Upgrade to 3.6.0

Bastian Allgeier
2021-11-16 14:53:37 +01:00
parent 7388fa4d24
commit 92b7a330fa
318 changed files with 20017 additions and 6878 deletions


@@ -8,10 +8,10 @@ use Kirby\Exception\InvalidArgumentException;
use Kirby\Exception\LogicException;
use Kirby\Exception\NotFoundException;
use Kirby\Exception\PermissionException;
use Kirby\Filesystem\F;
use Kirby\Http\Idn;
use Kirby\Http\Request\Auth\BasicAuth;
use Kirby\Toolkit\A;
use Kirby\Toolkit\F;
use Throwable;
/**
@@ -95,21 +95,7 @@ class Auth
*/
public function createChallenge(string $email, bool $long = false, string $mode = 'login')
{
// ensure that email addresses with IDN domains are in Unicode format
$email = Idn::decodeEmail($email);
if ($this->isBlocked($email) === true) {
$this->kirby->trigger('user.login:failed', compact('email'));
if ($this->kirby->option('debug') === true) {
$message = 'Rate limit exceeded';
} else {
// avoid leaking security-relevant information
$message = ['key' => 'access.login'];
}
throw new PermissionException($message);
}
$email = $this->validateEmail($email);
// rate-limit the number of challenges for DoS/DDoS protection
$this->track($email, false);
@@ -190,7 +176,7 @@ class Auth
$fromHeader = $this->kirby->request()->csrf();
// check for a predefined csrf or use the one from session
$fromSession = $this->kirby->option('api.csrf', csrf());
$fromSession = $this->csrfFromSession();
// compare both tokens
if (hash_equals((string)$fromSession, (string)$fromHeader) !== true) {
@@ -200,6 +186,18 @@ class Auth
return $fromSession;
}
/**
* Returns either predefined csrf or the one from session
* @since 3.6.0
*
* @return string
*/
public function csrfFromSession(): string
{
$isDev = $this->kirby->option('panel.dev', false) !== false;
return $this->kirby->option('api.csrf', $isDev ? 'dev' : csrf());
}
/**
* Returns the logged in user by checking
* for a basic authentication header with
@@ -384,7 +382,7 @@ class Auth
* @param bool $long
* @return \Kirby\Cms\User
*
* @throws \Kirby\Exception\PermissionException If the rate limit was exceeded or if any other error occured with debug mode off
* @throws \Kirby\Exception\PermissionException If the rate limit was exceeded or if any other error occurred with debug mode off
* @throws \Kirby\Exception\NotFoundException If the email was invalid
* @throws \Kirby\Exception\InvalidArgumentException If the password is not valid (via `$user->login()`)
*/
@@ -415,7 +413,7 @@ class Auth
* @param bool $long
* @return \Kirby\Cms\Auth\Status
*
* @throws \Kirby\Exception\PermissionException If the rate limit was exceeded or if any other error occured with debug mode off
* @throws \Kirby\Exception\PermissionException If the rate limit was exceeded or if any other error occurred with debug mode off
* @throws \Kirby\Exception\NotFoundException If the email was invalid
* @throws \Kirby\Exception\InvalidArgumentException If the password is not valid (via `$user->login()`)
*/
@@ -493,18 +491,15 @@ class Auth
}
/**
* Validates the user credentials and returns the user object on success;
* otherwise logs the failed attempt
* Ensures that email addresses with IDN domains are in Unicode format
* and that the rate limit was not exceeded
*
* @param string $email
* @param string $password
* @return \Kirby\Cms\User
* @return string The normalized Unicode email address
*
* @throws \Kirby\Exception\PermissionException If the rate limit was exceeded or if any other error occured with debug mode off
* @throws \Kirby\Exception\NotFoundException If the email was invalid
* @throws \Kirby\Exception\InvalidArgumentException If the password is not valid (via `$user->login()`)
* @throws \Kirby\Exception\PermissionException If the rate limit was exceeded
*/
public function validatePassword(string $email, string $password)
protected function validateEmail(string $email): string
{
// ensure that email addresses with IDN domains are in Unicode format
$email = Idn::decodeEmail($email);
@@ -523,6 +518,25 @@ class Auth
throw new PermissionException($message);
}
return $email;
}
/**
* Validates the user credentials and returns the user object on success;
* otherwise logs the failed attempt
*
* @param string $email
* @param string $password
* @return \Kirby\Cms\User
*
* @throws \Kirby\Exception\PermissionException If the rate limit was exceeded or if any other error occurred with debug mode off
* @throws \Kirby\Exception\NotFoundException If the email was invalid
* @throws \Kirby\Exception\InvalidArgumentException If the password is not valid (via `$user->login()`)
*/
public function validatePassword(string $email, string $password)
{
$email = $this->validateEmail($email);
// validate the user
try {
if ($user = $this->kirby->users()->find($email)) {
@@ -724,7 +738,7 @@ class Auth
* logged in user will be returned
* @return \Kirby\Cms\User|null
*
* @throws \Throwable If an authentication error occured
* @throws \Throwable If an authentication error occurred
*/
public function user($session = null, bool $allowImpersonation = true)
{
@@ -770,7 +784,7 @@ class Auth
* @return \Kirby\Cms\User User object of the logged-in user
*
* @throws \Kirby\Exception\PermissionException If the rate limit was exceeded, the challenge timed out, the code
* is incorrect or if any other error occured with debug mode off
* is incorrect or if any other error occurred with debug mode off
* @throws \Kirby\Exception\NotFoundException If the user from the challenge doesn't exist
* @throws \Kirby\Exception\InvalidArgumentException If no authentication challenge is active
* @throws \Kirby\Exception\LogicException If the authentication challenge is invalid
@@ -830,7 +844,7 @@ class Auth
throw new LogicException('Invalid authentication challenge: ' . $challenge);
} catch (Throwable $e) {
if ($e->getMessage() !== 'Rate limit exceeded') {
if (empty($email) === false && $e->getMessage() !== 'Rate limit exceeded') {
$this->track($email);
}