Appreciate any feedback
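class Auth
{
    /**
     * Session-backed authentication against a single user table.
     *
     * $cfg is the array handed to the constructor. Keys read here are
     * 'pepper' (secret prefix for get_hash()) and the 'db' sub-array of
     * table/column names plus 'session_duration' and 'reset_duration'
     * (both in seconds).
     *
     * Collaborators are globals: $db (sql_escape, sql_query, sql_fetchrow,
     * sql_rowcount, sql_freeresult, sql_affectedrows, sql_insertid),
     * $session (get_session_id, regenerate_id), $user, and the User class.
     * $_SESSION['is_authed'] is the only session flag this class reads.
     *
     * NOTE(review): credential hashing (get_hash) is one sha256 over a
     * fixed pepper + a deterministic per-username salt. That is fast to
     * brute-force offline; it is kept so existing stored hashes keep
     * verifying. Plan a migration to password_hash()/password_verify()
     * with rehash-on-login.
     *
     * NOTE(review): the session/reset IP checks use INET_ATON(), which is
     * IPv4-only; with an IPv6 REMOTE_ADDR the BETWEEN becomes NULL and the
     * lookup fails closed. Confirm against the deployment.
     */
    private $current_user_id = -1;
    private $current_user = null;
    public $cfg = null;

    /**
     * @param array $auth_config see class comment for the keys used
     */
    public function __construct($auth_config)
    {
        $this->cfg = $auth_config;
        if ($this->is_authed()) {
            // The session flag alone is not trusted: the user row is
            // re-resolved from the stored session id / IP / time window.
            $this->session_get_user();
        }
    }

    public function __destruct()
    {
        unset($this->current_user);
        unset($this->current_user_id);
        unset($this->cfg);
    }

    /**
     * Peppered sha256 of $salt.$data (hex, 64 chars).
     *
     * Callers pass '' as the salt for the username hash and that hash
     * as the salt for the password hash. See the class comment on the
     * weakness of this construction.
     *
     * @param string $salt
     * @param string $data
     * @return string
     */
    public function get_hash($salt, $data)
    {
        return hash('sha256', $this->cfg['pepper'] . $salt . $data);
    }

    /**
     * Resolve the current PHP session to a user row and log that user in.
     * Clears $_SESSION['is_authed'] when no matching row exists.
     *
     * @return void
     */
    public function session_get_user()
    {
        global $session;
        $session_id = $session->get_session_id();
        $user_id = $this->_get_userid_from_session($session_id);
        if ($user_id < 0) {
            $_SESSION['is_authed'] = false;
            return;
        }
        $this->_login_user($user_id);
    }

    /**
     * Client address as stored by the web server; '' when absent (CLI).
     *
     * @return string
     */
    private function _remote_addr()
    {
        return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    }

    /**
     * Look up the user id whose stored session id matches, whose recorded
     * session IP is within +/-255 of the current address, and whose
     * session_time is newer than now - session_duration.
     *
     * @param string $session_id
     * @return int user id, or -1 when no row matches
     */
    private function _get_userid_from_session($session_id)
    {
        global $db;
        $session_id = $db->sql_escape($session_id);
        $ip = $db->sql_escape($this->_remote_addr());
        // Config values are trusted, but the duration goes into SQL
        // unquoted, so pin it to an integer.
        $duration = (int) $this->cfg['db']['session_duration'];
        $q = "SELECT {$this->cfg['db']['user_id']} FROM {$this->cfg['db']['table']} WHERE {$this->cfg['db']['session_id']}='$session_id' AND {$this->cfg['db']['session_ip']} BETWEEN INET_ATON('$ip')-255 AND INET_ATON('$ip')+255 AND {$this->cfg['db']['session_time']} > DATE_SUB(NOW(), INTERVAL $duration SECOND);";
        $r = $db->sql_query($q);
        $row = $db->sql_fetchrow($r);
        if (!$row) {
            return -1;
        }
        return $row[$this->cfg['db']['user_id']];
    }

    /**
     * Check a username/password pair and, on success, regenerate the
     * session id (against fixation) and log the user in.
     *
     * @param string $username
     * @param string $password
     * @return true|string true on success, an error message otherwise
     */
    public function validate_login($username, $password)
    {
        global $session, $db;
        // Hash the raw username; only the escaped copy goes into SQL.
        $userhash = $this->get_hash('', $username);
        $passhash = $this->get_hash($userhash, $password);
        $username = $db->sql_escape($username);
        $q = "SELECT {$this->cfg['db']['user_id']} FROM {$this->cfg['db']['table']} WHERE {$this->cfg['db']['username']}='$username' AND {$this->cfg['db']['password']}='$passhash';";
        $r = $db->sql_query($q);
        $row = $db->sql_fetchrow($r);
        if (!$row) {
            // Single message for both failure modes: does not reveal
            // whether the username exists.
            return "Invalid username or password";
        }
        $user_id = $row[$this->cfg['db']['user_id']];
        $session->regenerate_id();
        $this->_login_user($user_id);
        return true;
    }

    /**
     * Unpredictable 64-char hex token for password resets.
     *
     * @param string $username used only by the last-resort fallback
     * @return string
     */
    private function _random_token($username)
    {
        if (function_exists('random_bytes')) {
            return bin2hex(random_bytes(32));
        }
        if (function_exists('openssl_random_pseudo_bytes')) {
            return bin2hex(openssl_random_pseudo_bytes(32));
        }
        // Last resort on very old runtimes: the original derivation
        // (pepper-keyed hash of the current time and username).
        return $this->get_hash(time(), $username);
    }

    /**
     * Store a fresh reset token, the requesting IP and an expiry of
     * now + reset_duration on the user's row.
     *
     * @param string $username
     * @return string|false the token, or false when the user is unknown
     *                      or the update touched no row
     */
    public function create_reset_token($username)
    {
        global $db;
        $reset_token = $this->_random_token($username);
        // Escape before interpolation; the username comes from the
        // reset form and was previously used raw here.
        $username = $db->sql_escape($username);
        $q = "SELECT {$this->cfg['db']['user_id']} FROM {$this->cfg['db']['table']} WHERE {$this->cfg['db']['username']}='$username';";
        $r = $db->sql_query($q);
        $row = $db->sql_fetchrow($r);
        if (!$row) {
            return false;
        }
        $user_id = (int) $row[$this->cfg['db']['user_id']];
        // Use the same escaper as the rest of the class (the mysql_*
        // family needs its own connection and is gone in PHP 7).
        $ip = $db->sql_escape($this->_remote_addr());
        $duration = (int) $this->cfg['db']['reset_duration'];
        $q = "UPDATE {$this->cfg['db']['table']} SET {$this->cfg['db']['reset_ip']}=INET_ATON('$ip'), {$this->cfg['db']['reset_expiry']}=DATE_ADD(NOW(),INTERVAL $duration SECOND), {$this->cfg['db']['reset_token']}='$reset_token' WHERE {$this->cfg['db']['user_id']}=$user_id;";
        $db->sql_query($q);
        if ($db->sql_affectedrows() > 0) {
            return $reset_token;
        }
        return false;
    }

    /**
     * Check a reset token for a username: the token must match, the
     * stored reset IP must be within +/-255 of the current address and
     * the expiry must be in the future.
     *
     * @param string $username
     * @param string $token
     * @return int|false user id, or false when nothing matches
     */
    public function validate_reset($username, $token)
    {
        global $db;
        $token = $db->sql_escape($token);
        $username = $db->sql_escape($username);
        $ip = $db->sql_escape($this->_remote_addr());
        $q = "SELECT {$this->cfg['db']['user_id']} FROM {$this->cfg['db']['table']} WHERE {$this->cfg['db']['username']}='$username' AND {$this->cfg['db']['reset_token']}='$token' AND {$this->cfg['db']['reset_ip']} BETWEEN INET_ATON('$ip')-255 AND INET_ATON('$ip')+255 AND {$this->cfg['db']['reset_expiry']} > NOW();";
        $r = $db->sql_query($q);
        $row = $db->sql_fetchrow($r);
        if (!$row) {
            return false;
        }
        return $row[$this->cfg['db']['user_id']];
    }

    /**
     * Replace the stored password hash of a user.
     *
     * @param int    $user_id  coerced to int before use in SQL
     * @param string $password plaintext; hashed with get_hash()
     * @return bool true when a row was updated
     */
    public function set_user_password($user_id, $password)
    {
        global $db;
        // The id is interpolated unquoted; pin it to an integer so a
        // caller passing tainted input cannot alter the statement.
        $user_id = (int) $user_id;
        $q = "SELECT {$this->cfg['db']['username']} FROM {$this->cfg['db']['table']} WHERE {$this->cfg['db']['user_id']}=$user_id;";
        $r = $db->sql_query($q);
        if ((int) $db->sql_rowcount($r) === 0) {
            $db->sql_freeresult($r);
            return false;
        }
        $row = $db->sql_fetchrow($r);
        $username = $row[$this->cfg['db']['username']];
        $db->sql_freeresult($r);
        $userhash = $this->get_hash('', $username);
        $passhash = $this->get_hash($userhash, $password);
        $q = "UPDATE {$this->cfg['db']['table']} SET {$this->cfg['db']['password']}='$passhash' WHERE {$this->cfg['db']['user_id']}=$user_id;";
        $db->sql_query($q);
        return $db->sql_affectedrows() > 0;
    }

    /**
     * Insert a new user row.
     *
     * @param string $username
     * @param string $password
     * @return int|string the new row id, or an error message
     */
    public function create_user($username, $password)
    {
        global $db;
        $userhash = $this->get_hash('', $username);
        $passhash = $this->get_hash($userhash, $password);
        $username = $db->sql_escape($username);
        $q = "SELECT {$this->cfg['db']['user_id']} FROM {$this->cfg['db']['table']} WHERE {$this->cfg['db']['username']}='$username';";
        $r = $db->sql_query($q);
        if ((int) $db->sql_rowcount($r) > 0) {
            $db->sql_freeresult($r);
            return "Username in use";
        }
        $db->sql_freeresult($r);
        $q = "INSERT INTO {$this->cfg['db']['table']} ({$this->cfg['db']['username']},{$this->cfg['db']['password']}) VALUES ('$username','$passhash');";
        $db->sql_query($q);
        if ($db->sql_affectedrows() > 0) {
            return $db->sql_insertid();
        }
        return "Error creating user";
    }

    /**
     * Mark $user_id as the logged-in user: builds the User object, sets
     * the global $user and $_SESSION['is_authed'], and records the
     * current session id, IP and time on the user's row.
     *
     * Public because session_get_user()/validate_login() call it, but it
     * performs no credential check of its own; callers must.
     *
     * @param int $user_id
     * @return void
     */
    public function _login_user($user_id)
    {
        global $user, $db, $session;
        $user_id = (int) $user_id;
        $this->current_user_id = $user_id;
        $this->current_user = new User($this, $user_id);
        $user = $this->current_user;
        $this->current_user->session_id = $session->get_session_id();
        $_SESSION['is_authed'] = true;
        // Update session IP, ID and time in database:
        $ip = $db->sql_escape($this->_remote_addr());
        $session_id = $db->sql_escape($this->current_user->session_id);
        $q = "UPDATE {$this->cfg['db']['table']} SET {$this->cfg['db']['session_ip']}=INET_ATON('$ip'), {$this->cfg['db']['session_time']}=NOW(), {$this->cfg['db']['session_id']}='$session_id' WHERE {$this->cfg['db']['user_id']}=$user_id;";
        $db->sql_query($q);
    }

    /**
     * End the current login: clears the session flag, regenerates the
     * session id, blanks the stored session columns and drops the
     * in-memory user. No-op when nobody is logged in.
     *
     * @return void
     */
    public function logout()
    {
        global $session, $db, $user;
        if (!$this->is_authed()) {
            return;
        }
        $_SESSION['is_authed'] = false;
        $session->regenerate_id();
        $user_id = (int) $this->current_user_id;
        // Clear the session details
        $q = "UPDATE {$this->cfg['db']['table']} SET {$this->cfg['db']['session_id']}='', {$this->cfg['db']['session_ip']}=0, {$this->cfg['db']['session_time']}='0000-00-00 00:00:00' WHERE {$this->cfg['db']['user_id']}=$user_id;";
        $db->sql_query($q);
        // Reset the user
        $this->current_user = null;
        $this->current_user_id = -1;
        $user = null;
    }

    /**
     * Session-level "logged in" flag; false when the session has none.
     *
     * @return bool
     */
    public function is_authed()
    {
        return isset($_SESSION['is_authed']) ? $_SESSION['is_authed'] : false;
    }

    /**
     * @return User|null the logged-in user, or null
     */
    public function get_user()
    {
        return $this->current_user;
    }
}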