new basic auth alternative, session based, but backwards compatible

Author: janhalfar

lib/Foomo/BasicAuth.php

@@ -30,10 +30,21 @@ class BasicAuth {
 
 	private $authUserFile;
 	private $passwordEncryption;
+	private $authUserDomain;
 	private $authenticated = false;
 
 	const DEFAULT_AUTH_DOMAIN = 'default';
 
+	public static function getCurrentUser()
+	{
+		if(isset($_SERVER["PHP_AUTH_USER"])) {
+			return $_SERVER["PHP_AUTH_USER"];
+		} else if(BasicAuth\HTML::isAvailable()) {
+			return BasicAuth\HTML\Session::getUser();
+		} else {
+			return "";
+		}
+	}
 	/**
 	 * construct your auth object
 	 *
@@ -45,10 +56,12 @@ public function __construct($authUserDomain = null, $passwordEncryption = 'crypt
 	{
 		$authUserFile = null;
 		if (is_null($authUserDomain)) {
+			$this->authUserDomain = self::DEFAULT_AUTH_DOMAIN;
 			if (file_exists(self::getDefaultAuthFilename())) {
 				$authUserFile = self::getDefaultAuthFilename();
 			}
 		} else {
+			$this->authUserDomain = $authUserDomain;
 			$authUserFile = self::getAuthFilename($authUserDomain);
 		}
 		if (!file_exists($authUserFile)) {
@@ -136,47 +149,11 @@ public function checkAuthentication()
 		} else {
 			$auth = false;
 			if (isset($_SERVER["PHP_AUTH_USER"]) && $_SERVER["PHP_AUTH_PW"]) {
-				$fp = fopen($this->authUserFile, 'r');
-				while ($line = fgets($fp)) {
-					$line = trim($line);
-					$parts = explode(':', $line);
-					if(count($parts)==2) {
-						list($username, $password) = $parts;
-						if ($username == $_SERVER['PHP_AUTH_USER']) {
-							switch(true) {
-								case strpos($password, '{SHA}') === 0:
-									//trigger_error("sha " . $password . " " . $_SERVER["PHP_AUTH_PW"] . " " .  base64_encode(sha1($_SERVER["PHP_AUTH_PW"], true)), E_USER_WARNING);
-									// inline sha
-									$this->passwordEncryption = "sha1";
-									break;
-							}
-							switch ($this->passwordEncryption) {
-								case 'crypt':
-									// Get the salt from $password. It is always the first
-									// two characters of a DES-encrypted string.
-									$salt = substr($password, 0, 2);
-									// Encrypt $PHP_AUTH_PW based on $salt
-									$hashedPassword = crypt($_SERVER["PHP_AUTH_PW"], $salt);
-									break;
-								case 'sha1':
-									$hashedPassword = "{SHA}" . base64_encode(sha1($_SERVER["PHP_AUTH_PW"], true));
-									break;
-								default:
-									$hashedPassword = null;
-									trigger_error("unsupported password hashing algorithm", E_USER_ERROR);
-							}
-							if ($password == $hashedPassword) {
-								// A match is found, meaning the user is authenticated.
-								// Stop the search.
-								$auth = true;
-								break;
-							}
-						}
-					} else {
-						trigger_error("fishy line in basic auth file", E_USER_WARNING);
-					}
+				$auth = $this->checkCredentials($_SERVER["PHP_AUTH_USER"], $_SERVER["PHP_AUTH_PW"]);
+				if(!$auth && BasicAuth\HTML::isAvailable()) {
+					// token fallback
+					$auth = in_array($this->authUserDomain, BasicAuth\Token::useToken($_SERVER["PHP_AUTH_USER"], $_SERVER["PHP_AUTH_PW"]));
 				}
-				fclose($fp);
 			}
 			if (!$auth) {
 				return false;
@@ -186,6 +163,55 @@ public function checkAuthentication()
 			}
 		}
 	}
+	private function checkCredentials($user, $password)
+	{
+		$auth = false;
+		$fp = fopen($this->authUserFile, 'r');
+		while ($line = fgets($fp)) {
+			$line = trim($line);
+			$parts = explode(':', $line);
+			if(count($parts)==2) {
+				list($fileUserName, $filePasswordHash) = $parts;
+				if ($fileUserName == $user) {
+					switch(true) {
+						case strpos($filePasswordHash, '{SHA}') === 0:
+							// inline sha
+							$this->passwordEncryption = "sha1";
+							break;
+					}
+					switch ($this->passwordEncryption) {
+						case 'crypt':
+							// Get the salt from $password. It is always the first
+							// two characters of a DES-encrypted string.
+							$salt = substr($filePasswordHash, 0, 2);
+							$hashedPassword = crypt($password, $salt);
+							break;
+						case 'sha1':
+							$hashedPassword = "{SHA}" . base64_encode(sha1($password, true));
+							break;
+						default:
+							$hashedPassword = null;
+							trigger_error("unsupported password hashing algorithm", E_USER_ERROR);
+					}
+					if ($filePasswordHash == $hashedPassword) {
+						// A match is found, meaning the user is authenticated.
+						// Stop the search.
+						$auth = true;
+						break;
+					}
+				}
+			} else {
+				trigger_error("fishy line in basic auth file", E_USER_WARNING);
+			}
+		}
+		fclose($fp);
+		return $auth;
+	}
+	public static function checkCredentialsForDomain($user, $password, $domain)
+	{
+		$inst = new self($domain);
+		return $inst->checkCredentials($user, $password);
+	}
 	/**
 	 * check if you are authenticated use @see checkAuthentication instead
 	 *
@@ -197,8 +223,11 @@ public function getAuthenticated()
 		return $this->checkAuthentication();
 	}
 
-	public function logout()
+	public static function logout()
 	{
-
+		if(isset($_SERVER["PHP_AUTH_USER"])) {
+			header('WWW-Authenticate: Basic realm="' . \Foomo\Frontend::BASIC_AUTH_REALM . '", true, 401');
+		}
+		BasicAuth\HTML::logout();
 	}
 }

lib/Foomo/BasicAuth/Frontend/Controller.php

@@ -34,7 +34,7 @@ class Controller
 	//---------------------------------------------------------------------------------------------
 
 	/**
-	 * @var Foomo\BasicAuth\Frontend\Model
+	 * @var Model
 	 */
 	public $model;
 

lib/Foomo/BasicAuth/HTML.php

@@ -0,0 +1,69 @@
+<?php
+
+/*
+ * This file is part of the foomo Opensource Framework.
+ *
+ * The foomo Opensource Framework is free software: you can redistribute it
+ * and/or modify it under the terms of the GNU Lesser General Public License as
+ * published  by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * The foomo Opensource Framework is distributed in the hope that it will
+ * be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
+ * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License along with
+ * the foomo Opensource Framework. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+namespace Foomo\BasicAuth;
+
+/**
+ * basic auth file CRUD
+ *
+ * @link www.foomo.org
+ * @license www.gnu.org/licenses/lgpl.txt
+ * @author jan <[email protected]>
+ */
+class HTML
+{
+	public static function auth(array $domains, $authMVCClassOrObject = "Foomo\\BasicAuth\\HTML\\Frontend")
+	{
+		if(!self::isAvailable() || (!empty($_SERVER["PHP_AUTH_USER"]) && !empty($_SERVER["PHP_AUTH_PW"]))) {
+			// basic auth fallback
+			\Foomo\BasicAuth::auth("authenticate", $domains[0]);
+		} else {
+			if(!HTML\Session::userIsAuthenticatedForOneDomain($domains)) {
+				if(is_string($authMVCClassOrObject)) {
+					$authMVCClassOrObject = new $authMVCClassOrObject($domains);
+				}
+				echo \Foomo\MVC::run($authMVCClassOrObject, $_SERVER["REQUEST_URI"], true);
+				exit;
+			}
+		}
+	}
+	public static function login($user, $password, $domains)
+	{
+		$authenticatedDomains = [];
+		foreach($domains as $domain) {
+			if(\Foomo\BasicAuth::checkCredentialsForDomain($user, $password, $domain)) {
+				$authenticatedDomains[] = $domain;
+			}
+		}
+		if(count($authenticatedDomains) > 0) {
+			\Foomo\MVC::abort();
+			\Foomo\BasicAuth\HTML\Session::setUser($user, $authenticatedDomains);
+			header('Location: ' . $_SERVER["REQUEST_URI"]);
+			exit;
+		}
+	}
+	public static function isAvailable()
+	{
+		return \Foomo\Session::getEnabled();
+	}
+	public static function logout()
+	{
+		HTML\Session::reset();
+	}
+}

lib/Foomo/BasicAuth/HTML/Frontend.php

@@ -0,0 +1,44 @@
+<?php
+/*
+ * This file is part of the foomo Opensource Framework.
+ * 
+ * The foomo Opensource Framework is free software: you can redistribute it
+ * and/or modify it under the terms of the GNU Lesser General Public License as
+ * published  by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ * 
+ * The foomo Opensource Framework is distributed in the hope that it will
+ * be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
+ * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ * 
+ * You should have received a copy of the GNU Lesser General Public License along with
+ * the foomo Opensource Framework. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+namespace Foomo\BasicAuth\HTML;
+
+use Foomo\MVC\AbstractApp;
+
+/**
+ * @link www.foomo.org
+ * @license www.gnu.org/licenses/lgpl.txt
+ * @author jan
+ */
+
+class Frontend extends AbstractApp 
+{
+	/**
+	 * @var Frontend\Model
+	 */
+	public $model;
+	/**
+	 * @var Frontend\Controller
+	 */
+	public $controller;
+	public function __construct($domains)
+	{
+		parent::__construct(__CLASS__);
+		$this->model->domains = $domains;
+	}
+}

lib/Foomo/BasicAuth/HTML/Frontend/Controller.php

@@ -0,0 +1,47 @@
+<?php
+
+/*
+ * This file is part of the foomo Opensource Framework.
+ * 
+ * The foomo Opensource Framework is free software: you can redistribute it
+ * and/or modify it under the terms of the GNU Lesser General Public License as
+ * published  by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ * 
+ * The foomo Opensource Framework is distributed in the hope that it will
+ * be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
+ * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ * 
+ * You should have received a copy of the GNU Lesser General Public License along with
+ * the foomo Opensource Framework. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+namespace Foomo\BasicAuth\HTML\Frontend;
+use Foomo\MVC;
+
+/**
+ * @link www.foomo.org
+ * @license www.gnu.org/licenses/lgpl.txt
+ * @author jan
+ */
+ 
+class Controller
+{
+	/**
+	 * my model
+	 *
+	 * @var Model
+	 */
+	public $model;
+
+	public function actionDefault()
+	{
+		if(!empty($_POST["name"]) && !empty($_POST["password"])) {
+			$user = $_POST["name"];
+			$password = $_POST["password"];
+			\Foomo\BasicAuth\HTML::login($user, $password, $this->model->domains);
+
+		}
+	}
+}

lib/Foomo/BasicAuth/HTML/Frontend/Model.php

@@ -0,0 +1,31 @@
+<?php
+
+/*
+ * This file is part of the foomo Opensource Framework.
+ * 
+ * The foomo Opensource Framework is free software: you can redistribute it
+ * and/or modify it under the terms of the GNU Lesser General Public License as
+ * published  by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ * 
+ * The foomo Opensource Framework is distributed in the hope that it will
+ * be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
+ * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ * 
+ * You should have received a copy of the GNU Lesser General Public License along with
+ * the foomo Opensource Framework. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+namespace Foomo\BasicAuth\HTML\Frontend;
+ 
+/**
+ * @link www.foomo.org
+ * @license www.gnu.org/licenses/lgpl.txt
+ * @author jan
+ */
+ 
+class Model
+{
+	public $domains;
+}