Entry point for registration complete
+	 */
+	protected function done()
+	{
+		$this->setTemplate('registration/alert-registrationcomplete.tpl');
+	}
 }

includes/Security/CredentialProviders/CredentialProviderBase.php

Indentation +133 added lines, -133 removed lines

@@ -15,137 +15,137 @@
 
 abstract class CredentialProviderBase implements ICredentialProvider
 {
-    /**
-     * @var PdoDatabase
-     */
-    private $database;
-    /**
-     * @var SiteConfiguration
-     */
-    private $configuration;
-    /** @var string */
-    private $type;
-
-    /**
-     * CredentialProviderBase constructor.
-     *
-     * @param PdoDatabase       $database
-     * @param SiteConfiguration $configuration
-     * @param string            $type
-     */
-    public function __construct(PdoDatabase $database, SiteConfiguration $configuration, $type)
-    {
-        $this->database = $database;
-        $this->configuration = $configuration;
-        $this->type = $type;
-    }
-
-    /**
-     * @param int  $userId
-     *
-     * @param bool $disabled
-     *
-     * @return Credential
-     */
-    protected function getCredentialData($userId, $disabled = false)
-    {
-        $sql = 'SELECT * FROM credential WHERE type = :t AND user = :u';
-        $parameters = array(
-            ':u' => $userId,
-            ':t' => $this->type
-        );
-
-        if($disabled !== null) {
-            $sql .= ' AND disabled = :d';
-            $parameters[':d'] = $disabled ? 1 : 0;
-        }
-
-        $statement = $this->database->prepare($sql);
-        $statement->execute($parameters);
-
-        /** @var Credential $obj */
-        $obj = $statement->fetchObject(Credential::class);
-
-        if ($obj === false) {
-            return null;
-        }
-
-        $obj->setDatabase($this->database);
-
-        $statement->closeCursor();
-
-        return $obj;
-    }
-
-    /**
-     * @return PdoDatabase
-     */
-    public function getDatabase()
-    {
-        return $this->database;
-    }
-
-    /**
-     * @return SiteConfiguration
-     */
-    public function getConfiguration()
-    {
-        return $this->configuration;
-    }
-
-    public function deleteCredential(User $user) {
-        // get this factor
-        $statement = $this->database->prepare('SELECT * FROM credential WHERE user = :user AND type = :type');
-        $statement->execute(array(':user' => $user->getId(), ':type' => $this->type));
-        /** @var Credential $credential */
-        $credential = $statement->fetchObject(Credential::class);
-        $credential->setDatabase($this->database);
-        $statement->closeCursor();
-
-        $stage = $credential->getFactor();
-
-        $statement = $this->database->prepare('SELECT COUNT(*) FROM credential WHERE user = :user AND factor = :factor');
-        $statement->execute(array(':user' => $user->getId(), ':factor' => $stage));
-        $alternates = $statement->fetchColumn();
-        $statement->closeCursor();
-
-        if($alternates <= 1) {
-            // decrement the factor for every stage above this
-            $sql = 'UPDATE credential SET factor = factor - 1 WHERE user = :user AND factor > :factor';
-            $statement = $this->database->prepare($sql);
-            $statement->execute(array(':user' => $user->getId(), ':factor' => $stage));
-        }
-        else {
-            // There are other auth factors at this point. Don't renumber the factors just yet.
-        }
-
-        // delete this credential.
-        $credential->delete();
-    }
-
-    /**
-     * @param User $user
-     *
-     * @return Credential
-     */
-    protected function createNewCredential(User $user)
-    {
-        $credential = new Credential();
-        $credential->setDatabase($this->getDatabase());
-        $credential->setUserId($user->getId());
-        $credential->setType($this->type);
-
-        return $credential;
-    }
-
-    /**
-     * @param int $userId
-     *
-     * @return bool
-     */
-    public function userIsEnrolled($userId) {
-        $cred = $this->getCredentialData($userId);
-
-        return $cred !== null;
-    }
+	/**
+	 * @var PdoDatabase
+	 */
+	private $database;
+	/**
+	 * @var SiteConfiguration
+	 */
+	private $configuration;
+	/** @var string */
+	private $type;
+
+	/**
+	 * CredentialProviderBase constructor.
+	 *
+	 * @param PdoDatabase       $database
+	 * @param SiteConfiguration $configuration
+	 * @param string            $type
+	 */
+	public function __construct(PdoDatabase $database, SiteConfiguration $configuration, $type)
+	{
+		$this->database = $database;
+		$this->configuration = $configuration;
+		$this->type = $type;
+	}
+
+	/**
+	 * @param int  $userId
+	 *
+	 * @param bool $disabled
+	 *
+	 * @return Credential
+	 */
+	protected function getCredentialData($userId, $disabled = false)
+	{
+		$sql = 'SELECT * FROM credential WHERE type = :t AND user = :u';
+		$parameters = array(
+			':u' => $userId,
+			':t' => $this->type
+		);
+
+		if($disabled !== null) {
+			$sql .= ' AND disabled = :d';
+			$parameters[':d'] = $disabled ? 1 : 0;
+		}
+
+		$statement = $this->database->prepare($sql);
+		$statement->execute($parameters);
+
+		/** @var Credential $obj */
+		$obj = $statement->fetchObject(Credential::class);
+
+		if ($obj === false) {
+			return null;
+		}
+
+		$obj->setDatabase($this->database);
+
+		$statement->closeCursor();
+
+		return $obj;
+	}
+
+	/**
+	 * @return PdoDatabase
+	 */
+	public function getDatabase()
+	{
+		return $this->database;
+	}
+
+	/**
+	 * @return SiteConfiguration
+	 */
+	public function getConfiguration()
+	{
+		return $this->configuration;
+	}
+
+	public function deleteCredential(User $user) {
+		// get this factor
+		$statement = $this->database->prepare('SELECT * FROM credential WHERE user = :user AND type = :type');
+		$statement->execute(array(':user' => $user->getId(), ':type' => $this->type));
+		/** @var Credential $credential */
+		$credential = $statement->fetchObject(Credential::class);
+		$credential->setDatabase($this->database);
+		$statement->closeCursor();
+
+		$stage = $credential->getFactor();
+
+		$statement = $this->database->prepare('SELECT COUNT(*) FROM credential WHERE user = :user AND factor = :factor');
+		$statement->execute(array(':user' => $user->getId(), ':factor' => $stage));
+		$alternates = $statement->fetchColumn();
+		$statement->closeCursor();
+
+		if($alternates <= 1) {
+			// decrement the factor for every stage above this
+			$sql = 'UPDATE credential SET factor = factor - 1 WHERE user = :user AND factor > :factor';
+			$statement = $this->database->prepare($sql);
+			$statement->execute(array(':user' => $user->getId(), ':factor' => $stage));
+		}
+		else {
+			// There are other auth factors at this point. Don't renumber the factors just yet.
+		}
+
+		// delete this credential.
+		$credential->delete();
+	}
+
+	/**
+	 * @param User $user
+	 *
+	 * @return Credential
+	 */
+	protected function createNewCredential(User $user)
+	{
+		$credential = new Credential();
+		$credential->setDatabase($this->getDatabase());
+		$credential->setUserId($user->getId());
+		$credential->setType($this->type);
+
+		return $credential;
+	}
+
+	/**
+	 * @param int $userId
+	 *
+	 * @return bool
+	 */
+	public function userIsEnrolled($userId) {
+		$cred = $this->getCredentialData($userId);
+
+		return $cred !== null;
+	}
 }
\ No newline at end of file

Spacing +2 added lines, -2 removed lines

@@ -55,7 +55,7 @@ 
             ':t' => $this->type
         );
 
-        if($disabled !== null) {
+        if ($disabled !== null) {
             $sql .= ' AND disabled = :d';
             $parameters[':d'] = $disabled ? 1 : 0;
         }
@@ -109,7 +109,7 @@ 
         $alternates = $statement->fetchColumn();
         $statement->closeCursor();
 
-        if($alternates <= 1) {
+        if ($alternates <= 1) {
             // decrement the factor for every stage above this
             $sql = 'UPDATE credential SET factor = factor - 1 WHERE user = :user AND factor > :factor';
             $statement = $this->database->prepare($sql);

Braces +4 added lines, -2 removed lines

@@ -93,7 +93,8 @@ 
         return $this->configuration;
     }
 
-    public function deleteCredential(User $user) {
+    public function deleteCredential(User $user)
+    {
         // get this factor
         $statement = $this->database->prepare('SELECT * FROM credential WHERE user = :user AND type = :type');
         $statement->execute(array(':user' => $user->getId(), ':type' => $this->type));
@@ -143,7 +144,8 @@ 
      *
      * @return bool
      */
-    public function userIsEnrolled($userId) {
+    public function userIsEnrolled($userId)
+    {
         $cred = $this->getCredentialData($userId);
 
         return $cred !== null;

includes/Security/CredentialProviders/ScratchTokenCredentialProvider.php

Indentation +117 added lines, -117 removed lines

@@ -17,121 +17,121 @@
 
 class ScratchTokenCredentialProvider extends CredentialProviderBase
 {
-    /** @var EncryptionHelper */
-    private $encryptionHelper;
-
-    /**
-     * ScratchTokenCredentialProvider constructor.
-     *
-     * @param PdoDatabase       $database
-     * @param SiteConfiguration $configuration
-     */
-    public function __construct(PdoDatabase $database, SiteConfiguration $configuration)
-    {
-        parent::__construct($database, $configuration, 'scratch');
-        $this->encryptionHelper = new EncryptionHelper($configuration);
-    }
-
-    /**
-     * Validates a user-provided credential
-     *
-     * @param User   $user The user to test the authentication against
-     * @param string $data The raw credential data to be validated
-     *
-     * @return bool
-     * @throws ApplicationLogicException
-     */
-    public function authenticate(User $user, $data)
-    {
-        if (is_array($data)) {
-            return false;
-        }
-
-        $storedData = $this->getCredentialData($user->getId());
-
-        if ($storedData === null) {
-            throw new ApplicationLogicException('Credential data not found');
-        }
-
-        $scratchTokens = unserialize($this->encryptionHelper->decryptData($storedData->getData()));
-
-        $i = array_search($data, $scratchTokens);
-
-        if($i === false) {
-            return false;
-        }
-
-        unset($scratchTokens[$i]);
-
-        $storedData->setData($this->encryptionHelper->encryptData(serialize($scratchTokens)));
-        $storedData->save();
-
-        return true;
-    }
-
-    /**
-     * @param User   $user   The user the credential belongs to
-     * @param int    $factor The factor this credential provides
-     * @param string $data   Unused.
-     */
-    public function setCredential(User $user, $factor, $data)
-    {
-        $scratch = array();
-        for ($i = 0; $i < 5; $i++) {
-            $scratch[] = Base32::encode(openssl_random_pseudo_bytes(10));
-        }
-
-        $storedData = $this->getCredentialData($user->getId(), null);
-
-        if ($storedData !== null) {
-            $storedData->delete();
-        }
-
-        $storedData = $this->createNewCredential($user);
-
-        $storedData->setData($this->encryptionHelper->encryptData(serialize($scratch)));
-        $storedData->setFactor($factor);
-        $storedData->setVersion(1);
-        $storedData->setPriority(9);
-
-        $storedData->save();
-    }
-
-    /**
-     * @param int $userId
-     *
-     * @return int
-     * @throws ApplicationLogicException
-     */
-    public function getRemaining($userId)
-    {
-        $storedData = $this->getCredentialData($userId);
-
-        if ($storedData === null) {
-            return 0;
-        }
-
-        $scratchTokens = unserialize($this->encryptionHelper->decryptData($storedData->getData()));
-
-        return count($scratchTokens);
-    }
-
-    /**
-     * @param int $userId
-     *
-     * @return int
-     * @throws ApplicationLogicException
-     */
-    public function getTokens($userId)
-    {
-        $storedData = $this->getCredentialData($userId);
-
-        if ($storedData === null) {
-            return 0;
-        }
-
-        $scratchTokens = unserialize($this->encryptionHelper->decryptData($storedData->getData()));
-
-        return $scratchTokens;
-    }
+	/** @var EncryptionHelper */
+	private $encryptionHelper;
+
+	/**
+	 * ScratchTokenCredentialProvider constructor.
+	 *
+	 * @param PdoDatabase       $database
+	 * @param SiteConfiguration $configuration
+	 */
+	public function __construct(PdoDatabase $database, SiteConfiguration $configuration)
+	{
+		parent::__construct($database, $configuration, 'scratch');
+		$this->encryptionHelper = new EncryptionHelper($configuration);
+	}
+
+	/**
+	 * Validates a user-provided credential
+	 *
+	 * @param User   $user The user to test the authentication against
+	 * @param string $data The raw credential data to be validated
+	 *
+	 * @return bool
+	 * @throws ApplicationLogicException
+	 */
+	public function authenticate(User $user, $data)
+	{
+		if (is_array($data)) {
+			return false;
+		}
+
+		$storedData = $this->getCredentialData($user->getId());
+
+		if ($storedData === null) {
+			throw new ApplicationLogicException('Credential data not found');
+		}
+
+		$scratchTokens = unserialize($this->encryptionHelper->decryptData($storedData->getData()));
+
+		$i = array_search($data, $scratchTokens);
+
+		if($i === false) {
+			return false;
+		}
+
+		unset($scratchTokens[$i]);
+
+		$storedData->setData($this->encryptionHelper->encryptData(serialize($scratchTokens)));
+		$storedData->save();
+
+		return true;
+	}
+
+	/**
+	 * @param User   $user   The user the credential belongs to
+	 * @param int    $factor The factor this credential provides
+	 * @param string $data   Unused.
+	 */
+	public function setCredential(User $user, $factor, $data)
+	{
+		$scratch = array();
+		for ($i = 0; $i < 5; $i++) {
+			$scratch[] = Base32::encode(openssl_random_pseudo_bytes(10));
+		}
+
+		$storedData = $this->getCredentialData($user->getId(), null);
+
+		if ($storedData !== null) {
+			$storedData->delete();
+		}
+
+		$storedData = $this->createNewCredential($user);
+
+		$storedData->setData($this->encryptionHelper->encryptData(serialize($scratch)));
+		$storedData->setFactor($factor);
+		$storedData->setVersion(1);
+		$storedData->setPriority(9);
+
+		$storedData->save();
+	}
+
+	/**
+	 * @param int $userId
+	 *
+	 * @return int
+	 * @throws ApplicationLogicException
+	 */
+	public function getRemaining($userId)
+	{
+		$storedData = $this->getCredentialData($userId);
+
+		if ($storedData === null) {
+			return 0;
+		}
+
+		$scratchTokens = unserialize($this->encryptionHelper->decryptData($storedData->getData()));
+
+		return count($scratchTokens);
+	}
+
+	/**
+	 * @param int $userId
+	 *
+	 * @return int
+	 * @throws ApplicationLogicException
+	 */
+	public function getTokens($userId)
+	{
+		$storedData = $this->getCredentialData($userId);
+
+		if ($storedData === null) {
+			return 0;
+		}
+
+		$scratchTokens = unserialize($this->encryptionHelper->decryptData($storedData->getData()));
+
+		return $scratchTokens;
+	}
 }
\ No newline at end of file

Spacing +1 added lines, -1 removed lines

@@ -57,7 +57,7 @@
 
         $i = array_search($data, $scratchTokens);
 
-        if($i === false) {
+        if ($i === false) {
             return false;
         }
 

includes/Security/CredentialProviders/PasswordCredentialProvider.php

Indentation +40 added lines, -40 removed lines

@@ -15,55 +15,55 @@
 
 class PasswordCredentialProvider extends CredentialProviderBase
 {
-    const PASSWORD_COST = 10;
+	const PASSWORD_COST = 10;
 
-    public function __construct(PdoDatabase $database, SiteConfiguration $configuration)
-    {
-        parent::__construct($database, $configuration, 'password');
-    }
+	public function __construct(PdoDatabase $database, SiteConfiguration $configuration)
+	{
+		parent::__construct($database, $configuration, 'password');
+	}
 
-    public function authenticate(User $user, $data)
-    {
-        $storedData = $this->getCredentialData($user->getId());
-        if($storedData === null)
-        {
-            // No available credential matching these parameters
-            return false;
-        }
+	public function authenticate(User $user, $data)
+	{
+		$storedData = $this->getCredentialData($user->getId());
+		if($storedData === null)
+		{
+			// No available credential matching these parameters
+			return false;
+		}
 
-        if($storedData->getVersion() !== 2) {
-            // Non-2 versions are not supported.
-            return false;
-        }
+		if($storedData->getVersion() !== 2) {
+			// Non-2 versions are not supported.
+			return false;
+		}
 
-        if(password_verify($data, $storedData->getData())) {
-            if(password_needs_rehash($storedData->getData(), PASSWORD_BCRYPT, array('cost' => self::PASSWORD_COST))){
-                $this->setCredential($user, $storedData->getFactor(), $data);
-            }
+		if(password_verify($data, $storedData->getData())) {
+			if(password_needs_rehash($storedData->getData(), PASSWORD_BCRYPT, array('cost' => self::PASSWORD_COST))){
+				$this->setCredential($user, $storedData->getFactor(), $data);
+			}
 
-            return true;
-        }
+			return true;
+		}
 
-        return false;
-    }
+		return false;
+	}
 
-    public function setCredential(User $user, $factor, $password)
-    {
-        $storedData = $this->getCredentialData($user->getId());
+	public function setCredential(User $user, $factor, $password)
+	{
+		$storedData = $this->getCredentialData($user->getId());
 
-        if($storedData === null){
-            $storedData = $this->createNewCredential($user);
-        }
+		if($storedData === null){
+			$storedData = $this->createNewCredential($user);
+		}
 
-        $storedData->setData(password_hash($password, PASSWORD_BCRYPT, array('cost' => self::PASSWORD_COST)));
-        $storedData->setFactor($factor);
-        $storedData->setVersion(2);
+		$storedData->setData(password_hash($password, PASSWORD_BCRYPT, array('cost' => self::PASSWORD_COST)));
+		$storedData->setFactor($factor);
+		$storedData->setVersion(2);
 
-        $storedData->save();
-    }
+		$storedData->save();
+	}
 
-    public function deleteCredential(User $user)
-    {
-        throw new ApplicationLogicException('Deletion of password credential is not allowed.');
-    }
+	public function deleteCredential(User $user)
+	{
+		throw new ApplicationLogicException('Deletion of password credential is not allowed.');
+	}
 }
\ No newline at end of file