Commit d8719b2e authored by Korynkai

Initial commit. SQL.php should be in functional order.

Signed-off-by: Korynkai <matt@qmxtech.com>
Copyright (C) 2015 Matt Schultz (Korynkai) & QuantuMatriX Technologies (qmxtech.com)
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
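Review bot: the copyright line in this LICENSE reads 2015 while the header block of SQL.php added in the same commit reads 2016; pick one year (or a range) so the notice in LICENSE and the notice in the source file agree.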
# Codiad-SQLExternalAuth
SQL Database External Authentication Drop-In for Codiad using PHP Data Objects.
Written by Korynkai (Matt Schultz) of QuantuMatriX Technologies.
## Installation
* Download `SQL.php` here: [SQL.php](https://raw.github.com/QMXTech/Codiad-SQLExternalAuth/master/SQL.php) (right-click -> Save Link As).
* Edit `SQL.php` in a text editor, changing configuration values as needed (see below in "Configuration" for a description of these values). Do not edit the core logic (anything under the "Do not edit anything under..." line) -- you can break functionality, corrupt your users.php file, or even accidentally allow anybody to log in and modify your code. Only edit under the line if you're looking to experiment and have a test environment set up.
* Save `SQL.php` somewhere on the webserver, preferably somewhere within the Codiad root (I created a special directory for External Authentication called `auth` on my setup) and ensure your webserver daemon has permissions to read the file.
* Edit Codiad's `config.php` in a text editor, uncommenting and/or adding the line `define("AUTH_PATH", "/path/to/SQL.php");`. Replace "/path/to" with the actual path. You may use the `BASE_PATH` directive if you saved `SQL.php` to somewhere within the Codiad root. For example, on my setup (with the `auth` directory), this is set to `define("AUTH_PATH", BASE_PATH . "/auth/SQL.php");`
:exclamation: Make sure the database and table specified has a username and password column as specified in the configuration and the password column uses a hash format compatible with PHP's "password_verify()" method. The simplest table for Codiad would be created by executing the following SQL: `CREATE TABLE users ( "user" TEXT NOT NULL, "password" TEXT NOT NULL );`. When in doubt about password hashes, you may use the following command from a shell which has PHP in its path to generate a compatible password hash: `php -r 'print password_hash("<PASSWORD>", PASSWORD_DEFAULT)."\n";'`. _**NEVER** use straight password hashes like MD5, SHA1/2, etc... These should be considered insecure regardless of the implementation. PHP's `password_hash()` and `password_verify()` methods automatically salt the password and use a known-secure algorithm._
## Configuration
The following values should be set in accordance with the specific SQL set-up being used:
* `$server` would be your SQL server's connection DSN (`port` is optional if the default port is used); For example:
* `$server = "pgsql:host=localhost;port=5432;dbname=codiad";` for PostgreSQL running locally with database name `codiad` and port 5432 (default for PostgreSQL, shown as an example).
* `$server = "mysql:host=localhost;dbname=codiad";` for MySQL running locally with database name `codiad`.
* `$server = "sqlite:/path/to/sqlite.db"` for an SQLite database file on the local filesystem at `/path/to/sqlite.db`.
* `$dbuser` and `$dbpass` are the username and password to use for Codiad to connect to a networked database server requiring authentication. These should be left blank if connecting to SQLite or another database that does not require a username and password. Example:
* `$dbuser = "codiad";`
* `$dbpass = "secret";`
* `$users_table` is the database table for Codiad to use when searching for user entries. Example:
* `$users_table = "users";`
* `$username_column` and `$password_column` are the columns within the database table which represent the Codiad username and password fields. The password column _must_ be compatible with PHP's "password_verify" method (as described in the "Installation" section). Example:
* `$username_column = "user";`
* `$password_column = "password";`
* `$createuser` either allows or denies the automatic creation of a Codiad user upon successful authentication. If set to true, a `user` will be created if the user successfully authenticates through the database but is not present within Codiad's `data/users.php` file. If set to `false`, the user will be denied access if they are not present within Codiad's `data/users.php` file, regardless of whether or not the user has successfully authenticated. Default is `true`.
\ No newline at end of file
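Review bot: the sample DDL in the Installation section, `CREATE TABLE users ( "user" TEXT NOT NULL, "password" TEXT NOT NULL );`, is dialect-specific: on MySQL, which is the default DSN shipped in SQL.php, double quotes delimit string literals unless ANSI_QUOTES is enabled, so the statement fails there, while on PostgreSQL the quotes are what makes the reserved word `user` usable as a column name. State which dialect the example targets or give one variant per supported database. The step that asks you to "ensure your webserver daemon has permissions to read the file" should also say to make `SQL.php` readable by that account only, since the file holds `$dbpass` in clear text, and the Configuration section should note that `$users_table`, `$username_column` and `$password_column` are spliced into the query text rather than bound, so they must be plain identifiers and not arbitrary strings.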
<?php
/*
* Codiad SQL Database External Authentication Bridge using PHP Data Objects
*
* Copyright (C) 2016 Matt Schultz (Korynkai) & QuantuMatriX Technologies (qmxtech.com)
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the
* "Software"), to deal in the Software without restriction, including
* without limitation the rights to use, copy, modify, merge, publish,
* distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to
* the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
* LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
* OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
* WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/
///////////////////
// CONFIGURATION //
///////////////////
// Server connection string
// This defines the database connection string (dsn). The 'port' attribute is optional
// unless your database server is running on a non-standard port.
// Examples:
// PostgreSQL (with port): "pgsql:host=localhost;port=5432;dbname=codiad";
// MySQL: "mysql:host=localhost;dbname=codiad";
// SQLite: "sqlite:/path/to/sqlite.db"
// Other database schemes supported by PDO may also work. Your mileage may vary.
$server = "mysql:host=localhost;dbname=codiad";
// Database Connection Username and Password
// Note: leave these blank if attempting to connect to an SQLite or other database
// that does not require a username and password.
$dbuser = "codiad";
$dbpass = "secret";
// User table
// The database table where the Codiad usernames and passwords are stored.
// Default is 'users';
$users_table = "users";
// Table layout
// The columns within the above defined user table which correspond to the Codiad username
// and password.
// Defaults: $username_column = "user";
// $password_column = "password";
$username_column = "user";
$password_column = "password";
// Example simple SQL user table:
// CREATE TABLE "users" ( "user" TEXT NOT NULL, "password" TEXT NOT NULL );
// Note: Passwords should be stored in a manner equivalent to PHP's "password_hash()"
// method and compatible with PHP's "password_verify()" method. When in doubt while
// generating a new password hash, use the following command (from shell or equivalent)
// to generate a password hash (replacing "<PASSWORD>" with your password of choice):
// php -r 'print password_hash("<PASSWORD>", PASSWORD_DEFAULT)."\n";'
// Optionally create Codiad user if it doesn't already exist. This can be set
// to 'false' if the administrator would like to manually control access to
// Codiad from within Codiad itself, rather than let the search filter fully
// dictate user access control.
// Default is 'true'.
$createuser = true;
/////////////////////////////////////////////////////////////////////////////
// DO NOT EDIT ANYTHING UNDER THIS LINE UNLESS YOU KNOW WHAT YOU'RE DOING! //
/////////////////////////////////////////////////////////////////////////////
// Ensure we have class.user.php so we may use this class.
require_once( COMPONENTS . "/user/class.user.php" );
// Check if our session is not logged in.
if ( !isset( $_SESSION['user'] ) ) {
// Check if a username and password were posted.
if ( isset( $_POST['username'] ) && isset( $_POST['password'] ) ) {
// Create user object.
$User = new User();
// Initialize values of user object.
$User->username = $_POST['username'];
$User->password = $_POST['password'];
// Attempt to connect to the database. Die with message on failure.
try {
$socket = new PDO( $server, $dbuser, $dbpass, array( PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false ) );
} catch ( RuntimeException $e ) {
// Note: SQLSTATE and JSON do not mix properly... If we do not escape perfectly, Codiad doesn't tell us what's going on...
die( formatJSEND( "error", "Database connection failed: " . str_replace( array( "\t", "\n", "\r\n", "\r" ), " ", addcslashes( $e->getMessage(), '"' ) ) ) );
}
// Construct query string
$query_string = "SELECT " . $password_column . " FROM " . $users_table . " WHERE \"" . $username_column . "\" = :username LIMIT 1";
// Attempt to prepare and execute query
try {
$query = $socket->prepare($query_string);
$query->bindparam(":username", $User->username);
$query->execute();
} catch ( RuntimeException $e ) {
// Note: SQLSTATE and JSON do not mix properly... If we do not escape perfectly, Codiad doesn't tell us what's going on...
die( formatJSEND( "error", "Database query failed: " . str_replace( array( "\t", "\n", "\r\n", "\r" ), " ", addcslashes( $e->getMessage(), '"' ) ) ) );
}
$response = $query->fetch(PDO::FETCH_NUM);
if ( is_array($response) && ( count($response) === 1 ) ) {
// Check password
if ( password_verify( $User->password, $response[0] ) ) {
// Check if user already exists within users.php.
if ( $User->CheckDuplicate() ) {
// Check if we can create a user within users.php.
if ( $createuser == true ) {
// Save array back to JSON and set the session username.
$User->users[] = array( 'username' => $User->username, 'password' => null, 'project' => "" );
saveJSON( "users.php", $User->users );
$_SESSION['user'] = $User->username;
} else {
// Deny login and send message, the user doesn't exist within users.php.
die( formatJSEND( "error", "User " . $User->username . " does not exist within Codiad." ) );
}
} else {
// Set the session username.
$_SESSION['user'] = $User->username;
}
// Set the session language, if given, or set it to english as default.
if ( isset( $_POST['language'] ) ) {
$_SESSION['lang'] = $_POST['language'];
} else {
$_SESSION['lang'] = "en";
}
// Set the session theme and project.
$_SESSION['theme'] = $_POST['theme'];
$_SESSION['project'] = $_POST['project'];
// Respond by sending verification tokens on success.
echo formatJSEND( "success", array( 'username' => $User->username ) );
header( "Location: " . $_SERVER['PHP_SELF'] . "?action=verify" );
} else {
// Invalid login.
die( formatJSEND( "error", "Invalid user name or password." ) );
}
}
}
}
?>
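Review bot: the statement built by `$query_string = "SELECT " . $password_column . " FROM " . $users_table . " WHERE \"" . $username_column . "\" = :username LIMIT 1";` quotes only the username column, and does so with double quotes; with the default `$server = "mysql:host=localhost;dbname=codiad";` a double-quoted token is a string literal unless ANSI_QUOTES is set, so the WHERE clause compares the constant string to the posted username instead of filtering on the column, and the lookup cannot find real users. Quote all three identifiers with the driver's own delimiter (backticks for MySQL, double quotes for PostgreSQL and SQLite), and because they are interpolated rather than bound, reject any configured name that is not a simple identifier so a typo in the configuration block cannot alter the statement. Two smaller points in the same region: the comment "Check if user already exists within users.php." sits on the branch that creates the user when `CheckDuplicate()` returns true, so the comment and the condition read as opposites and one of them should be reworded; and `echo formatJSEND( "success", ... )` followed by `header( "Location: ..." )` writes the body before the header, which PHP rejects with a headers-already-sent warning unless output buffering is active, so keep a single response mechanism. `$_POST['theme']` and `$_POST['project']` are also read without the `isset()` guard that `$_POST['language']` gets immediately above them.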