[ Index ]

PHP Cross Reference of DokuWiki

title

Body

[close]

/inc/ -> auth.php (summary)

Authentication library Including this file will automatically try to login a user by calling auth_login()

Author: Andreas Gohr
License: GPL 2 (http://www.gnu.org/licenses/gpl.html)
File Size: 1267 lines (38 kb)
Included or required: 1 time
Referenced: 0 times
Includes or requires: 0 files

Defines 29 functions

  auth_setup()
  auth_loadACL()
  auth_login_wrapper()
  auth_login()
  auth_browseruid()
  auth_cookiesalt()
  auth_randombytes()
  auth_random()
  auth_encrypt()
  auth_decrypt()
  auth_logoff()
  auth_ismanager()
  auth_isadmin()
  auth_isMember()
  auth_quickaclcheck()
  auth_aclcheck()
  auth_aclcheck_cb()
  auth_nameencode()
  auth_nameencode_callback()
  auth_pwgen()
  auth_sendPassword()
  register()
  updateprofile()
  auth_deleteprofile()
  act_resendpwd()
  auth_cryptPassword()
  auth_verifyPassword()
  auth_setCookie()
  auth_getCookie()

Functions
Functions that are not part of a class:

auth_setup()   X-Ref
Initialize the auth system.

This function is automatically called at the end of init.php

This used to be the main() of the auth.php

triggers: AUTH_LOGIN_CHECK
return: bool

auth_loadACL()   X-Ref
Loads the ACL setup and handle user wildcards

author: Andreas Gohr <andi@splitbrain.org>
return: array

auth_login_wrapper($evdata)   X-Ref
Event hook callback for AUTH_LOGIN_CHECK

param: array $evdata
return: bool

auth_login($user, $pass, $sticky = false, $silent = false)   X-Ref
This tries to login the user based on the sent auth credentials

The authentication works like this: if a username was given
a new login is assumed and user/password are checked. If they
are correct the password is encrypted with blowfish and stored
together with the username in a cookie - the same info is stored
in the session, too. Additonally a browserID is stored in the
session.

If no username was given the cookie is checked: if the username,
crypted password and browserID match between session and cookie
no further testing is done and the user is accepted

If a cookie was found but no session info was availabe the
blowfish encrypted password from the cookie is decrypted and
together with username rechecked by calling this function again.

On a successful login $_SERVER[REMOTE_USER] and $USERINFO
are set.

author: Andreas Gohr <andi@splitbrain.org>
param: string  $user    Username
param: string  $pass    Cleartext Password
param: bool    $sticky  Cookie should not expire
param: bool    $silent  Don't show error on bad auth
return: bool             true on successful auth

auth_browseruid()   X-Ref
Builds a pseudo UID from browser and IP data

This is neither unique nor unfakable - still it adds some
security. Using the first part of the IP makes sure
proxy farms like AOLs are still okay.

author: Andreas Gohr <andi@splitbrain.org>
return: string  a MD5 sum of various browser headers

auth_cookiesalt($addsession = false, $secure = false)   X-Ref
Creates a random key to encrypt the password in cookies

This function tries to read the password for encrypting
cookies from $conf['metadir'].'/_htcookiesalt'
if no such file is found a random key is created and
and stored in this file.

author: Andreas Gohr <andi@splitbrain.org>
param: bool $addsession if true, the sessionid is added to the salt
param: bool $secure     if security is more important than keeping the old value
return: string

auth_randombytes($length)   X-Ref
Return cryptographically secure random bytes.

author: Niklas Keller <me@kelunik.com>
param: int $length number of bytes
return: string cryptographically secure random bytes

auth_random($min, $max)   X-Ref
Cryptographically secure random number generator.

author: Niklas Keller <me@kelunik.com>
param: int $min
param: int $max
return: int

auth_encrypt($data, $secret)   X-Ref
Encrypt data using the given secret using AES

The mode is CBC with a random initialization vector, the key is derived
using pbkdf2.

param: string $data   The data that shall be encrypted
param: string $secret The secret/password that shall be used
return: string The ciphertext

auth_decrypt($ciphertext, $secret)   X-Ref
Decrypt the given AES ciphertext

The mode is CBC, the key is derived using pbkdf2

param: string $ciphertext The encrypted data
param: string $secret     The secret/password that shall be used
return: string The decrypted data

auth_logoff($keepbc = false)   X-Ref
Log out the current user

This clears all authentication data and thus log the user
off. It also clears session data.

author: Andreas Gohr <andi@splitbrain.org>
param: bool $keepbc - when true, the breadcrumb data is not cleared

auth_ismanager($user = null, $groups = null, $adminonly = false)   X-Ref
Check if a user is a manager

Should usually be called without any parameters to check the current
user.

The info is available through $INFO['ismanager'], too

author: Andreas Gohr <andi@splitbrain.org>
param: string $user       Username
param: array  $groups     List of groups the user is in
param: bool   $adminonly  when true checks if user is admin
return: bool
see: auth_isadmin

auth_isadmin($user = null, $groups = null)   X-Ref
Check if a user is admin

Alias to auth_ismanager with adminonly=true

The info is available through $INFO['isadmin'], too

author: Andreas Gohr <andi@splitbrain.org>
param: string $user       Username
param: array  $groups     List of groups the user is in
return: bool
see: auth_ismanager()

auth_isMember($memberlist, $user, array $groups)   X-Ref
Match a user and his groups against a comma separated list of
users and groups to determine membership status

Note: all input should NOT be nameencoded.

param: string $memberlist commaseparated list of allowed users and groups
param: string $user       user to match against
param: array  $groups     groups the user is member of
return: bool       true for membership acknowledged

auth_quickaclcheck($id)   X-Ref
Convinience function for auth_aclcheck()

This checks the permissions for the current user

author: Andreas Gohr <andi@splitbrain.org>
param: string  $id  page ID (needs to be resolved and cleaned)
return: int          permission level

auth_aclcheck($id, $user, $groups)   X-Ref
Returns the maximum rights a user has for the given ID or its namespace

author: Andreas Gohr <andi@splitbrain.org>
triggers: AUTH_ACL_CHECK
param: string       $id     page ID (needs to be resolved and cleaned)
param: string       $user   Username
param: array|null   $groups Array of groups the user is in
return: int             permission level

auth_aclcheck_cb($data)   X-Ref
default ACL check method

DO NOT CALL DIRECTLY, use auth_aclcheck() instead

author: Andreas Gohr <andi@splitbrain.org>
param: array $data event data
return: int   permission level

auth_nameencode($name, $skip_group = false)   X-Ref
Encode ASCII special chars

Some auth backends allow special chars in their user and groupnames
The special chars are encoded with this function. Only ASCII chars
are encoded UTF-8 multibyte are left as is (different from usual
urlencoding!).

Decoding can be done with rawurldecode

author: Andreas Gohr <gohr@cosmocode.de>
param: string $name
param: bool $skip_group
return: string
see: rawurldecode()

auth_nameencode_callback($matches)   X-Ref
callback encodes the matches

param: array $matches first complete match, next matching subpatterms
return: string

auth_pwgen($foruser = '')   X-Ref
Create a pronouncable password

The $foruser variable might be used by plugins to run additional password
policy checks, but is not used by the default implementation

author: Andreas Gohr <andi@splitbrain.org>
triggers: AUTH_PASSWORD_GENERATE
link: http://www.phpbuilder.com/annotate/message.php3?id=1014451
param: string $foruser username for which the password is generated
return: string  pronouncable password

auth_sendPassword($user, $password)   X-Ref
Sends a password to the given user

author: Andreas Gohr <andi@splitbrain.org>
param: string $user Login name of the user
param: string $password The new password in clear text
return: bool  true on success

register()   X-Ref
Register a new user

This registers a new user - Data is read directly from $_POST

author: Andreas Gohr <andi@splitbrain.org>
return: bool  true on success, false on any error

updateprofile()   X-Ref
Update user profile

author: Christopher Smith <chris@jalakai.co.uk>

auth_deleteprofile()   X-Ref
Delete the current logged-in user

return: bool true on success, false on any error

act_resendpwd()   X-Ref
Send a  new password

This function handles both phases of the password reset:

- handling the first request of password reset
- validating the password reset auth token

author: Benoit Chesneau <benoit@bchesneau.info>
author: Chris Smith <chris@jalakai.co.uk>
author: Andreas Gohr <andi@splitbrain.org>
return: bool true on success, false on any error

auth_cryptPassword($clear, $method = '', $salt = null)   X-Ref
Encrypts a password using the given method and salt

If the selected method needs a salt and none was given, a random one
is chosen.

author: Andreas Gohr <andi@splitbrain.org>
param: string $clear The clear text password
param: string $method The hashing method
param: string $salt A salt, null for random
return: string  The crypted password

auth_verifyPassword($clear, $crypt)   X-Ref
Verifies a cleartext password against a crypted hash

author: Andreas Gohr <andi@splitbrain.org>
param: string $clear The clear text password
param: string $crypt The hash to compare with
return: bool true if both match

auth_setCookie($user, $pass, $sticky)   X-Ref
Set the authentication cookie and add user identification data to the session

param: string  $user       username
param: string  $pass       encrypted password
param: bool    $sticky     whether or not the cookie will last beyond the session
return: bool

auth_getCookie()   X-Ref
Returns the user, (encrypted) password and sticky bit from cookie

returns: array