login/edit: prepare input restriction for user names

[minimedit.git] / auth.inc.php

diff --git a/auth.inc.php b/auth.inc.php
index 94f0dcc8547f190d5758e7fdad1881a56ce72717..030a394e0b7904db90320b5643d5f274ddbeda4f 100644 (file)
--- a/auth.inc.php
+++ b/auth.inc.php
@@ -1,4 +1,21 @@
 <?php
+date_default_timezone_set('Europe/Amsterdam');
+
+function login_password_verify($input, $test)
+{
+       if (substr($test, 0, 1) != '$') {
+               # plaintext match for uncrypted passwords
+               return $input === $test;
+       }
+       return password_verify($input, $test);
+}
+
+function login_setcookie()
+{
+       global $User;
+       return setcookie('login', $User['auth'], 0, '/');
+}
+
 function login($inuser, $inpass = NULL)
 {
        if (empty($inuser)) return;
@@ -7,7 +24,7 @@ function login($inuser, $inpass = NULL)
        }
 
        # find password data by user name
-       $userdir = 'login/'.strtolower($inuser);
+       $userdir = 'profile/'.preg_replace('/[^a-z0-9]+/', '-', strtolower($inuser));
        $pwfile = "$userdir/.passwd";
        if (!file_exists($pwfile)) return;
        $usertest = trim(file_get_contents($pwfile));
@@ -16,12 +33,7 @@ function login($inuser, $inpass = NULL)
        # verify password
        $authhash = md5($usertest);
        if (isset($inpass)) {
-               if (substr($usertest, 0, 1) == '$') {
-                       if (!password_verify($inpass, $usertest)) return;
-               }
-               else {
-                       if ($inpass !== $usertest) return;
-               }
+               if (!login_password_verify($inpass, $usertest)) return;
        }
        else {
                if ($inauth !== $authhash) return;
@@ -35,7 +47,9 @@ function login($inuser, $inpass = NULL)
 
        return [
                'name'  => $inuser,
+               'dir'   => $userdir,
                'admin' => file_exists("$userdir/.admin"),
+               'pass'  => $usertest,
                'auth'  => "$inuser:$authhash",
        ];
 }