author | Yorhel <git@yorhel.nl> | 2019-09-30 18:05:28 +0200 |
---|---|---|
committer | Yorhel <git@yorhel.nl> | 2019-09-30 18:05:41 +0200 |
commit | 2d7e855cfb37f35cb2cd0f8f39754002c20c8a7c (patch) | |
tree | b1ff536adee289c3b6e1a56c1f1a71acd1da6c87 /lib/VNWeb/Auth.pm | |
parent | 24e08e0f2caf8dede4a0c8a77b8ede1e13899785 (diff) |
v2rw: Convert login, logout & insecure-password-change forms
The insecure-password-change flow is now slightly more friendly. The
logout functionality has been hardened to use POST and to require a CSRF token.
Diffstat (limited to 'lib/VNWeb/Auth.pm')
-rw-r--r-- | lib/VNWeb/Auth.pm | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/lib/VNWeb/Auth.pm b/lib/VNWeb/Auth.pm
index a10fb256..35840680 100644
--- a/lib/VNWeb/Auth.pm
+++ b/lib/VNWeb/Auth.pm
@@ -128,7 +128,7 @@ sub _encpass {
 # Arguments: self, uid, encpass
 # Returns: 0 on error, 1 on success
 sub _create_session {
- my($self, $uid, $encpass) = @_;
+ my($self, $uid, $encpass, $pretend) = @_;
 my $token = urandom 20;
 my $token_db = sha1_hex $token;
@@ -136,8 +136,12 @@ sub _create_session {
 sql_func(user_login => \$uid, sql_fromhex($encpass), sql_fromhex $token_db)
 );
- tuwf->resCookie(auth => unpack('H*', $token).'.'.$uid, httponly => 1, expires => time + 31536000);
- $self->_load_session($uid, $token_db);
+ if($pretend) {
+ tuwf->dbExeci('SELECT', sql_func user_logout => \$uid, sql_fromhex $token_db);
+ } else {
+ tuwf->resCookie(auth => unpack('H*', $token).'.'.$uid, httponly => 1, expires => time + 31536000);
+ $self->_load_session($uid, $token_db);
+ }
 return 1;
 }
@@ -180,15 +184,17 @@ sub new {
 # Returns 1 on success, 0 on failure
+# When $pretend is true, it only tests if the user/pass combination is correct,
+# but doesn't actually create a session.
 sub login {
- my($self, $user, $pass) = @_;
+ my($self, $user, $pass, $pretend) = @_;
 return 0 if $self->uid || !$user || !$pass;
 my $uid = tuwf->dbVali('SELECT id FROM users WHERE username =', \$user);
 return 0 if !$uid;
 my $encpass = $self->_encpass($uid, $pass);
 return 0 if !$encpass;
- $self->_create_session($uid, $encpass);
+ $self->_create_session($uid, $encpass, $pretend);
 } |
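Review bot: The header comment of `_create_session` in this hunk still reads `# Arguments: self, uid, encpass` while the new signature on the `+` line takes a fourth `$pretend` argument, so the documentation no longer matches the interface. The verify-only mode is only documented at the `login` call site, and a reader of `_create_session` itself gets no hint that the function may deliberately not leave a session behind. I would change the header to `# Arguments: self, uid, encpass, pretend (optional; when true the credentials are only verified: no cookie is set and no session is kept)` and keep the `# Returns:` line as is. The body of `_create_session` continues past the end of this hunk.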
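Review bot: The `$pretend` branch does not avoid creating a session; it creates one through `user_login` (that statement begins above the hunk, so I cannot see whether its result is checked) and then removes it with `user_logout`, which contradicts the "doesn't actually create a session" wording added at `login` and leaves a window in which a valid session row exists. The token is 20 random bytes that this branch never places in a cookie, so an orphaned row left behind when the `user_logout` statement fails or the request dies in between is not reachable by a client, but that reasoning lives only in the reviewer's head; I would record it in the branch: `# Verification only: user_login already inserted a session, so discard it again; the token is never sent, so a failure here leaves only an unreachable session row.` It is also worth confirming whether `user_login` has side effects beyond the session row (a last-login timestamp, for instance) that `user_logout` does not undo, since a password check should ideally be side-effect free; the SQL functions are not visible here. `_create_session` starts outside this hunk.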