Feature #18039 » felogin-trunk2944.diff
typo3/sysext/felogin/ext_localconf.php (working copy) | ||
---|---|---|
|
||
t3lib_extMgm::addTypoScript($_EXTKEY,'setup','# Setting '.$_EXTKEY.' plugin TypoScript'.$addLine.'',43);
|
||
if ($TYPO3_CONF_VARS['FE']['passwordType'] == 'md5' && $TYPO3_CONF_VARS['FE']['loginSecurityLevel'] == 'superchallenged') {
|
||
t3lib_extMgm::addService($_EXTKEY, 'auth' /* sv type */, 'tx_felogin' /* sv key */,
|
||
array(
|
||
//activate support for kb_md5fepw
|
||
if (t3lib_extMgm::isLoaded('kb_md5fepw') && (TYPO3_MODE == 'FE')) {
|
||
$GLOBALS ['TYPO3_CONF_VARS']['EXTCONF']['felogin']['loginFormOnSubmitFuncs'][] = 'tx_kbmd5fepw_newloginbox->loginFormOnSubmit';
|
||
require_once(t3lib_extMgm::extPath('kb_md5fepw').'pi1/class.tx_kbmd5fepw_newloginbox.php');
|
||
}
|
||
'title' => 'FE MD5 authentication with superchallenge',
|
||
'description' => 'Performs the server side part of the challenge response authentication.',
|
||
'subtype' => 'authUserFE',
|
||
'available' => true,
|
||
'priority' => 70,
|
||
'quality' => 70,
|
||
'os' => '',
|
||
'exec' => '',
|
||
'classFile' => t3lib_extMgm::extPath($_EXTKEY).'sv1/class.tx_felogin_sv1.php',
|
||
'className' => 'tx_felogin_sv1',
|
||
)
|
||
);
|
||
?>
|
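Review bot: The service registration says nothing about what the `superchallenged` scheme protects, either in a comment or in the `title`/`description` strings. Judging from the client code in pi1, which sends `MD5(user:MD5(pass):challenge)`, the server presumably has to keep the bare `MD5(pass)` value, so that stored value is itself enough to answer a challenge and should be handled like a password. I would add above the `if`: `// superchallenged: the stored MD5 hash is password-equivalent; this only keeps the clear-text password off the wire and is no substitute for TLS`. The two string checks in the condition could also use `===` instead of `==`.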
typo3/sysext/felogin/ext_tables.sql (working copy) | ||
---|---|---|
#
|
||
# Table structure for table 'fe_groups'
|
||
#
|
||
CREATE TABLE fe_groups (
|
||
felogin_redirectPid tinytext
|
||
);
|
||
#
|
||
# Table structure for table 'fe_users'
|
||
#
|
||
CREATE TABLE fe_users (
|
||
felogin_redirectPid tinytext
|
||
);
|
||
#
|
||
# Table structure for table 'fe_groups'
|
||
#
|
||
CREATE TABLE fe_groups (
|
||
felogin_redirectPid tinytext
|
||
);
|
||
|
||
|
||
|
||
#
|
||
# Table structure for table 'fe_users'
|
||
#
|
||
CREATE TABLE fe_users (
|
||
felogin_redirectPid tinytext
|
||
);
|
||
|
||
CREATE TABLE tx_felogin_challenge (
|
||
challenge varchar(100) DEFAULT '' NOT NULL,
|
||
tstamp int(11) DEFAULT '0' NOT NULL,
|
||
PRIMARY KEY (challenge)
|
||
);
|
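Review bot: `tx_felogin_challenge` records `tstamp`, but nothing in this patch reads it. pi1 and `user_felogin_challenge::getChallenge()` insert a row for every generated challenge, and `authUser()` deletes a row only when that exact challenge is submitted back. As far as the diff shows, unanswered challenges stay valid indefinitely and the table only grows. I would make the key lines `PRIMARY KEY (challenge),` followed by `KEY tstamp (tstamp)`, and add a comment above the table such as `# challenges are single-use; rows older than the allowed lifetime must be purged and rejected at login`.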
typo3/sysext/felogin/pi1/class.tx_felogin_pi1.php (working copy) | ||
---|---|---|
$onSubmit = implode('; ', $onSubmitAr).'; return true;';
|
||
$extraHidden = implode(chr(10), $extraHiddenAr);
|
||
}
|
||
|
||
// Implements the MD5 superchallenged On Submit as in Hook
|
||
// keeps hook in mind
|
||
if ( $GLOBALS['TYPO3_CONF_VARS']['FE']['passwordType'] == 'md5' && $GLOBALS['TYPO3_CONF_VARS']['FE']['loginSecurityLevel'] == 'superchallenged') {
|
||
list($onSub, $hid) = $this->getFormOnSubmitMD5();
|
||
$onSubmit = $onSub . $onSubmit;;
|
||
$extraHidden .= $hid;
|
||
}
|
||
// Login form
|
||
$markerArray['###ACTION_URI###'] = $this->getPageLink('',array(),true);
|
||
$markerArray['###EXTRA_HIDDEN###'] = $extraHidden; // used by kb_md5fepw extension...
|
||
... | ... | |
}
|
||
return $pass;
|
||
}
|
||
/*
|
||
* return the additional onSubmit-JS Code, for superchallenged Login
|
||
* copied from kb_md5fepw/class.tx_kbmd5fepw_newloginbox.php
|
||
* original Name loginFormOnSubmit()
|
||
*/
|
||
private function getFormOnSubmitMD5() {
|
||
$js = '
|
||
function superchallenge_pass(form) {
|
||
var pass = form.pass.value;
|
||
if (pass) {
|
||
var enc_pass = MD5(pass);
|
||
var str = form.user.value+":"+enc_pass+":"+form.challenge.value;
|
||
form.pass.value = MD5(str);
|
||
return true;
|
||
} else {
|
||
return false;
|
||
}
|
||
}
|
||
';
|
||
$GLOBALS['TSFE']->JSCode .= $js;
|
||
$GLOBALS['TSFE']->additionalHeaderData['tx_felogin'] = '<script language="JavaScript" type="text/javascript" src="typo3/md5.js"></script>';
|
||
$chal_val = md5(time().getmypid());
|
||
$res = $GLOBALS['TYPO3_DB']->exec_INSERTquery('tx_felogin_challenge', array('challenge' => $chal_val, 'tstamp' => time()));
|
||
$onSubmit = 'superchallenge_pass(this)';
|
||
$hidden = '<input type="hidden" name="challenge" value="'.$chal_val.'">';
|
||
return array($onSubmit, $hidden);
|
||
}
|
||
|
||
/**
|
||
* Returns the header / message value from flexform if present, else from locallang.xml
|
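Review bot: `$chal_val = md5(time().getmypid())` in `getFormOnSubmitMD5()` derives the challenge from the clock and the process id, both of which can be guessed. Two forms rendered by one process within the same second get the same value, so the second `exec_INSERTquery` collides with the primary key, and `$res` is never checked. The same line is repeated in `user_felogin_challenge::getChallenge()` in tools/user_getChallenge.php. The challenge should come from a cryptographically secure source, for example `$chal_val = bin2hex(random_bytes(16));` where the PHP version allows it, with the insert result checked before the value is handed out. Separately, in the first hunk (whose enclosing function starts and ends outside it) `$onSubmit = $onSub . $onSubmit;;` joins the two handlers without a separator and leaves a stray `;`, so with hook handlers present the attribute appears to become invalid JavaScript; `$onSubmit = $onSub . '; ' . $onSubmit;` avoids that.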
typo3/sysext/felogin/sv1/class.tx_felogin_sv1.php (revision 0) | ||
---|---|---|
<?php
|
||
/***************************************************************
|
||
* Copyright notice
|
||
*
|
||
* (c) 2005 Kraft Bernhard (kraftb@gmx.net)
|
||
* All rights reserved
|
||
*
|
||
* Based on ext/sv/class.tx_sv_auth.php:
|
||
* (c) 2004-2005 Ren? Fritz <r.fritz@colorcube.de>
|
||
* All rights reserved
|
||
*
|
||
* This script is part of the TYPO3 project. The TYPO3 project is
|
||
* free software; you can redistribute it and/or modify
|
||
* it under the terms of the GNU General Public License as published by
|
||
* the Free Software Foundation; either version 2 of the License, or
|
||
* (at your option) any later version.
|
||
*
|
||
* The GNU General Public License can be found at
|
||
* http://www.gnu.org/copyleft/gpl.html.
|
||
* A copy is found in the textfile GPL.txt and important notices to the license
|
||
* from the author is found in LICENSE.txt distributed with these scripts.
|
||
*
|
||
*
|
||
* This script is distributed in the hope that it will be useful,
|
||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
* GNU General Public License for more details.
|
||
*
|
||
* This copyright notice MUST APPEAR in all copies of the script!
|
||
***************************************************************/
|
||
/**
|
||
* Service class which performs challenge response.
|
||
* copied from kb_md5fepw
|
||
* $Id$
|
||
*
|
||
* @author Kraft Bernhard <kraftb@kraftb.at>
|
||
* @author Ren? Fritz <r.fritz@colorcube.de>
|
||
*/
|
||
/**
|
||
* [CLASS/FUNCTION INDEX of SCRIPT]
|
||
*/
|
||
|
||
|
||
class tx_felogin_sv1 extends tx_sv_authbase {
|
||
|
||
/**
|
||
* Authenticate a user (Check various conditions for the user that might invalidate its authentication, eg. password match, domain, IP, etc.)
|
||
*
|
||
* @param array Data of user.
|
||
* @return boolean
|
||
*/
|
||
function authUser($user) {
|
||
$OK = 100;
|
||
|
||
if ($this->login['uident'] && $this->login['uname']) {
|
||
|
||
// Checking password match for user:
|
||
$OK = $this->compareUident($user, $this->login, 'superchallenged');
|
||
|
||
$F_chalvalue = $this->login['chalvalue'];
|
||
if (strlen($F_chalvalue)) {
|
||
$res = $GLOBALS['TYPO3_DB']->exec_SELECTquery('count(*) as count', 'tx_felogin_challenge', 'challenge='.$GLOBALS['TYPO3_DB']->fullQuoteStr($F_chalvalue, 'tx_felogin_challenge'));
|
||
$row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res);
|
||
$cnt = $row['count'];
|
||
// If we don't find this challenge in the database it's invalid
|
||
if (!$cnt) {
|
||
$OK = 0;
|
||
} else {
|
||
$GLOBALS['TYPO3_DB']->exec_DELETEquery('tx_felogin_challenge', 'challenge='.$GLOBALS['TYPO3_DB']->fullQuoteStr($F_chalvalue, 'tx_felogin_challenge'));
|
||
}
|
||
}
|
||
if(!$OK) {
|
||
|
||
// Failed login attempt (wrong password) - write that to the log!
|
||
if ($this->writeAttemptLog) {
|
||
$this->writelog(255,3,3,1,
|
||
"Login-attempt from %s (%s), username '%s', password not accepted!",
|
||
Array($this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']));
|
||
}
|
||
if ($this->writeDevLog) t3lib_div::devLog('Password not accepted: '.$this->login['uident'], 'tx_sv_auth', 2);
|
||
}
|
||
|
||
// Checking the domain (lockToDomain)
|
||
if ($OK && $user['lockToDomain'] && $user['lockToDomain']!=$this->authInfo['HTTP_HOST']) {
|
||
// Lock domain didn't match, so error:
|
||
if ($this->writeAttemptLog) {
|
||
$this->writelog(255,3,3,1,
|
||
"Login-attempt from %s (%s), username '%s', locked domain '%s' did not match '%s'!",
|
||
Array($this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $user[$this->db_user['username_column']], $user['lockToDomain'], $this->authInfo['HTTP_HOST']));
|
||
}
|
||
$OK = false;
|
||
}
|
||
}
|
||
return $OK>0?200:0;
|
||
}
|
||
|
||
|
||
}
|
||
|
||
if (defined('TYPO3_MODE') && $TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/felogin/sv1/class.tx_felogin_sv1.php']) {
|
||
include_once($TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/felogin/sv1/class.tx_felogin_sv1.php']);
|
||
}
|
||
?>
|
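Review bot: The challenge lookup in `authUser()` is wrapped in `if (strlen($F_chalvalue))`, so a login that arrives with no challenge skips the `tx_felogin_challenge` check altogether, and the single-use guarantee then rests only on `compareUident()`, which is not part of this patch. The SELECT-then-DELETE pair is also not atomic, so two concurrent requests carrying the same challenge can both find the row, and `tstamp` is never compared, so a challenge does not expire. I would reject an empty challenge and consume the row with one DELETE whose affected-row count decides the outcome, as sketched below. The docblock's `@return boolean` should read `@return integer 200 if authenticated, 0 otherwise`, and the dev-log call that appends `$this->login['uident']` would be better without the submitted value. This file section is printed twice on the page; the note applies to both copies.

```php
$F_chalvalue = $this->login['chalvalue'];
if (!strlen($F_chalvalue)) {
		// No challenge submitted: single use cannot be verified, so refuse the login
	$OK = 0;
} else {
		// Consume the challenge in one statement; only the request that removed the row may pass
	$GLOBALS['TYPO3_DB']->exec_DELETEquery('tx_felogin_challenge', 'challenge='.$GLOBALS['TYPO3_DB']->fullQuoteStr($F_chalvalue, 'tx_felogin_challenge'));
	if (!$GLOBALS['TYPO3_DB']->sql_affected_rows()) {
		$OK = 0;
	}
}
// … unchanged: failed-attempt logging and lockToDomain check …
```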
typo3/sysext/felogin/sv1/class.tx_felogin_sv1.php (revision 0) | ||
---|---|---|
<?php
|
||
/***************************************************************
|
||
* Copyright notice
|
||
*
|
||
* (c) 2005 Kraft Bernhard (kraftb@gmx.net)
|
||
* All rights reserved
|
||
*
|
||
* Based on ext/sv/class.tx_sv_auth.php:
|
||
* (c) 2004-2005 Ren? Fritz <r.fritz@colorcube.de>
|
||
* All rights reserved
|
||
*
|
||
* This script is part of the TYPO3 project. The TYPO3 project is
|
||
* free software; you can redistribute it and/or modify
|
||
* it under the terms of the GNU General Public License as published by
|
||
* the Free Software Foundation; either version 2 of the License, or
|
||
* (at your option) any later version.
|
||
*
|
||
* The GNU General Public License can be found at
|
||
* http://www.gnu.org/copyleft/gpl.html.
|
||
* A copy is found in the textfile GPL.txt and important notices to the license
|
||
* from the author is found in LICENSE.txt distributed with these scripts.
|
||
*
|
||
*
|
||
* This script is distributed in the hope that it will be useful,
|
||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
* GNU General Public License for more details.
|
||
*
|
||
* This copyright notice MUST APPEAR in all copies of the script!
|
||
***************************************************************/
|
||
/**
|
||
* Service class which performs challenge response.
|
||
* copied from kb_md5fepw
|
||
* $Id$
|
||
*
|
||
* @author Kraft Bernhard <kraftb@kraftb.at>
|
||
* @author Ren? Fritz <r.fritz@colorcube.de>
|
||
*/
|
||
/**
|
||
* [CLASS/FUNCTION INDEX of SCRIPT]
|
||
*/
|
||
|
||
|
||
class tx_felogin_sv1 extends tx_sv_authbase {
|
||
|
||
/**
|
||
* Authenticate a user (Check various conditions for the user that might invalidate its authentication, eg. password match, domain, IP, etc.)
|
||
*
|
||
* @param array Data of user.
|
||
* @return boolean
|
||
*/
|
||
function authUser($user) {
|
||
$OK = 100;
|
||
|
||
if ($this->login['uident'] && $this->login['uname']) {
|
||
|
||
// Checking password match for user:
|
||
$OK = $this->compareUident($user, $this->login, 'superchallenged');
|
||
|
||
$F_chalvalue = $this->login['chalvalue'];
|
||
if (strlen($F_chalvalue)) {
|
||
$res = $GLOBALS['TYPO3_DB']->exec_SELECTquery('count(*) as count', 'tx_felogin_challenge', 'challenge='.$GLOBALS['TYPO3_DB']->fullQuoteStr($F_chalvalue, 'tx_felogin_challenge'));
|
||
$row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res);
|
||
$cnt = $row['count'];
|
||
// If we don't find this challenge in the database it's invalid
|
||
if (!$cnt) {
|
||
$OK = 0;
|
||
} else {
|
||
$GLOBALS['TYPO3_DB']->exec_DELETEquery('tx_felogin_challenge', 'challenge='.$GLOBALS['TYPO3_DB']->fullQuoteStr($F_chalvalue, 'tx_felogin_challenge'));
|
||
}
|
||
}
|
||
if(!$OK) {
|
||
|
||
// Failed login attempt (wrong password) - write that to the log!
|
||
if ($this->writeAttemptLog) {
|
||
$this->writelog(255,3,3,1,
|
||
"Login-attempt from %s (%s), username '%s', password not accepted!",
|
||
Array($this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']));
|
||
}
|
||
if ($this->writeDevLog) t3lib_div::devLog('Password not accepted: '.$this->login['uident'], 'tx_sv_auth', 2);
|
||
}
|
||
|
||
// Checking the domain (lockToDomain)
|
||
if ($OK && $user['lockToDomain'] && $user['lockToDomain']!=$this->authInfo['HTTP_HOST']) {
|
||
// Lock domain didn't match, so error:
|
||
if ($this->writeAttemptLog) {
|
||
$this->writelog(255,3,3,1,
|
||
"Login-attempt from %s (%s), username '%s', locked domain '%s' did not match '%s'!",
|
||
Array($this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $user[$this->db_user['username_column']], $user['lockToDomain'], $this->authInfo['HTTP_HOST']));
|
||
}
|
||
$OK = false;
|
||
}
|
||
}
|
||
return $OK>0?200:0;
|
||
}
|
||
|
||
|
||
}
|
||
|
||
if (defined('TYPO3_MODE') && $TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/felogin/sv1/class.tx_felogin_sv1.php']) {
|
||
include_once($TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/felogin/sv1/class.tx_felogin_sv1.php']);
|
||
}
|
||
?>
|
typo3/sysext/felogin/tools/user_getChallenge.php (revision 0) | ||
---|---|---|
<?php
|
||
/***************************************************************
|
||
* Copyright notice
|
||
*
|
||
* (c) 2005 Kraft Bernhard (kraftb@gmx.net)
|
||
* All rights reserved
|
||
*
|
||
* This script is part of the TYPO3 project. The TYPO3 project is
|
||
* free software; you can redistribute it and/or modify
|
||
* it under the terms of the GNU General Public License as published by
|
||
* the Free Software Foundation; either version 2 of the License, or
|
||
* (at your option) any later version.
|
||
*
|
||
* The GNU General Public License can be found at
|
||
* http://www.gnu.org/copyleft/gpl.html.
|
||
* A copy is found in the textfile GPL.txt and important notices to the license
|
||
* from the author is found in LICENSE.txt distributed with these scripts.
|
||
*
|
||
*
|
||
* This script is distributed in the hope that it will be useful,
|
||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
* GNU General Public License for more details.
|
||
*
|
||
* This copyright notice MUST APPEAR in all copies of the script!
|
||
***************************************************************/
|
||
/**
|
||
* Challenge generation classl
|
||
*
|
||
* $Id$
|
||
*
|
||
* @author Kraft Bernhard <kraftb@gmx.net>
|
||
*/
|
||
/**
|
||
* [CLASS/FUNCTION INDEX of SCRIPT]
|
||
*/
|
||
|
||
class user_felogin_challenge {
|
||
function getChallenge() {
|
||
$chal_val = md5(time().getmypid());
|
||
$res = $GLOBALS['TYPO3_DB']->exec_INSERTquery('tx_felogin_challenge', array('challenge' => $chal_val, 'tstamp' => time()));
|
||
return $chal_val;
|
||
}
|
||
}
|
||
|
||
?>
|
typo3/sysext/felogin/tools/user_getChallenge.php (revision 0) | ||
---|---|---|
<?php
|
||
/***************************************************************
|
||
* Copyright notice
|
||
*
|
||
* (c) 2005 Kraft Bernhard (kraftb@gmx.net)
|
||
* All rights reserved
|
||
*
|
||
* This script is part of the TYPO3 project. The TYPO3 project is
|
||
* free software; you can redistribute it and/or modify
|
||
* it under the terms of the GNU General Public License as published by
|
||
* the Free Software Foundation; either version 2 of the License, or
|
||
* (at your option) any later version.
|
||
*
|
||
* The GNU General Public License can be found at
|
||
* http://www.gnu.org/copyleft/gpl.html.
|
||
* A copy is found in the textfile GPL.txt and important notices to the license
|
||
* from the author is found in LICENSE.txt distributed with these scripts.
|
||
*
|
||
*
|
||
* This script is distributed in the hope that it will be useful,
|
||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
* GNU General Public License for more details.
|
||
*
|
||
* This copyright notice MUST APPEAR in all copies of the script!
|
||
***************************************************************/
|
||
/**
|
||
* Challenge generation classl
|
||
*
|
||
* $Id$
|
||
*
|
||
* @author Kraft Bernhard <kraftb@gmx.net>
|
||
*/
|
||
/**
|
||
* [CLASS/FUNCTION INDEX of SCRIPT]
|
||
*/
|
||
|
||
class user_felogin_challenge {
|
||
function getChallenge() {
|
||
$chal_val = md5(time().getmypid());
|
||
$res = $GLOBALS['TYPO3_DB']->exec_INSERTquery('tx_felogin_challenge', array('challenge' => $chal_val, 'tstamp' => time()));
|
||
return $chal_val;
|
||
}
|
||
}
|
||
|
||
?>
|