From eadf7066e0e9ed55fac7f54b06780ec5389c9bf1 Mon Sep 17 00:00:00 2001
From: Hypolite Petovan
Date: Fri, 1 Dec 2017 23:03:49 -0500
Subject: [PATCH] Use User::authenticate in addons - dav - jappixmini - windowsphonepush
---
 dav/friendica/dav_friendica_auth.inc.php | 15 +++++----------
 jappixmini/jappixmini.php | 6 +-----
 windowsphonepush/windowsphonepush.php | 15 +++------------
 3 files changed, 9 insertions(+), 27 deletions(-)
diff --git a/dav/friendica/dav_friendica_auth.inc.php b/dav/friendica/dav_friendica_auth.inc.php
index 31a88b68..9b42ab8a 100644
--- a/dav/friendica/dav_friendica_auth.inc.php
+++ b/dav/friendica/dav_friendica_auth.inc.php
@@ -67,7 +67,7 @@ class Sabre_DAV_Auth_Backend_Std extends Sabre_DAV_Auth_Backend_AbstractBasic
 }
 // Authenticates the user
- if (!$this->validateUserPass($userpass[0],$userpass[1])) {
+ if (!$this->validateUserPass($userpass[0], $userpass[1])) {
 $auth->requireLogin();
 throw new Sabre_DAV_Exception_NotAuthenticated('Username or password does not match');
 }
@@ -80,13 +80,8 @@ class Sabre_DAV_Auth_Backend_Std extends Sabre_DAV_Auth_Backend_AbstractBasic
 * @param string $password
 * @return bool
 */
- protected function validateUserPass($username, $password) {
- $encrypted = hash('whirlpool',trim($password));
- $r = q("SELECT COUNT(*) anz FROM `user` WHERE `nickname` = '%s' AND `password` = '%s' AND `blocked` = 0 AND `account_expired` = 0 AND `verified` = 1 LIMIT 1",
- dbesc(trim($username)),
- dbesc($encrypted)
- );
- return ($r[0]["anz"] == 1);
- }
-
+ protected function validateUserPass($username, $password)
+ {
+ return User::authenticate($username, $password);
+ }
 }
diff --git a/jappixmini/jappixmini.php b/jappixmini/jappixmini.php
index ba82a076..faac6a81 100644
--- a/jappixmini/jappixmini.php
+++ b/jappixmini/jappixmini.php
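Review bot: The rewritten validateUserPass in the second dav hunk keeps the `@return bool` docblock but now returns whatever User::authenticate returns, and the windowsphonepush hunk in this same patch uses that value as a user id (`['uid' => $user_id]`), so on success this method now yields an int rather than a bool. The caller just above only tests truthiness, so it keeps working, but the documented contract should be honoured explicitly: `return (bool) User::authenticate($username, $password);`. The removed query also trimmed the username and matched on `nickname` only, with the `blocked`/`account_expired`/`verified` flags checked inline; whether User::authenticate trims its input, which identifier kinds it accepts and which account flags it enforces is not visible in this patch, so a one-line comment in the method stating that those checks are delegated to core (once confirmed) would spare the next reader the lookup.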
@@ -429,11 +429,7 @@ function jappixmini_settings_post(App $a, &$b)
 if ($encrypt) {
 // check that Jabber password was encrypted with correct Friendica password
 $friendica_password = trim($b['jappixmini-friendica-password']);
- $encrypted = hash('whirlpool',$friendica_password);
- $r = q("SELECT * FROM `user` WHERE `uid`=$uid AND `password`='%s'",
- dbesc($encrypted)
- );
- if (!count($r)) {
+ if (!User::authenticate((int) $uid, $friendica_password)) {
 info("Wrong friendica password!");
 return;
 }
diff --git a/windowsphonepush/windowsphonepush.php b/windowsphonepush/windowsphonepush.php
index ffebd410..baa4c656 100644
--- a/windowsphonepush/windowsphonepush.php
+++ b/windowsphonepush/windowsphonepush.php
@@ -455,19 +455,10 @@ function windowsphonepush_login(App $a)
 die('This api requires login');
 }
- $user = $_SERVER['PHP_AUTH_USER'];
- $encrypted = hash('whirlpool',trim($_SERVER['PHP_AUTH_PW']));
+ $user_id = User::authenticate($_SERVER['PHP_AUTH_USER'], trim($_SERVER['PHP_AUTH_PW']));
- // check if user specified by app is available in the user table
- $r = q("SELECT * FROM `user` WHERE ( `email` = '%s' OR `nickname` = '%s' ) AND `password` = '%s' AND `blocked` = 0 AND `account_expired` = 0 AND `account_removed` = 0 AND `verified` = 1 LIMIT 1",
- dbesc(trim($user)),
- dbesc(trim($user)),
- dbesc($encrypted)
- );
-
- if(count($r)){
- $record = $r[0];
+ if ($user_id) {
+ $record = dba::select('user', [], ['uid' => $user_id], ['limit' => 1]);
 } else {
 logger('API_login failure: ' . print_r($_SERVER, true), LOGGER_DEBUG);
 header('WWW-Authenticate: Basic realm="Friendica"');
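Review bot: In the windowsphonepush hunk, `$record` is now assigned the return value of dba::select(), whereas the code it replaces assigned a single row (`$r[0]`), and windowsphonepush_login continues past the hunk where `$record` is presumably still read as an array. In the core dba API I know, dba::select() hands back a result handle rather than a row, so this would need `$record = dba::fetch(dba::select('user', [], ['uid' => $user_id], ['limit' => 1]));` or the single-row helper if the targeted core version has one — confirm against the dba version the addon targets. The username is also no longer trimmed while the password still is, which the removed query did for both, so `User::authenticate(trim($_SERVER['PHP_AUTH_USER']), trim($_SERVER['PHP_AUTH_PW']))` preserves the old behaviour unless User::authenticate trims internally. Separately, the failure branch kept as context logs `print_r($_SERVER, true)` at debug level, which includes `PHP_AUTH_PW`; logging only the user name, `logger('API_login failure for ' . $_SERVER['PHP_AUTH_USER'], LOGGER_DEBUG);`, keeps submitted passwords out of the log file.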