Inspection status: Completed. Source: Pull Request, master (#792), created 02:38 by unknown.

Auth::checkAuthentication() (rating B)

Complexity:   Conditions 2, Paths 2
Size:         Total Lines 25, Code Lines 6
Duplication:  Lines 0, Ratio 0 %

Metric                              Value
dl   (duplicated lines)             0
loc  (lines of code)                25
rs                                  8.8571
cc   (cyclomatic complexity)        2
eloc (effective lines of code)      6
nc   (number of paths)              2
nop  (number of parameters)         0
<?php

/**
 * Class Auth
 * Checks if user is logged in, if not then sends the user to "yourdomain.com/login".
 * Auth::checkAuthentication() can be used in the constructor of a controller (to make the
 * entire controller only visible for logged-in users) or inside a controller-method to make only this part of the
 * application available for logged-in users.
 */
class Auth
{
    /**
     * The normal authentication flow, just check if the user is logged in (by looking into the session).
     * If user is not, then he will be redirected to login page and the application is hard-stopped via exit().
     */
    public static function checkAuthentication()
    {
        // initialize the session (if not initialized yet)
        Session::init();

        // self::checkSessionConcurrency();

        // if user is NOT logged in...
        // (if user IS logged in the application will not run the code below and therefore just go on)
        if (!Session::userIsLoggedIn()) {

            // ... then treat user as "not logged in", destroy session, redirect to login page
            Session::destroy();

            // send the user to the login form page, but also add the current page's URI (the part after the base URL)
            // as a parameter argument, making it possible to send the user back to where he/she came from after a
            // successful login
            header('location: ' . Config::get('URL') . 'login?redirect=' . urlencode($_SERVER['REQUEST_URI']));

            // to prevent fetching views via cURL (which "ignores" the header-redirect above) we leave the application
            // the hard way, via exit(). @see https://github.com/panique/php-login/issues/453
            // this is not optimal and will be fixed in future releases
            exit();
        }
    }

    /**
     * The admin authentication flow, just check if the user is logged in (by looking into the session) AND has
     * user role type 7 (currently there's only type 1 (normal user), type 2 (premium user) and 7 (admin)).
     * If user is not, then he will be redirected to login page and the application is hard-stopped via exit().
     * Using this method only makes sense in controllers that should only be used by admins.
     */
    public static function checkAdminAuthentication()
    {
        // initialize the session (if not initialized yet)
        Session::init();

        // self::checkSessionConcurrency();

        // if user is not logged in or is not an admin (= not role type 7)
        if (!Session::userIsLoggedIn() || Session::get("user_account_type") != 7) {

            // ... then treat user as "not logged in", destroy session, redirect to login page
            Session::destroy();
            header('location: ' . Config::get('URL') . 'login');

            // to prevent fetching views via cURL (which "ignores" the header-redirect above) we leave the application
            // the hard way, via exit(). @see https://github.com/panique/php-login/issues/453
            // this is not optimal and will be fixed in future releases
            exit();
        }
    }

    /**
     * Detects if there is a concurrent session (i.e. another user logged in with the same credentials as the
     * current user). If so, then logs out.
     */
    public static function checkSessionConcurrency()
    {
        if (Session::userIsLoggedIn()) {
            if (Session::isConcurrentSessionExists()) {
                LoginModel::logout();
                Redirect::home();
                exit();
            }
        }
    }
}

Inspection issues reported on this file:

Coding Style Compatibility (class Auth): PSR1 recommends that each class must be in a namespace of at least one level to avoid collisions. You can fix this by adding a namespace to your class:

namespace YourVendor;

class YourClass { }

When choosing a vendor namespace, try to pick something that is not too generic to avoid conflicts with other libraries.

Coding Style (checkAuthentication): checkAuthentication uses the super-global variable $_SERVER, which is generally not recommended. Instead of super-globals, we recommend explicitly injecting the dependencies of your class. This makes your code less dependent on global state and generally more testable:

// Bad
class Router
{
    public function generate($path)
    {
        return $_SERVER['HOST'].$path;
    }
}

// Better
class Router
{
    private $host;

    public function __construct($host)
    {
        $this->host = $host;
    }

    public function generate($path)
    {
        return $this->host.$path;
    }
}

class Controller
{
    public function myAction(Request $request)
    {
        // Instead of
        $page = isset($_GET['page']) ? intval($_GET['page']) : 1;

        // Better (assuming you use the Symfony2 request)
        $page = $request->query->get('page', 1);
    }
}

Unused Code Comprehensibility (the commented-out self::checkSessionConcurrency() call in checkAuthentication and again in checkAdminAuthentication): 72% of this comment could be valid code. Did you maybe forget this after debugging? Sometimes obsolete code just ends up commented out instead of removed. In this case it is better to remove the code once you have checked you do not need it. The code might also have been commented out for debugging purposes. In this case it is vital that someone uncomments it again or your project may behave in very unexpected ways in production. This check looks for comments that seem to be mostly valid code and reports them.

Coding Style Compatibility (checkAuthentication, checkAdminAuthentication and checkSessionConcurrency): each of these methods contains an exit expression. An exit expression should only be used in rare cases, for example if you write a short command line script. In most cases, however, using an exit expression makes the code untestable and often causes incompatibilities with other libraries. Thus, unless you are absolutely sure it is required here, we recommend refactoring your code to avoid its usage.
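The guard below is an added example, not code from the php-login project, showing how the two inspection suggestions above apply to this Auth class: the current request URI is injected rather than read from $_SERVER, and each check returns a decision instead of calling header() and exit(), so a front controller performs the redirect and stops rendering (the job exit() does on the page). The admin check compares the account type strictly against 7. Because the page does not show how the login controller consumes the redirect parameter, the example also restricts that value to a site-relative path before emitting it. AuthGuard, AuthDecision, SessionStore, ArraySession and siteRelative are names assumed for this example, and it targets PHP 8.1 (readonly promoted properties, str_starts_with).

```php
<?php
// Added example, not code from the php-login project. AuthGuard, AuthDecision,
// SessionStore and ArraySession are names assumed for this example (PHP 8.1).
declare(strict_types=1);

/** Result of a guard check: either allow the request or redirect to $location. */
final class AuthDecision
{
    public const ALLOW = 'allow';
    public const REDIRECT = 'redirect';

    public function __construct(
        public readonly string $outcome,
        public readonly ?string $location = null
    ) {
    }
}

/** Session access injected into the guard (the page's code calls the static Session class instead). */
interface SessionStore
{
    public function isLoggedIn(): bool;
    public function accountType(): ?int;
    public function destroy(): void;
}

/** In-memory session used only for the constructed sample run at the bottom. */
final class ArraySession implements SessionStore
{
    public function __construct(private bool $loggedIn, private ?int $accountType = null) {}
    public function isLoggedIn(): bool { return $this->loggedIn; }
    public function accountType(): ?int { return $this->accountType; }
    public function destroy(): void { $this->loggedIn = false; $this->accountType = null; }
}

final class AuthGuard
{
    // Role id the page's checkAdminAuthentication() treats as admin.
    private const ROLE_ADMIN = 7;

    public function __construct(private SessionStore $session, private string $baseUrl) {}

    /** Normal flow: logged-in users pass; others are sent to login with a site-relative return target. */
    public function check(string $requestUri): AuthDecision
    {
        if ($this->session->isLoggedIn()) {
            return new AuthDecision(AuthDecision::ALLOW);
        }
        $this->session->destroy();
        $target = $this->baseUrl . 'login?redirect=' . urlencode(self::siteRelative($requestUri));
        return new AuthDecision(AuthDecision::REDIRECT, $target);
    }

    /** Admin flow: requires a logged-in session whose account type is exactly 7 (strict comparison). */
    public function checkAdmin(): AuthDecision
    {
        if ($this->session->isLoggedIn() && $this->session->accountType() === self::ROLE_ADMIN) {
            return new AuthDecision(AuthDecision::ALLOW);
        }
        $this->session->destroy();
        return new AuthDecision(AuthDecision::REDIRECT, $this->baseUrl . 'login');
    }

    /**
     * Accept only a site-relative path as the post-login return target. Absolute URLs,
     * protocol-relative "//host" and the "/\host" form browsers also treat as protocol-relative
     * fall back to "/", so the emitted value cannot point off-site.
     */
    public static function siteRelative(string $uri): string
    {
        if ($uri === '' || $uri[0] !== '/' || str_starts_with($uri, '//') || str_starts_with($uri, '/\\')) {
            return '/';
        }
        return $uri;
    }
}

// Constructed sample run. A front controller would do the same and then stop before
// rendering the view (the role exit() plays on the page), e.g. by returning early
// right after sending the Location header.
$base = 'https://example.invalid/';
$anon = new AuthGuard(new ArraySession(false), $base);
$user = new AuthGuard(new ArraySession(true, 1), $base);
$admin = new AuthGuard(new ArraySession(true, 7), $base);

$d = $anon->check('/profile?tab=2');
echo $d->outcome, ' ', $d->location, PHP_EOL;
$d = $anon->check('//evil.invalid/phish');
echo $d->outcome, ' ', $d->location, PHP_EOL;
echo $user->check('/profile')->outcome, PHP_EOL;
echo $user->checkAdmin()->outcome, PHP_EOL;
echo $admin->checkAdmin()->outcome, PHP_EOL;
```

In the sample run the anonymous request to /profile?tab=2 yields a redirect to https://example.invalid/login?redirect=%2Fprofile%3Ftab%3D2, the protocol-relative //evil.invalid/phish URI is collapsed to a redirect target of %2F, the type 1 user is allowed by check() but redirected (and its session destroyed) by checkAdmin(), and the type 7 user is allowed by checkAdmin(). Because the guard never calls header() or exit(), each of those outcomes can be asserted in a unit test with nothing but the in-memory session.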