Issues (363)

src/Ballybran/Core/Http/DigestAuthentication.php (4 issues)

<?php

namespace Ballybran\Core\Http;

class DigestAuthentication
{
    private $username;
    private $password;
    private $realm = 'Restricted area';

    /**
     * @return string
     */
    public function getRealm(): string
    {
        return $this->realm;
    }

    /**
     * @param string $realm
     */
    public function setRealm(string $realm): void
    {
        $this->realm = $realm;
    }

    public function __construct()
    {
    }

    /**
     * @return mixed
     */
    public function getUsername()
    {
        return $this->username;
    }

    /**
     * @param mixed $username
     */
    public function setUsername($username): void
    {
        $this->username = $username;
    }

    /**
     * @return mixed
     */
    public function getPassword()
    {
        return $this->password;
    }

    /**
     * @param mixed $password
     */
    public function setPassword($password): void
    {
        $this->password = $password;
    }

    public function __invoke()
    {
        // user => password
        $users = array('zebedeu' => '1234' , 'guest' => 'guest');

        if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
            header('HTTP/1.1 401 Unauthorized');
            header('WWW-Authenticate: Digest realm="' . $this->getRealm() .
                '",qop="auth",nonce="' . uniqid() . '",opaque="' . md5($this->getRealm()) . '"');

            die('Text to send if user hits Cancel button');
        }

        $data = $this->checkUserPassword($users);
        // generate the valid response
        // RFC 2617, qop="auth": A1 = md5(username:realm:password)
        $A1 = md5($data['username'] . ':' . $this->getRealm() . ':' . $users[$data['username']]);
        $A2 = md5($_SERVER['REQUEST_METHOD'] . ':' . $data['uri']);
        $valid_response = md5($A1 . ':' . $data['nonce'] . ':' . $data['nc'] . ':' . $data['cnonce'] . ':' . $data['qop'] . ':' . $A2);

        // constant-time, strict comparison (a loose != compares two numeric-looking hex strings as numbers)
        if (!hash_equals($valid_response, $data['response'])) {
            die('Wrong Credentials!');

Using exit here is not recommended.

In general, usage of exit should be done with care and only when running in a scripting context like a CLI script.

        }
        echo 'You are logged in as: ' . $data['username'];
    }

    // function to parse the http auth header
    function http_digest_parse($txt)

It is generally recommended to explicitly declare the visibility for methods.

Adding explicit visibility (private, protected, or public) is generally recommended to communicate to other developers how, and from where this method is intended to be used.

    {
        // protect against missing data
        $needed_parts = array('nonce' => 1 , 'nc' => 1 , 'cnonce' => 1 , 'qop' => 1 , 'username' => 1 , 'uri' => 1 , 'response' => 1);
        $data = array();
        $keys = implode('|' , array_keys($needed_parts));

        preg_match_all('@(' . $keys . ')=(?:([\'"])([^\2]+?)\2|([^\s,]+))@' , $txt , $matches , PREG_SET_ORDER);

        foreach ($matches as $m) {
            $data[$m[1]] = $m[3] ? $m[3] : $m[4];
            unset($needed_parts[$m[1]]);
        }

        return !empty($needed_parts) ? false : $data;
    }

    /*
     * analyze the PHP_AUTH_DIGEST variable
     *
     */
    public function checkUserPassword($users){
        $data = $this->http_digest_parse($_SERVER['PHP_AUTH_DIGEST']);
        var_dump($data);

Security Debugging Code introduced by
var_dump($data) looks like debug code. Are you sure you do not want to remove it?

        if (!($data) || ! isset($users[$data['username']])) {
            die('Wrong Credentials!');

Using exit here is not recommended.

In general, usage of exit should be done with care and only when running in a scripting context like a CLI script.

        }
        return $data;
    }
}
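The issues above are about style (exit, visibility, leftover var_dump), but the file also shows the shape of the security-relevant work: parsing the Digest header, recomputing the expected response, and comparing it. The following is an added example, not Ballybran's code, of the same RFC 2617 qop="auth" check written so that it can be exercised without a web server: the parser is private to the class, the check returns a username or null instead of calling die(), the realm and qop the client echoes are verified, and the comparison uses hash_equals. The class and method names (DigestVerifier, parse, verify) and the user table, nonce, cnonce, nc and URI values are this example's own constructed data.

```php
<?php
declare(strict_types=1);

// Added example, not part of Ballybran: a side-effect-free Digest (RFC 2617, qop="auth")
// verifier. It returns the authenticated username or null and leaves the HTTP response
// to the caller, so nothing inside the check calls die().
final class DigestVerifier
{
    private const REQUIRED = ['username', 'realm', 'nonce', 'uri', 'qop', 'nc', 'cnonce', 'response'];

    /** @var string */
    private $realm;
    /** @var array<string,string> username => plaintext password (constructed sample data) */
    private $users;

    public function __construct(string $realm, array $users)
    {
        $this->realm = $realm;
        $this->users = $users;
    }

    /**
     * Parse the value of PHP_AUTH_DIGEST (the header without its "Digest " prefix)
     * into key => value pairs; returns null if any required field is missing or empty.
     */
    public static function parse(string $header): ?array
    {
        $data = [];
        // key="quoted value" or key=token
        preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', $header, $matches, PREG_SET_ORDER);
        foreach ($matches as $m) {
            $data[$m[1]] = $m[2] !== '' ? $m[2] : ($m[3] ?? '');
        }
        foreach (self::REQUIRED as $field) {
            if (!isset($data[$field]) || $data[$field] === '') {
                return null;
            }
        }
        return $data;
    }

    /** Returns the username on success, null on any failure (the client learns nothing about which check failed). */
    public function verify(string $header, string $method): ?string
    {
        $data = self::parse($header);
        if ($data === null || $data['qop'] !== 'auth' || $data['realm'] !== $this->realm) {
            return null;
        }
        $password = $this->users[$data['username']] ?? null;
        if ($password === null) {
            return null;
        }
        // RFC 2617, qop="auth":
        //   A1       = MD5(username:realm:password)
        //   A2       = MD5(method:digest-uri)
        //   response = MD5(A1:nonce:nc:cnonce:qop:A2)
        $a1 = md5($data['username'] . ':' . $this->realm . ':' . $password);
        $a2 = md5($method . ':' . $data['uri']);
        $expected = md5($a1 . ':' . $data['nonce'] . ':' . $data['nc'] . ':' . $data['cnonce'] . ':auth:' . $a2);
        // constant-time, strict comparison: a loose != would compare two hex strings that
        // happen to look numeric (e.g. "0e...") as numbers
        return hash_equals($expected, strtolower($data['response'])) ? $data['username'] : null;
    }
}

// Constructed self-check: build the header a client would send for these made-up values.
$verifier = new DigestVerifier('Restricted area', ['guest' => 'guest']);
$nonce = 'abc123';
$cnonce = '0a4f113b';
$nc = '00000001';
$uri = '/index.php';
$a1 = md5('guest:Restricted area:guest');
$a2 = md5('GET:' . $uri);
$clientResponse = md5("$a1:$nonce:$nc:$cnonce:auth:$a2");
$header = 'username="guest", realm="Restricted area", nonce="' . $nonce . '", uri="' . $uri
    . '", qop=auth, nc=' . $nc . ', cnonce="' . $cnonce . '", response="' . $clientResponse . '"';

if ($verifier->verify($header, 'GET') !== 'guest') {
    throw new RuntimeException('a correct response was rejected');
}
if ($verifier->verify($header, 'POST') !== null) {
    throw new RuntimeException('the method is part of A2 and must not be interchangeable');
}
if ($verifier->verify(str_replace($clientResponse, str_repeat('0', 32), $header), 'GET') !== null) {
    throw new RuntimeException('a wrong response was accepted');
}
echo "digest verification checks passed\n";
```

Run it with `php digest_verifier.php` (any file name; the name is not taken from the page). Like the original, this example does not track the nonces it issued: a production verifier would also confirm that `nonce` came from the server and is still fresh, since a captured Authorization header otherwise verifies again on replay. The A1 computation needs the plaintext password or a stored md5(username:realm:password), which is why Digest cannot be backed by the salted password hashes used for form login.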