<?php

/**
 * @package     Joomla.Plugin
 * @subpackage  Apiauthentication.basic
 *
 * @copyright   (C) 2019 Open Source Matters, Inc. <https://www.joomla.org>
 * @license     GNU General Public License version 2 or later; see LICENSE.txt
 */

namespace Joomla\Plugin\ApiAuthentication\Basic\Extension;

use Joomla\CMS\Authentication\Authentication;
use Joomla\CMS\Plugin\CMSPlugin;
use Joomla\CMS\User\UserFactoryInterface;
use Joomla\CMS\User\UserHelper;
use Joomla\Database\DatabaseAwareTrait;
use Joomla\Event\DispatcherInterface;

// phpcs:disable PSR1.Files.SideEffects
\defined('_JEXEC') or die;
// phpcs:enable PSR1.Files.SideEffects

/**
 * HTTP Basic authentication plugin for the web services (API) application.
 *
 * The credentials are not taken from the $credentials event argument but from
 * PHP_AUTH_USER / PHP_AUTH_PW in the server environment, i.e. whatever the SAPI
 * decoded from the Authorization header. NOTE(review): some FastCGI/CGI setups
 * do not populate these variables unless the Authorization header is explicitly
 * forwarded; that is a deployment concern and is not handled here.
 *
 * @since  4.0.0
 */
final class Basic extends CMSPlugin
{
    use DatabaseAwareTrait;

    /**
     * Factory used to load the full user object once the password has been verified.
     *
     * @var    UserFactoryInterface
     * @since  4.2.0
     */
    private $userFactory;

    /**
     * Constructor.
     *
     * @param   DispatcherInterface   $dispatcher   The dispatcher
     * @param   array                 $config       An optional associative array of configuration settings
     * @param   UserFactoryInterface  $userFactory  The user factory
     *
     * @since   4.2.0
     */
    public function __construct(DispatcherInterface $dispatcher, array $config, UserFactoryInterface $userFactory)
    {
        parent::__construct($dispatcher, $config);

        $this->userFactory = $userFactory;
    }

    /**
     * Authenticate the request from the Basic auth credentials in the server environment.
     *
     * The outcome is reported through $response: on success status is STATUS_SUCCESS and
     * email, fullname, username and language are filled in; on failure status is
     * STATUS_FAILURE and error_message holds a translated language string.
     *
     * NOTE(review): the three failure paths use distinct language keys (empty password,
     * unknown user, wrong password). Whether the API application surfaces error_message
     * verbatim to the HTTP client is not visible here; if it does, the distinct messages
     * would allow username enumeration despite the timing mitigation below.
     *
     * @param   array   $credentials  Array holding the user credentials (not consulted here)
     * @param   array   $options      Array of extra options (not consulted here)
     * @param   object  &$response    Authentication response object
     *
     * @return  void
     *
     * @since   4.0.0
     */
    public function onUserAuthenticate($credentials, $options, &$response)
    {
        $response->type = 'Basic';

        $app      = $this->getApplication();
        $username = $app->input->server->get('PHP_AUTH_USER', '', 'USERNAME');
        $password = $app->input->server->get('PHP_AUTH_PW', '', 'RAW');

        // An empty password is refused before any database work is done.
        if ($password === '') {
            $this->reject($response, 'JGLOBAL_AUTH_EMPTY_PASS_NOT_ALLOWED');

            return;
        }

        $account = $this->findAccount($username);

        if (!$account) {
            // Hash the supplied password even though there is no account to compare it
            // against, so an unknown username costs roughly as much time as a wrong
            // password. This blunts timing-based user enumeration.
            UserHelper::hashPassword($password);

            $this->reject($response, 'JGLOBAL_AUTH_NO_USER');

            return;
        }

        // The user id is handed to the helper alongside the stored hash; presumably so it
        // can rehash legacy formats in place (behaviour of UserHelper, not visible here).
        $verified = UserHelper::verifyPassword($password, $account->password, $account->id);

        if ($verified !== true) {
            $this->reject($response, 'JGLOBAL_AUTH_INVALID_PASS');

            return;
        }

        $this->accept($response, $username, $account->id);
    }

    /**
     * Look up the id and stored password hash for a username.
     *
     * The lookup is a bound-parameter query on #__users; whether it is case-sensitive
     * depends on the column collation, which is not visible here.
     *
     * @param   string  $username  The username to look up
     *
     * @return  object|null  Row with id and password, or null when no such user exists
     */
    private function findAccount($username)
    {
        $db = $this->getDatabase();

        $query = $db->getQuery(true)
            ->select($db->quoteName(['id', 'password']))
            ->from($db->quoteName('#__users'))
            ->where($db->quoteName('username') . ' = :username')
            ->bind(':username', $username);

        $db->setQuery($query);

        return $db->loadObject();
    }

    /**
     * Fill the response for a user whose password has been verified.
     *
     * @param   object  $response  Authentication response object
     * @param   string  $username  The username as supplied by the client (echoed back as-is)
     * @param   mixed   $userId    The id of the matching #__users row
     *
     * @return  void
     */
    private function accept($response, $username, $userId)
    {
        // Bring this in line with the rest of the system: load the full user record.
        $user = $this->userFactory->loadUserById($userId);

        $response->email    = $user->email;
        $response->fullname = $user->name;
        $response->username = $username;

        // Backend requests use the administrator language preference, anything else the site one.
        $languageParam      = $this->getApplication()->isClient('administrator') ? 'admin_language' : 'language';
        $response->language = $user->getParam($languageParam);

        $response->status        = Authentication::STATUS_SUCCESS;
        $response->error_message = '';
    }

    /**
     * Mark the response as failed with a translated message.
     *
     * @param   object  $response     Authentication response object
     * @param   string  $languageKey  Language key of the failure message
     *
     * @return  void
     */
    private function reject($response, $languageKey)
    {
        $response->status        = Authentication::STATUS_FAILURE;
        $response->error_message = $this->getApplication()->getLanguage()->_($languageKey);
    }
}