enwikipedia-acc / waca

includes/Pages/UserAuth/PageForgotPassword.php

Indentation +145 added lines, -145 removed lines

@@ -18,149 +18,149 @@
 
 class PageForgotPassword extends InternalPageBase
 {
-    /**
-     * Main function for this page, when no specific actions are called.
-     *
-     * This is the forgotten password reset form
-     * @category Security-Critical
-     */
-    protected function main()
-    {
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-            $username = WebRequest::postString('username');
-            $email = WebRequest::postEmail('email');
-            $database = $this->getDatabase();
-
-            if ($username === null || trim($username) === "" || $email === null || trim($email) === "") {
-                throw new ApplicationLogicException("Both username and email address must be specified!");
-            }
-
-            $user = User::getByUsername($username, $database);
-            $this->sendResetMail($user, $email);
-
-            SessionAlert::success('<strong>Your password reset request has been completed.</strong> Please check your e-mail.');
-
-            $this->redirect('login');
-        }
-        else {
-            $this->assignCSRFToken();
-            $this->setTemplate('forgot-password/forgotpw.tpl');
-        }
-    }
-
-    /**
-     * Sends a reset email if the user is authenticated
-     *
-     * @param User|boolean $user  The user located from the database, or false. Doesn't really matter, since we do the
-     *                            check anyway within this method and silently skip if we don't have a user.
-     * @param string       $email The provided email address
-     */
-    private function sendResetMail($user, $email)
-    {
-        // If the user isn't found, or the email address is wrong, skip sending the details silently.
-        if (!$user instanceof User) {
-            return;
-        }
-
-        if (strtolower($user->getEmail()) === strtolower($email)) {
-            $clientIp = $this->getXffTrustProvider()
-                ->getTrustedClientIp(WebRequest::remoteAddress(), WebRequest::forwardedAddress());
-
-            $this->assign("user", $user);
-            $this->assign("hash", $user->getForgottenPasswordHash());
-            $this->assign("remoteAddress", $clientIp);
-
-            $emailContent = $this->fetchTemplate('forgot-password/reset-mail.tpl');
-
-            $this->getEmailHelper()->sendMail($user->getEmail(), "", $emailContent);
-        }
-    }
-
-    /**
-     * Entry point for the reset action
-     *
-     * This is the reset password part of the form.
-     * @category Security-Critical
-     */
-    protected function reset()
-    {
-        $si = WebRequest::getString('si');
-        $id = WebRequest::getString('id');
-
-        if ($si === null || trim($si) === "" || $id === null || trim($id) === "") {
-            throw new ApplicationLogicException("Link not valid, please ensure it has copied correctly");
-        }
-
-        $database = $this->getDatabase();
-        $user = $this->getResettingUser($id, $database, $si);
-
-        // Dual mode
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-            try {
-                $this->doReset($user);
-            }
-            catch (ApplicationLogicException $ex) {
-                SessionAlert::error($ex->getMessage());
-                $this->redirect('forgotPassword', 'reset', array('si' => $si, 'id' => $id));
-
-                return;
-            }
-        }
-        else {
-            $this->assignCSRFToken();
-            $this->assign('user', $user);
-            $this->setTemplate('forgot-password/forgotpwreset.tpl');
-        }
-    }
-
-    /**
-     * Gets the user resetting their password from the database, or throwing an exception if that is not possible.
-     *
-     * @param integer     $id       The ID of the user to retrieve
-     * @param PdoDatabase $database The database object to use
-     * @param string      $si       The reset hash provided
-     *
-     * @return User
-     * @throws ApplicationLogicException
-     */
-    private function getResettingUser($id, $database, $si)
-    {
-        $user = User::getById($id, $database);
-
-        if ($user === false || $user->getForgottenPasswordHash() !== $si || $user->isCommunityUser()) {
-            throw new ApplicationLogicException("User not found");
-        }
-
-        return $user;
-    }
-
-    /**
-     * Performs the setting of the new password
-     *
-     * @param User $user The user to set the password for
-     *
-     * @throws ApplicationLogicException
-     */
-    private function doReset(User $user)
-    {
-        $pw = WebRequest::postString('pw');
-        $pw2 = WebRequest::postString('pw2');
-
-        if ($pw !== $pw2) {
-            throw new ApplicationLogicException('Passwords do not match!');
-        }
-
-        $passwordCredentialProvider = new PasswordCredentialProvider($user->getDatabase(), $this->getSiteConfiguration());
-        $passwordCredentialProvider->setCredential($user, 1, $pw);
-
-        SessionAlert::success('You may now log in!');
-        $this->redirect('login');
-    }
-
-    protected function isProtectedPage()
-    {
-        return false;
-    }
+	/**
+	 * Main function for this page, when no specific actions are called.
+	 *
+	 * This is the forgotten password reset form
+	 * @category Security-Critical
+	 */
+	protected function main()
+	{
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
+			$username = WebRequest::postString('username');
+			$email = WebRequest::postEmail('email');
+			$database = $this->getDatabase();
+
+			if ($username === null || trim($username) === "" || $email === null || trim($email) === "") {
+				throw new ApplicationLogicException("Both username and email address must be specified!");
+			}
+
+			$user = User::getByUsername($username, $database);
+			$this->sendResetMail($user, $email);
+
+			SessionAlert::success('<strong>Your password reset request has been completed.</strong> Please check your e-mail.');
+
+			$this->redirect('login');
+		}
+		else {
+			$this->assignCSRFToken();
+			$this->setTemplate('forgot-password/forgotpw.tpl');
+		}
+	}
+
+	/**
+	 * Sends a reset email if the user is authenticated
+	 *
+	 * @param User|boolean $user  The user located from the database, or false. Doesn't really matter, since we do the
+	 *                            check anyway within this method and silently skip if we don't have a user.
+	 * @param string       $email The provided email address
+	 */
+	private function sendResetMail($user, $email)
+	{
+		// If the user isn't found, or the email address is wrong, skip sending the details silently.
+		if (!$user instanceof User) {
+			return;
+		}
+
+		if (strtolower($user->getEmail()) === strtolower($email)) {
+			$clientIp = $this->getXffTrustProvider()
+				->getTrustedClientIp(WebRequest::remoteAddress(), WebRequest::forwardedAddress());
+
+			$this->assign("user", $user);
+			$this->assign("hash", $user->getForgottenPasswordHash());
+			$this->assign("remoteAddress", $clientIp);
+
+			$emailContent = $this->fetchTemplate('forgot-password/reset-mail.tpl');
+
+			$this->getEmailHelper()->sendMail($user->getEmail(), "", $emailContent);
+		}
+	}
+
+	/**
+	 * Entry point for the reset action
+	 *
+	 * This is the reset password part of the form.
+	 * @category Security-Critical
+	 */
+	protected function reset()
+	{
+		$si = WebRequest::getString('si');
+		$id = WebRequest::getString('id');
+
+		if ($si === null || trim($si) === "" || $id === null || trim($id) === "") {
+			throw new ApplicationLogicException("Link not valid, please ensure it has copied correctly");
+		}
+
+		$database = $this->getDatabase();
+		$user = $this->getResettingUser($id, $database, $si);
+
+		// Dual mode
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
+			try {
+				$this->doReset($user);
+			}
+			catch (ApplicationLogicException $ex) {
+				SessionAlert::error($ex->getMessage());
+				$this->redirect('forgotPassword', 'reset', array('si' => $si, 'id' => $id));
+
+				return;
+			}
+		}
+		else {
+			$this->assignCSRFToken();
+			$this->assign('user', $user);
+			$this->setTemplate('forgot-password/forgotpwreset.tpl');
+		}
+	}
+
+	/**
+	 * Gets the user resetting their password from the database, or throwing an exception if that is not possible.
+	 *
+	 * @param integer     $id       The ID of the user to retrieve
+	 * @param PdoDatabase $database The database object to use
+	 * @param string      $si       The reset hash provided
+	 *
+	 * @return User
+	 * @throws ApplicationLogicException
+	 */
+	private function getResettingUser($id, $database, $si)
+	{
+		$user = User::getById($id, $database);
+
+		if ($user === false || $user->getForgottenPasswordHash() !== $si || $user->isCommunityUser()) {
+			throw new ApplicationLogicException("User not found");
+		}
+
+		return $user;
+	}
+
+	/**
+	 * Performs the setting of the new password
+	 *
+	 * @param User $user The user to set the password for
+	 *
+	 * @throws ApplicationLogicException
+	 */
+	private function doReset(User $user)
+	{
+		$pw = WebRequest::postString('pw');
+		$pw2 = WebRequest::postString('pw2');
+
+		if ($pw !== $pw2) {
+			throw new ApplicationLogicException('Passwords do not match!');
+		}
+
+		$passwordCredentialProvider = new PasswordCredentialProvider($user->getDatabase(), $this->getSiteConfiguration());
+		$passwordCredentialProvider->setCredential($user, 1, $pw);
+
+		SessionAlert::success('You may now log in!');
+		$this->redirect('login');
+	}
+
+	protected function isProtectedPage()
+	{
+		return false;
+	}
 }

includes/DataObjects/Credential.php

Indentation +196 added lines, -196 removed lines

@@ -15,187 +15,187 @@ 
 
 class Credential extends DataObject
 {
-    /** @var int */
-    private $user;
-    /** @var int */
-    private $factor;
-    /** @var string */
-    private $type;
-    /** @var string */
-    private $data;
-    /** @var int */
-    private $version;
-    private $timeout;
-    /** @var int */
-    private $disabled = 0;
-    /** @var int */
-    private $priority;
-
-    /**
-     * @return int
-     */
-    public function getUserId()
-    {
-        return $this->user;
-    }
-
-    /**
-     * @param int $user
-     */
-    public function setUserId($user)
-    {
-        $this->user = $user;
-    }
-
-    /**
-     * @return int
-     */
-    public function getFactor()
-    {
-        return $this->factor;
-    }
-
-    /**
-     * @param int $factor
-     */
-    public function setFactor($factor)
-    {
-        $this->factor = $factor;
-    }
-
-    /**
-     * @return string
-     */
-    public function getType()
-    {
-        return $this->type;
-    }
-
-    /**
-     * @param string $type
-     */
-    public function setType($type)
-    {
-        $this->type = $type;
-    }
-
-    /**
-     * @return string
-     */
-    public function getData()
-    {
-        return $this->data;
-    }
-
-    /**
-     * @param string $data
-     */
-    public function setData($data)
-    {
-        $this->data = $data;
-    }
-
-    /**
-     * @return int
-     */
-    public function getVersion()
-    {
-        return $this->version;
-    }
-
-    /**
-     * @param int $version
-     */
-    public function setVersion($version)
-    {
-        $this->version = $version;
-    }
-
-    /**
-     * @return mixed
-     */
-    public function getTimeout()
-    {
-        if ($this->timeout === null) {
-            return null;
-        }
-
-        return new DateTimeImmutable($this->timeout);
-    }
-
-    /**
-     * @param mixed $timeout
-     */
-    public function setTimeout(DateTimeImmutable $timeout = null)
-    {
-        if ($timeout === null) {
-            $this->timeout = null;
-        }
-        else {
-            $this->timeout = $timeout->format('Y-m-d H:i:s');
-        }
-    }
-
-    /**
-     * @return int
-     */
-    public function getDisabled()
-    {
-        return $this->disabled;
-    }
-
-    /**
-     * @param int $disabled
-     */
-    public function setDisabled($disabled)
-    {
-        $this->disabled = $disabled;
-    }
-
-    /**
-     * @return int
-     */
-    public function getPriority()
-    {
-        return $this->priority;
-    }
-
-    /**
-     * @param int $priority
-     */
-    public function setPriority($priority)
-    {
-        $this->priority = $priority;
-    }
-
-    public function save()
-    {
-        if ($this->isNew()) {
-            // insert
-            $statement = $this->dbObject->prepare(<<<SQL
+	/** @var int */
+	private $user;
+	/** @var int */
+	private $factor;
+	/** @var string */
+	private $type;
+	/** @var string */
+	private $data;
+	/** @var int */
+	private $version;
+	private $timeout;
+	/** @var int */
+	private $disabled = 0;
+	/** @var int */
+	private $priority;
+
+	/**
+	 * @return int
+	 */
+	public function getUserId()
+	{
+		return $this->user;
+	}
+
+	/**
+	 * @param int $user
+	 */
+	public function setUserId($user)
+	{
+		$this->user = $user;
+	}
+
+	/**
+	 * @return int
+	 */
+	public function getFactor()
+	{
+		return $this->factor;
+	}
+
+	/**
+	 * @param int $factor
+	 */
+	public function setFactor($factor)
+	{
+		$this->factor = $factor;
+	}
+
+	/**
+	 * @return string
+	 */
+	public function getType()
+	{
+		return $this->type;
+	}
+
+	/**
+	 * @param string $type
+	 */
+	public function setType($type)
+	{
+		$this->type = $type;
+	}
+
+	/**
+	 * @return string
+	 */
+	public function getData()
+	{
+		return $this->data;
+	}
+
+	/**
+	 * @param string $data
+	 */
+	public function setData($data)
+	{
+		$this->data = $data;
+	}
+
+	/**
+	 * @return int
+	 */
+	public function getVersion()
+	{
+		return $this->version;
+	}
+
+	/**
+	 * @param int $version
+	 */
+	public function setVersion($version)
+	{
+		$this->version = $version;
+	}
+
+	/**
+	 * @return mixed
+	 */
+	public function getTimeout()
+	{
+		if ($this->timeout === null) {
+			return null;
+		}
+
+		return new DateTimeImmutable($this->timeout);
+	}
+
+	/**
+	 * @param mixed $timeout
+	 */
+	public function setTimeout(DateTimeImmutable $timeout = null)
+	{
+		if ($timeout === null) {
+			$this->timeout = null;
+		}
+		else {
+			$this->timeout = $timeout->format('Y-m-d H:i:s');
+		}
+	}
+
+	/**
+	 * @return int
+	 */
+	public function getDisabled()
+	{
+		return $this->disabled;
+	}
+
+	/**
+	 * @param int $disabled
+	 */
+	public function setDisabled($disabled)
+	{
+		$this->disabled = $disabled;
+	}
+
+	/**
+	 * @return int
+	 */
+	public function getPriority()
+	{
+		return $this->priority;
+	}
+
+	/**
+	 * @param int $priority
+	 */
+	public function setPriority($priority)
+	{
+		$this->priority = $priority;
+	}
+
+	public function save()
+	{
+		if ($this->isNew()) {
+			// insert
+			$statement = $this->dbObject->prepare(<<<SQL
 INSERT INTO credential ( updateversion, user, factor, type, data, version, timeout, disabled, priority )
 VALUES ( 0, :user, :factor, :type, :data, :version, :timeout, :disabled, :priority );
 SQL
-            );
-            $statement->bindValue(":user", $this->user);
-            $statement->bindValue(":factor", $this->factor);
-            $statement->bindValue(":type", $this->type);
-            $statement->bindValue(":data", $this->data);
-            $statement->bindValue(":version", $this->version);
-            $statement->bindValue(":timeout", $this->timeout);
-            $statement->bindValue(":disabled", $this->disabled);
-            $statement->bindValue(":priority", $this->priority);
-
-            if ($statement->execute()) {
-                $this->id = (int)$this->dbObject->lastInsertId();
-            }
-            else {
-                throw new Exception($statement->errorInfo());
-            }
-        }
-        else {
-            // update
-            $statement = $this->dbObject->prepare(<<<SQL
+			);
+			$statement->bindValue(":user", $this->user);
+			$statement->bindValue(":factor", $this->factor);
+			$statement->bindValue(":type", $this->type);
+			$statement->bindValue(":data", $this->data);
+			$statement->bindValue(":version", $this->version);
+			$statement->bindValue(":timeout", $this->timeout);
+			$statement->bindValue(":disabled", $this->disabled);
+			$statement->bindValue(":priority", $this->priority);
+
+			if ($statement->execute()) {
+				$this->id = (int)$this->dbObject->lastInsertId();
+			}
+			else {
+				throw new Exception($statement->errorInfo());
+			}
+		}
+		else {
+			// update
+			$statement = $this->dbObject->prepare(<<<SQL
                 UPDATE credential
                 SET   factor = :factor
                     , data = :data
@@ -206,27 +206,27 @@ 
                     , updateversion = updateversion + 1
                 WHERE id = :id AND updateversion = :updateversion;
 SQL
-            );
+			);
 
-            $statement->bindValue(':id', $this->id);
-            $statement->bindValue(':updateversion', $this->updateversion);
+			$statement->bindValue(':id', $this->id);
+			$statement->bindValue(':updateversion', $this->updateversion);
 
-            $statement->bindValue(":factor", $this->factor);
-            $statement->bindValue(":data", $this->data);
-            $statement->bindValue(":version", $this->version);
-            $statement->bindValue(":timeout", $this->timeout);
-            $statement->bindValue(":disabled", $this->disabled);
-            $statement->bindValue(":priority", $this->priority);
+			$statement->bindValue(":factor", $this->factor);
+			$statement->bindValue(":data", $this->data);
+			$statement->bindValue(":version", $this->version);
+			$statement->bindValue(":timeout", $this->timeout);
+			$statement->bindValue(":disabled", $this->disabled);
+			$statement->bindValue(":priority", $this->priority);
 
-            if (!$statement->execute()) {
-                throw new Exception($statement->errorInfo());
-            }
+			if (!$statement->execute()) {
+				throw new Exception($statement->errorInfo());
+			}
 
-            if ($statement->rowCount() !== 1) {
-                throw new OptimisticLockFailedException();
-            }
+			if ($statement->rowCount() !== 1) {
+				throw new OptimisticLockFailedException();
+			}
 
-            $this->updateversion++;
-        }
-    }
+			$this->updateversion++;
+		}
+	}
 }
\ No newline at end of file

includes/WebRequest.php

Indentation +556 added lines, -556 removed lines

@@ -22,560 +22,560 @@
  */
 class WebRequest
 {
-    /**
-     * @var \Waca\Providers\GlobalState\IGlobalStateProvider Provides access to the global state.
-     */
-    private static $globalStateProvider;
-
-    /**
-     * Returns a boolean value if the request was submitted with the HTTP POST method.
-     * @return bool
-     */
-    public static function wasPosted()
-    {
-        return self::method() === 'POST';
-    }
-
-    /**
-     * Gets the HTTP Method used
-     * @return string|null
-     */
-    public static function method()
-    {
-        $server = &self::$globalStateProvider->getServerSuperGlobal();
-
-        if (isset($server['REQUEST_METHOD'])) {
-            return $server['REQUEST_METHOD'];
-        }
-
-        return null;
-    }
-
-    /**
-     * Gets a boolean value stating whether the request was served over HTTPS or not.
-     * @return bool
-     */
-    public static function isHttps()
-    {
-        $server = &self::$globalStateProvider->getServerSuperGlobal();
-
-        if (isset($server['HTTP_X_FORWARDED_PROTO'])) {
-            if ($server['HTTP_X_FORWARDED_PROTO'] === 'https') {
-                // Client <=> Proxy is encrypted
-                return true;
-            }
-            else {
-                // Proxy <=> Server link unknown, Client <=> Proxy is not encrypted.
-                return false;
-            }
-        }
-
-        if (isset($server['HTTPS'])) {
-            if ($server['HTTPS'] === 'off') {
-                // ISAPI on IIS breaks the spec. :(
-                return false;
-            }
-
-            if ($server['HTTPS'] !== '') {
-                // Set to a non-empty value
-                return true;
-            }
-        }
-
-        return false;
-    }
-
-    /**
-     * Gets the path info
-     *
-     * @return array Array of path info segments
-     */
-    public static function pathInfo()
-    {
-        $server = &self::$globalStateProvider->getServerSuperGlobal();
-        if (!isset($server['PATH_INFO'])) {
-            return array();
-        }
-
-        $exploded = explode('/', $server['PATH_INFO']);
-
-        // filter out empty values, and reindex from zero. Notably, the first element is always zero, since it starts
-        // with a /
-        return array_values(array_filter($exploded));
-    }
-
-    /**
-     * Gets the remote address of the web request
-     * @return null|string
-     */
-    public static function remoteAddress()
-    {
-        $server = &self::$globalStateProvider->getServerSuperGlobal();
-
-        if (isset($server['REMOTE_ADDR'])) {
-            return $server['REMOTE_ADDR'];
-        }
-
-        return null;
-    }
-
-    /**
-     * Gets the remote address of the web request
-     * @return null|string
-     */
-    public static function httpHost()
-    {
-        $server = &self::$globalStateProvider->getServerSuperGlobal();
-
-        if (isset($server['HTTP_HOST'])) {
-            return $server['HTTP_HOST'];
-        }
-
-        return null;
-    }
-
-    /**
-     * Gets the XFF header contents for the web request
-     * @return null|string
-     */
-    public static function forwardedAddress()
-    {
-        $server = &self::$globalStateProvider->getServerSuperGlobal();
-
-        if (isset($server['HTTP_X_FORWARDED_FOR'])) {
-            return $server['HTTP_X_FORWARDED_FOR'];
-        }
-
-        return null;
-    }
-
-    /**
-     * Sets the global state provider.
-     *
-     * Almost guaranteed this is not the method you want in production code.
-     *
-     * @param \Waca\Providers\GlobalState\IGlobalStateProvider $globalState
-     */
-    public static function setGlobalStateProvider($globalState)
-    {
-        self::$globalStateProvider = $globalState;
-    }
-
-    #region POST variables
-
-    /**
-     * @param string $key
-     *
-     * @return null|string
-     */
-    public static function postString($key)
-    {
-        $post = &self::$globalStateProvider->getPostSuperGlobal();
-        if (!array_key_exists($key, $post)) {
-            return null;
-        }
-
-        if ($post[$key] === "") {
-            return null;
-        }
-
-        return (string)$post[$key];
-    }
-
-    /**
-     * @param string $key
-     *
-     * @return null|string
-     */
-    public static function postEmail($key)
-    {
-        $post = &self::$globalStateProvider->getPostSuperGlobal();
-        if (!array_key_exists($key, $post)) {
-            return null;
-        }
-
-        $filteredValue = filter_var($post[$key], FILTER_SANITIZE_EMAIL);
-
-        if ($filteredValue === false) {
-            return null;
-        }
-
-        return (string)$filteredValue;
-    }
-
-    /**
-     * @param string $key
-     *
-     * @return int|null
-     */
-    public static function postInt($key)
-    {
-        $post = &self::$globalStateProvider->getPostSuperGlobal();
-        if (!array_key_exists($key, $post)) {
-            return null;
-        }
-
-        $filteredValue = filter_var($post[$key], FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
-
-        if ($filteredValue === null) {
-            return null;
-        }
-
-        return (int)$filteredValue;
-    }
-
-    /**
-     * @param string $key
-     *
-     * @return bool
-     */
-    public static function postBoolean($key)
-    {
-        $get = &self::$globalStateProvider->getPostSuperGlobal();
-        if (!array_key_exists($key, $get)) {
-            return false;
-        }
-
-        // presence of parameter only
-        if ($get[$key] === "") {
-            return true;
-        }
-
-        if (in_array($get[$key], array(false, 'no', 'off', 0, 'false'), true)) {
-            return false;
-        }
-
-        return true;
-    }
-
-    #endregion
-
-    #region GET variables
-
-    /**
-     * @param string $key
-     *
-     * @return bool
-     */
-    public static function getBoolean($key)
-    {
-        $get = &self::$globalStateProvider->getGetSuperGlobal();
-        if (!array_key_exists($key, $get)) {
-            return false;
-        }
-
-        // presence of parameter only
-        if ($get[$key] === "") {
-            return true;
-        }
-
-        if (in_array($get[$key], array(false, 'no', 'off', 0, 'false'), true)) {
-            return false;
-        }
-
-        return true;
-    }
-
-    /**
-     * @param string $key
-     *
-     * @return int|null
-     */
-    public static function getInt($key)
-    {
-        $get = &self::$globalStateProvider->getGetSuperGlobal();
-        if (!array_key_exists($key, $get)) {
-            return null;
-        }
-
-        $filteredValue = filter_var($get[$key], FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
-
-        if ($filteredValue === null) {
-            return null;
-        }
-
-        return (int)$filteredValue;
-    }
-
-    /**
-     * @param string $key
-     *
-     * @return null|string
-     */
-    public static function getString($key)
-    {
-        $get = &self::$globalStateProvider->getGetSuperGlobal();
-        if (!array_key_exists($key, $get)) {
-            return null;
-        }
-
-        if ($get[$key] === "") {
-            return null;
-        }
-
-        return (string)$get[$key];
-    }
-
-    #endregion
-
-    /**
-     * Sets the logged-in user to the specified user.
-     *
-     * @param User $user
-     */
-    public static function setLoggedInUser(User $user)
-    {
-        $session = &self::$globalStateProvider->getSessionSuperGlobal();
-
-        $session['userID'] = $user->getId();
-        unset($session['partialLogin']);
-    }
-
-    /**
-     * Sets the post-login redirect
-     */
-    public static function setPostLoginRedirect()
-    {
-        $session = &self::$globalStateProvider->getSessionSuperGlobal();
-        $session['returnTo'] = self::requestUri();
-    }
-
-    /**
-     * @return string|null
-     */
-    public static function requestUri()
-    {
-        $server = &self::$globalStateProvider->getServerSuperGlobal();
-
-        if (isset($server['REQUEST_URI'])) {
-            return $server['REQUEST_URI'];
-        }
-
-        return null;
-    }
-
-    /**
-     * Clears the post-login redirect
-     * @return string
-     */
-    public static function clearPostLoginRedirect()
-    {
-        $session = &self::$globalStateProvider->getSessionSuperGlobal();
-        if (array_key_exists('returnTo', $session)) {
-            $path = $session['returnTo'];
-            unset($session['returnTo']);
-
-            return $path;
-        }
-
-        return null;
-    }
-
-    /**
-     * @return string|null
-     */
-    public static function serverName()
-    {
-        $server = &self::$globalStateProvider->getServerSuperGlobal();
-
-        if (isset($server['SERVER_NAME'])) {
-            return $server['SERVER_NAME'];
-        }
-
-        return null;
-    }
-
-    /**
-     * You probably only want to deal with this through SessionAlert.
-     * @return void
-     */
-    public static function clearSessionAlertData()
-    {
-        $session = &self::$globalStateProvider->getSessionSuperGlobal();
-        if (array_key_exists('alerts', $session)) {
-            unset($session['alerts']);
-        }
-    }
-
-    /**
-     * You probably only want to deal with this through SessionAlert.
-     *
-     * @return string[]
-     */
-    public static function getSessionAlertData()
-    {
-        $session = &self::$globalStateProvider->getSessionSuperGlobal();
-        if (array_key_exists('alerts', $session)) {
-            return $session['alerts'];
-        }
-
-        return array();
-    }
-
-    /**
-     * You probably only want to deal with this through SessionAlert.
-     *
-     * @param string[] $data
-     */
-    public static function setSessionAlertData($data)
-    {
-        $session = &self::$globalStateProvider->getSessionSuperGlobal();
-        $session['alerts'] = $data;
-    }
-
-    /**
-     * You probably only want to deal with this through TokenManager.
-     *
-     * @return string[]
-     */
-    public static function getSessionTokenData()
-    {
-        $session = &self::$globalStateProvider->getSessionSuperGlobal();
-        if (array_key_exists('tokens', $session)) {
-            return $session['tokens'];
-        }
-
-        return array();
-    }
-
-    /**
-     * You probably only want to deal with this through TokenManager.
-     *
-     * @param string[] $data
-     */
-    public static function setSessionTokenData($data)
-    {
-        $session = &self::$globalStateProvider->getSessionSuperGlobal();
-        $session['tokens'] = $data;
-    }
-
-    /**
-     * @param string $key
-     *
-     * @return mixed
-     */
-    public static function getSessionContext($key)
-    {
-        $session = &self::$globalStateProvider->getSessionSuperGlobal();
-
-        if (!isset($session['context'])) {
-            $session['context'] = array();
-        }
-
-        if (!isset($session['context'][$key])) {
-            return null;
-        }
-
-        return $session['context'][$key];
-    }
-
-    /**
-     * @param string $key
-     * @param mixed  $data
-     */
-    public static function setSessionContext($key, $data)
-    {
-        $session = &self::$globalStateProvider->getSessionSuperGlobal();
-
-        if (!isset($session['context'])) {
-            $session['context'] = array();
-        }
-
-        $session['context'][$key] = $data;
-    }
-
-    /**
-     * @return int|null
-     */
-    public static function getSessionUserId()
-    {
-        $session = &self::$globalStateProvider->getSessionSuperGlobal();
-
-        return isset($session['userID']) ? (int)$session['userID'] : null;
-    }
-
-    /**
-     * @param User $user
-     */
-    public static function setOAuthPartialLogin(User $user)
-    {
-        $session = &self::$globalStateProvider->getSessionSuperGlobal();
-        $session['oauthPartialLogin'] = $user->getId();
-    }
-
-    /**
-     * @return int|null
-     */
-    public static function getOAuthPartialLogin()
-    {
-        $session = &self::$globalStateProvider->getSessionSuperGlobal();
-
-        return isset($session['oauthPartialLogin']) ? (int)$session['oauthPartialLogin'] : null;
-    }
-
-    public static function setAuthPartialLogin($userId, $stage)
-    {
-        $session = &self::$globalStateProvider->getSessionSuperGlobal();
-        $session['authPartialLoginId'] = $userId;
-        $session['authPartialLoginStage'] = $stage;
-    }
-
-    public static function getAuthPartialLogin()
-    {
-        $session = &self::$globalStateProvider->getSessionSuperGlobal();
-
-        $userId = isset($session['authPartialLoginId']) ? (int)$session['authPartialLoginId'] : null;
-        $stage = isset($session['authPartialLoginStage']) ? (int)$session['authPartialLoginStage'] : null;
-
-        return array($userId, $stage);
-    }
-
-    public static function clearAuthPartialLogin()
-    {
-        $session = &self::$globalStateProvider->getSessionSuperGlobal();
-        unset($session['authPartialLoginId']);
-        unset($session['authPartialLoginStage']);
-    }
-
-    /**
-     * @return null|string
-     */
-    public static function userAgent()
-    {
-        $server = &self::$globalStateProvider->getServerSuperGlobal();
-
-        if (isset($server['HTTP_USER_AGENT'])) {
-            return $server['HTTP_USER_AGENT'];
-        }
-
-        return null;
-    }
-
-    /**
-     * @return null|string
-     */
-    public static function scriptName()
-    {
-        $server = &self::$globalStateProvider->getServerSuperGlobal();
-
-        if (isset($server['SCRIPT_NAME'])) {
-            return $server['SCRIPT_NAME'];
-        }
-
-        return null;
-    }
-
-    /**
-     * @return null|string
-     */
-    public static function origin()
-    {
-        $server = &self::$globalStateProvider->getServerSuperGlobal();
-
-        if (isset($server['HTTP_ORIGIN'])) {
-            return $server['HTTP_ORIGIN'];
-        }
-
-        return null;
-    }
+	/**
+	 * @var \Waca\Providers\GlobalState\IGlobalStateProvider Provides access to the global state.
+	 */
+	private static $globalStateProvider;
+
+	/**
+	 * Returns a boolean value if the request was submitted with the HTTP POST method.
+	 * @return bool
+	 */
+	public static function wasPosted()
+	{
+		return self::method() === 'POST';
+	}
+
+	/**
+	 * Gets the HTTP Method used
+	 * @return string|null
+	 */
+	public static function method()
+	{
+		$server = &self::$globalStateProvider->getServerSuperGlobal();
+
+		if (isset($server['REQUEST_METHOD'])) {
+			return $server['REQUEST_METHOD'];
+		}
+
+		return null;
+	}
+
+	/**
+	 * Gets a boolean value stating whether the request was served over HTTPS or not.
+	 * @return bool
+	 */
+	public static function isHttps()
+	{
+		$server = &self::$globalStateProvider->getServerSuperGlobal();
+
+		if (isset($server['HTTP_X_FORWARDED_PROTO'])) {
+			if ($server['HTTP_X_FORWARDED_PROTO'] === 'https') {
+				// Client <=> Proxy is encrypted
+				return true;
+			}
+			else {
+				// Proxy <=> Server link unknown, Client <=> Proxy is not encrypted.
+				return false;
+			}
+		}
+
+		if (isset($server['HTTPS'])) {
+			if ($server['HTTPS'] === 'off') {
+				// ISAPI on IIS breaks the spec. :(
+				return false;
+			}
+
+			if ($server['HTTPS'] !== '') {
+				// Set to a non-empty value
+				return true;
+			}
+		}
+
+		return false;
+	}
+
+	/**
+	 * Gets the path info
+	 *
+	 * @return array Array of path info segments
+	 */
+	public static function pathInfo()
+	{
+		$server = &self::$globalStateProvider->getServerSuperGlobal();
+		if (!isset($server['PATH_INFO'])) {
+			return array();
+		}
+
+		$exploded = explode('/', $server['PATH_INFO']);
+
+		// filter out empty values, and reindex from zero. Notably, the first element is always zero, since it starts
+		// with a /
+		return array_values(array_filter($exploded));
+	}
+
+	/**
+	 * Gets the remote address of the web request
+	 * @return null|string
+	 */
+	public static function remoteAddress()
+	{
+		$server = &self::$globalStateProvider->getServerSuperGlobal();
+
+		if (isset($server['REMOTE_ADDR'])) {
+			return $server['REMOTE_ADDR'];
+		}
+
+		return null;
+	}
+
+	/**
+	 * Gets the remote address of the web request
+	 * @return null|string
+	 */
+	public static function httpHost()
+	{
+		$server = &self::$globalStateProvider->getServerSuperGlobal();
+
+		if (isset($server['HTTP_HOST'])) {
+			return $server['HTTP_HOST'];
+		}
+
+		return null;
+	}
+
+	/**
+	 * Gets the XFF header contents for the web request
+	 * @return null|string
+	 */
+	public static function forwardedAddress()
+	{
+		$server = &self::$globalStateProvider->getServerSuperGlobal();
+
+		if (isset($server['HTTP_X_FORWARDED_FOR'])) {
+			return $server['HTTP_X_FORWARDED_FOR'];
+		}
+
+		return null;
+	}
+
+	/**
+	 * Sets the global state provider.
+	 *
+	 * Almost guaranteed this is not the method you want in production code.
+	 *
+	 * @param \Waca\Providers\GlobalState\IGlobalStateProvider $globalState
+	 */
+	public static function setGlobalStateProvider($globalState)
+	{
+		self::$globalStateProvider = $globalState;
+	}
+
+	#region POST variables
+
+	/**
+	 * @param string $key
+	 *
+	 * @return null|string
+	 */
+	public static function postString($key)
+	{
+		$post = &self::$globalStateProvider->getPostSuperGlobal();
+		if (!array_key_exists($key, $post)) {
+			return null;
+		}
+
+		if ($post[$key] === "") {
+			return null;
+		}
+
+		return (string)$post[$key];
+	}
+
+	/**
+	 * @param string $key
+	 *
+	 * @return null|string
+	 */
+	public static function postEmail($key)
+	{
+		$post = &self::$globalStateProvider->getPostSuperGlobal();
+		if (!array_key_exists($key, $post)) {
+			return null;
+		}
+
+		$filteredValue = filter_var($post[$key], FILTER_SANITIZE_EMAIL);
+
+		if ($filteredValue === false) {
+			return null;
+		}
+
+		return (string)$filteredValue;
+	}
+
+	/**
+	 * @param string $key
+	 *
+	 * @return int|null
+	 */
+	public static function postInt($key)
+	{
+		$post = &self::$globalStateProvider->getPostSuperGlobal();
+		if (!array_key_exists($key, $post)) {
+			return null;
+		}
+
+		$filteredValue = filter_var($post[$key], FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
+
+		if ($filteredValue === null) {
+			return null;
+		}
+
+		return (int)$filteredValue;
+	}
+
+	/**
+	 * @param string $key
+	 *
+	 * @return bool
+	 */
+	public static function postBoolean($key)
+	{
+		$get = &self::$globalStateProvider->getPostSuperGlobal();
+		if (!array_key_exists($key, $get)) {
+			return false;
+		}
+
+		// presence of parameter only
+		if ($get[$key] === "") {
+			return true;
+		}
+
+		if (in_array($get[$key], array(false, 'no', 'off', 0, 'false'), true)) {
+			return false;
+		}
+
+		return true;
+	}
+
+	#endregion
+
+	#region GET variables
+
+	/**
+	 * @param string $key
+	 *
+	 * @return bool
+	 */
+	public static function getBoolean($key)
+	{
+		$get = &self::$globalStateProvider->getGetSuperGlobal();
+		if (!array_key_exists($key, $get)) {
+			return false;
+		}
+
+		// presence of parameter only
+		if ($get[$key] === "") {
+			return true;
+		}
+
+		if (in_array($get[$key], array(false, 'no', 'off', 0, 'false'), true)) {
+			return false;
+		}
+
+		return true;
+	}
+
+	/**
+	 * @param string $key
+	 *
+	 * @return int|null
+	 */
+	public static function getInt($key)
+	{
+		$get = &self::$globalStateProvider->getGetSuperGlobal();
+		if (!array_key_exists($key, $get)) {
+			return null;
+		}
+
+		$filteredValue = filter_var($get[$key], FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
+
+		if ($filteredValue === null) {
+			return null;
+		}
+
+		return (int)$filteredValue;
+	}
+
+	/**
+	 * @param string $key
+	 *
+	 * @return null|string
+	 */
+	public static function getString($key)
+	{
+		$get = &self::$globalStateProvider->getGetSuperGlobal();
+		if (!array_key_exists($key, $get)) {
+			return null;
+		}
+
+		if ($get[$key] === "") {
+			return null;
+		}
+
+		return (string)$get[$key];
+	}
+
+	#endregion
+
+	/**
+	 * Sets the logged-in user to the specified user.
+	 *
+	 * @param User $user
+	 */
+	public static function setLoggedInUser(User $user)
+	{
+		$session = &self::$globalStateProvider->getSessionSuperGlobal();
+
+		$session['userID'] = $user->getId();
+		unset($session['partialLogin']);
+	}
+
+	/**
+	 * Sets the post-login redirect
+	 */
+	public static function setPostLoginRedirect()
+	{
+		$session = &self::$globalStateProvider->getSessionSuperGlobal();
+		$session['returnTo'] = self::requestUri();
+	}
+
+	/**
+	 * @return string|null
+	 */
+	public static function requestUri()
+	{
+		$server = &self::$globalStateProvider->getServerSuperGlobal();
+
+		if (isset($server['REQUEST_URI'])) {
+			return $server['REQUEST_URI'];
+		}
+
+		return null;
+	}
+
+	/**
+	 * Clears the post-login redirect
+	 * @return string
+	 */
+	public static function clearPostLoginRedirect()
+	{
+		$session = &self::$globalStateProvider->getSessionSuperGlobal();
+		if (array_key_exists('returnTo', $session)) {
+			$path = $session['returnTo'];
+			unset($session['returnTo']);
+
+			return $path;
+		}
+
+		return null;
+	}
+
+	/**
+	 * @return string|null
+	 */
+	public static function serverName()
+	{
+		$server = &self::$globalStateProvider->getServerSuperGlobal();
+
+		if (isset($server['SERVER_NAME'])) {
+			return $server['SERVER_NAME'];
+		}
+
+		return null;
+	}
+
+	/**
+	 * You probably only want to deal with this through SessionAlert.
+	 * @return void
+	 */
+	public static function clearSessionAlertData()
+	{
+		$session = &self::$globalStateProvider->getSessionSuperGlobal();
+		if (array_key_exists('alerts', $session)) {
+			unset($session['alerts']);
+		}
+	}
+
+	/**
+	 * You probably only want to deal with this through SessionAlert.
+	 *
+	 * @return string[]
+	 */
+	public static function getSessionAlertData()
+	{
+		$session = &self::$globalStateProvider->getSessionSuperGlobal();
+		if (array_key_exists('alerts', $session)) {
+			return $session['alerts'];
+		}
+
+		return array();
+	}
+
+	/**
+	 * You probably only want to deal with this through SessionAlert.
+	 *
+	 * @param string[] $data
+	 */
+	public static function setSessionAlertData($data)
+	{
+		$session = &self::$globalStateProvider->getSessionSuperGlobal();
+		$session['alerts'] = $data;
+	}
+
+	/**
+	 * You probably only want to deal with this through TokenManager.
+	 *
+	 * @return string[]
+	 */
+	public static function getSessionTokenData()
+	{
+		$session = &self::$globalStateProvider->getSessionSuperGlobal();
+		if (array_key_exists('tokens', $session)) {
+			return $session['tokens'];
+		}
+
+		return array();
+	}
+
+	/**
+	 * You probably only want to deal with this through TokenManager.
+	 *
+	 * @param string[] $data
+	 */
+	public static function setSessionTokenData($data)
+	{
+		$session = &self::$globalStateProvider->getSessionSuperGlobal();
+		$session['tokens'] = $data;
+	}
+
+	/**
+	 * @param string $key
+	 *
+	 * @return mixed
+	 */
+	public static function getSessionContext($key)
+	{
+		$session = &self::$globalStateProvider->getSessionSuperGlobal();
+
+		if (!isset($session['context'])) {
+			$session['context'] = array();
+		}
+
+		if (!isset($session['context'][$key])) {
+			return null;
+		}
+
+		return $session['context'][$key];
+	}
+
+	/**
+	 * @param string $key
+	 * @param mixed  $data
+	 */
+	public static function setSessionContext($key, $data)
+	{
+		$session = &self::$globalStateProvider->getSessionSuperGlobal();
+
+		if (!isset($session['context'])) {
+			$session['context'] = array();
+		}
+
+		$session['context'][$key] = $data;
+	}
+
+	/**
+	 * @return int|null
+	 */
+	public static function getSessionUserId()
+	{
+		$session = &self::$globalStateProvider->getSessionSuperGlobal();
+
+		return isset($session['userID']) ? (int)$session['userID'] : null;
+	}
+
+	/**
+	 * @param User $user
+	 */
+	public static function setOAuthPartialLogin(User $user)
+	{
+		$session = &self::$globalStateProvider->getSessionSuperGlobal();
+		$session['oauthPartialLogin'] = $user->getId();
+	}
+
+	/**
+	 * @return int|null
+	 */
+	public static function getOAuthPartialLogin()
+	{
+		$session = &self::$globalStateProvider->getSessionSuperGlobal();
+
+		return isset($session['oauthPartialLogin']) ? (int)$session['oauthPartialLogin'] : null;
+	}
+
+	public static function setAuthPartialLogin($userId, $stage)
+	{
+		$session = &self::$globalStateProvider->getSessionSuperGlobal();
+		$session['authPartialLoginId'] = $userId;
+		$session['authPartialLoginStage'] = $stage;
+	}
+
+	public static function getAuthPartialLogin()
+	{
+		$session = &self::$globalStateProvider->getSessionSuperGlobal();
+
+		$userId = isset($session['authPartialLoginId']) ? (int)$session['authPartialLoginId'] : null;
+		$stage = isset($session['authPartialLoginStage']) ? (int)$session['authPartialLoginStage'] : null;
+
+		return array($userId, $stage);
+	}
+
+	public static function clearAuthPartialLogin()
+	{
+		$session = &self::$globalStateProvider->getSessionSuperGlobal();
+		unset($session['authPartialLoginId']);
+		unset($session['authPartialLoginStage']);
+	}
+
+	/**
+	 * @return null|string
+	 */
+	public static function userAgent()
+	{
+		$server = &self::$globalStateProvider->getServerSuperGlobal();
+
+		if (isset($server['HTTP_USER_AGENT'])) {
+			return $server['HTTP_USER_AGENT'];
+		}
+
+		return null;
+	}
+
+	/**
+	 * @return null|string
+	 */
+	public static function scriptName()
+	{
+		$server = &self::$globalStateProvider->getServerSuperGlobal();
+
+		if (isset($server['SCRIPT_NAME'])) {
+			return $server['SCRIPT_NAME'];
+		}
+
+		return null;
+	}
+
+	/**
+	 * @return null|string
+	 */
+	public static function origin()
+	{
+		$server = &self::$globalStateProvider->getServerSuperGlobal();
+
+		if (isset($server['HTTP_ORIGIN'])) {
+			return $server['HTTP_ORIGIN'];
+		}
+
+		return null;
+	}
 }
\ No newline at end of file

includes/Pages/UserAuth/MultiFactor/PageMultiFactor.php

Braces +4 added lines, -2 removed lines

@@ -229,7 +229,8 @@ 
         $this->deleteCredential($database, $currentUser, $otpCredentialProvider, $factorType);
     }
 
-    protected function enableU2F() {
+    protected function enableU2F()
+    {
         $database = $this->getDatabase();
         $currentUser = User::getCurrent($database);
 
@@ -336,7 +337,8 @@ 
         }
     }
 
-    protected function disableU2F() {
+    protected function disableU2F()
+    {
         $database = $this->getDatabase();
         $currentUser = User::getCurrent($database);
 

Indentation +372 added lines, -372 removed lines

@@ -26,239 +26,239 @@ 
 
 class PageMultiFactor extends InternalPageBase
 {
-    /**
-     * Main function for this page, when no specific actions are called.
-     * @return void
-     */
-    protected function main()
-    {
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
-
-        $yubikeyOtpCredentialProvider = new YubikeyOtpCredentialProvider($database, $this->getSiteConfiguration(),
-            $this->getHttpHelper());
-        $this->assign('yubikeyOtpIdentity', $yubikeyOtpCredentialProvider->getYubikeyData($currentUser->getId()));
-        $this->assign('yubikeyOtpEnrolled', $yubikeyOtpCredentialProvider->userIsEnrolled($currentUser->getId()));
-
-        $totpCredentialProvider = new TotpCredentialProvider($database, $this->getSiteConfiguration());
-        $this->assign('totpEnrolled', $totpCredentialProvider->userIsEnrolled($currentUser->getId()));
-
-        $u2fCredentialProvider = new U2FCredentialProvider($database, $this->getSiteConfiguration());
-        $this->assign('u2fEnrolled', $u2fCredentialProvider->userIsEnrolled($currentUser->getId()));
-
-        $scratchCredentialProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
-        $this->assign('scratchEnrolled', $scratchCredentialProvider->userIsEnrolled($currentUser->getId()));
-        $this->assign('scratchRemaining', $scratchCredentialProvider->getRemaining($currentUser->getId()));
-
-        $this->setTemplate('mfa/mfa.tpl');
-    }
-
-    protected function enableYubikeyOtp()
-    {
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
-
-        $otpCredentialProvider = new YubikeyOtpCredentialProvider($database,
-            $this->getSiteConfiguration(), $this->getHttpHelper());
-
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-
-            $passwordCredentialProvider = new PasswordCredentialProvider($database,
-                $this->getSiteConfiguration());
-
-            $password = WebRequest::postString('password');
-            $otp = WebRequest::postString('otp');
-
-            $result = $passwordCredentialProvider->authenticate($currentUser, $password);
-
-            if ($result) {
-                try {
-                    $otpCredentialProvider->setCredential($currentUser, 2, $otp);
-                    SessionAlert::success('Enabled YubiKey OTP.');
-
-                    $scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
-                    if($scratchProvider->getRemaining($currentUser->getId()) < 3) {
-                        $scratchProvider->setCredential($currentUser, 2, null);
-                        $tokens = $scratchProvider->getTokens();
-                        $this->assign('tokens', $tokens);
-                        $this->setTemplate('mfa/regenScratchTokens.tpl');
-                        return;
-                    }
-                }
-                catch (ApplicationLogicException $ex) {
-                    SessionAlert::error('Error enabling YubiKey OTP: ' . $ex->getMessage());
-                }
-
-                $this->redirect('multiFactor');
-            }
-            else {
-                SessionAlert::error('Error enabling YubiKey OTP - invalid credentials.');
-                $this->redirect('multiFactor');
-            }
-        }
-        else {
-            if ($otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
-                // user is not enrolled, we shouldn't have got here.
-                throw new ApplicationLogicException('User is already enrolled in the selected MFA mechanism');
-            }
-
-            $this->assignCSRFToken();
-            $this->setTemplate('mfa/enableYubikey.tpl');
-        }
-    }
-
-    protected function disableYubikeyOtp()
-    {
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
-
-        $otpCredentialProvider = new YubikeyOtpCredentialProvider($database,
-            $this->getSiteConfiguration(), $this->getHttpHelper());
-
-        $factorType = 'YubiKey OTP';
-
-        $this->deleteCredential($database, $currentUser, $otpCredentialProvider, $factorType);
-    }
-
-    protected function enableTotp()
-    {
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
-
-        $otpCredentialProvider = new TotpCredentialProvider($database, $this->getSiteConfiguration());
-
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-
-            // used for routing only, not security
-            $stage = WebRequest::postString('stage');
-
-            if ($stage === "auth") {
-                $password = WebRequest::postString('password');
-
-                $passwordCredentialProvider = new PasswordCredentialProvider($database,
-                    $this->getSiteConfiguration());
-                $result = $passwordCredentialProvider->authenticate($currentUser, $password);
-
-                if ($result) {
-                    $otpCredentialProvider->setCredential($currentUser, 2, null);
-
-                    $provisioningUrl = $otpCredentialProvider->getProvisioningUrl($currentUser);
-
-                    $renderer = new Svg();
-                    $renderer->setHeight(256);
-                    $renderer->setWidth(256);
-                    $writer = new Writer($renderer);
-                    $svg = $writer->writeString($provisioningUrl);
-
-                    $this->assign('svg', $svg);
-                    $this->assign('secret', $otpCredentialProvider->getSecret($currentUser));
-
-                    $this->assignCSRFToken();
-                    $this->setTemplate('mfa/enableTotpEnroll.tpl');
-
-                    return;
-                }
-                else {
-                    SessionAlert::error('Error enabling TOTP - invalid credentials.');
-                    $this->redirect('multiFactor');
-
-                    return;
-                }
-            }
-
-            if ($stage === "enroll") {
-                // we *must* have a defined credential already here,
-                if ($otpCredentialProvider->isPartiallyEnrolled($currentUser)) {
-                    $otp = WebRequest::postString('otp');
-                    $result = $otpCredentialProvider->verifyEnable($currentUser, $otp);
-
-                    if ($result) {
-                        SessionAlert::success('Enabled TOTP.');
-
-                        $scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
-                        if($scratchProvider->getRemaining($currentUser->getId()) < 3) {
-                            $scratchProvider->setCredential($currentUser, 2, null);
-                            $tokens = $scratchProvider->getTokens();
-                            $this->assign('tokens', $tokens);
-                            $this->setTemplate('mfa/regenScratchTokens.tpl');
-                            return;
-                        }
-                    }
-                    else {
-                        $otpCredentialProvider->deleteCredential($currentUser);
-                        SessionAlert::error('Error enabling TOTP: invalid token provided');
-                    }
-
-
-                    $this->redirect('multiFactor');
-                    return;
-                }
-                else {
-                    SessionAlert::error('Error enabling TOTP - no enrollment found or enrollment expired.');
-                    $this->redirect('multiFactor');
+	/**
+	 * Main function for this page, when no specific actions are called.
+	 * @return void
+	 */
+	protected function main()
+	{
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
+
+		$yubikeyOtpCredentialProvider = new YubikeyOtpCredentialProvider($database, $this->getSiteConfiguration(),
+			$this->getHttpHelper());
+		$this->assign('yubikeyOtpIdentity', $yubikeyOtpCredentialProvider->getYubikeyData($currentUser->getId()));
+		$this->assign('yubikeyOtpEnrolled', $yubikeyOtpCredentialProvider->userIsEnrolled($currentUser->getId()));
+
+		$totpCredentialProvider = new TotpCredentialProvider($database, $this->getSiteConfiguration());
+		$this->assign('totpEnrolled', $totpCredentialProvider->userIsEnrolled($currentUser->getId()));
+
+		$u2fCredentialProvider = new U2FCredentialProvider($database, $this->getSiteConfiguration());
+		$this->assign('u2fEnrolled', $u2fCredentialProvider->userIsEnrolled($currentUser->getId()));
+
+		$scratchCredentialProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
+		$this->assign('scratchEnrolled', $scratchCredentialProvider->userIsEnrolled($currentUser->getId()));
+		$this->assign('scratchRemaining', $scratchCredentialProvider->getRemaining($currentUser->getId()));
+
+		$this->setTemplate('mfa/mfa.tpl');
+	}
+
+	protected function enableYubikeyOtp()
+	{
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
+
+		$otpCredentialProvider = new YubikeyOtpCredentialProvider($database,
+			$this->getSiteConfiguration(), $this->getHttpHelper());
+
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
+
+			$passwordCredentialProvider = new PasswordCredentialProvider($database,
+				$this->getSiteConfiguration());
+
+			$password = WebRequest::postString('password');
+			$otp = WebRequest::postString('otp');
+
+			$result = $passwordCredentialProvider->authenticate($currentUser, $password);
+
+			if ($result) {
+				try {
+					$otpCredentialProvider->setCredential($currentUser, 2, $otp);
+					SessionAlert::success('Enabled YubiKey OTP.');
+
+					$scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
+					if($scratchProvider->getRemaining($currentUser->getId()) < 3) {
+						$scratchProvider->setCredential($currentUser, 2, null);
+						$tokens = $scratchProvider->getTokens();
+						$this->assign('tokens', $tokens);
+						$this->setTemplate('mfa/regenScratchTokens.tpl');
+						return;
+					}
+				}
+				catch (ApplicationLogicException $ex) {
+					SessionAlert::error('Error enabling YubiKey OTP: ' . $ex->getMessage());
+				}
+
+				$this->redirect('multiFactor');
+			}
+			else {
+				SessionAlert::error('Error enabling YubiKey OTP - invalid credentials.');
+				$this->redirect('multiFactor');
+			}
+		}
+		else {
+			if ($otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
+				// user is not enrolled, we shouldn't have got here.
+				throw new ApplicationLogicException('User is already enrolled in the selected MFA mechanism');
+			}
+
+			$this->assignCSRFToken();
+			$this->setTemplate('mfa/enableYubikey.tpl');
+		}
+	}
+
+	protected function disableYubikeyOtp()
+	{
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
 
-                    return;
-                }
-            }
+		$otpCredentialProvider = new YubikeyOtpCredentialProvider($database,
+			$this->getSiteConfiguration(), $this->getHttpHelper());
+
+		$factorType = 'YubiKey OTP';
+
+		$this->deleteCredential($database, $currentUser, $otpCredentialProvider, $factorType);
+	}
 
-            // urgh, dunno what happened, but it's not something expected.
-            throw new ApplicationLogicException();
-        }
-        else {
-            if ($otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
-                // user is not enrolled, we shouldn't have got here.
-                throw new ApplicationLogicException('User is already enrolled in the selected MFA mechanism');
-            }
+	protected function enableTotp()
+	{
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
+
+		$otpCredentialProvider = new TotpCredentialProvider($database, $this->getSiteConfiguration());
+
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
+
+			// used for routing only, not security
+			$stage = WebRequest::postString('stage');
+
+			if ($stage === "auth") {
+				$password = WebRequest::postString('password');
+
+				$passwordCredentialProvider = new PasswordCredentialProvider($database,
+					$this->getSiteConfiguration());
+				$result = $passwordCredentialProvider->authenticate($currentUser, $password);
+
+				if ($result) {
+					$otpCredentialProvider->setCredential($currentUser, 2, null);
+
+					$provisioningUrl = $otpCredentialProvider->getProvisioningUrl($currentUser);
+
+					$renderer = new Svg();
+					$renderer->setHeight(256);
+					$renderer->setWidth(256);
+					$writer = new Writer($renderer);
+					$svg = $writer->writeString($provisioningUrl);
+
+					$this->assign('svg', $svg);
+					$this->assign('secret', $otpCredentialProvider->getSecret($currentUser));
+
+					$this->assignCSRFToken();
+					$this->setTemplate('mfa/enableTotpEnroll.tpl');
+
+					return;
+				}
+				else {
+					SessionAlert::error('Error enabling TOTP - invalid credentials.');
+					$this->redirect('multiFactor');
+
+					return;
+				}
+			}
+
+			if ($stage === "enroll") {
+				// we *must* have a defined credential already here,
+				if ($otpCredentialProvider->isPartiallyEnrolled($currentUser)) {
+					$otp = WebRequest::postString('otp');
+					$result = $otpCredentialProvider->verifyEnable($currentUser, $otp);
+
+					if ($result) {
+						SessionAlert::success('Enabled TOTP.');
+
+						$scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
+						if($scratchProvider->getRemaining($currentUser->getId()) < 3) {
+							$scratchProvider->setCredential($currentUser, 2, null);
+							$tokens = $scratchProvider->getTokens();
+							$this->assign('tokens', $tokens);
+							$this->setTemplate('mfa/regenScratchTokens.tpl');
+							return;
+						}
+					}
+					else {
+						$otpCredentialProvider->deleteCredential($currentUser);
+						SessionAlert::error('Error enabling TOTP: invalid token provided');
+					}
+
+
+					$this->redirect('multiFactor');
+					return;
+				}
+				else {
+					SessionAlert::error('Error enabling TOTP - no enrollment found or enrollment expired.');
+					$this->redirect('multiFactor');
+
+					return;
+				}
+			}
+
+			// urgh, dunno what happened, but it's not something expected.
+			throw new ApplicationLogicException();
+		}
+		else {
+			if ($otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
+				// user is not enrolled, we shouldn't have got here.
+				throw new ApplicationLogicException('User is already enrolled in the selected MFA mechanism');
+			}
+
+			$this->assignCSRFToken();
+			$this->setTemplate('mfa/enableTotpAuth.tpl');
+		}
+	}
+
+	protected function disableTotp()
+	{
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
+
+		$otpCredentialProvider = new TotpCredentialProvider($database, $this->getSiteConfiguration());
+
+		$factorType = 'TOTP';
+
+		$this->deleteCredential($database, $currentUser, $otpCredentialProvider, $factorType);
+	}
 
-            $this->assignCSRFToken();
-            $this->setTemplate('mfa/enableTotpAuth.tpl');
-        }
-    }
+	protected function enableU2F() {
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
 
-    protected function disableTotp()
-    {
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
+		$otpCredentialProvider = new U2FCredentialProvider($database, $this->getSiteConfiguration());
 
-        $otpCredentialProvider = new TotpCredentialProvider($database, $this->getSiteConfiguration());
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
 
-        $factorType = 'TOTP';
+			// used for routing only, not security
+			$stage = WebRequest::postString('stage');
 
-        $this->deleteCredential($database, $currentUser, $otpCredentialProvider, $factorType);
-    }
+			if ($stage === "auth") {
+				$password = WebRequest::postString('password');
 
-    protected function enableU2F() {
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
+				$passwordCredentialProvider = new PasswordCredentialProvider($database,
+					$this->getSiteConfiguration());
+				$result = $passwordCredentialProvider->authenticate($currentUser, $password);
 
-        $otpCredentialProvider = new U2FCredentialProvider($database, $this->getSiteConfiguration());
-
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-
-            // used for routing only, not security
-            $stage = WebRequest::postString('stage');
+				if ($result) {
+					$otpCredentialProvider->setCredential($currentUser, 2, null);
+					$this->assignCSRFToken();
 
-            if ($stage === "auth") {
-                $password = WebRequest::postString('password');
-
-                $passwordCredentialProvider = new PasswordCredentialProvider($database,
-                    $this->getSiteConfiguration());
-                $result = $passwordCredentialProvider->authenticate($currentUser, $password);
-
-                if ($result) {
-                    $otpCredentialProvider->setCredential($currentUser, 2, null);
-                    $this->assignCSRFToken();
-
-                    list($data, $reqs) = $otpCredentialProvider->getRegistrationData();
-
-                    $u2fRequest =json_encode($data);
-                    $u2fSigns = json_encode($reqs);
-
-                    $this->addJs('/vendor/yubico/u2flib-server/examples/assets/u2f-api.js');
-                    $this->setTailScript(<<<JS
+					list($data, $reqs) = $otpCredentialProvider->getRegistrationData();
+
+					$u2fRequest =json_encode($data);
+					$u2fSigns = json_encode($reqs);
+
+					$this->addJs('/vendor/yubico/u2flib-server/examples/assets/u2f-api.js');
+					$this->setTailScript(<<<JS
 var request = ${u2fRequest};
 var signs = ${u2fSigns};
 
@@ -277,153 +277,153 @@ 
 	form.submit();
 });
 JS
-                    );
-
-                    $this->setTemplate('mfa/enableU2FEnroll.tpl');
-
-                    return;
-                }
-                else {
-                    SessionAlert::error('Error enabling TOTP - invalid credentials.');
-                    $this->redirect('multiFactor');
-
-                    return;
-                }
-            }
-
-            if ($stage === "enroll") {
-                // we *must* have a defined credential already here,
-                if ($otpCredentialProvider->isPartiallyEnrolled($currentUser)) {
-
-                    $request = json_decode(WebRequest::postString('u2fRequest'));
-                    $u2fData = json_decode(WebRequest::postString('u2fData'));
-
-                    $otpCredentialProvider->enable($currentUser, $request, $u2fData);
-
-                    SessionAlert::success('Enabled TOTP.');
-
-                    $scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
-                    if($scratchProvider->getRemaining($currentUser->getId()) < 3) {
-                        $scratchProvider->setCredential($currentUser, 2, null);
-                        $tokens = $scratchProvider->getTokens();
-                        $this->assign('tokens', $tokens);
-                        $this->setTemplate('mfa/regenScratchTokens.tpl');
-                        return;
-                    }
-
-                    $this->redirect('multiFactor');
-                    return;
-                }
-                else {
-                    SessionAlert::error('Error enabling TOTP - no enrollment found or enrollment expired.');
-                    $this->redirect('multiFactor');
-
-                    return;
-                }
-            }
-
-            // urgh, dunno what happened, but it's not something expected.
-            throw new ApplicationLogicException();
-        }
-        else {
-            if ($otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
-                // user is not enrolled, we shouldn't have got here.
-                throw new ApplicationLogicException('User is already enrolled in the selected MFA mechanism');
-            }
-
-            $this->assignCSRFToken();
-            $this->setTemplate('mfa/enableU2FAuth.tpl');
-        }
-    }
-
-    protected function disableU2F() {
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
-
-        $otpCredentialProvider = new U2FCredentialProvider($database, $this->getSiteConfiguration());
-
-        $factorType = 'U2F';
-
-        $this->deleteCredential($database, $currentUser, $otpCredentialProvider, $factorType);
-    }
-
-    protected function scratch()
-    {
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
-
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-
-            $passwordCredentialProvider = new PasswordCredentialProvider($database,
-                $this->getSiteConfiguration());
-
-            $otpCredentialProvider = new ScratchTokenCredentialProvider($database,
-                $this->getSiteConfiguration());
-
-            $password = WebRequest::postString('password');
-
-            $result = $passwordCredentialProvider->authenticate($currentUser, $password);
-
-            if ($result) {
-                $otpCredentialProvider->setCredential($currentUser, 2, null);
-                $tokens = $otpCredentialProvider->getTokens();
-                $this->assign('tokens', $tokens);
-                $this->setTemplate('mfa/regenScratchTokens.tpl');
-            }
-            else {
-                SessionAlert::error('Error refreshing scratch tokens - invalid credentials.');
-                $this->redirect('multiFactor');
-            }
-        }
-        else {
-            $this->assignCSRFToken();
-            $this->setTemplate('mfa/regenScratchAuth.tpl');
-        }
-    }
-
-    /**
-     * @param PdoDatabase         $database
-     * @param User                $currentUser
-     * @param ICredentialProvider $otpCredentialProvider
-     * @param string              $factorType
-     *
-     * @throws ApplicationLogicException
-     */
-    private function deleteCredential(
-        PdoDatabase $database,
-        User $currentUser,
-        ICredentialProvider $otpCredentialProvider,
-        $factorType
-    ) {
-        if (WebRequest::wasPosted()) {
-            $passwordCredentialProvider = new PasswordCredentialProvider($database,
-                $this->getSiteConfiguration());
-
-            $this->validateCSRFToken();
-
-            $password = WebRequest::postString('password');
-            $result = $passwordCredentialProvider->authenticate($currentUser, $password);
-
-            if ($result) {
-                $otpCredentialProvider->deleteCredential($currentUser);
-                SessionAlert::success('Disabled ' . $factorType . '.');
-                $this->redirect('multiFactor');
-            }
-            else {
-                SessionAlert::error('Error disabling ' . $factorType . ' - invalid credentials.');
-                $this->redirect('multiFactor');
-            }
-        }
-        else {
-            if (!$otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
-                // user is not enrolled, we shouldn't have got here.
-                throw new ApplicationLogicException('User is not enrolled in the selected MFA mechanism');
-            }
-
-            $this->assignCSRFToken();
-            $this->assign('otpType', $factorType);
-            $this->setTemplate('mfa/disableOtp.tpl');
-        }
-    }
+					);
+
+					$this->setTemplate('mfa/enableU2FEnroll.tpl');
+
+					return;
+				}
+				else {
+					SessionAlert::error('Error enabling TOTP - invalid credentials.');
+					$this->redirect('multiFactor');
+
+					return;
+				}
+			}
+
+			if ($stage === "enroll") {
+				// we *must* have a defined credential already here,
+				if ($otpCredentialProvider->isPartiallyEnrolled($currentUser)) {
+
+					$request = json_decode(WebRequest::postString('u2fRequest'));
+					$u2fData = json_decode(WebRequest::postString('u2fData'));
+
+					$otpCredentialProvider->enable($currentUser, $request, $u2fData);
+
+					SessionAlert::success('Enabled TOTP.');
+
+					$scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
+					if($scratchProvider->getRemaining($currentUser->getId()) < 3) {
+						$scratchProvider->setCredential($currentUser, 2, null);
+						$tokens = $scratchProvider->getTokens();
+						$this->assign('tokens', $tokens);
+						$this->setTemplate('mfa/regenScratchTokens.tpl');
+						return;
+					}
+
+					$this->redirect('multiFactor');
+					return;
+				}
+				else {
+					SessionAlert::error('Error enabling TOTP - no enrollment found or enrollment expired.');
+					$this->redirect('multiFactor');
+
+					return;
+				}
+			}
+
+			// urgh, dunno what happened, but it's not something expected.
+			throw new ApplicationLogicException();
+		}
+		else {
+			if ($otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
+				// user is not enrolled, we shouldn't have got here.
+				throw new ApplicationLogicException('User is already enrolled in the selected MFA mechanism');
+			}
+
+			$this->assignCSRFToken();
+			$this->setTemplate('mfa/enableU2FAuth.tpl');
+		}
+	}
+
+	protected function disableU2F() {
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
+
+		$otpCredentialProvider = new U2FCredentialProvider($database, $this->getSiteConfiguration());
+
+		$factorType = 'U2F';
+
+		$this->deleteCredential($database, $currentUser, $otpCredentialProvider, $factorType);
+	}
+
+	protected function scratch()
+	{
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
+
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
+
+			$passwordCredentialProvider = new PasswordCredentialProvider($database,
+				$this->getSiteConfiguration());
+
+			$otpCredentialProvider = new ScratchTokenCredentialProvider($database,
+				$this->getSiteConfiguration());
+
+			$password = WebRequest::postString('password');
+
+			$result = $passwordCredentialProvider->authenticate($currentUser, $password);
+
+			if ($result) {
+				$otpCredentialProvider->setCredential($currentUser, 2, null);
+				$tokens = $otpCredentialProvider->getTokens();
+				$this->assign('tokens', $tokens);
+				$this->setTemplate('mfa/regenScratchTokens.tpl');
+			}
+			else {
+				SessionAlert::error('Error refreshing scratch tokens - invalid credentials.');
+				$this->redirect('multiFactor');
+			}
+		}
+		else {
+			$this->assignCSRFToken();
+			$this->setTemplate('mfa/regenScratchAuth.tpl');
+		}
+	}
+
+	/**
+	 * @param PdoDatabase         $database
+	 * @param User                $currentUser
+	 * @param ICredentialProvider $otpCredentialProvider
+	 * @param string              $factorType
+	 *
+	 * @throws ApplicationLogicException
+	 */
+	private function deleteCredential(
+		PdoDatabase $database,
+		User $currentUser,
+		ICredentialProvider $otpCredentialProvider,
+		$factorType
+	) {
+		if (WebRequest::wasPosted()) {
+			$passwordCredentialProvider = new PasswordCredentialProvider($database,
+				$this->getSiteConfiguration());
+
+			$this->validateCSRFToken();
+
+			$password = WebRequest::postString('password');
+			$result = $passwordCredentialProvider->authenticate($currentUser, $password);
+
+			if ($result) {
+				$otpCredentialProvider->deleteCredential($currentUser);
+				SessionAlert::success('Disabled ' . $factorType . '.');
+				$this->redirect('multiFactor');
+			}
+			else {
+				SessionAlert::error('Error disabling ' . $factorType . ' - invalid credentials.');
+				$this->redirect('multiFactor');
+			}
+		}
+		else {
+			if (!$otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
+				// user is not enrolled, we shouldn't have got here.
+				throw new ApplicationLogicException('User is not enrolled in the selected MFA mechanism');
+			}
+
+			$this->assignCSRFToken();
+			$this->assign('otpType', $factorType);
+			$this->setTemplate('mfa/disableOtp.tpl');
+		}
+	}
 }

Spacing +7 added lines, -7 removed lines

@@ -78,7 +78,7 @@ 
                     SessionAlert::success('Enabled YubiKey OTP.');
 
                     $scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
-                    if($scratchProvider->getRemaining($currentUser->getId()) < 3) {
+                    if ($scratchProvider->getRemaining($currentUser->getId()) < 3) {
                         $scratchProvider->setCredential($currentUser, 2, null);
                         $tokens = $scratchProvider->getTokens();
                         $this->assign('tokens', $tokens);
@@ -87,7 +87,7 @@ 
                     }
                 }
                 catch (ApplicationLogicException $ex) {
-                    SessionAlert::error('Error enabling YubiKey OTP: ' . $ex->getMessage());
+                    SessionAlert::error('Error enabling YubiKey OTP: '.$ex->getMessage());
                 }
 
                 $this->redirect('multiFactor');
@@ -178,7 +178,7 @@ 
                         SessionAlert::success('Enabled TOTP.');
 
                         $scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
-                        if($scratchProvider->getRemaining($currentUser->getId()) < 3) {
+                        if ($scratchProvider->getRemaining($currentUser->getId()) < 3) {
                             $scratchProvider->setCredential($currentUser, 2, null);
                             $tokens = $scratchProvider->getTokens();
                             $this->assign('tokens', $tokens);
@@ -254,7 +254,7 @@ 
 
                     list($data, $reqs) = $otpCredentialProvider->getRegistrationData();
 
-                    $u2fRequest =json_encode($data);
+                    $u2fRequest = json_encode($data);
                     $u2fSigns = json_encode($reqs);
 
                     $this->addJs('/vendor/yubico/u2flib-server/examples/assets/u2f-api.js');
@@ -303,7 +303,7 @@ 
                     SessionAlert::success('Enabled TOTP.');
 
                     $scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
-                    if($scratchProvider->getRemaining($currentUser->getId()) < 3) {
+                    if ($scratchProvider->getRemaining($currentUser->getId()) < 3) {
                         $scratchProvider->setCredential($currentUser, 2, null);
                         $tokens = $scratchProvider->getTokens();
                         $this->assign('tokens', $tokens);
@@ -407,11 +407,11 @@ 
 
             if ($result) {
                 $otpCredentialProvider->deleteCredential($currentUser);
-                SessionAlert::success('Disabled ' . $factorType . '.');
+                SessionAlert::success('Disabled '.$factorType.'.');
                 $this->redirect('multiFactor');
             }
             else {
-                SessionAlert::error('Error disabling ' . $factorType . ' - invalid credentials.');
+                SessionAlert::error('Error disabling '.$factorType.' - invalid credentials.');
                 $this->redirect('multiFactor');
             }
         }

includes/Pages/UserAuth/PageOAuthCallback.php

Indentation +75 added lines, -75 removed lines

@@ -17,90 +17,90 @@
 
 class PageOAuthCallback extends InternalPageBase
 {
-    /**
-     * @return bool
-     */
-    protected function isProtectedPage()
-    {
-        // This page is critical to ensuring OAuth functionality is operational.
-        return false;
-    }
+	/**
+	 * @return bool
+	 */
+	protected function isProtectedPage()
+	{
+		// This page is critical to ensuring OAuth functionality is operational.
+		return false;
+	}
 
-    /**
-     * Main function for this page, when no specific actions are called.
-     * @return void
-     */
-    protected function main()
-    {
-        // This should never get hit except by URL manipulation.
-        $this->redirect('');
-    }
+	/**
+	 * Main function for this page, when no specific actions are called.
+	 * @return void
+	 */
+	protected function main()
+	{
+		// This should never get hit except by URL manipulation.
+		$this->redirect('');
+	}
 
-    /**
-     * Registered endpoint for the account creation callback.
-     *
-     * If this ever gets hit, something is wrong somewhere.
-     */
-    protected function create()
-    {
-        throw new Exception('OAuth account creation endpoint triggered.');
-    }
+	/**
+	 * Registered endpoint for the account creation callback.
+	 *
+	 * If this ever gets hit, something is wrong somewhere.
+	 */
+	protected function create()
+	{
+		throw new Exception('OAuth account creation endpoint triggered.');
+	}
 
-    /**
-     * Callback entry point
-     */
-    protected function authorise()
-    {
-        $oauthToken = WebRequest::getString('oauth_token');
-        $oauthVerifier = WebRequest::getString('oauth_verifier');
+	/**
+	 * Callback entry point
+	 */
+	protected function authorise()
+	{
+		$oauthToken = WebRequest::getString('oauth_token');
+		$oauthVerifier = WebRequest::getString('oauth_verifier');
 
-        $this->doCallbackValidation($oauthToken, $oauthVerifier);
+		$this->doCallbackValidation($oauthToken, $oauthVerifier);
 
-        $database = $this->getDatabase();
+		$database = $this->getDatabase();
 
-        $user = OAuthUserHelper::findUserByRequestToken($oauthToken, $database);
-        $oauth = new OAuthUserHelper($user, $database, $this->getOAuthProtocolHelper(), $this->getSiteConfiguration());
+		$user = OAuthUserHelper::findUserByRequestToken($oauthToken, $database);
+		$oauth = new OAuthUserHelper($user, $database, $this->getOAuthProtocolHelper(), $this->getSiteConfiguration());
 
-        try {
-            $oauth->completeHandshake($oauthVerifier);
-        }
-        catch (CurlException $ex) {
-            throw new ApplicationLogicException($ex->getMessage(), 0, $ex);
-        }
+		try {
+			$oauth->completeHandshake($oauthVerifier);
+		}
+		catch (CurlException $ex) {
+			throw new ApplicationLogicException($ex->getMessage(), 0, $ex);
+		}
 
-        // OK, we're the same session that just did a partial login that was redirected to OAuth. Let's upgrade the
-        // login to a full login
-        if (WebRequest::getOAuthPartialLogin() === $user->getId()) {
-            WebRequest::setLoggedInUser($user);
-        }
+		// OK, we're the same session that just did a partial login that was redirected to OAuth. Let's upgrade the
+		// login to a full login
+		if (WebRequest::getOAuthPartialLogin() === $user->getId()) {
+			WebRequest::setLoggedInUser($user);
+		}
 
-        // My thinking is there are three cases here:
-        //   a) new user => redirect to prefs - it's the only thing they can access other than stats
-        //   b) existing user hit the connect button in prefs => redirect to prefs since it's where they were
-        //   c) existing user logging in => redirect to wherever they came from
-        $redirectDestination = WebRequest::clearPostLoginRedirect();
-        if ($redirectDestination !== null && !$user->isNewUser()) {
-            $this->redirectUrl($redirectDestination);
-        }
-        else {
-            $this->redirect('preferences', null, null, 'internal.php');
-        }
-    }
+		// My thinking is there are three cases here:
+		//   a) new user => redirect to prefs - it's the only thing they can access other than stats
+		//   b) existing user hit the connect button in prefs => redirect to prefs since it's where they were
+		//   c) existing user logging in => redirect to wherever they came from
+		$redirectDestination = WebRequest::clearPostLoginRedirect();
+		if ($redirectDestination !== null && !$user->isNewUser()) {
+			$this->redirectUrl($redirectDestination);
+		}
+		else {
+			$this->redirect('preferences', null, null, 'internal.php');
+		}
+	}
 
-    /**
-     * @param string $oauthToken
-     * @param string $oauthVerifier
-     *
-     * @throws ApplicationLogicException
-     */
-    private function doCallbackValidation($oauthToken, $oauthVerifier)
-    {
-        if ($oauthToken === null) {
-            throw new ApplicationLogicException('No token provided');
-        }
+	/**
+	 * @param string $oauthToken
+	 * @param string $oauthVerifier
+	 *
+	 * @throws ApplicationLogicException
+	 */
+	private function doCallbackValidation($oauthToken, $oauthVerifier)
+	{
+		if ($oauthToken === null) {
+			throw new ApplicationLogicException('No token provided');
+		}
 
-        if ($oauthVerifier === null) {
-            throw new ApplicationLogicException('No oauth verifier provided.');
-        }
-    }
+		if ($oauthVerifier === null) {
+			throw new ApplicationLogicException('No oauth verifier provided.');
+		}
+	}
 }
\ No newline at end of file

includes/Pages/UserAuth/Login/LoginCredentialPageBase.php

Indentation +311 added lines, -311 removed lines

@@ -21,315 +21,315 @@
 
 abstract class LoginCredentialPageBase extends InternalPageBase
 {
-    /** @var User */
-    protected $partialUser = null;
-    protected $nextPageMap = array(
-        'yubikeyotp' => 'otp',
-        'totp'       => 'otp',
-        'scratch'    => 'otp',
-        'u2f'        => 'u2f',
-    );
-    protected $names = array(
-        'yubikeyotp' => 'Yubikey OTP',
-        'totp'       => 'TOTP (phone code generator)',
-        'scratch'    => 'scratch token',
-        'u2f'        => 'U2F security token',
-    );
-
-    /**
-     * Main function for this page, when no specific actions are called.
-     * @return void
-     */
-    protected function main()
-    {
-        if (!$this->enforceHttps()) {
-            return;
-        }
-
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-
-            $database = $this->getDatabase();
-            try {
-                list($partialId, $partialStage) = WebRequest::getAuthPartialLogin();
-
-                if ($partialStage === null) {
-                    $partialStage = 1;
-                }
-
-                if ($partialId === null) {
-                    $username = WebRequest::postString('username');
-
-                    if ($username === null || trim($username) === '') {
-                        throw new ApplicationLogicException('No username specified.');
-                    }
-
-                    $user = User::getByUsername($username, $database);
-                }
-                else {
-                    $user = User::getById($partialId, $database);
-                }
-
-                if ($user === false) {
-                    throw new ApplicationLogicException("Authentication failed");
-                }
-
-                $authMan = new AuthenticationManager($database, $this->getSiteConfiguration(),
-                    $this->getHttpHelper());
-
-                $credential = $this->getProviderCredentials();
-
-                $authResult = $authMan->authenticate($user, $credential, $partialStage);
-
-                if ($authResult === AuthenticationManager::AUTH_FAIL) {
-                    throw new ApplicationLogicException("Authentication failed");
-                }
-
-                if ($authResult === AuthenticationManager::AUTH_REQUIRE_NEXT_STAGE) {
-                    $this->processJumpNextStage($user, $partialStage, $database);
-
-                    return;
-                }
-
-                if ($authResult === AuthenticationManager::AUTH_OK) {
-                    $this->processLoginSuccess($user);
-
-                    return;
-                }
-            }
-            catch (ApplicationLogicException $ex) {
-                WebRequest::clearAuthPartialLogin();
-
-                SessionAlert::error($ex->getMessage());
-                $this->redirect('login');
-
-                return;
-            }
-        }
-        else {
-            $this->assign('showSignIn', true);
-
-            $this->setupPartial();
-            $this->assignCSRFToken();
-            $this->providerSpecificSetup();
-        }
-    }
-
-    protected function isProtectedPage()
-    {
-        return false;
-    }
-
-    /**
-     * Enforces HTTPS on the login form
-     *
-     * @return bool
-     */
-    private function enforceHttps()
-    {
-        if ($this->getSiteConfiguration()->getUseStrictTransportSecurity() !== false) {
-            if (WebRequest::isHttps()) {
-                // Client can clearly use HTTPS, so let's enforce it for all connections.
-                $this->headerQueue[] = "Strict-Transport-Security: max-age=15768000";
-            }
-            else {
-                // This is the login form, not the request form. We need protection here.
-                $this->redirectUrl('https://' . WebRequest::serverName() . WebRequest::requestUri());
-
-                return false;
-            }
-        }
-
-        return true;
-    }
-
-    protected abstract function providerSpecificSetup();
-
-    protected function setupPartial()
-    {
-        $database = $this->getDatabase();
-
-        // default stuff
-        $this->assign('alternatives', array()); // 'u2f' => array('U2F token'), 'otp' => array('TOTP', 'scratch', 'yubiotp')));
-
-        // is this stage one?
-        list($partialId, $partialStage) = WebRequest::getAuthPartialLogin();
-        if ($partialStage === null || $partialId === null) {
-            WebRequest::clearAuthPartialLogin();
-        }
-
-        // Check to see if we have a partial login in progress
-        $username = null;
-        if ($partialId !== null) {
-            // Yes, enforce this username
-            $this->partialUser = User::getById($partialId, $database);
-            $username = $this->partialUser->getUsername();
-
-            $this->setupAlternates($this->partialUser, $partialStage, $database);
-        }
-        else {
-            // No, see if we've preloaded a username
-            $preloadUsername = WebRequest::getString('tplUsername');
-            if ($preloadUsername !== null) {
-                $username = $preloadUsername;
-            }
-        }
-
-        if ($partialStage === null) {
-            $partialStage = 1;
-        }
-
-        $this->assign('partialStage', $partialStage);
-        $this->assign('username', $username);
-    }
-
-    /**
-     * Redirect the user back to wherever they came from after a successful login
-     *
-     * @param User $user
-     */
-    protected function goBackWhenceYouCame(User $user)
-    {
-        // Redirect to wherever the user came from
-        $redirectDestination = WebRequest::clearPostLoginRedirect();
-        if ($redirectDestination !== null) {
-            $this->redirectUrl($redirectDestination);
-        }
-        else {
-            if ($user->isNewUser()) {
-                // home page isn't allowed, go to preferences instead
-                $this->redirect('preferences');
-            }
-            else {
-                // go to the home page
-                $this->redirect('');
-            }
-        }
-    }
-
-    private function processLoginSuccess(User $user)
-    {
-        // Touch force logout
-        $user->setForceLogout(false);
-        $user->save();
-
-        $oauth = new OAuthUserHelper($user, $this->getDatabase(), $this->getOAuthProtocolHelper(),
-            $this->getSiteConfiguration());
-
-        if ($oauth->isFullyLinked()) {
-            try {
-                // Reload the user's identity ticket.
-                $oauth->refreshIdentity();
-
-                // Check for blocks
-                if ($oauth->getIdentity()->getBlocked()) {
-                    // blocked!
-                    SessionAlert::error("You are currently blocked on-wiki. You will not be able to log in until you are unblocked.");
-                    $this->redirect('login');
-
-                    return;
-                }
-            }
-            catch (OAuthException $ex) {
-                // Oops. Refreshing ticket failed. Force a re-auth.
-                $authoriseUrl = $oauth->getRequestToken();
-                WebRequest::setOAuthPartialLogin($user);
-                $this->redirectUrl($authoriseUrl);
-
-                return;
-            }
-        }
-
-        if (($this->getSiteConfiguration()->getEnforceOAuth() && !$oauth->isFullyLinked())
-            || $oauth->isPartiallyLinked()
-        ) {
-            $authoriseUrl = $oauth->getRequestToken();
-            WebRequest::setOAuthPartialLogin($user);
-            $this->redirectUrl($authoriseUrl);
-
-            return;
-        }
-
-        WebRequest::setLoggedInUser($user);
-
-        $this->goBackWhenceYouCame($user);
-    }
-
-    protected abstract function getProviderCredentials();
-
-    /**
-     * @param User        $user
-     * @param int         $partialStage
-     * @param PdoDatabase $database
-     *
-     * @throws ApplicationLogicException
-     */
-    private function processJumpNextStage(User $user, $partialStage, PdoDatabase $database)
-    {
-        WebRequest::setAuthPartialLogin($user->getId(), $partialStage + 1);
-
-        $sql = 'SELECT type FROM credential WHERE user = :user AND factor = :stage AND disabled = 0 ORDER BY priority';
-        $statement = $database->prepare($sql);
-        $statement->execute(array(':user' => $user->getId(), ':stage' => $partialStage + 1));
-        $nextStage = $statement->fetchColumn();
-        $statement->closeCursor();
-
-        if (!isset($this->nextPageMap[$nextStage])) {
-            throw new ApplicationLogicException('Unknown page handler for next authentication stage.');
-        }
-
-        $this->redirect("login/" . $this->nextPageMap[$nextStage]);
-    }
-
-    private function setupAlternates(User $user, $partialStage, PdoDatabase $database)
-    {
-        // get the providers available
-        $sql = 'SELECT type FROM credential WHERE user = :user AND factor = :stage AND disabled = 0';
-        $statement = $database->prepare($sql);
-        $statement->execute(array(':user' => $user->getId(), ':stage' => $partialStage));
-        $alternates = $statement->fetchAll(PDO::FETCH_COLUMN);
-
-        $types = array();
-        foreach ($alternates as $item) {
-            $type = $this->nextPageMap[$item];
-            if (!isset($types[$type])) {
-                $types[$type] = array();
-            }
-
-            $types[$type][] = $item;
-        }
-
-        $userOptions = array();
-        if (get_called_class() === PageOtpLogin::class) {
-            $userOptions = $this->setupUserOptionsForType($types, 'u2f', $userOptions);
-        }
-
-        if (get_called_class() === PageU2FLogin::class) {
-            $userOptions = $this->setupUserOptionsForType($types, 'otp', $userOptions);
-        }
-
-        $this->assign('alternatives', $userOptions);
-    }
-
-    /**
-     * @param $types
-     * @param $type
-     * @param $userOptions
-     *
-     * @return mixed
-     */
-    private function setupUserOptionsForType($types, $type, $userOptions)
-    {
-        if (isset($types[$type])) {
-            $options = $types[$type];
-
-            array_walk($options, function(&$val) {
-                $val = $this->names[$val];
-            });
-
-            $userOptions[$type] = $options;
-        }
-
-        return $userOptions;
-    }
+	/** @var User */
+	protected $partialUser = null;
+	protected $nextPageMap = array(
+		'yubikeyotp' => 'otp',
+		'totp'       => 'otp',
+		'scratch'    => 'otp',
+		'u2f'        => 'u2f',
+	);
+	protected $names = array(
+		'yubikeyotp' => 'Yubikey OTP',
+		'totp'       => 'TOTP (phone code generator)',
+		'scratch'    => 'scratch token',
+		'u2f'        => 'U2F security token',
+	);
+
+	/**
+	 * Main function for this page, when no specific actions are called.
+	 * @return void
+	 */
+	protected function main()
+	{
+		if (!$this->enforceHttps()) {
+			return;
+		}
+
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
+
+			$database = $this->getDatabase();
+			try {
+				list($partialId, $partialStage) = WebRequest::getAuthPartialLogin();
+
+				if ($partialStage === null) {
+					$partialStage = 1;
+				}
+
+				if ($partialId === null) {
+					$username = WebRequest::postString('username');
+
+					if ($username === null || trim($username) === '') {
+						throw new ApplicationLogicException('No username specified.');
+					}
+
+					$user = User::getByUsername($username, $database);
+				}
+				else {
+					$user = User::getById($partialId, $database);
+				}
+
+				if ($user === false) {
+					throw new ApplicationLogicException("Authentication failed");
+				}
+
+				$authMan = new AuthenticationManager($database, $this->getSiteConfiguration(),
+					$this->getHttpHelper());
+
+				$credential = $this->getProviderCredentials();
+
+				$authResult = $authMan->authenticate($user, $credential, $partialStage);
+
+				if ($authResult === AuthenticationManager::AUTH_FAIL) {
+					throw new ApplicationLogicException("Authentication failed");
+				}
+
+				if ($authResult === AuthenticationManager::AUTH_REQUIRE_NEXT_STAGE) {
+					$this->processJumpNextStage($user, $partialStage, $database);
+
+					return;
+				}
+
+				if ($authResult === AuthenticationManager::AUTH_OK) {
+					$this->processLoginSuccess($user);
+
+					return;
+				}
+			}
+			catch (ApplicationLogicException $ex) {
+				WebRequest::clearAuthPartialLogin();
+
+				SessionAlert::error($ex->getMessage());
+				$this->redirect('login');
+
+				return;
+			}
+		}
+		else {
+			$this->assign('showSignIn', true);
+
+			$this->setupPartial();
+			$this->assignCSRFToken();
+			$this->providerSpecificSetup();
+		}
+	}
+
+	protected function isProtectedPage()
+	{
+		return false;
+	}
+
+	/**
+	 * Enforces HTTPS on the login form
+	 *
+	 * @return bool
+	 */
+	private function enforceHttps()
+	{
+		if ($this->getSiteConfiguration()->getUseStrictTransportSecurity() !== false) {
+			if (WebRequest::isHttps()) {
+				// Client can clearly use HTTPS, so let's enforce it for all connections.
+				$this->headerQueue[] = "Strict-Transport-Security: max-age=15768000";
+			}
+			else {
+				// This is the login form, not the request form. We need protection here.
+				$this->redirectUrl('https://' . WebRequest::serverName() . WebRequest::requestUri());
+
+				return false;
+			}
+		}
+
+		return true;
+	}
+
+	protected abstract function providerSpecificSetup();
+
+	protected function setupPartial()
+	{
+		$database = $this->getDatabase();
+
+		// default stuff
+		$this->assign('alternatives', array()); // 'u2f' => array('U2F token'), 'otp' => array('TOTP', 'scratch', 'yubiotp')));
+
+		// is this stage one?
+		list($partialId, $partialStage) = WebRequest::getAuthPartialLogin();
+		if ($partialStage === null || $partialId === null) {
+			WebRequest::clearAuthPartialLogin();
+		}
+
+		// Check to see if we have a partial login in progress
+		$username = null;
+		if ($partialId !== null) {
+			// Yes, enforce this username
+			$this->partialUser = User::getById($partialId, $database);
+			$username = $this->partialUser->getUsername();
+
+			$this->setupAlternates($this->partialUser, $partialStage, $database);
+		}
+		else {
+			// No, see if we've preloaded a username
+			$preloadUsername = WebRequest::getString('tplUsername');
+			if ($preloadUsername !== null) {
+				$username = $preloadUsername;
+			}
+		}
+
+		if ($partialStage === null) {
+			$partialStage = 1;
+		}
+
+		$this->assign('partialStage', $partialStage);
+		$this->assign('username', $username);
+	}
+
+	/**
+	 * Redirect the user back to wherever they came from after a successful login
+	 *
+	 * @param User $user
+	 */
+	protected function goBackWhenceYouCame(User $user)
+	{
+		// Redirect to wherever the user came from
+		$redirectDestination = WebRequest::clearPostLoginRedirect();
+		if ($redirectDestination !== null) {
+			$this->redirectUrl($redirectDestination);
+		}
+		else {
+			if ($user->isNewUser()) {
+				// home page isn't allowed, go to preferences instead
+				$this->redirect('preferences');
+			}
+			else {
+				// go to the home page
+				$this->redirect('');
+			}
+		}
+	}
+
+	private function processLoginSuccess(User $user)
+	{
+		// Touch force logout
+		$user->setForceLogout(false);
+		$user->save();
+
+		$oauth = new OAuthUserHelper($user, $this->getDatabase(), $this->getOAuthProtocolHelper(),
+			$this->getSiteConfiguration());
+
+		if ($oauth->isFullyLinked()) {
+			try {
+				// Reload the user's identity ticket.
+				$oauth->refreshIdentity();
+
+				// Check for blocks
+				if ($oauth->getIdentity()->getBlocked()) {
+					// blocked!
+					SessionAlert::error("You are currently blocked on-wiki. You will not be able to log in until you are unblocked.");
+					$this->redirect('login');
+
+					return;
+				}
+			}
+			catch (OAuthException $ex) {
+				// Oops. Refreshing ticket failed. Force a re-auth.
+				$authoriseUrl = $oauth->getRequestToken();
+				WebRequest::setOAuthPartialLogin($user);
+				$this->redirectUrl($authoriseUrl);
+
+				return;
+			}
+		}
+
+		if (($this->getSiteConfiguration()->getEnforceOAuth() && !$oauth->isFullyLinked())
+			|| $oauth->isPartiallyLinked()
+		) {
+			$authoriseUrl = $oauth->getRequestToken();
+			WebRequest::setOAuthPartialLogin($user);
+			$this->redirectUrl($authoriseUrl);
+
+			return;
+		}
+
+		WebRequest::setLoggedInUser($user);
+
+		$this->goBackWhenceYouCame($user);
+	}
+
+	protected abstract function getProviderCredentials();
+
+	/**
+	 * @param User        $user
+	 * @param int         $partialStage
+	 * @param PdoDatabase $database
+	 *
+	 * @throws ApplicationLogicException
+	 */
+	private function processJumpNextStage(User $user, $partialStage, PdoDatabase $database)
+	{
+		WebRequest::setAuthPartialLogin($user->getId(), $partialStage + 1);
+
+		$sql = 'SELECT type FROM credential WHERE user = :user AND factor = :stage AND disabled = 0 ORDER BY priority';
+		$statement = $database->prepare($sql);
+		$statement->execute(array(':user' => $user->getId(), ':stage' => $partialStage + 1));
+		$nextStage = $statement->fetchColumn();
+		$statement->closeCursor();
+
+		if (!isset($this->nextPageMap[$nextStage])) {
+			throw new ApplicationLogicException('Unknown page handler for next authentication stage.');
+		}
+
+		$this->redirect("login/" . $this->nextPageMap[$nextStage]);
+	}
+
+	private function setupAlternates(User $user, $partialStage, PdoDatabase $database)
+	{
+		// get the providers available
+		$sql = 'SELECT type FROM credential WHERE user = :user AND factor = :stage AND disabled = 0';
+		$statement = $database->prepare($sql);
+		$statement->execute(array(':user' => $user->getId(), ':stage' => $partialStage));
+		$alternates = $statement->fetchAll(PDO::FETCH_COLUMN);
+
+		$types = array();
+		foreach ($alternates as $item) {
+			$type = $this->nextPageMap[$item];
+			if (!isset($types[$type])) {
+				$types[$type] = array();
+			}
+
+			$types[$type][] = $item;
+		}
+
+		$userOptions = array();
+		if (get_called_class() === PageOtpLogin::class) {
+			$userOptions = $this->setupUserOptionsForType($types, 'u2f', $userOptions);
+		}
+
+		if (get_called_class() === PageU2FLogin::class) {
+			$userOptions = $this->setupUserOptionsForType($types, 'otp', $userOptions);
+		}
+
+		$this->assign('alternatives', $userOptions);
+	}
+
+	/**
+	 * @param $types
+	 * @param $type
+	 * @param $userOptions
+	 *
+	 * @return mixed
+	 */
+	private function setupUserOptionsForType($types, $type, $userOptions)
+	{
+		if (isset($types[$type])) {
+			$options = $types[$type];
+
+			array_walk($options, function(&$val) {
+				$val = $this->names[$val];
+			});
+
+			$userOptions[$type] = $options;
+		}
+
+		return $userOptions;
+	}
 }

Spacing +2 added lines, -2 removed lines

@@ -134,7 +134,7 @@ 
             }
             else {
                 // This is the login form, not the request form. We need protection here.
-                $this->redirectUrl('https://' . WebRequest::serverName() . WebRequest::requestUri());
+                $this->redirectUrl('https://'.WebRequest::serverName().WebRequest::requestUri());
 
                 return false;
             }
@@ -278,7 +278,7 @@ 
             throw new ApplicationLogicException('Unknown page handler for next authentication stage.');
         }
 
-        $this->redirect("login/" . $this->nextPageMap[$nextStage]);
+        $this->redirect("login/".$this->nextPageMap[$nextStage]);
     }
 
     private function setupAlternates(User $user, $partialStage, PdoDatabase $database)

includes/Pages/UserAuth/Login/PagePasswordLogin.php

Indentation +27 added lines, -27 removed lines

@@ -13,31 +13,31 @@
 
 class PagePasswordLogin extends LoginCredentialPageBase
 {
-    protected function providerSpecificSetup()
-    {
-        list($partialId, $partialStage) = WebRequest::getAuthPartialLogin();
-
-        if($partialId !== null && $partialStage > 1) {
-            $sql = 'SELECT type FROM credential WHERE user = :user AND factor = :stage AND disabled = 0 ORDER BY priority';
-            $statement = $this->getDatabase()->prepare($sql);
-            $statement->execute(array(':user' => $partialId, ':stage' => $partialStage));
-            $nextStage = $statement->fetchColumn();
-            $statement->closeCursor();
-
-            $this->redirect("login/" . $this->nextPageMap[$nextStage]);
-            return;
-        }
-
-        $this->setTemplate('login/password.tpl');
-    }
-
-    protected function getProviderCredentials()
-    {
-        $password = WebRequest::postString("password");
-        if ($password === null || $password === "") {
-            throw new ApplicationLogicException("No password specified");
-        }
-
-        return $password;
-    }
+	protected function providerSpecificSetup()
+	{
+		list($partialId, $partialStage) = WebRequest::getAuthPartialLogin();
+
+		if($partialId !== null && $partialStage > 1) {
+			$sql = 'SELECT type FROM credential WHERE user = :user AND factor = :stage AND disabled = 0 ORDER BY priority';
+			$statement = $this->getDatabase()->prepare($sql);
+			$statement->execute(array(':user' => $partialId, ':stage' => $partialStage));
+			$nextStage = $statement->fetchColumn();
+			$statement->closeCursor();
+
+			$this->redirect("login/" . $this->nextPageMap[$nextStage]);
+			return;
+		}
+
+		$this->setTemplate('login/password.tpl');
+	}
+
+	protected function getProviderCredentials()
+	{
+		$password = WebRequest::postString("password");
+		if ($password === null || $password === "") {
+			throw new ApplicationLogicException("No password specified");
+		}
+
+		return $password;
+	}
 }
\ No newline at end of file

Spacing +2 added lines, -2 removed lines

@@ -17,14 +17,14 @@
     {
         list($partialId, $partialStage) = WebRequest::getAuthPartialLogin();
 
-        if($partialId !== null && $partialStage > 1) {
+        if ($partialId !== null && $partialStage > 1) {
             $sql = 'SELECT type FROM credential WHERE user = :user AND factor = :stage AND disabled = 0 ORDER BY priority';
             $statement = $this->getDatabase()->prepare($sql);
             $statement->execute(array(':user' => $partialId, ':stage' => $partialStage));
             $nextStage = $statement->fetchColumn();
             $statement->closeCursor();
 
-            $this->redirect("login/" . $this->nextPageMap[$nextStage]);
+            $this->redirect("login/".$this->nextPageMap[$nextStage]);
             return;
         }
 

includes/Pages/UserAuth/Login/PageU2FLogin.php

Indentation +22 added lines, -22 removed lines

@@ -14,20 +14,20 @@ 
 
 class PageU2FLogin extends LoginCredentialPageBase
 {
-    protected function providerSpecificSetup()
-    {
-        $this->assign('showSignIn', false);
-        $this->setTemplate('login/u2f.tpl');
+	protected function providerSpecificSetup()
+	{
+		$this->assign('showSignIn', false);
+		$this->setTemplate('login/u2f.tpl');
 
-        if ($this->partialUser === null) {
-            throw new ApplicationLogicException("U2F cannot be first-stage authentication");
-        }
+		if ($this->partialUser === null) {
+			throw new ApplicationLogicException("U2F cannot be first-stage authentication");
+		}
 
-        $u2f = new U2FCredentialProvider($this->getDatabase(), $this->getSiteConfiguration());
-        $authData = json_encode($u2f->getAuthenticationData($this->partialUser));
+		$u2f = new U2FCredentialProvider($this->getDatabase(), $this->getSiteConfiguration());
+		$authData = json_encode($u2f->getAuthenticationData($this->partialUser));
 
-        $this->addJs('/vendor/yubico/u2flib-server/examples/assets/u2f-api.js');
-        $this->setTailScript(<<<JS
+		$this->addJs('/vendor/yubico/u2flib-server/examples/assets/u2f-api.js');
+		$this->setTailScript(<<<JS
 var request = ${authData};
 console.log("starting sign");
 u2f.sign(request, function(data) {
@@ -44,19 +44,19 @@ 
                 form.submit();
             });
 JS
-        );
+		);
 
-    }
+	}
 
-    protected function getProviderCredentials()
-    {
-        $authenticate = WebRequest::postString("authenticate");
-        $request = WebRequest::postString("request");
+	protected function getProviderCredentials()
+	{
+		$authenticate = WebRequest::postString("authenticate");
+		$request = WebRequest::postString("request");
 
-        if ($authenticate === null || $authenticate === "" || $request === null || $request === "") {
-              throw new ApplicationLogicException("No authentication specified");
-        }
+		if ($authenticate === null || $authenticate === "" || $request === null || $request === "") {
+			  throw new ApplicationLogicException("No authentication specified");
+		}
 
-        return array(json_decode($authenticate), json_decode($request), 'u2f');
-    }
+		return array(json_decode($authenticate), json_decode($request), 'u2f');
+	}
 }
\ No newline at end of file

includes/Pages/UserAuth/Login/PageOtpLogin.php

Indentation +12 added lines, -12 removed lines

@@ -13,18 +13,18 @@
 
 class PageOtpLogin extends LoginCredentialPageBase
 {
-    protected function providerSpecificSetup()
-    {
-        $this->setTemplate('login/otp.tpl');
-    }
+	protected function providerSpecificSetup()
+	{
+		$this->setTemplate('login/otp.tpl');
+	}
 
-    protected function getProviderCredentials()
-    {
-        $otp = WebRequest::postString("otp");
-        if ($otp === null || $otp === "") {
-            throw new ApplicationLogicException("No one-time code specified");
-        }
+	protected function getProviderCredentials()
+	{
+		$otp = WebRequest::postString("otp");
+		if ($otp === null || $otp === "") {
+			throw new ApplicationLogicException("No one-time code specified");
+		}
 
-        return $otp;
-    }
+		return $otp;
+	}
 }
\ No newline at end of file