Split calculateAuthHash out from generateAuthHash. API is sessionless, so we just want to provide a means of getting the auth hash without caching or doing anything else fancy with it.

Isaac Connor 2021-05-18 10:51:29 -04:00
parent 8dd1c67c1c
commit fffe72a3fa
1 changed files with 9 additions and 9 deletions


@ -208,6 +208,14 @@ function getAuthUser($auth) {
return null; return null;
} // end getAuthUser($auth) } // end getAuthUser($auth)
function calculateAuthHash($remoteAddr) {
global $user;
$local_time = localtime();
$authKey = ZM_AUTH_HASH_SECRET.$user['Username'].$user['Password'].$remoteAddr.$local_time[2].$local_time[3].$local_time[4].$local_time[5];
#ZM\Debug("Generated using hour:".$local_time[2] . ' mday:' . $local_time[3] . ' month:'.$local_time[4] . ' year: ' . $local_time[5] );
return md5($authKey);
}
function generateAuthHash($useRemoteAddr, $force=false) { function generateAuthHash($useRemoteAddr, $force=false) {
global $user; global $user;
if (ZM_OPT_USE_AUTH and (ZM_AUTH_RELAY == 'hashed') and isset($user['Username']) and isset($user['Password']) and isset($_SESSION)) { if (ZM_OPT_USE_AUTH and (ZM_AUTH_RELAY == 'hashed') and isset($user['Username']) and isset($user['Password']) and isset($_SESSION)) {
@ -218,16 +226,8 @@ function generateAuthHash($useRemoteAddr, $force=false) {
# Appending the remoteAddr prevents us from using an auth hash generated for a different ip # Appending the remoteAddr prevents us from using an auth hash generated for a different ip
if ($force or ( !isset($_SESSION['AuthHash'.$_SESSION['remoteAddr']]) ) or ( $_SESSION['AuthHashGeneratedAt'] < $mintime )) { if ($force or ( !isset($_SESSION['AuthHash'.$_SESSION['remoteAddr']]) ) or ( $_SESSION['AuthHashGeneratedAt'] < $mintime )) {
$auth = calculateAuthHash($useRemoteAddr?$_SESSION['remoteAddr']:'');
# Don't both regenerating Auth Hash if an hour hasn't gone by yet # Don't both regenerating Auth Hash if an hour hasn't gone by yet
$local_time = localtime();
$authKey = '';
if ($useRemoteAddr) {
$authKey = ZM_AUTH_HASH_SECRET.$user['Username'].$user['Password'].$_SESSION['remoteAddr'].$local_time[2].$local_time[3].$local_time[4].$local_time[5];
} else {
$authKey = ZM_AUTH_HASH_SECRET.$user['Username'].$user['Password'].$local_time[2].$local_time[3].$local_time[4].$local_time[5];
}
#ZM\Debug("Generated using hour:".$local_time[2] . ' mday:' . $local_time[3] . ' month:'.$local_time[4] . ' year: ' . $local_time[5] );
$auth = md5($authKey);
$_SESSION['AuthHash'.$_SESSION['remoteAddr']] = $auth; $_SESSION['AuthHash'.$_SESSION['remoteAddr']] = $auth;
$_SESSION['AuthHashGeneratedAt'] = $time; $_SESSION['AuthHashGeneratedAt'] = $time;
# Because we don't write out the session, it shouldn't actually get written out to disk. However if it does, the GeneratedAt should protect us. # Because we don't write out the session, it shouldn't actually get written out to disk. However if it does, the GeneratedAt should protect us.
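Review bot: calculateAuthHash() reads `$user['Username']` and `$user['Password']` from the global without the `isset()` checks that guard the same concatenation in generateAuthHash(), so a direct caller with no authenticated user would get an MD5 built only from ZM_AUTH_HASH_SECRET, the address and the `localtime()` fields. The commit message says the sessionless API is meant to call this helper directly, so the guard belongs in the helper itself, e.g. `if (!isset($user['Username'], $user['Password'])) return null;` right after `global $user;`. Whether such a user-less hash would ever be accepted depends on the validation code, which lies outside these hunks, so that part needs confirming. A short comment on the function saying that the value changes with the hour, day, month and year fields and embeds the caller-supplied `$remoteAddr` would also help callers that bypass the session cache.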