Commit 02926ef4 authored by Jared Hancock's avatar Jared Hancock

Add single-sign-on for password reset tokens

parent 1ea3a12a
...@@ -119,7 +119,7 @@ abstract class AuthenticationBackend { ...@@ -119,7 +119,7 @@ abstract class AuthenticationBackend {
$result = $bk->authenticate($username, $password); $result = $bk->authenticate($username, $password);
if ($result instanceof AuthenticatedUser if ($result instanceof AuthenticatedUser
&& (static::login($result, $bk))) && ($bk->login($result, $bk)))
return $result; return $result;
// TODO: Handle permission denied, for instance // TODO: Handle permission denied, for instance
elseif ($result instanceof AccessDenied) { elseif ($result instanceof AccessDenied) {
...@@ -141,7 +141,7 @@ abstract class AuthenticationBackend { ...@@ -141,7 +141,7 @@ abstract class AuthenticationBackend {
$result = $bk->signOn(); $result = $bk->signOn();
if ($result instanceof AuthenticatedUser) { if ($result instanceof AuthenticatedUser) {
//Perform further Object specific checks and the actual login //Perform further Object specific checks and the actual login
if (!static::login($result, $bk)) if (!$bk->login($result, $bk))
continue; continue;
return $result; return $result;
...@@ -620,6 +620,39 @@ class osTicketAuthentication extends StaffAuthenticationBackend { ...@@ -620,6 +620,39 @@ class osTicketAuthentication extends StaffAuthenticationBackend {
} }
StaffAuthenticationBackend::register(osTicketAuthentication); StaffAuthenticationBackend::register(osTicketAuthentication);
class PasswordResetTokenBackend extends StaffAuthenticationBackend {
static $id = "pwreset.staff";
function authenticate($username, $password) {}
function signOn($errors=array()) {
if (!isset($_POST['userid']) || !isset($_POST['token']))
return false;
elseif (!($_config = new Config('pwreset')))
return false;
elseif (($staff = new StaffSession($_POST['userid'])) &&
!$staff->getId())
$errors['msg'] = 'Invalid user-id given';
elseif (!($id = $_config->get($_POST['token']))
|| $id != $staff->getId())
$errors['msg'] = 'Invalid reset token';
elseif (!($ts = $_config->lastModified($_POST['token']))
&& ($ost->getConfig()->getPwResetWindow() < (time() - strtotime($ts))))
$errors['msg'] = 'Invalid reset token';
elseif (!$staff->forcePasswdRest())
$errors['msg'] = 'Unable to reset password';
else
return $staff;
}
function login($staff, $bk) {
$_SESSION['_staff']['reset-token'] = $_POST['token'];
Signal::send('auth.pwreset.login', $staff);
return parent::login($staff, $bk);
}
}
StaffAuthenticationBackend::register(PasswordResetTokenBackend);
/* /*
* AuthToken Authentication Backend * AuthToken Authentication Backend
* *
......
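Review bot: The messages PasswordResetTokenBackend::signOn writes to `$errors['msg']` (invalid user-id, invalid token, unable to reset) can never reach the pwreset.php caller that reads `$errors['msg']` in the second file: the parameter is declared by value as `signOn($errors=array())`, and the loop in processSignOn above calls `$bk->signOn()` with no argument at all, so a rejected token silently shows no message. Declare it by reference, `function signOn(&$errors=array())`, and forward the array from processSignOn as `$bk->signOn($errors)` — processSignOn's own signature is outside the hunk, so whether it already takes `&$errors` cannot be confirmed here. The expiry branch also carries over the old handler's inverted logic: with `!($ts = $_config->lastModified(...)) && (window < elapsed)` the window comparison only runs when no timestamp was found, so a token that has a timestamp never expires, and when none is found the method dereferences `$ost`, which is not in scope inside a method unless the hunk's missing `global $ost;` is added; `||` is the intended operator. Finally, `$id != $staff->getId()` should be a strict `!==` comparison (or cast both sides to int), since the token-to-id mapping is the whole authorization check here.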
...@@ -47,26 +47,15 @@ if($_POST) { ...@@ -47,26 +47,15 @@ if($_POST) {
case 'newpasswd': case 'newpasswd':
// TODO: Compare passwords // TODO: Compare passwords
$tpl = 'pwreset.login.php'; $tpl = 'pwreset.login.php';
$_config = new Config('pwreset'); $errors = array();
if (($staff = new StaffSession($_POST['userid'])) && if ($staff = StaffAuthenticationBackend::processSignOn($errors)) {
!$staff->getId())
$msg = 'Invalid user-id given';
elseif (!($id = $_config->get($_POST['token']))
|| $id != $staff->getId())
$msg = 'Invalid reset token';
elseif (!($ts = $_config->lastModified($_POST['token']))
&& ($ost->getConfig()->getPwResetWindow() < (time() - strtotime($ts))))
$msg = 'Invalid reset token';
elseif (!$staff->forcePasswdRest())
$msg = 'Unable to reset password';
else {
$info = array('page' => 'index.php'); $info = array('page' => 'index.php');
Signal::send('auth.pwreset.login', $staff, $info);
Staff::_do_login($staff, $_POST['userid']);
$_SESSION['_staff']['reset-token'] = $_POST['token'];
header('Location: '.$info['page']); header('Location: '.$info['page']);
exit(); exit();
} }
elseif (isset($errors['msg'])) {
$msg = $errors['msg'];
}
break; break;
} }
} }
......
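Review bot: `$info` on the `$info = array('page' => 'index.php');` line is now only consumed by the `header()` call, because the removed `Signal::send('auth.pwreset.login', $staff, $info)` was the only thing that let listeners override `$info['page']`, and the replacement signal in PasswordResetTokenBackend::login is sent without `$info`; either pass the array through the signal again or drop it and redirect to `index.php` directly so the dead indirection does not suggest extensibility that no longer exists. Note also that `StaffAuthenticationBackend::processSignOn($errors)` appears to walk every registered staff sign-on backend (the `$bk->signOn()` loop in the first file), so this page will log a staff member in through any other backend whose signOn() accepts the posted fields, in which case the `reset-token` session flag is never set; restricting the attempt to the reset-token backend would keep the reset flow's assumptions intact. The enclosing `switch` and `if($_POST)` block begin outside the hunk.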