]> git.immae.eu Git - github/shaarli/Shaarli.git/blob - application/security/LoginManager.php
projects / github / shaarli / Shaarli.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Rewrite IP ban management
[github/shaarli/Shaarli.git] / application / security / LoginManager.php
1 <?php
2 namespace Shaarli\Security;
3
4 use Shaarli\Config\ConfigManager;
5
6 /**
7 * User login management
8 */
9 class LoginManager
10 {
11 /** @var string Name of the cookie set after logging in **/
12 public static $STAY_SIGNED_IN_COOKIE = 'shaarli_staySignedIn';
13
14 /** @var array A reference to the $_GLOBALS array */
15 protected $globals = [];
16
17 /** @var ConfigManager Configuration Manager instance **/
18 protected $configManager = null;
19
20 /** @var SessionManager Session Manager instance **/
21 protected $sessionManager = null;
22
23 /** @var BanManager Ban Manager instance **/
24 protected $banManager;
25
26 /** @var bool Whether the user is logged in **/
27 protected $isLoggedIn = false;
28
29 /** @var bool Whether the Shaarli instance is open to public edition **/
30 protected $openShaarli = false;
31
32 /** @var string User sign-in token depending on remote IP and credentials */
33 protected $staySignedInToken = '';
34
35 /**
36 * Constructor
37 *
38 * @param ConfigManager $configManager Configuration Manager instance
39 * @param SessionManager $sessionManager SessionManager instance
40 */
41 public function __construct($configManager, $sessionManager)
42 {
43 $this->configManager = $configManager;
44 $this->sessionManager = $sessionManager;
45 $this->banManager = new BanManager(
46 $this->configManager->get('security.trusted_proxies', []),
47 $this->configManager->get('security.ban_after'),
48 $this->configManager->get('security.ban_duration'),
49 $this->configManager->get('resource.ban_file', 'data/ipbans.php'),
50 $this->configManager->get('resource.log')
51 );
52
53 if ($this->configManager->get('security.open_shaarli') === true) {
54 $this->openShaarli = true;
55 }
56 }
57
58 /**
59 * Generate a token depending on deployment salt, user password and client IP
60 *
61 * @param string $clientIpAddress The remote client IP address
62 */
63 public function generateStaySignedInToken($clientIpAddress)
64 {
65 if ($this->configManager->get('security.session_protection_disabled') === true) {
66 $clientIpAddress = '';
67 }
68 $this->staySignedInToken = sha1(
69 $this->configManager->get('credentials.hash')
70 . $clientIpAddress
71 . $this->configManager->get('credentials.salt')
72 );
73 }
74
75 /**
76 * Return the user's client stay-signed-in token
77 *
78 * @return string User's client stay-signed-in token
79 */
80 public function getStaySignedInToken()
81 {
82 return $this->staySignedInToken;
83 }
84
85 /**
86 * Check user session state and validity (expiration)
87 *
88 * @param array $cookie The $_COOKIE array
89 * @param string $clientIpId Client IP address identifier
90 */
91 public function checkLoginState($cookie, $clientIpId)
92 {
93 if (! $this->configManager->exists('credentials.login')) {
94 // Shaarli is not configured yet
95 $this->isLoggedIn = false;
96 return;
97 }
98
99 if (isset($cookie[self::$STAY_SIGNED_IN_COOKIE])
100 && $cookie[self::$STAY_SIGNED_IN_COOKIE] === $this->staySignedInToken
101 ) {
102 // The user client has a valid stay-signed-in cookie
103 // Session information is updated with the current client information
104 $this->sessionManager->storeLoginInfo($clientIpId);
105 } elseif ($this->sessionManager->hasSessionExpired()
106 || $this->sessionManager->hasClientIpChanged($clientIpId)
107 ) {
108 $this->sessionManager->logout();
109 $this->isLoggedIn = false;
110 return;
111 }
112
113 $this->isLoggedIn = true;
114 $this->sessionManager->extendSession();
115 }
116
117 /**
118 * Return whether the user is currently logged in
119 *
120 * @return true when the user is logged in, false otherwise
121 */
122 public function isLoggedIn()
123 {
124 if ($this->openShaarli) {
125 return true;
126 }
127 return $this->isLoggedIn;
128 }
129
130 /**
131 * Check user credentials are valid
132 *
133 * @param string $remoteIp Remote client IP address
134 * @param string $clientIpId Client IP address identifier
135 * @param string $login Username
136 * @param string $password Password
137 *
138 * @return bool true if the provided credentials are valid, false otherwise
139 */
140 public function checkCredentials($remoteIp, $clientIpId, $login, $password)
141 {
142 $hash = sha1($password . $login . $this->configManager->get('credentials.salt'));
143
144 if ($login != $this->configManager->get('credentials.login')
145 || $hash != $this->configManager->get('credentials.hash')
146 ) {
147 logm(
148 $this->configManager->get('resource.log'),
149 $remoteIp,
150 'Login failed for user ' . $login
151 );
152 return false;
153 }
154
155 $this->sessionManager->storeLoginInfo($clientIpId);
156 logm(
157 $this->configManager->get('resource.log'),
158 $remoteIp,
159 'Login successful'
160 );
161 return true;
162 }
163
164 /**
165 * Handle a failed login and ban the IP after too many failed attempts
166 *
167 * @param array $server The $_SERVER array
168 */
169 public function handleFailedLogin($server)
170 {
171 $this->banManager->handleFailedAttempt($server);
172 }
173
174 /**
175 * Handle a successful login
176 *
177 * @param array $server The $_SERVER array
178 */
179 public function handleSuccessfulLogin($server)
180 {
181 $this->banManager->clearFailures($server);
182 }
183
184 /**
185 * Check if the user can login from this IP
186 *
187 * @param array $server The $_SERVER array
188 *
189 * @return bool true if the user is allowed to login
190 */
191 public function canLogin($server)
192 {
193 return ! $this->banManager->isBanned($server);
194 }
195 }
The personal, minimalist, super-fast, database free, bookmarking service - community repo