
<?php

   /*
    * Filename: auth.class.php
    * 
    * Description:
    *    Authentication and authorization class for a web application.
    *    Requires database table with following minimal structure
    *       _user_id     int unsigned not null auto_increment  (name configurable via 'column id')
    *       name         varchar(64)
    *       passwd       varchar(256)
    *       access       text
    *    defaults are table _user, with columns _user_id, name, passwd and access.
    *    name and passwd are matched against database entries; on success the
    *    row's name, id and access are stored in the instantiation of the class.
    * 
    *    passwd should be able to handle 256 chars as hashes become
    *    longer.
    *
    * 
    * $Rev:: 1            $: Revision in Repository
    * $Author:: rodolico  $: Last Author
    * $Date:: 2017-07-28 0$: Last Commit
    * 
    * 
    * History:
    * 20170728 - RWR - 1.0
    *    Initial build
    */

   require_once( 'DBQuery.class.php' );

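   class Auth {

      // All configuration and per-user state lives in $parameters so it can be
      // read and written through __get/__set. Keys:
      //   'table name', 'column username', 'column password', 'column access',
      //   'column id'            -- schema mapping, normally set at construction
      //   'login page'           -- optional URL authorize() redirects to
      //   'allow empty password' -- opt-in: an account whose stored hash is
      //                             NULL, '' or the string 'null' accepts ANY
      //                             password (manual-reset backdoor). Off by
      //                             default because it is an authentication
      //                             bypass for every freshly created account.
      //   'username', 'user id', 'access' -- filled in by verifyLogin()
      protected $parameters = array(
                               'table name' => '_user', // table storing auth info
                               'column username' => 'name', // field to match username to
                               'column password' => 'passwd', // field to match password to
                               'column access' => 'access',    // field which contains access information
                               'column id' => '_user_id', // unique user id in table
                               'allow empty password' => false // see note above
                            );

      // Set only by verifyLogin() after a successful password check. Kept
      // outside $parameters so it cannot be flipped through __set() or the
      // constructor; it survives serialization into $_SESSION like any property.
      private $authenticated = false;

      /*
      * Merge caller-supplied parameters over the defaults.
      * @param array $parameters  key => value pairs (see $parameters above)
      */
      public function __construct( array $parameters = array() ) {
         foreach ( $parameters as $key => $value ) {
            $this->parameters[$key] = $value;
         }
      } // construct

      /*
      * Read a parameter. Returns null, without an undefined-index notice,
      * when the key was never set.
      */
      public function __get( $parameter ) {
         return isset( $this->parameters[$parameter] ) ? $this->parameters[$parameter] : null;
      } // function get

      /*
      * Write a parameter and return the previous value. PHP ignores the
      * return value of a magic __set, so it is only visible when the method
      * is invoked directly. (The original called an undefined get() and
      * returned an undefined variable.)
      */
      public function __set( $parameter, $value ) {
         $oldValue = $this->__get( $parameter );
         $this->parameters[$parameter] = $value;
         return $oldValue;
      } // function set


      /*
      * Gate access to a resource.
      * $resource is accepted for a future per-page check but is not
      * consulted yet: every authenticated user is allowed through.
      * Only an object that passed verifyLogin() counts as authenticated;
      * merely having 'username' in $parameters is not enough, because that
      * key can be seeded by the constructor or __set() before any password
      * is checked.
      * Unauthenticated callers are redirected to 'login page' when it is set,
      * otherwise shown the built-in login form; both paths exit().
      * @return bool true when access is granted (never returns otherwise)
      */
      public function authorize ( $resource = '' )  {
         if ( $this->authenticated && isset( $this->parameters['username'] ) ) {
            // TODO: consult $this->parameters['access'] against $resource
            return true;
         }
         if ( isset( $this->parameters['login page'] ) ) {
            // 'login page' is configuration, not request input. Curly syntax
            // is required here: "$this->parameters[login page]" interpolates
            // only $this->parameters and emits "Array[login page]".
            header( "Location: {$this->parameters['login page']}" );
            exit();
         }
         print $this->createLoginPage();
         exit();
      } // function authorize


      /*
      * Check a username/password pair against the database.
      * @param string      $password  clear-text password supplied by the user
      * @param string|null $username  user name; when null, the previously
      *                               stored 'username' parameter is used
      * @return bool true on success. On success 'username', 'user id' and
      *         'access' are (re)loaded from the matching row and the object
      *         becomes authenticated; on failure nothing is stored.
      */
      function verifyLogin( $password, $username = null ) {
         // Resolve the user name WITHOUT writing it into $parameters first:
         // the original stored it before checking the password, which made
         // authorize() succeed after a failed login attempt.
         if ( $username === null && isset( $this->parameters['username'] ) ) {
            $username = $this->parameters['username'];
         }
         if ( $username === null || $password === null ) {
            return false;
         }
         // Table/column names come from configuration. makeSafeSQL() (from
         // DBQuery.class.php; assumed to return a quoted literal, since the
         // original used it without surrounding quotes) protects the only
         // user-supplied value. Curly syntax is required: the simple
         // "$this->parameters[column id]" form interpolates only the array and
         // produces "Array[column id]", i.e. broken SQL.
         $sql = "select
                   {$this->parameters['column id']} 'id',
                   {$this->parameters['column username']} 'username',
                   {$this->parameters['column password']} 'password',
                   {$this->parameters['column access']} 'access'
                from
                   {$this->parameters['table name']}
                where
                   {$this->parameters['column username']} = " . makeSafeSQL( $username );
         $results = new DBQuery( $sql );
         if ( ! $results->getOneRow() ) {
            return false;
         }
         $stored = $results->password;
         // password_verify() is constant-time; guard against a non-string
         // (NULL) hash, which newer PHP rejects with a deprecation/TypeError.
         $verifiedByHash = is_string( $stored ) && password_verify( $password, $stored );
         $verified = $verifiedByHash;
         // Opt-in manual-reset path (see class comment): an account with no
         // stored hash accepts any password. Deliberately off unless
         // 'allow empty password' is truthy.
         if ( ! $verified && ! empty( $this->parameters['allow empty password'] ) ) {
            $verified = ( $stored === null || $stored === '' || $stored === 'null' );
         }
         if ( ! $verified ) {
            return false;
         }
         $this->parameters['username'] = $results->username;
         $this->parameters['user id'] = $results->id;
         $this->parameters['access'] = $results->access;
         $this->authenticated = true;
         // Transparently upgrade hashes made with an older algorithm/cost.
         // Only done when the hash itself verified, never on the bypass path.
         if ( $verifiedByHash && password_needs_rehash( $stored, PASSWORD_DEFAULT ) ) {
            $this->setPassword( $password );
         }
         return true;
      } // function verifyLogin


      /*
      * Hash $password with PASSWORD_DEFAULT and store it for the currently
      * loaded user ('user id' parameter).
      * @return DBQuery|false the executed query, or false when no 'user id'
      *         is loaded (the original would have issued a malformed UPDATE)
      */
      function setPassword ( $password ) {
         if ( ! isset( $this->parameters['user id'] ) ) {
            return false;
         }
         $hash = password_hash( $password, PASSWORD_DEFAULT );
         // Pass both values through makeSafeSQL() instead of interpolating:
         // hash alphabets differ between algorithms, and 'user id' may have
         // been supplied through __set() rather than loaded from the table.
         $sql = "update {$this->parameters['table name']}
               set {$this->parameters['column password']} = " . makeSafeSQL( $hash ) . "
               where {$this->parameters['column id']} = " . makeSafeSQL( $this->parameters['user id'] );
         return new DBQuery( $sql, true );
      } // setPassword


      /*
      * Return the markup of the built-in login form.
      * NOTE(review): the string starts with a literal "<?php ... ?>" block that
      * the browser receives as text, and the form posts fields 'login' and
      * 'pass' to login.html, which nothing in this class reads -- the author
      * describes this as a shell. Left byte-for-byte; callers may depend on it.
      */
      public function createLoginPage () {
       return '<?php
            session_start();
            if (isset( $_POST["submit"])) {
            include_once( "Auth.class.php" );
            $_SESSION["authorization information"] = new Auth();
            ?>
            <html><body>
            <h3 align="center">Enter your username and password below</h3>
                     <FORM action="login.html" method="POST" enctype="multipart/form-data">
                       <table border="1" cellpadding="2" align="center">
                       <tbody>
                         <tr>
                           <td>User Name</td>
                           <td><input type="text" name="login" size="20"></td>
                         </tr>
                         <tr>
                           <td>Password</td>
                           <td><input type="password" name="pass" size="20"></td>
                         </tr>
                         <tr><TD colspan="2" align="center"><INPUT type="submit" name="Login" value="Log In"></TD></tr>
                       </tbody>
                     </table>
                     </FORM></body></html>';
      } // function createLoginPage


   } // class Auth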

?>