/trunk/doc/developer_notes/server_secret.md |
---|
11,7 → 11,7 |
Derivation of secrets and auth keys |
----------------------------------- |
Important: The usage of `OIDplus::baseConfig()->getValue("SERVER_SECRET")` |
The usage of `OIDplus::baseConfig()->getValue("SERVER_SECRET")` |
is deprecated due to security considerations. |
Instead, please always use `OIDplus::authUtils()->makeSecret()` |
22,58 → 22,49 |
use `OIDplus::authUtils()->makeAuthKey()` |
with a unique `$data` argument (prefer a GUID) |
in combination with `OIDplus::authUtils()->validateAuthKey()`. |
This auth key is NOT temporary by default so you need to make sure |
that you encode a timestamp in it. |
An auth key is usually temporary; therefore `makeAuthKey` encodes a timestamp |
which can be checked by `validateAuthKey` by providing |
a validity period in seconds. |
Implementation |
-------------- |
`makeAuthKey(data) = makeSecret(data) = sha3_512_hmac(data, "OIDplus:" + SERVER_SECRET)` |
Currently, the implementation of `makeAuthKey` and `makeSecret` |
is the same, but you should only use `makeAuthKey` |
if you combine it with `validateAuthKey`, otherwise, you |
should use `makeSecret`. This makes the code easier to understand. |
Where are makeAuthKey and makeSecret being used? |
------------------------------------------------ |
System / Core: |
- Auth content Store (OIDplusAuthContentStoreJWT.class.php): |
Key to sign JWT tokens (used for Automated AJAX requests, REST API and logins with "Remember me") using PBKDF2+HMAC |
Key to sign JWT tokens (used for Automated AJAX requests, REST API and logins with "Remember me") |
* If a private/public key pair exists: Sign the JWT using that private key. |
* Otherwise sign it with: |
`JWT = HS512(hash_pbkdf2("sha512", OIDplus::authUtils()->makeSecret("0be35e52-f4ef-11ed-b67e-3c4a92df8582"), "", 10000, 64/*256bit*/, false))` |
* Otherwise sign it using PBKDF2+HMAC: |
`JWT = HS512(hash_pbkdf2("sha512", OIDplus::authUtils()->makeSecret(["0be35e52-f4ef-11ed-b67e-3c4a92df8582"]), "", 10000, 64/*256bit*/, false))` |
- Session Handler (OIDplusSessionHandler.class.php): |
Encryption of session contents (regular logins) |
* if OpenSSL is installed: sha512-pbkdf2 + AES-256-CBC + sha3-512-hmac |
* if OpenSSL is not installed: sha3-512-hmac |
* In both cases, the key is `OIDplus::authUtils()->makeSecret("b118abc8-f4ec-11ed-86ca-3c4a92df8582")`. |
* In both cases, the key is `OIDplus::authUtils()->makeSecret(["b118abc8-f4ec-11ed-86ca-3c4a92df8582"])`. |
Temporary auth keys (sent via email etc.): |
* used at plugin forgot RA password (public/091): |
`makeAuthKey("93a16dbe-f4fb-11ed-b67e-3c4a92df8582:" + email + "/" + timestamp)` |
`makeAuthKey(["93a16dbe-f4fb-11ed-b67e-3c4a92df8582", email])` |
* used at plugin ViaThinkSoft FreeOID activation (public/200): |
`makeAuthKey("40c87e20-f4fb-11ed-86ca-3c4a92df8582:" + email + "/" + timestamp)` |
`makeAuthKey(["40c87e20-f4fb-11ed-86ca-3c4a92df8582", email])` |
* used at plugin invite RA (ra/092): |
`makeAuthKey("ed840c3e-f4fa-11ed-b67e-3c4a92df8582:" + email + "/" + timestamp)` |
`makeAuthKey(["ed840c3e-f4fa-11ed-b67e-3c4a92df8582", email])` |
* used at plugin change RA email (ra/102): |
`makeAuthKey("5ef24124-f4fb-11ed-b67e-3c4a92df8582:" + old_email + "/" + new_email + "/" + timestamp)` |
`makeAuthKey(["5ef24124-f4fb-11ed-b67e-3c4a92df8582", old_email, new_email])` |
Plugin OID-IP (public/100): |
- Authentication token for hidden OIDs = `smallhash(OIDplus::authUtils()->makeSecret("d8f44c7c-f4e9-11ed-86ca-3c4a92df8582:" + id))` |
- Authentication token for hidden OIDs = `smallhash(OIDplus::authUtils()->makeSecret(["d8f44c7c-f4e9-11ed-86ca-3c4a92df8582", id]))` |
Plugin VNag version check (admin/901): |
- Webreader password = `OIDplus::authUtils()->makeSecret("65d9f488-f4eb-11ed-b67e-3c4a92df8582")` |
- Webreader password = `OIDplus::authUtils()->makeSecret(["65d9f488-f4eb-11ed-b67e-3c4a92df8582"])` |
Plugin RDAP (frdl): |
- `OIDplus::authUtils()->makeSecret("cee75760-f4f8-11ed-b67e-3c4a92df8582")` is used to generate a cache filename |
- `OIDplus::authUtils()->makeSecret(["cee75760-f4f8-11ed-b67e-3c4a92df8582"])` is used to generate a cache filename |
Plugin VTS Client Challenge Captcha: |
- Challenge integrity : `OIDplus::authUtils()->makeAuthKey("797bfc34-f4fa-11ed-86ca-3c4a92df8582:" + challenge)` |
- Cache filename : `"vts_client_challenge_" + OIDplus::authUtils()->makeSecret("461f4a9e-f4fa-11ed-86ca-3c4a92df8582:" + ipTarget + "/" + random) + ".tmp"` |
- Challenge integrity : `OIDplus::authUtils()->makeAuthKey(["797bfc34-f4fa-11ed-86ca-3c4a92df8582", challenge])` |
- Cache filename : `"vts_client_challenge_" + OIDplus::authUtils()->makeSecret(["461f4a9e-f4fa-11ed-86ca-3c4a92df8582", ipTarget, random]) + ".tmp"` |
GUID Registry |
------------- |
The "real GUIDs" are documented at the [ViaThinkSoft OIDplus Registration Authority](https://oidplus.viathinksoft.com/oidplus/?goto=guid%3Aoidplus%2FauthRealms). |
The "realm GUIDs" are documented at the [ViaThinkSoft OIDplus Registration Authority](https://oidplus.viathinksoft.com/oidplus/?goto=guid%3Aoidplus%2FauthRealms). |
/trunk/includes/classes/OIDplusAuthContentStoreJWT.class.php |
---|
414,7 → 414,7 |
$k = new \Firebase\JWT\Key($pubKey, 'RS256'); // RSA+SHA256 ist hardcoded in getPkiStatus() generation |
$this->content = (array) \Firebase\JWT\JWT::decode($jwt, $k); |
} else { |
$key = OIDplus::authUtils()->makeSecret('0be35e52-f4ef-11ed-b67e-3c4a92df8582'); |
$key = OIDplus::authUtils()->makeSecret(['0be35e52-f4ef-11ed-b67e-3c4a92df8582']); |
$key = hash_pbkdf2('sha512', $key, '', 10000, 32/*256bit*/, false); |
$k = new \Firebase\JWT\Key($key, 'HS512'); // HMAC+SHA512 is hardcoded here |
$this->content = (array) \Firebase\JWT\JWT::decode($jwt, $k); |
436,7 → 436,7 |
$privKey = OIDplus::getSystemPrivateKey(); |
return \Firebase\JWT\JWT::encode($payload, $privKey, 'RS256'); // RSA+SHA256 ist hardcoded in getPkiStatus() generation |
} else { |
$key = OIDplus::authUtils()->makeSecret('0be35e52-f4ef-11ed-b67e-3c4a92df8582'); |
$key = OIDplus::authUtils()->makeSecret(['0be35e52-f4ef-11ed-b67e-3c4a92df8582']); |
$key = hash_pbkdf2('sha512', $key, '', 10000, 32/*256bit*/, false); |
return \Firebase\JWT\JWT::encode($payload, $key, 'HS512'); // HMAC+SHA512 is hardcoded here |
} |
/trunk/includes/classes/OIDplusAuthUtils.class.php |
---|
383,32 → 383,48 |
// Authentication keys for generating secrets or validating arguments (e.g. sent by mail) |
/** |
* @param string $data |
* @param array|string $data |
* @return string |
* @throws OIDplusException |
*/ |
public function makeSecret(string $data): string { |
public function makeSecret($data): string { |
if (!is_array($data)) $data = [$data]; |
$data = json_encode($data); |
return sha3_512_hmac($data, 'OIDplus:'.OIDplus::baseConfig()->getValue('SERVER_SECRET'), false); |
} |
/** |
* @param string $data |
* @return string |
* @param array|string $data Arbitary data to be validated later |
* @return string A string that need to be validated with validateAuthKey |
* @throws OIDplusException |
*/ |
public function makeAuthKey(string $data): string { |
return $this->makeSecret($data); |
public function makeAuthKey($data): string { |
if (!is_array($data)) $data = [$data]; |
$ts = time(); |
$data_ext = [$ts, $data]; |
$secret = $this->makeSecret($data_ext); |
return $ts.'.'.$secret; |
} |
/** |
* @param string $data |
* @param string $auth_key |
* @return bool |
* @param array|string $data The original data that had been passed to makeAuthKey() |
* @param string $auth_key The result from makeAuthKey() |
* @param int $valid_secs How many seconds is the auth key valid? (-1 for infinite) |
* @return bool True if the key is valid and not expired. |
* @throws OIDplusException |
*/ |
public function validateAuthKey(string $data, string $auth_key): bool { |
return hash_equals($this->makeAuthKey($data), $auth_key); |
public function validateAuthKey($data, string $auth_key, int $valid_secs=-1): bool { |
$auth_key_ary = explode('.', $auth_key, 2); |
if (count($auth_key_ary) != 2) return false; // invalid auth key syntax |
list($ts, $secret) = $auth_key_ary; |
if (!is_numeric($ts)) return false; // invalid auth key syntax |
if ($valid_secs >= 0) { |
if (time() > ($ts+$valid_secs)) return false; // expired auth key |
} |
if (!is_array($data)) $data = [$data]; |
$data_ext = [(int)$ts, $data]; |
return hash_equals($this->makeSecret($data_ext), $secret); |
} |
// "Veto" functions to force logout state |
/trunk/includes/classes/OIDplusSessionHandler.class.php |
---|
40,7 → 40,7 |
*/ |
public function __construct() { |
$this->sessionLifetime = OIDplus::baseConfig()->getValue('SESSION_LIFETIME', 30*60); |
$this->secret = OIDplus::authUtils()->makeSecret('b118abc8-f4ec-11ed-86ca-3c4a92df8582'); |
$this->secret = OIDplus::authUtils()->makeSecret(['b118abc8-f4ec-11ed-86ca-3c4a92df8582']); |
// **PREVENTING SESSION HIJACKING** |
// Prevents javascript XSS attacks aimed to steal the session ID |
/trunk/plugins/frdl/publicPages/1276945_rdap/OIDplusRDAP.class.php |
---|
81,7 → 81,7 |
$cacheFile = $this->rdapCacheDir. 'rdap_' |
.sha1(\get_current_user() |
. $this->rdapBaseUri.__FILE__.$query |
.OIDplus::authUtils()->makeSecret('cee75760-f4f8-11ed-b67e-3c4a92df8582') |
.OIDplus::authUtils()->makeSecret(['cee75760-f4f8-11ed-b67e-3c4a92df8582']) |
) |
.'.' |
.strlen( $this->rdapBaseUri.$query ) |
/trunk/plugins/viathinksoft/adminPages/901_vnag_version_check/OIDplusPageAdminVNagVersionCheck.class.php |
---|
142,7 → 142,7 |
* @throws OIDplusException |
*/ |
public static function vnag_password(): string { |
return OIDplus::authUtils()->makeSecret('65d9f488-f4eb-11ed-b67e-3c4a92df8582'); |
return OIDplus::authUtils()->makeSecret(['65d9f488-f4eb-11ed-b67e-3c4a92df8582']); |
} |
} |
/trunk/plugins/viathinksoft/captcha/vts_challenge/OIDplusCaptchaPluginVtsClientChallenge.class.php |
---|
65,7 → 65,7 |
$random = mt_rand($min,$max); |
$ip_target = $_SERVER['REMOTE_ADDR'] ?? 'unknown'; |
$challenge = sha3_512($starttime.'/'.$ip_target.'/'.$random); // $random is secret! |
$challenge_integrity = OIDplus::authUtils()->makeAuthKey('797bfc34-f4fa-11ed-86ca-3c4a92df8582:'.$challenge); |
$challenge_integrity = OIDplus::authUtils()->makeAuthKey(['797bfc34-f4fa-11ed-86ca-3c4a92df8582',$challenge]); |
$send_to_client = array($starttime, $ip_target, $challenge, $min, $max, $challenge_integrity); |
$open_trans_file = self::getOpenTransFileName($ip_target, $random); |
102,7 → 102,7 |
@unlink($file); |
} |
return $dir.'/vts_client_challenge_'.OIDplus::authUtils()->makeSecret('461f4a9e-f4fa-11ed-86ca-3c4a92df8582:'.$ip_target.'/'.$random).'.tmp'; |
return $dir.'/vts_client_challenge_'.OIDplus::authUtils()->makeSecret(['461f4a9e-f4fa-11ed-86ca-3c4a92df8582',$ip_target,$random]).'.tmp'; |
} |
/** |
149,10 → 149,10 |
$current_ip = ($_SERVER['REMOTE_ADDR'] ?? 'unknown'); |
if ($ip_target != $current_ip) { |
throw new OIDplusException(_L('IP address has changed. Please try again. (current IP %1, expected %2)', $current_ip, $ip_target)); |
} else if (time()-$starttime > OIDplus::baseConfig()->getValue('VTS_CAPTCHA_MAXTIME', 10*60/*10 minutes*/)) { |
throw new OIDplusException(_L('Challenge expired. Please try again.')); |
} else if (!OIDplus::authUtils()->validateAuthKey('797bfc34-f4fa-11ed-86ca-3c4a92df8582:'.$challenge, $challenge_integrity)) { |
throw new OIDplusException(_L('Challenge integrity failed')); |
//} else if (time()-$starttime > OIDplus::baseConfig()->getValue('VTS_CAPTCHA_MAXTIME', 10*60/*10 minutes*/)) { |
// throw new OIDplusException(_L('Challenge expired. Please try again.')); |
} else if (!OIDplus::authUtils()->validateAuthKey(['797bfc34-f4fa-11ed-86ca-3c4a92df8582',$challenge],$challenge_integrity,OIDplus::baseConfig()->getValue('VTS_CAPTCHA_MAXTIME', 10*60/*10 minutes*/))) { |
throw new OIDplusException(_L('Invalid or expired authentication key')); |
} else if ($challenge !== sha3_512($starttime.'/'.$ip_target.'/'.$answer)) { |
throw new OIDplusException(_L('Wrong answer')); |
} else if (!file_exists($open_trans_file)) { |
/trunk/plugins/viathinksoft/language/dede/messages.xml |
---|
382,14 → 382,6 |
</message> |
<message> |
<source><![CDATA[ |
Activation link expired! |
]]></source> |
<target><![CDATA[ |
Aktivierungs-Link ist abgelaufen! |
]]></target> |
</message> |
<message> |
<source><![CDATA[ |
Add a file attachment |
]]></source> |
<target><![CDATA[ |
1158,22 → 1150,6 |
</message> |
<message> |
<source><![CDATA[ |
Challenge expired. Please try again. |
]]></source> |
<target><![CDATA[ |
Challenge abgelaufen. Bitte noch einmal versuchen. |
]]></target> |
</message> |
<message> |
<source><![CDATA[ |
Challenge integrity failed |
]]></source> |
<target><![CDATA[ |
Challenge ist möglicherweise manipuliert worden |
]]></target> |
</message> |
<message> |
<source><![CDATA[ |
Challenge response is invalid |
]]></source> |
<target><![CDATA[ |
3438,14 → 3414,6 |
</message> |
<message> |
<source><![CDATA[ |
Invalid auth key |
]]></source> |
<target><![CDATA[ |
Ungültiger Authentifizierungs-Schlüssel |
]]></target> |
</message> |
<message> |
<source><![CDATA[ |
Invalid auth plugin name. It is usually the folder name, without path, e.g. "%1" |
]]></source> |
<target><![CDATA[ |
3518,6 → 3486,14 |
</message> |
<message> |
<source><![CDATA[ |
Invalid or expired authentication key |
]]></source> |
<target><![CDATA[ |
Ungültiger oder abgelaufener Sicherheitsschlüssel |
]]></target> |
</message> |
<message> |
<source><![CDATA[ |
Invalid protection flag, use OIDplusConfig::PROTECTION_* constants |
]]></source> |
<target><![CDATA[ |
3550,14 → 3526,6 |
</message> |
<message> |
<source><![CDATA[ |
Invitation expired! |
]]></source> |
<target><![CDATA[ |
Einladung abgelaufen! |
]]></target> |
</message> |
<message> |
<source><![CDATA[ |
Invitations are disabled by the administrator. |
]]></source> |
<target><![CDATA[ |
/trunk/plugins/viathinksoft/publicPages/091_forgot_password/OIDplusPagePublicForgotPassword.class.php |
---|
45,8 → 45,7 |
OIDplus::logger()->log("V2:[WARN]RA(%1)", "A new password for '%1' was requested (forgot password)", $email); |
$timestamp = time(); |
$activate_url = OIDplus::webpath(null,OIDplus::PATH_ABSOLUTE_CANONICAL) . '?goto='.urlencode('oidplus:reset_password$'.$email.'$'.$timestamp.'$'.OIDplus::authUtils()->makeAuthKey('93a16dbe-f4fb-11ed-b67e-3c4a92df8582:'.$email.'/'.$timestamp)); |
$activate_url = OIDplus::webpath(null,OIDplus::PATH_ABSOLUTE_CANONICAL) . '?goto='.urlencode('oidplus:reset_password$'.$email.'$'.OIDplus::authUtils()->makeAuthKey(['93a16dbe-f4fb-11ed-b67e-3c4a92df8582',$email])); |
$message = $this->getForgotPasswordText($params['email']); |
$message = str_replace('{{ACTIVATE_URL}}', $activate_url, $message); |
61,22 → 60,16 |
_CheckParamExists($params, 'password2'); |
_CheckParamExists($params, 'email'); |
_CheckParamExists($params, 'auth'); |
_CheckParamExists($params, 'timestamp'); |
$password1 = $params['password1']; |
$password2 = $params['password2']; |
$email = $params['email']; |
$auth = $params['auth']; |
$timestamp = $params['timestamp']; |
if (!OIDplus::authUtils()->validateAuthKey('93a16dbe-f4fb-11ed-b67e-3c4a92df8582:'.$email.'/'.$timestamp, $auth)) { |
throw new OIDplusException(_L('Invalid auth key')); |
if (!OIDplus::authUtils()->validateAuthKey(['93a16dbe-f4fb-11ed-b67e-3c4a92df8582',$email], $auth, OIDplus::config()->getValue('max_ra_pwd_reset_time',-1))) { |
throw new OIDplusException(_L('Invalid or expired authentication key')); |
} |
if ((OIDplus::config()->getValue('max_ra_pwd_reset_time') > 0) && (time()-$timestamp > OIDplus::config()->getValue('max_ra_pwd_reset_time'))) { |
throw new OIDplusException(_L('Invitation expired!')); |
} |
if ($password1 !== $password2) { |
throw new OIDplusException(_L('Passwords do not match')); |
} |
143,13 → 136,12 |
$handled = true; |
$email = explode('$',$id)[1]; |
$timestamp = explode('$',$id)[2]; |
$auth = explode('$',$id)[3]; |
$auth = explode('$',$id)[2]; |
$out['title'] = _L('Reset password'); |
$out['icon'] = OIDplus::webpath(__DIR__,OIDplus::PATH_RELATIVE).'img/reset_password_icon.png'; |
if (!OIDplus::authUtils()->validateAuthKey('reset_password;'.$email.';'.$timestamp, $auth)) { |
if (!OIDplus::authUtils()->validateAuthKey(['93a16dbe-f4fb-11ed-b67e-3c4a92df8582',$email], $auth, OIDplus::config()->getValue('max_ra_pwd_reset_time',-1))) { |
throw new OIDplusException(_L('Invalid authorization. Is the URL OK?'), $out['title']); |
} else { |
$out['text'] = '<p>'._L('E-Mail-Address: %1','<b>'.$email.'</b>').'</p> |
156,7 → 148,6 |
<form id="resetPasswordForm" action="javascript:void(0);" onsubmit="return OIDplusPagePublicForgotPassword.resetPasswordFormOnSubmit();"> |
<input type="hidden" id="email" value="'.htmlentities($email).'"/> |
<input type="hidden" id="timestamp" value="'.htmlentities($timestamp).'"/> |
<input type="hidden" id="auth" value="'.htmlentities($auth).'"/> |
<div><label class="padding_label">'._L('New password').':</label><input type="password" id="password1" value=""/></div> |
<div><label class="padding_label">'._L('Repeat').':</label><input type="password" id="password2" value=""/></div> |
/trunk/plugins/viathinksoft/publicPages/100_whois/OIDplusPagePublicWhois.class.php |
---|
233,6 → 233,6 |
* @throws OIDplusException |
*/ |
public static function genWhoisAuthToken(string $id): int { |
return smallhash(OIDplus::authUtils()->makeSecret('d8f44c7c-f4e9-11ed-86ca-3c4a92df8582:'.$id)); |
return smallhash(OIDplus::authUtils()->makeSecret(['d8f44c7c-f4e9-11ed-86ca-3c4a92df8582',$id])); |
} |
} |
/trunk/plugins/viathinksoft/publicPages/200_viathinksoft_freeoid/OIDplusPagePublicFreeOID.class.php |
---|
81,8 → 81,7 |
$root_oid = self::getFreeRootOid(false); |
OIDplus::logger()->log("V2:[INFO]OID(oid:%1)+RA(%2)", "Requested a free OID for email '%2' to be placed into root '%1'", $root_oid, $email); |
$timestamp = time(); |
$activate_url = OIDplus::webpath(null,OIDplus::PATH_ABSOLUTE_CANONICAL) . '?goto='.urlencode('oidplus:com.viathinksoft.freeoid.activate_freeoid$'.$email.'$'.$timestamp.'$'.OIDplus::authUtils()->makeAuthKey('40c87e20-f4fb-11ed-86ca-3c4a92df8582:'.$email.'/'.$timestamp)); |
$activate_url = OIDplus::webpath(null,OIDplus::PATH_ABSOLUTE_CANONICAL) . '?goto='.urlencode('oidplus:com.viathinksoft.freeoid.activate_freeoid$'.$email.'$'.OIDplus::authUtils()->makeAuthKey(['40c87e20-f4fb-11ed-86ca-3c4a92df8582',$email])); |
$message = file_get_contents(__DIR__ . '/request_msg.tpl'); |
$message = str_replace('{{SYSTEM_URL}}', OIDplus::webpath(null,OIDplus::PATH_ABSOLUTE_CANONICAL), $message); |
97,20 → 96,14 |
} else if ($actionID == 'activate_freeoid') { |
_CheckParamExists($params, 'email'); |
_CheckParamExists($params, 'auth'); |
_CheckParamExists($params, 'timestamp'); |
$email = $params['email']; |
$auth = $params['auth']; |
$timestamp = $params['timestamp']; |
if (!OIDplus::authUtils()->validateAuthKey('40c87e20-f4fb-11ed-86ca-3c4a92df8582:'.$email.'/'.$timestamp, $auth)) { |
throw new OIDplusException(_L('Invalid auth key')); |
if (!OIDplus::authUtils()->validateAuthKey(['40c87e20-f4fb-11ed-86ca-3c4a92df8582',$email], $auth, OIDplus::config()->getValue('max_ra_invite_time', -1))) { |
throw new OIDplusException(_L('Invalid or expired authentication key')); |
} |
if ((OIDplus::config()->getValue('max_ra_invite_time') > 0) && (time()-$timestamp > OIDplus::config()->getValue('max_ra_invite_time'))) { |
throw new OIDplusException(_L('Invitation expired!')); |
} |
// 1. step: Check entered data and add the RA to the database |
$ra = new OIDplusRA($email); |
286,8 → 279,7 |
$handled = true; |
$email = explode('$',$id)[1]; |
$timestamp = explode('$',$id)[2]; |
$auth = explode('$',$id)[3]; |
$auth = explode('$',$id)[2]; |
$out['title'] = _L('Activate Free OID'); |
$out['icon'] = file_exists(__DIR__.'/img/main_icon.png') ? OIDplus::webpath(__DIR__,OIDplus::PATH_RELATIVE).'img/main_icon.png' : ''; |
295,7 → 287,7 |
if ($already_registered_oid = $this->alreadyHasFreeOid($email, true)) { |
throw new OIDplusHtmlException(_L('This email address already has a FreeOID registered (%1)', '<a '.OIDplus::gui()->link($already_registered_oid).'>'.htmlentities($already_registered_oid).'</a>')); |
} else { |
if (!OIDplus::authUtils()->validateAuthKey('com.viathinksoft.freeoid.activate_freeoid;'.$email.';'.$timestamp, $auth)) { |
if (!OIDplus::authUtils()->validateAuthKey(['40c87e20-f4fb-11ed-86ca-3c4a92df8582',$email], $auth, OIDplus::config()->getValue('max_ra_invite_time', -1))) { |
throw new OIDplusException(_L('Invalid authorization. Is the URL OK?'), $out['title']); |
} else { |
$ra = new OIDplusRA($email); |
305,7 → 297,6 |
$out['text'] .= ' <form id="activateFreeOIDForm" action="javascript:void(0);" onsubmit="return OIDplusPagePublicFreeOID.activateFreeOIDFormOnSubmit();">'; |
$out['text'] .= ' <input type="hidden" id="email" value="'.htmlentities($email).'"/>'; |
$out['text'] .= ' <input type="hidden" id="timestamp" value="'.htmlentities($timestamp).'"/>'; |
$out['text'] .= ' <input type="hidden" id="auth" value="'.htmlentities($auth).'"/>'; |
if ($ra_existing) { |
/trunk/plugins/viathinksoft/raPages/092_invite/OIDplusPageRaInvite.class.php |
---|
46,8 → 46,7 |
// TODO: should we also log who has invited? |
OIDplus::logger()->log("V2:[INFO]RA(%1)", "RA '%1' has been invited", $email); |
$timestamp = time(); |
$activate_url = OIDplus::webpath(null,OIDplus::PATH_ABSOLUTE_CANONICAL) . '?goto='.urlencode('oidplus:activate_ra$'.$email.'$'.$timestamp.'$'.OIDplus::authUtils()->makeAuthKey('ed840c3e-f4fa-11ed-b67e-3c4a92df8582:'.$email.'/'.$timestamp)); |
$activate_url = OIDplus::webpath(null,OIDplus::PATH_ABSOLUTE_CANONICAL) . '?goto='.urlencode('oidplus:activate_ra$'.$email.'$'.OIDplus::authUtils()->makeAuthKey(['ed840c3e-f4fa-11ed-b67e-3c4a92df8582',$email])); |
$message = $this->getInvitationText($email); |
$message = str_replace('{{ACTIVATE_URL}}', $activate_url, $message); |
62,22 → 61,16 |
_CheckParamExists($params, 'password2'); |
_CheckParamExists($params, 'email'); |
_CheckParamExists($params, 'auth'); |
_CheckParamExists($params, 'timestamp'); |
$password1 = $params['password1']; |
$password2 = $params['password2']; |
$email = $params['email']; |
$auth = $params['auth']; |
$timestamp = $params['timestamp']; |
if (!OIDplus::authUtils()->validateAuthKey('ed840c3e-f4fa-11ed-b67e-3c4a92df8582:'.$email.'/'.$timestamp, $auth)) { |
throw new OIDplusException(_L('Invalid auth key')); |
if (!OIDplus::authUtils()->validateAuthKey(['ed840c3e-f4fa-11ed-b67e-3c4a92df8582',$email], $auth, OIDplus::config()->getValue('max_ra_invite_time',-1))) { |
throw new OIDplusException(_L('Invalid or expired authentication key')); |
} |
if ((OIDplus::config()->getValue('max_ra_invite_time') > 0) && (time()-$timestamp > OIDplus::config()->getValue('max_ra_invite_time'))) { |
throw new OIDplusException(_L('Invitation expired!')); |
} |
if ($password1 !== $password2) { |
throw new OIDplusException(_L('Passwords do not match')); |
} |
161,8 → 154,7 |
$handled = true; |
$email = explode('$',$id)[1]; |
$timestamp = explode('$',$id)[2]; |
$auth = explode('$',$id)[3]; |
$auth = explode('$',$id)[2]; |
$out['title'] = _L('Register as Registration Authority'); |
176,7 → 168,7 |
if ($res->any()) { |
$out['text'] = _L('This RA is already registered and does not need to be invited.'); |
} else { |
if (!OIDplus::authUtils()->validateAuthKey('activate_ra;'.$email.';'.$timestamp, $auth)) { |
if (!OIDplus::authUtils()->validateAuthKey(['ed840c3e-f4fa-11ed-b67e-3c4a92df8582',$email], $auth, OIDplus::config()->getValue('max_ra_invite_time',-1))) { |
throw new OIDplusException(_L('Invalid authorization. Is the URL OK?'), $out['title']); |
} else { |
// TODO: like in the FreeOID plugin, we could ask here at least for a name for the RA |
184,7 → 176,6 |
<form id="activateRaForm" action="javascript:void(0);" onsubmit="return OIDplusPageRaInvite.activateRaFormOnSubmit();"> |
<input type="hidden" id="email" value="'.htmlentities($email).'"/> |
<input type="hidden" id="timestamp" value="'.htmlentities($timestamp).'"/> |
<input type="hidden" id="auth" value="'.htmlentities($auth).'"/> |
<div><label class="padding_label">'._L('New password').':</label><input type="password" id="password1" value=""/></div> |
<div><label class="padding_label">'._L('Repeat').':</label><input type="password" id="password2" value=""/></div> |
/trunk/plugins/viathinksoft/raPages/102_change_email/OIDplusPageRaChangeEMail.class.php |
---|
94,8 → 94,7 |
} else { |
OIDplus::logger()->log("V2:[INFO]RA(%1)+RA(%2)", "Requested email address change from '%1' to '%2'", $old_email, $new_email); |
$timestamp = time(); |
$activate_url = OIDplus::webpath(null,OIDplus::PATH_ABSOLUTE_CANONICAL) . '?goto='.urlencode('oidplus:activate_new_ra_email$'.$old_email.'$'.$new_email.'$'.$timestamp.'$'.OIDplus::authUtils()->makeAuthKey('5ef24124-f4fb-11ed-b67e-3c4a92df8582:'.$old_email.'/'.$new_email.'/'.$timestamp)); |
$activate_url = OIDplus::webpath(null,OIDplus::PATH_ABSOLUTE_CANONICAL) . '?goto='.urlencode('oidplus:activate_new_ra_email$'.$old_email.'$'.$new_email.'$'.OIDplus::authUtils()->makeAuthKey(['5ef24124-f4fb-11ed-b67e-3c4a92df8582',$old_email,$new_email])); |
$message = file_get_contents(__DIR__ . '/change_request_email.tpl'); |
$message = str_replace('{{SYSTEM_URL}}', OIDplus::webpath(null,OIDplus::PATH_ABSOLUTE_CANONICAL), $message); |
119,7 → 118,6 |
_CheckParamExists($params, 'new_email'); |
_CheckParamExists($params, 'password'); |
_CheckParamExists($params, 'auth'); |
_CheckParamExists($params, 'timestamp'); |
$old_email = $params['old_email']; |
$new_email = $params['new_email']; |
126,7 → 124,6 |
$password = $params['password']; |
$auth = $params['auth']; |
$timestamp = $params['timestamp']; |
$ra_was_logged_in = OIDplus::authUtils()->isRaLoggedIn($old_email); |
135,14 → 132,10 |
throw new OIDplusException(_L('E-Mail-Address cannot be changed because this user does not have a password')); |
} |
if (!OIDplus::authUtils()->validateAuthKey('5ef24124-f4fb-11ed-b67e-3c4a92df8582:'.$old_email.'/'.$new_email.'/'.$timestamp, $auth)) { |
throw new OIDplusException(_L('Invalid auth key')); |
if (!OIDplus::authUtils()->validateAuthKey(['5ef24124-f4fb-11ed-b67e-3c4a92df8582',$old_email,$new_email], $auth, OIDplus::config()->getValue('max_ra_email_change_time', -1))) { |
throw new OIDplusException(_L('Invalid or expired authentication key')); |
} |
if ((OIDplus::config()->getValue('max_ra_email_change_time') > 0) && (time()-$timestamp > OIDplus::config()->getValue('max_ra_email_change_time'))) { |
throw new OIDplusException(_L('Activation link expired!')); |
} |
$res = OIDplus::db()->query("select * from ###ra where email = ?", array($old_email)); |
if (!$res->any()) { |
throw new OIDplusException(_L('eMail address does not exist anymore. It was probably already changed.')); |
274,8 → 267,7 |
$old_email = explode('$',$id)[1]; |
$new_email = explode('$',$id)[2]; |
$timestamp = explode('$',$id)[3]; |
$auth = explode('$',$id)[4]; |
$auth = explode('$',$id)[3]; |
$out['title'] = _L('Perform email address change'); |
$out['icon'] = file_exists(__DIR__.'/img/main_icon.png') ? OIDplus::webpath(__DIR__,OIDplus::PATH_RELATIVE).'img/main_icon.png' : ''; |
297,7 → 289,7 |
if ($res->any()) { |
throw new OIDplusException(_L('eMail address is already used by another RA. To merge accounts, please contact the superior RA of your objects and request an owner change of your objects.'), $out['title']); |
} else { |
if (!OIDplus::authUtils()->validateAuthKey('activate_new_ra_email;'.$old_email.';'.$new_email.';'.$timestamp, $auth)) { |
if (!OIDplus::authUtils()->validateAuthKey(['5ef24124-f4fb-11ed-b67e-3c4a92df8582',$old_email,$new_email], $auth, OIDplus::config()->getValue('max_ra_email_change_time', -1))) { |
throw new OIDplusException(_L('Invalid authorization. Is the URL OK?'), $out['title']); |
} else { |
$out['text'] = '<p>'._L('Old eMail-Address').': <b>'.$old_email.'</b></p> |
306,7 → 298,6 |
<form id="activateNewRaEmailForm" action="javascript:void(0);" onsubmit="return OIDplusPageRaChangeEMail.activateNewRaEmailFormOnSubmit();"> |
<input type="hidden" id="old_email" value="'.htmlentities($old_email).'"/> |
<input type="hidden" id="new_email" value="'.htmlentities($new_email).'"/> |
<input type="hidden" id="timestamp" value="'.htmlentities($timestamp).'"/> |
<input type="hidden" id="auth" value="'.htmlentities($auth).'"/> |
<div><label class="padding_label">'._L('Please verify your password').':</label><input type="password" id="password" value=""/></div> |