Diffstat (limited to 'app/Controllers/authController.php')
-rw-r--r--app/Controllers/authController.php38
1 files changed, 38 insertions, 0 deletions
diff --git a/app/Controllers/authController.php b/app/Controllers/authController.php
index 751ce1f3f..d4b65d849 100644
--- a/app/Controllers/authController.php
+++ b/app/Controllers/authController.php
@@ -104,6 +104,8 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
* - username (default: '')
* - challenge (default: '')
* - keep_logged_in (default: false)
+ *
+ * @todo move unsafe autologin in an extension.
*/
public function formLoginAction() {
invalidateHttpCache();
@@ -151,6 +153,42 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
Minz_Request::bad(_t('invalid_login'),
array('c' => 'auth', 'a' => 'login'));
}
+ } elseif (Minz_Configuration::unsafeAutologinEnabled()) {
+ $username = Minz_Request::param('u', '');
+ $password = Minz_Request::param('p', '');
+ Minz_Request::_param('p');
+
+ if (!$username) {
+ return;
+ }
+
+ try {
+ $conf = new FreshRSS_Configuration($username);
+ } catch(Minz_Exception $e) {
+ // $username is not a valid user, nor the configuration file!
+ Minz_Log::warning('Login failure: ' . $e->getMessage());
+ return;
+ }
+
+ if (!function_exists('password_verify')) {
+ include_once(LIB_PATH . '/password_compat.php');
+ }
+
+ $s = $conf->passwordHash;
+ $ok = password_verify($password, $s);
+ unset($password);
+ if ($ok) {
+ Minz_Session::_param('currentUser', $username);
+ Minz_Session::_param('passwordHash', $s);
+ FreshRSS_Auth::giveAccess();
+
+ Minz_Request::good(_t('login'),
+ array('c' => 'index', 'a' => 'index'));
+ } else {
+ Minz_Log::warning('Unsafe password mismatch for user ' . $username);
+ Minz_Request::bad(_t('invalid_login'),
+ array('c' => 'auth', 'a' => 'login'));
+ }
}
}
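Review bot: The two failure paths in the new `elseif` branch are distinguishable by the client: when `new FreshRSS_Configuration($username)` throws, the catch block logs and silently returns, while a wrong password answers with `Minz_Request::bad(_t('invalid_login'), ...)`, so the difference in response reveals which usernames exist. The catch block should respond the same way as the mismatch branch, e.g. replace its bare `return;` with `Minz_Request::bad(_t('invalid_login'), array('c' => 'auth', 'a' => 'login')); return;`, keeping the log line for operators. The `if (!$username)` guard is a truthiness test and also rejects the literal username `0`; `$username === ''` is the precise check. The enclosing method starts outside the hunk, and the hunk header counts 42 new lines while 41 are shown, so its final line (presumably a trailing blank) is not visible here.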