PersistentLoginService.php

Go to the documentation of this file.

<?php
namespace Elgg;
class PersistentLoginService {

    public function __construct(
            Database $db,
            \ElggSession $session,
            \ElggCrypto $crypto,
            array $cookie_config,
            $cookie_token,
            $time = null) {
        $this->db = $db;
        $this->session = $session;
        $this->crypto = $crypto;
        $this->cookie_config = $cookie_config;
        $this->cookie_token = $cookie_token;

        $prefix = $this->db->getTablePrefix();
        $this->table = "{$prefix}users_remember_me_cookies";
        $this->time = is_numeric($time) ? (int)$time : time();
    }

    public function makeLoginPersistent(\ElggUser $user) {
        $token = $this->generateToken();
        $hash = $this->hashToken($token);

        $this->storeHash($user, $hash);
        $this->setCookie($token);
        $this->setSession($token);
    }

    public function removePersistentLogin() {
        if ($this->cookie_token) {
            $client_hash = $this->hashToken($this->cookie_token);
            $this->removeHash($client_hash);
        }

        $this->setCookie("");
        $this->setSession("");
    }

    public function handlePasswordChange(\ElggUser $subject, \ElggUser $modifier = null) {
        $this->removeAllHashes($subject);
        if (!$modifier || ($modifier->guid !== $subject->guid) || !$this->cookie_token) {
            return;
        }

        $this->makeLoginPersistent($modifier);
    }

    public function bootSession() {
        if (!$this->cookie_token) {
            return null;
        }

        // is this token good?
        $cookie_hash = $this->hashToken($this->cookie_token);
        $user = $this->getUserFromHash($cookie_hash);
        if ($user) {
            $this->setSession($this->cookie_token);
            // note: if the token is legacy, we don't both replacing it here because
            // it will be replaced during the next request boot
            return $user;
        } else {
            if ($this->isLegacyToken($this->cookie_token)) {
                // may be attempt to brute force legacy low-entropy tokens
                call_user_func($this->_callable_sleep, 1);
            }
            $this->setCookie('');
        }
    }

    public function replaceLegacyToken(\ElggUser $logged_in_user) {
        if (!$this->cookie_token || !$this->isLegacyToken($this->cookie_token)) {
            return;
        }

        // replace user's old weaker-entropy code with new one
        $this->removeHash($this->hashToken($this->cookie_token));
        $this->makeLoginPersistent($logged_in_user);
    }

    public function getUserFromHash($hash) {
        if (!$hash) {
            return null;
        }

        $hash = $this->db->sanitizeString($hash);
        $query = "SELECT guid FROM {$this->table} WHERE code = '$hash'";
        try {
            $user_row = $this->db->getDataRow($query);
        } catch (\DatabaseException $e) {
            return $this->handleDbException($e);
        }
        if (!$user_row) {
            return null;
        }

        $user = call_user_func($this->_callable_get_user, $user_row->guid);
        return $user ? $user : null;
    }

    protected function storeHash(\ElggUser $user, $hash) {
        $time = time();
        $hash = $this->db->sanitizeString($hash);

        $query = "
            INSERT INTO {$this->table} (code, guid, timestamp)
            VALUES ('$hash', {$user->guid}, $time)
        ";
        try {
            $this->db->insertData($query);
        } catch (\DatabaseException $e) {
            $this->handleDbException($e);
        }
    }

    protected function removeHash($hash) {
        $hash = $this->db->sanitizeString($hash);

        $query = "DELETE FROM {$this->table} WHERE code = '$hash'";
        try {
            $this->db->deleteData($query);
        } catch (\DatabaseException $e) {
            $this->handleDbException($e);
        }
    }

    protected function handleDbException(\DatabaseException $exception, $default = null) {
        if (false !== strpos($exception->getMessage(), "users_remember_me_cookies' doesn't exist")) {
            // schema has not been updated so we swallow this exception
            return $default;
        } else {
            throw $exception;
        }
    }

    protected function removeAllHashes(\ElggUser $user) {
        $query = "DELETE FROM {$this->table} WHERE guid = '{$user->guid}'";
        try {
            $this->db->deleteData($query);
        } catch (\DatabaseException $e) {
            $this->handleDbException($e);
        }
    }

    protected function hashToken($token) {
        // note: with user passwords, you'd want legit password hashing, but since these are randomly
        // generated and long tokens, rainbow tables aren't any help.
        return md5($token);
    }

    protected function setCookie($token) {
        $cookie = new \ElggCookie($this->cookie_config['name']);
        foreach (array('expire', 'path', 'domain', 'secure', 'httponly') as $key) {
            $cookie->$key = $this->cookie_config[$key];
        }
        $cookie->value = $token;
        if (!$token) {
            $cookie->expire = $this->time - (86400 * 30);
        }
        call_user_func($this->_callable_elgg_set_cookie, $cookie);
    }

    protected function setSession($token) {
        if ($token) {
            $this->session->set('code', $token);
        } else {
            $this->session->remove('code');
        }
    }

    protected function generateToken() {
        return 'z' . $this->crypto->getRandomString(31);
    }

    protected function isLegacyToken($token) {
        return (isset($token[0]) && $token[0] !== 'z');
    }

    protected $db;

    protected $table;

    protected $cookie_config;

    protected $cookie_token;

    protected $session;

    protected $crypto;

    protected $time;

    public $_callable_get_user = 'get_user';

    public $_callable_elgg_set_cookie = 'elgg_set_cookie';

    public $_callable_sleep = 'sleep';
}