Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

A more secure and generalized approach for PDO Basic Auth Backend #1283

Closed
wants to merge 1 commit into from
Closed

A more secure and generalized approach for PDO Basic Auth Backend #1283

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
106 changes: 106 additions & 0 deletions lib/DAV/Auth/Backend/PDOBasicAuth.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,106 @@
<?php

namespace Sabre\DAV\Auth\Backend;

/**
* This is an authentication backend that uses a database to manage passwords.
*
* @copyright Copyright (C) fruux GmbH (https://fruux.com/)
* @author Evert Pot (http://evertpot.com/)
* @license http://sabre.io/license/ Modified BSD License
*/
class PDOBasicAuth extends AbstractBasic {

/**
* Reference to PDO connection
*
* @var PDO
*/
protected $pdo;

/**
* PDO table name we'll be using
*
* @var string
*/
protected $tableName;

/**
* PDO digest column name we'll be using
* (i.e. digest, password, password_hash)
*
* @var string
*/
protected $digestColumn;

/**
* Digest prefix:
* if the backend you are using for is prefixing
* your password hashes set this option to your prefix to
* cut it off before verfiying
*
* @var string
*/
protected $digestPrefix;


/**
* Creates the backend object.
*
* If the filename argument is passed in, it will parse out the specified file fist.
*
* @param \PDO $pdo
*/
function __construct(\PDO $pdo, array $options = []) {

$this->pdo = $pdo;
if(isset($options['tableName'])){
$this->tableName = $options['tableName'];
}
else{
$this->tableName = 'user';
}
if(isset($options['digestColumn'])){
$this->digestColumn = $options['digestColumn'];
}
else{
$this->digestColumn = 'digest';
}
if(isset($options['digestPrefix'])){
$this->digestPrefix = $options['digestPrefix'];
}
}

/**
* Validates a username and password
*
* This method should return true or false depending on if login
* succeeded.
*
* @param string $username
* @param string $password
* @return bool
*/
function validateUserPass($username, $password){
$stmt = $this->pdo->prepare('SELECT ' . $this->digestColumn . ' FROM ' . $this->tableName . ' WHERE email = ?');
$stmt->execute([$username]);
$result = $stmt->fetchAll();

if (!count($result)) {
return false;
}

$digest = $result[0]['password'];

if(isset($this->digestPrefix)){
$digest = substr($digest, strlen($this->digestPrefix));
}

if (password_verify($password, $digest)){
return true;
}
return false;
}

}