
   1  <?php
   2  
   3  /**
   4   * @package     Joomla.Plugin
   5   * @subpackage  Apiauthentication.basic
   6   *
   7   * @copyright   (C) 2019 Open Source Matters, Inc. <https://www.joomla.org>
   8   * @license     GNU General Public License version 2 or later; see LICENSE.txt
   9   */
  10  
  11  namespace Joomla\Plugin\ApiAuthentication\Basic\Extension;
  12  
  13  use Joomla\CMS\Authentication\Authentication;
  14  use Joomla\CMS\Plugin\CMSPlugin;
  15  use Joomla\CMS\User\UserFactoryInterface;
  16  use Joomla\CMS\User\UserHelper;
  17  use Joomla\Database\DatabaseAwareTrait;
  18  use Joomla\Event\DispatcherInterface;
  19  
// phpcs:disable PSR1.Files.SideEffects
// Direct-access guard: abort unless the _JEXEC constant is defined (presumably set by the
// Joomla bootstrap), so requesting this file directly over HTTP executes nothing.
\defined('_JEXEC') or die;
// phpcs:enable PSR1.Files.SideEffects
  23  
  24  /**
  25   * Joomla Authentication plugin
  26   *
  27   * @since  4.0.0
  28   */
  29  final class Basic extends CMSPlugin
  30  {
  31      use DatabaseAwareTrait;
  32  
  33      /**
  34       * The user factory
  35       *
  36       * @var    UserFactoryInterface
  37       * @since  4.2.0
  38       */
  39      private $userFactory;
  40  
  41      /**
  42       * Constructor.
  43       *
  44       * @param   DispatcherInterface   $dispatcher   The dispatcher
  45       * @param   array                 $config       An optional associative array of configuration settings
  46       * @param   UserFactoryInterface  $userFactory  The user factory
  47       *
  48       * @since   4.2.0
  49       */
  50      public function __construct(DispatcherInterface $dispatcher, array $config, UserFactoryInterface $userFactory)
  51      {
  52          parent::__construct($dispatcher, $config);
  53  
  54          $this->userFactory = $userFactory;
  55      }
  56  
  57      /**
  58       * This method should handle any authentication and report back to the subject
  59       *
  60       * @param   array   $credentials  Array holding the user credentials
  61       * @param   array   $options      Array of extra options
  62       * @param   object  &$response    Authentication response object
  63       *
  64       * @return  void
  65       *
  66       * @since   4.0.0
  67       */
  68      public function onUserAuthenticate($credentials, $options, &$response)
  69      {
  70          $response->type = 'Basic';
  71  
  72          $username = $this->getApplication()->input->server->get('PHP_AUTH_USER', '', 'USERNAME');
  73          $password = $this->getApplication()->input->server->get('PHP_AUTH_PW', '', 'RAW');
  74  
  75          if ($password === '') {
  76              $response->status        = Authentication::STATUS_FAILURE;
  77              $response->error_message = $this->getApplication()->getLanguage()->_('JGLOBAL_AUTH_EMPTY_PASS_NOT_ALLOWED');
  78  
  79              return;
  80          }
  81  
  82          $db    = $this->getDatabase();
  83          $query = $db->getQuery(true)
  84              ->select($db->quoteName(['id', 'password']))
  85              ->from($db->quoteName('#__users'))
  86              ->where($db->quoteName('username') . ' = :username')
  87              ->bind(':username', $username);
  88  
  89          $db->setQuery($query);
  90          $result = $db->loadObject();
  91  
  92          if ($result) {
  93              $match = UserHelper::verifyPassword($password, $result->password, $result->id);
  94  
  95              if ($match === true) {
  96                  // Bring this in line with the rest of the system
  97                  $user               = $this->userFactory->loadUserById($result->id);
  98                  $response->email    = $user->email;
  99                  $response->fullname = $user->name;
 100                  $response->username = $username;
 101  
 102                  if ($this->getApplication()->isClient('administrator')) {
 103                      $response->language = $user->getParam('admin_language');
 104                  } else {
 105                      $response->language = $user->getParam('language');
 106                  }
 107  
 108                  $response->status        = Authentication::STATUS_SUCCESS;
 109                  $response->error_message = '';
 110              } else {
 111                  // Invalid password
 112                  $response->status        = Authentication::STATUS_FAILURE;
 113                  $response->error_message = $this->getApplication()->getLanguage()->_('JGLOBAL_AUTH_INVALID_PASS');
 114              }
 115          } else {
 116              // Let's hash the entered password even if we don't have a matching user for some extra response time
 117              // By doing so, we mitigate side channel user enumeration attacks
 118              UserHelper::hashPassword($password);
 119  
 120              // Invalid user
 121              $response->status        = Authentication::STATUS_FAILURE;
 122              $response->error_message = $this->getApplication()->getLanguage()->_('JGLOBAL_AUTH_NO_USER');
 123          }
 124      }
 125  }

