Commit Graph

67 Commits

Author SHA1 Message Date
Isaac Connor b4aacde5bf Remove debug. Auth is pretty solid these days 2020-11-10 13:15:46 -05:00
Isaac Connor 1c5e161909 quotes 2020-10-21 10:37:06 -04:00
Isaac Connor 10c0a6617c Return Debug to a regular function to match other logging functions. Since we switched to using namespaces we no longer clash with cake_php. 2020-10-14 10:39:25 -04:00
Isaac Connor 98dce06d6b Introduce get_auth_relay to return an auth string to use in urls. 2020-08-25 12:38:31 -04:00
Isaac Connor 53f262a4cb Merge pull request #2870 from pliablepixels/dev
#2866 - fixes incorrect token type comparison
2020-03-04 11:31:16 -05:00
Isaac Connor bd59ae8856 Move the Basic Auth login code from skin.php to includes/auth.php 2020-03-02 15:00:31 -05:00
Isaac Connor 0de6396a5b Test for null in user before testing for access in CanEdit et all 2019-12-07 12:39:28 -05:00
Pliable Pixels 7b99c89541
its not necessary the token is a refresh. Can also be empty 2019-11-26 20:57:25 -05:00
Isaac Connor 92bc1791f5 fix accidentally removed code 2019-09-03 11:33:13 -04:00
Isaac Connor a384e978c8 don't load user from session if we have already gotten it from elsewhere 2019-09-03 11:19:42 -04:00
Isaac Connor b84d005d8f Load use from session when it exists 2019-09-03 10:54:34 -04:00
Isaac Connor c80ef0e0ab spacing 2019-08-28 12:20:03 -04:00
Isaac Connor 84492f29b1
Fix token auth sessions (#2676)
* If token is present do token based auth and do not do anything with session

* update HostController.  Use config constants, don't use sessions

* Remove Session from the components list

* spacing

* Remove Session from App Components list.

* Move APIEnabled check to the api from auth.php

* Rework auth.  login using username and password only occurs on login action now.  Including auth.php should not touch the session.  auth_hash logins no longer touch the session.  replace userLogin with a function called validateUser which matches the semantics of validateToken.

* remove debugging

* Add session storage if stateful query param is on, but only for LEGACY_API_AUTH

* fix mUser to username, etc.

* shuffle lines

* use  instead of session when generating auth hash.

* Add docs regarding the use of cookies and stateful query param

* Only open/close session if we are clearing a session var

* Use zm_session_start instead of session_start

* Should use zm_session_start instead of session_start

* document that zm_session_start should be called previously to session_regenerate_id

* Don't actually write out the session when generating auth hashes.  Means they should never actually persist.

* More backticking of SQL

* add .. to fix #2686

* Use material icons for sort because they look nicer

* fix typo

* have to add authhash to session on login

* restore username&password login for all urls

* fix

* fixes
2019-08-20 09:46:53 -04:00
Isaac Connor 3b58da860f fix 2019-08-19 12:08:41 -04:00
Isaac Connor b1132087b8 restore username&password login for all urls 2019-08-19 12:07:38 -04:00
Isaac Connor d39da61b66 Don't actually write out the session when generating auth hashes. Means they should never actually persist. 2019-08-16 15:27:24 -04:00
Isaac Connor 28155ebd90 Should use zm_session_start instead of session_start 2019-08-16 15:08:10 -04:00
Isaac Connor 3475a11e15 use instead of session when generating auth hash. 2019-08-16 14:13:13 -04:00
Isaac Connor 618e6816ef Rework auth. login using username and password only occurs on login action now. Including auth.php should not touch the session. auth_hash logins no longer touch the session. replace userLogin with a function called validateUser which matches the semantics of validateToken. 2019-08-15 14:59:15 -04:00
Isaac Connor 6a425b6988 If token is present do token based auth and do not do anything with session 2019-08-01 10:02:31 -04:00
Isaac Connor 7f19831e0c Use isset when testing for existence of authash in session 2019-07-29 14:54:55 -04:00
Isaac Connor 38bcdbbffe ONly close session if we opened it in generateAuthHash, only try to validate auth hash if it is set in the session 2019-06-21 18:04:39 -04:00
Isaac Connor 60618d5998 Fix hour subtraction in getAuthUser to actually subtract an hour 2019-06-21 11:45:33 -04:00
Isaac Connor 5346f82de9 Fix unable to login when ZM_AUTH_RELAY != hashed and fix setting the password in session when ZM_AUTH_RELAY==plain 2019-06-05 09:23:34 -04:00
Isaac Connor 168aa35461 force regeneration of auth_hash on login. Fix failed auth_hash verification not logging you out by returning null instead of false. Update session with new auth_hash when forcing regeneration 2019-06-04 16:26:29 -04:00
Isaac Connor 1ddd5b1f74 Merge branch 'master' of github.com:ZoneMinder/zoneminder 2019-05-24 13:56:30 -04:00
Pliable Pixels fc27393a96 Replace MySQL Password() with bcrypt, allow for alternate JWT tokens (#2598)
* added sha1 and bcrypt submodules

* added bcrypt and sha to src build process

* added test sha1 and bcrypt code to validate working

* bcrypt auth migration in PHP land

* added include path

* add sha source

* added bcrypt to others

* put link_dir ahead of add_executable

* fixed typo

* try add_library instead

* absolute path

* absolute path

* build bcrypt as static

* move to wrapper

* move to fork

* logs tweak

* added lib-ssl/dev for JWT signing

* Moved to openSSL SHA1, initial JWT plugin

* removed vog

* fixed SHA1 algo

* typo

* use php-jwt, use proper way to add PHP modules, via composer

* fixed module path

* first attempt to fix cast error

* own fork

* own fork

* add composer vendor directory

* go back to jwt-cpp as PR merged

* moved to jwt-cpp after PR merge

* New token= query for JWT

* Add JWT token creation, move old code to a different function for future deprecation, simplified code for ZM_XX parameter reading

* JWT integration, validate JWT token via validateToken

* added token validation to zms/zmu/zmuser

* add token to command line for zmu

* move decode inside try/catch

* exception handling for try/catch

* fix db read, forgot to exec query

* remove allowing auth_hash_ip for token

* support refresh tokens as well for increased security

* remove auth_hash_ip

* Error out if used did not create an AUTH_HASH_SECRET

* fixed type conversion

* make sure refresh token login doesn't generate another refresh token

* fix absolute path

* move JWT/Bcrypt inside zm_crypt

* move sha headers out

* move out sha header

* handle case when supplied password is hashed, fix wrong params in AppController

* initial baby step for api tab

* initial plumbing to introduce token expiry and API bans per user

* remove M typo

* display user table in api

* added revoke all tokens code, removed test code

* use strtoul for conversion

* use strtoul for conversion

* use strtoul for conversion

* more fixes

* more fixes

* add mintokenexpiry to DB seek

* typo

* add ability to revoke tokens and enable/disable APIs per user

* moved API enable back to system

* comma

* enable API options only if API enabled

* move user creation to bcrypt

* added password_compat for PHP >=5.3 <5.5

* add Password back so User object indexes don't change

* move token index after adding password

* demote logs

* make old API auth optional, on by default

* make old API auth mechanism optional

* removed stale code

* forgot to checkin update file

* bulk overlay hash mysql encoded passwords

* add back ssl_dev, got deleted

* fix update script

* added token support to index.php

* reworked API document for new changes in 2.0

* Migrate from libdigest to crypt-eks-blowfish due to notice

* merge typo

* css classess for text that disappear

* fixed html typo

* added deps to ubuntu control files

* spaces

* removed extra line

* when regenerating using refresh tokens, username needs to be derived from the refresh token, as no session would exist

* add libssl1.0.0 for ubuntu 16/12

* small API fixes

* clean up of API, remove redundant sections

* moved to ZM fork for bcrypt

* whitespace and google code style

* regenerate auth hash if doing password migration

* dont need AUTH HASH LOGIN to be on

* Add auth hash verification to the user logged in already case

* fix missing ]

* reject requests if per user API disabled
2019-05-24 13:48:40 -04:00
Isaac Connor aa1264f4d2 fix missing ] 2019-05-23 16:26:40 -04:00
Isaac Connor 7559c975e3 Merge branch 'crypt-replacement' of https://github.com/pliablepixels/ZoneMinder into pliablepixels-crypt-replacement3 2019-05-23 15:15:52 -04:00
Isaac Connor 883688a72d Add auth hash verification to the user logged in already case 2019-05-23 15:15:37 -04:00
Pliable Pixels 57708c016c dont need AUTH HASH LOGIN to be on 2019-05-23 14:59:21 -04:00
Isaac Connor d5120f7506 regenerate auth hash if doing password migration 2019-05-23 14:30:45 -04:00
Isaac Connor bc9116dd94 whitespace and google code style 2019-05-23 14:27:17 -04:00
Pliable Pixels 8e1037458a when regenerating using refresh tokens, username needs to be derived from the refresh token, as no session would exist 2019-05-18 11:23:16 -04:00
Pliable Pixels 95460a945a added token support to index.php 2019-05-14 19:22:49 -04:00
Pliable Pixels e9f843f297 bulk overlay hash mysql encoded passwords 2019-05-13 14:29:24 -04:00
Pliable Pixels adb01c4d0e added password_compat for PHP >=5.3 <5.5 2019-05-12 13:57:25 -04:00
Pliable Pixels ae14be916c initial plumbing to introduce token expiry and API bans per user 2019-05-11 13:39:40 -04:00
Pliable Pixels 95b448abdd handle case when supplied password is hashed, fix wrong params in AppController 2019-05-10 11:25:55 -04:00
Pliable Pixels f9730bb46b remove auth_hash_ip 2019-05-08 14:07:48 -04:00
Pliable Pixels bc050fe330 support refresh tokens as well for increased security 2019-05-08 13:38:42 -04:00
Pliable Pixels b293592e4c added token validation to zms/zmu/zmuser 2019-05-08 10:55:32 -04:00
Pliable Pixels e8f79f3254 JWT integration, validate JWT token via validateToken 2019-05-07 15:04:51 -04:00
Pliable Pixels ca3f65deef go back to jwt-cpp as PR merged 2019-05-05 14:32:09 -04:00
Pliable Pixels a55a11dad1 first attempt to fix cast error 2019-05-05 11:24:55 -04:00
Pliable Pixels 8d62c61b7a fixed module path 2019-05-05 07:50:52 -04:00
Pliable Pixels 725c3c50ed use php-jwt, use proper way to add PHP modules, via composer 2019-05-05 07:08:25 -04:00
Pliable Pixels 887912e7ad bcrypt auth migration in PHP land 2019-05-01 13:22:24 -04:00
Matthew Noorenberghe 3c31dd63ce Use zm_session_start() for API auth. Fixes #2547 2019-03-11 00:27:46 -07:00
Isaac Connor 6e4444099b Only populate session with user info on successful login. Use parameters in sql when loading users in getAuthUser. Fixes #2542 2019-02-27 09:57:50 -05:00