Merged auth cookies into one.

This commit is contained in:
flash 2019-02-12 16:26:39 +01:00
parent 6181dd25ef
commit dea897456a
4 changed files with 67 additions and 39 deletions


@ -325,36 +325,46 @@ MIG;
exit;
}
if (isset($_COOKIE['msz_uid'], $_COOKIE['msz_sid'])
&& user_session_start((int)$_COOKIE['msz_uid'], $_COOKIE['msz_sid'])) {
$mszUserId = (int)$_COOKIE['msz_uid'];
if (!empty($_COOKIE['msz_uid']) && !empty($_COOKIE['msz_sid'])
&& ctype_digit($_COOKIE['msz_uid']) && ctype_xdigit($_COOKIE['msz_sid'])
&& strlen($_COOKIE['msz_sid']) === 64) {
$_COOKIE['msz_auth'] = base64url_encode(user_session_cookie_pack($_COOKIE['msz_uid'], $_COOKIE['msz_sid']));
setcookie('msz_auth', $_COOKIE['msz_auth'], strtotime('1 year'), '/', '', true, true);
setcookie('msz_uid', '', -3600, '/', '', true, true);
setcookie('msz_sid', '', -3600, '/', '', true, true);
}
user_bump_last_active($mszUserId);
user_session_bump_active(user_session_current('session_id'));
if (!empty($_COOKIE['msz_auth']) && is_string($_COOKIE['msz_auth'])) {
$cookieData = user_session_cookie_unpack(base64url_decode($_COOKIE['msz_auth']));
$getUserDisplayInfo = db_prepare('
SELECT
u.`user_id`, u.`username`, u.`user_background_settings`,
COALESCE(u.`user_colour`, r.`role_colour`) AS `user_colour`
FROM `msz_users` AS u
LEFT JOIN `msz_roles` AS r
ON u.`display_role` = r.`role_id`
WHERE `user_id` = :user_id
');
$getUserDisplayInfo->bindValue('user_id', $mszUserId);
$userDisplayInfo = db_fetch($getUserDisplayInfo);
if (!empty($cookieData) && user_session_start($cookieData['user_id'], $cookieData['session_token'])) {
user_bump_last_active($cookieData['user_id']);
user_session_bump_active(user_session_current('session_id'));
if ($userDisplayInfo) {
$userDisplayInfo['general_perms'] = perms_get_user(MSZ_PERMS_GENERAL, $userDisplayInfo['user_id']);
$userDisplayInfo['comments_perms'] = perms_get_user(MSZ_PERMS_COMMENTS, $userDisplayInfo['user_id']);
$userDisplayInfo['ban_expiration'] = user_warning_check_expiration($userDisplayInfo['user_id'], MSZ_WARN_BAN);
$userDisplayInfo['silence_expiration'] = $userDisplayInfo['ban_expiration'] > 0 ? 0 : user_warning_check_expiration($userDisplayInfo['user_id'], MSZ_WARN_SILENCE);
$getUserDisplayInfo = db_prepare('
SELECT
u.`user_id`, u.`username`, u.`user_background_settings`,
COALESCE(u.`user_colour`, r.`role_colour`) AS `user_colour`
FROM `msz_users` AS u
LEFT JOIN `msz_roles` AS r
ON u.`display_role` = r.`role_id`
WHERE `user_id` = :user_id
');
$getUserDisplayInfo->bindValue('user_id', $cookieData['user_id']);
$userDisplayInfo = db_fetch($getUserDisplayInfo);
if ($userDisplayInfo) {
$userDisplayInfo['general_perms'] = perms_get_user(MSZ_PERMS_GENERAL, $userDisplayInfo['user_id']);
$userDisplayInfo['comments_perms'] = perms_get_user(MSZ_PERMS_COMMENTS, $userDisplayInfo['user_id']);
$userDisplayInfo['ban_expiration'] = user_warning_check_expiration($userDisplayInfo['user_id'], MSZ_WARN_BAN);
$userDisplayInfo['silence_expiration'] = $userDisplayInfo['ban_expiration'] > 0 ? 0 : user_warning_check_expiration($userDisplayInfo['user_id'], MSZ_WARN_SILENCE);
}
}
}
csrf_init(
config_get_default('insecure', 'CSRF', 'secret_key'),
empty($userDisplayInfo) ? ip_remote_address() : $_COOKIE['msz_sid']
empty($userDisplayInfo) ? ip_remote_address() : $cookieData['session_token']
);
if (!$misuzuBypassLockdown && boolval(config_get_default(false, 'Private', 'enabled'))) {
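Review bot: The reader at `$cookieData = user_session_cookie_unpack(base64url_decode($_COOKIE['msz_auth']));` decodes with the URL-safe variant, but the login path in auth.php issues the cookie with plain `base64_encode`, while the migration branch just above uses `base64url_encode`; whether a freshly issued cookie round-trips depends on how tolerant `base64url_decode` is of `+`, `/` and `=`, which is not visible here, so the three call sites should agree on one encoder. The decode result also goes straight into a `string`-typed parameter; if `base64url_decode` returns `false` on malformed input (as `base64_decode` does in strict mode) and this file runs with `strict_types`, an attacker-controlled cookie turns into a TypeError rather than a rejected session. A defensive form is `$decoded = base64url_decode($_COOKIE['msz_auth']);` followed by `$cookieData = is_string($decoded) ? user_session_cookie_unpack($decoded) : [];`. The migration branch correctly gates on `ctype_digit`/`ctype_xdigit`/length before repacking, so that path is sound.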


@ -45,8 +45,7 @@ switch ($authMode) {
}
if (csrf_verify('logout', $_GET['s'] ?? '')) {
set_cookie_m('uid', '', -3600);
set_cookie_m('sid', '', -3600);
setcookie('msz_auth', '', -3600, '/', '', true, true);
user_session_stop(true);
header(sprintf('Location: %s', url('index')));
return;
@ -260,8 +259,8 @@ MSG;
user_session_start($userData['user_id'], $sessionKey);
$cookieLife = strtotime(user_session_current('session_expires'));
set_cookie_m('uid', $userData['user_id'], $cookieLife);
set_cookie_m('sid', $sessionKey, $cookieLife);
$cookieValue = base64_encode(user_session_cookie_pack($userData['user_id'], $sessionKey));
setcookie('msz_auth', $cookieValue, $cookieLife, '/', '', true, true);
if (!is_local_url($authRedirect)) {
$authRedirect = url('index');
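Review bot: `$cookieValue = base64_encode(user_session_cookie_pack(...))` uses standard base64 while the consumer of this cookie decodes with `base64url_decode` and the migration path encodes with `base64url_encode`; unless `base64url_decode` is known to accept `+`, `/` and padding, this line should be `$cookieValue = base64url_encode(user_session_cookie_pack($userData['user_id'], $sessionKey));`. `user_session_cookie_pack` returns `null` when the token length is wrong, and `base64_encode(null)` yields `''`, so a bad `$sessionKey` would silently set an empty `msz_auth` cookie instead of surfacing an error — worth a guard or assertion. Note also that `setcookie('msz_auth', ..., true, true)` hard-codes the Secure flag where the removed `set_cookie_m` derived it from `$_SERVER['HTTPS']`; that is the safer default, but on a plain-HTTP deployment the auth cookie will never be returned by the browser, so it should be deliberate.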


@ -174,3 +174,35 @@ function user_session_active(): bool
return !empty($GLOBALS[MSZ_SESSION_DATA_STORE])
&& time() < strtotime($GLOBALS[MSZ_SESSION_DATA_STORE]['session_expires']);
}
define('MSZ_SESSION_COOKIE_VERSION', 1);
// make sure to match this to the final fixed size of the cookie string
// it'll pad older tokens out for backwards compatibility
define('MSZ_SESSION_COOKIE_SIZE', 37);
function user_session_cookie_pack(int $userId, string $sessionToken): ?string
{
if (strlen($sessionToken) !== MSZ_SESSION_KEY_SIZE) {
return null;
}
return pack('CNH64', MSZ_SESSION_COOKIE_VERSION, $userId, $sessionToken);
}
function user_session_cookie_unpack(string $packed): array
{
$packed = str_pad($packed, MSZ_SESSION_COOKIE_SIZE, "\x00");
$unpacked = unpack('Cversion/Nuser/H64token', $packed);
if ($unpacked['version'] < 1 || $unpacked['version'] > MSZ_SESSION_COOKIE_VERSION) {
return [];
}
// Make sure this contains all fields with a default for version > 1 exclusive stuff
$data = [
'user_id' => $unpacked['user'],
'session_token' => $unpacked['token'],
];
return $data;
}
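Review bot: `user_session_cookie_pack` validates only the token's length before `pack('CNH64', ...)`; a token of the right length containing non-hex characters makes `pack` emit a warning and produce a corrupted cookie rather than returning `null`, so the guard should be `if (strlen($sessionToken) !== MSZ_SESSION_KEY_SIZE || !ctype_xdigit($sessionToken)) { return null; }` (assuming MSZ_SESSION_KEY_SIZE is 64, the width `H64` expects). On the unpack side, a cookie consisting of the single byte `"\x01"` is padded to 37 zero bytes and passes the version check, yielding `user_id` 0 and an all-zero token that the caller then looks up in the database; rejecting it early with `if ($unpacked['user'] < 1) { return []; }` avoids that round trip, and any bytes beyond the 37th are silently ignored by `unpack`, which is fine but worth stating. A layout comment on the constant would help the next maintainer: `// layout: uint8 version | uint32 BE user_id | 32-byte token (64 hex chars) = 37 bytes`.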


@ -1,17 +1,4 @@
<?php
function set_cookie_m(string $name, string $value, int $expires): void
{
setcookie(
"msz_{$name}",
$value,
$expires,
'/',
'',
!empty($_SERVER['HTTPS']),
true
);
}
function password_entropy(string $password): int
{
return count(count_chars(utf8_decode($password), 1)) * 8;