Redirect to a one-time-password when ssl and regular server are different

This commit is contained in:
Evan Prodromou 2010-01-08 17:20:25 -08:00
parent f396701b64
commit ed5828f30e
5 changed files with 233 additions and 63 deletions

View File

@ -76,15 +76,10 @@ class LoginAction extends Action
{ {
parent::handle($args); parent::handle($args);
$disabled = common_config('logincommand','disabled');
$disabled = isset($disabled) && $disabled;
if (common_is_real_login()) { if (common_is_real_login()) {
$this->clientError(_('Already logged in.')); $this->clientError(_('Already logged in.'));
} else if ($_SERVER['REQUEST_METHOD'] == 'POST') { } else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$this->checkLogin(); $this->checkLogin();
} else if (!$disabled && isset($args['user_id']) && isset($args['token'])){
$this->checkLogin($args['user_id'],$args['token']);
} else { } else {
common_ensure_session(); common_ensure_session();
$this->showForm(); $this->showForm();
@ -103,30 +98,6 @@ class LoginAction extends Action
function checkLogin($user_id=null, $token=null) function checkLogin($user_id=null, $token=null)
{ {
if(isset($token) && isset($user_id)){
//Token based login (from the LoginCommand)
$login_token = Login_token::staticGet('user_id',$user_id);
if($login_token && $login_token->token == $token){
if($login_token->modified > time()+2*60){
//token has expired
//delete the token as it is useless
$login_token->delete();
$this->showForm(_('Invalid or expired token.'));
return;
}else{
//delete the token so it cannot be reused
$login_token->delete();
//it's a valid token - let them log in
$user = User::staticGet('id', $user_id);
//$user = User::staticGet('nickname', "candrews");
}
}else{
$this->showForm(_('Invalid or expired token.'));
return;
}
}else{
// Regular form submission login
// XXX: login throttle // XXX: login throttle
// CSRF protection - token set in NoticeForm // CSRF protection - token set in NoticeForm
@ -141,7 +112,6 @@ class LoginAction extends Action
$password = $this->arg('password'); $password = $this->arg('password');
$user = common_check_user($nickname, $password); $user = common_check_user($nickname, $password);
}
if (!$user) { if (!$user) {
$this->showForm(_('Incorrect username or password.')); $this->showForm(_('Incorrect username or password.'));
@ -162,6 +132,12 @@ class LoginAction extends Action
$url = common_get_returnto(); $url = common_get_returnto();
if (common_config('ssl', 'sometimes') && // mixed environment
common_config('site', 'server') != common_config('site', 'sslserver')) {
$this->redirectFromSSL($user, $url, $this->boolean('rememberme'));
return;
}
if ($url) { if ($url) {
// We don't have to return to it again // We don't have to return to it again
common_set_returnto(null); common_set_returnto(null);
@ -306,4 +282,31 @@ class LoginAction extends Action
$nav = new LoginGroupNav($this); $nav = new LoginGroupNav($this);
$nav->show(); $nav->show();
} }
function redirectFromSSL($user, $returnto, $rememberme)
{
try {
$login_token = Login_token::makeNew($user);
} catch (Exception $e) {
$this->serverError($e->getMessage());
return;
}
$params = array();
if (!empty($returnto)) {
$params['returnto'] = $returnto;
}
if (!empty($rememberme)) {
$params['rememberme'] = $rememberme;
}
$target = common_local_url('otp',
array('user_id' => $login_token->user_id,
'token' => $login_token->token),
$params);
common_redirect($target, 303);
}
} }

145
actions/otp.php Normal file
View File

@ -0,0 +1,145 @@
<?php
/**
* StatusNet, the distributed open-source microblogging tool
*
* Allow one-time password login
*
* PHP version 5
*
* LICENCE: This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* @category Login
* @package StatusNet
* @author Evan Prodromou <evan@status.net>
* @copyright 2010 StatusNet, Inc.
* @license http://www.fsf.org/licensing/licenses/agpl-3.0.html AGPLv3
* @link http://status.net/
*/
if (!defined('STATUSNET')) {
exit(1);
}
/**
* Allow one-time password login
*
* This action will automatically log in the user identified by the user_id
* parameter. A login_token record must be constructed beforehand, typically
* by code where the user is already authenticated.
*
* @category Login
* @package StatusNet
* @author Evan Prodromou <evan@status.net>
* @copyright 2010 StatusNet, Inc.
* @license http://www.fsf.org/licensing/licenses/agpl-3.0.html AGPLv3
* @link http://status.net/
*/
class OtpAction extends Action
{
var $user;
var $token;
var $rememberme;
var $returnto;
var $lt;
function prepare($args)
{
parent::prepare($args);
if (common_is_real_login()) {
$this->clientError(_('Already logged in.'));
return false;
}
$id = $this->trimmed('user_id');
if (empty($id)) {
$this->clientError(_('No user ID specified.'));
return false;
}
$this->user = User::staticGet('id', $id);
if (empty($this->user)) {
$this->clientError(_('No such user.'));
return false;
}
$this->token = $this->trimmed('token');
if (empty($this->token)) {
$this->clientError(_('No login token specified.'));
return false;
}
$this->lt = Login_token::staticGet('user_id', $id);
if (empty($this->lt)) {
$this->clientError(_('No login token requested.'));
return false;
}
if ($this->lt->token != $this->token) {
$this->clientError(_('Invalid login token specified.'));
return false;
}
if ($this->lt->modified > time() + Login_token::TIMEOUT) {
//token has expired
//delete the token as it is useless
$this->lt->delete();
$this->lt = null;
$this->clientError(_('Login token expired.'));
return false;
}
$this->rememberme = $this->boolean('rememberme');
$this->returnto = $this->trimmed('returnto');
return true;
}
function handle($args)
{
parent::handle($args);
// success!
if (!common_set_user($this->user)) {
$this->serverError(_('Error setting user. You are probably not authorized.'));
return;
}
// We're now logged in; disable the lt
$this->lt->delete();
$this->lt = null;
if ($this->rememberme) {
common_rememberme($this->user);
}
if (!empty($this->returnto)) {
$url = $this->returnto;
// We don't have to return to it again
common_set_returnto(null);
} else {
$url = common_local_url('all',
array('nickname' =>
$this->user->nickname));
}
common_redirect($url, 303);
}
}

View File

@ -40,6 +40,8 @@ class Login_token extends Memcached_DataObject
/* the code above is auto generated do not remove the tag below */ /* the code above is auto generated do not remove the tag below */
###END_AUTOCODE ###END_AUTOCODE
const TIMEOUT = 120; // seconds after which to timeout the token
/* /*
DB_DataObject calculates the sequence key(s) by taking the first key returned by the keys() function. DB_DataObject calculates the sequence key(s) by taking the first key returned by the keys() function.
In this case, the keys() function returns user_id as the first key. user_id is not a sequence, but In this case, the keys() function returns user_id as the first key. user_id is not a sequence, but
@ -52,4 +54,29 @@ class Login_token extends Memcached_DataObject
{ {
return array(false,false); return array(false,false);
} }
function makeNew($user)
{
$login_token = Login_token::staticGet('user_id', $user->id);
if (!empty($login_token)) {
$login_token->delete();
}
$login_token = new Login_token();
$login_token->user_id = $user->id;
$login_token->token = common_good_rand(16);
$login_token->created = common_sql_now();
$result = $login_token->insert();
if (!$result) {
common_log_db_error($login_token, 'INSERT', __FILE__);
throw new Exception(sprintf(_('Could not create login token for %s'),
$user->nickname));
}
return $login_token;
}
} }

View File

@ -650,25 +650,17 @@ class LoginCommand extends Command
$channel->error($this->user, _('Login command is disabled')); $channel->error($this->user, _('Login command is disabled'));
return; return;
} }
$login_token = Login_token::staticGet('user_id',$this->user->id);
if($login_token){ try {
$login_token->delete(); $login_token = Login_token::makeNew($this->user);
} } catch (Exception $e) {
$login_token = new Login_token(); $channel->error($this->user, $e->getMessage());
$login_token->user_id = $this->user->id;
$login_token->token = common_good_rand(16);
$login_token->created = common_sql_now();
$result = $login_token->insert();
if (!$result) {
common_log_db_error($login_token, 'INSERT', __FILE__);
$channel->error($this->user, sprintf(_('Could not create login token for %s'),
$this->user->nickname));
return;
} }
$channel->output($this->user, $channel->output($this->user,
sprintf(_('This link is useable only once, and is good for only 2 minutes: %s'), sprintf(_('This link is useable only once, and is good for only 2 minutes: %s'),
common_local_url('login', common_local_url('otp',
array('user_id'=>$login_token->user_id, 'token'=>$login_token->token)))); array('user_id' => $login_token->user_id, 'token' => $login_token->token))));
} }
} }

View File

@ -88,7 +88,10 @@ class Router
$m->connect('doc/:title', array('action' => 'doc')); $m->connect('doc/:title', array('action' => 'doc'));
$m->connect('main/login?user_id=:user_id&token=:token', array('action'=>'login'), array('user_id'=> '[0-9]+', 'token'=>'.+')); $m->connect('main/otp/:user_id/:token',
array('action' => 'otp'),
array('user_id' => '[0-9]+',
'token' => '.+'));
// main stuff is repetitive // main stuff is repetitive