Added database queries during login flow

This commit is contained in:
djpbessems 2019-01-24 19:48:29 +01:00
parent 118e45db9c
commit ef4c97a784
3 changed files with 26 additions and 8 deletions

View File

@ -41,6 +41,18 @@ function authenticateLDAP (string $username, string $password) {
]; ];
$secureToken = JWT::encode($jwtPayload, base64_decode($settings->JWT['PrivateKey_base64'])); $secureToken = JWT::encode($jwtPayload, base64_decode($settings->JWT['PrivateKey_base64']));
// Store authentication token in database
$pdoQuery = $pdoDB->prepare('
INSERT INTO SecureToken (UserId, Value)
SELECT User.Id, :securetoken
FROM User
WHERE User.Username = :qualifiedusername
');
$pdoQuery->execute([
'securetoken' => $secureToken,
'qualifiedusername' => $qualifiedUsername
]);
return ['status' => 'Success', 'token' => $secureToken]; return ['status' => 'Success', 'token' => $secureToken];
} else { } else {
// LDAP authentication failed! // LDAP authentication failed!
@ -68,12 +80,12 @@ function validateToken (string $secureToken) {
try { try {
$jwtPayload = JWT::decode($secureToken, base64_decode($settings->JWT['PrivateKey_base64']), $settings->JWT['Algorithm']); $jwtPayload = JWT::decode($secureToken, base64_decode($settings->JWT['PrivateKey_base64']), $settings->JWT['Algorithm']);
} catch (Exception $e) { } catch (Exception $e) {
// Invalid token, inform client (client should handle discarding invalid token) // Invalid token
return ['status' => 'Fail', 'reason' => '3']; return ['status' => 'Fail', 'reason' => '1'];
} }
$pdoQuery = $pdoDB->prepare(' $pdoQuery = $pdoDB->prepare('
SELECT SecureToken.Payload SELECT SecureToken.Value
FROM SecureToken FROM SecureToken
LEFT JOIN User LEFT JOIN User
ON (User.Id=SecureToken.UserId) ON (User.Id=SecureToken.UserId)
@ -83,16 +95,19 @@ function validateToken (string $secureToken) {
'username' => $jwtPayload['sub'] 'username' => $jwtPayload['sub']
]); ]);
foreach($pdoQuery->fetchAll(PDO::FETCH_ASSOC) as $row) { foreach($pdoQuery->fetchAll(PDO::FETCH_ASSOC) as $row) {
$storedTokens[] = $row['Payload']; $storedTokens[] = $row['Value'];
} }
print_r($storedTokens); print_r($storedTokens);
# if (!empty($storedTokens) && <in_array or array_walk to determine if any of the stored tokens match>) { # if (!empty($storedTokens) && <in_array or array_walk to determine if any of the stored tokens match>) {
# } else {
// No matching token in database
# return ['status' => 'Fail', 'reason' => '2'];
# } # }
If ($secureToken['iat'] < (time() - $settings->Session['Duration'])) { If ($secureToken['iat'] < (time() - $settings->Session['Duration'])) {
// Expired token (shouldn't the browser disregard it?) // Expired token
return ['status' => 'Fail', 'reason' => '3']; return ['status' => 'Fail', 'reason' => '3'];
} }

View File

@ -7,7 +7,7 @@
$result = authenticateLDAP($_POST['username'], $_POST['password']); $result = authenticateLDAP($_POST['username'], $_POST['password']);
if ($result['status'] == 'Success') { if ($result['status'] == 'Success') {
// Save secure token in cookie // Save secure token in cookie
setcookie('JWT', $result['token'], (time() + $settings->Session['Duration'])); setcookie('JWT', $result['token'], (time() + $settings->Session['Duration']));
// Convert base64 encoded string back from JSON; // Convert base64 encoded string back from JSON;
// forcing it into an associative array (instead of javascript's default StdClass object) // forcing it into an associative array (instead of javascript's default StdClass object)

View File

@ -35,7 +35,10 @@
header("HTTP/1.1 202 Accepted"); header("HTTP/1.1 202 Accepted");
exit; exit;
} else { } else {
// No cookie containing valid authentication token found, redirecting to loginpage // No cookie containing valid authentication token found;
// explicitly deleting any remaining cookie, then redirecting to loginpage
setcookie('JWT', FALSE);
header("HTTP/1.1 401 Unauthorized"); header("HTTP/1.1 401 Unauthorized");
header("Location: lucidAuth.login.php?ref=" . base64_encode(json_encode($proxyHeaders))); header("Location: lucidAuth.login.php?ref=" . base64_encode(json_encode($proxyHeaders)));
} }