<?php /** * StatusNet, the distributed open-source microblogging tool * * Allow one-time password login * * PHP version 5 * * LICENCE: This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Affero General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU Affero General Public License for more details. * * You should have received a copy of the GNU Affero General Public License * along with this program. If not, see <http://www.gnu.org/licenses/>. * * @category Login * @package StatusNet * @author Evan Prodromou <evan@status.net> * @copyright 2010 StatusNet, Inc. * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html AGPLv3 * @link http://status.net/ */ if (!defined('STATUSNET')) { exit(1); } /** * Allow one-time password login * * This action will automatically log in the user identified by the user_id * parameter. A login_token record must be constructed beforehand, typically * by code where the user is already authenticated. * * @category Login * @package StatusNet * @author Evan Prodromou <evan@status.net> * @copyright 2010 StatusNet, Inc. * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html AGPLv3 * @link http://status.net/ */ class OtpAction extends Action { var $user; var $token; var $rememberme; var $returnto; var $lt; function prepare($args) { parent::prepare($args); if (common_is_real_login()) { $this->clientError(_('Already logged in.')); return false; } $id = $this->trimmed('user_id'); if (empty($id)) { $this->clientError(_('No user ID specified.')); return false; } $this->user = User::staticGet('id', $id); if (empty($this->user)) { $this->clientError(_('No such user.')); return false; } $this->token = $this->trimmed('token'); if (empty($this->token)) { $this->clientError(_('No login token specified.')); return false; } $this->lt = Login_token::staticGet('user_id', $id); if (empty($this->lt)) { $this->clientError(_('No login token requested.')); return false; } if ($this->lt->token != $this->token) { $this->clientError(_('Invalid login token specified.')); return false; } if ($this->lt->modified > time() + Login_token::TIMEOUT) { //token has expired //delete the token as it is useless $this->lt->delete(); $this->lt = null; $this->clientError(_('Login token expired.')); return false; } $this->rememberme = $this->boolean('rememberme'); $this->returnto = $this->trimmed('returnto'); return true; } function handle($args) { parent::handle($args); // success! if (!common_set_user($this->user)) { $this->serverError(_('Error setting user. You are probably not authorized.')); return; } // We're now logged in; disable the lt $this->lt->delete(); $this->lt = null; common_real_login(true); if ($this->rememberme) { common_rememberme($this->user); } if (!empty($this->returnto)) { $url = $this->returnto; // We don't have to return to it again common_set_returnto(null); } else { $url = common_local_url('all', array('nickname' => $this->user->nickname)); } common_redirect($url, 303); } }