mdaniels5757 / waca

includes/Pages/UserAuth/Login/LoginCredentialPageBase.php

Indentation +311 added lines, -311 removed lines

@@ -21,315 +21,315 @@
 
 abstract class LoginCredentialPageBase extends InternalPageBase
 {
-    /** @var User */
-    protected $partialUser = null;
-    protected $nextPageMap = array(
-        'yubikeyotp' => 'otp',
-        'totp'       => 'otp',
-        'scratch'    => 'otp',
-        'u2f'        => 'u2f',
-    );
-    protected $names = array(
-        'yubikeyotp' => 'Yubikey OTP',
-        'totp'       => 'TOTP (phone code generator)',
-        'scratch'    => 'scratch token',
-        'u2f'        => 'U2F security token',
-    );
-
-    /**
-     * Main function for this page, when no specific actions are called.
-     * @return void
-     */
-    protected function main()
-    {
-        if (!$this->enforceHttps()) {
-            return;
-        }
-
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-
-            $database = $this->getDatabase();
-            try {
-                list($partialId, $partialStage) = WebRequest::getAuthPartialLogin();
-
-                if ($partialStage === null) {
-                    $partialStage = 1;
-                }
-
-                if ($partialId === null) {
-                    $username = WebRequest::postString('username');
-
-                    if ($username === null || trim($username) === '') {
-                        throw new ApplicationLogicException('No username specified.');
-                    }
-
-                    $user = User::getByUsername($username, $database);
-                }
-                else {
-                    $user = User::getById($partialId, $database);
-                }
-
-                if ($user === false) {
-                    throw new ApplicationLogicException("Authentication failed");
-                }
-
-                $authMan = new AuthenticationManager($database, $this->getSiteConfiguration(),
-                    $this->getHttpHelper());
-
-                $credential = $this->getProviderCredentials();
-
-                $authResult = $authMan->authenticate($user, $credential, $partialStage);
-
-                if ($authResult === AuthenticationManager::AUTH_FAIL) {
-                    throw new ApplicationLogicException("Authentication failed");
-                }
-
-                if ($authResult === AuthenticationManager::AUTH_REQUIRE_NEXT_STAGE) {
-                    $this->processJumpNextStage($user, $partialStage, $database);
-
-                    return;
-                }
-
-                if ($authResult === AuthenticationManager::AUTH_OK) {
-                    $this->processLoginSuccess($user);
-
-                    return;
-                }
-            }
-            catch (ApplicationLogicException $ex) {
-                WebRequest::clearAuthPartialLogin();
-
-                SessionAlert::error($ex->getMessage());
-                $this->redirect('login');
-
-                return;
-            }
-        }
-        else {
-            $this->assign('showSignIn', true);
-
-            $this->setupPartial();
-            $this->assignCSRFToken();
-            $this->providerSpecificSetup();
-        }
-    }
-
-    protected function isProtectedPage()
-    {
-        return false;
-    }
-
-    /**
-     * Enforces HTTPS on the login form
-     *
-     * @return bool
-     */
-    private function enforceHttps()
-    {
-        if ($this->getSiteConfiguration()->getUseStrictTransportSecurity() !== false) {
-            if (WebRequest::isHttps()) {
-                // Client can clearly use HTTPS, so let's enforce it for all connections.
-                $this->headerQueue[] = "Strict-Transport-Security: max-age=15768000";
-            }
-            else {
-                // This is the login form, not the request form. We need protection here.
-                $this->redirectUrl('https://' . WebRequest::serverName() . WebRequest::requestUri());
-
-                return false;
-            }
-        }
-
-        return true;
-    }
-
-    protected abstract function providerSpecificSetup();
-
-    protected function setupPartial()
-    {
-        $database = $this->getDatabase();
-
-        // default stuff
-        $this->assign('alternatives', array()); // 'u2f' => array('U2F token'), 'otp' => array('TOTP', 'scratch', 'yubiotp')));
-
-        // is this stage one?
-        list($partialId, $partialStage) = WebRequest::getAuthPartialLogin();
-        if ($partialStage === null || $partialId === null) {
-            WebRequest::clearAuthPartialLogin();
-        }
-
-        // Check to see if we have a partial login in progress
-        $username = null;
-        if ($partialId !== null) {
-            // Yes, enforce this username
-            $this->partialUser = User::getById($partialId, $database);
-            $username = $this->partialUser->getUsername();
-
-            $this->setupAlternates($this->partialUser, $partialStage, $database);
-        }
-        else {
-            // No, see if we've preloaded a username
-            $preloadUsername = WebRequest::getString('tplUsername');
-            if ($preloadUsername !== null) {
-                $username = $preloadUsername;
-            }
-        }
-
-        if ($partialStage === null) {
-            $partialStage = 1;
-        }
-
-        $this->assign('partialStage', $partialStage);
-        $this->assign('username', $username);
-    }
-
-    /**
-     * Redirect the user back to wherever they came from after a successful login
-     *
-     * @param User $user
-     */
-    protected function goBackWhenceYouCame(User $user)
-    {
-        // Redirect to wherever the user came from
-        $redirectDestination = WebRequest::clearPostLoginRedirect();
-        if ($redirectDestination !== null) {
-            $this->redirectUrl($redirectDestination);
-        }
-        else {
-            if ($user->isNewUser()) {
-                // home page isn't allowed, go to preferences instead
-                $this->redirect('preferences');
-            }
-            else {
-                // go to the home page
-                $this->redirect('');
-            }
-        }
-    }
-
-    private function processLoginSuccess(User $user)
-    {
-        // Touch force logout
-        $user->setForceLogout(false);
-        $user->save();
-
-        $oauth = new OAuthUserHelper($user, $this->getDatabase(), $this->getOAuthProtocolHelper(),
-            $this->getSiteConfiguration());
-
-        if ($oauth->isFullyLinked()) {
-            try {
-                // Reload the user's identity ticket.
-                $oauth->refreshIdentity();
-
-                // Check for blocks
-                if ($oauth->getIdentity()->getBlocked()) {
-                    // blocked!
-                    SessionAlert::error("You are currently blocked on-wiki. You will not be able to log in until you are unblocked.");
-                    $this->redirect('login');
-
-                    return;
-                }
-            }
-            catch (OAuthException $ex) {
-                // Oops. Refreshing ticket failed. Force a re-auth.
-                $authoriseUrl = $oauth->getRequestToken();
-                WebRequest::setOAuthPartialLogin($user);
-                $this->redirectUrl($authoriseUrl);
-
-                return;
-            }
-        }
-
-        if (($this->getSiteConfiguration()->getEnforceOAuth() && !$oauth->isFullyLinked())
-            || $oauth->isPartiallyLinked()
-        ) {
-            $authoriseUrl = $oauth->getRequestToken();
-            WebRequest::setOAuthPartialLogin($user);
-            $this->redirectUrl($authoriseUrl);
-
-            return;
-        }
-
-        WebRequest::setLoggedInUser($user);
-
-        $this->goBackWhenceYouCame($user);
-    }
-
-    protected abstract function getProviderCredentials();
-
-    /**
-     * @param User        $user
-     * @param int         $partialStage
-     * @param PdoDatabase $database
-     *
-     * @throws ApplicationLogicException
-     */
-    private function processJumpNextStage(User $user, $partialStage, PdoDatabase $database)
-    {
-        WebRequest::setAuthPartialLogin($user->getId(), $partialStage + 1);
-
-        $sql = 'SELECT type FROM credential WHERE user = :user AND factor = :stage AND disabled = 0 ORDER BY priority';
-        $statement = $database->prepare($sql);
-        $statement->execute(array(':user' => $user->getId(), ':stage' => $partialStage + 1));
-        $nextStage = $statement->fetchColumn();
-        $statement->closeCursor();
-
-        if (!isset($this->nextPageMap[$nextStage])) {
-            throw new ApplicationLogicException('Unknown page handler for next authentication stage.');
-        }
-
-        $this->redirect("login/" . $this->nextPageMap[$nextStage]);
-    }
-
-    private function setupAlternates(User $user, $partialStage, PdoDatabase $database)
-    {
-        // get the providers available
-        $sql = 'SELECT type FROM credential WHERE user = :user AND factor = :stage AND disabled = 0';
-        $statement = $database->prepare($sql);
-        $statement->execute(array(':user' => $user->getId(), ':stage' => $partialStage));
-        $alternates = $statement->fetchAll(PDO::FETCH_COLUMN);
-
-        $types = array();
-        foreach ($alternates as $item) {
-            $type = $this->nextPageMap[$item];
-            if (!isset($types[$type])) {
-                $types[$type] = array();
-            }
-
-            $types[$type][] = $item;
-        }
-
-        $userOptions = array();
-        if (get_called_class() === PageOtpLogin::class) {
-            $userOptions = $this->setupUserOptionsForType($types, 'u2f', $userOptions);
-        }
-
-        if (get_called_class() === PageU2FLogin::class) {
-            $userOptions = $this->setupUserOptionsForType($types, 'otp', $userOptions);
-        }
-
-        $this->assign('alternatives', $userOptions);
-    }
-
-    /**
-     * @param $types
-     * @param $type
-     * @param $userOptions
-     *
-     * @return mixed
-     */
-    private function setupUserOptionsForType($types, $type, $userOptions)
-    {
-        if (isset($types[$type])) {
-            $options = $types[$type];
-
-            array_walk($options, function(&$val) {
-                $val = $this->names[$val];
-            });
-
-            $userOptions[$type] = $options;
-        }
-
-        return $userOptions;
-    }
+	/** @var User */
+	protected $partialUser = null;
+	protected $nextPageMap = array(
+		'yubikeyotp' => 'otp',
+		'totp'       => 'otp',
+		'scratch'    => 'otp',
+		'u2f'        => 'u2f',
+	);
+	protected $names = array(
+		'yubikeyotp' => 'Yubikey OTP',
+		'totp'       => 'TOTP (phone code generator)',
+		'scratch'    => 'scratch token',
+		'u2f'        => 'U2F security token',
+	);
+
+	/**
+	 * Main function for this page, when no specific actions are called.
+	 * @return void
+	 */
+	protected function main()
+	{
+		if (!$this->enforceHttps()) {
+			return;
+		}
+
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
+
+			$database = $this->getDatabase();
+			try {
+				list($partialId, $partialStage) = WebRequest::getAuthPartialLogin();
+
+				if ($partialStage === null) {
+					$partialStage = 1;
+				}
+
+				if ($partialId === null) {
+					$username = WebRequest::postString('username');
+
+					if ($username === null || trim($username) === '') {
+						throw new ApplicationLogicException('No username specified.');
+					}
+
+					$user = User::getByUsername($username, $database);
+				}
+				else {
+					$user = User::getById($partialId, $database);
+				}
+
+				if ($user === false) {
+					throw new ApplicationLogicException("Authentication failed");
+				}
+
+				$authMan = new AuthenticationManager($database, $this->getSiteConfiguration(),
+					$this->getHttpHelper());
+
+				$credential = $this->getProviderCredentials();
+
+				$authResult = $authMan->authenticate($user, $credential, $partialStage);
+
+				if ($authResult === AuthenticationManager::AUTH_FAIL) {
+					throw new ApplicationLogicException("Authentication failed");
+				}
+
+				if ($authResult === AuthenticationManager::AUTH_REQUIRE_NEXT_STAGE) {
+					$this->processJumpNextStage($user, $partialStage, $database);
+
+					return;
+				}
+
+				if ($authResult === AuthenticationManager::AUTH_OK) {
+					$this->processLoginSuccess($user);
+
+					return;
+				}
+			}
+			catch (ApplicationLogicException $ex) {
+				WebRequest::clearAuthPartialLogin();
+
+				SessionAlert::error($ex->getMessage());
+				$this->redirect('login');
+
+				return;
+			}
+		}
+		else {
+			$this->assign('showSignIn', true);
+
+			$this->setupPartial();
+			$this->assignCSRFToken();
+			$this->providerSpecificSetup();
+		}
+	}
+
+	protected function isProtectedPage()
+	{
+		return false;
+	}
+
+	/**
+	 * Enforces HTTPS on the login form
+	 *
+	 * @return bool
+	 */
+	private function enforceHttps()
+	{
+		if ($this->getSiteConfiguration()->getUseStrictTransportSecurity() !== false) {
+			if (WebRequest::isHttps()) {
+				// Client can clearly use HTTPS, so let's enforce it for all connections.
+				$this->headerQueue[] = "Strict-Transport-Security: max-age=15768000";
+			}
+			else {
+				// This is the login form, not the request form. We need protection here.
+				$this->redirectUrl('https://' . WebRequest::serverName() . WebRequest::requestUri());
+
+				return false;
+			}
+		}
+
+		return true;
+	}
+
+	protected abstract function providerSpecificSetup();
+
+	protected function setupPartial()
+	{
+		$database = $this->getDatabase();
+
+		// default stuff
+		$this->assign('alternatives', array()); // 'u2f' => array('U2F token'), 'otp' => array('TOTP', 'scratch', 'yubiotp')));
+
+		// is this stage one?
+		list($partialId, $partialStage) = WebRequest::getAuthPartialLogin();
+		if ($partialStage === null || $partialId === null) {
+			WebRequest::clearAuthPartialLogin();
+		}
+
+		// Check to see if we have a partial login in progress
+		$username = null;
+		if ($partialId !== null) {
+			// Yes, enforce this username
+			$this->partialUser = User::getById($partialId, $database);
+			$username = $this->partialUser->getUsername();
+
+			$this->setupAlternates($this->partialUser, $partialStage, $database);
+		}
+		else {
+			// No, see if we've preloaded a username
+			$preloadUsername = WebRequest::getString('tplUsername');
+			if ($preloadUsername !== null) {
+				$username = $preloadUsername;
+			}
+		}
+
+		if ($partialStage === null) {
+			$partialStage = 1;
+		}
+
+		$this->assign('partialStage', $partialStage);
+		$this->assign('username', $username);
+	}
+
+	/**
+	 * Redirect the user back to wherever they came from after a successful login
+	 *
+	 * @param User $user
+	 */
+	protected function goBackWhenceYouCame(User $user)
+	{
+		// Redirect to wherever the user came from
+		$redirectDestination = WebRequest::clearPostLoginRedirect();
+		if ($redirectDestination !== null) {
+			$this->redirectUrl($redirectDestination);
+		}
+		else {
+			if ($user->isNewUser()) {
+				// home page isn't allowed, go to preferences instead
+				$this->redirect('preferences');
+			}
+			else {
+				// go to the home page
+				$this->redirect('');
+			}
+		}
+	}
+
+	private function processLoginSuccess(User $user)
+	{
+		// Touch force logout
+		$user->setForceLogout(false);
+		$user->save();
+
+		$oauth = new OAuthUserHelper($user, $this->getDatabase(), $this->getOAuthProtocolHelper(),
+			$this->getSiteConfiguration());
+
+		if ($oauth->isFullyLinked()) {
+			try {
+				// Reload the user's identity ticket.
+				$oauth->refreshIdentity();
+
+				// Check for blocks
+				if ($oauth->getIdentity()->getBlocked()) {
+					// blocked!
+					SessionAlert::error("You are currently blocked on-wiki. You will not be able to log in until you are unblocked.");
+					$this->redirect('login');
+
+					return;
+				}
+			}
+			catch (OAuthException $ex) {
+				// Oops. Refreshing ticket failed. Force a re-auth.
+				$authoriseUrl = $oauth->getRequestToken();
+				WebRequest::setOAuthPartialLogin($user);
+				$this->redirectUrl($authoriseUrl);
+
+				return;
+			}
+		}
+
+		if (($this->getSiteConfiguration()->getEnforceOAuth() && !$oauth->isFullyLinked())
+			|| $oauth->isPartiallyLinked()
+		) {
+			$authoriseUrl = $oauth->getRequestToken();
+			WebRequest::setOAuthPartialLogin($user);
+			$this->redirectUrl($authoriseUrl);
+
+			return;
+		}
+
+		WebRequest::setLoggedInUser($user);
+
+		$this->goBackWhenceYouCame($user);
+	}
+
+	protected abstract function getProviderCredentials();
+
+	/**
+	 * @param User        $user
+	 * @param int         $partialStage
+	 * @param PdoDatabase $database
+	 *
+	 * @throws ApplicationLogicException
+	 */
+	private function processJumpNextStage(User $user, $partialStage, PdoDatabase $database)
+	{
+		WebRequest::setAuthPartialLogin($user->getId(), $partialStage + 1);
+
+		$sql = 'SELECT type FROM credential WHERE user = :user AND factor = :stage AND disabled = 0 ORDER BY priority';
+		$statement = $database->prepare($sql);
+		$statement->execute(array(':user' => $user->getId(), ':stage' => $partialStage + 1));
+		$nextStage = $statement->fetchColumn();
+		$statement->closeCursor();
+
+		if (!isset($this->nextPageMap[$nextStage])) {
+			throw new ApplicationLogicException('Unknown page handler for next authentication stage.');
+		}
+
+		$this->redirect("login/" . $this->nextPageMap[$nextStage]);
+	}
+
+	private function setupAlternates(User $user, $partialStage, PdoDatabase $database)
+	{
+		// get the providers available
+		$sql = 'SELECT type FROM credential WHERE user = :user AND factor = :stage AND disabled = 0';
+		$statement = $database->prepare($sql);
+		$statement->execute(array(':user' => $user->getId(), ':stage' => $partialStage));
+		$alternates = $statement->fetchAll(PDO::FETCH_COLUMN);
+
+		$types = array();
+		foreach ($alternates as $item) {
+			$type = $this->nextPageMap[$item];
+			if (!isset($types[$type])) {
+				$types[$type] = array();
+			}
+
+			$types[$type][] = $item;
+		}
+
+		$userOptions = array();
+		if (get_called_class() === PageOtpLogin::class) {
+			$userOptions = $this->setupUserOptionsForType($types, 'u2f', $userOptions);
+		}
+
+		if (get_called_class() === PageU2FLogin::class) {
+			$userOptions = $this->setupUserOptionsForType($types, 'otp', $userOptions);
+		}
+
+		$this->assign('alternatives', $userOptions);
+	}
+
+	/**
+	 * @param $types
+	 * @param $type
+	 * @param $userOptions
+	 *
+	 * @return mixed
+	 */
+	private function setupUserOptionsForType($types, $type, $userOptions)
+	{
+		if (isset($types[$type])) {
+			$options = $types[$type];
+
+			array_walk($options, function(&$val) {
+				$val = $this->names[$val];
+			});
+
+			$userOptions[$type] = $options;
+		}
+
+		return $userOptions;
+	}
 }

Braces +8 added lines, -13 removed lines

@@ -65,8 +65,7 @@ 
                     }
 
                     $user = User::getByUsername($username, $database);
-                }
-                else {
+                } else {
                     $user = User::getById($partialId, $database);
                 }
 
@@ -105,8 +104,7 @@ 
 
                 return;
             }
-        }
-        else {
+        } else {
             $this->assign('showSignIn', true);
 
             $this->setupPartial();
@@ -131,8 +129,7 @@ 
             if (WebRequest::isHttps()) {
                 // Client can clearly use HTTPS, so let's enforce it for all connections.
                 $this->headerQueue[] = "Strict-Transport-Security: max-age=15768000";
-            }
-            else {
+            } else {
                 // This is the login form, not the request form. We need protection here.
                 $this->redirectUrl('https://' . WebRequest::serverName() . WebRequest::requestUri());
 
@@ -166,8 +163,7 @@ 
             $username = $this->partialUser->getUsername();
 
             $this->setupAlternates($this->partialUser, $partialStage, $database);
-        }
-        else {
+        } else {
             // No, see if we've preloaded a username
             $preloadUsername = WebRequest::getString('tplUsername');
             if ($preloadUsername !== null) {
@@ -194,13 +190,11 @@ 
         $redirectDestination = WebRequest::clearPostLoginRedirect();
         if ($redirectDestination !== null) {
             $this->redirectUrl($redirectDestination);
-        }
-        else {
+        } else {
             if ($user->isNewUser()) {
                 // home page isn't allowed, go to preferences instead
                 $this->redirect('preferences');
-            }
-            else {
+            } else {
                 // go to the home page
                 $this->redirect('');
             }
@@ -323,7 +317,8 @@ 
         if (isset($types[$type])) {
             $options = $types[$type];
 
-            array_walk($options, function(&$val) {
+            array_walk($options, function(&$val)
+            {
                 $val = $this->names[$val];
             });
 

includes/Pages/UserAuth/Login/PageOtpLogin.php

Indentation +12 added lines, -12 removed lines

@@ -13,18 +13,18 @@
 
 class PageOtpLogin extends LoginCredentialPageBase
 {
-    protected function providerSpecificSetup()
-    {
-        $this->setTemplate('login/otp.tpl');
-    }
+	protected function providerSpecificSetup()
+	{
+		$this->setTemplate('login/otp.tpl');
+	}
 
-    protected function getProviderCredentials()
-    {
-        $otp = WebRequest::postString("otp");
-        if ($otp === null || $otp === "") {
-            throw new ApplicationLogicException("No one-time code specified");
-        }
+	protected function getProviderCredentials()
+	{
+		$otp = WebRequest::postString("otp");
+		if ($otp === null || $otp === "") {
+			throw new ApplicationLogicException("No one-time code specified");
+		}
 
-        return $otp;
-    }
+		return $otp;
+	}
 }
\ No newline at end of file

includes/Pages/UserAuth/Login/PageU2FLogin.php

Indentation +22 added lines, -22 removed lines

@@ -14,20 +14,20 @@ 
 
 class PageU2FLogin extends LoginCredentialPageBase
 {
-    protected function providerSpecificSetup()
-    {
-        $this->assign('showSignIn', false);
-        $this->setTemplate('login/u2f.tpl');
+	protected function providerSpecificSetup()
+	{
+		$this->assign('showSignIn', false);
+		$this->setTemplate('login/u2f.tpl');
 
-        if ($this->partialUser === null) {
-            throw new ApplicationLogicException("U2F cannot be first-stage authentication");
-        }
+		if ($this->partialUser === null) {
+			throw new ApplicationLogicException("U2F cannot be first-stage authentication");
+		}
 
-        $u2f = new U2FCredentialProvider($this->getDatabase(), $this->getSiteConfiguration());
-        $authData = json_encode($u2f->getAuthenticationData($this->partialUser));
+		$u2f = new U2FCredentialProvider($this->getDatabase(), $this->getSiteConfiguration());
+		$authData = json_encode($u2f->getAuthenticationData($this->partialUser));
 
-        $this->addJs('/vendor/yubico/u2flib-server/examples/assets/u2f-api.js');
-        $this->setTailScript($this->getCspManager()->getNonce(), <<<JS
+		$this->addJs('/vendor/yubico/u2flib-server/examples/assets/u2f-api.js');
+		$this->setTailScript($this->getCspManager()->getNonce(), <<<JS
 var request = {$authData};
 u2f.sign(request, function(data) {
     document.getElementById('authenticate').value=JSON.stringify(data);
@@ -35,19 +35,19 @@ 
     document.getElementById('loginForm').submit();
 });
 JS
-        );
+		);
 
-    }
+	}
 
-    protected function getProviderCredentials()
-    {
-        $authenticate = WebRequest::postString("authenticate");
-        $request = WebRequest::postString("request");
+	protected function getProviderCredentials()
+	{
+		$authenticate = WebRequest::postString("authenticate");
+		$request = WebRequest::postString("request");
 
-        if ($authenticate === null || $authenticate === "" || $request === null || $request === "") {
-              throw new ApplicationLogicException("No authentication specified");
-        }
+		if ($authenticate === null || $authenticate === "" || $request === null || $request === "") {
+			  throw new ApplicationLogicException("No authentication specified");
+		}
 
-        return array(json_decode($authenticate), json_decode($request), 'u2f');
-    }
+		return array(json_decode($authenticate), json_decode($request), 'u2f');
+	}
 }

includes/Pages/UserAuth/PageOAuthCallback.php

Indentation +77 added lines, -77 removed lines

@@ -18,92 +18,92 @@
 
 class PageOAuthCallback extends InternalPageBase
 {
-    /**
-     * @return bool
-     */
-    protected function isProtectedPage()
-    {
-        // This page is critical to ensuring OAuth functionality is operational.
-        return false;
-    }
+	/**
+	 * @return bool
+	 */
+	protected function isProtectedPage()
+	{
+		// This page is critical to ensuring OAuth functionality is operational.
+		return false;
+	}
 
-    /**
-     * Main function for this page, when no specific actions are called.
-     * @return void
-     */
-    protected function main()
-    {
-        // This should never get hit except by URL manipulation.
-        $this->redirect('');
-    }
+	/**
+	 * Main function for this page, when no specific actions are called.
+	 * @return void
+	 */
+	protected function main()
+	{
+		// This should never get hit except by URL manipulation.
+		$this->redirect('');
+	}
 
-    /**
-     * Registered endpoint for the account creation callback.
-     *
-     * If this ever gets hit, something is wrong somewhere.
-     */
-    protected function create()
-    {
-        throw new Exception('OAuth account creation endpoint triggered.');
-    }
+	/**
+	 * Registered endpoint for the account creation callback.
+	 *
+	 * If this ever gets hit, something is wrong somewhere.
+	 */
+	protected function create()
+	{
+		throw new Exception('OAuth account creation endpoint triggered.');
+	}
 
-    /**
-     * Callback entry point
-     * @throws ApplicationLogicException
-     * @throws OptimisticLockFailedException
-     */
-    protected function authorise()
-    {
-        $oauthToken = WebRequest::getString('oauth_token');
-        $oauthVerifier = WebRequest::getString('oauth_verifier');
+	/**
+	 * Callback entry point
+	 * @throws ApplicationLogicException
+	 * @throws OptimisticLockFailedException
+	 */
+	protected function authorise()
+	{
+		$oauthToken = WebRequest::getString('oauth_token');
+		$oauthVerifier = WebRequest::getString('oauth_verifier');
 
-        $this->doCallbackValidation($oauthToken, $oauthVerifier);
+		$this->doCallbackValidation($oauthToken, $oauthVerifier);
 
-        $database = $this->getDatabase();
+		$database = $this->getDatabase();
 
-        $user = OAuthUserHelper::findUserByRequestToken($oauthToken, $database);
-        $oauth = new OAuthUserHelper($user, $database, $this->getOAuthProtocolHelper(), $this->getSiteConfiguration());
+		$user = OAuthUserHelper::findUserByRequestToken($oauthToken, $database);
+		$oauth = new OAuthUserHelper($user, $database, $this->getOAuthProtocolHelper(), $this->getSiteConfiguration());
 
-        try {
-            $oauth->completeHandshake($oauthVerifier);
-        }
-        catch (CurlException $ex) {
-            throw new ApplicationLogicException($ex->getMessage(), 0, $ex);
-        }
+		try {
+			$oauth->completeHandshake($oauthVerifier);
+		}
+		catch (CurlException $ex) {
+			throw new ApplicationLogicException($ex->getMessage(), 0, $ex);
+		}
 
-        // OK, we're the same session that just did a partial login that was redirected to OAuth. Let's upgrade the
-        // login to a full login
-        if (WebRequest::getOAuthPartialLogin() === $user->getId()) {
-            WebRequest::setLoggedInUser($user);
-        }
+		// OK, we're the same session that just did a partial login that was redirected to OAuth. Let's upgrade the
+		// login to a full login
+		if (WebRequest::getOAuthPartialLogin() === $user->getId()) {
+			WebRequest::setLoggedInUser($user);
+		}
 
-        // My thinking is there are three cases here:
-        //   a) new user => redirect to prefs - it's the only thing they can access other than stats
-        //   b) existing user hit the connect button in prefs => redirect to prefs since it's where they were
-        //   c) existing user logging in => redirect to wherever they came from
-        $redirectDestination = WebRequest::clearPostLoginRedirect();
-        if ($redirectDestination !== null && !$user->isNewUser()) {
-            $this->redirectUrl($redirectDestination);
-        }
-        else {
-            $this->redirect('preferences', null, null, 'internal.php');
-        }
-    }
+		// My thinking is there are three cases here:
+		//   a) new user => redirect to prefs - it's the only thing they can access other than stats
+		//   b) existing user hit the connect button in prefs => redirect to prefs since it's where they were
+		//   c) existing user logging in => redirect to wherever they came from
+		$redirectDestination = WebRequest::clearPostLoginRedirect();
+		if ($redirectDestination !== null && !$user->isNewUser()) {
+			$this->redirectUrl($redirectDestination);
+		}
+		else {
+			$this->redirect('preferences', null, null, 'internal.php');
+		}
+	}
 
-    /**
-     * @param string $oauthToken
-     * @param string $oauthVerifier
-     *
-     * @throws ApplicationLogicException
-     */
-    private function doCallbackValidation($oauthToken, $oauthVerifier)
-    {
-        if ($oauthToken === null) {
-            throw new ApplicationLogicException('No token provided');
-        }
+	/**
+	 * @param string $oauthToken
+	 * @param string $oauthVerifier
+	 *
+	 * @throws ApplicationLogicException
+	 */
+	private function doCallbackValidation($oauthToken, $oauthVerifier)
+	{
+		if ($oauthToken === null) {
+			throw new ApplicationLogicException('No token provided');
+		}
 
-        if ($oauthVerifier === null) {
-            throw new ApplicationLogicException('No oauth verifier provided.');
-        }
-    }
+		if ($oauthVerifier === null) {
+			throw new ApplicationLogicException('No oauth verifier provided.');
+		}
+	}
 }
\ No newline at end of file

Braces +1 added lines, -2 removed lines

@@ -116,8 +116,7 @@
         $redirectDestination = WebRequest::clearPostLoginRedirect();
         if ($redirectDestination !== null && !$user->isNewUser()) {
             $this->redirectUrl($redirectDestination);
-        }
-        else {
+        } else {
             $this->redirect('preferences', null, null, 'internal.php');
         }
     }

includes/Pages/UserAuth/PageChangePassword.php

Indentation +57 added lines, -57 removed lines

@@ -17,71 +17,71 @@
 
 class PageChangePassword extends InternalPageBase
 {
-    /**
-     * Main function for this page, when no specific actions are called.
-     * @return void
-     */
-    protected function main()
-    {
-        $this->setHtmlTitle('Change Password');
+	/**
+	 * Main function for this page, when no specific actions are called.
+	 * @return void
+	 */
+	protected function main()
+	{
+		$this->setHtmlTitle('Change Password');
 
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-            try {
-                $oldPassword = WebRequest::postString('oldpassword');
-                $newPassword = WebRequest::postString('newpassword');
-                $newPasswordConfirmation = WebRequest::postString('newpasswordconfirm');
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
+			try {
+				$oldPassword = WebRequest::postString('oldpassword');
+				$newPassword = WebRequest::postString('newpassword');
+				$newPasswordConfirmation = WebRequest::postString('newpasswordconfirm');
 
-                $user = User::getCurrent($this->getDatabase());
-                if (!$user instanceof User) {
-                    throw new ApplicationLogicException('User not found');
-                }
+				$user = User::getCurrent($this->getDatabase());
+				if (!$user instanceof User) {
+					throw new ApplicationLogicException('User not found');
+				}
 
-                $this->validateNewPassword($oldPassword, $newPassword, $newPasswordConfirmation, $user);
+				$this->validateNewPassword($oldPassword, $newPassword, $newPasswordConfirmation, $user);
 
-                $passwordProvider = new PasswordCredentialProvider($this->getDatabase(), $this->getSiteConfiguration());
-                $passwordProvider->setCredential($user, 1, $newPassword);
-            }
-            catch (ApplicationLogicException $ex) {
-                SessionAlert::error($ex->getMessage());
-                $this->redirect('changePassword');
+				$passwordProvider = new PasswordCredentialProvider($this->getDatabase(), $this->getSiteConfiguration());
+				$passwordProvider->setCredential($user, 1, $newPassword);
+			}
+			catch (ApplicationLogicException $ex) {
+				SessionAlert::error($ex->getMessage());
+				$this->redirect('changePassword');
 
-                return;
-            }
+				return;
+			}
 
-            SessionAlert::success('Password changed successfully!');
+			SessionAlert::success('Password changed successfully!');
 
-            $this->redirect('preferences');
-        }
-        else {
-            $this->assignCSRFToken();
-            $this->setTemplate('preferences/changePassword.tpl');
-            $this->addJs("/vendor/dropbox/zxcvbn/dist/zxcvbn.js");
-        }
-    }
+			$this->redirect('preferences');
+		}
+		else {
+			$this->assignCSRFToken();
+			$this->setTemplate('preferences/changePassword.tpl');
+			$this->addJs("/vendor/dropbox/zxcvbn/dist/zxcvbn.js");
+		}
+	}
 
-    /**
-     * @param string $oldPassword
-     * @param string $newPassword
-     * @param string $newPasswordConfirmation
-     * @param User   $user
-     *
-     * @throws ApplicationLogicException
-     */
-    protected function validateNewPassword($oldPassword, $newPassword, $newPasswordConfirmation, User $user)
-    {
-        if ($oldPassword === null || $newPassword === null || $newPasswordConfirmation === null) {
-            throw new ApplicationLogicException('All three fields must be completed to change your password');
-        }
+	/**
+	 * @param string $oldPassword
+	 * @param string $newPassword
+	 * @param string $newPasswordConfirmation
+	 * @param User   $user
+	 *
+	 * @throws ApplicationLogicException
+	 */
+	protected function validateNewPassword($oldPassword, $newPassword, $newPasswordConfirmation, User $user)
+	{
+		if ($oldPassword === null || $newPassword === null || $newPasswordConfirmation === null) {
+			throw new ApplicationLogicException('All three fields must be completed to change your password');
+		}
 
-        if ($newPassword !== $newPasswordConfirmation) {
-            throw new ApplicationLogicException('Your new passwords did not match!');
-        }
+		if ($newPassword !== $newPasswordConfirmation) {
+			throw new ApplicationLogicException('Your new passwords did not match!');
+		}
 
-        // TODO: adapt for MFA support
-        $passwordProvider = new PasswordCredentialProvider($this->getDatabase(), $this->getSiteConfiguration());
-        if (!$passwordProvider->authenticate($user, $oldPassword)) {
-            throw new ApplicationLogicException('The password you entered was incorrect.');
-        }
-    }
+		// TODO: adapt for MFA support
+		$passwordProvider = new PasswordCredentialProvider($this->getDatabase(), $this->getSiteConfiguration());
+		if (!$passwordProvider->authenticate($user, $oldPassword)) {
+			throw new ApplicationLogicException('The password you entered was incorrect.');
+		}
+	}
 }

Braces +1 added lines, -2 removed lines

@@ -52,8 +52,7 @@
             SessionAlert::success('Password changed successfully!');
 
             $this->redirect('preferences');
-        }
-        else {
+        } else {
             $this->assignCSRFToken();
             $this->setTemplate('preferences/changePassword.tpl');
             $this->addJs("/vendor/dropbox/zxcvbn/dist/zxcvbn.js");

includes/Pages/UserAuth/PageForgotPassword.php

Indentation +205 added lines, -205 removed lines

@@ -22,209 +22,209 @@
 
 class PageForgotPassword extends InternalPageBase
 {
-    /**
-     * Main function for this page, when no specific actions are called.
-     *
-     * This is the forgotten password reset form
-     * @category Security-Critical
-     */
-    protected function main()
-    {
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-            $username = WebRequest::postString('username');
-            $email = WebRequest::postEmail('email');
-            $database = $this->getDatabase();
-
-            if ($username === null || trim($username) === "" || $email === null || trim($email) === "") {
-                throw new ApplicationLogicException("Both username and email address must be specified!");
-            }
-
-            $user = User::getByUsername($username, $database);
-            $this->sendResetMail($user, $email);
-
-            SessionAlert::success('<strong>Your password reset request has been completed.</strong> If the details you have provided match our records, you should receive an email shortly.');
-
-            $this->redirect('login');
-        }
-        else {
-            $this->assignCSRFToken();
-            $this->setTemplate('forgot-password/forgotpw.tpl');
-        }
-    }
-
-    /**
-     * Sends a reset email if the user is authenticated
-     *
-     * @param User|boolean $user  The user located from the database, or false. Doesn't really matter, since we do the
-     *                            check anyway within this method and silently skip if we don't have a user.
-     * @param string       $email The provided email address
-     */
-    private function sendResetMail($user, $email)
-    {
-        // If the user isn't found, or the email address is wrong, skip sending the details silently.
-        if (!$user instanceof User) {
-            return;
-        }
-
-        if (strtolower($user->getEmail()) === strtolower($email)) {
-            $clientIp = $this->getXffTrustProvider()
-                ->getTrustedClientIp(WebRequest::remoteAddress(), WebRequest::forwardedAddress());
-
-            $this->cleanExistingTokens($user);
-
-            $hash = Base32::encodeUpper(openssl_random_pseudo_bytes(30));
-
-            $encryptionHelper = new EncryptionHelper($this->getSiteConfiguration());
-
-            $cred = new Credential();
-            $cred->setDatabase($this->getDatabase());
-            $cred->setFactor(-1);
-            $cred->setUserId($user->getId());
-            $cred->setType('reset');
-            $cred->setData($encryptionHelper->encryptData($hash));
-            $cred->setVersion(0);
-            $cred->setDisabled(0);
-            $cred->setTimeout(new DateTimeImmutable('+ 1 hour'));
-            $cred->setPriority(9);
-            $cred->save();
-
-            $this->assign("user", $user);
-            $this->assign("hash", $hash);
-            $this->assign("remoteAddress", $clientIp);
-
-            $emailContent = $this->fetchTemplate('forgot-password/reset-mail.tpl');
-
-            $this->getEmailHelper()->sendMail($user->getEmail(), "WP:ACC password reset", $emailContent);
-        }
-    }
-
-    /**
-     * Entry point for the reset action
-     *
-     * This is the reset password part of the form.
-     * @category Security-Critical
-     */
-    protected function reset()
-    {
-        $si = WebRequest::getString('si');
-        $id = WebRequest::getString('id');
-
-        if ($si === null || trim($si) === "" || $id === null || trim($id) === "") {
-            throw new ApplicationLogicException("Link not valid, please ensure it has copied correctly");
-        }
-
-        $database = $this->getDatabase();
-        $user = $this->getResettingUser($id, $database, $si);
-
-        // Dual mode
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-            try {
-                $this->doReset($user);
-                $this->cleanExistingTokens($user);
-            }
-            catch (ApplicationLogicException $ex) {
-                SessionAlert::error($ex->getMessage());
-                $this->redirect('forgotPassword', 'reset', array('si' => $si, 'id' => $id));
-
-                return;
-            }
-        }
-        else {
-            $this->assignCSRFToken();
-            $this->assign('user', $user);
-            $this->setTemplate('forgot-password/forgotpwreset.tpl');
-            $this->addJs("/vendor/dropbox/zxcvbn/dist/zxcvbn.js");
-        }
-    }
-
-    /**
-     * Gets the user resetting their password from the database, or throwing an exception if that is not possible.
-     *
-     * @param integer     $id       The ID of the user to retrieve
-     * @param PdoDatabase $database The database object to use
-     * @param string      $si       The reset hash provided
-     *
-     * @return User
-     * @throws ApplicationLogicException
-     */
-    private function getResettingUser($id, $database, $si)
-    {
-        $user = User::getById($id, $database);
-
-        if ($user === false ||  $user->isCommunityUser()) {
-            throw new ApplicationLogicException("Password reset failed. Please try again.");
-        }
-
-        $statement = $database->prepare("SELECT * FROM credential WHERE type = 'reset' AND user = :user;");
-        $statement->execute([':user' => $user->getId()]);
-
-        /** @var Credential $credential */
-        $credential = $statement->fetchObject(Credential::class);
-
-        $statement->closeCursor();
-
-        if ($credential === false) {
-            throw new ApplicationLogicException("Password reset failed. Please try again.");
-        }
-
-        $credential->setDatabase($database);
-
-        $encryptionHelper = new EncryptionHelper($this->getSiteConfiguration());
-        if ($encryptionHelper->decryptData($credential->getData()) != $si) {
-            throw new ApplicationLogicException("Password reset failed. Please try again.");
-        }
-
-        if ($credential->getTimeout() < new DateTimeImmutable()) {
-            $credential->delete();
-            throw new ApplicationLogicException("Password reset token expired. Please try again.");
-        }
-
-        return $user;
-    }
-
-    /**
-     * Performs the setting of the new password
-     *
-     * @param User $user The user to set the password for
-     *
-     * @throws ApplicationLogicException
-     */
-    private function doReset(User $user)
-    {
-        $pw = WebRequest::postString('pw');
-        $pw2 = WebRequest::postString('pw2');
-
-        if ($pw !== $pw2) {
-            throw new ApplicationLogicException('Passwords do not match!');
-        }
-
-        $passwordCredentialProvider = new PasswordCredentialProvider($user->getDatabase(), $this->getSiteConfiguration());
-        $passwordCredentialProvider->setCredential($user, 1, $pw);
-
-        SessionAlert::success('You may now log in!');
-        $this->redirect('login');
-    }
-
-    protected function isProtectedPage()
-    {
-        return false;
-    }
-
-    /**
-     * @param $user
-     */
-    private function cleanExistingTokens($user): void
-    {
-        // clean out existing reset tokens
-        $statement = $this->getDatabase()->prepare("SELECT * FROM credential WHERE type = 'reset' AND user = :user;");
-        $statement->execute([':user' => $user->getId()]);
-        $existing = $statement->fetchAll(PdoDatabase::FETCH_CLASS, Credential::class);
-
-        foreach ($existing as $c) {
-            $c->setDatabase($this->getDatabase());
-            $c->delete();
-        }
-    }
+	/**
+	 * Main function for this page, when no specific actions are called.
+	 *
+	 * This is the forgotten password reset form
+	 * @category Security-Critical
+	 */
+	protected function main()
+	{
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
+			$username = WebRequest::postString('username');
+			$email = WebRequest::postEmail('email');
+			$database = $this->getDatabase();
+
+			if ($username === null || trim($username) === "" || $email === null || trim($email) === "") {
+				throw new ApplicationLogicException("Both username and email address must be specified!");
+			}
+
+			$user = User::getByUsername($username, $database);
+			$this->sendResetMail($user, $email);
+
+			SessionAlert::success('<strong>Your password reset request has been completed.</strong> If the details you have provided match our records, you should receive an email shortly.');
+
+			$this->redirect('login');
+		}
+		else {
+			$this->assignCSRFToken();
+			$this->setTemplate('forgot-password/forgotpw.tpl');
+		}
+	}
+
+	/**
+	 * Sends a reset email if the user is authenticated
+	 *
+	 * @param User|boolean $user  The user located from the database, or false. Doesn't really matter, since we do the
+	 *                            check anyway within this method and silently skip if we don't have a user.
+	 * @param string       $email The provided email address
+	 */
+	private function sendResetMail($user, $email)
+	{
+		// If the user isn't found, or the email address is wrong, skip sending the details silently.
+		if (!$user instanceof User) {
+			return;
+		}
+
+		if (strtolower($user->getEmail()) === strtolower($email)) {
+			$clientIp = $this->getXffTrustProvider()
+				->getTrustedClientIp(WebRequest::remoteAddress(), WebRequest::forwardedAddress());
+
+			$this->cleanExistingTokens($user);
+
+			$hash = Base32::encodeUpper(openssl_random_pseudo_bytes(30));
+
+			$encryptionHelper = new EncryptionHelper($this->getSiteConfiguration());
+
+			$cred = new Credential();
+			$cred->setDatabase($this->getDatabase());
+			$cred->setFactor(-1);
+			$cred->setUserId($user->getId());
+			$cred->setType('reset');
+			$cred->setData($encryptionHelper->encryptData($hash));
+			$cred->setVersion(0);
+			$cred->setDisabled(0);
+			$cred->setTimeout(new DateTimeImmutable('+ 1 hour'));
+			$cred->setPriority(9);
+			$cred->save();
+
+			$this->assign("user", $user);
+			$this->assign("hash", $hash);
+			$this->assign("remoteAddress", $clientIp);
+
+			$emailContent = $this->fetchTemplate('forgot-password/reset-mail.tpl');
+
+			$this->getEmailHelper()->sendMail($user->getEmail(), "WP:ACC password reset", $emailContent);
+		}
+	}
+
+	/**
+	 * Entry point for the reset action
+	 *
+	 * This is the reset password part of the form.
+	 * @category Security-Critical
+	 */
+	protected function reset()
+	{
+		$si = WebRequest::getString('si');
+		$id = WebRequest::getString('id');
+
+		if ($si === null || trim($si) === "" || $id === null || trim($id) === "") {
+			throw new ApplicationLogicException("Link not valid, please ensure it has copied correctly");
+		}
+
+		$database = $this->getDatabase();
+		$user = $this->getResettingUser($id, $database, $si);
+
+		// Dual mode
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
+			try {
+				$this->doReset($user);
+				$this->cleanExistingTokens($user);
+			}
+			catch (ApplicationLogicException $ex) {
+				SessionAlert::error($ex->getMessage());
+				$this->redirect('forgotPassword', 'reset', array('si' => $si, 'id' => $id));
+
+				return;
+			}
+		}
+		else {
+			$this->assignCSRFToken();
+			$this->assign('user', $user);
+			$this->setTemplate('forgot-password/forgotpwreset.tpl');
+			$this->addJs("/vendor/dropbox/zxcvbn/dist/zxcvbn.js");
+		}
+	}
+
+	/**
+	 * Gets the user resetting their password from the database, or throwing an exception if that is not possible.
+	 *
+	 * @param integer     $id       The ID of the user to retrieve
+	 * @param PdoDatabase $database The database object to use
+	 * @param string      $si       The reset hash provided
+	 *
+	 * @return User
+	 * @throws ApplicationLogicException
+	 */
+	private function getResettingUser($id, $database, $si)
+	{
+		$user = User::getById($id, $database);
+
+		if ($user === false ||  $user->isCommunityUser()) {
+			throw new ApplicationLogicException("Password reset failed. Please try again.");
+		}
+
+		$statement = $database->prepare("SELECT * FROM credential WHERE type = 'reset' AND user = :user;");
+		$statement->execute([':user' => $user->getId()]);
+
+		/** @var Credential $credential */
+		$credential = $statement->fetchObject(Credential::class);
+
+		$statement->closeCursor();
+
+		if ($credential === false) {
+			throw new ApplicationLogicException("Password reset failed. Please try again.");
+		}
+
+		$credential->setDatabase($database);
+
+		$encryptionHelper = new EncryptionHelper($this->getSiteConfiguration());
+		if ($encryptionHelper->decryptData($credential->getData()) != $si) {
+			throw new ApplicationLogicException("Password reset failed. Please try again.");
+		}
+
+		if ($credential->getTimeout() < new DateTimeImmutable()) {
+			$credential->delete();
+			throw new ApplicationLogicException("Password reset token expired. Please try again.");
+		}
+
+		return $user;
+	}
+
+	/**
+	 * Performs the setting of the new password
+	 *
+	 * @param User $user The user to set the password for
+	 *
+	 * @throws ApplicationLogicException
+	 */
+	private function doReset(User $user)
+	{
+		$pw = WebRequest::postString('pw');
+		$pw2 = WebRequest::postString('pw2');
+
+		if ($pw !== $pw2) {
+			throw new ApplicationLogicException('Passwords do not match!');
+		}
+
+		$passwordCredentialProvider = new PasswordCredentialProvider($user->getDatabase(), $this->getSiteConfiguration());
+		$passwordCredentialProvider->setCredential($user, 1, $pw);
+
+		SessionAlert::success('You may now log in!');
+		$this->redirect('login');
+	}
+
+	protected function isProtectedPage()
+	{
+		return false;
+	}
+
+	/**
+	 * @param $user
+	 */
+	private function cleanExistingTokens($user): void
+	{
+		// clean out existing reset tokens
+		$statement = $this->getDatabase()->prepare("SELECT * FROM credential WHERE type = 'reset' AND user = :user;");
+		$statement->execute([':user' => $user->getId()]);
+		$existing = $statement->fetchAll(PdoDatabase::FETCH_CLASS, Credential::class);
+
+		foreach ($existing as $c) {
+			$c->setDatabase($this->getDatabase());
+			$c->delete();
+		}
+	}
 }

Spacing +1 added lines, -1 removed lines

@@ -153,7 +153,7 @@
     {
         $user = User::getById($id, $database);
 
-        if ($user === false ||  $user->isCommunityUser()) {
+        if ($user === false || $user->isCommunityUser()) {
             throw new ApplicationLogicException("Password reset failed. Please try again.");
         }
 

Braces +2 added lines, -4 removed lines

@@ -46,8 +46,7 @@ 
             SessionAlert::success('<strong>Your password reset request has been completed.</strong> If the details you have provided match our records, you should receive an email shortly.');
 
             $this->redirect('login');
-        }
-        else {
+        } else {
             $this->assignCSRFToken();
             $this->setTemplate('forgot-password/forgotpw.tpl');
         }
@@ -130,8 +129,7 @@ 
 
                 return;
             }
-        }
-        else {
+        } else {
             $this->assignCSRFToken();
             $this->assign('user', $user);
             $this->setTemplate('forgot-password/forgotpwreset.tpl');

includes/Pages/UserAuth/PagePreferences.php

Indentation +90 added lines, -90 removed lines

@@ -16,94 +16,94 @@
 
 class PagePreferences extends InternalPageBase
 {
-    /**
-     * Main function for this page, when no specific actions are called.
-     * @return void
-     */
-    protected function main()
-    {
-        $this->setHtmlTitle('Preferences');
-
-        $enforceOAuth = $this->getSiteConfiguration()->getEnforceOAuth();
-        $database = $this->getDatabase();
-        $user = User::getCurrent($database);
-
-        // Dual mode
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-            $user->setWelcomeSig(WebRequest::postString('sig'));
-            $user->setEmailSig(WebRequest::postString('emailsig'));
-            $user->setAbortPref(WebRequest::postBoolean('abortpref') ? 1 : 0);
-            $this->setCreationMode($user);
-            $user->setSkin(WebRequest::postBoolean('skintype') ? 'alt' : 'main');
-
-            $email = WebRequest::postEmail('email');
-            if ($email !== null) {
-                $user->setEmail($email);
-            }
-
-            $user->save();
-            SessionAlert::success("Preferences updated!");
-
-            $this->redirect('');
-        }
-        else {
-            $this->assignCSRFToken();
-            $this->setTemplate('preferences/prefs.tpl');
-            $this->assign("enforceOAuth", $enforceOAuth);
-
-            $this->assign('canManualCreate',
-                $this->barrierTest(User::CREATION_MANUAL, $user, 'RequestCreation'));
-            $this->assign('canOauthCreate',
-                $this->barrierTest(User::CREATION_OAUTH, $user, 'RequestCreation'));
-            $this->assign('canBotCreate',
-                $this->barrierTest(User::CREATION_BOT, $user, 'RequestCreation'));
-
-            $oauth = new OAuthUserHelper($user, $database, $this->getOAuthProtocolHelper(),
-                $this->getSiteConfiguration());
-            $this->assign('oauth', $oauth);
-
-            $identity = null;
-            if ($oauth->isFullyLinked()) {
-                $identity = $oauth->getIdentity();
-            }
-
-            $this->assign('identity', $identity);
-            $this->assign('graceTime', $this->getSiteConfiguration()->getOauthIdentityGraceTime());
-        }
-    }
-
-    protected function refreshOAuth()
-    {
-        if (!WebRequest::wasPosted()) {
-            $this->redirect('preferences');
-
-            return;
-        }
-
-        $database = $this->getDatabase();
-        $oauth = new OAuthUserHelper(User::getCurrent($database), $database, $this->getOAuthProtocolHelper(),
-            $this->getSiteConfiguration());
-        if ($oauth->isFullyLinked()) {
-            $oauth->refreshIdentity();
-        }
-
-        $this->redirect('preferences');
-
-        return;
-    }
-
-    /**
-     * @param User $user
-     */
-    protected function setCreationMode(User $user)
-    {
-        // if the user is selecting a creation mode that they are not allowed, do nothing.
-        // this has the side effect of allowing them to keep a selected mode that either has been changed for them,
-        // or that they have kept from when they previously had certain access.
-        $creationMode = WebRequest::postInt('creationmode');
-        if ($this->barrierTest($creationMode, $user, 'RequestCreation')) {
-            $user->setCreationMode($creationMode);
-        }
-    }
+	/**
+	 * Main function for this page, when no specific actions are called.
+	 * @return void
+	 */
+	protected function main()
+	{
+		$this->setHtmlTitle('Preferences');
+
+		$enforceOAuth = $this->getSiteConfiguration()->getEnforceOAuth();
+		$database = $this->getDatabase();
+		$user = User::getCurrent($database);
+
+		// Dual mode
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
+			$user->setWelcomeSig(WebRequest::postString('sig'));
+			$user->setEmailSig(WebRequest::postString('emailsig'));
+			$user->setAbortPref(WebRequest::postBoolean('abortpref') ? 1 : 0);
+			$this->setCreationMode($user);
+			$user->setSkin(WebRequest::postBoolean('skintype') ? 'alt' : 'main');
+
+			$email = WebRequest::postEmail('email');
+			if ($email !== null) {
+				$user->setEmail($email);
+			}
+
+			$user->save();
+			SessionAlert::success("Preferences updated!");
+
+			$this->redirect('');
+		}
+		else {
+			$this->assignCSRFToken();
+			$this->setTemplate('preferences/prefs.tpl');
+			$this->assign("enforceOAuth", $enforceOAuth);
+
+			$this->assign('canManualCreate',
+				$this->barrierTest(User::CREATION_MANUAL, $user, 'RequestCreation'));
+			$this->assign('canOauthCreate',
+				$this->barrierTest(User::CREATION_OAUTH, $user, 'RequestCreation'));
+			$this->assign('canBotCreate',
+				$this->barrierTest(User::CREATION_BOT, $user, 'RequestCreation'));
+
+			$oauth = new OAuthUserHelper($user, $database, $this->getOAuthProtocolHelper(),
+				$this->getSiteConfiguration());
+			$this->assign('oauth', $oauth);
+
+			$identity = null;
+			if ($oauth->isFullyLinked()) {
+				$identity = $oauth->getIdentity();
+			}
+
+			$this->assign('identity', $identity);
+			$this->assign('graceTime', $this->getSiteConfiguration()->getOauthIdentityGraceTime());
+		}
+	}
+
+	protected function refreshOAuth()
+	{
+		if (!WebRequest::wasPosted()) {
+			$this->redirect('preferences');
+
+			return;
+		}
+
+		$database = $this->getDatabase();
+		$oauth = new OAuthUserHelper(User::getCurrent($database), $database, $this->getOAuthProtocolHelper(),
+			$this->getSiteConfiguration());
+		if ($oauth->isFullyLinked()) {
+			$oauth->refreshIdentity();
+		}
+
+		$this->redirect('preferences');
+
+		return;
+	}
+
+	/**
+	 * @param User $user
+	 */
+	protected function setCreationMode(User $user)
+	{
+		// if the user is selecting a creation mode that they are not allowed, do nothing.
+		// this has the side effect of allowing them to keep a selected mode that either has been changed for them,
+		// or that they have kept from when they previously had certain access.
+		$creationMode = WebRequest::postInt('creationmode');
+		if ($this->barrierTest($creationMode, $user, 'RequestCreation')) {
+			$user->setCreationMode($creationMode);
+		}
+	}
 }

Braces +1 added lines, -2 removed lines

@@ -46,8 +46,7 @@
             SessionAlert::success("Preferences updated!");
 
             $this->redirect('');
-        }
-        else {
+        } else {
             $this->assignCSRFToken();
             $this->setTemplate('preferences/prefs.tpl');
             $this->assign("enforceOAuth", $enforceOAuth);

includes/Pages/UserAuth/MultiFactor/PageMultiFactor.php

Indentation +389 added lines, -389 removed lines

@@ -25,247 +25,247 @@ 
 
 class PageMultiFactor extends InternalPageBase
 {
-    /**
-     * Main function for this page, when no specific actions are called.
-     * @return void
-     */
-    protected function main()
-    {
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
-
-        $yubikeyOtpCredentialProvider = new YubikeyOtpCredentialProvider($database, $this->getSiteConfiguration(),
-            $this->getHttpHelper());
-        $this->assign('yubikeyOtpIdentity', $yubikeyOtpCredentialProvider->getYubikeyData($currentUser->getId()));
-        $this->assign('yubikeyOtpEnrolled', $yubikeyOtpCredentialProvider->userIsEnrolled($currentUser->getId()));
-
-        $totpCredentialProvider = new TotpCredentialProvider($database, $this->getSiteConfiguration());
-        $this->assign('totpEnrolled', $totpCredentialProvider->userIsEnrolled($currentUser->getId()));
-
-        $u2fCredentialProvider = new U2FCredentialProvider($database, $this->getSiteConfiguration());
-        $this->assign('u2fEnrolled', $u2fCredentialProvider->userIsEnrolled($currentUser->getId()));
-
-        $scratchCredentialProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
-        $this->assign('scratchEnrolled', $scratchCredentialProvider->userIsEnrolled($currentUser->getId()));
-        $this->assign('scratchRemaining', $scratchCredentialProvider->getRemaining($currentUser->getId()));
-
-        $this->assign('allowedTotp', $this->barrierTest('enableTotp', $currentUser));
-        $this->assign('allowedYubikey', $this->barrierTest('enableYubikeyOtp', $currentUser));
-        $this->assign('allowedU2f', $this->barrierTest('enableU2F', $currentUser));
-
-        $this->setTemplate('mfa/mfa.tpl');
-    }
-
-    protected function enableYubikeyOtp()
-    {
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
-
-        $otpCredentialProvider = new YubikeyOtpCredentialProvider($database,
-            $this->getSiteConfiguration(), $this->getHttpHelper());
-
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-
-            $passwordCredentialProvider = new PasswordCredentialProvider($database,
-                $this->getSiteConfiguration());
-
-            $password = WebRequest::postString('password');
-            $otp = WebRequest::postString('otp');
-
-            $result = $passwordCredentialProvider->authenticate($currentUser, $password);
-
-            if ($result) {
-                try {
-                    $otpCredentialProvider->setCredential($currentUser, 2, $otp);
-                    SessionAlert::success('Enabled YubiKey OTP.');
-
-                    $scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
-                    if($scratchProvider->getRemaining($currentUser->getId()) < 3) {
-                        $scratchProvider->setCredential($currentUser, 2, null);
-                        $tokens = $scratchProvider->getTokens();
-                        $this->assign('tokens', $tokens);
-                        $this->setTemplate('mfa/regenScratchTokens.tpl');
-                        return;
-                    }
-                }
-                catch (ApplicationLogicException $ex) {
-                    SessionAlert::error('Error enabling YubiKey OTP: ' . $ex->getMessage());
-                }
-
-                $this->redirect('multiFactor');
-            }
-            else {
-                SessionAlert::error('Error enabling YubiKey OTP - invalid credentials.');
-                $this->redirect('multiFactor');
-            }
-        }
-        else {
-            if ($otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
-                // user is not enrolled, we shouldn't have got here.
-                throw new ApplicationLogicException('User is already enrolled in the selected MFA mechanism');
-            }
-
-            $this->assignCSRFToken();
-            $this->setTemplate('mfa/enableYubikey.tpl');
-        }
-    }
-
-    protected function disableYubikeyOtp()
-    {
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
-
-        $otpCredentialProvider = new YubikeyOtpCredentialProvider($database,
-            $this->getSiteConfiguration(), $this->getHttpHelper());
-
-        $factorType = 'YubiKey OTP';
-
-        $this->deleteCredential($database, $currentUser, $otpCredentialProvider, $factorType);
-    }
-
-    protected function enableTotp()
-    {
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
-
-        $otpCredentialProvider = new TotpCredentialProvider($database, $this->getSiteConfiguration());
-
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-
-            // used for routing only, not security
-            $stage = WebRequest::postString('stage');
-
-            if ($stage === "auth") {
-                $password = WebRequest::postString('password');
-
-                $passwordCredentialProvider = new PasswordCredentialProvider($database,
-                    $this->getSiteConfiguration());
-                $result = $passwordCredentialProvider->authenticate($currentUser, $password);
-
-                if ($result) {
-                    $otpCredentialProvider->setCredential($currentUser, 2, null);
-
-                    $provisioningUrl = $otpCredentialProvider->getProvisioningUrl($currentUser);
-
-                    $renderer = new Svg();
-                    $renderer->setHeight(256);
-                    $renderer->setWidth(256);
-                    $writer = new Writer($renderer);
-                    $svg = $writer->writeString($provisioningUrl);
-
-                    $this->assign('svg', $svg);
-                    $this->assign('secret', $otpCredentialProvider->getSecret($currentUser));
-
-                    $this->assignCSRFToken();
-                    $this->setTemplate('mfa/enableTotpEnroll.tpl');
-
-                    return;
-                }
-                else {
-                    SessionAlert::error('Error enabling TOTP - invalid credentials.');
-                    $this->redirect('multiFactor');
-
-                    return;
-                }
-            }
-
-            if ($stage === "enroll") {
-                // we *must* have a defined credential already here,
-                if ($otpCredentialProvider->isPartiallyEnrolled($currentUser)) {
-                    $otp = WebRequest::postString('otp');
-                    $result = $otpCredentialProvider->verifyEnable($currentUser, $otp);
-
-                    if ($result) {
-                        SessionAlert::success('Enabled TOTP.');
-
-                        $scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
-                        if($scratchProvider->getRemaining($currentUser->getId()) < 3) {
-                            $scratchProvider->setCredential($currentUser, 2, null);
-                            $tokens = $scratchProvider->getTokens();
-                            $this->assign('tokens', $tokens);
-                            $this->setTemplate('mfa/regenScratchTokens.tpl');
-                            return;
-                        }
-                    }
-                    else {
-                        $otpCredentialProvider->deleteCredential($currentUser);
-                        SessionAlert::error('Error enabling TOTP: invalid token provided');
-                    }
-
-
-                    $this->redirect('multiFactor');
-                    return;
-                }
-                else {
-                    SessionAlert::error('Error enabling TOTP - no enrollment found or enrollment expired.');
-                    $this->redirect('multiFactor');
+	/**
+	 * Main function for this page, when no specific actions are called.
+	 * @return void
+	 */
+	protected function main()
+	{
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
+
+		$yubikeyOtpCredentialProvider = new YubikeyOtpCredentialProvider($database, $this->getSiteConfiguration(),
+			$this->getHttpHelper());
+		$this->assign('yubikeyOtpIdentity', $yubikeyOtpCredentialProvider->getYubikeyData($currentUser->getId()));
+		$this->assign('yubikeyOtpEnrolled', $yubikeyOtpCredentialProvider->userIsEnrolled($currentUser->getId()));
+
+		$totpCredentialProvider = new TotpCredentialProvider($database, $this->getSiteConfiguration());
+		$this->assign('totpEnrolled', $totpCredentialProvider->userIsEnrolled($currentUser->getId()));
+
+		$u2fCredentialProvider = new U2FCredentialProvider($database, $this->getSiteConfiguration());
+		$this->assign('u2fEnrolled', $u2fCredentialProvider->userIsEnrolled($currentUser->getId()));
+
+		$scratchCredentialProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
+		$this->assign('scratchEnrolled', $scratchCredentialProvider->userIsEnrolled($currentUser->getId()));
+		$this->assign('scratchRemaining', $scratchCredentialProvider->getRemaining($currentUser->getId()));
+
+		$this->assign('allowedTotp', $this->barrierTest('enableTotp', $currentUser));
+		$this->assign('allowedYubikey', $this->barrierTest('enableYubikeyOtp', $currentUser));
+		$this->assign('allowedU2f', $this->barrierTest('enableU2F', $currentUser));
+
+		$this->setTemplate('mfa/mfa.tpl');
+	}
 
-                    return;
-                }
-            }
+	protected function enableYubikeyOtp()
+	{
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
+
+		$otpCredentialProvider = new YubikeyOtpCredentialProvider($database,
+			$this->getSiteConfiguration(), $this->getHttpHelper());
+
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
+
+			$passwordCredentialProvider = new PasswordCredentialProvider($database,
+				$this->getSiteConfiguration());
+
+			$password = WebRequest::postString('password');
+			$otp = WebRequest::postString('otp');
+
+			$result = $passwordCredentialProvider->authenticate($currentUser, $password);
+
+			if ($result) {
+				try {
+					$otpCredentialProvider->setCredential($currentUser, 2, $otp);
+					SessionAlert::success('Enabled YubiKey OTP.');
+
+					$scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
+					if($scratchProvider->getRemaining($currentUser->getId()) < 3) {
+						$scratchProvider->setCredential($currentUser, 2, null);
+						$tokens = $scratchProvider->getTokens();
+						$this->assign('tokens', $tokens);
+						$this->setTemplate('mfa/regenScratchTokens.tpl');
+						return;
+					}
+				}
+				catch (ApplicationLogicException $ex) {
+					SessionAlert::error('Error enabling YubiKey OTP: ' . $ex->getMessage());
+				}
+
+				$this->redirect('multiFactor');
+			}
+			else {
+				SessionAlert::error('Error enabling YubiKey OTP - invalid credentials.');
+				$this->redirect('multiFactor');
+			}
+		}
+		else {
+			if ($otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
+				// user is not enrolled, we shouldn't have got here.
+				throw new ApplicationLogicException('User is already enrolled in the selected MFA mechanism');
+			}
+
+			$this->assignCSRFToken();
+			$this->setTemplate('mfa/enableYubikey.tpl');
+		}
+	}
 
-            // urgh, dunno what happened, but it's not something expected.
-            throw new ApplicationLogicException();
-        }
-        else {
-            if ($otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
-                // user is not enrolled, we shouldn't have got here.
-                throw new ApplicationLogicException('User is already enrolled in the selected MFA mechanism');
-            }
+	protected function disableYubikeyOtp()
+	{
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
 
-            $this->assignCSRFToken();
+		$otpCredentialProvider = new YubikeyOtpCredentialProvider($database,
+			$this->getSiteConfiguration(), $this->getHttpHelper());
 
-            $this->assign('alertmessage', 'To enable your multi-factor credentials, please prove you are who you say you are by providing the information below.');
-            $this->assign('alertheader', 'Provide credentials');
-            $this->assign('continueText', 'Verify password');
-            $this->setTemplate('mfa/enableAuth.tpl');
-        }
-    }
+		$factorType = 'YubiKey OTP';
 
-    protected function disableTotp()
-    {
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
+		$this->deleteCredential($database, $currentUser, $otpCredentialProvider, $factorType);
+	}
+
+	protected function enableTotp()
+	{
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
+
+		$otpCredentialProvider = new TotpCredentialProvider($database, $this->getSiteConfiguration());
+
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
+
+			// used for routing only, not security
+			$stage = WebRequest::postString('stage');
+
+			if ($stage === "auth") {
+				$password = WebRequest::postString('password');
+
+				$passwordCredentialProvider = new PasswordCredentialProvider($database,
+					$this->getSiteConfiguration());
+				$result = $passwordCredentialProvider->authenticate($currentUser, $password);
+
+				if ($result) {
+					$otpCredentialProvider->setCredential($currentUser, 2, null);
+
+					$provisioningUrl = $otpCredentialProvider->getProvisioningUrl($currentUser);
+
+					$renderer = new Svg();
+					$renderer->setHeight(256);
+					$renderer->setWidth(256);
+					$writer = new Writer($renderer);
+					$svg = $writer->writeString($provisioningUrl);
+
+					$this->assign('svg', $svg);
+					$this->assign('secret', $otpCredentialProvider->getSecret($currentUser));
+
+					$this->assignCSRFToken();
+					$this->setTemplate('mfa/enableTotpEnroll.tpl');
+
+					return;
+				}
+				else {
+					SessionAlert::error('Error enabling TOTP - invalid credentials.');
+					$this->redirect('multiFactor');
+
+					return;
+				}
+			}
+
+			if ($stage === "enroll") {
+				// we *must* have a defined credential already here,
+				if ($otpCredentialProvider->isPartiallyEnrolled($currentUser)) {
+					$otp = WebRequest::postString('otp');
+					$result = $otpCredentialProvider->verifyEnable($currentUser, $otp);
+
+					if ($result) {
+						SessionAlert::success('Enabled TOTP.');
+
+						$scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
+						if($scratchProvider->getRemaining($currentUser->getId()) < 3) {
+							$scratchProvider->setCredential($currentUser, 2, null);
+							$tokens = $scratchProvider->getTokens();
+							$this->assign('tokens', $tokens);
+							$this->setTemplate('mfa/regenScratchTokens.tpl');
+							return;
+						}
+					}
+					else {
+						$otpCredentialProvider->deleteCredential($currentUser);
+						SessionAlert::error('Error enabling TOTP: invalid token provided');
+					}
+
+
+					$this->redirect('multiFactor');
+					return;
+				}
+				else {
+					SessionAlert::error('Error enabling TOTP - no enrollment found or enrollment expired.');
+					$this->redirect('multiFactor');
+
+					return;
+				}
+			}
+
+			// urgh, dunno what happened, but it's not something expected.
+			throw new ApplicationLogicException();
+		}
+		else {
+			if ($otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
+				// user is not enrolled, we shouldn't have got here.
+				throw new ApplicationLogicException('User is already enrolled in the selected MFA mechanism');
+			}
+
+			$this->assignCSRFToken();
+
+			$this->assign('alertmessage', 'To enable your multi-factor credentials, please prove you are who you say you are by providing the information below.');
+			$this->assign('alertheader', 'Provide credentials');
+			$this->assign('continueText', 'Verify password');
+			$this->setTemplate('mfa/enableAuth.tpl');
+		}
+	}
 
-        $otpCredentialProvider = new TotpCredentialProvider($database, $this->getSiteConfiguration());
+	protected function disableTotp()
+	{
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
+
+		$otpCredentialProvider = new TotpCredentialProvider($database, $this->getSiteConfiguration());
+
+		$factorType = 'TOTP';
+
+		$this->deleteCredential($database, $currentUser, $otpCredentialProvider, $factorType);
+	}
 
-        $factorType = 'TOTP';
+	protected function enableU2F() {
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
 
-        $this->deleteCredential($database, $currentUser, $otpCredentialProvider, $factorType);
-    }
+		$otpCredentialProvider = new U2FCredentialProvider($database, $this->getSiteConfiguration());
 
-    protected function enableU2F() {
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
 
-        $otpCredentialProvider = new U2FCredentialProvider($database, $this->getSiteConfiguration());
-
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-
-            // used for routing only, not security
-            $stage = WebRequest::postString('stage');
-
-            if ($stage === "auth") {
-                $password = WebRequest::postString('password');
-
-                $passwordCredentialProvider = new PasswordCredentialProvider($database,
-                    $this->getSiteConfiguration());
-                $result = $passwordCredentialProvider->authenticate($currentUser, $password);
-
-                if ($result) {
-                    $otpCredentialProvider->setCredential($currentUser, 2, null);
-                    $this->assignCSRFToken();
-
-                    list($data, $reqs) = $otpCredentialProvider->getRegistrationData();
-
-                    $u2fRequest =json_encode($data);
-                    $u2fSigns = json_encode($reqs);
-
-                    $this->addJs('/vendor/yubico/u2flib-server/examples/assets/u2f-api.js');
-                    $this->setTailScript($this->getCspManager()->getNonce(), <<<JS
+			// used for routing only, not security
+			$stage = WebRequest::postString('stage');
+
+			if ($stage === "auth") {
+				$password = WebRequest::postString('password');
+
+				$passwordCredentialProvider = new PasswordCredentialProvider($database,
+					$this->getSiteConfiguration());
+				$result = $passwordCredentialProvider->authenticate($currentUser, $password);
+
+				if ($result) {
+					$otpCredentialProvider->setCredential($currentUser, 2, null);
+					$this->assignCSRFToken();
+
+					list($data, $reqs) = $otpCredentialProvider->getRegistrationData();
+
+					$u2fRequest =json_encode($data);
+					$u2fSigns = json_encode($reqs);
+
+					$this->addJs('/vendor/yubico/u2flib-server/examples/assets/u2f-api.js');
+					$this->setTailScript($this->getCspManager()->getNonce(), <<<JS
 var request = ${u2fRequest};
 var signs = ${u2fSigns};
 
@@ -284,162 +284,162 @@ 
 	form.submit();
 });
 JS
-                    );
-
-                    $this->setTemplate('mfa/enableU2FEnroll.tpl');
-
-                    return;
-                }
-                else {
-                    SessionAlert::error('Error enabling TOTP - invalid credentials.');
-                    $this->redirect('multiFactor');
-
-                    return;
-                }
-            }
-
-            if ($stage === "enroll") {
-                // we *must* have a defined credential already here,
-                if ($otpCredentialProvider->isPartiallyEnrolled($currentUser)) {
-
-                    $request = json_decode(WebRequest::postString('u2fRequest'));
-                    $u2fData = json_decode(WebRequest::postString('u2fData'));
-
-                    $otpCredentialProvider->enable($currentUser, $request, $u2fData);
-
-                    SessionAlert::success('Enabled U2F.');
-
-                    $scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
-                    if($scratchProvider->getRemaining($currentUser->getId()) < 3) {
-                        $scratchProvider->setCredential($currentUser, 2, null);
-                        $tokens = $scratchProvider->getTokens();
-                        $this->assign('tokens', $tokens);
-                        $this->setTemplate('mfa/regenScratchTokens.tpl');
-                        return;
-                    }
-
-                    $this->redirect('multiFactor');
-                    return;
-                }
-                else {
-                    SessionAlert::error('Error enabling TOTP - no enrollment found or enrollment expired.');
-                    $this->redirect('multiFactor');
-
-                    return;
-                }
-            }
-
-            // urgh, dunno what happened, but it's not something expected.
-            throw new ApplicationLogicException();
-        }
-        else {
-            if ($otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
-                // user is not enrolled, we shouldn't have got here.
-                throw new ApplicationLogicException('User is already enrolled in the selected MFA mechanism');
-            }
-
-            $this->assignCSRFToken();
-
-            $this->assign('alertmessage', 'To enable your multi-factor credentials, please prove you are who you say you are by providing the information below.');
-            $this->assign('alertheader', 'Provide credentials');
-            $this->assign('continueText', 'Verify password');
-            $this->setTemplate('mfa/enableAuth.tpl');
-        }
-    }
-
-    protected function disableU2F() {
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
-
-        $otpCredentialProvider = new U2FCredentialProvider($database, $this->getSiteConfiguration());
-
-        $factorType = 'U2F';
-
-        $this->deleteCredential($database, $currentUser, $otpCredentialProvider, $factorType);
-    }
-
-    protected function scratch()
-    {
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
-
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-
-            $passwordCredentialProvider = new PasswordCredentialProvider($database,
-                $this->getSiteConfiguration());
-
-            $otpCredentialProvider = new ScratchTokenCredentialProvider($database,
-                $this->getSiteConfiguration());
-
-            $password = WebRequest::postString('password');
-
-            $result = $passwordCredentialProvider->authenticate($currentUser, $password);
-
-            if ($result) {
-                $otpCredentialProvider->setCredential($currentUser, 2, null);
-                $tokens = $otpCredentialProvider->getTokens();
-                $this->assign('tokens', $tokens);
-                $this->setTemplate('mfa/regenScratchTokens.tpl');
-            }
-            else {
-                SessionAlert::error('Error refreshing scratch tokens - invalid credentials.');
-                $this->redirect('multiFactor');
-            }
-        }
-        else {
-            $this->assignCSRFToken();
-
-            $this->assign('alertmessage', 'To regenerate your emergency scratch tokens, please prove you are who you say you are by providing the information below. Note that continuing will invalidate all remaining scratch tokens, and provide a set of new ones.');
-            $this->assign('alertheader', 'Re-generate scratch tokens');
-            $this->assign('continueText', 'Regenerate Scratch Tokens');
-
-            $this->setTemplate('mfa/enableAuth.tpl');
-        }
-    }
-
-    /**
-     * @param PdoDatabase         $database
-     * @param User                $currentUser
-     * @param ICredentialProvider $otpCredentialProvider
-     * @param string              $factorType
-     *
-     * @throws ApplicationLogicException
-     */
-    private function deleteCredential(
-        PdoDatabase $database,
-        User $currentUser,
-        ICredentialProvider $otpCredentialProvider,
-        $factorType
-    ) {
-        if (WebRequest::wasPosted()) {
-            $passwordCredentialProvider = new PasswordCredentialProvider($database,
-                $this->getSiteConfiguration());
-
-            $this->validateCSRFToken();
-
-            $password = WebRequest::postString('password');
-            $result = $passwordCredentialProvider->authenticate($currentUser, $password);
-
-            if ($result) {
-                $otpCredentialProvider->deleteCredential($currentUser);
-                SessionAlert::success('Disabled ' . $factorType . '.');
-                $this->redirect('multiFactor');
-            }
-            else {
-                SessionAlert::error('Error disabling ' . $factorType . ' - invalid credentials.');
-                $this->redirect('multiFactor');
-            }
-        }
-        else {
-            if (!$otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
-                // user is not enrolled, we shouldn't have got here.
-                throw new ApplicationLogicException('User is not enrolled in the selected MFA mechanism');
-            }
-
-            $this->assignCSRFToken();
-            $this->assign('otpType', $factorType);
-            $this->setTemplate('mfa/disableOtp.tpl');
-        }
-    }
+					);
+
+					$this->setTemplate('mfa/enableU2FEnroll.tpl');
+
+					return;
+				}
+				else {
+					SessionAlert::error('Error enabling TOTP - invalid credentials.');
+					$this->redirect('multiFactor');
+
+					return;
+				}
+			}
+
+			if ($stage === "enroll") {
+				// we *must* have a defined credential already here,
+				if ($otpCredentialProvider->isPartiallyEnrolled($currentUser)) {
+
+					$request = json_decode(WebRequest::postString('u2fRequest'));
+					$u2fData = json_decode(WebRequest::postString('u2fData'));
+
+					$otpCredentialProvider->enable($currentUser, $request, $u2fData);
+
+					SessionAlert::success('Enabled U2F.');
+
+					$scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
+					if($scratchProvider->getRemaining($currentUser->getId()) < 3) {
+						$scratchProvider->setCredential($currentUser, 2, null);
+						$tokens = $scratchProvider->getTokens();
+						$this->assign('tokens', $tokens);
+						$this->setTemplate('mfa/regenScratchTokens.tpl');
+						return;
+					}
+
+					$this->redirect('multiFactor');
+					return;
+				}
+				else {
+					SessionAlert::error('Error enabling TOTP - no enrollment found or enrollment expired.');
+					$this->redirect('multiFactor');
+
+					return;
+				}
+			}
+
+			// urgh, dunno what happened, but it's not something expected.
+			throw new ApplicationLogicException();
+		}
+		else {
+			if ($otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
+				// user is not enrolled, we shouldn't have got here.
+				throw new ApplicationLogicException('User is already enrolled in the selected MFA mechanism');
+			}
+
+			$this->assignCSRFToken();
+
+			$this->assign('alertmessage', 'To enable your multi-factor credentials, please prove you are who you say you are by providing the information below.');
+			$this->assign('alertheader', 'Provide credentials');
+			$this->assign('continueText', 'Verify password');
+			$this->setTemplate('mfa/enableAuth.tpl');
+		}
+	}
+
+	protected function disableU2F() {
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
+
+		$otpCredentialProvider = new U2FCredentialProvider($database, $this->getSiteConfiguration());
+
+		$factorType = 'U2F';
+
+		$this->deleteCredential($database, $currentUser, $otpCredentialProvider, $factorType);
+	}
+
+	protected function scratch()
+	{
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
+
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
+
+			$passwordCredentialProvider = new PasswordCredentialProvider($database,
+				$this->getSiteConfiguration());
+
+			$otpCredentialProvider = new ScratchTokenCredentialProvider($database,
+				$this->getSiteConfiguration());
+
+			$password = WebRequest::postString('password');
+
+			$result = $passwordCredentialProvider->authenticate($currentUser, $password);
+
+			if ($result) {
+				$otpCredentialProvider->setCredential($currentUser, 2, null);
+				$tokens = $otpCredentialProvider->getTokens();
+				$this->assign('tokens', $tokens);
+				$this->setTemplate('mfa/regenScratchTokens.tpl');
+			}
+			else {
+				SessionAlert::error('Error refreshing scratch tokens - invalid credentials.');
+				$this->redirect('multiFactor');
+			}
+		}
+		else {
+			$this->assignCSRFToken();
+
+			$this->assign('alertmessage', 'To regenerate your emergency scratch tokens, please prove you are who you say you are by providing the information below. Note that continuing will invalidate all remaining scratch tokens, and provide a set of new ones.');
+			$this->assign('alertheader', 'Re-generate scratch tokens');
+			$this->assign('continueText', 'Regenerate Scratch Tokens');
+
+			$this->setTemplate('mfa/enableAuth.tpl');
+		}
+	}
+
+	/**
+	 * @param PdoDatabase         $database
+	 * @param User                $currentUser
+	 * @param ICredentialProvider $otpCredentialProvider
+	 * @param string              $factorType
+	 *
+	 * @throws ApplicationLogicException
+	 */
+	private function deleteCredential(
+		PdoDatabase $database,
+		User $currentUser,
+		ICredentialProvider $otpCredentialProvider,
+		$factorType
+	) {
+		if (WebRequest::wasPosted()) {
+			$passwordCredentialProvider = new PasswordCredentialProvider($database,
+				$this->getSiteConfiguration());
+
+			$this->validateCSRFToken();
+
+			$password = WebRequest::postString('password');
+			$result = $passwordCredentialProvider->authenticate($currentUser, $password);
+
+			if ($result) {
+				$otpCredentialProvider->deleteCredential($currentUser);
+				SessionAlert::success('Disabled ' . $factorType . '.');
+				$this->redirect('multiFactor');
+			}
+			else {
+				SessionAlert::error('Error disabling ' . $factorType . ' - invalid credentials.');
+				$this->redirect('multiFactor');
+			}
+		}
+		else {
+			if (!$otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
+				// user is not enrolled, we shouldn't have got here.
+				throw new ApplicationLogicException('User is not enrolled in the selected MFA mechanism');
+			}
+
+			$this->assignCSRFToken();
+			$this->assign('otpType', $factorType);
+			$this->setTemplate('mfa/disableOtp.tpl');
+		}
+	}
 }

Spacing +4 added lines, -4 removed lines

@@ -81,7 +81,7 @@ 
                     SessionAlert::success('Enabled YubiKey OTP.');
 
                     $scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
-                    if($scratchProvider->getRemaining($currentUser->getId()) < 3) {
+                    if ($scratchProvider->getRemaining($currentUser->getId()) < 3) {
                         $scratchProvider->setCredential($currentUser, 2, null);
                         $tokens = $scratchProvider->getTokens();
                         $this->assign('tokens', $tokens);
@@ -181,7 +181,7 @@ 
                         SessionAlert::success('Enabled TOTP.');
 
                         $scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
-                        if($scratchProvider->getRemaining($currentUser->getId()) < 3) {
+                        if ($scratchProvider->getRemaining($currentUser->getId()) < 3) {
                             $scratchProvider->setCredential($currentUser, 2, null);
                             $tokens = $scratchProvider->getTokens();
                             $this->assign('tokens', $tokens);
@@ -261,7 +261,7 @@ 
 
                     list($data, $reqs) = $otpCredentialProvider->getRegistrationData();
 
-                    $u2fRequest =json_encode($data);
+                    $u2fRequest = json_encode($data);
                     $u2fSigns = json_encode($reqs);
 
                     $this->addJs('/vendor/yubico/u2flib-server/examples/assets/u2f-api.js');
@@ -310,7 +310,7 @@ 
                     SessionAlert::success('Enabled U2F.');
 
                     $scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
-                    if($scratchProvider->getRemaining($currentUser->getId()) < 3) {
+                    if ($scratchProvider->getRemaining($currentUser->getId()) < 3) {
                         $scratchProvider->setCredential($currentUser, 2, null);
                         $tokens = $scratchProvider->getTokens();
                         $this->assign('tokens', $tokens);

Braces +17 added lines, -28 removed lines

@@ -94,13 +94,11 @@ 
                 }
 
                 $this->redirect('multiFactor');
-            }
-            else {
+            } else {
                 SessionAlert::error('Error enabling YubiKey OTP - invalid credentials.');
                 $this->redirect('multiFactor');
             }
-        }
-        else {
+        } else {
             if ($otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
                 // user is not enrolled, we shouldn't have got here.
                 throw new ApplicationLogicException('User is already enrolled in the selected MFA mechanism');
@@ -162,8 +160,7 @@ 
                     $this->setTemplate('mfa/enableTotpEnroll.tpl');
 
                     return;
-                }
-                else {
+                } else {
                     SessionAlert::error('Error enabling TOTP - invalid credentials.');
                     $this->redirect('multiFactor');
 
@@ -188,8 +185,7 @@ 
                             $this->setTemplate('mfa/regenScratchTokens.tpl');
                             return;
                         }
-                    }
-                    else {
+                    } else {
                         $otpCredentialProvider->deleteCredential($currentUser);
                         SessionAlert::error('Error enabling TOTP: invalid token provided');
                     }
@@ -197,8 +193,7 @@ 
 
                     $this->redirect('multiFactor');
                     return;
-                }
-                else {
+                } else {
                     SessionAlert::error('Error enabling TOTP - no enrollment found or enrollment expired.');
                     $this->redirect('multiFactor');
 
@@ -208,8 +203,7 @@ 
 
             // urgh, dunno what happened, but it's not something expected.
             throw new ApplicationLogicException();
-        }
-        else {
+        } else {
             if ($otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
                 // user is not enrolled, we shouldn't have got here.
                 throw new ApplicationLogicException('User is already enrolled in the selected MFA mechanism');
@@ -236,7 +230,8 @@ 
         $this->deleteCredential($database, $currentUser, $otpCredentialProvider, $factorType);
     }
 
-    protected function enableU2F() {
+    protected function enableU2F()
+    {
         $database = $this->getDatabase();
         $currentUser = User::getCurrent($database);
 
@@ -289,8 +284,7 @@ 
                     $this->setTemplate('mfa/enableU2FEnroll.tpl');
 
                     return;
-                }
-                else {
+                } else {
                     SessionAlert::error('Error enabling TOTP - invalid credentials.');
                     $this->redirect('multiFactor');
 
@@ -320,8 +314,7 @@ 
 
                     $this->redirect('multiFactor');
                     return;
-                }
-                else {
+                } else {
                     SessionAlert::error('Error enabling TOTP - no enrollment found or enrollment expired.');
                     $this->redirect('multiFactor');
 
@@ -331,8 +324,7 @@ 
 
             // urgh, dunno what happened, but it's not something expected.
             throw new ApplicationLogicException();
-        }
-        else {
+        } else {
             if ($otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
                 // user is not enrolled, we shouldn't have got here.
                 throw new ApplicationLogicException('User is already enrolled in the selected MFA mechanism');
@@ -347,7 +339,8 @@ 
         }
     }
 
-    protected function disableU2F() {
+    protected function disableU2F()
+    {
         $database = $this->getDatabase();
         $currentUser = User::getCurrent($database);
 
@@ -381,13 +374,11 @@ 
                 $tokens = $otpCredentialProvider->getTokens();
                 $this->assign('tokens', $tokens);
                 $this->setTemplate('mfa/regenScratchTokens.tpl');
-            }
-            else {
+            } else {
                 SessionAlert::error('Error refreshing scratch tokens - invalid credentials.');
                 $this->redirect('multiFactor');
             }
-        }
-        else {
+        } else {
             $this->assignCSRFToken();
 
             $this->assign('alertmessage', 'To regenerate your emergency scratch tokens, please prove you are who you say you are by providing the information below. Note that continuing will invalidate all remaining scratch tokens, and provide a set of new ones.');
@@ -425,13 +416,11 @@ 
                 $otpCredentialProvider->deleteCredential($currentUser);
                 SessionAlert::success('Disabled ' . $factorType . '.');
                 $this->redirect('multiFactor');
-            }
-            else {
+            } else {
                 SessionAlert::error('Error disabling ' . $factorType . ' - invalid credentials.');
                 $this->redirect('multiFactor');
             }
-        }
-        else {
+        } else {
             if (!$otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
                 // user is not enrolled, we shouldn't have got here.
                 throw new ApplicationLogicException('User is not enrolled in the selected MFA mechanism');

includes/Pages/UserAuth/PageOAuth.php

Indentation +77 added lines, -77 removed lines

@@ -22,81 +22,81 @@
 
 class PageOAuth extends InternalPageBase
 {
-    /**
-     * Attach entry point
-     *
-     * must be posted, or will redirect to preferences
-     */
-    protected function attach()
-    {
-        if (!WebRequest::wasPosted()) {
-            $this->redirect('preferences');
-
-            return;
-        }
-
-        $database = $this->getDatabase();
-
-        $this->validateCSRFToken();
-
-        $oauthProtocolHelper = $this->getOAuthProtocolHelper();
-        $user = User::getCurrent($database);
-        $oauth = new OAuthUserHelper($user, $database, $oauthProtocolHelper, $this->getSiteConfiguration());
-
-        try {
-            $authoriseUrl = $oauth->getRequestToken();
-            $this->redirectUrl($authoriseUrl);
-        }
-        catch (CurlException $ex) {
-            throw new ApplicationLogicException($ex->getMessage(), 0, $ex);
-        }
-    }
-
-    /**
-     * Detach account entry point
-     * @throws Exception
-     */
-    protected function detach()
-    {
-        if ($this->getSiteConfiguration()->getEnforceOAuth()) {
-            throw new AccessDeniedException($this->getSecurityManager());
-        }
-
-        $database = $this->getDatabase();
-        $user = User::getCurrent($database);
-        $oauth = new OAuthUserHelper($user, $database, $this->getOAuthProtocolHelper(), $this->getSiteConfiguration());
-
-        try {
-            $oauth->refreshIdentity();
-        }
-        catch (CurlException $ex) {
-            // do nothing. The user's already revoked this access anyway.
-        }
-        catch (OAuthException $ex) {
-            // do nothing. The user's already revoked this access anyway.
-        }
-        catch (OptimisticLockFailedException $e) {
-            // do nothing. The user's already revoked this access anyway.
-        }
-
-        $oauth->detach();
-
-        // TODO: figure out why we need to force logout after a detach.
-        $user->setForcelogout(true);
-        $user->save();
-
-        // force the user to log out
-        Session::destroy();
-
-        $this->redirect('login');
-    }
-
-    /**
-     * Main function for this page, when no specific actions are called.
-     * @return void
-     */
-    protected function main()
-    {
-        $this->redirect('preferences');
-    }
+	/**
+	 * Attach entry point
+	 *
+	 * must be posted, or will redirect to preferences
+	 */
+	protected function attach()
+	{
+		if (!WebRequest::wasPosted()) {
+			$this->redirect('preferences');
+
+			return;
+		}
+
+		$database = $this->getDatabase();
+
+		$this->validateCSRFToken();
+
+		$oauthProtocolHelper = $this->getOAuthProtocolHelper();
+		$user = User::getCurrent($database);
+		$oauth = new OAuthUserHelper($user, $database, $oauthProtocolHelper, $this->getSiteConfiguration());
+
+		try {
+			$authoriseUrl = $oauth->getRequestToken();
+			$this->redirectUrl($authoriseUrl);
+		}
+		catch (CurlException $ex) {
+			throw new ApplicationLogicException($ex->getMessage(), 0, $ex);
+		}
+	}
+
+	/**
+	 * Detach account entry point
+	 * @throws Exception
+	 */
+	protected function detach()
+	{
+		if ($this->getSiteConfiguration()->getEnforceOAuth()) {
+			throw new AccessDeniedException($this->getSecurityManager());
+		}
+
+		$database = $this->getDatabase();
+		$user = User::getCurrent($database);
+		$oauth = new OAuthUserHelper($user, $database, $this->getOAuthProtocolHelper(), $this->getSiteConfiguration());
+
+		try {
+			$oauth->refreshIdentity();
+		}
+		catch (CurlException $ex) {
+			// do nothing. The user's already revoked this access anyway.
+		}
+		catch (OAuthException $ex) {
+			// do nothing. The user's already revoked this access anyway.
+		}
+		catch (OptimisticLockFailedException $e) {
+			// do nothing. The user's already revoked this access anyway.
+		}
+
+		$oauth->detach();
+
+		// TODO: figure out why we need to force logout after a detach.
+		$user->setForcelogout(true);
+		$user->save();
+
+		// force the user to log out
+		Session::destroy();
+
+		$this->redirect('login');
+	}
+
+	/**
+	 * Main function for this page, when no specific actions are called.
+	 * @return void
+	 */
+	protected function main()
+	{
+		$this->redirect('preferences');
+	}
 }