mdaniels5757 / waca

includes/Security/CredentialProviders/U2FCredentialProvider.php

Indentation +127 added lines, -127 removed lines

@@ -20,131 +20,131 @@
 
 class U2FCredentialProvider extends CredentialProviderBase
 {
-    /** @var U2F */
-    private $u2f;
-
-    /**
-     * U2FCredentialProvider constructor.
-     *
-     * @param PdoDatabase       $database
-     * @param SiteConfiguration $configuration
-     */
-    public function __construct(PdoDatabase $database, SiteConfiguration $configuration)
-    {
-        parent::__construct($database, $configuration, 'u2f');
-
-        $appId = 'https://' . WebRequest::httpHost();
-        $this->u2f = new U2F($appId);
-    }
-
-    /**
-     * Validates a user-provided credential
-     *
-     * @param User   $user The user to test the authentication against
-     * @param string $data The raw credential data to be validated
-     *
-     * @return bool
-     * @throws OptimisticLockFailedException
-     */
-    public function authenticate(User $user, $data)
-    {
-        if (!is_array($data)) {
-            return false;
-        }
-
-        list($authenticate, $request, $isU2F) = $data;
-
-        if ($isU2F !== 'u2f') {
-            return false;
-        }
-
-        $storedData = $this->getCredentialData($user->getId(), false);
-        $registrations = json_decode($storedData->getData());
-
-        try {
-            $updatedRegistration = $this->u2f->doAuthenticate($request, array($registrations), $authenticate);
-            $storedData->setData(json_encode($updatedRegistration));
-            $storedData->save();
-        }
-        catch (Error $ex) {
-            return false;
-        }
-
-        return true;
-    }
-
-    public function enable(User $user, $request, $u2fData)
-    {
-        $registrationData = $this->u2f->doRegister($request, $u2fData);
-
-        $storedData = $this->getCredentialData($user->getId(), true);
-
-        if ($storedData === null) {
-            throw new ApplicationLogicException('Credential data not found');
-        }
-
-        if ($storedData->getTimeout() > new DateTimeImmutable()) {
-            $storedData->setData(json_encode($registrationData));
-            $storedData->setDisabled(0);
-            $storedData->setTimeout(null);
-            $storedData->save();
-        }
-    }
-
-    /**
-     * @param User   $user   The user the credential belongs to
-     * @param int    $factor The factor this credential provides
-     * @param string $data   Unused here, due to multi-stage enrollment
-     */
-    public function setCredential(User $user, $factor, $data)
-    {
-        $storedData = $this->getCredentialData($user->getId(), null);
-
-        if ($storedData !== null) {
-            $storedData->delete();
-        }
-
-        $storedData = $this->createNewCredential($user);
-
-        $storedData->setData(null);
-        $storedData->setFactor($factor);
-        $storedData->setTimeout(new DateTimeImmutable('+ 1 hour'));
-        $storedData->setDisabled(1);
-        $storedData->setPriority(4);
-        $storedData->setVersion(1);
-
-        $storedData->save();
-    }
-
-    public function isPartiallyEnrolled(User $user)
-    {
-        $storedData = $this->getCredentialData($user->getId(), true);
-
-        if ($storedData->getTimeout() < new DateTimeImmutable()) {
-            $storedData->delete();
-
-            return false;
-        }
-
-        if ($storedData === null) {
-            return false;
-        }
-
-        return true;
-    }
-
-    public function getRegistrationData()
-    {
-        return $this->u2f->getRegisterData();
-    }
-
-    public function getAuthenticationData(User $user)
-    {
-        $storedData = $this->getCredentialData($user->getId(), false);
-        $registrations = json_decode($storedData->getData());
-
-        $authenticateData = $this->u2f->getAuthenticateData(array($registrations));
-
-        return $authenticateData;
-    }
+	/** @var U2F */
+	private $u2f;
+
+	/**
+	 * U2FCredentialProvider constructor.
+	 *
+	 * @param PdoDatabase       $database
+	 * @param SiteConfiguration $configuration
+	 */
+	public function __construct(PdoDatabase $database, SiteConfiguration $configuration)
+	{
+		parent::__construct($database, $configuration, 'u2f');
+
+		$appId = 'https://' . WebRequest::httpHost();
+		$this->u2f = new U2F($appId);
+	}
+
+	/**
+	 * Validates a user-provided credential
+	 *
+	 * @param User   $user The user to test the authentication against
+	 * @param string $data The raw credential data to be validated
+	 *
+	 * @return bool
+	 * @throws OptimisticLockFailedException
+	 */
+	public function authenticate(User $user, $data)
+	{
+		if (!is_array($data)) {
+			return false;
+		}
+
+		list($authenticate, $request, $isU2F) = $data;
+
+		if ($isU2F !== 'u2f') {
+			return false;
+		}
+
+		$storedData = $this->getCredentialData($user->getId(), false);
+		$registrations = json_decode($storedData->getData());
+
+		try {
+			$updatedRegistration = $this->u2f->doAuthenticate($request, array($registrations), $authenticate);
+			$storedData->setData(json_encode($updatedRegistration));
+			$storedData->save();
+		}
+		catch (Error $ex) {
+			return false;
+		}
+
+		return true;
+	}
+
+	public function enable(User $user, $request, $u2fData)
+	{
+		$registrationData = $this->u2f->doRegister($request, $u2fData);
+
+		$storedData = $this->getCredentialData($user->getId(), true);
+
+		if ($storedData === null) {
+			throw new ApplicationLogicException('Credential data not found');
+		}
+
+		if ($storedData->getTimeout() > new DateTimeImmutable()) {
+			$storedData->setData(json_encode($registrationData));
+			$storedData->setDisabled(0);
+			$storedData->setTimeout(null);
+			$storedData->save();
+		}
+	}
+
+	/**
+	 * @param User   $user   The user the credential belongs to
+	 * @param int    $factor The factor this credential provides
+	 * @param string $data   Unused here, due to multi-stage enrollment
+	 */
+	public function setCredential(User $user, $factor, $data)
+	{
+		$storedData = $this->getCredentialData($user->getId(), null);
+
+		if ($storedData !== null) {
+			$storedData->delete();
+		}
+
+		$storedData = $this->createNewCredential($user);
+
+		$storedData->setData(null);
+		$storedData->setFactor($factor);
+		$storedData->setTimeout(new DateTimeImmutable('+ 1 hour'));
+		$storedData->setDisabled(1);
+		$storedData->setPriority(4);
+		$storedData->setVersion(1);
+
+		$storedData->save();
+	}
+
+	public function isPartiallyEnrolled(User $user)
+	{
+		$storedData = $this->getCredentialData($user->getId(), true);
+
+		if ($storedData->getTimeout() < new DateTimeImmutable()) {
+			$storedData->delete();
+
+			return false;
+		}
+
+		if ($storedData === null) {
+			return false;
+		}
+
+		return true;
+	}
+
+	public function getRegistrationData()
+	{
+		return $this->u2f->getRegisterData();
+	}
+
+	public function getAuthenticationData(User $user)
+	{
+		$storedData = $this->getCredentialData($user->getId(), false);
+		$registrations = json_decode($storedData->getData());
+
+		$authenticateData = $this->u2f->getAuthenticateData(array($registrations));
+
+		return $authenticateData;
+	}
 }

includes/Security/CredentialProviders/CredentialProviderBase.php

Indentation +133 added lines, -133 removed lines

@@ -15,137 +15,137 @@
 
 abstract class CredentialProviderBase implements ICredentialProvider
 {
-    /**
-     * @var PdoDatabase
-     */
-    private $database;
-    /**
-     * @var SiteConfiguration
-     */
-    private $configuration;
-    /** @var string */
-    private $type;
-
-    /**
-     * CredentialProviderBase constructor.
-     *
-     * @param PdoDatabase       $database
-     * @param SiteConfiguration $configuration
-     * @param string            $type
-     */
-    public function __construct(PdoDatabase $database, SiteConfiguration $configuration, $type)
-    {
-        $this->database = $database;
-        $this->configuration = $configuration;
-        $this->type = $type;
-    }
-
-    /**
-     * @param int  $userId
-     *
-     * @param bool $disabled
-     *
-     * @return Credential
-     */
-    protected function getCredentialData($userId, $disabled = false)
-    {
-        $sql = 'SELECT * FROM credential WHERE type = :t AND user = :u';
-        $parameters = array(
-            ':u' => $userId,
-            ':t' => $this->type
-        );
-
-        if($disabled !== null) {
-            $sql .= ' AND disabled = :d';
-            $parameters[':d'] = $disabled ? 1 : 0;
-        }
-
-        $statement = $this->database->prepare($sql);
-        $statement->execute($parameters);
-
-        /** @var Credential $obj */
-        $obj = $statement->fetchObject(Credential::class);
-
-        if ($obj === false) {
-            return null;
-        }
-
-        $obj->setDatabase($this->database);
-
-        $statement->closeCursor();
-
-        return $obj;
-    }
-
-    /**
-     * @return PdoDatabase
-     */
-    public function getDatabase()
-    {
-        return $this->database;
-    }
-
-    /**
-     * @return SiteConfiguration
-     */
-    public function getConfiguration()
-    {
-        return $this->configuration;
-    }
-
-    public function deleteCredential(User $user) {
-        // get this factor
-        $statement = $this->database->prepare('SELECT * FROM credential WHERE user = :user AND type = :type');
-        $statement->execute(array(':user' => $user->getId(), ':type' => $this->type));
-        /** @var Credential $credential */
-        $credential = $statement->fetchObject(Credential::class);
-        $credential->setDatabase($this->database);
-        $statement->closeCursor();
-
-        $stage = $credential->getFactor();
-
-        $statement = $this->database->prepare('SELECT COUNT(*) FROM credential WHERE user = :user AND factor = :factor');
-        $statement->execute(array(':user' => $user->getId(), ':factor' => $stage));
-        $alternates = $statement->fetchColumn();
-        $statement->closeCursor();
-
-        if($alternates <= 1) {
-            // decrement the factor for every stage above this
-            $sql = 'UPDATE credential SET factor = factor - 1 WHERE user = :user AND factor > :factor';
-            $statement = $this->database->prepare($sql);
-            $statement->execute(array(':user' => $user->getId(), ':factor' => $stage));
-        }
-        else {
-            // There are other auth factors at this point. Don't renumber the factors just yet.
-        }
-
-        // delete this credential.
-        $credential->delete();
-    }
-
-    /**
-     * @param User $user
-     *
-     * @return Credential
-     */
-    protected function createNewCredential(User $user)
-    {
-        $credential = new Credential();
-        $credential->setDatabase($this->getDatabase());
-        $credential->setUserId($user->getId());
-        $credential->setType($this->type);
-
-        return $credential;
-    }
-
-    /**
-     * @param int $userId
-     *
-     * @return bool
-     */
-    public function userIsEnrolled($userId) {
-        $cred = $this->getCredentialData($userId);
-
-        return $cred !== null;
-    }
+	/**
+	 * @var PdoDatabase
+	 */
+	private $database;
+	/**
+	 * @var SiteConfiguration
+	 */
+	private $configuration;
+	/** @var string */
+	private $type;
+
+	/**
+	 * CredentialProviderBase constructor.
+	 *
+	 * @param PdoDatabase       $database
+	 * @param SiteConfiguration $configuration
+	 * @param string            $type
+	 */
+	public function __construct(PdoDatabase $database, SiteConfiguration $configuration, $type)
+	{
+		$this->database = $database;
+		$this->configuration = $configuration;
+		$this->type = $type;
+	}
+
+	/**
+	 * @param int  $userId
+	 *
+	 * @param bool $disabled
+	 *
+	 * @return Credential
+	 */
+	protected function getCredentialData($userId, $disabled = false)
+	{
+		$sql = 'SELECT * FROM credential WHERE type = :t AND user = :u';
+		$parameters = array(
+			':u' => $userId,
+			':t' => $this->type
+		);
+
+		if($disabled !== null) {
+			$sql .= ' AND disabled = :d';
+			$parameters[':d'] = $disabled ? 1 : 0;
+		}
+
+		$statement = $this->database->prepare($sql);
+		$statement->execute($parameters);
+
+		/** @var Credential $obj */
+		$obj = $statement->fetchObject(Credential::class);
+
+		if ($obj === false) {
+			return null;
+		}
+
+		$obj->setDatabase($this->database);
+
+		$statement->closeCursor();
+
+		return $obj;
+	}
+
+	/**
+	 * @return PdoDatabase
+	 */
+	public function getDatabase()
+	{
+		return $this->database;
+	}
+
+	/**
+	 * @return SiteConfiguration
+	 */
+	public function getConfiguration()
+	{
+		return $this->configuration;
+	}
+
+	public function deleteCredential(User $user) {
+		// get this factor
+		$statement = $this->database->prepare('SELECT * FROM credential WHERE user = :user AND type = :type');
+		$statement->execute(array(':user' => $user->getId(), ':type' => $this->type));
+		/** @var Credential $credential */
+		$credential = $statement->fetchObject(Credential::class);
+		$credential->setDatabase($this->database);
+		$statement->closeCursor();
+
+		$stage = $credential->getFactor();
+
+		$statement = $this->database->prepare('SELECT COUNT(*) FROM credential WHERE user = :user AND factor = :factor');
+		$statement->execute(array(':user' => $user->getId(), ':factor' => $stage));
+		$alternates = $statement->fetchColumn();
+		$statement->closeCursor();
+
+		if($alternates <= 1) {
+			// decrement the factor for every stage above this
+			$sql = 'UPDATE credential SET factor = factor - 1 WHERE user = :user AND factor > :factor';
+			$statement = $this->database->prepare($sql);
+			$statement->execute(array(':user' => $user->getId(), ':factor' => $stage));
+		}
+		else {
+			// There are other auth factors at this point. Don't renumber the factors just yet.
+		}
+
+		// delete this credential.
+		$credential->delete();
+	}
+
+	/**
+	 * @param User $user
+	 *
+	 * @return Credential
+	 */
+	protected function createNewCredential(User $user)
+	{
+		$credential = new Credential();
+		$credential->setDatabase($this->getDatabase());
+		$credential->setUserId($user->getId());
+		$credential->setType($this->type);
+
+		return $credential;
+	}
+
+	/**
+	 * @param int $userId
+	 *
+	 * @return bool
+	 */
+	public function userIsEnrolled($userId) {
+		$cred = $this->getCredentialData($userId);
+
+		return $cred !== null;
+	}
 }
\ No newline at end of file

Spacing +2 added lines, -2 removed lines

@@ -55,7 +55,7 @@ 
             ':t' => $this->type
         );
 
-        if($disabled !== null) {
+        if ($disabled !== null) {
             $sql .= ' AND disabled = :d';
             $parameters[':d'] = $disabled ? 1 : 0;
         }
@@ -109,7 +109,7 @@ 
         $alternates = $statement->fetchColumn();
         $statement->closeCursor();
 
-        if($alternates <= 1) {
+        if ($alternates <= 1) {
             // decrement the factor for every stage above this
             $sql = 'UPDATE credential SET factor = factor - 1 WHERE user = :user AND factor > :factor';
             $statement = $this->database->prepare($sql);

Braces +5 added lines, -4 removed lines

@@ -93,7 +93,8 @@ 
         return $this->configuration;
     }
 
-    public function deleteCredential(User $user) {
+    public function deleteCredential(User $user)
+    {
         // get this factor
         $statement = $this->database->prepare('SELECT * FROM credential WHERE user = :user AND type = :type');
         $statement->execute(array(':user' => $user->getId(), ':type' => $this->type));
@@ -114,8 +115,7 @@ 
             $sql = 'UPDATE credential SET factor = factor - 1 WHERE user = :user AND factor > :factor';
             $statement = $this->database->prepare($sql);
             $statement->execute(array(':user' => $user->getId(), ':factor' => $stage));
-        }
-        else {
+        } else {
             // There are other auth factors at this point. Don't renumber the factors just yet.
         }
 
@@ -143,7 +143,8 @@ 
      *
      * @return bool
      */
-    public function userIsEnrolled($userId) {
+    public function userIsEnrolled($userId)
+    {
         $cred = $this->getCredentialData($userId);
 
         return $cred !== null;

includes/Security/CredentialProviders/TotpCredentialProvider.php

Indentation +130 added lines, -130 removed lines

@@ -19,137 +19,137 @@
 
 class TotpCredentialProvider extends CredentialProviderBase
 {
-    /** @var EncryptionHelper */
-    private $encryptionHelper;
-
-    /**
-     * TotpCredentialProvider constructor.
-     *
-     * @param PdoDatabase       $database
-     * @param SiteConfiguration $configuration
-     */
-    public function __construct(PdoDatabase $database, SiteConfiguration $configuration)
-    {
-        parent::__construct($database, $configuration, 'totp');
-        $this->encryptionHelper = new EncryptionHelper($configuration);
-    }
-
-    /**
-     * Validates a user-provided credential
-     *
-     * @param User   $user The user to test the authentication against
-     * @param string $data The raw credential data to be validated
-     *
-     * @return bool
-     * @throws ApplicationLogicException
-     */
-    public function authenticate(User $user, $data)
-    {
-        if (is_array($data)) {
-            return false;
-        }
-
-        $storedData = $this->getCredentialData($user->getId());
-
-        if ($storedData === null) {
-            throw new ApplicationLogicException('Credential data not found');
-        }
-
-        $provisioningUrl = $this->encryptionHelper->decryptData($storedData->getData());
-        $totp = Factory::loadFromProvisioningUri($provisioningUrl);
-
-        return $totp->verify($data, null, 2);
-    }
-
-    public function verifyEnable(User $user, $data)
-    {
-        $storedData = $this->getCredentialData($user->getId(), true);
-
-        if ($storedData === null) {
-            throw new ApplicationLogicException('Credential data not found');
-        }
-
-        $provisioningUrl = $this->encryptionHelper->decryptData($storedData->getData());
-        $totp = Factory::loadFromProvisioningUri($provisioningUrl);
-
-        $result = $totp->verify($data, null, 2);
-
-        if ($result && $storedData->getTimeout() > new DateTimeImmutable()) {
-            $storedData->setDisabled(0);
-            $storedData->setPriority(5);
-            $storedData->setTimeout(null);
-            $storedData->save();
-        }
-
-        return $result;
-    }
-
-    /**
-     * @param User   $user   The user the credential belongs to
-     * @param int    $factor The factor this credential provides
-     * @param string $data   Unused here, due to there being no user-provided data. We provide the user with the secret.
-     */
-    public function setCredential(User $user, $factor, $data)
-    {
-        $issuer = 'ACC - ' . $this->getConfiguration()->getIrcNotificationsInstance();
-        $totp = TOTP::create();
-        $totp->setLabel($user->getUsername());
-        $totp->setIssuer($issuer);
-
-        $storedData = $this->getCredentialData($user->getId(), null);
-
-        if ($storedData !== null) {
-            $storedData->delete();
-        }
-
-        $storedData = $this->createNewCredential($user);
-
-        $storedData->setData($this->encryptionHelper->encryptData($totp->getProvisioningUri()));
-        $storedData->setFactor($factor);
-        $storedData->setTimeout(new DateTimeImmutable('+ 1 hour'));
-        $storedData->setDisabled(1);
-        $storedData->setVersion(1);
-
-        $storedData->save();
-    }
-
-    public function getProvisioningUrl(User $user)
-    {
-        $storedData = $this->getCredentialData($user->getId(), true);
-
-        if ($storedData->getTimeout() < new DateTimeImmutable()) {
-            $storedData->delete();
-            $storedData = null;
-        }
-
-        if ($storedData === null) {
-            throw new ApplicationLogicException('Credential data not found');
-        }
-
-        return $this->encryptionHelper->decryptData($storedData->getData());
-    }
-
-    public function isPartiallyEnrolled(User $user)
-    {
-        $storedData = $this->getCredentialData($user->getId(), true);
-
-        if ($storedData->getTimeout() < new DateTimeImmutable()) {
-            $storedData->delete();
-
-            return false;
-        }
-
-        if ($storedData === null) {
-            return false;
-        }
+	/** @var EncryptionHelper */
+	private $encryptionHelper;
+
+	/**
+	 * TotpCredentialProvider constructor.
+	 *
+	 * @param PdoDatabase       $database
+	 * @param SiteConfiguration $configuration
+	 */
+	public function __construct(PdoDatabase $database, SiteConfiguration $configuration)
+	{
+		parent::__construct($database, $configuration, 'totp');
+		$this->encryptionHelper = new EncryptionHelper($configuration);
+	}
+
+	/**
+	 * Validates a user-provided credential
+	 *
+	 * @param User   $user The user to test the authentication against
+	 * @param string $data The raw credential data to be validated
+	 *
+	 * @return bool
+	 * @throws ApplicationLogicException
+	 */
+	public function authenticate(User $user, $data)
+	{
+		if (is_array($data)) {
+			return false;
+		}
+
+		$storedData = $this->getCredentialData($user->getId());
+
+		if ($storedData === null) {
+			throw new ApplicationLogicException('Credential data not found');
+		}
+
+		$provisioningUrl = $this->encryptionHelper->decryptData($storedData->getData());
+		$totp = Factory::loadFromProvisioningUri($provisioningUrl);
+
+		return $totp->verify($data, null, 2);
+	}
+
+	public function verifyEnable(User $user, $data)
+	{
+		$storedData = $this->getCredentialData($user->getId(), true);
+
+		if ($storedData === null) {
+			throw new ApplicationLogicException('Credential data not found');
+		}
+
+		$provisioningUrl = $this->encryptionHelper->decryptData($storedData->getData());
+		$totp = Factory::loadFromProvisioningUri($provisioningUrl);
+
+		$result = $totp->verify($data, null, 2);
+
+		if ($result && $storedData->getTimeout() > new DateTimeImmutable()) {
+			$storedData->setDisabled(0);
+			$storedData->setPriority(5);
+			$storedData->setTimeout(null);
+			$storedData->save();
+		}
+
+		return $result;
+	}
+
+	/**
+	 * @param User   $user   The user the credential belongs to
+	 * @param int    $factor The factor this credential provides
+	 * @param string $data   Unused here, due to there being no user-provided data. We provide the user with the secret.
+	 */
+	public function setCredential(User $user, $factor, $data)
+	{
+		$issuer = 'ACC - ' . $this->getConfiguration()->getIrcNotificationsInstance();
+		$totp = TOTP::create();
+		$totp->setLabel($user->getUsername());
+		$totp->setIssuer($issuer);
+
+		$storedData = $this->getCredentialData($user->getId(), null);
+
+		if ($storedData !== null) {
+			$storedData->delete();
+		}
+
+		$storedData = $this->createNewCredential($user);
+
+		$storedData->setData($this->encryptionHelper->encryptData($totp->getProvisioningUri()));
+		$storedData->setFactor($factor);
+		$storedData->setTimeout(new DateTimeImmutable('+ 1 hour'));
+		$storedData->setDisabled(1);
+		$storedData->setVersion(1);
+
+		$storedData->save();
+	}
+
+	public function getProvisioningUrl(User $user)
+	{
+		$storedData = $this->getCredentialData($user->getId(), true);
+
+		if ($storedData->getTimeout() < new DateTimeImmutable()) {
+			$storedData->delete();
+			$storedData = null;
+		}
+
+		if ($storedData === null) {
+			throw new ApplicationLogicException('Credential data not found');
+		}
+
+		return $this->encryptionHelper->decryptData($storedData->getData());
+	}
+
+	public function isPartiallyEnrolled(User $user)
+	{
+		$storedData = $this->getCredentialData($user->getId(), true);
+
+		if ($storedData->getTimeout() < new DateTimeImmutable()) {
+			$storedData->delete();
+
+			return false;
+		}
+
+		if ($storedData === null) {
+			return false;
+		}
 
-        return true;
-    }
+		return true;
+	}
 
-    public function getSecret(User $user)
-    {
-        $totp = Factory::loadFromProvisioningUri($this->getProvisioningUrl($user));
+	public function getSecret(User $user)
+	{
+		$totp = Factory::loadFromProvisioningUri($this->getProvisioningUrl($user));
 
-        return $totp->getSecret();
-    }
+		return $totp->getSecret();
+	}
 }

includes/Security/CredentialProviders/PasswordCredentialProvider.php

Indentation +109 added lines, -109 removed lines

@@ -19,123 +19,123 @@
 
 class PasswordCredentialProvider extends CredentialProviderBase
 {
-    const PASSWORD_COST = 10;
-    const PASSWORD_ALGO = PASSWORD_BCRYPT;
-
-    public function __construct(PdoDatabase $database, SiteConfiguration $configuration)
-    {
-        parent::__construct($database, $configuration, 'password');
-    }
-
-    public function authenticate(User $user, $data)
-    {
-        $storedData = $this->getCredentialData($user->getId());
-        if($storedData === null)
-        {
-            // No available credential matching these parameters
-            return false;
-        }
-
-        if($storedData->getVersion() !== 2) {
-            // Non-2 versions are not supported.
-            return false;
-        }
-
-        if (!password_verify($data, $storedData->getData())) {
-            return false;
-        }
-
-        if (password_needs_rehash($storedData->getData(), self::PASSWORD_ALGO,
-            array('cost' => self::PASSWORD_COST))) {
-            try {
-                $this->reallySetCredential($user, $storedData->getFactor(), $data);
-            }
-            catch (OptimisticLockFailedException $e) {
-                // optimistic lock failed, but no biggie. We'll catch it on the next login.
-            }
-        }
-
-        $strengthTester = new Zxcvbn();
-        $strength = $strengthTester->passwordStrength($data, [$user->getUsername(), $user->getOnWikiName(), $user->getEmail()]);
-
-        /*  0 means the password is extremely guessable (within 10^3 guesses), dictionary words like 'password' or 'mother' score a 0
+	const PASSWORD_COST = 10;
+	const PASSWORD_ALGO = PASSWORD_BCRYPT;
+
+	public function __construct(PdoDatabase $database, SiteConfiguration $configuration)
+	{
+		parent::__construct($database, $configuration, 'password');
+	}
+
+	public function authenticate(User $user, $data)
+	{
+		$storedData = $this->getCredentialData($user->getId());
+		if($storedData === null)
+		{
+			// No available credential matching these parameters
+			return false;
+		}
+
+		if($storedData->getVersion() !== 2) {
+			// Non-2 versions are not supported.
+			return false;
+		}
+
+		if (!password_verify($data, $storedData->getData())) {
+			return false;
+		}
+
+		if (password_needs_rehash($storedData->getData(), self::PASSWORD_ALGO,
+			array('cost' => self::PASSWORD_COST))) {
+			try {
+				$this->reallySetCredential($user, $storedData->getFactor(), $data);
+			}
+			catch (OptimisticLockFailedException $e) {
+				// optimistic lock failed, but no biggie. We'll catch it on the next login.
+			}
+		}
+
+		$strengthTester = new Zxcvbn();
+		$strength = $strengthTester->passwordStrength($data, [$user->getUsername(), $user->getOnWikiName(), $user->getEmail()]);
+
+		/*  0 means the password is extremely guessable (within 10^3 guesses), dictionary words like 'password' or 'mother' score a 0
             1 is still very guessable (guesses < 10^6), an extra character on a dictionary word can score a 1
             2 is somewhat guessable (guesses < 10^8), provides some protection from unthrottled online attacks
             3 is safely unguessable (guesses < 10^10), offers moderate protection from offline slow-hash scenario
             4 is very unguessable (guesses >= 10^10) and provides strong protection from offline slow-hash scenario         */
 
-        if ($strength['score'] <= 1 || PasswordBlacklist::isBlacklisted($data) || mb_strlen($data) < 8) {
-            // prevent login for extremely weak passwords
-            // at this point the user has authenticated via password, so they *know* it's weak.
-            SessionAlert::error('Your password is too weak to permit login. Please choose the "forgotten your password" option below and set a new one.', null);
-            return false;
-        }
-
-        return true;
-    }
-
-    /**
-     * @param User   $user
-     * @param int    $factor
-     * @param string $password
-     *
-     * @throws OptimisticLockFailedException
-     */
-    private function reallySetCredential(User $user, int $factor, string $password) : void {
-        $storedData = $this->getCredentialData($user->getId());
-
-        if ($storedData === null) {
-            $storedData = $this->createNewCredential($user);
-        }
-
-        $storedData->setData(password_hash($password, self::PASSWORD_ALGO, array('cost' => self::PASSWORD_COST)));
-        $storedData->setFactor($factor);
-        $storedData->setVersion(2);
-
-        $storedData->save();
-    }
-
-    /**
-     * @param User   $user
-     * @param int    $factor
-     * @param string $password
-     *
-     * @throws ApplicationLogicException
-     * @throws OptimisticLockFailedException
-     */
-    public function setCredential(User $user, $factor, $password)
-    {
-        if (PasswordBlacklist::isBlacklisted($password)) {
-            throw new ApplicationLogicException("Your new password is listed in the top 100,000 passwords. Please choose a stronger one.", null);
-        }
-
-        $strengthTester = new Zxcvbn();
-        $strength = $strengthTester->passwordStrength($password, [$user->getUsername(), $user->getOnWikiName(), $user->getEmail()]);
-
-        /*  0 means the password is extremely guessable (within 10^3 guesses), dictionary words like 'password' or 'mother' score a 0
+		if ($strength['score'] <= 1 || PasswordBlacklist::isBlacklisted($data) || mb_strlen($data) < 8) {
+			// prevent login for extremely weak passwords
+			// at this point the user has authenticated via password, so they *know* it's weak.
+			SessionAlert::error('Your password is too weak to permit login. Please choose the "forgotten your password" option below and set a new one.', null);
+			return false;
+		}
+
+		return true;
+	}
+
+	/**
+	 * @param User   $user
+	 * @param int    $factor
+	 * @param string $password
+	 *
+	 * @throws OptimisticLockFailedException
+	 */
+	private function reallySetCredential(User $user, int $factor, string $password) : void {
+		$storedData = $this->getCredentialData($user->getId());
+
+		if ($storedData === null) {
+			$storedData = $this->createNewCredential($user);
+		}
+
+		$storedData->setData(password_hash($password, self::PASSWORD_ALGO, array('cost' => self::PASSWORD_COST)));
+		$storedData->setFactor($factor);
+		$storedData->setVersion(2);
+
+		$storedData->save();
+	}
+
+	/**
+	 * @param User   $user
+	 * @param int    $factor
+	 * @param string $password
+	 *
+	 * @throws ApplicationLogicException
+	 * @throws OptimisticLockFailedException
+	 */
+	public function setCredential(User $user, $factor, $password)
+	{
+		if (PasswordBlacklist::isBlacklisted($password)) {
+			throw new ApplicationLogicException("Your new password is listed in the top 100,000 passwords. Please choose a stronger one.", null);
+		}
+
+		$strengthTester = new Zxcvbn();
+		$strength = $strengthTester->passwordStrength($password, [$user->getUsername(), $user->getOnWikiName(), $user->getEmail()]);
+
+		/*  0 means the password is extremely guessable (within 10^3 guesses), dictionary words like 'password' or 'mother' score a 0
             1 is still very guessable (guesses < 10^6), an extra character on a dictionary word can score a 1
             2 is somewhat guessable (guesses < 10^8), provides some protection from unthrottled online attacks
             3 is safely unguessable (guesses < 10^10), offers moderate protection from offline slow-hash scenario
             4 is very unguessable (guesses >= 10^10) and provides strong protection from offline slow-hash scenario         */
 
-        if ($strength['score'] <= 2 || mb_strlen($password) < 8) {
-            throw new ApplicationLogicException("Your new password is too weak. Please choose a stronger one.", null);
-        }
-
-        if ($strength['score'] <= 3) {
-            SessionAlert::warning("Your new password is not as strong as it could be. Consider replacing it with a stronger password.", null);
-        }
-
-        $this->reallySetCredential($user, $factor, $password);
-    }
-
-    /**
-     * @param User $user
-     *
-     * @throws ApplicationLogicException
-     */
-    public function deleteCredential(User $user)
-    {
-        throw new ApplicationLogicException('Deletion of password credential is not allowed.');
-    }
+		if ($strength['score'] <= 2 || mb_strlen($password) < 8) {
+			throw new ApplicationLogicException("Your new password is too weak. Please choose a stronger one.", null);
+		}
+
+		if ($strength['score'] <= 3) {
+			SessionAlert::warning("Your new password is not as strong as it could be. Consider replacing it with a stronger password.", null);
+		}
+
+		$this->reallySetCredential($user, $factor, $password);
+	}
+
+	/**
+	 * @param User $user
+	 *
+	 * @throws ApplicationLogicException
+	 */
+	public function deleteCredential(User $user)
+	{
+		throw new ApplicationLogicException('Deletion of password credential is not allowed.');
+	}
 }

Spacing +2 added lines, -2 removed lines

@@ -30,13 +30,13 @@
     public function authenticate(User $user, $data)
     {
         $storedData = $this->getCredentialData($user->getId());
-        if($storedData === null)
+        if ($storedData === null)
         {
             // No available credential matching these parameters
             return false;
         }
 
-        if($storedData->getVersion() !== 2) {
+        if ($storedData->getVersion() !== 2) {
             // Non-2 versions are not supported.
             return false;
         }

Braces +1 added lines, -2 removed lines

@@ -30,8 +30,7 @@
     public function authenticate(User $user, $data)
     {
         $storedData = $this->getCredentialData($user->getId());
-        if($storedData === null)
-        {
+        if($storedData === null) {
             // No available credential matching these parameters
             return false;
         }

includes/Security/CredentialProviders/ICredentialProvider.php

Indentation +25 added lines, -25 removed lines

@@ -12,32 +12,32 @@
 
 interface ICredentialProvider
 {
-    /**
-     * Validates a user-provided credential
-     *
-     * @param User $user The user to test the authentication against
-     * @param string $data The raw credential data to be validated
-     *
-     * @return bool
-     */
-    public function authenticate(User $user, $data);
+	/**
+	 * Validates a user-provided credential
+	 *
+	 * @param User $user The user to test the authentication against
+	 * @param string $data The raw credential data to be validated
+	 *
+	 * @return bool
+	 */
+	public function authenticate(User $user, $data);
 
-    /**
-     * @param User $user The user the credential belongs to
-     * @param int $factor The factor this credential provides
-     * @param string $data
-     */
-    public function setCredential(User $user, $factor, $data);
+	/**
+	 * @param User $user The user the credential belongs to
+	 * @param int $factor The factor this credential provides
+	 * @param string $data
+	 */
+	public function setCredential(User $user, $factor, $data);
 
-    /**
-     * @param User $user
-     */
-    public function deleteCredential(User $user);
+	/**
+	 * @param User $user
+	 */
+	public function deleteCredential(User $user);
 
-    /**
-     * @param int $userId
-     *
-     * @return bool
-     */
-    public function userIsEnrolled($userId);
+	/**
+	 * @param int $userId
+	 *
+	 * @return bool
+	 */
+	public function userIsEnrolled($userId);
 }
\ No newline at end of file

includes/Security/CredentialProviders/YubikeyOtpCredentialProvider.php

Indentation +150 added lines, -150 removed lines

@@ -16,154 +16,154 @@
 
 class YubikeyOtpCredentialProvider extends CredentialProviderBase
 {
-    /** @var HttpHelper */
-    private $httpHelper;
-    /**
-     * @var SiteConfiguration
-     */
-    private $configuration;
-
-    public function __construct(PdoDatabase $database, SiteConfiguration $configuration, HttpHelper $httpHelper)
-    {
-        parent::__construct($database, $configuration, 'yubikeyotp');
-        $this->httpHelper = $httpHelper;
-        $this->configuration = $configuration;
-    }
-
-    public function authenticate(User $user, $data)
-    {
-        if (is_array($data)) {
-            return false;
-        }
-
-        $credentialData = $this->getCredentialData($user->getId());
-
-        if ($credentialData === null) {
-            return false;
-        }
-
-        if ($credentialData->getData() !== $this->getYubikeyId($data)) {
-            // different device
-            return false;
-        }
-
-        return $this->verifyToken($data);
-    }
-
-    public function setCredential(User $user, $factor, $data)
-    {
-        $keyId = $this->getYubikeyId($data);
-        $valid = $this->verifyToken($data);
-
-        if (!$valid) {
-            throw new ApplicationLogicException("Provided token is not valid.");
-        }
-
-        $storedData = $this->getCredentialData($user->getId());
-
-        if ($storedData === null) {
-            $storedData = $this->createNewCredential($user);
-        }
-
-        $storedData->setData($keyId);
-        $storedData->setFactor($factor);
-        $storedData->setVersion(1);
-        $storedData->setPriority(8);
-
-        $storedData->save();
-    }
-
-    /**
-     * Get the Yubikey ID.
-     *
-     * This looks like it's just dumping the "password" that's stored in the database, but it's actually fine.
-     *
-     * We only store the "serial number" of the Yubikey - if we get a validated (by webservice) token prefixed with the
-     * serial number, that's a successful OTP authentication. Thus, retrieving the stored data is just retrieving the
-     * yubikey's serial number (in modhex format), since the actual security credentials are stored on the device.
-     *
-     * Note that the serial number is actually the credential serial number - it's possible to regenerate the keys on
-     * the device, and that will change the serial number too.
-     *
-     * More information about the structure of OTPs can be found here:
-     * https://developers.yubico.com/OTP/OTPs_Explained.html
-     *
-     * @param int $userId
-     *
-     * @return null|string
-     */
-    public function getYubikeyData($userId)
-    {
-        $credential = $this->getCredentialData($userId);
-
-        if ($credential === null) {
-            return null;
-        }
-
-        return $credential->getData();
-    }
-
-    /**
-     * @param $result
-     *
-     * @return array
-     */
-    private function parseYubicoApiResult($result)
-    {
-        $data = array();
-        foreach (explode("\r\n", $result) as $line) {
-            $pos = strpos($line, '=');
-            if ($pos === false) {
-                continue;
-            }
-
-            $data[substr($line, 0, $pos)] = substr($line, $pos + 1);
-        }
-
-        return $data;
-    }
-
-    private function getYubikeyId($data)
-    {
-        return substr($data, 0, -32);
-    }
-
-    private function verifyHmac($apiResponse, $apiKey)
-    {
-        ksort($apiResponse);
-        $signature = $apiResponse['h'];
-        unset($apiResponse['h']);
-
-        $data = array();
-        foreach ($apiResponse as $key => $value) {
-            $data[] = $key . "=" . $value;
-        }
-        $dataString = implode('&', $data);
-
-        $hmac = base64_encode(hash_hmac('sha1', $dataString, base64_decode($apiKey), true));
-
-        return $hmac === $signature;
-    }
-
-    /**
-     * @param $data
-     *
-     * @return bool
-     */
-    private function verifyToken($data)
-    {
-        $result = $this->httpHelper->get('https://api.yubico.com/wsapi/2.0/verify', array(
-            'id'    => $this->configuration->getYubicoApiId(),
-            'otp'   => $data,
-            'nonce' => md5(openssl_random_pseudo_bytes(64)),
-        ));
-
-        $apiResponse = $this->parseYubicoApiResult($result);
-
-        if (!$this->verifyHmac($apiResponse, $this->configuration->getYubicoApiKey())) {
-            return false;
-        }
-
-        return $apiResponse['status'] == 'OK';
-    }
+	/** @var HttpHelper */
+	private $httpHelper;
+	/**
+	 * @var SiteConfiguration
+	 */
+	private $configuration;
+
+	public function __construct(PdoDatabase $database, SiteConfiguration $configuration, HttpHelper $httpHelper)
+	{
+		parent::__construct($database, $configuration, 'yubikeyotp');
+		$this->httpHelper = $httpHelper;
+		$this->configuration = $configuration;
+	}
+
+	public function authenticate(User $user, $data)
+	{
+		if (is_array($data)) {
+			return false;
+		}
+
+		$credentialData = $this->getCredentialData($user->getId());
+
+		if ($credentialData === null) {
+			return false;
+		}
+
+		if ($credentialData->getData() !== $this->getYubikeyId($data)) {
+			// different device
+			return false;
+		}
+
+		return $this->verifyToken($data);
+	}
+
+	public function setCredential(User $user, $factor, $data)
+	{
+		$keyId = $this->getYubikeyId($data);
+		$valid = $this->verifyToken($data);
+
+		if (!$valid) {
+			throw new ApplicationLogicException("Provided token is not valid.");
+		}
+
+		$storedData = $this->getCredentialData($user->getId());
+
+		if ($storedData === null) {
+			$storedData = $this->createNewCredential($user);
+		}
+
+		$storedData->setData($keyId);
+		$storedData->setFactor($factor);
+		$storedData->setVersion(1);
+		$storedData->setPriority(8);
+
+		$storedData->save();
+	}
+
+	/**
+	 * Get the Yubikey ID.
+	 *
+	 * This looks like it's just dumping the "password" that's stored in the database, but it's actually fine.
+	 *
+	 * We only store the "serial number" of the Yubikey - if we get a validated (by webservice) token prefixed with the
+	 * serial number, that's a successful OTP authentication. Thus, retrieving the stored data is just retrieving the
+	 * yubikey's serial number (in modhex format), since the actual security credentials are stored on the device.
+	 *
+	 * Note that the serial number is actually the credential serial number - it's possible to regenerate the keys on
+	 * the device, and that will change the serial number too.
+	 *
+	 * More information about the structure of OTPs can be found here:
+	 * https://developers.yubico.com/OTP/OTPs_Explained.html
+	 *
+	 * @param int $userId
+	 *
+	 * @return null|string
+	 */
+	public function getYubikeyData($userId)
+	{
+		$credential = $this->getCredentialData($userId);
+
+		if ($credential === null) {
+			return null;
+		}
+
+		return $credential->getData();
+	}
+
+	/**
+	 * @param $result
+	 *
+	 * @return array
+	 */
+	private function parseYubicoApiResult($result)
+	{
+		$data = array();
+		foreach (explode("\r\n", $result) as $line) {
+			$pos = strpos($line, '=');
+			if ($pos === false) {
+				continue;
+			}
+
+			$data[substr($line, 0, $pos)] = substr($line, $pos + 1);
+		}
+
+		return $data;
+	}
+
+	private function getYubikeyId($data)
+	{
+		return substr($data, 0, -32);
+	}
+
+	private function verifyHmac($apiResponse, $apiKey)
+	{
+		ksort($apiResponse);
+		$signature = $apiResponse['h'];
+		unset($apiResponse['h']);
+
+		$data = array();
+		foreach ($apiResponse as $key => $value) {
+			$data[] = $key . "=" . $value;
+		}
+		$dataString = implode('&', $data);
+
+		$hmac = base64_encode(hash_hmac('sha1', $dataString, base64_decode($apiKey), true));
+
+		return $hmac === $signature;
+	}
+
+	/**
+	 * @param $data
+	 *
+	 * @return bool
+	 */
+	private function verifyToken($data)
+	{
+		$result = $this->httpHelper->get('https://api.yubico.com/wsapi/2.0/verify', array(
+			'id'    => $this->configuration->getYubicoApiId(),
+			'otp'   => $data,
+			'nonce' => md5(openssl_random_pseudo_bytes(64)),
+		));
+
+		$apiResponse = $this->parseYubicoApiResult($result);
+
+		if (!$this->verifyHmac($apiResponse, $this->configuration->getYubicoApiKey())) {
+			return false;
+		}
+
+		return $apiResponse['status'] == 'OK';
+	}
 }

includes/Security/RoleConfiguration.php

Indentation +360 added lines, -360 removed lines

@@ -47,391 +47,391 @@
 
 class RoleConfiguration
 {
-    const ACCESS_ALLOW = 1;
-    const ACCESS_DENY = -1;
-    const ACCESS_DEFAULT = 0;
-    const MAIN = 'main';
-    const ALL = '*';
-    /**
-     * A map of roles to rights
-     *
-     * For example:
-     *
-     * array(
-     *   'myrole' => array(
-     *       PageMyPage::class => array(
-     *           'edit' => self::ACCESS_ALLOW,
-     *           'create' => self::ACCESS_DENY,
-     *       )
-     *   )
-     * )
-     *
-     * Note that DENY takes precedence over everything else when roles are combined, followed by ALLOW, followed by
-     * DEFAULT. Thus, if you have the following ([A]llow, [D]eny, [-] (default)) grants in different roles, this should
-     * be the expected result:
-     *
-     * - (-,-,-) = - (default because nothing to explicitly say allowed or denied equates to a denial)
-     * - (A,-,-) = A
-     * - (D,-,-) = D
-     * - (A,D,-) = D (deny takes precedence over allow)
-     * - (A,A,A) = A (repetition has no effect)
-     *
-     * The public role is special, and is applied to all users automatically. Avoid using deny on this role.
-     *
-     * @var array
-     */
-    private $roleConfig = array(
-        'public'            => array(
-            /*
+	const ACCESS_ALLOW = 1;
+	const ACCESS_DENY = -1;
+	const ACCESS_DEFAULT = 0;
+	const MAIN = 'main';
+	const ALL = '*';
+	/**
+	 * A map of roles to rights
+	 *
+	 * For example:
+	 *
+	 * array(
+	 *   'myrole' => array(
+	 *       PageMyPage::class => array(
+	 *           'edit' => self::ACCESS_ALLOW,
+	 *           'create' => self::ACCESS_DENY,
+	 *       )
+	 *   )
+	 * )
+	 *
+	 * Note that DENY takes precedence over everything else when roles are combined, followed by ALLOW, followed by
+	 * DEFAULT. Thus, if you have the following ([A]llow, [D]eny, [-] (default)) grants in different roles, this should
+	 * be the expected result:
+	 *
+	 * - (-,-,-) = - (default because nothing to explicitly say allowed or denied equates to a denial)
+	 * - (A,-,-) = A
+	 * - (D,-,-) = D
+	 * - (A,D,-) = D (deny takes precedence over allow)
+	 * - (A,A,A) = A (repetition has no effect)
+	 *
+	 * The public role is special, and is applied to all users automatically. Avoid using deny on this role.
+	 *
+	 * @var array
+	 */
+	private $roleConfig = array(
+		'public'            => array(
+			/*
              * THIS ROLE IS GRANTED TO ALL LOGGED *OUT* USERS IMPLICITLY.
              *
              * USERS IN THIS ROLE DO NOT HAVE TO BE IDENTIFIED TO GET THE RIGHTS CONFERRED HERE.
              * DO NOT ADD ANY SECURITY-SENSITIVE RIGHTS HERE.
              */
-            '_childRoles'   => array(
-                'publicStats',
-            ),
-            PageTeam::class => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageXffDemo::class        => array(
-                self::MAIN  => self::ACCESS_ALLOW,
-            )
-        ),
-        'loggedIn'          => array(
-            /*
+			'_childRoles'   => array(
+				'publicStats',
+			),
+			PageTeam::class => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageXffDemo::class        => array(
+				self::MAIN  => self::ACCESS_ALLOW,
+			)
+		),
+		'loggedIn'          => array(
+			/*
              * THIS ROLE IS GRANTED TO ALL LOGGED IN USERS IMPLICITLY.
              *
              * USERS IN THIS ROLE DO NOT HAVE TO BE IDENTIFIED TO GET THE RIGHTS CONFERRED HERE.
              * DO NOT ADD ANY SECURITY-SENSITIVE RIGHTS HERE.
              */
-            '_childRoles'             => array(
-                'public',
-            ),
-            PagePreferences::class    => array(
-                self::MAIN => self::ACCESS_ALLOW,
-                'refreshOAuth' => self::ACCESS_ALLOW,
-            ),
-            PageChangePassword::class => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageMultiFactor::class    => array(
-                self::MAIN          => self::ACCESS_ALLOW,
-                'scratch'           => self::ACCESS_ALLOW,
-                'enableYubikeyOtp'  => self::ACCESS_ALLOW,
-                'disableYubikeyOtp' => self::ACCESS_ALLOW,
-                'enableTotp'        => self::ACCESS_ALLOW,
-                'disableTotp'       => self::ACCESS_ALLOW,
-            ),
-            PageOAuth::class          => array(
-                'attach' => self::ACCESS_ALLOW,
-                'detach' => self::ACCESS_ALLOW,
-            ),
-        ),
-        'user'              => array(
-            '_description'                       => 'A standard tool user.',
-            '_editableBy'                        => array('admin', 'toolRoot'),
-            '_childRoles'                        => array(
-                'internalStats',
-            ),
-            PageMain::class                      => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageBan::class                       => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageEditComment::class               => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageEmailManagement::class           => array(
-                self::MAIN => self::ACCESS_ALLOW,
-                'view'     => self::ACCESS_ALLOW,
-            ),
-            PageExpandedRequestList::class       => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageLog::class                       => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageSearch::class                    => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageWelcomeTemplateManagement::class => array(
-                self::MAIN => self::ACCESS_ALLOW,
-                'select'   => self::ACCESS_ALLOW,
-                'view'     => self::ACCESS_ALLOW,
-            ),
-            PageViewRequest::class               => array(
-                self::MAIN       => self::ACCESS_ALLOW,
-                'seeAllRequests' => self::ACCESS_ALLOW,
-            ),
-            'RequestData'                        => array(
-                'seePrivateDataWhenReserved' => self::ACCESS_ALLOW,
-                'seePrivateDataWithHash'     => self::ACCESS_ALLOW,
-            ),
-            PageCustomClose::class               => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageComment::class                   => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageCloseRequest::class              => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageCreateRequest::class             => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageDeferRequest::class              => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageDropRequest::class               => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageReservation::class               => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageSendToUser::class                => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageBreakReservation::class          => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageJobQueue::class                  => array(
-                self::MAIN => self::ACCESS_ALLOW,
-                'view'     => self::ACCESS_ALLOW,
-                'all'      => self::ACCESS_ALLOW,
-            ),
-            'RequestCreation'                    => array(
-                User::CREATION_MANUAL => self::ACCESS_ALLOW,
-            ),
-            'GlobalInfo'                         => array(
-                'viewSiteNotice' => self::ACCESS_ALLOW,
-                'viewOnlineUsers' => self::ACCESS_ALLOW,
-            ),
-        ),
-        'admin'             => array(
-            '_description'                       => 'A tool administrator.',
-            '_editableBy'                        => array('admin', 'toolRoot'),
-            '_childRoles'                        => array(
-                'user',
-                'requestAdminTools',
-            ),
-            PageEmailManagement::class           => array(
-                'edit'   => self::ACCESS_ALLOW,
-                'create' => self::ACCESS_ALLOW,
-            ),
-            PageSiteNotice::class                => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageUserManagement::class            => array(
-                self::MAIN  => self::ACCESS_ALLOW,
-                'approve'   => self::ACCESS_ALLOW,
-                'decline'   => self::ACCESS_ALLOW,
-                'rename'    => self::ACCESS_ALLOW,
-                'editUser'  => self::ACCESS_ALLOW,
-                'suspend'   => self::ACCESS_ALLOW,
-                'editRoles' => self::ACCESS_ALLOW,
-            ),
-            PageWelcomeTemplateManagement::class => array(
-                'edit'   => self::ACCESS_ALLOW,
-                'delete' => self::ACCESS_ALLOW,
-                'add'    => self::ACCESS_ALLOW,
-            ),
-            PageJobQueue::class                  => array(
-                'acknowledge' => self::ACCESS_ALLOW,
-                'requeue'     => self::ACCESS_ALLOW,
-            ),
-        ),
-        'checkuser'         => array(
-            '_description'            => 'A user with CheckUser access',
-            '_editableBy'             => array('checkuser', 'toolRoot'),
-            '_childRoles'             => array(
-                'user',
-                'requestAdminTools',
-            ),
-            PageUserManagement::class => array(
-                self::MAIN  => self::ACCESS_ALLOW,
-                'suspend'   => self::ACCESS_ALLOW,
-                'editRoles' => self::ACCESS_ALLOW,
-            ),
-            'RequestData'             => array(
-                'seeUserAgentData' => self::ACCESS_ALLOW,
-            ),
-        ),
-        'toolRoot'          => array(
-            '_description' => 'A user with shell access to the servers running the tool',
-            '_editableBy'  => array('toolRoot'),
-            '_childRoles'  => array(
-                'admin',
-            ),
-            PageMultiFactor::class => array(
-                'enableU2F'         => self::ACCESS_ALLOW,
-                'disableU2F'        => self::ACCESS_ALLOW,
-            )
-        ),
-        'botCreation'       => array(
-            '_description'    => 'A user allowed to use the bot to perform account creations',
-            '_editableBy'     => array('admin', 'toolRoot'),
-            '_childRoles'     => array(),
-            'RequestCreation' => array(
-                User::CREATION_BOT => self::ACCESS_ALLOW,
-            ),
-        ),
-        'oauthCreation'       => array(
-            '_description'    => 'A user allowed to use the OAuth to perform account creations',
-            '_editableBy'     => array('admin', 'toolRoot'),
-            '_childRoles'     => array(),
-            'RequestCreation'                    => array(
-                User::CREATION_OAUTH  => self::ACCESS_ALLOW,
-            ),
-        ),
+			'_childRoles'             => array(
+				'public',
+			),
+			PagePreferences::class    => array(
+				self::MAIN => self::ACCESS_ALLOW,
+				'refreshOAuth' => self::ACCESS_ALLOW,
+			),
+			PageChangePassword::class => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageMultiFactor::class    => array(
+				self::MAIN          => self::ACCESS_ALLOW,
+				'scratch'           => self::ACCESS_ALLOW,
+				'enableYubikeyOtp'  => self::ACCESS_ALLOW,
+				'disableYubikeyOtp' => self::ACCESS_ALLOW,
+				'enableTotp'        => self::ACCESS_ALLOW,
+				'disableTotp'       => self::ACCESS_ALLOW,
+			),
+			PageOAuth::class          => array(
+				'attach' => self::ACCESS_ALLOW,
+				'detach' => self::ACCESS_ALLOW,
+			),
+		),
+		'user'              => array(
+			'_description'                       => 'A standard tool user.',
+			'_editableBy'                        => array('admin', 'toolRoot'),
+			'_childRoles'                        => array(
+				'internalStats',
+			),
+			PageMain::class                      => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageBan::class                       => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageEditComment::class               => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageEmailManagement::class           => array(
+				self::MAIN => self::ACCESS_ALLOW,
+				'view'     => self::ACCESS_ALLOW,
+			),
+			PageExpandedRequestList::class       => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageLog::class                       => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageSearch::class                    => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageWelcomeTemplateManagement::class => array(
+				self::MAIN => self::ACCESS_ALLOW,
+				'select'   => self::ACCESS_ALLOW,
+				'view'     => self::ACCESS_ALLOW,
+			),
+			PageViewRequest::class               => array(
+				self::MAIN       => self::ACCESS_ALLOW,
+				'seeAllRequests' => self::ACCESS_ALLOW,
+			),
+			'RequestData'                        => array(
+				'seePrivateDataWhenReserved' => self::ACCESS_ALLOW,
+				'seePrivateDataWithHash'     => self::ACCESS_ALLOW,
+			),
+			PageCustomClose::class               => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageComment::class                   => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageCloseRequest::class              => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageCreateRequest::class             => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageDeferRequest::class              => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageDropRequest::class               => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageReservation::class               => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageSendToUser::class                => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageBreakReservation::class          => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageJobQueue::class                  => array(
+				self::MAIN => self::ACCESS_ALLOW,
+				'view'     => self::ACCESS_ALLOW,
+				'all'      => self::ACCESS_ALLOW,
+			),
+			'RequestCreation'                    => array(
+				User::CREATION_MANUAL => self::ACCESS_ALLOW,
+			),
+			'GlobalInfo'                         => array(
+				'viewSiteNotice' => self::ACCESS_ALLOW,
+				'viewOnlineUsers' => self::ACCESS_ALLOW,
+			),
+		),
+		'admin'             => array(
+			'_description'                       => 'A tool administrator.',
+			'_editableBy'                        => array('admin', 'toolRoot'),
+			'_childRoles'                        => array(
+				'user',
+				'requestAdminTools',
+			),
+			PageEmailManagement::class           => array(
+				'edit'   => self::ACCESS_ALLOW,
+				'create' => self::ACCESS_ALLOW,
+			),
+			PageSiteNotice::class                => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageUserManagement::class            => array(
+				self::MAIN  => self::ACCESS_ALLOW,
+				'approve'   => self::ACCESS_ALLOW,
+				'decline'   => self::ACCESS_ALLOW,
+				'rename'    => self::ACCESS_ALLOW,
+				'editUser'  => self::ACCESS_ALLOW,
+				'suspend'   => self::ACCESS_ALLOW,
+				'editRoles' => self::ACCESS_ALLOW,
+			),
+			PageWelcomeTemplateManagement::class => array(
+				'edit'   => self::ACCESS_ALLOW,
+				'delete' => self::ACCESS_ALLOW,
+				'add'    => self::ACCESS_ALLOW,
+			),
+			PageJobQueue::class                  => array(
+				'acknowledge' => self::ACCESS_ALLOW,
+				'requeue'     => self::ACCESS_ALLOW,
+			),
+		),
+		'checkuser'         => array(
+			'_description'            => 'A user with CheckUser access',
+			'_editableBy'             => array('checkuser', 'toolRoot'),
+			'_childRoles'             => array(
+				'user',
+				'requestAdminTools',
+			),
+			PageUserManagement::class => array(
+				self::MAIN  => self::ACCESS_ALLOW,
+				'suspend'   => self::ACCESS_ALLOW,
+				'editRoles' => self::ACCESS_ALLOW,
+			),
+			'RequestData'             => array(
+				'seeUserAgentData' => self::ACCESS_ALLOW,
+			),
+		),
+		'toolRoot'          => array(
+			'_description' => 'A user with shell access to the servers running the tool',
+			'_editableBy'  => array('toolRoot'),
+			'_childRoles'  => array(
+				'admin',
+			),
+			PageMultiFactor::class => array(
+				'enableU2F'         => self::ACCESS_ALLOW,
+				'disableU2F'        => self::ACCESS_ALLOW,
+			)
+		),
+		'botCreation'       => array(
+			'_description'    => 'A user allowed to use the bot to perform account creations',
+			'_editableBy'     => array('admin', 'toolRoot'),
+			'_childRoles'     => array(),
+			'RequestCreation' => array(
+				User::CREATION_BOT => self::ACCESS_ALLOW,
+			),
+		),
+		'oauthCreation'       => array(
+			'_description'    => 'A user allowed to use the OAuth to perform account creations',
+			'_editableBy'     => array('admin', 'toolRoot'),
+			'_childRoles'     => array(),
+			'RequestCreation'                    => array(
+				User::CREATION_OAUTH  => self::ACCESS_ALLOW,
+			),
+		),
 
 
-        // Child roles go below this point
-        'publicStats'       => array(
-            '_hidden'               => true,
-            StatsUsers::class       => array(
-                self::MAIN => self::ACCESS_ALLOW,
-                'detail'   => self::ACCESS_ALLOW,
-            ),
-            StatsTopCreators::class => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-        ),
-        'internalStats'     => array(
-            '_hidden'                    => true,
-            StatsMain::class             => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            StatsFastCloses::class       => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            StatsInactiveUsers::class    => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            StatsMonthlyStats::class     => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            StatsReservedRequests::class => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            StatsTemplateStats::class    => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-        ),
-        'requestAdminTools' => array(
-            '_hidden'                   => true,
-            PageBan::class              => array(
-                self::MAIN => self::ACCESS_ALLOW,
-                'set'      => self::ACCESS_ALLOW,
-                'remove'   => self::ACCESS_ALLOW,
-            ),
-            PageEditComment::class      => array(
-                'editOthers' => self::ACCESS_ALLOW,
-            ),
-            PageBreakReservation::class => array(
-                'force' => self::ACCESS_ALLOW,
-            ),
-            PageCustomClose::class      => array(
-                'skipCcMailingList' => self::ACCESS_ALLOW,
-            ),
-            'RequestData'               => array(
-                'reopenOldRequest'      => self::ACCESS_ALLOW,
-                'alwaysSeePrivateData'  => self::ACCESS_ALLOW,
-                'alwaysSeeHash'         => self::ACCESS_ALLOW,
-                'seeRestrictedComments' => self::ACCESS_ALLOW,
-            ),
-        ),
-    );
-    /** @var array
-     * List of roles which are *exempt* from the identification requirements
-     *
-     * Think twice about adding roles to this list.
-     *
-     * @category Security-Critical
-     */
-    private $identificationExempt = array('public', 'loggedIn');
+		// Child roles go below this point
+		'publicStats'       => array(
+			'_hidden'               => true,
+			StatsUsers::class       => array(
+				self::MAIN => self::ACCESS_ALLOW,
+				'detail'   => self::ACCESS_ALLOW,
+			),
+			StatsTopCreators::class => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+		),
+		'internalStats'     => array(
+			'_hidden'                    => true,
+			StatsMain::class             => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			StatsFastCloses::class       => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			StatsInactiveUsers::class    => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			StatsMonthlyStats::class     => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			StatsReservedRequests::class => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			StatsTemplateStats::class    => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+		),
+		'requestAdminTools' => array(
+			'_hidden'                   => true,
+			PageBan::class              => array(
+				self::MAIN => self::ACCESS_ALLOW,
+				'set'      => self::ACCESS_ALLOW,
+				'remove'   => self::ACCESS_ALLOW,
+			),
+			PageEditComment::class      => array(
+				'editOthers' => self::ACCESS_ALLOW,
+			),
+			PageBreakReservation::class => array(
+				'force' => self::ACCESS_ALLOW,
+			),
+			PageCustomClose::class      => array(
+				'skipCcMailingList' => self::ACCESS_ALLOW,
+			),
+			'RequestData'               => array(
+				'reopenOldRequest'      => self::ACCESS_ALLOW,
+				'alwaysSeePrivateData'  => self::ACCESS_ALLOW,
+				'alwaysSeeHash'         => self::ACCESS_ALLOW,
+				'seeRestrictedComments' => self::ACCESS_ALLOW,
+			),
+		),
+	);
+	/** @var array
+	 * List of roles which are *exempt* from the identification requirements
+	 *
+	 * Think twice about adding roles to this list.
+	 *
+	 * @category Security-Critical
+	 */
+	private $identificationExempt = array('public', 'loggedIn');
 
-    /**
-     * RoleConfiguration constructor.
-     *
-     * @param array $roleConfig           Set to non-null to override the default configuration.
-     * @param array $identificationExempt Set to non-null to override the default configuration.
-     */
-    public function __construct(array $roleConfig = null, array $identificationExempt = null)
-    {
-        if ($roleConfig !== null) {
-            $this->roleConfig = $roleConfig;
-        }
+	/**
+	 * RoleConfiguration constructor.
+	 *
+	 * @param array $roleConfig           Set to non-null to override the default configuration.
+	 * @param array $identificationExempt Set to non-null to override the default configuration.
+	 */
+	public function __construct(array $roleConfig = null, array $identificationExempt = null)
+	{
+		if ($roleConfig !== null) {
+			$this->roleConfig = $roleConfig;
+		}
 
-        if ($identificationExempt !== null) {
-            $this->identificationExempt = $identificationExempt;
-        }
-    }
+		if ($identificationExempt !== null) {
+			$this->identificationExempt = $identificationExempt;
+		}
+	}
 
-    /**
-     * @param array $roles The roles to check
-     *
-     * @return array
-     */
-    public function getApplicableRoles(array $roles)
-    {
-        $available = array();
+	/**
+	 * @param array $roles The roles to check
+	 *
+	 * @return array
+	 */
+	public function getApplicableRoles(array $roles)
+	{
+		$available = array();
 
-        foreach ($roles as $role) {
-            if (!isset($this->roleConfig[$role])) {
-                // wat
-                continue;
-            }
+		foreach ($roles as $role) {
+			if (!isset($this->roleConfig[$role])) {
+				// wat
+				continue;
+			}
 
-            $available[$role] = $this->roleConfig[$role];
+			$available[$role] = $this->roleConfig[$role];
 
-            if (isset($available[$role]['_childRoles'])) {
-                $childRoles = $this->getApplicableRoles($available[$role]['_childRoles']);
-                $available = array_merge($available, $childRoles);
+			if (isset($available[$role]['_childRoles'])) {
+				$childRoles = $this->getApplicableRoles($available[$role]['_childRoles']);
+				$available = array_merge($available, $childRoles);
 
-                unset($available[$role]['_childRoles']);
-            }
+				unset($available[$role]['_childRoles']);
+			}
 
-            foreach (array('_hidden', '_editableBy', '_description') as $item) {
-                if (isset($available[$role][$item])) {
-                    unset($available[$role][$item]);
-                }
-            }
-        }
+			foreach (array('_hidden', '_editableBy', '_description') as $item) {
+				if (isset($available[$role][$item])) {
+					unset($available[$role][$item]);
+				}
+			}
+		}
 
-        return $available;
-    }
+		return $available;
+	}
 
-    public function getAvailableRoles()
-    {
-        $possible = array_diff(array_keys($this->roleConfig), array('public', 'loggedIn'));
+	public function getAvailableRoles()
+	{
+		$possible = array_diff(array_keys($this->roleConfig), array('public', 'loggedIn'));
 
-        $actual = array();
+		$actual = array();
 
-        foreach ($possible as $role) {
-            if (!isset($this->roleConfig[$role]['_hidden'])) {
-                $actual[$role] = array(
-                    'description' => $this->roleConfig[$role]['_description'],
-                    'editableBy'  => $this->roleConfig[$role]['_editableBy'],
-                );
-            }
-        }
+		foreach ($possible as $role) {
+			if (!isset($this->roleConfig[$role]['_hidden'])) {
+				$actual[$role] = array(
+					'description' => $this->roleConfig[$role]['_description'],
+					'editableBy'  => $this->roleConfig[$role]['_editableBy'],
+				);
+			}
+		}
 
-        return $actual;
-    }
+		return $actual;
+	}
 
-    /**
-     * @param string $role
-     *
-     * @return bool
-     */
-    public function roleNeedsIdentification($role)
-    {
-        if (in_array($role, $this->identificationExempt)) {
-            return false;
-        }
+	/**
+	 * @param string $role
+	 *
+	 * @return bool
+	 */
+	public function roleNeedsIdentification($role)
+	{
+		if (in_array($role, $this->identificationExempt)) {
+			return false;
+		}
 
-        return true;
-    }
+		return true;
+	}
 }

includes/Security/AuthenticationManager.php

Indentation +56 added lines, -56 removed lines

@@ -22,67 +22,67 @@
 
 class AuthenticationManager
 {
-    const AUTH_OK = 1;
-    const AUTH_FAIL = 2;
-    const AUTH_REQUIRE_NEXT_STAGE = 3;
-    private $typeMap = array();
-    /**
-     * @var PdoDatabase
-     */
-    private $database;
+	const AUTH_OK = 1;
+	const AUTH_FAIL = 2;
+	const AUTH_REQUIRE_NEXT_STAGE = 3;
+	private $typeMap = array();
+	/**
+	 * @var PdoDatabase
+	 */
+	private $database;
 
-    /**
-     * AuthenticationManager constructor.
-     *
-     * @param PdoDatabase       $database
-     * @param SiteConfiguration $siteConfiguration
-     * @param HttpHelper        $httpHelper
-     */
-    public function __construct(PdoDatabase $database, SiteConfiguration $siteConfiguration, HttpHelper $httpHelper)
-    {
-        // setup providers
-        // note on type map: this *must* be the value in the database, as this is what it maps.
-        $this->typeMap['password'] = new PasswordCredentialProvider($database, $siteConfiguration);
-        $this->typeMap['yubikeyotp'] = new YubikeyOtpCredentialProvider($database, $siteConfiguration, $httpHelper);
-        $this->typeMap['totp'] = new TotpCredentialProvider($database, $siteConfiguration);
-        $this->typeMap['scratch'] = new ScratchTokenCredentialProvider($database, $siteConfiguration);
-        $this->typeMap['u2f'] = new U2FCredentialProvider($database, $siteConfiguration);
-        $this->database = $database;
-    }
+	/**
+	 * AuthenticationManager constructor.
+	 *
+	 * @param PdoDatabase       $database
+	 * @param SiteConfiguration $siteConfiguration
+	 * @param HttpHelper        $httpHelper
+	 */
+	public function __construct(PdoDatabase $database, SiteConfiguration $siteConfiguration, HttpHelper $httpHelper)
+	{
+		// setup providers
+		// note on type map: this *must* be the value in the database, as this is what it maps.
+		$this->typeMap['password'] = new PasswordCredentialProvider($database, $siteConfiguration);
+		$this->typeMap['yubikeyotp'] = new YubikeyOtpCredentialProvider($database, $siteConfiguration, $httpHelper);
+		$this->typeMap['totp'] = new TotpCredentialProvider($database, $siteConfiguration);
+		$this->typeMap['scratch'] = new ScratchTokenCredentialProvider($database, $siteConfiguration);
+		$this->typeMap['u2f'] = new U2FCredentialProvider($database, $siteConfiguration);
+		$this->database = $database;
+	}
 
-    public function authenticate(User $user, $data, $stage)
-    {
-        $sql = 'SELECT type FROM credential WHERE user = :user AND factor = :stage AND disabled = 0 ORDER BY priority ASC';
-        $statement = $this->database->prepare($sql);
-        $statement->execute(array(':user' => $user->getId(), ':stage' => $stage));
-        $options = $statement->fetchAll(PDO::FETCH_COLUMN);
+	public function authenticate(User $user, $data, $stage)
+	{
+		$sql = 'SELECT type FROM credential WHERE user = :user AND factor = :stage AND disabled = 0 ORDER BY priority ASC';
+		$statement = $this->database->prepare($sql);
+		$statement->execute(array(':user' => $user->getId(), ':stage' => $stage));
+		$options = $statement->fetchAll(PDO::FETCH_COLUMN);
 
-        $sql = 'SELECT count(DISTINCT factor) FROM credential WHERE user = :user AND factor > :stage AND disabled = 0 AND type <> :scratch';
-        $statement = $this->database->prepare($sql);
-        $statement->execute(array(':user' => $user->getId(), ':stage' => $stage, ':scratch' => 'scratch'));
-        $requiredFactors = $statement->fetchColumn();
+		$sql = 'SELECT count(DISTINCT factor) FROM credential WHERE user = :user AND factor > :stage AND disabled = 0 AND type <> :scratch';
+		$statement = $this->database->prepare($sql);
+		$statement->execute(array(':user' => $user->getId(), ':stage' => $stage, ':scratch' => 'scratch'));
+		$requiredFactors = $statement->fetchColumn();
 
-        // prep the correct OK response based on how many factors are ahead of this one
-        $success = self::AUTH_OK;
-        if ($requiredFactors > 0) {
-            $success = self::AUTH_REQUIRE_NEXT_STAGE;
-        }
+		// prep the correct OK response based on how many factors are ahead of this one
+		$success = self::AUTH_OK;
+		if ($requiredFactors > 0) {
+			$success = self::AUTH_REQUIRE_NEXT_STAGE;
+		}
 
-        foreach ($options as $type) {
-            if (!isset($this->typeMap[$type])) {
-                // does this type have a credentialProvider registered?
-                continue;
-            }
+		foreach ($options as $type) {
+			if (!isset($this->typeMap[$type])) {
+				// does this type have a credentialProvider registered?
+				continue;
+			}
 
-            /** @var ICredentialProvider $credentialProvider */
-            $credentialProvider = $this->typeMap[$type];
-            if ($credentialProvider->authenticate($user, $data)) {
-                return $success;
-            }
-        }
+			/** @var ICredentialProvider $credentialProvider */
+			$credentialProvider = $this->typeMap[$type];
+			if ($credentialProvider->authenticate($user, $data)) {
+				return $success;
+			}
+		}
 
-        // We've iterated over all the available providers for this stage.
-        // They all hate you.
-        return self::AUTH_FAIL;
-    }
+		// We've iterated over all the available providers for this stage.
+		// They all hate you.
+		return self::AUTH_FAIL;
+	}
 }
\ No newline at end of file

includes/Providers/GlobalState/GlobalStateProvider.php

Indentation +35 added lines, -35 removed lines

@@ -18,43 +18,43 @@
  */
 class GlobalStateProvider implements IGlobalStateProvider
 {
-    /**
-     * @return array
-     */
-    public function &getServerSuperGlobal()
-    {
-        return $_SERVER;
-    }
+	/**
+	 * @return array
+	 */
+	public function &getServerSuperGlobal()
+	{
+		return $_SERVER;
+	}
 
-    /**
-     * @return array
-     */
-    public function &getGetSuperGlobal()
-    {
-        return $_GET;
-    }
+	/**
+	 * @return array
+	 */
+	public function &getGetSuperGlobal()
+	{
+		return $_GET;
+	}
 
-    /**
-     * @return array
-     */
-    public function &getPostSuperGlobal()
-    {
-        return $_POST;
-    }
+	/**
+	 * @return array
+	 */
+	public function &getPostSuperGlobal()
+	{
+		return $_POST;
+	}
 
-    /**
-     * @return array
-     */
-    public function &getSessionSuperGlobal()
-    {
-        return $_SESSION;
-    }
+	/**
+	 * @return array
+	 */
+	public function &getSessionSuperGlobal()
+	{
+		return $_SESSION;
+	}
 
-    /**
-     * @return array
-     */
-    public function &getCookieSuperGlobal()
-    {
-        return $_COOKIE;
-    }
+	/**
+	 * @return array
+	 */
+	public function &getCookieSuperGlobal()
+	{
+		return $_COOKIE;
+	}
 }
\ No newline at end of file