Source for file joomla.php

Documentation is available at joomla.php

  1. <?php
  2. /**
  3.  * @package     Joomla.Plugin
  4.  * @subpackage  Authentication.joomla
  5.  *
  6.  * @copyright   Copyright (C) 2005 - 2013 Open Source Matters, Inc. All rights reserved.
  7.  * @license     GNU General Public License version 2 or later; see LICENSE.txt
  8.  */
  9.  
  10. defined('_JEXEC'or die;
  11.  
  12. /**
  13.  * Joomla Authentication plugin
  14.  *
  15.  * @package     Joomla.Plugin
  16.  * @subpackage  Authentication.joomla
  17.  * @since       1.5
  18.  */
  19. class PlgAuthenticationJoomla extends JPlugin
  20. {
  21.     /**
  22.      * This method should handle any authentication and report back to the subject
  23.      *
  24.      * @param   array   $credentials  Array holding the user credentials
  25.      * @param   array   $options      Array of extra options
  26.      * @param   object  &$response    Authentication response object
  27.      *
  28.      * @return  boolean 
  29.      *
  30.      * @since   1.5
  31.      */
  32.     public function onUserAuthenticate($credentials$options&$response)
  33.     {
  34.         $response->type 'Joomla';
  35.  
  36.         // Joomla does not like blank passwords
  37.         if (empty($credentials['password']))
  38.         {
  39.             $response->status JAuthentication::STATUS_FAILURE;
  40.             $response->error_message JText::_('JGLOBAL_AUTH_EMPTY_PASS_NOT_ALLOWED');
  41.  
  42.             return false;
  43.         }
  44.  
  45.         // Get a database object
  46.         $db    JFactory::getDbo();
  47.         $query $db->getQuery(true)
  48.             ->select('id, password')
  49.             ->from('#__users')
  50.             ->where('username=' $db->quote($credentials['username']));
  51.  
  52.         $db->setQuery($query);
  53.         $result $db->loadObject();
  54.  
  55.         if ($result)
  56.         {
  57.             if (substr($result->password04== '$2y$')
  58.             {
  59.                 // BCrypt passwords are always 60 characters, but it is possible that salt is appended although non standard.
  60.                 $password60 substr($result->password060);
  61.  
  62.                 if (JCrypt::hasStrongPasswordSupport())
  63.                 {
  64.                     $match password_verify($credentials['password']$password60);
  65.                 }
  66.             }
  67.             elseif (substr($result->password08== '{SHA256}')
  68.             {
  69.                 // Check the password
  70.                 $parts    explode(':'$result->password);
  71.                 $crypt    $parts[0];
  72.                 $salt    @$parts[1];
  73.                 $testcrypt JUserHelper::getCryptedPassword($credentials['password']$salt'sha256'false);
  74.  
  75.                 if ($result->password == $testcrypt)
  76.                 {
  77.                     $match true;
  78.                 }
  79.             }
  80.             else
  81.             {
  82.                 // Check the password
  83.                 $parts    explode(':'$result->password);
  84.                 $crypt    $parts[0];
  85.                 $salt    @$parts[1];
  86.  
  87.                 $testcrypt JUserHelper::getCryptedPassword($credentials['password']$salt'md5-hex'false);
  88.  
  89.                 if ($crypt == $testcrypt)
  90.                 {
  91.                     $match true;
  92.                 }
  93.             }
  94.  
  95.             if (isset($match&& $match === true)
  96.             {
  97.                 // Bring this in line with the rest of the system
  98.                 $user JUser::getInstance($result->id);
  99.                 $response->email $user->email;
  100.                 $response->fullname $user->name;
  101.  
  102.                 if (JFactory::getApplication()->isAdmin())
  103.                 {
  104.                     $response->language $user->getParam('admin_language');
  105.                 }
  106.                 else
  107.                 {
  108.                     $response->language $user->getParam('language');
  109.                 }
  110.  
  111.                 $response->status JAuthentication::STATUS_SUCCESS;
  112.                 $response->error_message '';
  113.             }
  114.             else
  115.             {
  116.                 // Invalid password
  117.                 $response->status JAuthentication::STATUS_FAILURE;
  118.                 $response->error_message JText::_('JGLOBAL_AUTH_INVALID_PASS');
  119.             }
  120.         }
  121.         else
  122.         {
  123.             // Invalid user
  124.             $response->status JAuthentication::STATUS_FAILURE;
  125.             $response->error_message JText::_('JGLOBAL_AUTH_NO_USER');
  126.         }
  127.  
  128.         // Check the two factor authentication
  129.         if ($response->status == JAuthentication::STATUS_SUCCESS)
  130.         {
  131.             require_once JPATH_ADMINISTRATOR '/components/com_users/helpers/users.php';
  132.  
  133.             $methods UsersHelper::getTwoFactorMethods();
  134.  
  135.             if (count($methods<= 1)
  136.             {
  137.                 // No two factor authentication method is enabled
  138.                 return;
  139.             }
  140.  
  141.             require_once JPATH_ADMINISTRATOR '/components/com_users/models/user.php';
  142.  
  143.             $model new UsersModelUser;
  144.  
  145.             // Load the user's OTP (one time password, a.k.a. two factor auth) configuration
  146.             if (!array_key_exists('otp_config'$options))
  147.             {
  148.                 $otpConfig $model->getOtpConfig($result->id);
  149.                 $options['otp_config'$otpConfig;
  150.             }
  151.             else
  152.             {
  153.                 $otpConfig $options['otp_config'];
  154.             }
  155.  
  156.             // Check if the user has enabled two factor authentication
  157.             if (empty($otpConfig->method|| ($otpConfig->method == 'none'))
  158.             {
  159.                 // Warn the user if he's using a secret code but he has not
  160.                 // enabed two factor auth in his account.
  161.                 if (!empty($credentials['secretkey']))
  162.                 {
  163.                     try
  164.                     {
  165.                         $app JFactory::getApplication();
  166.  
  167.                         $this->loadLanguage();
  168.  
  169.                         $app->enqueueMessage(JText::_('PLG_AUTH_JOOMLA_ERR_SECRET_CODE_WITHOUT_TFA')'warning');
  170.                     }
  171.                     catch (Exception $exc)
  172.                     {
  173.                         // This happens when we are in CLI mode. In this case
  174.                         // no warning is issued
  175.                         return;
  176.                     }
  177.                 }
  178.  
  179.                 return;
  180.             }
  181.  
  182.             // Load the Joomla! RAD layer
  183.             if (!defined('FOF_INCLUDED'))
  184.             {
  185.                 include_once JPATH_LIBRARIES '/fof/include.php';
  186.             }
  187.  
  188.             // Try to validate the OTP
  189.             FOFPlatform::getInstance()->importPlugin('twofactorauth');
  190.  
  191.             $otpAuthReplies FOFPlatform::getInstance()->runPlugins('onUserTwofactorAuthenticate'array($credentials$options));
  192.  
  193.             $check false;
  194.  
  195.             /*
  196.              * This looks like noob code but DO NOT TOUCH IT and do not convert
  197.              * to in_array(). During testing in_array() inexplicably returned
  198.              * null when the OTEP begins with a zero! o_O
  199.              */
  200.             if (!empty($otpAuthReplies))
  201.             {
  202.                 foreach ($otpAuthReplies as $authReply)
  203.                 {
  204.                     $check $check || $authReply;
  205.                 }
  206.             }
  207.  
  208.             // Fall back to one time emergency passwords
  209.             if (!$check)
  210.             {
  211.                 // Did the user use an OTEP instead?
  212.                 if (empty($otpConfig->otep))
  213.                 {
  214.                     if (empty($otpConfig->method|| ($otpConfig->method == 'none'))
  215.                     {
  216.                         // Two factor authentication is not enabled on this account.
  217.                         // Any string is assumed to be a valid OTEP.
  218.  
  219.                         return true;
  220.                     }
  221.                     else
  222.                     {
  223.                         /*
  224.                          * Two factor authentication enabled and no OTEPs defined. The
  225.                          * user has used them all up. Therefore anything he enters is
  226.                          * an invalid OTEP.
  227.                          */
  228.                         return false;
  229.                     }
  230.                     }
  231.  
  232.                 // Clean up the OTEP (remove dashes, spaces and other funny stuff
  233.                 // our beloved users may have unwittingly stuffed in it)
  234.                 $otep $credentials['secretkey'];
  235.                 $otep filter_var($otepFILTER_SANITIZE_NUMBER_INT);
  236.                 $otep str_replace('-'''$otep);
  237.  
  238.                 $check false;
  239.  
  240.                 // Did we find a valid OTEP?
  241.                 if (in_array($otep$otpConfig->otep))
  242.                 {
  243.                     // Remove the OTEP from the array
  244.                     $otpConfig->otep array_diff($otpConfig->oteparray($otep));
  245.  
  246.                     $model->setOtpConfig($result->id$otpConfig);
  247.  
  248.                     // Return true; the OTEP was a valid one
  249.                     $check true;
  250.                 }
  251.             }
  252.  
  253.             if (!$check)
  254.             {
  255.                 $response->status JAuthentication::STATUS_FAILURE;
  256.                 $response->error_message JText::_('JGLOBAL_AUTH_INVALID_SECRETKEY');
  257.             }
  258.         }
  259.     }
  260. }

Documentation generated on Tue, 19 Nov 2013 15:06:08 +0100 by phpDocumentor 1.4.3