- <?php
/**
 * Login Controller
 *
 * Renders the login form and, on POST, validates the form (CSRF / field
 * whitelist), checks credentials and optional 2FA, establishes the session
 * and redirects the user.
 *
 * @author: Rogier Fischer
 * @version: 1.2
 * @last edit: 19-12-2015
 **/
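class login_controller extends Controller {

    /**
     * Entry point for the login page.
     *
     * GET simply renders the form. POST runs: field-name decoding (CSRF /
     * spam protection) -> form validation -> credential check (password,
     * then activation state, then 2FA) -> session id rotation -> redirect.
     * Any Exception thrown along the way is mapped to a translated error key
     * and rendered on the login form exactly once.
     */
    public function __construct() {
        // Already authenticated users are sent to their account page.
        if (User::session_exists()) {
            Auth::redirect('/' . Language::l() . '/account/home');
        }
        try {
            if ($_SERVER['REQUEST_METHOD'] === 'POST') {
                // Security, spam prevention and CSRF (decodes obfuscated field names).
                Auth::decodeFormNames($_POST, 'login');
                if ($this->validateForm()) {
                    $this->model = $this->loadModel('login');
                    $this->login();
                    // Rotate the session id on privilege change to defeat session
                    // fixation. `true` also destroys the old session storage so the
                    // pre-login id cannot be reused by whoever planted it.
                    session_regenerate_id(true);
                    Auth::redirect($this->postLoginTarget());
                }
            }
        }
        catch (Exception $e) {
            $error = $e->getMessage();
            // Only translated keys are shown; anything else (e.g. a raw DB or
            // library message) collapses to a generic key so internals never leak.
            if (Language::g($error) === false) {
                $error = 'error_unknown';
            }
            $this->loadView('login/content', [
                'error' => Language::g($error)
            ]);
            // Render once. Previously execution fell through and loaded the view
            // a second time without the error (duplicate output, or the error
            // being overwritten, depending on how loadView() behaves).
            return;
        }
        $this->loadView('login/content');
    }

    /**
     * Computes the redirect target after a successful login.
     *
     * `?next=` encodes a site path with '-' as the segment separator
     * (e.g. `en-account-settings` -> `/en/account/settings`). Only a strictly
     * local path is accepted: a single leading '/', then unreserved path
     * characters. Everything else falls back to the account home page.
     *
     * Why: the original built `'/' . str_replace('-', '/', $_GET['next'])`,
     * so `?next=-evil.com` produced `//evil.com` — a protocol-relative URL the
     * browser follows to another host (open redirect). Backslashes (`/\host`
     * is treated like `//host` by some browsers), schemes, '@', '?' and '#'
     * are rejected by the whitelist as well.
     *
     * @return string absolute site path (never an external URL)
     */
    private function postLoginTarget() {
        $home = '/' . Language::l() . '/account/home';
        if (!isset($_GET['next']) || !is_string($_GET['next'])) {
            return $home;
        }
        $rest = str_replace('-', '/', $_GET['next']);
        $path = '/' . $rest;
        // Leading '/', not followed by a second '/', then only [A-Za-z0-9_./].
        if (!preg_match('#\A/(?!/)[A-Za-z0-9_./]*\z#', $path)) {
            return $home;
        }
        return '/' . Auth::esc($rest);
    }

    /**
     * Validates the POSTed login form against the expected field set.
     *
     * The Form class enforces that exactly these fields (plus 'csrf-token')
     * are present — no more, no less — and applies the listed validators.
     * Note the two-fa-code field only has a maxLength validator; whether it
     * must be numeric is left to googleAuthenticator::verifyCode().
     *
     * @return bool always true; failures are reported by exception
     * @throws Exception propagated from Form::isValidPost() with the error key
     */
    private function validateForm() {
        $form = new Form();
        $fields = [
            'email' => [
                'default_error_message' => 'email_invalid',
                'validators' => [
                    'email' => [
                        'error_message' => 'email_incorrect'
                    ]
                ]
            ],
            'password' => [
                'default_error_message' => 'password_invalid',
                'validators' => [
                    'minLength' => [
                        'helper' => 6,
                        'error_message' => 'password_short'
                    ]
                ]
            ],
            'two-fa-code' => [
                'default_error_message' => 'auth_invalid',
                'validators' => [
                    'maxLength' => [
                        'helper' => 6,
                        'error_message' => 'auth_incorrect'
                    ]
                ]
            ]
        ];
        // Throws on any mismatch; the exception is handled by the constructor.
        $form->isValidPost($fields);
        return true;
    }

    /**
     * Authenticates the submitted credentials and establishes the session.
     *
     * Check order matters: the password is verified first, so the account's
     * activation state and whether 2FA is enabled are only revealed to a
     * caller who already holds the password. The original checked the 2FA
     * code before the password, which let anyone knowing just an e-mail
     * address brute-force the 6-digit TOTP online (the verify window of 2
     * steps accepts several codes per attempt) and tell 2FA accounts apart
     * from others by the error message.
     *
     * Unknown e-mail and wrong password both yield 'login_incorrect' so the
     * message does not enumerate addresses. NOTE(review): the unknown-e-mail
     * branch skips the hash computation, so response timing may still
     * differ; a dummy hash on that branch would close it if it matters.
     *
     * @throws UserException 'login_incorrect', 'account_not_activated', 'illegal_2fa_code'
     */
    private function login() {
        $email = isset($_POST['email']) && is_string($_POST['email']) ? $_POST['email'] : '';
        $password = isset($_POST['password']) && is_string($_POST['password']) ? $_POST['password'] : null;

        $user_row = $this->model->searchUserByEmail($email);
        if (!$user_row || $password === null) {
            throw new UserException('login_incorrect');
        }

        // Legacy salted-hash scheme (salt is embedded in the stored value).
        // hash_equals() keeps the comparison constant-time; `===` short-circuits
        // on the first differing byte.
        // TODO(review): migrate to password_hash()/password_verify() and rehash
        // on login via password_needs_rehash().
        $salt = Auth::getSalt($user_row['user_password']);
        $computed = Auth::hash_password($password, $salt);
        if (!hash_equals((string) $user_row['user_password'], (string) $computed)) {
            throw new UserException('login_incorrect');
        }

        if (!$user_row['user_activated']) {
            throw new UserException('account_not_activated');
        }

        if ($user_row['user_2fa_enabled']) {
            $code = isset($_POST['two-fa-code']) ? $_POST['two-fa-code'] : null;
            if (!is_string($code) || $code === '') {
                throw new UserException('illegal_2fa_code');
            }
            // Third argument is the accepted step window (assumed ±2 steps, i.e.
            // about ±60s — confirm against the library). NOTE(review): used codes
            // are not recorded, so a captured code stays replayable within the
            // window; there is also no attempt limiting visible in this controller.
            if (!googleAuthenticator::verifyCode($user_row['user_2fa_secret'], $code, 2)) {
                throw new UserException('illegal_2fa_code');
            }
        }

        // Credentials accepted: mint a server-side session token and persist it.
        $token = Auth::createCode(64);
        $_SESSION['user']['session_token'] = $token;
        $_SESSION['user']['session_exists'] = true;
        // NOTE(review): the whole row, including user_password and
        // user_2fa_secret, is kept in the session; drop those fields here if
        // no consumer of $_SESSION['user']['data'] needs them.
        $_SESSION['user']['data'] = $user_row;
        $this->model->saveSession($user_row['user_id'], $token);
    }
}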