|
1
|
|
|
<?php |
|
2
|
|
|
/** |
|
3
|
|
|
* |
|
4
|
|
|
* 2FA extension for the phpBB Forum Software package. |
|
5
|
|
|
* |
|
6
|
|
|
* @copyright (c) 2015 Paul Sohier |
|
7
|
|
|
* @license GNU General Public License, version 2 (GPL-2.0) |
|
8
|
|
|
* |
|
9
|
|
|
*/ |
|
10
|
|
|
|
|
11
|
|
|
namespace paul999\tfa\controller; |
|
12
|
|
|
|
|
13
|
|
|
use paul999\tfa\helper\session_helper_interface; |
|
14
|
|
|
use paul999\tfa\modules\module_interface; |
|
15
|
|
|
use phpbb\config\config; |
|
16
|
|
|
use phpbb\controller\helper; |
|
17
|
|
|
use phpbb\db\driver\driver_interface; |
|
18
|
|
|
use phpbb\request\request_interface; |
|
19
|
|
|
use phpbb\template\template; |
|
20
|
|
|
use phpbb\user; |
|
21
|
|
|
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException; |
|
22
|
|
|
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException; |
|
23
|
|
|
|
|
24
|
|
|
/** |
|
25
|
|
|
* Controller |
|
26
|
|
|
*/ |
|
27
|
|
|
class main_controller |
|
28
|
|
|
{ |
|
29
|
|
|
/** |
|
30
|
|
|
* @var helper |
|
31
|
|
|
*/ |
|
32
|
|
|
private $controller_helper; |
|
33
|
|
|
|
|
34
|
|
|
/** |
|
35
|
|
|
* @var template |
|
36
|
|
|
*/ |
|
37
|
|
|
private $template; |
|
38
|
|
|
|
|
39
|
|
|
/** |
|
40
|
|
|
* @var driver_interface |
|
41
|
|
|
*/ |
|
42
|
|
|
private $db; |
|
43
|
|
|
|
|
44
|
|
|
/** |
|
45
|
|
|
* @var user |
|
46
|
|
|
*/ |
|
47
|
|
|
private $user; |
|
48
|
|
|
|
|
49
|
|
|
/** |
|
50
|
|
|
* @var request_interface |
|
51
|
|
|
*/ |
|
52
|
|
|
private $request; |
|
53
|
|
|
|
|
54
|
|
|
/** |
|
55
|
|
|
* @var config |
|
56
|
|
|
*/ |
|
57
|
|
|
private $config; |
|
58
|
|
|
|
|
59
|
|
|
/** |
|
60
|
|
|
* @var session_helper_interface |
|
61
|
|
|
*/ |
|
62
|
|
|
private $session_helper; |
|
63
|
|
|
|
|
64
|
|
|
/** |
|
65
|
|
|
* @var string |
|
66
|
|
|
*/ |
|
67
|
|
|
private $root_path; |
|
68
|
|
|
|
|
69
|
|
|
/** |
|
70
|
|
|
* @var string |
|
71
|
|
|
*/ |
|
72
|
|
|
private $php_ext; |
|
73
|
|
|
|
|
74
|
|
|
/** |
|
75
|
|
|
* Constructor |
|
76
|
|
|
* |
|
77
|
|
|
* @access public |
|
78
|
|
|
* @param helper $controller_helper |
|
79
|
|
|
* @param driver_interface $db |
|
80
|
|
|
* @param template $template |
|
81
|
|
|
* @param user $user |
|
82
|
|
|
* @param request_interface $request |
|
83
|
|
|
* @param config $config |
|
84
|
|
|
* @param session_helper_interface $session_helper |
|
85
|
|
|
* @param string $root_path |
|
86
|
|
|
* @param string $php_ext |
|
87
|
|
|
*/ |
|
88
|
|
View Code Duplication |
public function __construct(helper $controller_helper, driver_interface $db, template $template, user $user, request_interface $request, config $config, session_helper_interface $session_helper, $root_path, $php_ext) |
|
|
|
|
|
|
89
|
|
|
{ |
|
90
|
|
|
$this->controller_helper = $controller_helper; |
|
91
|
|
|
$this->template = $template; |
|
92
|
|
|
$this->db = $db; |
|
93
|
|
|
$this->user = $user; |
|
94
|
|
|
$this->request = $request; |
|
95
|
|
|
$this->config = $config; |
|
96
|
|
|
$this->session_helper = $session_helper; |
|
97
|
|
|
$this->root_path = $root_path; |
|
98
|
|
|
$this->php_ext = $php_ext; |
|
99
|
|
|
|
|
100
|
|
|
} |
|
101
|
|
|
|
|
102
|
|
|
/** |
|
103
|
|
|
* @param int $user_id |
|
104
|
|
|
* @param bool $admin |
|
105
|
|
|
* @param bool $auto_login |
|
106
|
|
|
* @param bool $viewonline |
|
107
|
|
|
* @return \Symfony\Component\HttpFoundation\Response |
|
108
|
|
|
* @throws AccessDeniedHttpException |
|
109
|
|
|
*/ |
|
110
|
|
|
public function submit($user_id, $admin, $auto_login, $viewonline, $class) |
|
111
|
|
|
{ |
|
112
|
|
|
$this->user->add_lang_ext('paul999/tfa', 'common'); |
|
113
|
|
|
|
|
114
|
|
|
if (!check_form_key('tfa_login_page')) |
|
115
|
|
|
{ |
|
116
|
|
|
throw new AccessDeniedHttpException($this->user->lang('FORM_INVALID')); |
|
117
|
|
|
} |
|
118
|
|
|
|
|
119
|
|
|
if (empty($this->user->data['tfa_random']) || $user_id != $this->user->data['tfa_uid']) |
|
120
|
|
|
{ |
|
121
|
|
|
throw new BadRequestHttpException($this->user->lang('TFA_SOMETHING_WENT_WRONG')); |
|
122
|
|
|
} |
|
123
|
|
|
$random = $this->request->variable('random', ''); |
|
124
|
|
|
$cookie = $this->request->variable($this->config['cookie_name'] . 'rm', '', false, request_interface::COOKIE); |
|
125
|
|
|
|
|
126
|
|
|
if ($this->user->data['tfa_random'] !== $cookie || $cookie !== $random || $this->user->data['tfa_random'] !== $random || strlen($random) != 40) |
|
127
|
|
|
{ |
|
128
|
|
|
throw new BadRequestHttpException($this->user->lang('TFA_SOMETHING_WENT_WRONG')); |
|
129
|
|
|
} |
|
130
|
|
|
$sql_ary = array( |
|
131
|
|
|
'tfa_random' => '', |
|
132
|
|
|
'tfa_uid' => 0, |
|
133
|
|
|
); |
|
134
|
|
|
$sql = 'UPDATE ' . SESSIONS_TABLE . ' SET ' . $this->db->sql_build_array('UPDATE', $sql_ary) . ' |
|
135
|
|
|
WHERE |
|
136
|
|
|
session_id = \'' . $this->db->sql_escape($this->user->data['session_id']) . '\' AND |
|
137
|
|
|
session_user_id = ' . (int) $this->user->data['user_id']; |
|
138
|
|
|
$this->db->sql_query($sql); |
|
139
|
|
|
|
|
140
|
|
|
if (empty($class)) |
|
141
|
|
|
{ |
|
142
|
|
|
throw new BadRequestHttpException($this->user->lang('TFA_SOMETHING_WENT_WRONG')); |
|
143
|
|
|
} |
|
144
|
|
|
|
|
145
|
|
|
$module = $this->session_helper->findModule($class); |
|
146
|
|
|
|
|
147
|
|
|
if ($module == null) |
|
148
|
|
|
{ |
|
149
|
|
|
throw new BadRequestHttpException($this->user->lang('TFA_SOMETHING_WENT_WRONG')); |
|
150
|
|
|
} |
|
151
|
|
|
if (!$module->login($user_id)) |
|
152
|
|
|
{ |
|
153
|
|
|
throw new AccessDeniedHttpException($this->user->lang('TFA_INCORRECT_KEY')); |
|
154
|
|
|
} |
|
155
|
|
|
|
|
156
|
|
|
$old_session_id = $this->user->session_id; |
|
157
|
|
|
|
|
158
|
|
|
if ($admin) |
|
159
|
|
|
{ |
|
160
|
|
|
$cookie_expire = time() - 31536000; |
|
161
|
|
|
$this->user->set_cookie('u', '', $cookie_expire); |
|
162
|
|
|
$this->user->set_cookie('sid', '', $cookie_expire); |
|
163
|
|
|
} |
|
164
|
|
|
|
|
165
|
|
|
$result = $this->user->session_create($user_id, $admin, $auto_login, $viewonline); |
|
166
|
|
|
|
|
167
|
|
|
// Successful session creation |
|
168
|
|
|
if ($result === true) |
|
169
|
|
|
{ |
|
170
|
|
|
// If admin re-authentication we remove the old session entry because a new one has been created... |
|
171
|
|
|
if ($admin) |
|
172
|
|
|
{ |
|
173
|
|
|
// the login array is used because the user ids do not differ for re-authentication |
|
174
|
|
|
$sql = 'DELETE FROM ' . SESSIONS_TABLE . " |
|
175
|
|
|
WHERE session_id = '" . $this->db->sql_escape($old_session_id) . "' |
|
176
|
|
|
AND session_user_id = " . (int) $user_id; |
|
177
|
|
|
$this->db->sql_query($sql); |
|
178
|
|
|
|
|
179
|
|
|
redirect(append_sid("{$this->root_path}adm/index.{$this->php_ext}", false, true, $this->user->data['session_id'])); |
|
180
|
|
|
} |
|
181
|
|
|
$redirect = $this->request->variable('redirect', "{$this->root_path}/index.{$this->php_ext}"); |
|
182
|
|
|
redirect(append_sid($redirect, false, true, $this->user->data['session_id'])); |
|
183
|
|
|
} |
|
184
|
|
|
throw new BadRequestHttpException($this->user->lang('TFA_SOMETHING_WENT_WRONG')); |
|
185
|
|
|
} |
|
186
|
|
|
} |
|
187
|
|
|
|
paul999 /
phpbb_2fa
Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation.
You can also find more detailed suggestions in the “Code” section of your repository.