Move GOOGLE RECAPCHA to includes/auth.php, clean login actions.

This commit is contained in:
Isaac Connor 2018-10-09 10:05:50 -04:00
parent 918d5fd469
commit a3d0cb42ea
3 changed files with 68 additions and 63 deletions

View File

@ -43,52 +43,17 @@ if ( empty($action) ) {
return;
}
if ( $action == 'login' && isset($_REQUEST['username']) && ( ZM_AUTH_TYPE == 'remote' || isset($_REQUEST['password']) ) ) {
// if true, a popup will display after login
// PP - lets validate reCaptcha if it exists
if ( defined('ZM_OPT_USE_GOOG_RECAPTCHA')
&& defined('ZM_OPT_GOOG_RECAPTCHA_SECRETKEY')
&& defined('ZM_OPT_GOOG_RECAPTCHA_SITEKEY')
&& ZM_OPT_USE_GOOG_RECAPTCHA && ZM_OPT_GOOG_RECAPTCHA_SECRETKEY
&& ZM_OPT_GOOG_RECAPTCHA_SITEKEY )
{
$url = 'https://www.google.com/recaptcha/api/siteverify';
$fields = array (
'secret' => ZM_OPT_GOOG_RECAPTCHA_SECRETKEY,
'response' => $_REQUEST['g-recaptcha-response'],
'remoteip' => $_SERVER['REMOTE_ADDR']
);
$res = do_post_request($url, http_build_query($fields));
$responseData = json_decode($res,true);
// PP - credit: https://github.com/google/recaptcha/blob/master/src/ReCaptcha/Response.php
// if recaptcha resulted in error, we might have to deny login
if ( isset($responseData['success']) && $responseData['success'] == false ) {
// PP - before we deny auth, let's make sure the error was not 'invalid secret'
// because that means the user did not configure the secret key correctly
// in this case, we prefer to let him login in and display a message to correct
// the key. Unfortunately, there is no way to check for invalid site key in code
// as it produces the same error as when you don't answer a recaptcha
if ( isset($responseData['error-codes']) && is_array($responseData['error-codes']) ) {
if ( !in_array('invalid-input-secret',$responseData['error-codes']) ) {
Error('reCaptcha authentication failed');
userLogout();
$view = 'login';
$refreshParent = true;
return;
} else {
//Let them login but show an error
echo '<script type="text/javascript">alert("'.translate('RecaptchaWarning').'"); </script>';
Error('Invalid recaptcha secret detected');
}
}
} // end if success==false
} // end if using reCaptcha
$username = validStr($_REQUEST['username']);
$password = isset($_REQUEST['password'])?validStr($_REQUEST['password']):'';
userLogin($username, $password);
$refreshParent = true;
$view = 'console';
$redirect = ZM_BASE_URL.$_SERVER['PHP_SELF'].'?view=console';
// User login is automatically performed in includes/auth.php So we don't need to perform a login here,
// just handle redirects. This is the action that comes from the login view, so the logical thing to
// do on successful auth is redirect to console, otherwise loop back to login.
if ( !$user ) {
$view = 'login';
} else {
$view = 'console';
$redirect = ZM_BASE_URL.$_SERVER['PHP_SELF'].'?view=console';
}
} else if ( $action == 'logout' ) {
userLogout();
$refreshParent = true;

View File

@ -18,9 +18,50 @@
// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
function userLogin($username, $password='', $passwordHashed=false) {
function userLogin($username='', $password='', $passwordHashed=false) {
global $user;
if ( !$username and isset($_REQUEST['username']) )
$username = $_REQUEST['username'];
if ( !$password and isset($_REQUEST['password']) )
$password = $_REQUEST['password'];
// if true, a popup will display after login
// PP - lets validate reCaptcha if it exists
if ( defined('ZM_OPT_USE_GOOG_RECAPTCHA')
&& defined('ZM_OPT_GOOG_RECAPTCHA_SECRETKEY')
&& defined('ZM_OPT_GOOG_RECAPTCHA_SITEKEY')
&& ZM_OPT_USE_GOOG_RECAPTCHA
&& ZM_OPT_GOOG_RECAPTCHA_SECRETKEY
&& ZM_OPT_GOOG_RECAPTCHA_SITEKEY )
{
$url = 'https://www.google.com/recaptcha/api/siteverify';
$fields = array (
'secret' => ZM_OPT_GOOG_RECAPTCHA_SECRETKEY,
'response' => $_REQUEST['g-recaptcha-response'],
'remoteip' => $_SERVER['REMOTE_ADDR']
);
$res = do_post_request($url, http_build_query($fields));
$responseData = json_decode($res,true);
// PP - credit: https://github.com/google/recaptcha/blob/master/src/ReCaptcha/Response.php
// if recaptcha resulted in error, we might have to deny login
if ( isset($responseData['success']) && $responseData['success'] == false ) {
// PP - before we deny auth, let's make sure the error was not 'invalid secret'
// because that means the user did not configure the secret key correctly
// in this case, we prefer to let him login in and display a message to correct
// the key. Unfortunately, there is no way to check for invalid site key in code
// as it produces the same error as when you don't answer a recaptcha
if ( isset($responseData['error-codes']) && is_array($responseData['error-codes']) ) {
if ( !in_array('invalid-input-secret',$responseData['error-codes']) ) {
Error('reCaptcha authentication failed');
return null;
} else {
Error('Invalid recaptcha secret detected');
}
}
} // end if success==false
} // end if using reCaptcha
$sql = 'SELECT * FROM Users WHERE Enabled=1';
$sql_values = NULL;
if ( ZM_AUTH_TYPE == 'builtin' ) {
@ -36,7 +77,6 @@ function userLogin($username, $password='', $passwordHashed=false) {
}
$close_session = 0;
if ( !is_session_started() ) {
Logger::Debug("Starting session in userLogin");
session_start();
$close_session = 1;
}
@ -70,7 +110,6 @@ function userLogout() {
session_start();
unset($_SESSION['user']);
unset($user);
session_destroy();
}
@ -179,4 +218,18 @@ function is_session_started() {
return FALSE;
}
if ( ZM_OPT_USE_AUTH ) {
if ( ZM_AUTH_HASH_LOGINS && empty($user) && ! empty($_REQUEST['auth']) ) {
if ( $authUser = getAuthUser($_REQUEST['auth']) ) {
userLogin($authUser['Username'], $authUser['Password'], true);
}
}
else if ( isset($_REQUEST['username']) and isset($_REQUEST['password']) ) {
userLogin($_REQUEST['username'], $_REQUEST['password'], false);
}
if ( !empty($user) ) {
// generate it once here, while session is open. Value will be cached in session and return when called later on
generateAuthHash(ZM_AUTH_HASH_IPS);
}
}
?>

View File

@ -156,7 +156,6 @@ session_write_close();
require_once('includes/lang.php');
require_once('includes/functions.php');
require_once('includes/auth.php');
# Running is global but only do the daemonCheck if it is actually needed
$running = null;
@ -182,20 +181,8 @@ if ( isset($_REQUEST['request']) )
foreach ( getSkinIncludes('skin.php') as $includeFile )
require_once $includeFile;
if ( ZM_OPT_USE_AUTH ) {
if ( ZM_AUTH_HASH_LOGINS && empty($user) && ! empty($_REQUEST['auth']) ) {
if ( $authUser = getAuthUser($_REQUEST['auth']) ) {
userLogin($authUser['Username'], $authUser['Password'], true);
}
}
else if ( isset($_REQUEST['username']) and isset($_REQUEST['password']) ) {
userLogin($_REQUEST['username'], $_REQUEST['password'], false);
}
if ( !empty($user) ) {
// generate it once here, while session is open. Value will be cached in session and return when called later on
generateAuthHash(ZM_AUTH_HASH_IPS);
}
}
# User Login will be performed in auth.php
require_once('includes/auth.php');
if ( isset($_REQUEST['action']) ) {
$action = detaintPath($_REQUEST['action']);
@ -229,7 +216,7 @@ if ( ZM_OPT_USE_AUTH and !isset($user) ) {
Logger::Debug('Redirecting to login');
$view = 'login';
$request = null;
} else if ( ZM_SHOW_PRIVACY && ($action != 'privacy') && ($view !='options') && (!$request) && canEdit('System') ) {
} else if ( ZM_SHOW_PRIVACY && ($action != 'privacy') && ($view != 'options') && (!$request) && canEdit('System') ) {
Logger::Debug('Redirecting to privacy');
$view = 'privacy';
$request = null;