force regeneration of auth_hash on login. Fix failed auth_hash verification not logging you out by returning null instead of false. Update session with new auth_hash when forcing regeneration

This commit is contained in:
Isaac Connor 2019-06-04 16:26:29 -04:00
parent 7649f5d6b9
commit 168aa35461
1 changed files with 12 additions and 19 deletions

View File

@ -283,8 +283,7 @@ function getAuthUser($auth, $from_api_layer = false) {
$sql = 'SELECT * FROM Users WHERE Enabled = 1';
}
foreach ( dbFetchAll($sql, NULL, $values) as $user )
{
foreach ( dbFetchAll($sql, NULL, $values) as $user ) {
$now = time();
for ( $i = 0; $i < ZM_AUTH_HASH_TTL; $i++, $now -= ZM_AUTH_HASH_TTL * 1800 ) { // Try for last two hours
$time = localtime($now);
@ -309,14 +308,13 @@ function getAuthUser($auth, $from_api_layer = false) {
} // end foreach user
} // end if using auth hash
ZM\Error("Unable to authenticate user from auth hash '$auth'");
return false;
return null;
} // end getAuthUser($auth)
function generateAuthHash($useRemoteAddr, $force=false) {
if ( ZM_OPT_USE_AUTH and ZM_AUTH_RELAY == 'hashed' and isset($_SESSION['username']) and $_SESSION['passwordHash'] ) {
if ( ZM_OPT_USE_AUTH and (ZM_AUTH_RELAY == 'hashed') and isset($_SESSION['username']) and $_SESSION['passwordHash'] ) {
$time = time();
$mintime = $time - ( ZM_AUTH_HASH_TTL * 1800 );
if ( $force or ( !isset($_SESSION['AuthHash'.$_SESSION['remoteAddr']]) ) or ( $_SESSION['AuthHashGeneratedAt'] < $mintime ) ) {
@ -330,18 +328,14 @@ function generateAuthHash($useRemoteAddr, $force=false) {
}
#ZM\Logger::Debug("Generated using hour:".$local_time[2] . ' mday:' . $local_time[3] . ' month:'.$local_time[4] . ' year: ' . $local_time[5] );
$auth = md5($authKey);
if ( !$force ) {
$close_session = 0;
if ( !is_session_started() ) {
session_start();
$close_session = 1;
}
$_SESSION['AuthHash'.$_SESSION['remoteAddr']] = $auth;
$_SESSION['AuthHashGeneratedAt'] = $time;
session_write_close();
} else {
return $auth;
$close_session = 0;
if ( !is_session_started() ) {
session_start();
$close_session = 1;
}
$_SESSION['AuthHash'.$_SESSION['remoteAddr']] = $auth;
$_SESSION['AuthHashGeneratedAt'] = $time;
session_write_close();
#ZM\Logger::Debug("Generated new auth $auth at " . $_SESSION['AuthHashGeneratedAt']. " using $authKey" );
#} else {
#ZM\Logger::Debug("Using cached auth " . $_SESSION['AuthHash'] ." beacuse generatedat:" . $_SESSION['AuthHashGeneratedAt'] . ' < now:'. $time . ' - ' . ZM_AUTH_HASH_TTL . ' * 1800 = '. $mintime);
@ -401,15 +395,14 @@ if ( ZM_OPT_USE_AUTH ) {
}
} else if ( isset($_REQUEST['username']) and isset($_REQUEST['password']) ) {
userLogin($_REQUEST['username'], $_REQUEST['password'], false);
generateAuthHash(ZM_AUTH_HASH_IPS, true);
}
if (empty($user) && !empty($_REQUEST['token']) ) {
if ( empty($user) && !empty($_REQUEST['token']) ) {
$ret = validateToken($_REQUEST['token'], 'access');
$user = $ret[0];
}
if ( !empty($user) ) {
// generate it once here, while session is open. Value will be cached in session and return when called later on
generateAuthHash(ZM_AUTH_HASH_IPS);