From ef4c97a78486b7daacbe2097a74349e49250034a Mon Sep 17 00:00:00 2001
From: djpbessems
Date: Thu, 24 Jan 2019 19:48:29 +0100
Subject: [PATCH] Added database queries during login flow
---
 include/lucidAuth.functions.php | 27 +++++++++++++++++++++------
 public/lucidAuth.login.php | 2 +-
 public/lucidAuth.validateRequest.php | 5 ++++-
 3 files changed, 26 insertions(+), 8 deletions(-)
diff --git a/include/lucidAuth.functions.php b/include/lucidAuth.functions.php
index 5c1ba8c..b589875 100644
--- a/include/lucidAuth.functions.php
+++ b/include/lucidAuth.functions.php
@@ -41,6 +41,18 @@ function authenticateLDAP (string $username, string $password) {
 ];
 $secureToken = JWT::encode($jwtPayload, base64_decode($settings->JWT['PrivateKey_base64']));
+ // Store authentication token in database
+ $pdoQuery = $pdoDB->prepare('
+ INSERT INTO SecureToken (UserId, Value)
+ SELECT User.Id, :securetoken
+ FROM User
+ WHERE User.Username = :qualifiedusername
+ ');
+ $pdoQuery->execute([
+ 'securetoken' => $secureToken,
+ 'qualifiedusername' => $qualifiedUsername
+ ]);
+
 return ['status' => 'Success', 'token' => $secureToken];
 } else {
 // LDAP authentication failed!
@@ -68,12 +80,12 @@ function validateToken (string $secureToken) {
 try {
 $jwtPayload = JWT::decode($secureToken, base64_decode($settings->JWT['PrivateKey_base64']), $settings->JWT['Algorithm']);
 } catch (Exception $e) {
- // Invalid token, inform client (client should handle discarding invalid token)
- return ['status' => 'Fail', 'reason' => '3'];
+ // Invalid token
+ return ['status' => 'Fail', 'reason' => '1'];
 }
 $pdoQuery = $pdoDB->prepare('
- SELECT SecureToken.Payload
+ SELECT SecureToken.Value
 FROM SecureToken
 LEFT JOIN User ON (User.Id=SecureToken.UserId)
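Review bot: The new INSERT writes the freshly minted JWT itself into `SecureToken.Value`, so anyone who can read that table (a backup, a DBA, an injection elsewhere) holds a working bearer credential for every user with an open session. Store a digest instead and compare digests when validating, `'securetoken' => hash('sha256', $secureToken),` — the token is already a signed, high-entropy string, so an unsalted SHA-256 is sufficient for a lookup key. The `INSERT ... SELECT` also inserts nothing when no `User` row matches `$qualifiedUsername`, yet the function still returns `Success` with a token that no later database check can ever match; if every LDAP user is expected to have a row, test `$pdoQuery->rowCount() === 0` and fail the login rather than continue silently. `$pdoDB` and `$settings` are not declared within the hunk, and the rest of authenticateLDAP, including how the PDO error mode is configured, lies outside it.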
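Review bot: The new `return ['status' => 'Fail', 'reason' => '1'];` renumbers the failure reasons, and with `'2'` and `'3'` used further down the function the meaning of each code now lives only in the caller's head; a comment above validateToken such as `// reason: '1' = signature/decoding failed, '2' = token not on record for this user, '3' = token older than Session.Duration` would keep client and server in step. The catch also discards the exception without any log line, so a misconfigured key or an unexpected algorithm is indistinguishable from a forged token during triage; logging `$e->getMessage()` there costs nothing. `JWT::decode` is called with `$settings->JWT['Algorithm']` as its third argument, which in firebase/php-jwt is a list of allowed algorithms, so if that setting is a plain string every decode may fail — worth confirming against the library version in use. validateToken starts before this hunk and continues after it.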
@@ -83,16 +95,19 @@ function validateToken (string $secureToken) {
 'username' => $jwtPayload['sub']
 ]);
 foreach($pdoQuery->fetchAll(PDO::FETCH_ASSOC) as $row) {
- $storedTokens[] = $row['Payload'];
+ $storedTokens[] = $row['Value'];
 }
- print_r($storedTokens);
+print_r($storedTokens);
 # if (!empty($storedTokens) && ) {
+# } else {
+ // No matching token in database
+# return ['status' => 'Fail', 'reason' => '2'];
 # }
 If ($secureToken['iat'] < (time() - $settings->Session['Duration'])) {
- // Expired token (shouldn't the browser disregard it?)
+ // Expired token
 return ['status' => 'Fail', 'reason' => '3'];
 }
diff --git a/public/lucidAuth.login.php b/public/lucidAuth.login.php
index b8285d2..a2ce736 100644
--- a/public/lucidAuth.login.php
+++ b/public/lucidAuth.login.php
@@ -7,7 +7,7 @@ $result = authenticateLDAP($_POST['username'], $_POST['password']);
 if ($result['status'] == 'Success') {
 // Save secure token in cookie
- setcookie('JWT', $result['token'], (time() + $settings->Session['Duration']));
+ setcookie('JWT', $result['token'], (time() + $settings->Session['Duration']));
 // Convert base64 encoded string back from JSON;
 // forcing it into an associative array (instead of javascript's default StdClass object)
diff --git a/public/lucidAuth.validateRequest.php b/public/lucidAuth.validateRequest.php
index 572aba5..3b289f1 100644
--- a/public/lucidAuth.validateRequest.php
+++ b/public/lucidAuth.validateRequest.php
@@ -35,7 +35,10 @@ header("HTTP/1.1 202 Accepted");
 exit;
 } else {
- // No cookie containing valid authentication token found, redirecting to loginpage
+ // No cookie containing valid authentication token found;
+ // explicitly deleting any remaining cookie, then redirecting to loginpage
+ setcookie('JWT', FALSE);
+ header("HTTP/1.1 401 Unauthorized");
 header("Location: lucidAuth.login.php?ref=" . base64_encode(json_encode($proxyHeaders)));
 }
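Review bot: The new `print_r($storedTokens);` dumps every token on record for the user into validateToken's output, and since validateRequest.php (later in this patch) serves this function over HTTP, those tokens — each a live credential for another session of the same account — land in the response body and in any proxy or log that captures it; it must go before this ships. The database result is otherwise unused because the comparison is still commented out, so the queries this commit adds have no effect on the verdict; the block below implements the missing check, initialising `$storedTokens` first because a user with no rows currently leaves it undefined, and using `hash_equals` as for any credential comparison. Separately, the context line `If ($secureToken['iat'] < ...)` indexes the raw token string (`string $secureToken` per the signature) rather than the decoded payload, so on PHP 7 it compares the token's first character with a warning and on PHP 8 it errors out; `$jwtPayload['iat']` matches how the surrounding code already reads `sub`. validateToken continues outside this hunk.
```php
    $storedTokens = [];
    foreach($pdoQuery->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $storedTokens[] = $row['Value'];
    }

    // Reject tokens the server has no record of (revoked, or never issued here);
    // hash_equals keeps the comparison constant-time, as for any credential
    $tokenOnRecord = false;
    foreach ($storedTokens as $storedToken) {
        if (hash_equals($storedToken, $secureToken)) {
            $tokenOnRecord = true;
        }
    }
    if (!$tokenOnRecord) {
        // No matching token in database
        return ['status' => 'Fail', 'reason' => '2'];
    }

    if ($jwtPayload['iat'] < (time() - $settings->Session['Duration'])) {
    // … unchanged: expired-token return …
```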
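Review bot: The added `header("HTTP/1.1 401 Unauthorized");` is overridden by the `Location:` header on the next line: PHP replaces the current status with 302 (303 for non-GET/HEAD requests) whenever a Location header is sent and the status is not already 201 or 3xx, so callers still receive a redirect and never see the 401. Decide which contract this endpoint has — for a forward-auth proxy keep the 401 and drop the redirect, for a browser keep the redirect and drop the 401 — rather than sending both. `setcookie('JWT', FALSE)` clears the cookie only when its default path and domain match the cookie set in lucidAuth.login.php; the login hunk uses the defaults too, so this holds as long as both scripts keep living in the same directory, which is worth a one-line comment here. The `ref` parameter is a base64 JSON encoding of `$proxyHeaders`, which presumably originates from the incoming request; if lucidAuth.login.php later redirects to a location taken from it, that target needs to be validated as same-site there. Unlike the 202 branch, no `exit;` follows the Location header within the hunk, so anything after the closing brace would still execute — check what follows.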