From 79aa5beaf44af13a1828bfa5fc824a08c62054dc Mon Sep 17 00:00:00 2001
From: Marien Fressinaud <dev@marienfressinaud.fr>
Date: Mon, 6 Oct 2014 23:29:20 +0200
Subject: Refactor authentication system.

Big work, not finished. A lot of features have been removed.

See https://github.com/marienfressinaud/FreshRSS/issues/655
---
 app/Models/Auth.php | 209 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 209 insertions(+)
 create mode 100644 app/Models/Auth.php

(limited to 'app/Models/Auth.php')

diff --git a/app/Models/Auth.php b/app/Models/Auth.php
new file mode 100644
index 000000000..c4a3abd98
--- /dev/null
+++ b/app/Models/Auth.php
@@ -0,0 +1,209 @@
+<?php
+
+/**
+ * This class handles all authentication process.
+ */
+class FreshRSS_Auth {
+	/**
+	 * Determines if user is connected.
+	 */
+	private static $login_ok = false;
+
+	/**
+	 * This method initializes authentication system.
+	 */
+	public static function init() {
+		self::$login_ok = Minz_Session::param('loginOk', false);
+		$current_user = Minz_Session::param('currentUser', '');
+		if ($current_user === '') {
+			$current_user = Minz_Configuration::defaultUser();
+			Minz_Session::_param('currentUser', $current_user);
+		}
+
+		$access_ok = self::accessControl($current_user);
+
+		if ($access_ok) {
+			self::giveAccess();
+		} else {
+			// Be sure all accesses are removed!
+			self::removeAccess();
+		}
+	}
+
+	/**
+	 * This method checks if user is allowed to connect.
+	 *
+	 * Required session parameters are also set in this method (such as
+	 * currentUser).
+	 *
+	 * @param string $username username of the user to check access.
+	 * @return boolean true if user can be connected, false else.
+	 */
+	public static function accessControl($username) {
+		if (self::$login_ok) {
+			return true;
+		}
+
+		switch (Minz_Configuration::authType()) {
+		case 'form':
+			$credentials = FreshRSS_FormAuth::getCredentialsFromCookie();
+			$current_user = '';
+			if (isset($credentials[1])) {
+				$current_user = trim($credentials[0]);
+				Minz_Session::_param('currentUser', $current_user);
+				Minz_Session::_param('passwordHash', trim($credentials[1]));
+			}
+			return $current_user != '';
+		case 'http_auth':
+			$current_user = httpAuthUser();
+			$login_ok = $current_user != '';
+			if ($login_ok) {
+				Minz_Session::_param('currentUser', $current_user);
+			}
+			return $login_ok;
+		case 'none':
+			return true;
+		default:
+			// TODO load extension
+			return false;
+		}
+	}
+
+	/**
+	 * Gives access to the current user.
+	 */
+	public static function giveAccess() {
+		$current_user = Minz_Session::param('currentUser');
+		try {
+			$conf = new FreshRSS_Configuration($current_user);
+		} catch(Minz_Exception $e) {
+			die($e->getMessage());
+		}
+
+		switch (Minz_Configuration::authType()) {
+		case 'form':
+			self::$login_ok = Minz_Session::param('passwordHash') === $conf->passwordHash;
+			break;
+		case 'http_auth':
+			self::$login_ok = strcasecmp($current_user, httpAuthUser()) === 0;
+			break;
+		case 'none':
+			self::$login_ok = true;
+			break;
+		default:
+			// TODO: extensions
+			self::$login_ok = false;
+		}
+
+		Minz_Session::_param('loginOk', self::$login_ok);
+	}
+
+	/**
+	 * Returns if current user is connected.
+	 *
+	 * @return boolean true if user is connected, false else.
+	 */
+	public static function hasAccess() {
+		return self::$login_ok;
+	}
+
+	/**
+	 * Removes all accesses for the current user.
+	 */
+	public static function removeAccess() {
+		Minz_Session::_param('loginOk');
+		self::$login_ok = false;
+		Minz_Session::_param('currentUser', Minz_Configuration::defaultUser());
+
+		switch (Minz_Configuration::authType()) {
+		case 'form':
+			Minz_Session::_param('passwordHash');
+			FreshRSS_FormAuth::deleteCookie();
+			break;
+		case 'http_auth':
+		case 'none':
+			// Nothing to do...
+			break;
+		default:
+			// TODO: extensions
+		}
+	}
+}
+
+
+class FreshRSS_FormAuth {
+	public static function checkCredentials($username, $hash, $nonce, $challenge) {
+		if (!ctype_alnum($username) ||
+				!ctype_graph($challenge) ||
+				!ctype_alnum($nonce)) {
+			Minz_Log::debug('Invalid credential parameters:' .
+			                ' user=' . $username .
+			                ' challenge=' . $challenge .
+			                ' nonce=' . $nonce);
+			return false;
+		}
+
+		if (!function_exists('password_verify')) {
+			include_once(LIB_PATH . '/password_compat.php');
+		}
+
+		return password_verify($nonce . $hash, $challenge);
+	}
+
+	public static function getCredentialsFromCookie() {
+		$token = Minz_Session::getLongTermCookie('FreshRSS_login');
+		if (!ctype_alnum($token)) {
+			return array();
+		}
+
+		$token_file = DATA_PATH . '/tokens/' . $token . '.txt';
+		$mtime = @filemtime($token_file);
+		if ($mtime + 2629744 < time()) {
+			// Token has expired (> 1 month) or does not exist.
+			// TODO: 1 month -> use a configuration instead
+			@unlink($token_file);
+			return array(); 	
+		}
+
+		$credentials = @file_get_contents($token_file);
+		return $credentials === false ? array() : explode("\t", $credentials, 2);
+	}
+
+	public static function makeCookie($username, $password_hash) {
+		do {
+			$token = sha1(Minz_Configuration::salt() . $username . uniqid(mt_rand(), true));
+			$token_file = DATA_PATH . '/tokens/' . $token . '.txt';
+		} while (file_exists($token_file));
+
+		if (@file_put_contents($token_file, $username . "\t" . $password_hash) === false) {
+			return false;
+		}
+
+		$expire = time() + 2629744;	//1 month	//TODO: Use a configuration instead
+		Minz_Session::setLongTermCookie('FreshRSS_login', $token, $expire);
+		return $token;
+	}
+
+	public static function deleteCookie() {
+		$token = Minz_Session::getLongTermCookie('FreshRSS_login');
+		Minz_Session::deleteLongTermCookie('FreshRSS_login');
+		if (ctype_alnum($token)) {
+			@unlink(DATA_PATH . '/tokens/' . $token . '.txt');
+		}
+
+		if (rand(0, 10) === 1) {
+			self::purgeTokens();
+		}
+	}
+
+	public static function purgeTokens() {
+		$oldest = time() - 2629744;	// 1 month	// TODO: Use a configuration instead
+		foreach (new DirectoryIterator(DATA_PATH . '/tokens/') as $file_info) {
+			// $extension = $file_info->getExtension(); doesn't work in PHP < 5.3.7
+			$extension = pathinfo($file_info->getFilename(), PATHINFO_EXTENSION);
+			if ($extension === 'txt' && $file_info->getMTime() < $oldest) {
+				@unlink($file_info->getPathname());
+			}
+		}
+	}
+}
-- 
cgit v1.2.3


From 6009990935a2d06c252073f6b51ea5378536ef52 Mon Sep 17 00:00:00 2001
From: Marien Fressinaud <dev@marienfressinaud.fr>
Date: Tue, 7 Oct 2014 10:16:38 +0200
Subject: Introduce FreshRSS_Auth::hasAccess('admin')

Replace Minz_Configuration::isAdmin($user). FreshRSS_Auth::hasAccess() could
be extended to others scopes later.

See https://github.com/marienfressinaud/FreshRSS/issues/655
---
 app/Controllers/configureController.php |  2 +-
 app/Controllers/updateController.php    |  2 +-
 app/Controllers/usersController.php     |  8 ++++----
 app/Models/Auth.php                     | 19 +++++++++++++++----
 app/layout/aside_configure.phtml        |  5 +----
 app/layout/header.phtml                 |  5 +----
 app/views/configure/archiving.phtml     |  2 +-
 app/views/users/index.phtml             |  6 +++---
 lib/Minz/Configuration.php              |  3 ---
 9 files changed, 27 insertions(+), 25 deletions(-)

(limited to 'app/Models/Auth.php')

diff --git a/app/Controllers/configureController.php b/app/Controllers/configureController.php
index 7e77a757a..fb8c1466e 100755
--- a/app/Controllers/configureController.php
+++ b/app/Controllers/configureController.php
@@ -229,7 +229,7 @@ class FreshRSS_configure_Controller extends Minz_ActionController {
 		$this->view->nb_total = $entryDAO->count();
 		$this->view->size_user = $entryDAO->size();
 
-		if (Minz_Configuration::isAdmin(Minz_Session::param('currentUser', '_'))) {
+		if (FreshRSS_Auth::hasAccess('admin')) {
 			$this->view->size_total = $entryDAO->size(true);
 		}
 	}
diff --git a/app/Controllers/updateController.php b/app/Controllers/updateController.php
index 9da1e8657..9d1e1ddf5 100644
--- a/app/Controllers/updateController.php
+++ b/app/Controllers/updateController.php
@@ -3,7 +3,7 @@
 class FreshRSS_update_Controller extends Minz_ActionController {
 	public function firstAction() {
 		$current_user = Minz_Session::param('currentUser', '');
-		if (!FreshRSS_Auth::hasAccess() && Minz_Configuration::isAdmin($current_user)) {
+		if (!FreshRSS_Auth::hasAccess('admin')) {
 			Minz_Error::error(
 				403,
 				array('error' => array(_t('access_denied')))
diff --git a/app/Controllers/usersController.php b/app/Controllers/usersController.php
index c2b1d163f..11862ce27 100644
--- a/app/Controllers/usersController.php
+++ b/app/Controllers/usersController.php
@@ -51,7 +51,7 @@ class FreshRSS_users_Controller extends Minz_ActionController {
 				$this->view->conf->_apiPasswordHash($passwordHash);
 			}
 
-			if (Minz_Configuration::isAdmin(Minz_Session::param('currentUser', '_'))) {
+			if (FreshRSS_Auth::hasAccess('admin')) {
 				$this->view->conf->_mail_login(Minz_Request::param('mail_login', '', true));
 			}
 			$email = $this->view->conf->mail_login;
@@ -65,7 +65,7 @@ class FreshRSS_users_Controller extends Minz_ActionController {
 				$ok &= (file_put_contents($personaFile, Minz_Session::param('currentUser', '_')) !== false);
 			}
 
-			if (Minz_Configuration::isAdmin(Minz_Session::param('currentUser', '_'))) {
+			if (FreshRSS_Auth::hasAccess('admin')) {
 				$current_token = $this->view->conf->token;
 				$token = Minz_Request::param('token', $current_token);
 				$this->view->conf->_token($token);
@@ -105,7 +105,7 @@ class FreshRSS_users_Controller extends Minz_ActionController {
 	}
 
 	public function createAction() {
-		if (Minz_Request::isPost() && Minz_Configuration::isAdmin(Minz_Session::param('currentUser', '_'))) {
+		if (Minz_Request::isPost() && FreshRSS_Auth::hasAccess('admin')) {
 			$db = Minz_Configuration::dataBase();
 			require_once(APP_PATH . '/SQL/install.sql.' . $db['type'] . '.php');
 
@@ -177,7 +177,7 @@ class FreshRSS_users_Controller extends Minz_ActionController {
 	}
 
 	public function deleteAction() {
-		if (Minz_Request::isPost() && Minz_Configuration::isAdmin(Minz_Session::param('currentUser', '_'))) {
+		if (Minz_Request::isPost() && FreshRSS_Auth::hasAccess('admin')) {
 			$db = Minz_Configuration::dataBase();
 			require_once(APP_PATH . '/SQL/install.sql.' . $db['type'] . '.php');
 
diff --git a/app/Models/Auth.php b/app/Models/Auth.php
index c4a3abd98..992b444a5 100644
--- a/app/Models/Auth.php
+++ b/app/Models/Auth.php
@@ -99,12 +99,23 @@ class FreshRSS_Auth {
 	}
 
 	/**
-	 * Returns if current user is connected.
+	 * Returns if current user has access to the given scope.
 	 *
-	 * @return boolean true if user is connected, false else.
+	 * @param string $scope general (default) or admin
+	 * @return boolean true if user has corresponding access, false else.
 	 */
-	public static function hasAccess() {
-		return self::$login_ok;
+	public static function hasAccess($scope = 'general') {
+		$ok = self::$login_ok;
+		switch ($scope) {
+		case 'general':
+			break;
+		case 'admin':
+			$ok &= Minz_Session::param('currentUser') === Minz_Configuration::defaultUser();
+			break;
+		default:
+			$ok = false;
+		}
+		return $ok;
 	}
 
 	/**
diff --git a/app/layout/aside_configure.phtml b/app/layout/aside_configure.phtml
index e17bcb254..59846a7c8 100644
--- a/app/layout/aside_configure.phtml
+++ b/app/layout/aside_configure.phtml
@@ -22,10 +22,7 @@
 	<li class="item<?php echo Minz_Request::controllerName() === 'users' ? ' active' : ''; ?>">
 		<a href="<?php echo _url('users', 'index'); ?>"><?php echo _t('users'); ?></a>
 	</li>
-	<?php
-		$current_user = Minz_Session::param('currentUser', '');
-		if (Minz_Configuration::isAdmin($current_user)) {
-	?>
+	<?php if (FreshRSS_Auth::hasAccess('admin')) { ?>
 	<li class="item<?php echo Minz_Request::controllerName() === 'update' ? ' active' : ''; ?>">
 		<a href="<?php echo _url('update', 'index'); ?>"><?php echo _t('update'); ?></a>
 	</li>
diff --git a/app/layout/header.phtml b/app/layout/header.phtml
index fadfd13d7..12c86d61d 100644
--- a/app/layout/header.phtml
+++ b/app/layout/header.phtml
@@ -64,10 +64,7 @@ if (Minz_Configuration::canLogIn()) {
 				<li class="item"><a href="<?php echo _url('configure', 'queries'); ?>"><?php echo _t('queries'); ?></a></li>
 				<li class="separator"></li>
 				<li class="item"><a href="<?php echo _url('users', 'index'); ?>"><?php echo _t('users'); ?></a></li>
-				<?php
-					$current_user = Minz_Session::param('currentUser', '');
-					if (Minz_Configuration::isAdmin($current_user)) {
-				?>
+				<?php if (FreshRSS_Auth::hasAccess('admin')) { ?>
 				<li class="item"><a href="<?php echo _url('update', 'index'); ?>"><?php echo _t('update'); ?></a></li>
 				<?php } ?>
 				<li class="separator"></li>
diff --git a/app/views/configure/archiving.phtml b/app/views/configure/archiving.phtml
index a883571aa..adbfdb77e 100644
--- a/app/views/configure/archiving.phtml
+++ b/app/views/configure/archiving.phtml
@@ -67,7 +67,7 @@
 			</div>
 		</div>
 
-		<?php if (Minz_Configuration::isAdmin(Minz_Session::param('currentUser', '_'))) { ?>
+		<?php if (FreshRSS_Auth::hasAccess('admin')) { ?>
 		<div class="form-group">
 			<p class="group-name"><?php echo _t('users'); ?></p>
 			<div class="group-controls">
diff --git a/app/views/users/index.phtml b/app/views/users/index.phtml
index 95659f727..f1cdf01a3 100644
--- a/app/views/users/index.phtml
+++ b/app/views/users/index.phtml
@@ -11,7 +11,7 @@
 			<div class="group-controls">
 				<input id="current_user" type="text" disabled="disabled" value="<?php echo Minz_Session::param('currentUser', '_'); ?>" />
 				<label class="checkbox" for="is_admin">
-					<input type="checkbox" id="is_admin" disabled="disabled" <?php echo Minz_Configuration::isAdmin(Minz_Session::param('currentUser', '_')) ? 'checked="checked" ' : ''; ?>/>
+					<input type="checkbox" id="is_admin" disabled="disabled" <?php echo FreshRSS_Auth::hasAccess('admin') ? 'checked="checked" ' : ''; ?>/>
 					<?php echo _t('is_admin'); ?>
 				</label>
 			</div>
@@ -44,7 +44,7 @@
 			<label class="group-name" for="mail_login"><?php echo _t('persona_connection_email'); ?></label>
 			<?php $mail = $this->conf->mail_login; ?>
 			<div class="group-controls">
-				<input type="email" id="mail_login" name="mail_login" class="extend" autocomplete="off" value="<?php echo $mail; ?>" <?php echo Minz_Configuration::isAdmin(Minz_Session::param('currentUser', '_')) ? '' : 'disabled="disabled"'; ?> placeholder="alice@example.net" />
+				<input type="email" id="mail_login" name="mail_login" class="extend" autocomplete="off" value="<?php echo $mail; ?>" <?php echo FreshRSS_Auth::hasAccess('admin') ? '' : 'disabled="disabled"'; ?> placeholder="alice@example.net" />
 				<noscript><b><?php echo _t('javascript_should_be_activated'); ?></b></noscript>
 			</div>
 		</div>
@@ -56,7 +56,7 @@
 			</div>
 		</div>
 
-	<?php if (Minz_Configuration::isAdmin(Minz_Session::param('currentUser', '_'))) { ?>
+	<?php if (FreshRSS_Auth::hasAccess('admin')) { ?>
 
 		<legend><?php echo _t('auth_type'); ?></legend>
 
diff --git a/lib/Minz/Configuration.php b/lib/Minz/Configuration.php
index 4e9da58b4..554bc8c96 100644
--- a/lib/Minz/Configuration.php
+++ b/lib/Minz/Configuration.php
@@ -100,9 +100,6 @@ class Minz_Configuration {
 	public static function defaultUser () {
 		return self::$default_user;
 	}
-	public static function isAdmin($currentUser) {
-		return $currentUser === self::$default_user;
-	}
 	public static function allowAnonymous() {
 		return self::$allow_anonymous;
 	}
-- 
cgit v1.2.3


From 1252b3dd867e59917cf303f0c39c7da938b8ce32 Mon Sep 17 00:00:00 2001
From: Marien Fressinaud <dev@marienfressinaud.fr>
Date: Tue, 7 Oct 2014 16:37:10 +0200
Subject: Authentication system moved + Persona comes back!

AuthController is dedicated to auhentication.
Persona is back, greater than ever!

See https://github.com/marienfressinaud/FreshRSS/issues/655
---
 app/Controllers/authController.php      | 182 ++++++++++++++++++++++++++++++++
 app/Controllers/indexController.php     |  90 +---------------
 app/FreshRSS.php                        |   8 ++
 app/Models/Auth.php                     |  21 +++-
 app/layout/header.phtml                 |  23 ++--
 app/views/auth/formLogin.phtml          |  28 +++++
 app/views/auth/logout.phtml             |   0
 app/views/auth/personaLogin.phtml       |  24 +++++
 app/views/helpers/javascript_vars.phtml |  13 ++-
 app/views/index/formLogin.phtml         |  46 --------
 p/scripts/main.js                       |  65 ------------
 p/scripts/persona.js                    |  76 +++++++++++++
 12 files changed, 356 insertions(+), 220 deletions(-)
 create mode 100644 app/Controllers/authController.php
 create mode 100644 app/views/auth/formLogin.phtml
 create mode 100644 app/views/auth/logout.phtml
 create mode 100644 app/views/auth/personaLogin.phtml
 delete mode 100644 app/views/index/formLogin.phtml
 create mode 100644 p/scripts/persona.js

(limited to 'app/Models/Auth.php')

diff --git a/app/Controllers/authController.php b/app/Controllers/authController.php
new file mode 100644
index 000000000..2b67e34b8
--- /dev/null
+++ b/app/Controllers/authController.php
@@ -0,0 +1,182 @@
+<?php
+
+/**
+ * This controller handles action about authentication.
+ */
+class FreshRSS_auth_Controller extends Minz_ActionController {
+	/**
+	 * This action handles the login page.
+	 *
+	 * It forwards to the correct login page (form or Persona) or main page if
+	 * the user is already connected.
+	 */
+	public function loginAction() {
+		if (FreshRSS_Auth::hasAccess()) {
+			Minz_Request::forward(array('c' => 'index', 'a' => 'index'), true);
+		}
+
+		$auth_type = Minz_Configuration::authType();
+		switch ($auth_type) {
+		case 'form':
+			Minz_Request::forward(array('c' => 'auth', 'a' => 'formLogin'));
+			break;
+		case 'persona':
+			Minz_Request::forward(array('c' => 'auth', 'a' => 'personaLogin'));
+			break;
+		case 'http_auth':
+		case 'none':
+			// It should not happened!
+			Minz_Error::error(404);
+		default:
+			// TODO load plugin instead
+			Minz_Error::error(404);
+		}
+	}
+
+	/**
+	 * This action handles form login page.
+	 *
+	 * If this action is reached through a POST request, username and password
+	 * are compared to login the current user.
+	 *
+	 * Parameters are:
+	 *   - nonce (default: false)
+	 *   - username (default: '')
+	 *   - challenge (default: '')
+	 *   - keep_logged_in (default: false)
+	 */
+	public function formLoginAction() {
+		invalidateHttpCache();
+
+		$file_mtime = @filemtime(PUBLIC_PATH . '/scripts/bcrypt.min.js');
+		Minz_View::appendScript(Minz_Url::display('/scripts/bcrypt.min.js?' . $file_mtime));
+
+		if (Minz_Request::isPost()) {
+			$nonce = Minz_Session::param('nonce');
+			$username = Minz_Request::param('username', '');
+			$challenge = Minz_Request::param('challenge', '');
+			try {
+				$conf = new FreshRSS_Configuration($username);
+			} catch(Minz_Exception $e) {
+				// $username is not a valid user, nor the configuration file!
+				Minz_Log::warning('Login failure: ' . $e->getMessage());
+				Minz_Request::bad(_t('invalid_login'),
+				                  array('c' => 'auth', 'a' => 'login'));
+			}
+
+			$ok = FreshRSS_FormAuth::checkCredentials(
+				$username, $conf->passwordHash, $nonce, $challenge
+			);
+			if ($ok) {
+				// Set session parameter to give access to the user.
+				Minz_Session::_param('currentUser', $username);
+				Minz_Session::_param('passwordHash', $conf->passwordHash);
+				FreshRSS_Auth::giveAccess();
+
+				// Set cookie parameter if nedded.
+				if (Minz_Request::param('keep_logged_in')) {
+					FreshRSS_FormAuth::makeCookie($username, $conf->passwordHash);
+				} else {
+					FreshRSS_FormAuth::deleteCookie();
+				}
+
+				// All is good, go back to the index.
+				Minz_Request::good(_t('login'),
+				                   array('c' => 'index', 'a' => 'index'));
+			} else {
+				Minz_Log::warning('Password mismatch for' .
+				                  ' user=' . $username .
+				                  ', nonce=' . $nonce .
+				                  ', c=' . $challenge);
+				Minz_Request::bad(_t('invalid_login'),
+				                  array('c' => 'auth', 'a' => 'login'));
+			}
+		}
+	}
+
+	/**
+	 * This action handles Persona login page.
+	 *
+	 * If this action is reached through a POST request, assertion from Persona
+	 * is verificated and user connected if all is ok.
+	 *
+	 * Parameter is:
+	 *   - assertion (default: false)
+	 *
+	 * @todo: Persona system should be moved to a plugin
+	 */
+	public function personaLoginAction() {
+		$this->view->res = false;
+
+		if (Minz_Request::isPost()) {
+			$this->view->_useLayout(false);
+
+			$assert = Minz_Request::param('assertion');
+			$url = 'https://verifier.login.persona.org/verify';
+			$params = 'assertion=' . $assert . '&audience=' .
+			          urlencode(Minz_Url::display(null, 'php', true));
+			$ch = curl_init();
+			$options = array(
+				CURLOPT_URL => $url,
+				CURLOPT_RETURNTRANSFER => TRUE,
+				CURLOPT_POST => 2,
+				CURLOPT_POSTFIELDS => $params
+			);
+			curl_setopt_array($ch, $options);
+			$result = curl_exec($ch);
+			curl_close($ch);
+
+			$res = json_decode($result, true);
+
+			$login_ok = false;
+			$reason = '';
+			if ($res['status'] === 'okay') {
+				$email = filter_var($res['email'], FILTER_VALIDATE_EMAIL);
+				if ($email != '') {
+					$persona_file = DATA_PATH . '/persona/' . $email . '.txt';
+					if (($current_user = @file_get_contents($persona_file)) !== false) {
+						$current_user = trim($current_user);
+						try {
+							$conf = new FreshRSS_Configuration($current_user);
+							$login_ok = strcasecmp($email, $conf->mail_login) === 0;
+						} catch (Minz_Exception $e) {
+							//Permission denied or conf file does not exist
+							$reason = 'Invalid configuration for user ' .
+							          '[' . $current_user . '] ' . $e->getMessage();
+						}
+					}
+				} else {
+					$reason = 'Invalid email format [' . $res['email'] . ']';
+				}
+			} else {
+				$reason = $res['reason'];
+			}
+
+			if ($login_ok) {
+				Minz_Session::_param('currentUser', $current_user);
+				Minz_Session::_param('mail', $email);
+				FreshRSS_Auth::giveAccess();
+				invalidateHttpCache();
+			} else {
+				Minz_Log::error($reason);
+
+				$res = array();
+				$res['status'] = 'failure';
+				$res['reason'] = _t('invalid_login');
+			}
+
+			header('Content-Type: application/json; charset=UTF-8');
+			$this->view->res = $res;
+		}
+	}
+
+	/**
+	 * This action removes all accesses of the current user.
+	 */
+	public function logoutAction() {
+		invalidateHttpCache();
+		FreshRSS_Auth::removeAccess();
+		Minz_Request::good(_t('disconnected'),
+		                   array('c' => 'index', 'a' => 'index'));
+	}
+}
diff --git a/app/Controllers/indexController.php b/app/Controllers/indexController.php
index 3006480f9..5b490e672 100755
--- a/app/Controllers/indexController.php
+++ b/app/Controllers/indexController.php
@@ -20,7 +20,7 @@ class FreshRSS_index_Controller extends Minz_ActionController {
 			} elseif ($output !== 'rss') {
 				// "hard" redirection is not required, just ask dispatcher to
 				// forward to the login form without 302 redirection
-				Minz_Request::forward(array('c' => 'index', 'a' => 'login'));
+				Minz_Request::forward(array('c' => 'auth', 'a' => 'login'));
 				return;
 			}
 		}
@@ -228,92 +228,4 @@ class FreshRSS_index_Controller extends Minz_ActionController {
 		$this->view->logsPaginator->_nbItemsPerPage(50);
 		$this->view->logsPaginator->_currentPage($page);
 	}
-
-	/**
-	 * This action handles the login page.
-	 */
-	public function loginAction() {
-		if (FreshRSS_Auth::hasAccess()) {
-			Minz_Request::forward(array('c' => 'index', 'a' => 'index'), true);
-		}
-
-		invalidateHttpCache();
-
-		$auth_type = Minz_Configuration::authType();
-		switch ($auth_type) {
-		case 'form':
-			Minz_Request::forward(array('c' => 'index', 'a' => 'formLogin'));
-			break;
-		case 'http_auth':
-		case 'none':
-			// It should not happened!
-			Minz_Error::error(404);
-		default:
-			// TODO load plugin instead
-			Minz_Error::error(404);
-		}
-	}
-
-	/**
-	 *
-	 */
-	public function formLoginAction() {
-		if (FreshRSS_Auth::hasAccess()) {
-			Minz_Request::forward(array('c' => 'index', 'a' => 'index'), true);
-		}
-
-		invalidateHttpCache();
-
-		$file_mtime = @filemtime(PUBLIC_PATH . '/scripts/bcrypt.min.js');
-		Minz_View::appendScript(Minz_Url::display('/scripts/bcrypt.min.js?' . $file_mtime));
-
-		if (Minz_Request::isPost()) {
-			$nonce = Minz_Session::param('nonce');
-			$username = Minz_Request::param('username', '');
-			$challenge = Minz_Request::param('challenge', '');
-			try {
-				$conf = new FreshRSS_Configuration($username);
-			} catch(Minz_Exception $e) {
-				// $username is not a valid user, nor the configuration file!
-				Minz_Log::warning('Login failure: ' . $e->getMessage());
-				Minz_Request::bad(_t('invalid_login'),
-				                  array('c' => 'index', 'a' => 'login'));
-			}
-
-			$ok = FreshRSS_FormAuth::checkCredentials(
-				$username, $conf->passwordHash, $nonce, $challenge
-			);
-			if ($ok) {
-				// Set session parameter to give access to the user.
-				Minz_Session::_param('currentUser', $username);
-				Minz_Session::_param('passwordHash', $conf->passwordHash);
-				FreshRSS_Auth::giveAccess();
-
-				// Set cookie parameter if nedded.
-				if (Minz_Request::param('keep_logged_in', false)) {
-					FreshRSS_FormAuth::makeCookie($username, $conf->passwordHash);
-				} else {
-					FreshRSS_FormAuth::deleteCookie();
-				}
-
-				// All is good, go back to the index.
-				Minz_Request::good(_t('login'),
-				                   array('c' => 'index', 'a' => 'index'));
-			} else {
-				Minz_Log::warning('Password mismatch for' .
-				                  ' user=' . $username .
-				                  ', nonce=' . $nonce .
-				                  ', c=' . $challenge);
-				Minz_Request::bad(_t('invalid_login'),
-				                  array('c' => 'index', 'a' => 'login'));
-			}
-		}
-	}
-
-	public function logoutAction() {
-		invalidateHttpCache();
-		FreshRSS_Auth::removeAccess();
-		Minz_Request::good(_t('disconnected'),
-		                   array('c' => 'index', 'a' => 'index'));
-	}
 }
diff --git a/app/FreshRSS.php b/app/FreshRSS.php
index 35a37b887..6b7a813bf 100644
--- a/app/FreshRSS.php
+++ b/app/FreshRSS.php
@@ -64,6 +64,14 @@ class FreshRSS extends Minz_FrontController {
 		Minz_View::appendScript(Minz_Url::display('/scripts/jquery.min.js?' . @filemtime(PUBLIC_PATH . '/scripts/jquery.min.js')));
 		Minz_View::appendScript(Minz_Url::display('/scripts/shortcut.js?' . @filemtime(PUBLIC_PATH . '/scripts/shortcut.js')));
 		Minz_View::appendScript(Minz_Url::display('/scripts/main.js?' . @filemtime(PUBLIC_PATH . '/scripts/main.js')));
+
+		if (Minz_Configuration::authType() === 'persona') {
+			// TODO move it in a plugin
+			// Needed for login AND logout with Persona.
+			Minz_View::appendScript('https://login.persona.org/include.js');
+			$file_mtime = @filemtime(PUBLIC_PATH . '/scripts/persona.js');
+			Minz_View::appendScript(Minz_Url::display('/scripts/persona.js?' . $file_mtime));
+		}
 	}
 
 	private function loadNotifications() {
diff --git a/app/Models/Auth.php b/app/Models/Auth.php
index 992b444a5..cc23d7974 100644
--- a/app/Models/Auth.php
+++ b/app/Models/Auth.php
@@ -20,7 +20,7 @@ class FreshRSS_Auth {
 			Minz_Session::_param('currentUser', $current_user);
 		}
 
-		$access_ok = self::accessControl($current_user);
+		$access_ok = self::accessControl();
 
 		if ($access_ok) {
 			self::giveAccess();
@@ -36,10 +36,9 @@ class FreshRSS_Auth {
 	 * Required session parameters are also set in this method (such as
 	 * currentUser).
 	 *
-	 * @param string $username username of the user to check access.
 	 * @return boolean true if user can be connected, false else.
 	 */
-	public static function accessControl($username) {
+	public static function accessControl() {
 		if (self::$login_ok) {
 			return true;
 		}
@@ -61,6 +60,16 @@ class FreshRSS_Auth {
 				Minz_Session::_param('currentUser', $current_user);
 			}
 			return $login_ok;
+		case 'persona':
+			$email = filter_var(Minz_Session::param('mail'), FILTER_VALIDATE_EMAIL);
+			$persona_file = DATA_PATH . '/persona/' . $email . '.txt';
+			if (($current_user = @file_get_contents($persona_file)) !== false) {
+				$current_user = trim($current_user);
+				Minz_Session::_param('currentUser', $current_user);
+				Minz_Session::_param('mail', $email);
+				return true;
+			}
+			return false;
 		case 'none':
 			return true;
 		default:
@@ -87,6 +96,9 @@ class FreshRSS_Auth {
 		case 'http_auth':
 			self::$login_ok = strcasecmp($current_user, httpAuthUser()) === 0;
 			break;
+		case 'persona':
+			self::$login_ok = strcasecmp(Minz_Session::param('mail'), $conf->mail_login) === 0;
+			break;
 		case 'none':
 			self::$login_ok = true;
 			break;
@@ -131,6 +143,9 @@ class FreshRSS_Auth {
 			Minz_Session::_param('passwordHash');
 			FreshRSS_FormAuth::deleteCookie();
 			break;
+		case 'persona':
+			Minz_Session::_param('mail');
+			break;
 		case 'http_auth':
 		case 'none':
 			// Nothing to do...
diff --git a/app/layout/header.phtml b/app/layout/header.phtml
index 12c86d61d..deb21edc9 100644
--- a/app/layout/header.phtml
+++ b/app/layout/header.phtml
@@ -2,9 +2,9 @@
 if (Minz_Configuration::canLogIn()) {
 	?><ul class="nav nav-head nav-login"><?php
 		if (FreshRSS_Auth::hasAccess()) {
-			?><li class="item"><?php echo _i('logout'); ?> <a class="signout" href="<?php echo _url('index', 'logout'); ?>"><?php echo _t('logout'); ?></a></li><?php
+			?><li class="item"><?php echo _i('logout'); ?> <a class="signout" href="<?php echo _url('auth', 'logout'); ?>"><?php echo _t('logout'); ?></a></li><?php
 		} else {
-			?><li class="item"><?php echo _i('login'); ?> <a class="signin" href="<?php echo _url('index', 'login'); ?>"><?php echo _t('login'); ?></a></li><?php
+			?><li class="item"><?php echo _i('login'); ?> <a class="signin" href="<?php echo _url('auth', 'login'); ?>"><?php echo _t('login'); ?></a></li><?php
 		}
 	?></ul><?php
 }
@@ -74,21 +74,14 @@ if (Minz_Configuration::canLogIn()) {
 				<?php
 				if (Minz_Configuration::canLogIn()) {
 					?><li class="separator"></li>
-				<li class="item"><a class="signout" href="<?php echo _url('index', 'logout'); ?>"><?php echo _i('logout'), ' ', _t('logout'); ?></a></li><?php
+				<li class="item"><a class="signout" href="<?php echo _url('auth', 'logout'); ?>"><?php echo _i('logout'), ' ', _t('logout'); ?></a></li><?php
 				} ?>
 			</ul>
 		</div>
 	</div>
-	<?php } elseif (Minz_Configuration::canLogIn()) {
-		?><div class="item configure"><?php
-		switch (Minz_Configuration::authType()) {
-		case 'form':
-			echo _i('login'); ?><a class="signin" href="<?php echo _url('index', 'formLogin'); ?>"><?php echo _t('login'); ?></a></li><?php
-			break;
-		case 'persona':
-			echo _i('login'); ?><a class="signin" href="#"><?php echo _t('login'); ?></a></li><?php
-			break;
-		}
-		?></div><?php
-	} ?>
+	<?php } elseif (Minz_Configuration::canLogIn()) { ?>
+	<div class="item configure">
+		<?php echo _i('login'); ?><a class="signin" href="<?php echo _url('auth', 'login'); ?>"><?php echo _t('login'); ?></a>
+	</div>
+	<?php } ?>
 </div>
diff --git a/app/views/auth/formLogin.phtml b/app/views/auth/formLogin.phtml
new file mode 100644
index 000000000..0194a11a5
--- /dev/null
+++ b/app/views/auth/formLogin.phtml
@@ -0,0 +1,28 @@
+<div class="prompt">
+	<h1><?php echo _t('login'); ?></h1>
+
+	<form id="crypto-form" method="post" action="<?php echo _url('auth', 'login'); ?>">
+		<div>
+			<label for="username"><?php echo _t('username'); ?></label>
+			<input type="text" id="username" name="username" size="16" required="required" maxlength="16" pattern="[0-9a-zA-Z]{1,16}" autofocus="autofocus" />
+		</div>
+		<div>
+			<label for="passwordPlain"><?php echo _t('password'); ?></label>
+				<input type="password" id="passwordPlain" required="required" />
+				<input type="hidden" id="challenge" name="challenge" /><br />
+				<noscript><strong><?php echo _t('javascript_should_be_activated'); ?></strong></noscript>
+		</div>
+		<div>
+			<label class="checkbox" for="keep_logged_in">
+				<input type="checkbox" name="keep_logged_in" id="keep_logged_in" value="1" />
+				<?php echo _t('keep_logged_in'); ?>
+			</label>
+			<br />
+		</div>
+		<div>
+			<button id="loginButton" type="submit" class="btn btn-important"><?php echo _t('login'); ?></button>
+		</div>
+	</form>
+
+	<p><a href="<?php echo _url('index', 'about'); ?>"><?php echo _t('about_freshrss'); ?></a></p>
+</div>
diff --git a/app/views/auth/logout.phtml b/app/views/auth/logout.phtml
new file mode 100644
index 000000000..e69de29bb
diff --git a/app/views/auth/personaLogin.phtml b/app/views/auth/personaLogin.phtml
new file mode 100644
index 000000000..d62fe5818
--- /dev/null
+++ b/app/views/auth/personaLogin.phtml
@@ -0,0 +1,24 @@
+<?php if ($this->res === false) { ?>
+<div class="prompt">
+	<h1><?php echo _t('login'); ?></h1>
+
+	<p>
+		<a class="signin btn btn-important" href="<?php echo _url('auth', 'login'); ?>">
+			<?php echo _i('login'); ?> <?php echo _t('login_with_persona'); ?>
+		</a>
+
+		<br /><br />
+
+		<?php echo _i('help'); ?>
+		<small>
+			<a href="<?php echo _url('auth', 'resetAuth'); ?>"><?php echo _t('login_persona_problem'); ?></a>
+		</small>
+	</p>
+
+	<p><a href="<?php echo _url('index', 'about'); ?>"><?php echo _t('about_freshrss'); ?></a></p>
+</div>
+<?php
+} else {
+	echo json_encode($this->res);
+}
+?>
diff --git a/app/views/helpers/javascript_vars.phtml b/app/views/helpers/javascript_vars.phtml
index 8f615ed87..3bbcc3848 100644
--- a/app/views/helpers/javascript_vars.phtml
+++ b/app/views/helpers/javascript_vars.phtml
@@ -8,6 +8,15 @@ $hide_posts = ($this->conf->display_posts ||
                Minz_Request::param('output') === 'reader');
 $s = $this->conf->shortcuts;
 
+$url_login = Minz_Url::display(array(
+	'c' => 'auth',
+	'a' => 'login'
+), 'php');
+$url_logout = Minz_Url::display(array(
+	'c' => 'auth',
+	'a' => 'logout'
+), 'php');
+
 echo 'var context={',
 	'hide_posts:', $hide_posts ? 'false' : 'true', ',',
 	'display_order:"', Minz_Request::param('order', $this->conf->sort_order), '",',
@@ -43,8 +52,8 @@ echo 'shortcuts={',
 
 echo 'url={',
 	'index:"', _url('index', 'index'), '",',
-	'login:"', _url('index', 'login'), '",',
-	'logout:"', _url('index', 'logout'), '",',
+	'login:"', $url_login, '",',
+	'logout:"', $url_logout, '",',
 	'help:"', FRESHRSS_WIKI, '"',
 "},\n";
 
diff --git a/app/views/index/formLogin.phtml b/app/views/index/formLogin.phtml
deleted file mode 100644
index b05cdced4..000000000
--- a/app/views/index/formLogin.phtml
+++ /dev/null
@@ -1,46 +0,0 @@
-<div class="prompt">
-	<h1><?php echo _t('login'); ?></h1><?php
-
-	switch (Minz_Configuration::authType()) {
-	case 'form':
-	?><form id="crypto-form" method="post" action="<?php echo _url('index', 'formLogin'); ?>">
-		<div>
-			<label for="username"><?php echo _t('username'); ?></label>
-			<input type="text" id="username" name="username" size="16" required="required" maxlength="16" pattern="[0-9a-zA-Z]{1,16}" autofocus="autofocus" />
-		</div>
-		<div>
-			<label for="passwordPlain"><?php echo _t('password'); ?></label>
-				<input type="password" id="passwordPlain" required="required" />
-				<input type="hidden" id="challenge" name="challenge" /><br />
-				<noscript><strong><?php echo _t('javascript_should_be_activated'); ?></strong></noscript>
-		</div>
-		<div>
-			<label class="checkbox" for="keep_logged_in">
-				<input type="checkbox" name="keep_logged_in" id="keep_logged_in" value="1" />
-				<?php echo _t('keep_logged_in'); ?>
-			</label>
-			<br />
-		</div>
-		<div>
-			<button id="loginButton" type="submit" class="btn btn-important"><?php echo _t('login'); ?></button>
-		</div>
-	</form><?php
-		break;
-
-	case 'persona':
-		?><p>
-			<a class="signin btn btn-important" href="#">
-				<?php echo _i('login'); ?>
-				<?php echo _t('login_with_persona'); ?>
-			</a><br /><br />
-
-			<?php echo _i('help'); ?>
-			<small>
-				<a href="<?php echo _url('index', 'resetAuth'); ?>"><?php echo _t('login_persona_problem'); ?></a>
-			</small>
-		</p><?php
-		break;
-	} ?>
-
-	<p><a href="<?php echo _url('index', 'about'); ?>"><?php echo _t('about_freshrss'); ?></a></p>
-</div>
diff --git a/p/scripts/main.js b/p/scripts/main.js
index b01a3a34d..77e1e3f77 100644
--- a/p/scripts/main.js
+++ b/p/scripts/main.js
@@ -1034,67 +1034,7 @@ function init_crypto_form() {
 }
 //</crypto form (Web login)>
 
-//<persona>
-function init_persona() {
-	if (!(navigator.id)) {
-		if (window.console) {
-			console.log('FreshRSS waiting for Persona…');
-		}
-		window.setTimeout(init_persona, 100);
-		return;
-	}
-	$('a.signin').click(function() {
-		navigator.id.request();
-		return false;
-	});
-
-	$('a.signout').click(function() {
-		navigator.id.logout();
-		return false;
-	});
 
-	navigator.id.watch({
-		loggedInUser: context['current_user_mail'],
-
-		onlogin: function(assertion) {
-			// A user has logged in! Here you need to:
-			// 1. Send the assertion to your backend for verification and to create a session.
-			// 2. Update your UI.
-			$.ajax ({
-				type: 'POST',
-				url: url['login'],
-				data: {assertion: assertion},
-				success: function(res, status, xhr) {
-					/*if (res.status === 'failure') {
-						alert (res_obj.reason);
-					} else*/ if (res.status === 'okay') {
-						location.href = url['index'];
-					}
-				},
-				error: function(res, status, xhr) {
-					alert("Login failure: " + res);
-				}
-			});
-		},
-		onlogout: function() {
-			// A user has logged out! Here you need to:
-			// Tear down the user's session by redirecting the user or making a call to your backend.
-			// Also, make sure loggedInUser will get set to null on the next page load.
-			// (That's a literal JavaScript null. Not false, 0, or undefined. null.)
-			$.ajax ({
-				type: 'POST',
-				url: url['logout'],
-				success: function(res, status, xhr) {
-					location.href = url['index'];
-				},
-				error: function(res, status, xhr) {
-					//alert("logout failure" + res);
-				}
-			});
-		}
-	});
-}
-//</persona>
 
 function init_confirm_action() {
 	$('body').on('click', '.confirm', function () {
@@ -1274,11 +1214,6 @@ function init_all() {
 		return;
 	}
 	init_notifications();
-	switch (context['auth_type']) {
-		case 'persona':
-			init_persona();
-			break;
-	}
 	init_confirm_action();
 	$stream = $('#stream');
 	if ($stream.length > 0) {
diff --git a/p/scripts/persona.js b/p/scripts/persona.js
new file mode 100644
index 000000000..36aeeaf56
--- /dev/null
+++ b/p/scripts/persona.js
@@ -0,0 +1,76 @@
+"use strict";
+
+function init_persona() {
+	if (!(navigator.id && window.$)) {
+		if (window.console) {
+			console.log('FreshRSS (Persona) waiting for JS…');
+		}
+		window.setTimeout(init_persona, 100);
+		return;
+	}
+
+	$('a.signin').click(function() {
+		navigator.id.request();
+		return false;
+	});
+
+	$('a.signout').click(function() {
+		navigator.id.logout();
+		return false;
+	});
+
+	navigator.id.watch({
+		loggedInUser: context['current_user_mail'],
+
+		onlogin: function(assertion) {
+			// A user has logged in! Here you need to:
+			// 1. Send the assertion to your backend for verification and to create a session.
+			// 2. Update your UI.
+			$.ajax ({
+				type: 'POST',
+				url: url['login'],
+				data: {assertion: assertion},
+				success: function(res, status, xhr) {
+					if (res.status === 'failure') {
+						openNotification(res.reason, 'bad');
+					} else if (res.status === 'okay') {
+						location.href = url['index'];
+					}
+				},
+				error: function(res, status, xhr) {
+					// alert(res);
+				}
+			});
+		},
+		onlogout: function() {
+			// A user has logged out! Here you need to:
+			// Tear down the user's session by redirecting the user or making a call to your backend.
+			// Also, make sure loggedInUser will get set to null on the next page load.
+			// (That's a literal JavaScript null. Not false, 0, or undefined. null.)
+			$.ajax ({
+				type: 'POST',
+				url: url['logout'],
+				success: function(res, status, xhr) {
+					location.href = url['index'];
+				},
+				error: function(res, status, xhr) {
+					// alert(res);
+				}
+			});
+		}
+	});
+}
+
+if (document.readyState && document.readyState !== 'loading') {
+	if (window.console) {
+		console.log('FreshRSS (Persona) immediate init…');
+	}
+	init_persona();
+} else if (document.addEventListener) {
+	document.addEventListener('DOMContentLoaded', function () {
+		if (window.console) {
+			console.log('FreshRSS (Persona) waiting for DOMContentLoaded…');
+		}
+		init_persona();
+	}, false);
+}
-- 
cgit v1.2.3