From 079150eee4eebce3549c3d7db84dd0180bdd11e7 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite <alexandre@alapetite.fr>
Date: Fri, 3 Jul 2015 23:47:18 +0200
Subject: Updated log visibility

In particular, ensure that ERROR is only used for errors that may affect
FreshRSS integrity, and ensure that feed errors are visible also in
production, i.e. visibility of WARNING
https://github.com/FreshRSS/FreshRSS/issues/885
https://github.com/FreshRSS/FreshRSS/issues/884
---
 app/Controllers/authController.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'app/Controllers/authController.php')

diff --git a/app/Controllers/authController.php b/app/Controllers/authController.php
index 937c0759d..b55892475 100644
--- a/app/Controllers/authController.php
+++ b/app/Controllers/authController.php
@@ -253,7 +253,7 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
 				FreshRSS_Auth::giveAccess();
 				invalidateHttpCache();
 			} else {
-				Minz_Log::error($reason);
+				Minz_Log::warning($reason);
 
 				$res = array();
 				$res['status'] = 'failure';
-- 
cgit v1.2.3


From 37f06799589d9bb92ecfa6368197daf187251ab4 Mon Sep 17 00:00:00 2001
From: Marien Fressinaud <dev@marienfressinaud.fr>
Date: Tue, 21 Jul 2015 16:03:46 +0200
Subject: First draft for registration form

See https://github.com/FreshRSS/FreshRSS/issues/679
---
 app/Controllers/authController.php |  6 ++++++
 app/views/auth/formLogin.phtml     |  2 ++
 app/views/auth/register.phtml      | 31 +++++++++++++++++++++++++++++++
 3 files changed, 39 insertions(+)
 create mode 100644 app/views/auth/register.phtml

(limited to 'app/Controllers/authController.php')

diff --git a/app/Controllers/authController.php b/app/Controllers/authController.php
index b55892475..1c8ad2193 100644
--- a/app/Controllers/authController.php
+++ b/app/Controllers/authController.php
@@ -346,4 +346,10 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
 			}
 		}
 	}
+
+	/**
+	 * This action gives possibility to a user to create an account.
+	 */
+	public function registerAction() {
+	}
 }
diff --git a/app/views/auth/formLogin.phtml b/app/views/auth/formLogin.phtml
index 979e17349..75537ee26 100644
--- a/app/views/auth/formLogin.phtml
+++ b/app/views/auth/formLogin.phtml
@@ -1,6 +1,8 @@
 <div class="prompt">
 	<h1><?php echo _t('gen.auth.login'); ?></h1>
 
+	<a href="<?php echo _url('auth', 'register'); ?>"><?php echo _t('gen.auth.register.ask'); ?></a>
+
 	<form id="crypto-form" method="post" action="<?php echo _url('auth', 'login'); ?>">
 		<div>
 			<label for="username"><?php echo _t('gen.auth.username'); ?></label>
diff --git a/app/views/auth/register.phtml b/app/views/auth/register.phtml
new file mode 100644
index 000000000..f67ecc4d9
--- /dev/null
+++ b/app/views/auth/register.phtml
@@ -0,0 +1,31 @@
+<div class="prompt">
+    <h1><?php echo _t('gen.auth.register'); ?></h1>
+
+    <form method="post" action="<?php echo _url('user', 'create'); ?>">
+        <div>
+            <label class="group-name" for="new_user_name"><?php echo _t('gen.auth.username'); ?></label>
+            <input id="new_user_name" name="new_user_name" type="text" size="16" required="required" maxlength="16" autocomplete="off" pattern="[0-9a-zA-Z]{1,16}" />
+        </div>
+
+        <div>
+            <label class="group-name" for="new_user_passwordPlain"><?php echo _t('gen.auth.password'); ?></label>
+            <div class="stick">
+                <input type="password" id="new_user_passwordPlain" name="new_user_passwordPlain" required="required" autocomplete="off" pattern=".{7,}" />
+                <a class="btn toggle-password" data-toggle="new_user_passwordPlain"><?php echo _i('key'); ?></a>
+            </div>
+            <noscript><b><?php echo _t('gen.js.should_be_activated'); ?></b></noscript>
+        </div>
+
+        <div>
+            <label class="group-name" for="new_user_email"><?php echo _t('gen.auth.email'); ?></label>
+            <input type="email" id="new_user_email" name="new_user_email" class="extend" required="required" autocomplete="off" />
+        </div>
+
+        <div>
+            <button type="submit" class="btn btn-important"><?php echo _t('gen.action.create'); ?></button>
+            <a class="btn" href="<?php echo _url('index', 'index'); ?>"><?php echo _t('gen.action.cancel'); ?></a>
+        </div>
+    </form>
+
+    <p><a href="<?php echo _url('index', 'about'); ?>"><?php echo _t('gen.freshrss.about'); ?></a></p>
+</div>
-- 
cgit v1.2.3


From f560c44a003ca69644f8e7262dca2f8f7e6932d5 Mon Sep 17 00:00:00 2001
From: Marien Fressinaud <dev@marienfressinaud.fr>
Date: Wed, 22 Jul 2015 14:00:08 +0200
Subject: Hide registration form if max registration reached

See https://github.com/FreshRSS/FreshRSS/issues/679
---
 app/Controllers/authController.php | 3 +++
 app/views/auth/formLogin.phtml     | 4 +++-
 app/views/auth/personaLogin.phtml  | 4 ++++
 3 files changed, 10 insertions(+), 1 deletion(-)

(limited to 'app/Controllers/authController.php')

diff --git a/app/Controllers/authController.php b/app/Controllers/authController.php
index 1c8ad2193..223282afb 100644
--- a/app/Controllers/authController.php
+++ b/app/Controllers/authController.php
@@ -351,5 +351,8 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
 	 * This action gives possibility to a user to create an account.
 	 */
 	public function registerAction() {
+		if (max_registrations_reached()) {
+			Minz_Error::error(403);
+		}
 	}
 }
diff --git a/app/views/auth/formLogin.phtml b/app/views/auth/formLogin.phtml
index 75537ee26..3a6053065 100644
--- a/app/views/auth/formLogin.phtml
+++ b/app/views/auth/formLogin.phtml
@@ -1,7 +1,9 @@
 <div class="prompt">
 	<h1><?php echo _t('gen.auth.login'); ?></h1>
 
-	<a href="<?php echo _url('auth', 'register'); ?>"><?php echo _t('gen.auth.register.ask'); ?></a>
+	<?php if (!max_registrations_reached()) { ?>
+		<a href="<?php echo _url('auth', 'register'); ?>"><?php echo _t('gen.auth.register.ask'); ?></a>
+	<?php } ?>
 
 	<form id="crypto-form" method="post" action="<?php echo _url('auth', 'login'); ?>">
 		<div>
diff --git a/app/views/auth/personaLogin.phtml b/app/views/auth/personaLogin.phtml
index 545ed2eac..91349a67e 100644
--- a/app/views/auth/personaLogin.phtml
+++ b/app/views/auth/personaLogin.phtml
@@ -2,6 +2,10 @@
 <div class="prompt">
 	<h1><?php echo _t('gen.auth.login'); ?></h1>
 
+	<?php if (!max_registrations_reached()) { ?>
+		<a href="<?php echo _url('auth', 'register'); ?>"><?php echo _t('gen.auth.register.ask'); ?></a>
+	<?php } ?>
+
 	<p>
 		<a class="signin btn btn-important" href="<?php echo _url('auth', 'login'); ?>">
 			<?php echo _i('login'); ?> <?php echo _t('gen.auth.login_persona'); ?>
-- 
cgit v1.2.3


From f0a1b26584787e173c8c9cd1a5fea27bb3044f1c Mon Sep 17 00:00:00 2001
From: Marien Fressinaud <dev@marienfressinaud.fr>
Date: Wed, 22 Jul 2015 23:06:46 +0200
Subject: Add title to the account creation page

See https://github.com/FreshRSS/FreshRSS/issues/679
---
 app/Controllers/authController.php | 2 ++
 app/i18n/cz/gen.php                | 1 +
 app/i18n/de/gen.php                | 1 +
 app/i18n/en/gen.php                | 1 +
 app/i18n/fr/gen.php                | 1 +
 5 files changed, 6 insertions(+)

(limited to 'app/Controllers/authController.php')

diff --git a/app/Controllers/authController.php b/app/Controllers/authController.php
index 223282afb..aff184263 100644
--- a/app/Controllers/authController.php
+++ b/app/Controllers/authController.php
@@ -354,5 +354,7 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
 		if (max_registrations_reached()) {
 			Minz_Error::error(403);
 		}
+
+		Minz_View::prependTitle(_t('gen.auth.registration.title') . ' · ');
 	}
 }
diff --git a/app/i18n/cz/gen.php b/app/i18n/cz/gen.php
index a89bf6b49..53127998f 100644
--- a/app/i18n/cz/gen.php
+++ b/app/i18n/cz/gen.php
@@ -34,6 +34,7 @@ return array(
 		'registration' => array(
 			'_' => 'New account',  // TODO: translate
 			'ask' => 'Create an account?',  // TODO: translate
+			'title' => 'Account creation',  // TODO: translate
 		),
 		'reset' => 'Reset přihlášení',
 		'username' => array(
diff --git a/app/i18n/de/gen.php b/app/i18n/de/gen.php
index d6fcfe1e4..f8f4823a6 100644
--- a/app/i18n/de/gen.php
+++ b/app/i18n/de/gen.php
@@ -34,6 +34,7 @@ return array(
 		'registration' => array(
 			'_' => 'New account',  // TODO: translate
 			'ask' => 'Create an account?',  // TODO: translate
+			'title' => 'Account creation',  // TODO: translate
 		),
 		'reset' => 'Zurücksetzen der Authentifizierung',
 		'username' => array(
diff --git a/app/i18n/en/gen.php b/app/i18n/en/gen.php
index 063322cbf..1feb8d6ac 100644
--- a/app/i18n/en/gen.php
+++ b/app/i18n/en/gen.php
@@ -34,6 +34,7 @@ return array(
 		'registration' => array(
 			'_' => 'New account',
 			'ask' => 'Create an account?',
+			'title' => 'Account creation',
 		),
 		'reset' => 'Authentication reset',
 		'username' => array(
diff --git a/app/i18n/fr/gen.php b/app/i18n/fr/gen.php
index 5abc7a27b..67d278be4 100644
--- a/app/i18n/fr/gen.php
+++ b/app/i18n/fr/gen.php
@@ -34,6 +34,7 @@ return array(
 		'registration' => array(
 			'_' => 'Nouveau compte',
 			'ask' => 'Créer un compte ?',
+			'title' => 'Création de compte',
 		),
 		'reset' => 'Réinitialisation de l’authentification',
 		'username' => array(
-- 
cgit v1.2.3


From 7bb28c3f2b77b109451e2514e83fa99789fee35e Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite <alexandre@alapetite.fr>
Date: Sun, 25 Oct 2015 13:24:48 +0100
Subject: HTTP 403 for invalid login

https://github.com/FreshRSS/FreshRSS/issues/1015
And does not leak if user exists or not
---
 app/Controllers/authController.php       | 9 +++------
 app/Controllers/javascriptController.php | 8 ++++++--
 2 files changed, 9 insertions(+), 8 deletions(-)

(limited to 'app/Controllers/authController.php')

diff --git a/app/Controllers/authController.php b/app/Controllers/authController.php
index aff184263..bccce5a59 100644
--- a/app/Controllers/authController.php
+++ b/app/Controllers/authController.php
@@ -123,8 +123,7 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
 
 			$conf = get_user_configuration($username);
 			if (is_null($conf)) {
-				Minz_Request::bad(_t('feedback.auth.login.invalid'),
-				                  array('c' => 'auth', 'a' => 'login'));
+				Minz_Error::error(403, array(_t('feedback.auth.login.invalid')), false);
 			}
 
 			$ok = FreshRSS_FormAuth::checkCredentials(
@@ -151,8 +150,7 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
 				                  ' user=' . $username .
 				                  ', nonce=' . $nonce .
 				                  ', c=' . $challenge);
-				Minz_Request::bad(_t('feedback.auth.login.invalid'),
-				                  array('c' => 'auth', 'a' => 'login'));
+				Minz_Error::error(403, array(_t('feedback.auth.login.invalid')), false);
 			}
 		} elseif (FreshRSS_Context::$system_conf->unsafe_autologin_enabled) {
 			$username = Minz_Request::param('u', '');
@@ -184,8 +182,7 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
 				                   array('c' => 'index', 'a' => 'index'));
 			} else {
 				Minz_Log::warning('Unsafe password mismatch for user ' . $username);
-				Minz_Request::bad(_t('feedback.auth.login.invalid'),
-				                  array('c' => 'auth', 'a' => 'login'));
+				Minz_Error::error(403, array(_t('feedback.auth.login.invalid')), false);
 			}
 		}
 	}
diff --git a/app/Controllers/javascriptController.php b/app/Controllers/javascriptController.php
index 421cf6f72..f8746240c 100755
--- a/app/Controllers/javascriptController.php
+++ b/app/Controllers/javascriptController.php
@@ -43,7 +43,11 @@ class FreshRSS_javascript_Controller extends Minz_ActionController {
 		} else {
 			Minz_Log::notice('Nonce failure due to invalid username!');
 		}
-		$this->view->nonce = '';	//Failure
-		$this->view->salt1 = '';
+		//Failure: Return random data.
+		$this->view->salt1 = sprintf('$2a$%02d$', FreshRSS_user_Controller::BCRYPT_COST);
+		for ($i = 22; $i > 0; $i--) {
+			$this->view->salt1 .= './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'[rand(0, 63)];
+		}
+		$this->view->nonce = sha1(rand());
 	}
 }
-- 
cgit v1.2.3


From ad1f0cb96b3eefdeac5031e59c8810fc9427b6e2 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite <alexandre@alapetite.fr>
Date: Sun, 25 Oct 2015 19:31:41 +0100
Subject: Return after 403

https://github.com/FreshRSS/FreshRSS/pull/1016
https://github.com/FreshRSS/FreshRSS/issues/1015
---
 app/Controllers/authController.php | 1 +
 1 file changed, 1 insertion(+)

(limited to 'app/Controllers/authController.php')

diff --git a/app/Controllers/authController.php b/app/Controllers/authController.php
index bccce5a59..f58b008de 100644
--- a/app/Controllers/authController.php
+++ b/app/Controllers/authController.php
@@ -124,6 +124,7 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
 			$conf = get_user_configuration($username);
 			if (is_null($conf)) {
 				Minz_Error::error(403, array(_t('feedback.auth.login.invalid')), false);
+				return;
 			}
 
 			$ok = FreshRSS_FormAuth::checkCredentials(
-- 
cgit v1.2.3