forked from AuthMe/AuthMeReloaded
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
AuthMe#518 Create injection-safe website integration and demo form
- Loading branch information
Showing
2 changed files
with
119 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,52 @@ | ||
| <!-- | ||
| This is a demo page for AuthMe website integration. | ||
| See integration.php for the PHP code you need. | ||
| --> | ||
| <!DOCTYPE html> | ||
| <html lang="en"> | ||
| <head> | ||
| <title>AuthMe Integration Sample</title> | ||
| <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> | ||
| </head> | ||
| <body> | ||
| <?php | ||
| error_reporting(E_ALL); | ||
|
|
||
| $user = get_from_post_or_empty('username'); | ||
| $pass = get_from_post_or_empty('password'); | ||
|
|
||
| $was_successful = false; | ||
| if ($user && $pass) { | ||
| require_once('integration.php'); | ||
| if (authme_check_password($user, $pass)) { | ||
| printf('<h1>Hello, %s!</h1>', htmlspecialchars($user)); | ||
| echo 'Successful login. Nice to have you back!' | ||
| . '<br /><a href="form.php">Back to form</a>'; | ||
| $was_successful = true; | ||
| } else { | ||
| echo '<h1>Error</h1> Invalid username or password.'; | ||
| } | ||
| } | ||
|
|
||
| if (!$was_successful) { | ||
| echo '<h1>Login sample</h1> | ||
| This is a demo form for AuthMe website integration. Enter your AuthMe login details | ||
| into the following form to test it. | ||
| <form method="post"> | ||
| <table> | ||
| <tr><td>Name</td><td><input type="text" value="' . htmlspecialchars($user) . '" name="username" /></td></tr> | ||
| <tr><td>Pass</td><td><input type="password" value="' . htmlspecialchars($pass) . '" name="password" /></td></tr> | ||
| <tr><td colspan="2"><input type="submit" value=" Log in " /> | ||
| </table> | ||
| </form>'; | ||
| } | ||
|
|
||
| function get_from_post_or_empty($index_name) { | ||
| return trim( | ||
| filter_input(INPUT_POST, $index_name, FILTER_UNSAFE_RAW, FILTER_REQUIRE_SCALAR | FILTER_FLAG_STRIP_LOW) | ||
| ?: ''); | ||
| } | ||
| ?> | ||
|
|
||
| </body> | ||
| </html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,67 @@ | ||
| <?php | ||
| /***************************************************************************** | ||
| * AuthMe website integration logic * | ||
| * -------------------------------- * | ||
| * Check with authme_check_password() whether the received username and * | ||
| * password match the AuthMe MySQL database. Don't forget to adjust the * | ||
| * database info in authme_get_hash(). * | ||
| * * | ||
| * Source: https://github.com/AuthMe-Team/AuthMeReloaded/ * | ||
| *****************************************************************************/ | ||
|
|
||
| /** | ||
| * Entry point function to check supplied credentials against the AuthMe database. | ||
| * | ||
| * @param string $username the username | ||
| * @param string $password the password | ||
| * @return bool true iff the data is correct, false otherwise | ||
| */ | ||
| function authme_check_password($username, $password) { | ||
| if (is_scalar($username) && is_scalar($password)) { | ||
| $hash = authme_get_hash($username); | ||
| if ($hash) { | ||
| return authme_check_hash($password, $hash); | ||
| } | ||
| } | ||
| return false; | ||
| } | ||
|
|
||
| /** | ||
| * Retrieves the hash associated with the given user from the database. | ||
| * | ||
| * @param string $username the username whose hash should be retrieved | ||
| * @return string|null the hash, or null if unavailable (e.g. username doesn't exist) | ||
| */ | ||
| function authme_get_hash($username) { | ||
| // Add here your database host, username, password and database name | ||
| $mysqli = new mysqli('HOST', 'USER', 'PWD', 'DB'); | ||
| $authme_table = 'authme'; | ||
|
|
||
| if (mysqli_connect_error()) { | ||
| printf('Could not connect to AuthMe database. Errno: %d, error: "%s"', | ||
| mysqli_connect_errno(), mysqli_connect_error()); | ||
| } else { | ||
| $stmt = $mysqli->prepare("SELECT password FROM $authme_table WHERE username = ?"); | ||
| $stmt->bind_param('s', $username); | ||
| $stmt->execute(); | ||
| $stmt->bind_result($password); | ||
| if ($stmt->fetch()) { | ||
| return $password; | ||
| } | ||
| } | ||
| return null; | ||
| } | ||
|
|
||
| /** | ||
| * Checks the given clear-text password against the hash. | ||
| * | ||
| * @param string $password the clear-text password to check | ||
| * @param string $hash the hash to check the password against | ||
| * @return bool true iff the password matches the hash, false otherwise | ||
| */ | ||
| function authme_check_hash($password, $hash) { | ||
| // $SHA$salt$hash, where hash := sha256(sha256(password) . salt) | ||
| $parts = explode('$', $hash); | ||
| return count($parts) === 4 | ||
| && $parts[3] === hash('sha256', hash('sha256', $password) . $parts[2]); | ||
| } |