diff --git a/apps/maarch_entreprise/log.php b/apps/maarch_entreprise/log.php index f5fe9bcc5feba478dcef0e1161a6e9182b2be109..7ba922e4a829584d5df3ffee0dd79ba0613d9488 100755 --- a/apps/maarch_entreprise/log.php +++ b/apps/maarch_entreprise/log.php @@ -264,7 +264,7 @@ if (! empty($_SESSION['error'])) { //$core->show_array($res); $_SESSION['user'] = $res['user']; if ($res['error'] == '') { - \Core\Models\SecurityModel::setCookieAuth(['userId' => $login, 'password' => $password]); + \Core\Models\SecurityModel::setCookieAuth(['userId' => $login]); // $businessAppTools->load_app_var_session($_SESSION['user']); //$core->load_var_session($_SESSION['modules'], $_SESSION['user']); $core->load_menu($_SESSION['modules']); diff --git a/core/Controllers/UserController.php b/core/Controllers/UserController.php index b4b38572a0954d373f7ac68a84d2931da02ec7f9..594b37443b5da320130f5b5be871a839ffb62601 100644 --- a/core/Controllers/UserController.php +++ b/core/Controllers/UserController.php @@ -180,7 +180,7 @@ class UserController if ($data['newPassword'] != $data['reNewPassword']) { return $response->withStatus(400)->withJson(['errors' => _WRONG_SECOND_PSW]); - } elseif (!SecurityModel::checkAuthentication(['userId' => $_SESSION['user']['UserId'],'password' => $data['currentPassword']])) { + } elseif (!SecurityModel::authentication(['userId' => $_SESSION['user']['UserId'],'password' => $data['currentPassword']])) { return $response->withJson(['errors' => _WRONG_PSW]); } diff --git a/core/Models/DatabasePDO.php b/core/Models/DatabasePDO.php index e2130f6495651d8b26aa3755662bef2f9dcaf730..d92448cfea4e8354c16a959e87884a8fa50259dc 100644 --- a/core/Models/DatabasePDO.php +++ b/core/Models/DatabasePDO.php @@ -95,6 +95,10 @@ class DatabasePDO public function query($queryString, array $data = []) { + if (self::$driver == 'ORACLE') { + $queryString = str_ireplace('CURRENT_TIMESTAMP', 'SYSDATE', $queryString); + } + if (!empty($data)) { $tmpData = []; foreach ($data as $key => $value) { 
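Review bot: The Oracle branch added at the top of query() rewrites every case-insensitive occurrence of CURRENT_TIMESTAMP in the SQL text, so an identifier or string literal that merely contains that substring would be corrupted as well. A word-bounded pattern keeps the rewrite to the keyword itself: `$queryString = preg_replace('/\bCURRENT_TIMESTAMP\b/i', 'SYSDATE', $queryString);`. The driver comparison would also read better as `self::$driver === 'ORACLE'`, since the value is presumably always a string. The remainder of query() continues outside the hunk.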
diff --git a/core/Models/SecurityModelAbstract.php b/core/Models/SecurityModelAbstract.php index 6e4d66d9f581292304bfffc86aa1dceb3144418e..41472ceaf515c4ee22b3e35574fa17cd7b47fc79 100644 --- a/core/Models/SecurityModelAbstract.php +++ b/core/Models/SecurityModelAbstract.php @@ -23,7 +23,7 @@ class SecurityModelAbstract return password_hash($password, PASSWORD_DEFAULT); } - public static function checkAuthentication(array $args) + public static function authentication(array $args) { ValidatorModel::notEmpty($args, ['userId', 'password']); ValidatorModel::stringType($args, ['userId', 'password']); @@ -42,10 +42,29 @@ class SecurityModelAbstract return password_verify($args['password'], $aReturn[0]['password']); } + public static function cookieAuthentication(array $args) + { + ValidatorModel::notEmpty($args, ['userId', 'cookieKey']); + ValidatorModel::stringType($args, ['userId', 'cookieKey']); + + $aReturn = DatabaseModel::select([ + 'select' => ['password'], + 'table' => ['users'], + 'where' => ['user_id = ?', 'cookie_key = ?', 'cookie_date > CURRENT_TIMESTAMP'], + 'data' => [$args['userId'], $args['cookieKey']] + ]); + + if (empty($aReturn[0])) { + return false; + } + + return true; + } + public static function setCookieAuth(array $args) { - ValidatorModel::notEmpty($args, ['userId', 'password']); - ValidatorModel::stringType($args, ['userId', 'password']); + ValidatorModel::notEmpty($args, ['userId']); + ValidatorModel::stringType($args, ['userId']); $customId = CoreConfigModel::getCustomId(); 
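Review bot: cookieAuthentication() accepts any row whose cookie_key matches and has not expired, with no check on the account's state, whereas the cookie login it replaces (the reopen() body removed further down in this diff) required `STATUS <> 'DEL'` and enabled equal to 'Y'; a disabled or deleted user therefore keeps a working cookie until cookie_date passes. Add the same conditions to the where clause: `'where' => ['user_id = ?', 'cookie_key = ?', 'cookie_date > CURRENT_TIMESTAMP', "enabled = 'Y'", "status <> 'DEL'"],`. The query also selects the password hash only to test whether a row came back — `'select' => ['user_id']` avoids pulling the hash out of the database for nothing. Note that cookie_date is written from PHP's date() in setCookieAuth() but compared against the database's CURRENT_TIMESTAMP here, so the effective lifetime shifts by any difference between the PHP and database timezones.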
@@ -63,11 +82,27 @@ class SecurityModelAbstract } } - $cookiePath = str_replace('apps/maarch_entreprise/index.php', '', $_SERVER['SCRIPT_NAME']); + $previousCookie = SecurityModel::getCookieAuth(); + if (empty($previousCookie)) { + $cookieKey = SecurityModel::getPasswordHash($args['userId']); + } else { + $cookieKey = $previousCookie['cookieKey']; + } + $cookiePath = str_replace(['apps/maarch_entreprise/index.php', 'rest/index.php'], '', $_SERVER['SCRIPT_NAME']); + $cookieTime = time() + 60 * $cookieTime; + + DatabaseModel::update([ + 'table' => 'users', + 'set' => [ + 'cookie_key' => $cookieKey, + 'cookie_date' => date('Y-m-d H:i:s', $cookieTime), + ], + 'where' => ['user_id = ?'], + 'data' => [$args['userId']] + ]); - $cookieData = json_encode(['userId' => $args['userId'], 'password' => $args['password']]); - $cookieDataEncrypted = openssl_encrypt ($cookieData, 'aes-256-ctr', '12345678910'); - setcookie('maarchCourrierAuth', base64_encode($cookieDataEncrypted), time() + 60 * $cookieTime, $cookiePath, '', false, true); + $cookieData = json_encode(['userId' => $args['userId'], 'cookieKey' => $cookieKey]); + setcookie('maarchCourrierAuth', base64_encode($cookieData), $cookieTime, $cookiePath, '', false, true); return true; } @@ -78,9 +113,10 @@ class SecurityModelAbstract if (empty($rawCookie)) { return []; } - $cookieDecrypted = openssl_decrypt(base64_decode($rawCookie), 'aes-256-ctr', '12345678910'); - $cookie = json_decode($cookieDecrypted); - return $cookie; + $cookieDecoded = base64_decode($rawCookie); + $cookie = json_decode($cookieDecoded); + + return (array)$cookie; } } diff --git a/core/class/class_security.php b/core/class/class_security.php index 7f52326fc5c7edf0fb88dfb7cfd3c4088ac62f87..ebd1b1aafc843dd356adafb14bf895b9df29872c 100644 --- a/core/class/class_security.php +++ b/core/class/class_security.php 
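Review bot: setCookieAuth() reuses the cookieKey from whatever maarchCourrierAuth cookie the client presents and writes it into users.cookie_key without verifying it, so at the password login in log.php a key that was planted in the browser beforehand becomes that user's valid bearer token (cookie fixation). Reuse the client's key only after cookieAuthentication() confirms it belongs to the user being logged in, and otherwise mint a fresh token from a CSPRNG rather than from getPasswordHash($userId), whose unpredictability rests entirely on bcrypt's random salt. The cookie now carries a bearer token but is still set with secure=false; derive the flag from the request scheme so it is not sent over plain HTTP when the site runs on HTTPS. The lookup that sets $cookieTime above the hunk is outside SOURCE, and bin2hex(random_bytes(32)) yields 64 characters, so the cookie_key column width should be checked.
```php
        // … unchanged: custom config / $cookieTime lookup …
        // Keep a client-supplied key only once it has been verified for this
        // very user; anything else gets a fresh random token.
        $previousCookie = SecurityModel::getCookieAuth();
        if (isset($previousCookie['userId'], $previousCookie['cookieKey'])
            && $previousCookie['userId'] === $args['userId']
            && SecurityModel::cookieAuthentication($previousCookie)) {
            $cookieKey = $previousCookie['cookieKey'];
        } else {
            $cookieKey = bin2hex(random_bytes(32));
        }
        $cookiePath = str_replace(['apps/maarch_entreprise/index.php', 'rest/index.php'], '', $_SERVER['SCRIPT_NAME']);
        $cookieTime = time() + 60 * $cookieTime;
        // … unchanged: DatabaseModel::update of cookie_key / cookie_date …
        $cookieData = json_encode(['userId' => $args['userId'], 'cookieKey' => $cookieKey]);
        // Only mark the cookie secure when the request itself came over TLS.
        $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
        setcookie('maarchCourrierAuth', base64_encode($cookieData), $cookieTime, $cookiePath, '', $secure, true);
```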
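Review bot: getCookieAuth() returns `(array)$cookie` for whatever the client's base64/JSON decodes to, so a cookie holding a JSON string or number yields a non-empty array without userId/cookieKey keys, and a JSON object with extra members is passed through untouched to cookieAuthentication() and to the `$cookie['userId']` access in rest/index.php. Decode strictly and return an empty array unless both expected keys are present: `$cookie = json_decode((string)base64_decode($rawCookie, true), true);` followed by `return (is_array($cookie) && isset($cookie['userId'], $cookie['cookieKey'])) ? ['userId' => $cookie['userId'], 'cookieKey' => $cookie['cookieKey']] : [];`. The start of getCookieAuth() lies outside the hunk.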
@@ -131,7 +131,7 @@ class security extends Database $params = []; } - $check = \Core\Models\SecurityModel::checkAuthentication(['userId' => $s_login, 'password' => $pass]); + $check = \Core\Models\SecurityModel::authentication(['userId' => $s_login, 'password' => $pass]); if ($check) { $user = $uc->getWithComp($s_login, $comp, $params); } @@ -183,21 +183,6 @@ class security extends Database 'cookie_date' => $user->__get('cookie_date'), ); - $key = md5( - time() . '%' . $array['FirstName'] . '%' . $array['UserId'] - . '%' . $array['UserId'] . '%' . date('dmYHmi') . '%' - ); - $user->__set('cookie_key', $key); - if ($_SESSION['config']['databasetype'] == 'ORACLE') { - $user->__set('cookie_date', 'SYSDATE'); - } else { - $user->__set( - 'cookie_date', date('Y-m-d') . ' ' . date('H:m:i') - ); - } - // #TODO : usefull ? - $uc->save($user, 'up'); - $array['primarygroup'] = $ugc ->getPrimaryGroup( $array['UserId'] ); 
@@ -400,103 +385,8 @@ class security extends Database */ public function reopen($s_UserId,$s_key) { - $comp = " and cookie_key = '".$s_key."' and STATUS <> 'DEL'"; - $uc = new users_controler(); - $user = users_controler::get($s_login, $comp); - if(isset($user)) - { - if($user->__get('enabled') == "Y") - { - $serv_controler = new ServiceControler(); - $_SESSION['user']['change_pass'] = $user->__get('change_password'); - $_SESSION['user']['UserId'] = $user->__get('user_id'); - $_SESSION['user']['FirstName'] = $user->__get('firstname'); - $_SESSION['user']['LastName'] = $user->__get('lastname'); - $_SESSION['user']['Phone'] = $user->__get('phone'); - $_SESSION['user']['Mail'] = $user->__get('mail'); - $_SESSION['user']['department'] = $user->__get('department'); - $_SESSION['user']['thumbprint'] = $user->__get('thumbprint'); - - if (isset($_SESSION['modules_loaded']['visa'])) { - require_once "modules" . DIRECTORY_SEPARATOR . "visa" . DIRECTORY_SEPARATOR. "class" . DIRECTORY_SEPARATOR. "class_user_signatures.php"; - $us = new UserSignatures(); - - $db = new Database(); - $query = "select path_template from " - . _DOCSERVERS_TABLE_NAME - . " where docserver_id = 'TEMPLATES'"; - $stmt = $db->query($query); - $resDs = $stmt->fetchObject(); - $pathToDs = $resDs->path_template; - - $tab_sign = $us->getForUser($_SESSION['user']['UserId']); - $_SESSION['user']['pathToSignature'] = array(); - foreach ($tab_sign as $sign) { - $path = $pathToDs . str_replace( - "#", - DIRECTORY_SEPARATOR, - $sign['signature_path'] - ) - . $sign['signature_file_name']; - array_push($_SESSION['user']['pathToSignature'], $path); - } - } - - $_SESSION['error'] = ""; - - $key = md5(time()."%".$_SESSION['user']['FirstName']."%".$_SESSION['user']['UserId']."%".$_SESSION['user']['UserId']."%".date("dmYHmi")."%"); - - $user->__set('cookie_key', $key); - if ($_SESSION['config']['databasetype'] == "ORACLE") - $user->__set('cookie_date', 'SYSDATE'); - else - $user->__set('cookie_date',date("Y-m-d")." 
".date("H:m:i")); - - $uc->save($user, 'up'); - - $_SESSION['user']['primarygroup'] = $ugc->getPrimaryGroup($_SESSION['user']['UserId']); - $sec_controler = new SecurityControler(); - $tmp = $sec_controler->load_security($_SESSION['user']['UserId']); - $_SESSION['user']['collections'] = $tmp['collections']; - $_SESSION['user']['security'] = $tmp['security']; - $serv_controler->loadEnabledServices(); - - $business_app_tools = new business_app_tools(); - $core_tools = new core_tools(); - $business_app_tools->load_app_var_session($array); - $core_tools->load_var_session($_SESSION['modules'], $array); - - $_SESSION['user']['services'] = $serv_controler->loadUserServices($_SESSION['user']['UserId']); - $core_tools->load_menu($_SESSION['modules']); -/* - if($_SESSION['history']['userlogin'] == "true") - { - //add new instance in history table for the user's connexion - $hist = new history(); - $ip = $_SERVER['REMOTE_ADDR']; - $navigateur = addslashes($_SERVER['HTTP_USER_AGENT']); - - $hist->add($_SESSION['tablename']['users'],$_SESSION['user']['UserId'],"LOGIN","IP : ".$ip.", BROWSER : ".$navigateur , $_SESSION['config']['databasetype']); - } -*/ - if($_SESSION['user']['change_pass'] == 'Y' && !isset($_SESSION['web_cas_url'])) { - header("location: ".$_SESSION['config']['businessappurl']."index.php?display=true&page=change_pass"); - exit(); - - } else { - header("location: ".$_SESSION['config']['businessappurl']."index.php"); - exit(); - } - } else { - $_SESSION['error'] = _SUSPENDED_ACCOUNT; - header("location: ".$_SESSION['config']['businessappurl']."index.php"); - exit(); - } - } else { - $_SESSION['error'] = _ERROR; - header("location: ".$_SESSION['config']['businessappurl']."index.php?display=true&page=login"); - exit(); - } + header("location: ".$_SESSION['config']['businessappurl']."index.php?display=true&page=login"); + exit(); } /******************* COLLECTION MANAGEMENT FUNCTIONS *******************/ 
diff --git a/core/class/web_service/class_web_service.php b/core/class/web_service/class_web_service.php index 897f1af6039376ace4fee3dbee4b8edb8ca065aa..d6ab3f1682906cae8d9bd846575fe4ca9da75a08 100644 --- a/core/class/web_service/class_web_service.php +++ b/core/class/web_service/class_web_service.php @@ -181,7 +181,7 @@ class webService { $userID = str_replace('>', '', $userID); $userID = str_replace('<', '', $userID); - $authenticated = \Core\Models\SecurityModel::checkAuthentication(['userId' => $userID, 'password' => $password]); + $authenticated = \Core\Models\SecurityModel::authentication(['userId' => $userID, 'password' => $password]); } return $authenticated; } diff --git a/rest/index.php b/rest/index.php index 59424fb1384d361515cf7f189b3b115c8210e5f9..e91c7360d3db42cd3e103752150d9b795fd68028 100644 --- a/rest/index.php +++ b/rest/index.php @@ -85,11 +85,13 @@ if ($_SESSION['error']) { exit(); } -$cookie = (array)\Core\Models\SecurityModel::getCookieAuth(); // New Authentication System +$cookie = \Core\Models\SecurityModel::getCookieAuth(); // New Authentication System if (!empty($cookie)) { - if (!\Core\Models\SecurityModel::checkAuthentication($cookie)) { - echo 'Authentication Failed'; - exit(); + if (\Core\Models\SecurityModel::cookieAuthentication($cookie)) { + \Core\Models\SecurityModel::setCookieAuth(['userId' => $cookie['userId']]); +// } else { +// echo 'Authentication Failed'; +// exit(); } } diff --git a/sql/17_xx.sql b/sql/17_xx.sql index ff19b001e9cd2d6189f8132e7028340047eb684a..6462b505db4b682dc5f2a86f760dd81ecf586a51 100644 --- a/sql/17_xx.sql +++ b/sql/17_xx.sql 
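Review bot: When cookieAuthentication() rejects the cookie, the new code in rest/index.php does nothing: the rejection is commented out rather than removed, and the stale cookie is left on the client, so every later request repeats the failed lookup. Whether such a request is ultimately refused depends on the code after the hunk, which is not visible here, but the branch should at least expire the cookie (`setcookie('maarchCourrierAuth', '', time() - 3600, <same path as setCookieAuth()>, '', false, true)`) and the commented lines should be deleted rather than kept. Note also that the success branch calls setCookieAuth() on every REST request, which per the SecurityModelAbstract hunk issues an UPDATE on users each time; refreshing only when the remaining lifetime drops below a threshold would avoid a write per call.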
@@ -79,6 +79,6 @@ END$$; ALTER TABLE sendmail DROP COLUMN IF EXISTS res_version_att_id_list; ALTER TABLE sendmail ADD COLUMN res_version_att_id_list character varying(255); -//SALT +/*SALT*/ UPDATE users set password = '$2y$10$C.QSslBKD3yNMfRPuZfcaubFwPKiCkqqOUyAdOr5FSGKPaePwuEjG', change_password = 'Y' WHERE user_id != 'superadmin'; UPDATE users set password = '$2y$10$Vq244c5s2zmldjblmMXEN./Q2qZrqtGVgrbz/l1WfsUJbLco4E.e.' where user_id = 'superadmin'; \ No newline at end of file diff --git a/sql/data_fr.sql b/sql/data_fr.sql index fff039865f66127ede2fd0da3ef00a592eb0efc8..f3fff71b214d53ad9080ab98992b3c39cb41f481 100644 --- a/sql/data_fr.sql +++ b/sql/data_fr.sql @@ -997,7 +997,7 @@ INSERT INTO docservers (docserver_id, docserver_type_id, device_label, is_readon --SUPERADMIN USER ------------ DELETE FROM users WHERE user_id='superadmin'; -INSERT INTO users (user_id, password, firstname, lastname, phone, mail, department, custom_t1, custom_t2, custom_t3, cookie_key, cookie_date, enabled, change_password, delay_number, status, loginmode, docserver_location_id) VALUES ('superadmin', '964a5502faec7a27f63ab5f7bddbe1bd8a685616a90ffcba633b5ad404569bd8fed4693cc00474a4881f636f3831a3e5a36bda049c568a89cfe54b1285b0c13e', 'Super', 'ADMIN', '0147245159', 'info@maarch.org', 'Maarch', '11', NULL, NULL, 'e657b3542b0362910db9195cb0fd0fb5', '2012-02-28 10:02:08', 'Y', 'N', NULL, 'OK', 'standard', NULL); +INSERT INTO users (user_id, password, firstname, lastname, phone, mail, department, custom_t1, custom_t2, custom_t3, enabled, change_password, delay_number, status, loginmode, docserver_location_id) VALUES ('superadmin', '964a5502faec7a27f63ab5f7bddbe1bd8a685616a90ffcba633b5ad404569bd8fed4693cc00474a4881f636f3831a3e5a36bda049c568a89cfe54b1285b0c13e', 'Super', 'ADMIN', '0147245159', 'info@maarch.org', 'Maarch', '11', NULL, NULL, 'Y', 'N', NULL, 'OK', 'standard', NULL); ------------ -- CONTACTS ------------ 
diff --git a/sql/structure.sql b/sql/structure.sql index a3e292af396a1d334d01aa8429946796dfa6df11..72cb33c89315bf718411f72d246a715d2cce23cc 100644 --- a/sql/structure.sql +++ b/sql/structure.sql @@ -254,6 +254,7 @@ WITH (OIDS=FALSE); CREATE TABLE users ( + id serial, user_id character varying(128) NOT NULL, "password" character varying(255) DEFAULT NULL::character varying, firstname character varying(255) DEFAULT NULL::character varying, @@ -273,12 +274,11 @@ CREATE TABLE users loginmode character varying(50) DEFAULT NULL::character varying, docserver_location_id character varying(32) DEFAULT NULL::character varying, thumbprint text DEFAULT NULL::character varying, - signature_path character varying(255) DEFAULT NULL::character varying, - signature_file_name character varying(255) DEFAULT NULL::character varying, initials character varying(32) DEFAULT NULL::character varying, ra_code character varying(255) DEFAULT NULL::character varying, ra_expiration_date timestamp without time zone, - CONSTRAINT users_pkey PRIMARY KEY (user_id) + CONSTRAINT users_pkey PRIMARY KEY (user_id), + CONSTRAINT users_id_key UNIQUE (id) ) WITH (OIDS=FALSE);