From 0ac38198ab1c00dfb290d5631fa7c1cf5ac2a48a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20L=C5=93uillet?=
Date: Mon, 9 Feb 2015 13:59:48 +0100
Subject: authentication on API

---
 .../CoreBundle/Security/Authentication/Provider/WsseProvider.php | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'src/Wallabag/CoreBundle/Security/Authentication/Provider/WsseProvider.php')

diff --git a/src/Wallabag/CoreBundle/Security/Authentication/Provider/WsseProvider.php b/src/Wallabag/CoreBundle/Security/Authentication/Provider/WsseProvider.php
index 5499f400..eaad9c63 100644
--- a/src/Wallabag/CoreBundle/Security/Authentication/Provider/WsseProvider.php
+++ b/src/Wallabag/CoreBundle/Security/Authentication/Provider/WsseProvider.php
@@ -44,6 +44,12 @@ class WsseProvider implements AuthenticationProviderInterface
 if (file_exists($this->cacheDir.'/'.$nonce) && file_get_contents($this->cacheDir.'/'.$nonce) + 300 > time()) {
 throw new NonceExpiredException('Previously used nonce detected');
 }
+
+ // If cache directory does not exist we create it
+ if (!is_dir($this->cacheDir)) {
+ mkdir($this->cacheDir, 0777, true);
+ }
+
 file_put_contents($this->cacheDir.'/'.$nonce, time());
 
 // Valide le Secret
-- cgit v1.2.3

From 2a94b1d1b74b4e776e76a522621b67b45d115fe7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20L=C5=93uillet?=
Date: Mon, 9 Feb 2015 22:07:39 +0100
Subject: log for authentication on API

---
 .../Authentication/Provider/WsseProvider.php | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

(limited to 'src/Wallabag/CoreBundle/Security/Authentication/Provider/WsseProvider.php')

diff --git a/src/Wallabag/CoreBundle/Security/Authentication/Provider/WsseProvider.php b/src/Wallabag/CoreBundle/Security/Authentication/Provider/WsseProvider.php
index eaad9c63..c9b9b692 100644
--- a/src/Wallabag/CoreBundle/Security/Authentication/Provider/WsseProvider.php
+++ b/src/Wallabag/CoreBundle/Security/Authentication/Provider/WsseProvider.php
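Review bot: `mkdir($this->cacheDir, 0777, true)` asks for a world-writable nonce cache and ignores the return value, so when the directory cannot be created the only symptom is that the `file_put_contents` on the next context line (also unchecked) fails and the nonce is never recorded, which quietly turns off replay detection. A narrower mode plus an explicit failure path covers both: `if (!is_dir($this->cacheDir) && !mkdir($this->cacheDir, 0750, true) && !is_dir($this->cacheDir)) { throw new \RuntimeException(sprintf('Cannot create nonce cache dir %s', $this->cacheDir)); }` (the second `is_dir` absorbs two requests racing to create it). The same lines are moved into the constructor by the third commit (`@@ -17,6 +17,11`) and the same change applies there. Separately, `$nonce` on the context lines comes from the client and is joined into the path unvalidated; unless it is constrained elsewhere, the provider should reject any nonce that is not a plain base64 token before using it as a filename. validateDigest starts and ends outside this hunk.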
@@ -23,6 +23,10 @@ class WsseProvider implements AuthenticationProviderInterface
 {
 $user = $this->userProvider->loadUserByUsername($token->getUsername());
 
+ if (!$user) {
+ throw new AuthenticationException("Bad credentials. Did you forgot your username?");
+ }
+
 if ($user && $this->validateDigest($token->digest, $token->nonce, $token->created, $user->getPassword())) {
 $authenticatedToken = new WsseUserToken($user->getRoles());
 $authenticatedToken->setUser($user);
@@ -35,12 +39,17 @@ class WsseProvider implements AuthenticationProviderInterface
 
 protected function validateDigest($digest, $nonce, $created, $secret)
 {
- // Expire le timestamp après 5 minutes
+ // Check created time is not in the future
+ if (strtotime($created) > time()) {
+ throw new AuthenticationException("Back to the future...");
+ }
+
+ // Expire timestamp after 5 minutes
 if (time() - strtotime($created) > 300) {
- return false;
+ throw new AuthenticationException("Too late for this timestamp... Watch your watch.");
 }
 
- // Valide que le nonce est unique dans les 5 minutes
+ // Validate nonce is unique within 5 minutes
 if (file_exists($this->cacheDir.'/'.$nonce) && file_get_contents($this->cacheDir.'/'.$nonce) + 300 > time()) {
 throw new NonceExpiredException('Previously used nonce detected');
 }
@@ -52,9 +61,13 @@ class WsseProvider implements AuthenticationProviderInterface
 
 file_put_contents($this->cacheDir.'/'.$nonce, time());
 
- // Valide le Secret
+ // Validate Secret
 $expected = base64_encode(sha1(base64_decode($nonce).$created.$secret, true));
 
+ if ($digest !== $expected) {
+ throw new AuthenticationException("Bad credentials ! Digest is not as expected.");
+ }
+
 return $digest === $expected;
 }
 
-- cgit v1.2.3

From 92504e0dd489c0d11abc87bee42ffca717db0480 Mon Sep 17 00:00:00 2001
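Review bot: The new `if (!$user)` guard throws a different message from the digest failure added in the last hunk of this commit (`Bad credentials ! Digest is not as expected.`), so a caller can tell an unknown username from a wrong digest; both paths should throw the same generic text, e.g. `throw new AuthenticationException('Bad credentials.');`. Whether this branch is reachable depends on the user provider — Symfony's `loadUserByUsername` contract is to throw `UsernameNotFoundException` rather than return null, so the guard may be dead code unless this project's provider differs. With the guard in place, the `$user &&` on the following context line is redundant and can be dropped; `forgot` in the message should be `forget`. authenticate's body continues past the hunk.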
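Review bot: `strtotime($created)` returns `false` when `created` does not parse, and neither new comparison checks for that, so an unparseable timestamp is rejected only because `time() - false` happens to exceed 300, not by design; parse once and check it: `$createdAt = strtotime($created); if ($createdAt === false) { throw new AuthenticationException('Invalid created timestamp.'); }`, then use `$createdAt` in both comparisons. The "not in the future" check allows zero clock skew, so a client whose clock is even a second ahead of the server is rejected; accepting a small bounded skew (a few seconds) is the usual mitigation and keeps the check meaningful. validateDigest's body continues in the next hunk.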
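Review bot: With the new `if ($digest !== $expected) throw` in place, the `return $digest === $expected;` on the last line can only evaluate to true, so it should read `return true;` and the method's docblock should state that failure is now signalled by an exception rather than a false return. The comparison should also be `if (!hash_equals($expected, (string) $digest))` so the check runs in constant time instead of `!==` stopping at the first differing byte; `hash_equals` exists from PHP 5.6, so if the project still supports older versions a constant-time comparison helper is needed instead. validateDigest begins in the previous hunk.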
From: =?UTF-8?q?Nicolas=20L=C5=93uillet?=
Date: Tue, 10 Feb 2015 13:35:34 +0100
Subject: move dir check into constructor

---
 .../Security/Authentication/Provider/WsseProvider.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

(limited to 'src/Wallabag/CoreBundle/Security/Authentication/Provider/WsseProvider.php')

diff --git a/src/Wallabag/CoreBundle/Security/Authentication/Provider/WsseProvider.php b/src/Wallabag/CoreBundle/Security/Authentication/Provider/WsseProvider.php
index c9b9b692..7e6a5dfb 100644
--- a/src/Wallabag/CoreBundle/Security/Authentication/Provider/WsseProvider.php
+++ b/src/Wallabag/CoreBundle/Security/Authentication/Provider/WsseProvider.php
@@ -17,6 +17,11 @@ class WsseProvider implements AuthenticationProviderInterface
 {
 $this->userProvider = $userProvider;
 $this->cacheDir = $cacheDir;
+
+ // If cache directory does not exist we create it
+ if (!is_dir($this->cacheDir)) {
+ mkdir($this->cacheDir, 0777, true);
+ }
 }
 
 public function authenticate(TokenInterface $token)
@@ -54,11 +59,6 @@ class WsseProvider implements AuthenticationProviderInterface
 throw new NonceExpiredException('Previously used nonce detected');
 }
 
- // If cache directory does not exist we create it
- if (!is_dir($this->cacheDir)) {
- mkdir($this->cacheDir, 0777, true);
- }
-
 file_put_contents($this->cacheDir.'/'.$nonce, time());
 
 // Validate Secret
-- cgit v1.2.3