From ef4c97a78486b7daacbe2097a74349e49250034a Mon Sep 17 00:00:00 2001
From: djpbessems <github.com.danny@spamasaurus.com>
Date: Thu, 24 Jan 2019 19:48:29 +0100
Subject: [PATCH] Added database queries during login flow

---
 include/lucidAuth.functions.php      | 27 +++++++++++++++++++++------
 public/lucidAuth.login.php           |  2 +-
 public/lucidAuth.validateRequest.php |  5 ++++-
 3 files changed, 26 insertions(+), 8 deletions(-)

diff --git a/include/lucidAuth.functions.php b/include/lucidAuth.functions.php
index 5c1ba8c..b589875 100644
--- a/include/lucidAuth.functions.php
+++ b/include/lucidAuth.functions.php
@@ -41,6 +41,18 @@ function authenticateLDAP (string $username, string $password) {
 			];
 
 			$secureToken = JWT::encode($jwtPayload, base64_decode($settings->JWT['PrivateKey_base64']));
+			// Store authentication token in database
+			$pdoQuery = $pdoDB->prepare('
+				INSERT INTO SecureToken (UserId, Value)
+				SELECT User.Id, :securetoken
+				FROM User
+				WHERE User.Username = :qualifiedusername
+ 			');
+			$pdoQuery->execute([
+				'securetoken'		=>	$secureToken,
+				'qualifiedusername'	=>	$qualifiedUsername
+			]);
+			
 			return ['status' => 'Success', 'token' => $secureToken];
 		} else {
 			// LDAP authentication failed!
@@ -68,12 +80,12 @@ function validateToken (string $secureToken) {
 	try {
 		$jwtPayload = JWT::decode($secureToken, base64_decode($settings->JWT['PrivateKey_base64']), $settings->JWT['Algorithm']);
 	} catch (Exception $e) {
-		// Invalid token, inform client (client should handle discarding invalid token)
-		return ['status' => 'Fail', 'reason' => '3'];
+		// Invalid token
+		return ['status' => 'Fail', 'reason' => '1'];
 	}
 
 	$pdoQuery = $pdoDB->prepare('
-		SELECT SecureToken.Payload
+		SELECT SecureToken.Value
 		FROM SecureToken
 		LEFT JOIN User 
 			ON (User.Id=SecureToken.UserId)
@@ -83,16 +95,19 @@ function validateToken (string $secureToken) {
 			'username'	=>	$jwtPayload['sub']
 		]);
 	foreach($pdoQuery->fetchAll(PDO::FETCH_ASSOC) as $row) {
-		$storedTokens[] = $row['Payload'];
+		$storedTokens[] = $row['Value'];
 	}
 	
-	print_r($storedTokens);
+print_r($storedTokens);
 #	if (!empty($storedTokens) && <in_array or array_walk to determine if any of the stored tokens match>) {
 
+#	} else {
+		// No matching token in database
+#		return ['status' => 'Fail', 'reason' => '2'];
 #	}
 
 	If ($secureToken['iat'] < (time() - $settings->Session['Duration'])) {
-		// Expired token (shouldn't the browser disregard it?)
+		// Expired token
 		return ['status' => 'Fail', 'reason' => '3'];
 	}
 	
diff --git a/public/lucidAuth.login.php b/public/lucidAuth.login.php
index b8285d2..a2ce736 100644
--- a/public/lucidAuth.login.php
+++ b/public/lucidAuth.login.php
@@ -7,7 +7,7 @@
 		$result = authenticateLDAP($_POST['username'], $_POST['password']);
 		if ($result['status'] == 'Success') {
 			// Save secure token in cookie
-            setcookie('JWT', $result['token'], (time() + $settings->Session['Duration']));
+			setcookie('JWT', $result['token'], (time() + $settings->Session['Duration']));
             
 			// Convert base64 encoded string back from JSON;
 			//   forcing it into an associative array (instead of javascript's default StdClass object)
diff --git a/public/lucidAuth.validateRequest.php b/public/lucidAuth.validateRequest.php
index 572aba5..3b289f1 100644
--- a/public/lucidAuth.validateRequest.php
+++ b/public/lucidAuth.validateRequest.php
@@ -35,7 +35,10 @@
 		header("HTTP/1.1 202 Accepted");
 		exit;
 	} else {
-		// No cookie containing valid authentication token found, redirecting to loginpage
+		// No cookie containing valid authentication token found;
+		//   explicitly deleting any remaining cookie, then redirecting to loginpage
+		setcookie('JWT', FALSE);
+
 		header("HTTP/1.1 401 Unauthorized");
 		header("Location: lucidAuth.login.php?ref=" . base64_encode(json_encode($proxyHeaders)));
 	}