Elgg  Version master
PersistentLoginService.php
Go to the documentation of this file.
1 <?php
2 
3 namespace Elgg;
4 
7 
18 
19  use TimeUsing;
20 
21  protected array $cookie_config;
22 
23  protected string $cookie_token;
24 
29  public $_callable_elgg_set_cookie = 'elgg_set_cookie';
30 
40  public function __construct(
41  protected UsersRememberMeCookiesTable $cookie_table,
42  protected \ElggSession $session,
43  protected \Elgg\Security\Crypto $crypto,
45  \Elgg\Http\Request $request
46  ) {
47  $global_cookies_config = $config->getCookieConfig();
48 
49  $this->cookie_config = $global_cookies_config['remember_me'];
50  $this->cookie_token = $request->cookies->get($this->cookie_config['name'], '');
51  }
52 
60  public function makeLoginPersistent(\ElggUser $user): void {
61  $token = $this->generateToken();
62  $hash = $this->hashToken($token);
63 
64  $this->cookie_table->insertHash($user, $hash);
65  $this->setCookie($token);
66  $this->setSessionToken($token);
67  }
68 
74  public function removePersistentLogin(): void {
75  if ($this->cookie_token) {
76  $client_hash = $this->hashToken($this->cookie_token);
77  $this->cookie_table->deleteHash($client_hash);
78  }
79 
80  $this->setCookie('');
81  $this->setSessionToken('');
82  }
83 
92  public function handlePasswordChange(\ElggUser $subject, \ElggUser $modifier = null): void {
93  $this->cookie_table->deleteAllHashes($subject);
94  if (!$modifier || ($modifier->guid !== $subject->guid) || !$this->cookie_token) {
95  return;
96  }
97 
98  $this->makeLoginPersistent($subject);
99  }
100 
107  public function bootSession(): ?\ElggUser {
108  if (!$this->cookie_token) {
109  return null;
110  }
111 
112  // is this token good?
113  $user = $this->getUserFromToken($this->cookie_token);
114  if ($user) {
115  $this->setSessionToken($this->cookie_token);
116 
117  return $user;
118  }
119 
120  $this->setCookie('');
121  return null;
122  }
123 
131  public function getUserFromToken(string $token): ?\ElggUser {
132  if (empty($token)) {
133  return null;
134  }
135 
136  $hash = $this->hashToken($token);
137  if (empty($hash)) {
138  return null;
139  }
140 
141  $user_row = $this->cookie_table->getRowFromHash($hash);
142  if (empty($user_row)) {
143  return null;
144  }
145 
146  $user = get_user($user_row->guid);
147  return ($user instanceof \ElggUser) ? $user : null;
148  }
149 
157  public function updateTokenUsage(\ElggUser $user): ?bool {
158  if (!$this->cookie_token) {
159  return null;
160  }
161 
162  // update the database record
163  // not interested in number of updated rows, as an update in the same second won't update the row
164  $this->cookie_table->updateHash($user, $this->hashToken($this->cookie_token));
165 
166  // also update the cookie lifetime client-side
167  $this->setCookie($this->cookie_token);
168 
169  return true;
170  }
171 
179  public function removeExpiredTokens($time): bool {
180  $time = Values::normalizeTime($time);
181 
182  $expires = Values::normalizeTime($this->cookie_config['expire']);
183  $diff = $time->diff($expires);
184 
185  $time->sub($diff);
186  if ($time->getTimestamp() > time()) {
187  return false;
188  }
189 
190  return (bool) $this->cookie_table->deleteExpiredHashes($time->getTimestamp());
191  }
192 
200  protected function hashToken(string $token): string {
201  // note: with user passwords, you'd want legit password hashing, but since these are randomly
202  // generated and long tokens, rainbow tables aren't any help.
203  return md5($token);
204  }
205 
213  protected function setCookie(string $token): void {
214  $cookie = new \ElggCookie($this->cookie_config['name']);
215  foreach (['expire', 'path', 'domain', 'secure', 'httpOnly'] as $key) {
216  $cookie->$key = $this->cookie_config[strtolower($key)];
217  }
218 
219  $cookie->value = $token;
220  if (!$token) {
221  $cookie->expire = $this->getCurrentTime('-30 days')->getTimestamp();
222  }
223 
224  call_user_func($this->_callable_elgg_set_cookie, $cookie);
225  }
226 
234  protected function setSessionToken(string $token): void {
235  if ($token) {
236  $this->session->set('code', $token);
237  } else {
238  $this->session->remove('code');
239  }
240  }
241 
250  protected function generateToken(): string {
251  return 'z' . $this->crypto->getRandomString(31);
252  }
253 }
makeLoginPersistent(\ElggUser $user)
Make the user&#39;s login persistent.
bootSession()
Boot the persistent login session, possibly returning the user who should be silently logged in...
$request
Definition: livesearch.php:12
c Accompany it with the information you received as to the offer to distribute corresponding source complete source code means all the source code for all modules it plus any associated interface definition plus the scripts used to control compilation and installation of the executable as a special the source code distributed need not include anything that is normally and so on of the operating system on which the executable unless that component itself accompanies the executable If distribution of executable or object code is made by offering access to copy from a designated then offering equivalent access to copy the source code from the same place counts as distribution of the source even though third parties are not compelled to copy the source along with the object code You may not or distribute the Program except as expressly provided under this License Any attempt otherwise to sublicense or distribute the Program is void
Definition: LICENSE.txt:215
if(!$annotation instanceof ElggAnnotation) $time
Definition: time.php:20
trait TimeUsing
Adds methods for setting the current time (for testing)
Definition: TimeUsing.php:10
setSessionToken(string $token)
Store the token in the session (or remove it from the session)
Elgg Session Management.
Definition: ElggSession.php:19
Manage the users_remember_me_cookies table.
$config
Advanced site settings, debugging section.
Definition: debugging.php:6
getCurrentTime($modifier= '')
Get the (cloned) time.
Definition: TimeUsing.php:25
$user
Definition: ban.php:7
$expires
removeExpiredTokens($time)
Remove all persistent codes from the database which have expired based on the cookie config...
$token
get_user(int $guid)
Elgg users Functions to manage multiple or single users in an Elgg install.
Definition: users.php:16
if($container instanceof ElggGroup &&$container->guid!=elgg_get_page_owner_guid()) $key
Definition: summary.php:44
generateToken()
Generate a random token (base 64 URL)
if(isset($_COOKIE['elggperm'])) $session
Definition: login_as.php:29
updateTokenUsage(\ElggUser $user)
Update the timestamp linked to a persistent cookie code, this indicates that the code was used recent...
Request container.
Definition: Request.php:12
removePersistentLogin()
Remove the persisted login token from client and server.
setCookie(string $token)
Store the token in the client cookie (or remove the cookie)
hashToken(string $token)
Create a hash from the token.
handlePasswordChange(\ElggUser $subject,\ElggUser $modifier=null)
Handle a password change.
__construct(protected UsersRememberMeCookiesTable $cookie_table, protected\ElggSession $session, protected\Elgg\Security\Crypto $crypto,\Elgg\Config $config,\Elgg\Http\Request $request)
Constructor.
$subject
Definition: useradd.php:54
getUserFromToken(string $token)
Get a user from a persistent cookie token.