Subversion Repositories phpLibraryV2

Rev

Rev 4 | Rev 8 | Go to most recent revision | Blame | Compare with Previous | Last modification | View Log | Download | RSS feed

<?php

   /*
    * Filename: auth.class.php
    * 
    * Description:
    *    Authorization class for web application.
    *    Requires database table with following minimal structure
    *       id           int unsigned not null auto_increment
    *       name         varchar(64)
    *       passwd       varchar(256)
    *       access       text
    *    defaults are table _user, with columns name, passwd and access
    *    name and pass are matched against database entries, then name
    *    and access are stored in instantiation of class
    * 
    *    passwd should be able to handle 256 chars as hashes become
    *    longer.
    *
    * 
    * $Rev:: 6            $: Revision in Repository
    * $Author:: rodolico  $: Last Author
    * $Date:: 2017-07-28 0$: Last Commit
    * 
    * 
    * History:
    * 20170728 - RWR - 1.0
    *    Initial build
    */

   require_once( 'DBQuery.class.php' );
   
   global $DEBUG;

   class Auth {

      // all data stored in $parameters. We will initialize $parameters
      // with some default data
      protected $parameters = array(
                               'table name' => '_user', // table storing auth info
                               'column username' => 'username', // field to match username to
                               'column password' => 'passwd', // field to match password to
                               'column access' => 'access',    // field which contains access information
                               'column id' => '_user_id', // unique user id in table
                            );

      
      // constructor simply loads parameters into array from 
      public function __construct( $parameters = array() ) {
         // first, gather all info from the parameters array
         foreach ( $parameters as $key  => $value )
            $this->parameters[$key] = $value;
         $this->logIt( 1, 'Constructed Auth' );
      } // construct
      

      protected function logIt ( $level, $message, $file = null, $class = null, $function = null, $line = null ) {
         global $DEBUG;
         if ( isset( $DEBUG ) ) {
            $DEBUG->writeLog( $level, $message, $file, $class, $function, $line );
         }
      } // logIt
         

      public function save() {
         return $this->parameters;
      } // save
      
      public function load( $parameters ) {
         $this->parameters = $parameters;
      } // load

      public function __get( $parameter ) {
         return $this->parameters[$parameter];
      } // function get

      public function __set ($parameter, $value ) {
         $oldValue = $this->parameters[$parameter];
         $this->parameters[$parameter] = $value;
         return $oldValue;
      } // function set
       

      /* 
      * authorizes access to a resource
      * just a shell at this time.
      */
      public function authorize ( $resource = '' )  {
         if ( isset( $this->parameters['username'] ) ) {
            /* 
            * code here to actually determine if user is authorized
            * for this page
            */
            return true;
         } elseif ( isset( $this->parameters['login page'] ) ) {
            // redirect to login page
            $loginPage = $this->parameters['login page'];
            header( "Location: $loginPage" );
            exit();
         } else {
            print $this->createLoginPage();
            exit();
         }
      } // function authorize
    
    
      /*
      * Checks if the username and password are valid.
      * username can either be taken from parameters or from $this->parameters
      * on success, sets username, password, user_id and access from
      * database (I know username should not change, but I want the db val
      */
      function verifyLogin( $password, $username = null ) {
         if ( isset( $username ) ) 
            $this->parameters['username'] = $username;
         if ( isset( $this->parameters['username'] ) && isset( $password ) ) {
            $sql = "select " . 
                     $this->parameters['column id'] . " 'id'," .
                     $this->parameters['column username'] . " 'username'," .
                     $this->parameters['column password'] . " 'password'," .
                     $this->parameters['column access'] . " 'access' " .
                  " from " .
                     $this->parameters['table name'] .
                  " where " .
                     $this->parameters['column username'] . " = " . 
                        DBQuery::makeSafeSQLConstant( $this->parameters['username'] );
            $this->logIt( 3, "Query = $sql", null, __CLASS__, __FUNCTION__, __LINE__ );
            $results = new DBQuery( $sql );
            if ( $results->getOneRow() ) {
               // a special case is when the password stored in the database is null
               // in which case we give full access. This allows us to do a manual reset
               // if passwords are lost.
               $data = $results->__get( 'returnData' );
               $this->logIt( 4, "Results = " . print_r( $results, true) , null, __CLASS__, __FUNCTION__, __LINE__ );
               $this->logIt( 3, "Data = " . print_r( $data, true) , null, __CLASS__, __FUNCTION__, __LINE__ );
               if ( $data->password == '' || $data->password == null || password_verify( $password, $data->password ) ) {
                  $this->parameters['username'] = $data->username;
                  $this->parameters['user_id'] = $data->id;
                  $this->parameters['access'] = $data->access;
                  return array( 'username' => $data->username, 'user_id' => $data->id, 'access' => $data->access );
               } // if password verifies
            } // if the query executed
         } // if we have a username and a password
         return false;
      } // function verifyLogin
    
    
      /* update password hash from parameter passed in, saving it in database */
      function setPassword ( $password ) {
         $hash = password_hash( $password, PASSWORD_DEFAULT );
         $sql = "update $this->parameters[table name] 
               set $this->parameters[column password] = '$hash' 
               where $this->parameters[column id] = $this->parameters[user id]";
         return new DBQuery( $sql, true );
      } // setPassword
       
    
      public function createLoginPage () {
       return '<?php
            session_start();
            if (isset( $_POST["submit"])) {
            include_once( "Auth.class.php" );
            $_SESSION["authorization information"] = new Auth();
            ?>
            <html><body>
            <h3 align="center">Enter your username and password below</h3>
                     <FORM action="login.html" method="POST" enctype="multipart/form-data">
                       <table border="1" cellpadding="2" align="center">
                       <tbody>
                         <tr>
                           <td>User Name</td>
                           <td><input type="text" name="login" size="20"></td>
                         </tr>
                         <tr>
                           <td>Password</td>
                           <td><input type="password" name="pass" size="20"></td>
                         </tr>
                         <tr><TD colspan="2" align="center"><INPUT type="submit" name="Login" value="Log In"></TD></tr>
                       </tbody>
                     </table>
                     </FORM></body></html>';
      } // function createLoginPag
       
    
   } // class Auth

?>