
phpBB 3.x API Registration Mod v6+ ejabberd exauth

  1. <?php
  2.  
  3. // Prepare the script to work within phpBB's environment.
  4. define('IN_PHPBB', true);
  5. $phpbb_root_path = '../';
  6. $phpEx = substr(strrchr(__FILE__, '.'), 1);
  7. include($phpbb_root_path . 'common.' . $phpEx);
  8. include($phpbb_root_path . '/includes/functions_user.' . $phpEx);
  9.  
  10. $doLog = false;
  11. $logHandle = null;
  12. $logfile = "/var/www/forum/xmlrpclog/exauth_phpbb_forumxmlrpc.log";
  13.  
  14. if ($doLog) {
  15.     $logHandle = fopen($logfile, "a") or die("Error opening log file: ". $logfile);
  16. }
  17.  
  18. LogExAuth('Received exauth request from ejabberd');
  19.  
  20. // Hidden secret to confirm we are allowed to request this data (might be handled differently in the future)
  21. $secret = md5(md5($config['eveapi_ejabber_code']));
  22.  
  23. $type = request_var('type', "");
  24. $result = false;
  25.  
  26. LogExAuth('Type detected: ' . $type);
  27.  
  28. if($type != "" && $config['eveapi_jabber_masterswitch'] && $config['eveapi_ejabber_switch'])
  29. {
  30.     LogExAuth('Jabber is enabled on forum. Checking Challenge... ');
  31.     $challenge = request_var('challenge', '');
  32.  
  33.     if($challenge == $secret)
  34.     {
  35.         LogExAuth('Challenge matches. Checking type: ' . $type);
  36.         if($type == "checkAuth")
  37.         {
  38.             $user = sanitizeUser(urldecode(request_var('user', '')));
  39.             $pass = urldecode(request_var('pass', ''));
  40.  
  41.             $pass = base64_decode($pass);
  42.  
  43.             $result = checkAuth($user, $pass);
  44.         }
  45.         elseif($type == "isUser")
  46.         {
  47.             LogExAuth('Received isUser request');
  48.             $user = sanitizeUser(urldecode(request_var('user', '')));
  49.            
  50.             LogExAuth('Checking if "' . $user . '" is a valid user.');
  51.            
  52.             $usernames = array($user);
  53.             $userids = array();
  54.  
  55.             $id = user_get_id_name($userids, $usernames, array(0, 3));
  56.             LogExAuth('Result from user_get_id_name is: ' . $id);
  57.             if($id === false)
  58.             {
  59.                 $result = true;
  60.             } else {
  61.                
  62.             }
  63.         }
  64.     }
  65. }
  66.  
  67. $response_text = ($result) ? "true" : "false"; 
  68.  
  69. header("Content-Type:text/xml");
  70.  
  71. echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n";
  72. echo "<result>\n";
  73. echo "<response>{$response_text}</response>\n";
  74. echo "</result>\n";
  75.  
  76. // --------------------------------------------
  77.  
  78. function checkAuth($username, $password)
  79. {
  80.     global $db, $config;
  81.  
  82.     // do not allow empty password
  83.     if (!$password)
  84.     {
  85.         return false;
  86.     }
  87.  
  88.     if (!$username)
  89.     {
  90.         return false;
  91.     }
  92.  
  93.     $username_clean = utf8_clean_string($username);
  94.  
  95.     $sql = 'SELECT user_id, username, user_password, user_passchg, user_pass_convert, user_email, user_type, user_login_attempts
  96.         FROM ' . USERS_TABLE . "
  97.         WHERE username_clean = '" . $db->sql_escape($username_clean) . "'";
  98.     $result = $db->sql_query($sql);
  99.     $row = $db->sql_fetchrow($result);
  100.     $db->sql_freeresult($result);
  101.  
  102.     if (!$row)
  103.     {
  104.         return false;
  105.     }
  106.    
  107.     if($config['max_login_attempts'] && $row['user_login_attempts'] >= $config['max_login_attempts'])
  108.     {
  109.         return false;
  110.     }
  111.  
  112.     // Check password ...
  113.     if (!$row['user_pass_convert'] && phpbb_check_hash($password, $row['user_password']))
  114.     {
  115.         $sql = 'DELETE FROM ' . LOGIN_ATTEMPT_TABLE . '
  116.             WHERE user_id = ' . $row['user_id'];
  117.         $db->sql_query($sql);
  118.  
  119.         if ($row['user_login_attempts'] != 0)
  120.         {
  121.             // Successful, reset login attempts (the user passed all stages)
  122.             $sql = 'UPDATE ' . USERS_TABLE . '
  123.                 SET user_login_attempts = 0
  124.                 WHERE user_id = ' . $row['user_id'];
  125.             $db->sql_query($sql);
  126.         }
  127.  
  128.         // User inactive...
  129.         if ($row['user_type'] == USER_INACTIVE || $row['user_type'] == USER_IGNORE)
  130.         {
  131.             return false;
  132.         }
  133.  
  134.         // Successful login... set user_login_attempts to zero...
  135.         return true;
  136.     }
  137.  
  138.     // Password incorrect - increase login attempts
  139.     $sql = 'UPDATE ' . USERS_TABLE . '
  140.         SET user_login_attempts = user_login_attempts + 1
  141.         WHERE user_id = ' . (int) $row['user_id'] . '
  142.             AND user_login_attempts < ' . LOGIN_ATTEMPTS_MAX;
  143.     $db->sql_query($sql);
  144.  
  145.     // Give status about wrong password...
  146.     return false;
  147. }
  148.  
  149.  
  150. function LogExAuth($msg, $timestamp = true) {
  151.     global $doLog, $logHandle;
  152.    
  153.     $time = "";
  154.     if($timestamp)
  155.     {
  156.         $time = "[" . date("D d M Y H:i:s") . "]";
  157.     }
  158.    
  159.     if($doLog && is_resource($logHandle))
  160.     {
  161.         fwrite($logHandle, $time ." ". $msg ."\n");
  162.     }
  163. }
  164.  
  165. /**
  166.  * Sanitize users
  167.  *
  168.  * Convert a jabber JID to a Forum Username
  169.  * - perform base64 decode of incoming username
  170.  * - replace underscores with spaces
  171.  * - check if the resulting username is one of the difficult cases where special characters
  172.  *   were removed from the JID and convert to the correct forum username.
  173.  *
  174.  * @param string $username Base64-encoded username coming from ejabberd external auth.
  175.  * @return string sanitized username in a format that phpbb should recognize.
  176.  */
  177. function sanitizeUser($username)
  178. {
  179.     $username = strtolower(str_replace("_", " ", base64_decode($username)));
  180.    
  181.     $difficultUsers = array(
  182.         "difficult user" => "difficult 'user",
  183.     );
  184.    
  185.     if (array_key_exists($username, $difficultUsers)) {
  186.         $username = $difficultUsers[$username];
  187.     }
  188.    
  189.     return $username;
  190. }
  191.  
  192.  
  193. //Close log handler
  194. if (is_resource($logHandle)){
  195.     fclose($logHandle);
  196. }
  197.  
  198. ?>