login: replace unsupported characters in user names

[minimedit.git] / auth.inc.php

<?php
date_default_timezone_set('Europe/Amsterdam');

function login_password_verify($input, $test)
{
        if (substr($test, 0, 1) != '$') {
                # plaintext match for uncrypted passwords
                return $input === $test;
        }
        return password_verify($input, $test);
}

function login_setcookie()
{
        global $User;
        return setcookie('login', $User['auth'], 0, '/');
}

function login($inuser, $inpass = NULL)
{
        if (empty($inuser)) return;
        if (!isset($inpass)) {
                @list ($inuser, $inauth) = explode(':', $inuser, 2);
        }

        # find password data by user name
        $userdir = 'profile/'.preg_replace('/[^a-z0-9]+/', '-', strtolower($inuser));
        $pwfile = "$userdir/.passwd";
        if (!file_exists($pwfile)) return;
        $usertest = trim(file_get_contents($pwfile));
        if (!$usertest) return;

        # verify password
        $authhash = md5($usertest);
        if (isset($inpass)) {
                if (!login_password_verify($inpass, $usertest)) return;
        }
        else {
                if ($inauth !== $authhash) return;
        }

        if (function_exists('apache_note')) apache_note('user', $inuser);

        if ($log = @fopen("$userdir/last.log", 'w')) {
                fwrite($log, "{$_SERVER['REMOTE_ADDR']} {$_SERVER['HTTP_USER_AGENT']}\n");
        }

        return [
                'name'  => $inuser,
                'dir'   => $userdir,
                'admin' => file_exists("$userdir/.admin"),
                'pass'  => $usertest,
                'auth'  => "$inuser:$authhash",
        ];
}

if (isset($_COOKIE['login'])) {
        global $User;
        $User = login($_COOKIE['login']);
}