Commit Graph

28 Commits

Author SHA1 Message Date
Pliable Pixels f9730bb46b remove auth_hash_ip 2019-05-08 14:07:48 -04:00
Pliable Pixels bc050fe330 support refresh tokens as well for increased security 2019-05-08 13:38:42 -04:00
Pliable Pixels b293592e4c added token validation to zms/zmu/zmuser 2019-05-08 10:55:32 -04:00
Pliable Pixels e8f79f3254 JWT integration, validate JWT token via validateToken 2019-05-07 15:04:51 -04:00
Pliable Pixels ca3f65deef go back to jwt-cpp as PR merged 2019-05-05 14:32:09 -04:00
Pliable Pixels a55a11dad1 first attempt to fix cast error 2019-05-05 11:24:55 -04:00
Pliable Pixels 8d62c61b7a fixed module path 2019-05-05 07:50:52 -04:00
Pliable Pixels 725c3c50ed use php-jwt, use proper way to add PHP modules, via composer 2019-05-05 07:08:25 -04:00
Pliable Pixels 887912e7ad bcrypt auth migration in PHP land 2019-05-01 13:22:24 -04:00
Matthew Noorenberghe 3c31dd63ce Use zm_session_start() for API auth. Fixes #2547 2019-03-11 00:27:46 -07:00
Isaac Connor 6e4444099b Only populate session with user info on successful login. Use parameters in sql when loading users in getAuthUser. Fixes #2542 2019-02-27 09:57:50 -05:00
Isaac Connor df3e11d83c Fix authentication in api because we no longer store the user object in the session 2019-02-26 17:01:45 -05:00
Isaac Connor 2b90bf15a6
Improve session (#2487)
* Introduce ZM_COOKIE_LIFETIME which sets the life of the SESSION cookie, instead of using what is in php.ini

* Use zm specific session functions, which are now located in includes/session.php. Be more aggressive about clearing session on logout.

* Move session code to includes/session.php

* remove duplicate line

* Move is_session_open to session.php.  Move code to clear a session into session.php

* improve debug line when there is a problem updating config entry

* split description into description and help text for COOKIE_LIFETIME

* Remove redirect on line.  We do it in javascript on postlogin view so that we can say logging in before switching to console

* If there is a username in the session, then we are logged in, but we need to load the user object from the db.  We can't just trust it from the session. The user may have been deleted and having that data in the session can be a security risk. So load the user object on every request.

* Use session_regenerate_id instead of our broken code to do the same

* Move auth code to includes/auth.php

* add autocomplete tags to username and password inputs

* Don't redirect to login if we are already viewing login.  Put auth before including skin includes

* need to include session.php in auth.php

* update to php namespace
2019-02-22 09:43:38 -05:00
Isaac Connor 8dd8888975
Php namespace (#2537)
* experiment with namespaces on the Server class

* experiment with namespaces on the Server class

* Implement the ZM namespace on objects

* Implement the ZM namespace on objects

* Implement the ZM namespace on objects
2019-02-22 09:19:07 -05:00
Isaac Connor eba8b3327d Merge branch 'master' into cleanup_auth 2018-12-11 16:04:42 -05:00
Isaac Connor 17a5519dd6
Include the remoteAddr in the session authhash cache, so that a change of ip won't allow the same useless auth hash. (#2264) 2018-10-19 13:39:37 -04:00
Isaac Connor cbc26e0cec cleanup trailing whitespace 2018-10-09 10:07:40 -04:00
Isaac Connor a3d0cb42ea Move GOOGLE RECAPTCHA to includes/auth.php, clean login actions. 2018-10-09 10:05:50 -04:00
Pliable Pixels 0ff9002adf 2156 api login (#2157)
* error can be due to bad user or password

* added login/logout and related private functions

* handle case when userLogin fails, current code returns PHP error for  and API throw is not called

* formatting

* converted login params to POST, removed user=&pass= for other APIs

* formatting

* add auth check back but leave out login/out

* fixes to make it work across zmN, postman and curl

* added back enabled check
2018-07-15 21:17:35 -04:00
Isaac Connor b8691e4654 Don't need global cookies. Only open session if needed in userLogin 2018-07-11 11:45:19 -04:00
Isaac Connor c6ded845d0 Return the user db row from userLogin instead of assuming it will be accessed as a global. Add is_session_started function and use it to detect when we need to start/stop the session in generateAuthHash 2018-07-11 10:34:45 -04:00
Isaac Connor d271d8bf1d Fix my botched change to generateAuthHash 2018-06-25 14:50:54 -04:00
Isaac Connor 99a97543f1 Rework generateAuthHash to take a force parameter so that it can be used to generate auth hashes for zmu 2018-06-25 13:43:08 -04:00
Isaac Connor 3bb1a5b544 Whitespace 2018-04-30 13:02:53 -04:00
Isaac Connor 0b0fbae1c5 Add output of paused image when paused 2018-04-12 18:43:57 -04:00
Isaac Connor 530ac15344 remove csrf_startup 2018-04-06 14:46:33 -04:00
Isaac Connor 53ce8c008a move auth functions into its own file 2018-04-06 14:36:23 -04:00
Isaac Connor 7b23ef80a4 blah 2018-04-06 14:31:11 -04:00