mdaniels5757 / waca

includes/ConsoleTasks/RefreshOAuthDataTask.php

Indentation +46 added lines, -46 removed lines

@@ -18,60 +18,60 @@
 
 class RefreshOAuthDataTask extends ConsoleTaskBase
 {
-    public function execute()
-    {
-        $database = $this->getDatabase();
+	public function execute()
+	{
+		$database = $this->getDatabase();
 
-        $idList = $database
-            ->query('SELECT user FROM oauthtoken WHERE type = \'access\' AND expiry IS NULL')
-            ->fetchAll(PDO::FETCH_COLUMN);
+		$idList = $database
+			->query('SELECT user FROM oauthtoken WHERE type = \'access\' AND expiry IS NULL')
+			->fetchAll(PDO::FETCH_COLUMN);
 
-        if (count($idList) > 0) {
-            /** @var User[] $users */
-            $users = UserSearchHelper::get($database)->inIds($idList)->fetch();
+		if (count($idList) > 0) {
+			/** @var User[] $users */
+			$users = UserSearchHelper::get($database)->inIds($idList)->fetch();
 
-            $expiredStatement = $database
-                ->prepare('UPDATE oauthtoken SET expiry = CURRENT_TIMESTAMP() WHERE user = :u AND type = \'access\'');
+			$expiredStatement = $database
+				->prepare('UPDATE oauthtoken SET expiry = CURRENT_TIMESTAMP() WHERE user = :u AND type = \'access\'');
 
-            foreach ($users as $u) {
-                try {
-                    $database->beginTransaction();
+			foreach ($users as $u) {
+				try {
+					$database->beginTransaction();
 
-                    $oauth = new OAuthUserHelper($u, $database, $this->getOAuthProtocolHelper(),
-                        $this->getSiteConfiguration());
+					$oauth = new OAuthUserHelper($u, $database, $this->getOAuthProtocolHelper(),
+						$this->getSiteConfiguration());
 
-                    if ($oauth->getIdentity(true)->getAudience() !== $this->getSiteConfiguration()
-                            ->getOAuthConsumerToken()) {
-                        // not the current consumer token. Approval from the user is *required* for this.
-                        printf("\n\nBoldly refusing to update OAuth data for user with legacy consumer: %s\n", $u->getUsername());
-                        continue;
-                    }
+					if ($oauth->getIdentity(true)->getAudience() !== $this->getSiteConfiguration()
+							->getOAuthConsumerToken()) {
+						// not the current consumer token. Approval from the user is *required* for this.
+						printf("\n\nBoldly refusing to update OAuth data for user with legacy consumer: %s\n", $u->getUsername());
+						continue;
+					}
 
-                    try {
-                        $oauth->refreshIdentity();
-                    }
-                    catch (OAuthException $ex) {
-                        $expiredStatement->execute(array(':u' => $u->getId()));
-                    }
+					try {
+						$oauth->refreshIdentity();
+					}
+					catch (OAuthException $ex) {
+						$expiredStatement->execute(array(':u' => $u->getId()));
+					}
 
-                    $database->commit();
-                }
-                catch (Exception $ex) {
-                    $database->rollBack();
+					$database->commit();
+				}
+				catch (Exception $ex) {
+					$database->rollBack();
 
-                    printf("\n\nFailed updating OAuth data for %s\n", $u->getUsername());
-                    printf($ex->getMessage());
-                }
-                finally {
-                    if ($database->hasActiveTransaction()) {
-                        $database->rollBack();
-                    }
-                }
-            }
-        }
+					printf("\n\nFailed updating OAuth data for %s\n", $u->getUsername());
+					printf($ex->getMessage());
+				}
+				finally {
+					if ($database->hasActiveTransaction()) {
+						$database->rollBack();
+					}
+				}
+			}
+		}
 
-        $database->beginTransaction();
-        $database->exec('DELETE FROM oauthtoken WHERE expiry IS NOT NULL AND expiry < NOW() AND type = \'request\'');
-        $database->commit();
-    }
+		$database->beginTransaction();
+		$database->exec('DELETE FROM oauthtoken WHERE expiry IS NOT NULL AND expiry < NOW() AND type = \'request\'');
+		$database->commit();
+	}
 }
\ No newline at end of file

includes/ConsoleTasks/ClearOldDataTask.php

Indentation +25 added lines, -25 removed lines

@@ -13,50 +13,50 @@
 
 class ClearOldDataTask extends ConsoleTaskBase
 {
-    public function execute()
-    {
-        $dataClearInterval = $this->getSiteConfiguration()->getDataClearInterval();
-        $database = $this->getDatabase();
+	public function execute()
+	{
+		$dataClearInterval = $this->getSiteConfiguration()->getDataClearInterval();
+		$database = $this->getDatabase();
 
-        $query = $database->prepare(<<<SQL
+		$query = $database->prepare(<<<SQL
 UPDATE request
 SET ip = :ip, forwardedip = null, email = :mail, useragent = ''
 WHERE date < DATE_SUB(curdate(), INTERVAL {$dataClearInterval})
 AND status = 'Closed';
 SQL
-        );
+		);
 
-        $success = $query->execute(array(
-            ":ip"   => $this->getSiteConfiguration()->getDataClearIp(),
-            ":mail" => $this->getSiteConfiguration()->getDataClearEmail(),
-        ));
+		$success = $query->execute(array(
+			":ip"   => $this->getSiteConfiguration()->getDataClearIp(),
+			":mail" => $this->getSiteConfiguration()->getDataClearEmail(),
+		));
 
-        if (!$success) {
-            throw new Exception("Error in transaction 1: Could not clear data.");
-        }
+		if (!$success) {
+			throw new Exception("Error in transaction 1: Could not clear data.");
+		}
 
-        $dataQuery = $database->prepare(<<<SQL
+		$dataQuery = $database->prepare(<<<SQL
 DELETE rd
 FROM requestdata rd
 INNER JOIN request r ON r.id = rd.request
 WHERE r.date < DATE_SUB(curdate(), INTERVAL {$dataClearInterval})
   AND r.status = 'Closed';
 SQL
-        );
+		);
 
-        $success = $dataQuery->execute();
+		$success = $dataQuery->execute();
 
-        if (!$success) {
-            throw new Exception("Error in transaction 2: Could not clear data.");
-        }
+		if (!$success) {
+			throw new Exception("Error in transaction 2: Could not clear data.");
+		}
 
-        // FIXME: domains!
-        $flaggedCommentsQuery = $database->query(<<<SQL
+		// FIXME: domains!
+		$flaggedCommentsQuery = $database->query(<<<SQL
 SELECT COUNT(1) FROM comment c INNER JOIN request r ON c.request = r.id WHERE c.flagged = 1 AND r.status = 'Closed'
 SQL
-        );
+		);
 
-        $flaggedCommentsCount = $flaggedCommentsQuery->fetchColumn();
-        $this->getNotificationHelper()->alertFlaggedComments($flaggedCommentsCount);
-    }
+		$flaggedCommentsCount = $flaggedCommentsQuery->fetchColumn();
+		$this->getNotificationHelper()->alertFlaggedComments($flaggedCommentsCount);
+	}
 }
\ No newline at end of file

includes/ConsoleTasks/ClearOAuthDataTask.php

Indentation +13 added lines, -13 removed lines

@@ -15,20 +15,20 @@
 
 class ClearOAuthDataTask extends ConsoleTaskBase
 {
-    public function execute()
-    {
-        $database = $this->getDatabase();
+	public function execute()
+	{
+		$database = $this->getDatabase();
 
-        $users = UserSearchHelper::get($database)->inIds(
-            $database->query('SELECT user FROM oauthtoken WHERE type = \'access\'')->fetchAll(PDO::FETCH_COLUMN)
-        );
+		$users = UserSearchHelper::get($database)->inIds(
+			$database->query('SELECT user FROM oauthtoken WHERE type = \'access\'')->fetchAll(PDO::FETCH_COLUMN)
+		);
 
-        foreach ($users as $u) {
-            $oauth = new OAuthUserHelper($u, $database, $this->getOAuthProtocolHelper(), $this->getSiteConfiguration());
-            $oauth->detach();
-        }
+		foreach ($users as $u) {
+			$oauth = new OAuthUserHelper($u, $database, $this->getOAuthProtocolHelper(), $this->getSiteConfiguration());
+			$oauth->detach();
+		}
 
-        $database->exec('DELETE FROM oauthtoken');
-        $database->exec('DELETE FROM oauthidentity');
-    }
+		$database->exec('DELETE FROM oauthtoken');
+		$database->exec('DELETE FROM oauthidentity');
+	}
 }
\ No newline at end of file

includes/ConsoleTasks/MigrateToDomains.php

Indentation +4 added lines, -4 removed lines

@@ -14,8 +14,8 @@
 
 class MigrateToDomains extends ConsoleTaskBase
 {
-    public function execute()
-    {
-        echo "This migration script must be run with the entire application at an earlier version.";
-    }
+	public function execute()
+	{
+		echo "This migration script must be run with the entire application at an earlier version.";
+	}
 }

includes/ConsoleTasks/MigrateToRoles.php

Indentation +41 added lines, -41 removed lines

@@ -16,55 +16,55 @@
 
 class MigrateToRoles extends ConsoleTaskBase
 {
-    public function execute()
-    {
-        $communityUser = User::getCommunity();
+	public function execute()
+	{
+		$communityUser = User::getCommunity();
 
-        $database = $this->getDatabase();
-        $statement = $database->query('SELECT id, status, checkuser FROM user;');
-        $update = $database->prepare("UPDATE user SET status = 'Active' WHERE id = :id;");
+		$database = $this->getDatabase();
+		$statement = $database->query('SELECT id, status, checkuser FROM user;');
+		$update = $database->prepare("UPDATE user SET status = 'Active' WHERE id = :id;");
 
-        $users = $statement->fetchAll(PDO::FETCH_ASSOC);
+		$users = $statement->fetchAll(PDO::FETCH_ASSOC);
 
-        foreach ($users as $user) {
-            $toAdd = array('user');
+		foreach ($users as $user) {
+			$toAdd = array('user');
 
-            if ($user['status'] === 'Admin') {
-                $toAdd[] = 'admin';
-            }
+			if ($user['status'] === 'Admin') {
+				$toAdd[] = 'admin';
+			}
 
-            if ($user['checkuser'] == 1) {
-                $toAdd[] = 'checkuser';
-            }
+			if ($user['checkuser'] == 1) {
+				$toAdd[] = 'checkuser';
+			}
 
-            foreach ($toAdd as $x) {
-                $a = new UserRole();
-                $a->setUser($user['id']);
-                $a->setRole($x);
-                $a->setDatabase($database);
-                $a->save();
-            }
+			foreach ($toAdd as $x) {
+				$a = new UserRole();
+				$a->setUser($user['id']);
+				$a->setRole($x);
+				$a->setDatabase($database);
+				$a->save();
+			}
 
-            $logData = serialize(array(
-                'added' => $toAdd,
-                'removed' => array(),
-                'reason' => 'Initial migration'
-            ));
+			$logData = serialize(array(
+				'added' => $toAdd,
+				'removed' => array(),
+				'reason' => 'Initial migration'
+			));
 
-            $log = new Log();
-            $log->setDatabase($database);
-            $log->setAction('RoleChange');
-            $log->setObjectId($user['id']);
-            $log->setObjectType('User');
-            $log->setUser($communityUser);
-            $log->setComment($logData);
-            $log->save();
+			$log = new Log();
+			$log->setDatabase($database);
+			$log->setAction('RoleChange');
+			$log->setObjectId($user['id']);
+			$log->setObjectType('User');
+			$log->setUser($communityUser);
+			$log->setComment($logData);
+			$log->save();
 
-            if ($user['status'] === 'Admin' || $user['status'] === 'User') {
-                $update->execute(array('id' => $user['id']));
-            }
-        }
+			if ($user['status'] === 'Admin' || $user['status'] === 'User') {
+				$update->execute(array('id' => $user['id']));
+			}
+		}
 
-        $database->exec("UPDATE schemaversion SET version = 25;");
-    }
+		$database->exec("UPDATE schemaversion SET version = 25;");
+	}
 }

includes/Security/CredentialProviders/PasswordCredentialProvider.php

Indentation +122 added lines, -122 removed lines

@@ -20,136 +20,136 @@
 
 class PasswordCredentialProvider extends CredentialProviderBase
 {
-    const PASSWORD_COST = 10;
-    const PASSWORD_ALGO = PASSWORD_BCRYPT;
-
-    public function __construct(PdoDatabase $database, SiteConfiguration $configuration)
-    {
-        parent::__construct($database, $configuration, 'password');
-    }
-
-    public function authenticate(User $user, $data)
-    {
-        $storedData = $this->getCredentialData($user->getId());
-        if ($storedData === null) {
-            // No available credential matching these parameters
-            return false;
-        }
-
-        if ($storedData->getVersion() !== 2) {
-            // Non-2 versions are not supported.
-            return false;
-        }
-
-        if (!password_verify($data, $storedData->getData())) {
-            return false;
-        }
-
-        if (password_needs_rehash($storedData->getData(), self::PASSWORD_ALGO,
-            array('cost' => self::PASSWORD_COST))) {
-            try {
-                $this->reallySetCredential($user, $storedData->getFactor(), $data);
-            }
-            catch (OptimisticLockFailedException $e) {
-                // optimistic lock failed, but no biggie. We'll catch it on the next login.
-            }
-        }
-
-        $strengthTester = new Zxcvbn();
-        $strength = $strengthTester->passwordStrength($data, [$user->getUsername(), $user->getOnWikiName(), $user->getEmail()]);
-
-        /*  0 means the password is extremely guessable (within 10^3 guesses), dictionary words like 'password' or 'mother' score a 0
+	const PASSWORD_COST = 10;
+	const PASSWORD_ALGO = PASSWORD_BCRYPT;
+
+	public function __construct(PdoDatabase $database, SiteConfiguration $configuration)
+	{
+		parent::__construct($database, $configuration, 'password');
+	}
+
+	public function authenticate(User $user, $data)
+	{
+		$storedData = $this->getCredentialData($user->getId());
+		if ($storedData === null) {
+			// No available credential matching these parameters
+			return false;
+		}
+
+		if ($storedData->getVersion() !== 2) {
+			// Non-2 versions are not supported.
+			return false;
+		}
+
+		if (!password_verify($data, $storedData->getData())) {
+			return false;
+		}
+
+		if (password_needs_rehash($storedData->getData(), self::PASSWORD_ALGO,
+			array('cost' => self::PASSWORD_COST))) {
+			try {
+				$this->reallySetCredential($user, $storedData->getFactor(), $data);
+			}
+			catch (OptimisticLockFailedException $e) {
+				// optimistic lock failed, but no biggie. We'll catch it on the next login.
+			}
+		}
+
+		$strengthTester = new Zxcvbn();
+		$strength = $strengthTester->passwordStrength($data, [$user->getUsername(), $user->getOnWikiName(), $user->getEmail()]);
+
+		/*  0 means the password is extremely guessable (within 10^3 guesses), dictionary words like 'password' or 'mother' score a 0
             1 is still very guessable (guesses < 10^6), an extra character on a dictionary word can score a 1
             2 is somewhat guessable (guesses < 10^8), provides some protection from unthrottled online attacks
             3 is safely unguessable (guesses < 10^10), offers moderate protection from offline slow-hash scenario
             4 is very unguessable (guesses >= 10^10) and provides strong protection from offline slow-hash scenario         */
 
-        if ($strength['score'] <= 1 || CommonPasswords::isCommon($data) || mb_strlen($data) < 8) {
-            // prevent login for extremely weak passwords
-            // at this point the user has authenticated via password, so they *know* it's weak.
-            SessionAlert::error('Your password is too weak to permit login. Please choose the "forgotten your password" option below and set a new one.', null);
-            return false;
-        }
-
-        $this->revokePasswordResetTokens($user->getId());
-
-        return true;
-    }
-
-    /**
-     * @param User   $user
-     * @param int    $factor
-     * @param string $password
-     *
-     * @throws OptimisticLockFailedException
-     */
-    private function reallySetCredential(User $user, int $factor, string $password) : void {
-        $storedData = $this->getCredentialData($user->getId());
-
-        if ($storedData === null) {
-            $storedData = $this->createNewCredential($user);
-        }
-
-        $storedData->setData(password_hash($password, self::PASSWORD_ALGO, array('cost' => self::PASSWORD_COST)));
-        $storedData->setFactor($factor);
-        $storedData->setVersion(2);
-
-        $storedData->save();
-    }
-
-    /**
-     * @param User   $user
-     * @param int    $factor
-     * @param string $password
-     *
-     * @throws ApplicationLogicException
-     * @throws OptimisticLockFailedException
-     */
-    public function setCredential(User $user, $factor, $password)
-    {
-        if (CommonPasswords::isCommon($password)) {
-            throw new ApplicationLogicException("Your new password is listed in the top 100,000 passwords. Please choose a stronger one.", null);
-        }
-
-        $strengthTester = new Zxcvbn();
-        $strength = $strengthTester->passwordStrength($password, [$user->getUsername(), $user->getOnWikiName(), $user->getEmail()]);
-
-        /*  0 means the password is extremely guessable (within 10^3 guesses), dictionary words like 'password' or 'mother' score a 0
+		if ($strength['score'] <= 1 || CommonPasswords::isCommon($data) || mb_strlen($data) < 8) {
+			// prevent login for extremely weak passwords
+			// at this point the user has authenticated via password, so they *know* it's weak.
+			SessionAlert::error('Your password is too weak to permit login. Please choose the "forgotten your password" option below and set a new one.', null);
+			return false;
+		}
+
+		$this->revokePasswordResetTokens($user->getId());
+
+		return true;
+	}
+
+	/**
+	 * @param User   $user
+	 * @param int    $factor
+	 * @param string $password
+	 *
+	 * @throws OptimisticLockFailedException
+	 */
+	private function reallySetCredential(User $user, int $factor, string $password) : void {
+		$storedData = $this->getCredentialData($user->getId());
+
+		if ($storedData === null) {
+			$storedData = $this->createNewCredential($user);
+		}
+
+		$storedData->setData(password_hash($password, self::PASSWORD_ALGO, array('cost' => self::PASSWORD_COST)));
+		$storedData->setFactor($factor);
+		$storedData->setVersion(2);
+
+		$storedData->save();
+	}
+
+	/**
+	 * @param User   $user
+	 * @param int    $factor
+	 * @param string $password
+	 *
+	 * @throws ApplicationLogicException
+	 * @throws OptimisticLockFailedException
+	 */
+	public function setCredential(User $user, $factor, $password)
+	{
+		if (CommonPasswords::isCommon($password)) {
+			throw new ApplicationLogicException("Your new password is listed in the top 100,000 passwords. Please choose a stronger one.", null);
+		}
+
+		$strengthTester = new Zxcvbn();
+		$strength = $strengthTester->passwordStrength($password, [$user->getUsername(), $user->getOnWikiName(), $user->getEmail()]);
+
+		/*  0 means the password is extremely guessable (within 10^3 guesses), dictionary words like 'password' or 'mother' score a 0
             1 is still very guessable (guesses < 10^6), an extra character on a dictionary word can score a 1
             2 is somewhat guessable (guesses < 10^8), provides some protection from unthrottled online attacks
             3 is safely unguessable (guesses < 10^10), offers moderate protection from offline slow-hash scenario
             4 is very unguessable (guesses >= 10^10) and provides strong protection from offline slow-hash scenario         */
 
-        if ($strength['score'] <= 2 || mb_strlen($password) < 8) {
-            throw new ApplicationLogicException("Your new password is too weak. Please choose a stronger one.", null);
-        }
-
-        if ($strength['score'] <= 3) {
-            SessionAlert::warning("Your new password is not as strong as it could be. Consider replacing it with a stronger password.", null);
-        }
-
-        $this->reallySetCredential($user, $factor, $password);
-    }
-
-    /**
-     * @param User $user
-     *
-     * @throws ApplicationLogicException
-     */
-    public function deleteCredential(User $user)
-    {
-        throw new ApplicationLogicException('Deletion of password credential is not allowed.');
-    }
-
-    private function revokePasswordResetTokens(int $userId)
-    {
-        $statement = $this->getDatabase()->prepare("SELECT * FROM credential WHERE type = 'reset' AND user = :user;");
-        $statement->execute([':user' => $userId]);
-        $existing = $statement->fetchAll(PdoDatabase::FETCH_CLASS, Credential::class);
-
-        foreach ($existing as $c) {
-            $c->setDatabase($this->getDatabase());
-            $c->delete();
-        }
-    }
+		if ($strength['score'] <= 2 || mb_strlen($password) < 8) {
+			throw new ApplicationLogicException("Your new password is too weak. Please choose a stronger one.", null);
+		}
+
+		if ($strength['score'] <= 3) {
+			SessionAlert::warning("Your new password is not as strong as it could be. Consider replacing it with a stronger password.", null);
+		}
+
+		$this->reallySetCredential($user, $factor, $password);
+	}
+
+	/**
+	 * @param User $user
+	 *
+	 * @throws ApplicationLogicException
+	 */
+	public function deleteCredential(User $user)
+	{
+		throw new ApplicationLogicException('Deletion of password credential is not allowed.');
+	}
+
+	private function revokePasswordResetTokens(int $userId)
+	{
+		$statement = $this->getDatabase()->prepare("SELECT * FROM credential WHERE type = 'reset' AND user = :user;");
+		$statement->execute([':user' => $userId]);
+		$existing = $statement->fetchAll(PdoDatabase::FETCH_CLASS, Credential::class);
+
+		foreach ($existing as $c) {
+			$c->setDatabase($this->getDatabase());
+			$c->delete();
+		}
+	}
 }

includes/Security/CredentialProviders/CredentialProviderBase.php

Indentation +135 added lines, -135 removed lines

@@ -15,139 +15,139 @@
 
 abstract class CredentialProviderBase implements ICredentialProvider
 {
-    /**
-     * @var PdoDatabase
-     */
-    private $database;
-    /**
-     * @var SiteConfiguration
-     */
-    private $configuration;
-    /** @var string */
-    private $type;
-
-    /**
-     * CredentialProviderBase constructor.
-     *
-     * @param PdoDatabase       $database
-     * @param SiteConfiguration $configuration
-     * @param string            $type
-     */
-    public function __construct(PdoDatabase $database, SiteConfiguration $configuration, $type)
-    {
-        $this->database = $database;
-        $this->configuration = $configuration;
-        $this->type = $type;
-    }
-
-    /**
-     * @param int  $userId
-     *
-     * @param bool $disabled
-     *
-     * @return Credential
-     */
-    protected function getCredentialData($userId, $disabled = false)
-    {
-        $sql = 'SELECT * FROM credential WHERE type = :t AND user = :u';
-        $parameters = array(
-            ':u' => $userId,
-            ':t' => $this->type
-        );
-
-        if ($disabled !== null) {
-            $sql .= ' AND disabled = :d';
-            $parameters[':d'] = $disabled ? 1 : 0;
-        }
-
-        $statement = $this->database->prepare($sql);
-        $statement->execute($parameters);
-
-        /** @var Credential $obj */
-        $obj = $statement->fetchObject(Credential::class);
-
-        if ($obj === false) {
-            return null;
-        }
-
-        $obj->setDatabase($this->database);
-
-        $statement->closeCursor();
-
-        return $obj;
-    }
-
-    /**
-     * @return PdoDatabase
-     */
-    public function getDatabase()
-    {
-        return $this->database;
-    }
-
-    /**
-     * @return SiteConfiguration
-     */
-    public function getConfiguration()
-    {
-        return $this->configuration;
-    }
-
-    public function deleteCredential(User $user)
-    {
-        // get this factor
-        $statement = $this->database->prepare('SELECT * FROM credential WHERE user = :user AND type = :type');
-        $statement->execute(array(':user' => $user->getId(), ':type' => $this->type));
-        /** @var Credential $credential */
-        $credential = $statement->fetchObject(Credential::class);
-        $credential->setDatabase($this->database);
-        $statement->closeCursor();
-
-        $stage = $credential->getFactor();
-
-        $statement = $this->database->prepare('SELECT COUNT(*) FROM credential WHERE user = :user AND factor = :factor');
-        $statement->execute(array(':user' => $user->getId(), ':factor' => $stage));
-        $alternates = $statement->fetchColumn();
-        $statement->closeCursor();
-
-        if ($alternates <= 1) {
-            // decrement the factor for every stage above this
-            $sql = 'UPDATE credential SET factor = factor - 1 WHERE user = :user AND factor > :factor';
-            $statement = $this->database->prepare($sql);
-            $statement->execute(array(':user' => $user->getId(), ':factor' => $stage));
-        }
-        else {
-            // There are other auth factors at this point. Don't renumber the factors just yet.
-        }
-
-        // delete this credential.
-        $credential->delete();
-    }
-
-    /**
-     * @param User $user
-     *
-     * @return Credential
-     */
-    protected function createNewCredential(User $user)
-    {
-        $credential = new Credential();
-        $credential->setDatabase($this->getDatabase());
-        $credential->setUserId($user->getId());
-        $credential->setType($this->type);
-
-        return $credential;
-    }
-
-    /**
-     * @param int $userId
-     *
-     * @return bool
-     */
-    public function userIsEnrolled($userId)
-    {
-        $cred = $this->getCredentialData($userId);
-
-        return $cred !== null;
-    }
+	/**
+	 * @var PdoDatabase
+	 */
+	private $database;
+	/**
+	 * @var SiteConfiguration
+	 */
+	private $configuration;
+	/** @var string */
+	private $type;
+
+	/**
+	 * CredentialProviderBase constructor.
+	 *
+	 * @param PdoDatabase       $database
+	 * @param SiteConfiguration $configuration
+	 * @param string            $type
+	 */
+	public function __construct(PdoDatabase $database, SiteConfiguration $configuration, $type)
+	{
+		$this->database = $database;
+		$this->configuration = $configuration;
+		$this->type = $type;
+	}
+
+	/**
+	 * @param int  $userId
+	 *
+	 * @param bool $disabled
+	 *
+	 * @return Credential
+	 */
+	protected function getCredentialData($userId, $disabled = false)
+	{
+		$sql = 'SELECT * FROM credential WHERE type = :t AND user = :u';
+		$parameters = array(
+			':u' => $userId,
+			':t' => $this->type
+		);
+
+		if ($disabled !== null) {
+			$sql .= ' AND disabled = :d';
+			$parameters[':d'] = $disabled ? 1 : 0;
+		}
+
+		$statement = $this->database->prepare($sql);
+		$statement->execute($parameters);
+
+		/** @var Credential $obj */
+		$obj = $statement->fetchObject(Credential::class);
+
+		if ($obj === false) {
+			return null;
+		}
+
+		$obj->setDatabase($this->database);
+
+		$statement->closeCursor();
+
+		return $obj;
+	}
+
+	/**
+	 * @return PdoDatabase
+	 */
+	public function getDatabase()
+	{
+		return $this->database;
+	}
+
+	/**
+	 * @return SiteConfiguration
+	 */
+	public function getConfiguration()
+	{
+		return $this->configuration;
+	}
+
+	public function deleteCredential(User $user)
+	{
+		// get this factor
+		$statement = $this->database->prepare('SELECT * FROM credential WHERE user = :user AND type = :type');
+		$statement->execute(array(':user' => $user->getId(), ':type' => $this->type));
+		/** @var Credential $credential */
+		$credential = $statement->fetchObject(Credential::class);
+		$credential->setDatabase($this->database);
+		$statement->closeCursor();
+
+		$stage = $credential->getFactor();
+
+		$statement = $this->database->prepare('SELECT COUNT(*) FROM credential WHERE user = :user AND factor = :factor');
+		$statement->execute(array(':user' => $user->getId(), ':factor' => $stage));
+		$alternates = $statement->fetchColumn();
+		$statement->closeCursor();
+
+		if ($alternates <= 1) {
+			// decrement the factor for every stage above this
+			$sql = 'UPDATE credential SET factor = factor - 1 WHERE user = :user AND factor > :factor';
+			$statement = $this->database->prepare($sql);
+			$statement->execute(array(':user' => $user->getId(), ':factor' => $stage));
+		}
+		else {
+			// There are other auth factors at this point. Don't renumber the factors just yet.
+		}
+
+		// delete this credential.
+		$credential->delete();
+	}
+
+	/**
+	 * @param User $user
+	 *
+	 * @return Credential
+	 */
+	protected function createNewCredential(User $user)
+	{
+		$credential = new Credential();
+		$credential->setDatabase($this->getDatabase());
+		$credential->setUserId($user->getId());
+		$credential->setType($this->type);
+
+		return $credential;
+	}
+
+	/**
+	 * @param int $userId
+	 *
+	 * @return bool
+	 */
+	public function userIsEnrolled($userId)
+	{
+		$cred = $this->getCredentialData($userId);
+
+		return $cred !== null;
+	}
 }
\ No newline at end of file

Braces +1 added lines, -2 removed lines

@@ -115,8 +115,7 @@
             $sql = 'UPDATE credential SET factor = factor - 1 WHERE user = :user AND factor > :factor';
             $statement = $this->database->prepare($sql);
             $statement->execute(array(':user' => $user->getId(), ':factor' => $stage));
-        }
-        else {
+        } else {
             // There are other auth factors at this point. Don't renumber the factors just yet.
         }
 

includes/Security/CredentialProviders/ScratchTokenCredentialProvider.php

Indentation +132 added lines, -132 removed lines

@@ -20,136 +20,136 @@
 
 class ScratchTokenCredentialProvider extends CredentialProviderBase
 {
-    /** @var EncryptionHelper */
-    private $encryptionHelper;
-    /** @var array the tokens generated in the last generation round. */
-    private $generatedTokens;
-
-    /**
-     * ScratchTokenCredentialProvider constructor.
-     *
-     * @param PdoDatabase       $database
-     * @param SiteConfiguration $configuration
-     */
-    public function __construct(PdoDatabase $database, SiteConfiguration $configuration)
-    {
-        parent::__construct($database, $configuration, 'scratch');
-        $this->encryptionHelper = new EncryptionHelper($configuration);
-    }
-
-    /**
-     * Validates a user-provided credential
-     *
-     * @param User   $user The user to test the authentication against
-     * @param string $data The raw credential data to be validated
-     *
-     * @return bool
-     * @throws ApplicationLogicException|OptimisticLockFailedException
-     */
-    public function authenticate(User $user, $data)
-    {
-        if (is_array($data)) {
-            return false;
-        }
-
-        $storedData = $this->getCredentialData($user->getId());
-
-        if ($storedData === null) {
-            throw new ApplicationLogicException('Credential data not found');
-        }
-
-        $scratchTokens = unserialize($this->encryptionHelper->decryptData($storedData->getData()));
-
-        $usedToken = null;
-        foreach ($scratchTokens as $scratchToken) {
-            if (password_verify($data, $scratchToken)) {
-                $usedToken = $scratchToken;
-                SessionAlert::quick("Hey, it looks like you used a scratch token to log in. Would you like to change your multi-factor authentication configuration?", 'alert-warning');
-                WebRequest::setPostLoginRedirect($this->getConfiguration()->getBaseUrl() . "/internal.php/multiFactor");
-                break;
-            }
-        }
-
-        if ($usedToken === null) {
-            return false;
-        }
-
-        $scratchTokens = array_diff($scratchTokens, [$usedToken]);
-
-        $storedData->setData($this->encryptionHelper->encryptData(serialize($scratchTokens)));
-        $storedData->save();
-
-        return true;
-    }
-
-    /**
-     * @param User   $user   The user the credential belongs to
-     * @param int    $factor The factor this credential provides
-     * @param string $data   Unused.
-     *
-     * @throws OptimisticLockFailedException
-     */
-    public function setCredential(User $user, $factor, $data)
-    {
-        $plaintextScratch = array();
-        $storedScratch = array();
-        for ($i = 0; $i < 5; $i++) {
-            $token = Base32::encodeUpper(openssl_random_pseudo_bytes(10));
-            $plaintextScratch[] = $token;
-
-            $storedScratch[] = password_hash(
-                $token,
-                PasswordCredentialProvider::PASSWORD_ALGO,
-                array('cost' => PasswordCredentialProvider::PASSWORD_COST)
-            );
-        }
-
-        $storedData = $this->getCredentialData($user->getId(), null);
-
-        if ($storedData !== null) {
-            $storedData->delete();
-        }
-
-        $storedData = $this->createNewCredential($user);
-
-        $storedData->setData($this->encryptionHelper->encryptData(serialize($storedScratch)));
-        $storedData->setFactor($factor);
-        $storedData->setVersion(1);
-        $storedData->setPriority(9);
-
-        $storedData->save();
-        $this->generatedTokens = $plaintextScratch;
-    }
-
-    /**
-     * Gets the count of remaining valid tokens
-     *
-     * @param int $userId
-     *
-     * @return int
-     */
-    public function getRemaining($userId)
-    {
-        $storedData = $this->getCredentialData($userId);
-
-        if ($storedData === null) {
-            return 0;
-        }
-
-        $scratchTokens = unserialize($this->encryptionHelper->decryptData($storedData->getData()));
-
-        return count($scratchTokens);
-    }
-
-    /**
-     * @return array
-     */
-    public function getTokens()
-    {
-        if ($this->generatedTokens != null) {
-            return $this->generatedTokens;
-        }
-
-        return array();
-    }
+	/** @var EncryptionHelper */
+	private $encryptionHelper;
+	/** @var array the tokens generated in the last generation round. */
+	private $generatedTokens;
+
+	/**
+	 * ScratchTokenCredentialProvider constructor.
+	 *
+	 * @param PdoDatabase       $database
+	 * @param SiteConfiguration $configuration
+	 */
+	public function __construct(PdoDatabase $database, SiteConfiguration $configuration)
+	{
+		parent::__construct($database, $configuration, 'scratch');
+		$this->encryptionHelper = new EncryptionHelper($configuration);
+	}
+
+	/**
+	 * Validates a user-provided credential
+	 *
+	 * @param User   $user The user to test the authentication against
+	 * @param string $data The raw credential data to be validated
+	 *
+	 * @return bool
+	 * @throws ApplicationLogicException|OptimisticLockFailedException
+	 */
+	public function authenticate(User $user, $data)
+	{
+		if (is_array($data)) {
+			return false;
+		}
+
+		$storedData = $this->getCredentialData($user->getId());
+
+		if ($storedData === null) {
+			throw new ApplicationLogicException('Credential data not found');
+		}
+
+		$scratchTokens = unserialize($this->encryptionHelper->decryptData($storedData->getData()));
+
+		$usedToken = null;
+		foreach ($scratchTokens as $scratchToken) {
+			if (password_verify($data, $scratchToken)) {
+				$usedToken = $scratchToken;
+				SessionAlert::quick("Hey, it looks like you used a scratch token to log in. Would you like to change your multi-factor authentication configuration?", 'alert-warning');
+				WebRequest::setPostLoginRedirect($this->getConfiguration()->getBaseUrl() . "/internal.php/multiFactor");
+				break;
+			}
+		}
+
+		if ($usedToken === null) {
+			return false;
+		}
+
+		$scratchTokens = array_diff($scratchTokens, [$usedToken]);
+
+		$storedData->setData($this->encryptionHelper->encryptData(serialize($scratchTokens)));
+		$storedData->save();
+
+		return true;
+	}
+
+	/**
+	 * @param User   $user   The user the credential belongs to
+	 * @param int    $factor The factor this credential provides
+	 * @param string $data   Unused.
+	 *
+	 * @throws OptimisticLockFailedException
+	 */
+	public function setCredential(User $user, $factor, $data)
+	{
+		$plaintextScratch = array();
+		$storedScratch = array();
+		for ($i = 0; $i < 5; $i++) {
+			$token = Base32::encodeUpper(openssl_random_pseudo_bytes(10));
+			$plaintextScratch[] = $token;
+
+			$storedScratch[] = password_hash(
+				$token,
+				PasswordCredentialProvider::PASSWORD_ALGO,
+				array('cost' => PasswordCredentialProvider::PASSWORD_COST)
+			);
+		}
+
+		$storedData = $this->getCredentialData($user->getId(), null);
+
+		if ($storedData !== null) {
+			$storedData->delete();
+		}
+
+		$storedData = $this->createNewCredential($user);
+
+		$storedData->setData($this->encryptionHelper->encryptData(serialize($storedScratch)));
+		$storedData->setFactor($factor);
+		$storedData->setVersion(1);
+		$storedData->setPriority(9);
+
+		$storedData->save();
+		$this->generatedTokens = $plaintextScratch;
+	}
+
+	/**
+	 * Gets the count of remaining valid tokens
+	 *
+	 * @param int $userId
+	 *
+	 * @return int
+	 */
+	public function getRemaining($userId)
+	{
+		$storedData = $this->getCredentialData($userId);
+
+		if ($storedData === null) {
+			return 0;
+		}
+
+		$scratchTokens = unserialize($this->encryptionHelper->decryptData($storedData->getData()));
+
+		return count($scratchTokens);
+	}
+
+	/**
+	 * @return array
+	 */
+	public function getTokens()
+	{
+		if ($this->generatedTokens != null) {
+			return $this->generatedTokens;
+		}
+
+		return array();
+	}
 }

includes/Security/AuthenticationManager.php

Indentation +55 added lines, -55 removed lines

@@ -21,66 +21,66 @@
 
 class AuthenticationManager
 {
-    const AUTH_OK = 1;
-    const AUTH_FAIL = 2;
-    const AUTH_REQUIRE_NEXT_STAGE = 3;
-    private $typeMap = array();
-    /**
-     * @var PdoDatabase
-     */
-    private $database;
+	const AUTH_OK = 1;
+	const AUTH_FAIL = 2;
+	const AUTH_REQUIRE_NEXT_STAGE = 3;
+	private $typeMap = array();
+	/**
+	 * @var PdoDatabase
+	 */
+	private $database;
 
-    /**
-     * AuthenticationManager constructor.
-     *
-     * @param PdoDatabase       $database
-     * @param SiteConfiguration $siteConfiguration
-     * @param HttpHelper        $httpHelper
-     */
-    public function __construct(PdoDatabase $database, SiteConfiguration $siteConfiguration, HttpHelper $httpHelper)
-    {
-        // setup providers
-        // note on type map: this *must* be the value in the database, as this is what it maps.
-        $this->typeMap['password'] = new PasswordCredentialProvider($database, $siteConfiguration);
-        $this->typeMap['yubikeyotp'] = new YubikeyOtpCredentialProvider($database, $siteConfiguration, $httpHelper);
-        $this->typeMap['totp'] = new TotpCredentialProvider($database, $siteConfiguration);
-        $this->typeMap['scratch'] = new ScratchTokenCredentialProvider($database, $siteConfiguration);
-        $this->database = $database;
-    }
+	/**
+	 * AuthenticationManager constructor.
+	 *
+	 * @param PdoDatabase       $database
+	 * @param SiteConfiguration $siteConfiguration
+	 * @param HttpHelper        $httpHelper
+	 */
+	public function __construct(PdoDatabase $database, SiteConfiguration $siteConfiguration, HttpHelper $httpHelper)
+	{
+		// setup providers
+		// note on type map: this *must* be the value in the database, as this is what it maps.
+		$this->typeMap['password'] = new PasswordCredentialProvider($database, $siteConfiguration);
+		$this->typeMap['yubikeyotp'] = new YubikeyOtpCredentialProvider($database, $siteConfiguration, $httpHelper);
+		$this->typeMap['totp'] = new TotpCredentialProvider($database, $siteConfiguration);
+		$this->typeMap['scratch'] = new ScratchTokenCredentialProvider($database, $siteConfiguration);
+		$this->database = $database;
+	}
 
-    public function authenticate(User $user, $data, $stage)
-    {
-        $sql = 'SELECT type FROM credential WHERE user = :user AND factor = :stage AND disabled = 0 ORDER BY priority ASC';
-        $statement = $this->database->prepare($sql);
-        $statement->execute(array(':user' => $user->getId(), ':stage' => $stage));
-        $options = $statement->fetchAll(PDO::FETCH_COLUMN);
+	public function authenticate(User $user, $data, $stage)
+	{
+		$sql = 'SELECT type FROM credential WHERE user = :user AND factor = :stage AND disabled = 0 ORDER BY priority ASC';
+		$statement = $this->database->prepare($sql);
+		$statement->execute(array(':user' => $user->getId(), ':stage' => $stage));
+		$options = $statement->fetchAll(PDO::FETCH_COLUMN);
 
-        $sql = 'SELECT count(DISTINCT factor) FROM credential WHERE user = :user AND factor > :stage AND disabled = 0 AND type <> :scratch';
-        $statement = $this->database->prepare($sql);
-        $statement->execute(array(':user' => $user->getId(), ':stage' => $stage, ':scratch' => 'scratch'));
-        $requiredFactors = $statement->fetchColumn();
+		$sql = 'SELECT count(DISTINCT factor) FROM credential WHERE user = :user AND factor > :stage AND disabled = 0 AND type <> :scratch';
+		$statement = $this->database->prepare($sql);
+		$statement->execute(array(':user' => $user->getId(), ':stage' => $stage, ':scratch' => 'scratch'));
+		$requiredFactors = $statement->fetchColumn();
 
-        // prep the correct OK response based on how many factors are ahead of this one
-        $success = self::AUTH_OK;
-        if ($requiredFactors > 0) {
-            $success = self::AUTH_REQUIRE_NEXT_STAGE;
-        }
+		// prep the correct OK response based on how many factors are ahead of this one
+		$success = self::AUTH_OK;
+		if ($requiredFactors > 0) {
+			$success = self::AUTH_REQUIRE_NEXT_STAGE;
+		}
 
-        foreach ($options as $type) {
-            if (!isset($this->typeMap[$type])) {
-                // does this type have a credentialProvider registered?
-                continue;
-            }
+		foreach ($options as $type) {
+			if (!isset($this->typeMap[$type])) {
+				// does this type have a credentialProvider registered?
+				continue;
+			}
 
-            /** @var ICredentialProvider $credentialProvider */
-            $credentialProvider = $this->typeMap[$type];
-            if ($credentialProvider->authenticate($user, $data)) {
-                return $success;
-            }
-        }
+			/** @var ICredentialProvider $credentialProvider */
+			$credentialProvider = $this->typeMap[$type];
+			if ($credentialProvider->authenticate($user, $data)) {
+				return $success;
+			}
+		}
 
-        // We've iterated over all the available providers for this stage.
-        // They all hate you.
-        return self::AUTH_FAIL;
-    }
+		// We've iterated over all the available providers for this stage.
+		// They all hate you.
+		return self::AUTH_FAIL;
+	}
 }
\ No newline at end of file