From: Artem Daniliants
Date: Tue, 16 Mar 2010 13:15:54 +0000 (+0200)
Subject: Login functionality now works and passwords are stored securely
X-Git-Tag: v0.1~50
X-Git-Url: http://git.maemo.org/git/?p=speedfreak;a=commitdiff_plain;h=9cddbaf57a215186fee6ed1345adf2a1d066d921
Login functionality now works and passwords are stored securely
---
diff --git a/Server/application/config/api.php b/Server/application/config/api.php
index 95ba7a7..c61e18c 100644
--- a/Server/application/config/api.php
+++ b/Server/application/config/api.php
@@ -6,4 +6,9 @@
 /*
 * URL where to redirect if no parameters are given to API controller
 */
- $config['default_redirect'] = 'http://www.speedfreak-app.com';
\ No newline at end of file
+ $config['default_redirect'] = 'http://www.speedfreak-app.com';
+
+/*
+ * Salt for hashing (should always be changed on deployment!)
+ */
+$config['salf'] = 'klzdjkhI/&/567Û%#ÛgbnkBJHVTVjdhiuhdbmzcss-__FDHSYUWYUTUDGBZ';
\ No newline at end of file
diff --git a/Server/application/controllers/api.php b/Server/application/controllers/api.php
index d8f8e6a..9692244 100644
--- a/Server/application/controllers/api.php
+++ b/Server/application/controllers/api.php
@@ -48,4 +48,27 @@ class Api_Controller extends Controller{
 }
 return $xml;
 }
+
+ /*
+ * Check that supplied credentials are valid using basic authentication
+ *
+ */
+ public function login(){
+ if (isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])){
+ $user = new User_Model();
+ if ($user->login($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']))
+ print "OK";
+ else {
+ header('HTTP/1.0 401 Unauthorized');
+ print "Invalid credentials";
+ die;
+ }
+ }
+ else {
+ header('HTTP/1.0 401 Unauthorized');
+ print "No credentials supplied";
+ die;
+ }
+
+ }
 }
\ No newline at end of file
diff --git a/Server/application/models/user.php b/Server/application/models/user.php
index d408574..95daac7 100644
--- a/Server/application/models/user.php
+++ b/Server/application/models/user.php
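Review bot: The key written here is `$config['salf']`, but `User_Model::hash()` in Server/application/models/user.php (the second hunk of that file in this commit) reads `Kohana::config('api.salt')`, so the salt is never found and, unless the config loader throws on a missing key, every password is hashed as an unsalted SHA-1 — rename the key to `$config['salt']`. Even with the typo fixed, one static salt shared by every user and committed to the repository gives little protection: identical passwords still produce identical hashes, and anyone with the source has the salt. A per-user random salt stored next to the hash and a deliberately slow password hash (`crypt()` with a Blowfish salt on the PHP of this era, `password_hash()` from PHP 5.5) would be the usual replacement for `sha1()`. The comment says the value is changed on deployment; that is only credible if the deployed value lives in a config file that is not committed.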
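Review bot: Both 401 responses in `login()` are sent without a `WWW-Authenticate` challenge, so a compliant client has no way to know that Basic credentials are wanted and a browser will not prompt; add `header('WWW-Authenticate: Basic realm="<realm>"');` before each `header('HTTP/1.0 401 Unauthorized');`. Basic authentication carries the password base64-encoded, i.e. effectively in clear, on every request, so this endpoint should only be served over TLS — nothing in the hunk can enforce that, so it is a deployment note. The two failure branches repeat the same header/print/die triple; a small private helper that sends the challenge, the status and the message would keep them consistent. The comment block opens with `/*` rather than `/**`, so it is not a docblock that documentation tools will read.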
@@ -22,7 +22,7 @@ class User_Model extends Model {
 // load database library into $this->db
 parent::__construct();
- if (isset($username, $password, $email)){
+ if ($username!='' and $password!='' and $email!=''){
 if (strlen($username)<3)
 throw new Exception('Username too short');
 elseif (strlen($username)>12)
@@ -53,8 +53,25 @@ class User_Model extends Model {
 * @return bool Returns True if operation was successfull and exception otherwise
 */
 private function register($username, $password, $email){
- return $this->db->query('INSERT into users SET username = ?, password = ?, email = ?',
- $this->db->escape($username), $this->db->escape($password), $this->db->escape($email));
+ // hash password
+ $password = $this->hash($password);
+
+ // @todo I can't seem to get query working when password binding has '' around it like others
+ if ($this->user_exists($username, $email)==false)
+ return $this->db->query("INSERT into users SET username = '?', password = ?, email = '?'",
+ $username, $password, $email);
+ else
+ return false;
+ }
+
+ /*
+ * Hash password supplied by user using salt stored in config file
+ *
+ * @param string $password Password in plain text format
+ * @return string Returns string containing hash generated from password
+ */
+ private function hash($password){
+ return sha1($password.Kohana::config('api.salt'));
 }
 /*
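Review bot: The replacement guard uses loose `!=`, so besides `null` (which is presumably what the old `isset()` was catching) any value that loosely equals `''` — the integer `0` on PHP before 8.0, for instance — is also treated as "not supplied". Keeping the null check explicit and comparing strictly states the intent: `if (isset($username, $password, $email) and $username !== '' and $password !== '' and $email !== ''){`. The constructor this line belongs to starts before the hunk, so I cannot see the parameter defaults.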
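Review bot: The `@todo` on the INSERT in `register()` is the open question this commit rests on: `username` and `email` are bound through quoted placeholders `'?'` while `password` uses a bare `?`, and `user_exists()` and `login()` in the next hunk split the same way. The removed lines used bare `?` together with explicit `$this->db->escape()` calls and the new code drops those calls, so whether the binder now quotes and escapes on its own is exactly what needs confirming: if it does, `'?'` double-wraps the value and may interfere with its escaping; if it does not, the bare `?` leaves an unquoted, unescaped string in the statement. Either way one of the two forms is wrong at the SQL boundary, so settle it against the driver's binding rules and use a single form in `register()`, `user_exists()` and `login()`. Separately, `hash()` should refuse to run with an empty salt rather than silently degrading to unsalted `sha1()`: `$salt = Kohana::config('api.salt');` / `if ($salt === null or $salt === '') throw new Exception('Password salt is not configured');` / `return sha1($password.$salt);`. `register()` returning `false` for a duplicate while the constructor throws for other validation failures also leaves callers with two error conventions to handle.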
@@ -65,8 +82,26 @@ class User_Model extends Model {
 * @return bool Returns True if user exists and false otherwise
 */
 private function user_exists($username, $email){
- if ($this->db->query('SELECT id FROM users WHERE username = ? OR email = ?',
- $this->db->escape($username), $this->db->escape($email))->count()>0)
+ if ($this->db->query("SELECT id FROM users WHERE username = '?' OR email = '?'",
+ $username, $email)->count()>0)
+ return true;
+ else
+ return false;
+ }
+
+ /*
+ * Check if supplied credentials are valid
+ *
+ * @param string $username Username
+ * @param string $password Password in plain text format
+ * @return bool True if credentials match and false if supplied credentials are invalid
+ */
+ public function login($username, $password){
+ // hash password
+ $password = $this->hash($password);
+
+ if ($this->db->query("SELECT id FROM users WHERE username = ? AND password = ?",
+ $username, $password)->count()>0)
 return true;
 else
 return false;
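Review bot: `login()` authenticates by counting rows whose stored `password` equals the freshly computed hash, which only works while the hash is a deterministic function of the password and a single global salt; with a per-user salt or any salted slow hash the comparison has to happen in PHP, so it is worth fetching the row by `username` (selecting `id` and `password`) and comparing the stored hash to the computed one in code now, which also makes later hash migrations possible. Nothing in the model or in the calling controller counts failed attempts, so credential guessing against this endpoint is limited only by request rate; a per-username failure counter or delay is the usual mitigation. As a point of style, `if (...) return true; else return false;` in both `user_exists()` and `login()` collapses to `return $this->db->query(...)->count() > 0;`.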