2007-09-14 05:12:21 +02:00
|
|
|
<?php
|
|
|
|
/**
|
|
|
|
* Authenticator for the default "member" method
|
|
|
|
*
|
|
|
|
* @author Markus Lanthaler <markus@silverstripe.com>
|
2012-04-12 08:02:46 +02:00
|
|
|
* @package framework
|
2008-02-25 03:10:37 +01:00
|
|
|
* @subpackage security
|
2007-09-14 05:12:21 +02:00
|
|
|
*/
|
|
|
|
class MemberAuthenticator extends Authenticator {
|
|
|
|
|
2009-11-06 03:23:30 +01:00
|
|
|
/**
|
2013-06-21 00:32:08 +02:00
|
|
|
* Contains encryption algorithm identifiers.
|
|
|
|
* If set, will migrate to new precision-safe password hashing
|
|
|
|
* upon login. See http://open.silverstripe.org/ticket/3004
|
2014-08-15 08:53:05 +02:00
|
|
|
*
|
2013-06-21 00:32:08 +02:00
|
|
|
* @var array
|
2009-11-06 03:23:30 +01:00
|
|
|
*/
|
2013-03-21 19:48:54 +01:00
|
|
|
private static $migrate_legacy_hashes = array(
|
2014-08-15 08:53:05 +02:00
|
|
|
'md5' => 'md5_v2.4',
|
2009-11-06 03:23:30 +01:00
|
|
|
'sha1' => 'sha1_v2.4'
|
|
|
|
);
|
|
|
|
|
2012-12-08 12:20:20 +01:00
|
|
|
/**
|
|
|
|
* Method to authenticate an user
|
|
|
|
*
|
|
|
|
* @param array $RAW_data Raw data to authenticate the user
|
|
|
|
* @param Form $form Optional: If passed, better error messages can be
|
|
|
|
* produced by using
|
|
|
|
* {@link Form::sessionMessage()}
|
|
|
|
* @return bool|Member Returns FALSE if authentication fails, otherwise
|
|
|
|
* the member object
|
|
|
|
* @see Security::setDefaultAdmin()
|
|
|
|
*/
|
2014-08-15 08:53:05 +02:00
|
|
|
public static function authenticate($RAW_data, Form $form = null) {
|
2013-06-21 00:32:08 +02:00
|
|
|
// Check for email
|
|
|
|
if(empty($RAW_data['Email'])) return false;
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2013-06-21 00:32:08 +02:00
|
|
|
$userEmail = $RAW_data['Email'];
|
|
|
|
if(is_array($userEmail)) {
|
|
|
|
user_error("Bad email passed to MemberAuthenticator::authenticate()", E_USER_WARNING);
|
2012-12-08 12:20:20 +01:00
|
|
|
return false;
|
2010-10-13 03:35:19 +02:00
|
|
|
}
|
2010-02-05 01:36:25 +01:00
|
|
|
|
2012-12-08 12:20:20 +01:00
|
|
|
$result = null;
|
|
|
|
|
|
|
|
// Default login (see Security::setDefaultAdmin())
|
2013-06-21 00:32:08 +02:00
|
|
|
if(Security::check_default_admin($userEmail, $RAW_data['Password'])) {
|
2012-12-08 12:20:20 +01:00
|
|
|
$member = Security::findAnAdministrator();
|
2008-08-11 02:14:48 +02:00
|
|
|
} else {
|
2013-06-21 00:32:08 +02:00
|
|
|
$member = Member::get()
|
|
|
|
->filter(Member::config()->unique_identifier_field, $userEmail)
|
|
|
|
->where('"Member"."Password" IS NOT NULL')
|
|
|
|
->first();
|
2012-12-08 12:20:20 +01:00
|
|
|
|
|
|
|
if($member) {
|
|
|
|
$result = $member->checkPassword($RAW_data['Password']);
|
2008-08-12 22:59:32 +02:00
|
|
|
} else {
|
2012-12-08 12:20:20 +01:00
|
|
|
$result = new ValidationResult(false, _t('Member.ERRORWRONGCRED'));
|
|
|
|
}
|
|
|
|
|
2014-08-15 08:53:05 +02:00
|
|
|
if($member && !$result->valid()) {
|
2012-12-08 12:20:20 +01:00
|
|
|
$member->registerFailedLogin();
|
|
|
|
$member = false;
|
|
|
|
}
|
|
|
|
}
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2012-12-08 12:20:20 +01:00
|
|
|
// Optionally record every login attempt as a {@link LoginAttempt} object
|
|
|
|
/**
|
|
|
|
* TODO We could handle this with an extension
|
|
|
|
*/
|
2013-03-21 19:48:54 +01:00
|
|
|
if(Security::config()->login_recording) {
|
2012-12-08 12:20:20 +01:00
|
|
|
$attempt = new LoginAttempt();
|
|
|
|
if($member) {
|
|
|
|
// successful login (member is existing with matching password)
|
|
|
|
$attempt->MemberID = $member->ID;
|
|
|
|
$attempt->Status = 'Success';
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2008-08-12 22:59:32 +02:00
|
|
|
// Audit logging hook
|
2012-12-08 12:20:20 +01:00
|
|
|
$member->extend('authenticated');
|
|
|
|
} else {
|
|
|
|
// failed login - we're trying to see if a user exists with this email (disregarding wrong passwords)
|
2013-06-21 00:32:08 +02:00
|
|
|
$existingMember = DataObject::get_one("Member", array(
|
|
|
|
'"'.Member::config()->unique_identifier_field.'"' => $userEmail
|
|
|
|
));
|
2012-12-08 12:20:20 +01:00
|
|
|
if($existingMember) {
|
|
|
|
$attempt->MemberID = $existingMember->ID;
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2012-12-08 12:20:20 +01:00
|
|
|
// Audit logging hook
|
|
|
|
$existingMember->extend('authenticationFailed');
|
|
|
|
} else {
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2012-12-08 12:20:20 +01:00
|
|
|
// Audit logging hook
|
|
|
|
singleton('Member')->extend('authenticationFailedUnknownUser', $RAW_data);
|
|
|
|
}
|
|
|
|
$attempt->Status = 'Failure';
|
2008-08-12 22:59:32 +02:00
|
|
|
}
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2013-06-21 00:32:08 +02:00
|
|
|
$attempt->Email = $userEmail;
|
2012-12-08 12:20:20 +01:00
|
|
|
$attempt->IP = Controller::curr()->getRequest()->getIP();
|
|
|
|
$attempt->write();
|
2008-08-11 05:39:14 +02:00
|
|
|
}
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2012-12-08 12:20:20 +01:00
|
|
|
// Legacy migration to precision-safe password hashes.
|
|
|
|
// A login-event with cleartext passwords is the only time
|
|
|
|
// when we can rehash passwords to a different hashing algorithm,
|
|
|
|
// bulk-migration doesn't work due to the nature of hashing.
|
|
|
|
// See PasswordEncryptor_LegacyPHPHash class.
|
|
|
|
if(
|
|
|
|
$member // only migrate after successful login
|
|
|
|
&& self::$migrate_legacy_hashes
|
|
|
|
&& array_key_exists($member->PasswordEncryption, self::$migrate_legacy_hashes)
|
|
|
|
) {
|
|
|
|
$member->Password = $RAW_data['Password'];
|
|
|
|
$member->PasswordEncryption = self::$migrate_legacy_hashes[$member->PasswordEncryption];
|
|
|
|
$member->write();
|
|
|
|
}
|
2007-09-14 05:12:21 +02:00
|
|
|
|
2014-05-02 06:51:23 +02:00
|
|
|
if(!$member && $form && $result) {
|
|
|
|
$form->sessionMessage($result->message(), 'bad');
|
2010-02-05 01:36:25 +01:00
|
|
|
}
|
2007-09-14 05:12:21 +02:00
|
|
|
|
2010-02-05 01:36:25 +01:00
|
|
|
return $member;
|
|
|
|
}
|
2007-09-14 05:12:21 +02:00
|
|
|
|
|
|
|
|
2012-12-08 12:20:20 +01:00
|
|
|
/**
|
|
|
|
* Method that creates the login form for this authentication method
|
|
|
|
*
|
|
|
|
* @param Controller The parent controller, necessary to create the
|
|
|
|
* appropriate form action tag
|
|
|
|
* @return Form Returns the login form to use with this authentication
|
|
|
|
* method
|
|
|
|
*/
|
|
|
|
public static function get_login_form(Controller $controller) {
|
|
|
|
return Object::create("MemberLoginForm", $controller, "LoginForm");
|
|
|
|
}
|
2007-09-14 21:13:12 +02:00
|
|
|
|
|
|
|
|
2012-12-08 12:20:20 +01:00
|
|
|
/**
|
|
|
|
* Get the name of the authentication method
|
|
|
|
*
|
|
|
|
* @return string Returns the name of the authentication method.
|
|
|
|
*/
|
|
|
|
public static function get_name() {
|
2007-10-25 04:47:45 +02:00
|
|
|
return _t('MemberAuthenticator.TITLE', "E-mail & Password");
|
2007-09-14 21:13:12 +02:00
|
|
|
}
|
2007-09-14 05:12:21 +02:00
|
|
|
}
|
|
|
|
|