diff options
author | Yorhel <git@yorhel.nl> | 2016-01-10 11:05:59 +0100 |
---|---|---|
committer | Yorhel <git@yorhel.nl> | 2016-01-10 11:18:39 +0100 |
commit | 8994032a68da279acdcc22963d7d6eda2d0e59f8 (patch) | |
tree | 95d94a0ad55ed66f889f13c72f583b19b3c5419f /lib/VNDB/Util/Auth.pm | |
parent | 48bbb8d0c3b121568c580dfd7c78f9dd0528cd8a (diff) |
Require current password on /u+/edit + only hash password once on /u+/setpass
Diffstat (limited to 'lib/VNDB/Util/Auth.pm')
-rw-r--r-- | lib/VNDB/Util/Auth.pm | 35 |
1 files changed, 22 insertions, 13 deletions
diff --git a/lib/VNDB/Util/Auth.pm b/lib/VNDB/Util/Auth.pm index 0c3b5b73..9c742dc7 100644 --- a/lib/VNDB/Util/Auth.pm +++ b/lib/VNDB/Util/Auth.pm @@ -14,7 +14,7 @@ use VNDB::Func; our @EXPORT = qw| - authInit authLogin authLogout authInfo authCan authPreparePass + authInit authLogin authLogout authInfo authCan authPreparePass authCreateSession authCheck authPrepareReset authValidateReset authGetCode authCheckCode authPref |; @@ -50,18 +50,10 @@ sub authInit { # login, arguments: user, password, url-to-redirect-to-on-success # returns 1 on success (redirected), 0 otherwise (no reply sent) sub authLogin { - my $self = shift; - my $user = lc(scalar shift); - my $pass = shift; - my $to = shift; - - if(_authCheck($self, $user, $pass)) { - my $token = urandom(20); - my $cookie = unpack('H*', $token).'.'.$self->{_auth}{id}; - $self->dbSessionAdd($self->{_auth}{id}, sha1 $token); + my($self, $user, $pass, $to) = @_; - $self->resRedirect($to, 'post'); - $self->resCookie(auth => $cookie, httponly => 1, expires => time + 31536000); # keep the cookie for 1 year + if($self->authCheck($user, $pass)) { + $self->authCreateSession($user, $to); return 1; } @@ -69,6 +61,23 @@ sub authLogin { } +# Args: user, url-to-redirect-to-on-success +# Should only be called if the user is already authenticated (i.e. after authCheck or when the user just confirmed his email address). +sub authCreateSession { + my($self, $user, $to) = @_; + + $self->{_auth} = $self->dbUserGet(username => $user, what => 'extended notifycount')->[0] if $user; + die "No valid user!" if !$self->{_auth}{id}; + + my $token = urandom(20); + my $cookie = unpack('H*', $token).'.'.$self->{_auth}{id}; + $self->dbSessionAdd($self->{_auth}{id}, sha1 $token); + + $self->resRedirect($to, 'post'); + $self->resCookie(auth => $cookie, httponly => 1, expires => time + 31536000); # keep the cookie for 1 year +} + + # clears authentication cookie and redirects to / sub authLogout { my $self = shift; @@ -104,7 +113,7 @@ sub authCan { # Checks for a valid login and writes information in _auth # Arguments: user, pass # Returns: 1 if login is valid, 0 otherwise -sub _authCheck { +sub authCheck { my($self, $user, $pass) = @_; return 0 if !$user || length($user) > 15 || length($user) < 2 || !$pass; |