authorGravatar Alexandre Alapetite <alexandre@alapetite.fr> 2014-01-11 16:48:10 +0100
committerGravatar Alexandre Alapetite <alexandre@alapetite.fr> 2014-01-11 16:48:10 +0100
commiteb50ab3b61ee2280dac2696598a58803e246fe22 (patch)
tree789a402d3734459425f7111f298d2f588b96131c
parentfa34f3149f2534dc50af1b69e12befc3ca62785a (diff)
Mot de passe + nonce serveur
Début de https://github.com/marienfressinaud/FreshRSS/issues/104
-rw-r--r--README.md7
-rwxr-xr-xapp/Controllers/javascriptController.php27
-rw-r--r--app/Models/Configuration.php4
-rw-r--r--app/views/javascript/nonce.phtml2
4 files changed, 35 insertions, 5 deletions
diff --git a/README.md b/README.md
index 96e25f4df..4100a8638 100644
--- a/README.md
+++ b/README.md
@@ -74,17 +74,14 @@ mysqldump -u utilisateur -p --databases freshrss > freshrss.sql
```
-
----
-
# Bibliothèques incluses
-* [SimplePie](https://github.com/simplepie/simplepie)
+* [SimplePie](http://simplepie.org/)
* [MINZ](https://github.com/marienfressinaud/MINZ)
* [php-http-304](http://alexandre.alapetite.fr/doc-alex/php-http-304/)
* [jQuery](http://jquery.com/)
* [keyboard_shortcuts](http://www.openjs.com/scripts/events/keyboard_shortcuts/)
-## Uniquement dans certaines configurations
+## Uniquement pour certaines options
* [bcrypt.js](https://github.com/dcodeIO/bcrypt.js)
* [phpQuery](http://code.google.com/p/phpquery/)
* [Lazy Load](http://www.appelsiini.net/projects/lazyload)
diff --git a/app/Controllers/javascriptController.php b/app/Controllers/javascriptController.php
index 2d0ff4984..e29f439d8 100755
--- a/app/Controllers/javascriptController.php
+++ b/app/Controllers/javascriptController.php
@@ -16,4 +16,31 @@ class FreshRSS_javascript_Controller extends Minz_ActionController {
$catDAO = new FreshRSS_CategoryDAO();
$this->view->categories = $catDAO->listCategories(true, false);
}
+
+ // For Web-form login
+ public function nonceAction() {
+ header('Content-Type: application/json; charset=UTF-8');
+ header('Last-Modified: ' . gmdate('D, d M Y H:i:s \G\M\T'));
+ header('Expires: 0');
+ header('Cache-Control: private, no-cache, no-store, must-revalidate');
+ header('Pragma: no-cache');
+
+ $user = isset($_GET['user']) ? $_GET['user'] : '';
+ if (ctype_alnum($user)) {
+ try {
+ $conf = new FreshRSS_Configuration($user);
+ $hash = $conf->passwordHash; //CRYPT_BLOWFISH - Blowfish hashing with a salt as follows: "$2a$", "$2x$" or "$2y$", a two digit cost parameter, "$", and 22 characters from the alphabet "./0-9A-Za-z".
+ if (strlen($hash) >= 60) {
+ $this->view->salt1 = substr($hash, 0, 29);
+ $this->view->nonce = sha1(Minz_Configuration::salt() . uniqid(mt_rand(), true));
+ Minz_Session::_param ('nonce', $this->view->nonce);
+ return; //Success
+ }
+ } catch (Minz_Exception $me) {
+ Minz_Log::record ('Login failure: ' . $me->getMessage(), Minz_Log::WARNING);
+ }
+ }
+ $this->view->nonce = ''; //Failure
+ $this->view->salt1 = '';
+ }
}
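Review bot: The JSON reply distinguishes known from unknown users, because `salt1` is only non-empty in the success branch (a `FreshRSS_Configuration` exists for the requested name and holds a 60-character hash) while the catch branch and the final fallthrough both answer with empty strings, so an unauthenticated caller can check whether a user name is valid. Returning a salt of the same shape for unknown users (for example derived deterministically from `Minz_Configuration::salt()` and the user name) would make the two cases indistinguishable. The nonce is built from `uniqid(mt_rand(), true)`, which is not a cryptographically strong source; `sha1(Minz_Configuration::salt() . bin2hex(openssl_random_pseudo_bytes(32)))` is a drop-in replacement. `Minz_Session::_param('nonce', ...)` stores the nonce without the user it was issued for, so the verifying code (outside this hunk) presumably has to take the user name from the request again — worth confirming that it cannot be paired with a different user. The long `CRYPT_BLOWFISH` comment on the `$hash` line would serve better as a short docblock on `nonceAction` stating the JSON contract: `salt1` is the first 29 characters of the stored bcrypt hash and `nonce` is a per-session random value, both empty on failure.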
diff --git a/app/Models/Configuration.php b/app/Models/Configuration.php
index c29e74603..8f394737a 100644
--- a/app/Models/Configuration.php
+++ b/app/Models/Configuration.php
@@ -9,6 +9,7 @@ class FreshRSS_Configuration {
'keep_history_default' => 0,
'mail_login' => '',
'token' => '',
+ 'passwordHash' => '', //CRYPT_BLOWFISH
'posts_per_page' => 20,
'view_mode' => 'normal',
'default_view' => 'not_read',
@@ -162,6 +163,9 @@ class FreshRSS_Configuration {
}
}
}
+ public function _passwordHash ($value) {
+ $this->data['passwordHash'] = ctype_graph($value) && (strlen($value) >= 60) ? $value : '';
+ }
public function _mail_login ($value) {
$value = filter_var($value, FILTER_VALIDATE_EMAIL);
if ($value) {
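Review bot: `_passwordHash` accepts any string of at least 60 printable characters, so a value that is not a bcrypt hash at all is stored and later handed to the login code as one; the `//CRYPT_BLOWFISH` comment promises more than `ctype_graph($value) && (strlen($value) >= 60)` enforces. A format check pins it to what the controller expects: `$this->data['passwordHash'] = preg_match('/^\$2[axy]\$\d{2}\$[.\/0-9A-Za-z]{53}$/', $value) === 1 ? $value : '';`. Silently replacing a rejected value with `''` also disables the password without any trace; recording the rejection through `Minz_Log::record(..., Minz_Log::WARNING)` as the controller does would make a misconfiguration visible. `_mail_login` continues outside the hunk.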
diff --git a/app/views/javascript/nonce.phtml b/app/views/javascript/nonce.phtml
new file mode 100644
index 000000000..4ac46c8fc
--- /dev/null
+++ b/app/views/javascript/nonce.phtml
@@ -0,0 +1,2 @@
+<?php
+echo json_encode(array('salt1' => $this->salt1, 'nonce' => $this->nonce));