Update password handling and session methods
This commit is contained in:
netkas
parent
8b9896f196
commit
85814913e4
11 changed files with 239 additions and 70 deletions
|
|
@ -642,7 +642,6 @@
|
||||||
*
|
*
|
||||||
* @param string $hash The hash string to be validated.
|
* @param string $hash The hash string to be validated.
|
||||||
* @return bool Returns true if the hash is valid and meets current security standards.
|
* @return bool Returns true if the hash is valid and meets current security standards.
|
||||||
* @throws CryptographyException If the hash format is invalid or does not meet security requirements.
|
|
||||||
*/
|
*/
|
||||||
public static function validatePasswordHash(string $hash): bool
|
public static function validatePasswordHash(string $hash): bool
|
||||||
{
|
{
|
||||||
|
|
@ -652,23 +651,22 @@
|
||||||
$argon2id_pattern = '/^\$argon2id\$v=\d+\$m=\d+,t=\d+,p=\d+\$[A-Za-z0-9+\/=]+\$[A-Za-z0-9+\/=]+$/D';
|
$argon2id_pattern = '/^\$argon2id\$v=\d+\$m=\d+,t=\d+,p=\d+\$[A-Za-z0-9+\/=]+\$[A-Za-z0-9+\/=]+$/D';
|
||||||
if (!preg_match($argon2id_pattern, $hash))
|
if (!preg_match($argon2id_pattern, $hash))
|
||||||
{
|
{
|
||||||
throw new CryptographyException("Invalid hash format");
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Step 2: Check if it needs rehashing (validates the hash structure)
|
// Step 2: Check if it needs rehashing (validates the hash structure)
|
||||||
if (sodium_crypto_pwhash_str_needs_rehash($hash, SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE, SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE))
|
if (sodium_crypto_pwhash_str_needs_rehash($hash, SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE, SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE))
|
||||||
{
|
{
|
||||||
throw new CryptographyException("Hash does not meet current security requirements");
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
catch (Exception)
|
||||||
|
{
|
||||||
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
// If all checks pass, the hash is valid.
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
catch (Exception $e)
|
|
||||||
{
|
|
||||||
throw new CryptographyException("Invalid hash: " . $e->getMessage());
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Verifies a password against a stored hash.
|
* Verifies a password against a stored hash.
|
||||||
|
|
|
||||||
|
|
@ -3,7 +3,6 @@
|
||||||
namespace Socialbox\Classes\StandardMethods;
|
namespace Socialbox\Classes\StandardMethods;
|
||||||
|
|
||||||
use Socialbox\Abstracts\Method;
|
use Socialbox\Abstracts\Method;
|
||||||
use Socialbox\Enums\StandardError;
|
|
||||||
use Socialbox\Interfaces\SerializableInterface;
|
use Socialbox\Interfaces\SerializableInterface;
|
||||||
use Socialbox\Objects\ClientRequest;
|
use Socialbox\Objects\ClientRequest;
|
||||||
use Socialbox\Objects\RpcRequest;
|
use Socialbox\Objects\RpcRequest;
|
||||||
|
|
@ -16,11 +15,6 @@
|
||||||
*/
|
*/
|
||||||
public static function execute(ClientRequest $request, RpcRequest $rpcRequest): ?SerializableInterface
|
public static function execute(ClientRequest $request, RpcRequest $rpcRequest): ?SerializableInterface
|
||||||
{
|
{
|
||||||
if($request->getSessionUuid() === null)
|
|
||||||
{
|
|
||||||
return $rpcRequest->produceError(StandardError::SESSION_REQUIRED);
|
|
||||||
}
|
|
||||||
|
|
||||||
return $rpcRequest->produceResponse($request->getSession()->toStandardSessionState());
|
return $rpcRequest->produceResponse($request->getSession()->toStandardSessionState());
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -0,0 +1,53 @@
|
||||||
|
<?php
|
||||||
|
|
||||||
|
namespace Socialbox\Classes\StandardMethods;
|
||||||
|
|
||||||
|
use Exception;
|
||||||
|
use Socialbox\Abstracts\Method;
|
||||||
|
use Socialbox\Classes\Configuration;
|
||||||
|
use Socialbox\Classes\Cryptography;
|
||||||
|
use Socialbox\Enums\StandardError;
|
||||||
|
use Socialbox\Exceptions\DatabaseOperationException;
|
||||||
|
use Socialbox\Exceptions\StandardException;
|
||||||
|
use Socialbox\Interfaces\SerializableInterface;
|
||||||
|
use Socialbox\Managers\PasswordManager;
|
||||||
|
use Socialbox\Objects\ClientRequest;
|
||||||
|
use Socialbox\Objects\RpcRequest;
|
||||||
|
|
||||||
|
class SettingsDeletePassword extends Method
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* @inheritDoc
|
||||||
|
*/
|
||||||
|
public static function execute(ClientRequest $request, RpcRequest $rpcRequest): ?SerializableInterface
|
||||||
|
{
|
||||||
|
if(Configuration::getRegistrationConfiguration()->isPasswordRequired())
|
||||||
|
{
|
||||||
|
return $rpcRequest->produceError(StandardError::FORBIDDEN, 'A password is required for this server');
|
||||||
|
}
|
||||||
|
|
||||||
|
try
|
||||||
|
{
|
||||||
|
if (!PasswordManager::usesPassword($request->getPeer()->getUuid()))
|
||||||
|
{
|
||||||
|
return $rpcRequest->produceError(StandardError::METHOD_NOT_ALLOWED, "Cannot update password when one isn't already set, use 'settingsSetPassword' instead");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
catch (DatabaseOperationException $e)
|
||||||
|
{
|
||||||
|
throw new StandardException('Failed to check password due to an internal exception', StandardError::INTERNAL_SERVER_ERROR, $e);
|
||||||
|
}
|
||||||
|
|
||||||
|
try
|
||||||
|
{
|
||||||
|
// Set the password
|
||||||
|
PasswordManager::updatePassword($request->getPeer(), $rpcRequest->getParameter('password'));
|
||||||
|
}
|
||||||
|
catch(Exception $e)
|
||||||
|
{
|
||||||
|
throw new StandardException('Failed to set password due to an internal exception', StandardError::INTERNAL_SERVER_ERROR, $e);
|
||||||
|
}
|
||||||
|
|
||||||
|
return $rpcRequest->produceResponse(true);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
@ -4,6 +4,7 @@
|
||||||
|
|
||||||
use Exception;
|
use Exception;
|
||||||
use Socialbox\Abstracts\Method;
|
use Socialbox\Abstracts\Method;
|
||||||
|
use Socialbox\Classes\Cryptography;
|
||||||
use Socialbox\Enums\Flags\SessionFlags;
|
use Socialbox\Enums\Flags\SessionFlags;
|
||||||
use Socialbox\Enums\StandardError;
|
use Socialbox\Enums\StandardError;
|
||||||
use Socialbox\Exceptions\DatabaseOperationException;
|
use Socialbox\Exceptions\DatabaseOperationException;
|
||||||
|
|
@ -26,16 +27,16 @@
|
||||||
return $rpcRequest->produceError(StandardError::RPC_INVALID_ARGUMENTS, "Missing 'password' parameter");
|
return $rpcRequest->produceError(StandardError::RPC_INVALID_ARGUMENTS, "Missing 'password' parameter");
|
||||||
}
|
}
|
||||||
|
|
||||||
if(!preg_match('/^[a-f0-9]{128}$/', $rpcRequest->getParameter('password')))
|
if(!Cryptography::validatePasswordHash($rpcRequest->getParameter('password')))
|
||||||
{
|
{
|
||||||
return $rpcRequest->produceError(StandardError::RPC_INVALID_ARGUMENTS, "Invalid 'password' parameter, must be sha512 hexadecimal hash");
|
return $rpcRequest->produceError(StandardError::RPC_INVALID_ARGUMENTS, "Invalid 'password' parameter, must be a valid argon2id hash");
|
||||||
}
|
}
|
||||||
|
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
if (PasswordManager::usesPassword($request->getPeer()->getUuid()))
|
if (PasswordManager::usesPassword($request->getPeer()->getUuid()))
|
||||||
{
|
{
|
||||||
return $rpcRequest->produceError(StandardError::METHOD_NOT_ALLOWED, "Cannot set password when one is already set, use 'settingsChangePassword' instead");
|
return $rpcRequest->produceError(StandardError::METHOD_NOT_ALLOWED, "Cannot set password when one is already set, use 'settingsUpdatePassword' instead");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
catch (DatabaseOperationException $e)
|
catch (DatabaseOperationException $e)
|
||||||
|
|
@ -48,11 +49,11 @@
|
||||||
// Set the password
|
// Set the password
|
||||||
PasswordManager::setPassword($request->getPeer(), $rpcRequest->getParameter('password'));
|
PasswordManager::setPassword($request->getPeer(), $rpcRequest->getParameter('password'));
|
||||||
|
|
||||||
// Remove the SET_PASSWORD flag
|
// Remove the SET_PASSWORD flag & update the session flow if necessary
|
||||||
SessionManager::removeFlags($request->getSessionUuid(), [SessionFlags::SET_PASSWORD]);
|
if($request->getSession()->flagExists(SessionFlags::SET_PASSWORD))
|
||||||
|
{
|
||||||
// Check & update the session flow
|
SessionManager::updateFlow($request->getSession(), [SessionFlags::SET_PASSWORD]);
|
||||||
SessionManager::updateFlow($request->getSession());
|
}
|
||||||
}
|
}
|
||||||
catch(Exception $e)
|
catch(Exception $e)
|
||||||
{
|
{
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,57 @@
|
||||||
|
<?php
|
||||||
|
|
||||||
|
namespace Socialbox\Classes\StandardMethods;
|
||||||
|
|
||||||
|
use Exception;
|
||||||
|
use Socialbox\Abstracts\Method;
|
||||||
|
use Socialbox\Classes\Cryptography;
|
||||||
|
use Socialbox\Enums\StandardError;
|
||||||
|
use Socialbox\Exceptions\DatabaseOperationException;
|
||||||
|
use Socialbox\Exceptions\StandardException;
|
||||||
|
use Socialbox\Interfaces\SerializableInterface;
|
||||||
|
use Socialbox\Managers\PasswordManager;
|
||||||
|
use Socialbox\Objects\ClientRequest;
|
||||||
|
use Socialbox\Objects\RpcRequest;
|
||||||
|
|
||||||
|
class SettingsUpdatePassword extends Method
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* @inheritDoc
|
||||||
|
*/
|
||||||
|
public static function execute(ClientRequest $request, RpcRequest $rpcRequest): ?SerializableInterface
|
||||||
|
{
|
||||||
|
if(!$rpcRequest->containsParameter('password'))
|
||||||
|
{
|
||||||
|
return $rpcRequest->produceError(StandardError::RPC_INVALID_ARGUMENTS, "Missing 'password' parameter");
|
||||||
|
}
|
||||||
|
|
||||||
|
if(!Cryptography::validatePasswordHash($rpcRequest->getParameter('password')))
|
||||||
|
{
|
||||||
|
return $rpcRequest->produceError(StandardError::RPC_INVALID_ARGUMENTS, "Invalid 'password' parameter, must be a valid argon2id hash");
|
||||||
|
}
|
||||||
|
|
||||||
|
try
|
||||||
|
{
|
||||||
|
if (!PasswordManager::usesPassword($request->getPeer()->getUuid()))
|
||||||
|
{
|
||||||
|
return $rpcRequest->produceError(StandardError::METHOD_NOT_ALLOWED, "Cannot update password when one isn't already set, use 'settingsSetPassword' instead");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
catch (DatabaseOperationException $e)
|
||||||
|
{
|
||||||
|
throw new StandardException('Failed to check password due to an internal exception', StandardError::INTERNAL_SERVER_ERROR, $e);
|
||||||
|
}
|
||||||
|
|
||||||
|
try
|
||||||
|
{
|
||||||
|
// Set the password
|
||||||
|
PasswordManager::updatePassword($request->getPeer(), $rpcRequest->getParameter('password'));
|
||||||
|
}
|
||||||
|
catch(Exception $e)
|
||||||
|
{
|
||||||
|
throw new StandardException('Failed to set password due to an internal exception', StandardError::INTERNAL_SERVER_ERROR, $e);
|
||||||
|
}
|
||||||
|
|
||||||
|
return $rpcRequest->produceResponse(true);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
@ -7,7 +7,7 @@ enum StandardError : int
|
||||||
// Fallback Codes
|
// Fallback Codes
|
||||||
case UNKNOWN = -1;
|
case UNKNOWN = -1;
|
||||||
|
|
||||||
// Server/Request Errors
|
// Generic Errors
|
||||||
case INTERNAL_SERVER_ERROR = -100;
|
case INTERNAL_SERVER_ERROR = -100;
|
||||||
case SERVER_UNAVAILABLE = -101;
|
case SERVER_UNAVAILABLE = -101;
|
||||||
case BAD_REQUEST = -102;
|
case BAD_REQUEST = -102;
|
||||||
|
|
@ -26,12 +26,7 @@ enum StandardError : int
|
||||||
|
|
||||||
// Authentication/Cryptography Errors
|
// Authentication/Cryptography Errors
|
||||||
case INVALID_PUBLIC_KEY = -4000; // *
|
case INVALID_PUBLIC_KEY = -4000; // *
|
||||||
|
|
||||||
case SESSION_REQUIRED = -5001; // *
|
|
||||||
case SESSION_NOT_FOUND = -5002; // *
|
case SESSION_NOT_FOUND = -5002; // *
|
||||||
case SESSION_EXPIRED = -5003; // *
|
|
||||||
case SESSION_DHE_REQUIRED = -5004; // *
|
|
||||||
|
|
||||||
case ALREADY_AUTHENTICATED = -6005;
|
case ALREADY_AUTHENTICATED = -6005;
|
||||||
case UNSUPPORTED_AUTHENTICATION_TYPE = -6006;
|
case UNSUPPORTED_AUTHENTICATION_TYPE = -6006;
|
||||||
case AUTHENTICATION_REQUIRED = -6007;
|
case AUTHENTICATION_REQUIRED = -6007;
|
||||||
|
|
@ -55,7 +50,7 @@ enum StandardError : int
|
||||||
{
|
{
|
||||||
return match ($this)
|
return match ($this)
|
||||||
{
|
{
|
||||||
self::UNKNOWN => 'Unknown Error',
|
default => 'Unknown Error',
|
||||||
|
|
||||||
self::RPC_METHOD_NOT_FOUND => 'The request method was not found',
|
self::RPC_METHOD_NOT_FOUND => 'The request method was not found',
|
||||||
self::RPC_INVALID_ARGUMENTS => 'The request method contains one or more invalid arguments',
|
self::RPC_INVALID_ARGUMENTS => 'The request method contains one or more invalid arguments',
|
||||||
|
|
@ -68,7 +63,6 @@ enum StandardError : int
|
||||||
self::ALREADY_AUTHENTICATED => 'The action cannot be preformed while authenticated',
|
self::ALREADY_AUTHENTICATED => 'The action cannot be preformed while authenticated',
|
||||||
self::AUTHENTICATION_REQUIRED => 'Authentication is required to preform this action',
|
self::AUTHENTICATION_REQUIRED => 'Authentication is required to preform this action',
|
||||||
self::SESSION_NOT_FOUND => 'The requested session UUID was not found',
|
self::SESSION_NOT_FOUND => 'The requested session UUID was not found',
|
||||||
self::SESSION_REQUIRED => 'A session is required to preform this action',
|
|
||||||
self::REGISTRATION_DISABLED => 'Registration is disabled on the server',
|
self::REGISTRATION_DISABLED => 'Registration is disabled on the server',
|
||||||
self::CAPTCHA_NOT_AVAILABLE => 'Captcha is not available',
|
self::CAPTCHA_NOT_AVAILABLE => 'Captcha is not available',
|
||||||
self::INCORRECT_CAPTCHA_ANSWER => 'The Captcha answer is incorrect',
|
self::INCORRECT_CAPTCHA_ANSWER => 'The Captcha answer is incorrect',
|
||||||
|
|
@ -79,8 +73,6 @@ enum StandardError : int
|
||||||
self::USERNAME_ALREADY_EXISTS => 'The given username already exists on the network',
|
self::USERNAME_ALREADY_EXISTS => 'The given username already exists on the network',
|
||||||
self::NOT_REGISTERED => 'The given username is not registered on the server',
|
self::NOT_REGISTERED => 'The given username is not registered on the server',
|
||||||
self::METHOD_NOT_ALLOWED => 'The requested method is not allowed',
|
self::METHOD_NOT_ALLOWED => 'The requested method is not allowed',
|
||||||
self::SESSION_EXPIRED => 'The session has expired',
|
|
||||||
self::SESSION_DHE_REQUIRED => 'The session requires DHE to be established',
|
|
||||||
};
|
};
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -2,6 +2,7 @@
|
||||||
|
|
||||||
namespace Socialbox\Enums;
|
namespace Socialbox\Enums;
|
||||||
|
|
||||||
|
use Socialbox\Classes\Configuration;
|
||||||
use Socialbox\Classes\StandardMethods\AcceptCommunityGuidelines;
|
use Socialbox\Classes\StandardMethods\AcceptCommunityGuidelines;
|
||||||
use Socialbox\Classes\StandardMethods\AcceptPrivacyPolicy;
|
use Socialbox\Classes\StandardMethods\AcceptPrivacyPolicy;
|
||||||
use Socialbox\Classes\StandardMethods\AcceptTermsOfService;
|
use Socialbox\Classes\StandardMethods\AcceptTermsOfService;
|
||||||
|
|
@ -12,9 +13,11 @@
|
||||||
use Socialbox\Classes\StandardMethods\Ping;
|
use Socialbox\Classes\StandardMethods\Ping;
|
||||||
use Socialbox\Classes\StandardMethods\SettingsAddSigningKey;
|
use Socialbox\Classes\StandardMethods\SettingsAddSigningKey;
|
||||||
use Socialbox\Classes\StandardMethods\SettingsDeleteDisplayName;
|
use Socialbox\Classes\StandardMethods\SettingsDeleteDisplayName;
|
||||||
|
use Socialbox\Classes\StandardMethods\SettingsDeletePassword;
|
||||||
use Socialbox\Classes\StandardMethods\SettingsGetSigningKeys;
|
use Socialbox\Classes\StandardMethods\SettingsGetSigningKeys;
|
||||||
use Socialbox\Classes\StandardMethods\SettingsSetDisplayName;
|
use Socialbox\Classes\StandardMethods\SettingsSetDisplayName;
|
||||||
use Socialbox\Classes\StandardMethods\SettingsSetPassword;
|
use Socialbox\Classes\StandardMethods\SettingsSetPassword;
|
||||||
|
use Socialbox\Classes\StandardMethods\SettingsUpdatePassword;
|
||||||
use Socialbox\Classes\StandardMethods\VerificationAnswerImageCaptcha;
|
use Socialbox\Classes\StandardMethods\VerificationAnswerImageCaptcha;
|
||||||
use Socialbox\Classes\StandardMethods\VerificationGetImageCaptcha;
|
use Socialbox\Classes\StandardMethods\VerificationGetImageCaptcha;
|
||||||
use Socialbox\Enums\Flags\SessionFlags;
|
use Socialbox\Enums\Flags\SessionFlags;
|
||||||
|
|
@ -54,6 +57,8 @@
|
||||||
case VERIFICATION_ANSWER_EXTERNAL_URL = 'verificationAnswerExternalUrl';
|
case VERIFICATION_ANSWER_EXTERNAL_URL = 'verificationAnswerExternalUrl';
|
||||||
|
|
||||||
case SETTINGS_SET_PASSWORD = 'settingsSetPassword';
|
case SETTINGS_SET_PASSWORD = 'settingsSetPassword';
|
||||||
|
case SETTINGS_UPDATE_PASSWORD = 'settingsUpdatePassword';
|
||||||
|
case SETTINGS_DELETE_PASSWORD = 'settingsDeletePassword';
|
||||||
case SETTINGS_SET_OTP = 'settingsSetOtp';
|
case SETTINGS_SET_OTP = 'settingsSetOtp';
|
||||||
case SETTINGS_SET_DISPLAY_NAME = 'settingsSetDisplayName';
|
case SETTINGS_SET_DISPLAY_NAME = 'settingsSetDisplayName';
|
||||||
case SETTINGS_DELETE_DISPLAY_NAME = 'settingsDeleteDisplayName';
|
case SETTINGS_DELETE_DISPLAY_NAME = 'settingsDeleteDisplayName';
|
||||||
|
|
@ -91,6 +96,8 @@
|
||||||
self::VERIFICATION_ANSWER_IMAGE_CAPTCHA => VerificationAnswerImageCaptcha::execute($request, $rpcRequest),
|
self::VERIFICATION_ANSWER_IMAGE_CAPTCHA => VerificationAnswerImageCaptcha::execute($request, $rpcRequest),
|
||||||
|
|
||||||
self::SETTINGS_SET_PASSWORD => SettingsSetPassword::execute($request, $rpcRequest),
|
self::SETTINGS_SET_PASSWORD => SettingsSetPassword::execute($request, $rpcRequest),
|
||||||
|
self::SETTINGS_UPDATE_PASSWORD => SettingsUpdatePassword::execute($request, $rpcRequest),
|
||||||
|
self::SETTINGS_DELETE_PASSWORD => SettingsDeletePassword::execute($request, $rpcRequest),
|
||||||
self::SETTINGS_SET_DISPLAY_NAME => SettingsSetDisplayName::execute($request, $rpcRequest),
|
self::SETTINGS_SET_DISPLAY_NAME => SettingsSetDisplayName::execute($request, $rpcRequest),
|
||||||
self::SETTINGS_DELETE_DISPLAY_NAME => SettingsDeleteDisplayName::execute($request, $rpcRequest),
|
self::SETTINGS_DELETE_DISPLAY_NAME => SettingsDeleteDisplayName::execute($request, $rpcRequest),
|
||||||
|
|
||||||
|
|
@ -138,6 +145,38 @@
|
||||||
|
|
||||||
$session = $clientRequest->getSession();
|
$session = $clientRequest->getSession();
|
||||||
|
|
||||||
|
// If the session is external (eg; coming from a different server)
|
||||||
|
// Servers will have their own access control mechanisms
|
||||||
|
if($session->isExternal())
|
||||||
|
{
|
||||||
|
// TODO: Implement server access control
|
||||||
|
}
|
||||||
|
// If the session is authenticated, then allow additional method calls
|
||||||
|
elseif($session->isAuthenticated())
|
||||||
|
{
|
||||||
|
// These methods are always allowed for authenticated users
|
||||||
|
$methods = array_merge($methods, [
|
||||||
|
self::SETTINGS_ADD_SIGNING_KEY,
|
||||||
|
self::SETTINGS_GET_SIGNING_KEYS,
|
||||||
|
self::SETTINGS_SET_DISPLAY_NAME,
|
||||||
|
self::SETTINGS_SET_PASSWORD,
|
||||||
|
]);
|
||||||
|
|
||||||
|
// Prevent the user from deleting their display name if it is required
|
||||||
|
if(!Configuration::getRegistrationConfiguration()->isDisplayNameRequired())
|
||||||
|
{
|
||||||
|
$methods[] = self::SETTINGS_DELETE_DISPLAY_NAME;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Always allow the authenticated user to change their password
|
||||||
|
if(!in_array(SessionFlags::SET_PASSWORD, $session->getFlags()))
|
||||||
|
{
|
||||||
|
$methods[] = self::SETTINGS_SET_PASSWORD;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
// If the session isn't authenticated nor a host, a limited set of methods is available
|
||||||
|
else
|
||||||
|
{
|
||||||
// If the flag `VER_PRIVACY_POLICY` is set, then the user can accept the privacy policy
|
// If the flag `VER_PRIVACY_POLICY` is set, then the user can accept the privacy policy
|
||||||
if($session->flagExists(SessionFlags::VER_PRIVACY_POLICY))
|
if($session->flagExists(SessionFlags::VER_PRIVACY_POLICY))
|
||||||
{
|
{
|
||||||
|
|
@ -164,22 +203,15 @@
|
||||||
}
|
}
|
||||||
|
|
||||||
// If the flag `SET_PASSWORD` is set, then the user has to set a password
|
// If the flag `SET_PASSWORD` is set, then the user has to set a password
|
||||||
if(in_array(SessionFlags::SET_PASSWORD, $session->getFlags()))
|
if($session->flagExists(SessionFlags::SET_PASSWORD))
|
||||||
{
|
{
|
||||||
$methods[] = self::SETTINGS_SET_PASSWORD;
|
$methods[] = self::SETTINGS_SET_PASSWORD;
|
||||||
}
|
}
|
||||||
|
|
||||||
// If the user is authenticated, then allow additional method calls
|
// If the flag `SET_DISPLAY_NAME` is set, then the user has to set a display name
|
||||||
if($session->isAuthenticated())
|
if($session->flagExists(SessionFlags::SET_DISPLAY_NAME))
|
||||||
{
|
{
|
||||||
// Authenticated users can always manage their signing keys
|
$methods[] = self::SETTINGS_SET_DISPLAY_NAME;
|
||||||
$methods[] = self::SETTINGS_ADD_SIGNING_KEY;
|
|
||||||
$methods[] = self::SETTINGS_GET_SIGNING_KEYS;
|
|
||||||
|
|
||||||
// Always allow the authenticated user to change their password
|
|
||||||
if(!in_array(SessionFlags::SET_PASSWORD, $session->getFlags()))
|
|
||||||
{
|
|
||||||
$methods[] = self::SETTINGS_SET_PASSWORD;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -115,6 +115,32 @@
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Deletes the stored password for a specific peer.
|
||||||
|
*
|
||||||
|
* @param string|RegisteredPeerRecord $peerUuid The unique identifier of the peer, or an instance of RegisteredPeerRecord.
|
||||||
|
* @return void
|
||||||
|
* @throws DatabaseOperationException If an error occurs during the database operation.
|
||||||
|
*/
|
||||||
|
public static function deletePassword(string|RegisteredPeerRecord $peerUuid): void
|
||||||
|
{
|
||||||
|
if($peerUuid instanceof RegisteredPeerRecord)
|
||||||
|
{
|
||||||
|
$peerUuid = $peerUuid->getUuid();
|
||||||
|
}
|
||||||
|
|
||||||
|
try
|
||||||
|
{
|
||||||
|
$stmt = Database::getConnection()->prepare('DELETE FROM authentication_passwords WHERE peer_uuid=:uuid');
|
||||||
|
$stmt->bindParam(':uuid', $peerUuid);
|
||||||
|
$stmt->execute();
|
||||||
|
}
|
||||||
|
catch(PDOException $e)
|
||||||
|
{
|
||||||
|
throw new DatabaseOperationException('An error occurred while deleting the password', $e);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Verifies a given password against a stored password hash for a specific peer.
|
* Verifies a given password against a stored password hash for a specific peer.
|
||||||
*
|
*
|
||||||
|
|
|
||||||
|
|
@ -423,11 +423,12 @@
|
||||||
* Marks the session as complete if all necessary conditions are met.
|
* Marks the session as complete if all necessary conditions are met.
|
||||||
*
|
*
|
||||||
* @param SessionRecord $session The session record to evaluate and potentially mark as complete.
|
* @param SessionRecord $session The session record to evaluate and potentially mark as complete.
|
||||||
|
* @param array $flagsToRemove An array of flags to remove from the session if it is marked as complete.
|
||||||
|
* @return void
|
||||||
* @throws DatabaseOperationException If there is an error while updating the session in the database.
|
* @throws DatabaseOperationException If there is an error while updating the session in the database.
|
||||||
* @throws StandardException If the session record cannot be found or if there is an error during retrieval.
|
* @throws StandardException If the session record cannot be found or if there is an error during retrieval.
|
||||||
* @return void
|
|
||||||
*/
|
*/
|
||||||
public static function updateFlow(SessionRecord $session): void
|
public static function updateFlow(SessionRecord $session, array $flagsToRemove=[]): void
|
||||||
{
|
{
|
||||||
// Don't do anything if the session is already authenticated
|
// Don't do anything if the session is already authenticated
|
||||||
if(!in_array(SessionFlags::REGISTRATION_REQUIRED, $session->getFlags()) || !in_array(SessionFlags::AUTHENTICATION_REQUIRED, $session->getFlags()))
|
if(!in_array(SessionFlags::REGISTRATION_REQUIRED, $session->getFlags()) || !in_array(SessionFlags::AUTHENTICATION_REQUIRED, $session->getFlags()))
|
||||||
|
|
@ -435,6 +436,9 @@
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
self::removeFlags($session->getUuid(), $flagsToRemove);
|
||||||
|
$session = self::getSession($session->getUuid());
|
||||||
|
|
||||||
// Check if all registration/authentication requirements are met
|
// Check if all registration/authentication requirements are met
|
||||||
if(SessionFlags::isComplete($session->getFlags()))
|
if(SessionFlags::isComplete($session->getFlags()))
|
||||||
{
|
{
|
||||||
|
|
|
||||||
|
|
@ -228,13 +228,14 @@
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Determines if the server is external.
|
* Determines if the user is considered external by checking if the username is 'host' and the server
|
||||||
|
* is not the same as the domain from the configuration.
|
||||||
*
|
*
|
||||||
* @return bool True if the server is external, false otherwise.
|
* @return bool True if the user is external, false otherwise.
|
||||||
*/
|
*/
|
||||||
public function isExternal(): bool
|
public function isExternal(): bool
|
||||||
{
|
{
|
||||||
return $this->server === 'host';
|
return $this->username === 'host' && $this->server !== Configuration::getInstanceConfiguration()->getDomain();
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
||||||
|
|
@ -260,6 +260,17 @@
|
||||||
return $this->clientVersion;
|
return $this->clientVersion;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns whether the session is external.
|
||||||
|
*
|
||||||
|
* @return bool True if the session is external, false otherwise.
|
||||||
|
* @throws DatabaseOperationException Thrown if the peer record cannot be retrieved.
|
||||||
|
*/
|
||||||
|
public function isExternal(): bool
|
||||||
|
{
|
||||||
|
return RegisteredPeerManager::getPeer($this->peerUuid)->isExternal();
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Converts the current session state into a standard session state object.
|
* Converts the current session state into a standard session state object.
|
||||||
*
|
*
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue