| <?php
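// Settings live one directory above this script so the web server never serves them.
$configurationFile = '../lucidAuth.config.php';
if (!file_exists($configurationFile)) {
	throw new Exception(sprintf('Missing config file. Please rename \'%1$s.example\' to \'%1$s\' and edit it to reflect your setup.', explode('../', $configurationFile)[1]));
}
// The config file returns the settings object (LDAP / Sqlite / JWT sections are read below and in
// the functions that follow). NOTE(review): include_once returns `true` instead of the settings
// if the file was already included earlier in the request - fine for a single include, but
// $settings would silently become a bool otherwise.
$settings = include_once($configurationFile);

// Only the SQLite driver is wired up; a driver switch on $settings->Database['Driver'] was
// sketched here earlier but never implemented.
try {
	$pdoDB = new PDO('sqlite:' . $settings->Sqlite['Path']);
	// Fail loudly on SQL errors. Without this, prepare()/execute() return false and the
	// token-validation code carries on with a bogus result instead of stopping.
	$pdoDB->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} catch (Exception $e) {
	// Keep the driver's exception as the cause so the real reason is not lost.
	throw new Exception(sprintf('Unable to connect to database \'%1$s\'', $settings->Sqlite['Path']), 0, $e);
}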
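/**
 * Authenticate a user against the LDAP/AD server configured in $settings and, on
 * success, mint a signed JWT describing that user.
 *
 * @param string $username Login name as submitted; reduced to [a-zA-Z] before it is used.
 * @param string $password Password as submitted; only ever handed to ldap_bind().
 * @return array ['status' => 'Success', 'token' => <jwt>] on success,
 *               ['status' => 'Fail', 'reason' => '1'] on empty/invalid credentials or a failed bind.
 */
function authenticateLDAP (string $username, string $password) {
	global $settings;

	// Empty credentials are rejected before anything touches the directory: several LDAP
	// servers treat an empty password as an anonymous/unauthenticated bind, which "succeeds".
	if (empty($username) || empty($password)) {
		// Empty username or passwords not allowed!
		return ['status' => 'Fail', 'reason' => '1'];
	}

	// Strict namingconvention: only allow alphabetic characters. Stripping everything else
	// also removes every LDAP DN/filter metacharacter. This now operates on the $username
	// argument; the previous revision read $_POST['username'] directly, so the emptiness
	// check above guarded a different value than the one that was actually bound.
	$sanitizedUsername = preg_replace('/[^a-zA-Z]/', '', $username);
	if ($sanitizedUsername === '') {
		// Nothing left after sanitizing (e.g. an all-digit input); binding as 'DOMAIN\'
		// must not be attempted.
		return ['status' => 'Fail', 'reason' => '1'];
	}
	$qualifiedUsername = $settings->LDAP['Domain'] . '\\' . $sanitizedUsername;

	$ds = ldap_connect($settings->LDAP['Server'], $settings->LDAP['Port']);
	if ($ds === false) {
		// ldap_connect() only fails on unusable parameters; treat it like a failed login
		// rather than continuing with an invalid handle.
		return ['status' => 'Fail', 'reason' => '1'];
	}
	// Active Directory only speaks LDAPv3; set it explicitly instead of relying on the
	// library default.
	ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

	// ldap_bind() reports a wrong password with a warning, not an exception, so the warning
	// is suppressed and the boolean result is used instead. The password comes from the
	// $password argument (the previous revision bound $_POST['password']).
	// NOTE(review): utf8_encode() assumes ISO-8859-1 input and is deprecated since PHP 8.2;
	// a UTF-8 form submission with non-ASCII characters gets double-encoded here and the
	// bind fails. Kept for backward compatibility - confirm the form's charset.
	$bound = @ldap_bind($ds, $qualifiedUsername, utf8_encode($password));
	if (!$bound) {
		ldap_unbind($ds);
		// LDAP authentication failed!
		return ['status' => 'Fail', 'reason' => '1'];
	}

	// Successful authentication; get additional userdetails from authenticationsource.
	// The filter value is escaped as defence in depth even though it is already [a-zA-Z] only.
	$filter = 'sAMAccountName=' . ldap_escape($sanitizedUsername, '', LDAP_ESCAPE_FILTER);
	$ldapSearchResults = ldap_search($ds, $settings->LDAP['BaseDN'], $filter);
	$entries = ($ldapSearchResults !== false) ? ldap_get_entries($ds, $ldapSearchResults) : false;
	ldap_unbind($ds);
	// The common name is informational only ('name' claim); a missing entry yields null
	// instead of an undefined-index warning.
	$commonName = ($entries !== false) ? ($entries[0]['cn'][0] ?? null) : null;

	// Create JWT-payload
	$jwtPayload = [
		'iat'	=> time(),					// Issued at: time when the token was generated
		'iss'	=> $_SERVER['SERVER_NAME'],	// Issuer (NOTE: may follow the Host header depending on server config)
		'sub'	=> $qualifiedUsername,		// Subject (ie. username)
		'name'	=> $commonName				// Common name (as retrieved from AD)
	];

	// NOTE(review): no 'exp' claim is set, so the signed token itself carries no lifetime
	// bound. The key is used symmetrically (the same PrivateKey_base64 decodes in
	// validateToken()), so despite its name it is an HMAC secret. encode() is left on the
	// library's default algorithm - confirm that it matches $settings->JWT['Algorithm'],
	// which validateToken() enforces on decode.
	$secureToken = JWT::encode($jwtPayload, base64_decode($settings->JWT['PrivateKey_base64']));
	return ['status' => 'Success', 'token' => $secureToken];
}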
/**
 * Persist a token for a user. Not implemented yet: the body only pulls in $settings.
 *
 * @param string $username Account the token belongs to.
 * @param string $password Unused. NOTE(review): a token store has no reason to receive the
 *                         plaintext password; drop it from the signature when implementing.
 * @param object $cookie   Cookie/token data that is meant to be persisted.
 * @return null Always, until the implementation lands.
 */
function storeToken (string $username, string $password, object $cookie) {
	global $settings;	// reserved for the DB / JWT configuration once the body is written
}
/**
 * Fetch a stored token for a user from the database. Not implemented yet: the body only
 * pulls in $settings.
 *
 * @param string $username Account whose token should be looked up.
 * @param string $foo      Placeholder parameter; its meaning is not defined yet.
 * @return null Always, until the implementation lands.
 */
function retrieveTokenFromDB (string $username, string $foo) {
	global $settings;	// reserved for the DB configuration once the body is written
}
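/**
 * Verify a client-presented token and fetch the token payloads stored for its subject.
 *
 * @param array $cookieData Cookie contents: 'token' holds the JWT, 'Exp' the client-side expiry
 *                          (unix timestamp).
 * @return array|null ['status' => 'Fail', 'reason' => '3'] when the token does not verify or has
 *                    expired; null otherwise (the stored-token comparison is not implemented yet).
 */
function validateToken (array $cookieData) {
	// $pdoDB is the connection opened at file scope. It was not declared global before, so
	// prepare() ran on an undefined variable.
	global $settings, $pdoDB;

	try {
		// Signature (and algorithm) check happens here; everything read from $jwtPayload below
		// is trusted only because this call succeeded. A missing 'token' is passed as '' so it
		// fails inside decode() instead of raising a TypeError that the catch would not see.
		$jwtPayload = JWT::decode($cookieData['token'] ?? '', base64_decode($settings->JWT['PrivateKey_base64']), $settings->JWT['Algorithm']);
	} catch (Exception $e) {
		// Invalid token, inform client (client should handle discarding invalid token)
		return ['status' => 'Fail', 'reason' => '3'];
	}

	// Client-side expiry; a missing 'Exp' counts as expired, as before. Checked before the DB
	// round trip since it needs nothing from the database. (The browser should already have
	// dropped an expired cookie, but that is never relied upon.)
	// NOTE(review): 'Exp' is an unsigned cookie field the client can set freely, and the signed
	// token carries no 'exp' claim of its own, so this is not a real lifetime bound.
	if (($cookieData['Exp'] ?? 0) < time()) {
		return ['status' => 'Fail', 'reason' => '3'];
	}

	// Look up the payloads persisted for this subject. The key is the *verified* 'sub' claim;
	// the previous revision used the unsigned 'Sub' cookie (with a hard-coded fallback user),
	// which let the client choose whose rows were fetched. Assumes User.Username stores the same
	// value as the 'sub' claim (DOMAIN\user) - confirm against storeToken() once implemented.
	// Relies on the connection being in PDO::ERRMODE_EXCEPTION so a failed prepare() throws.
	$pdoQuery = $pdoDB->prepare('
		SELECT SecureToken.Payload
		FROM SecureToken
		LEFT JOIN User 
			ON (User.Id=SecureToken.UserId)
		WHERE User.Username = :username
	');
	$pdoQuery->execute([
		'username'	=> ($jwtPayload->sub ?? '')
	]);
	$storedTokens = array_column($pdoQuery->fetchAll(PDO::FETCH_ASSOC), 'Payload');

	// TODO: $storedTokens is not yet compared with the presented token (revocation check), so a
	// token that verifies and is unexpired currently yields null. The earlier print_r() of the
	// stored payloads was removed: it dumped them straight into the HTTP response.
	return null;
}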
| ?>