mirror/moodle-auth_emailotp
1
0
Fork 0
mirror of https://github.com/PawelSuwinski/moodle-auth_emailotp.git synced 2026-05-16 21:41:27 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
moodle-auth_emailotp/auth.php
Paweł Suwiński 50699c4caa fix notice only variables should be passed by reference
2020-11-26 09:10:36 +01:00

273 lines
9.3 KiB
PHP
Raw Permalink Blame History

<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Email OTP authentication plugin.
*
* @see self::user_login()
* @see self::get_user_field()
* @package auth_emailotp
* @copyright 2020 Pawel Suwinski <psuw@wp.pl>
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
defined('MOODLE_INTERNAL') || die();
require_once($CFG->libdir.'/authlib.php');
use core\output\notification;
/**
* Email OTP authentication plugin.
*
* @see self::user_login()
* @see self::get_user_field()
* @package auth_emailotp
* @copyright 2020 Pawel Suwinski <psuw@wp.pl>
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class auth_plugin_emailotp extends auth_plugin_base {
/**
* The name of the component. Used by the configuration.
*/
const COMPONENT_NAME = 'auth_emailotp';
/**
* Constructor.
*/
public function __construct() {
$this->authtype = 'emailotp';
$this->config = get_config(self::COMPONENT_NAME);
}
/**
* Old syntax of class constructor. Deprecated in PHP7.
*
* @deprecated since Moodle 3.1
*/
public function auth_plugin_emailotp() {
debugging('Use of class name as constructor is deprecated', DEBUG_DEVELOPER);
self::__construct();
}
/**
* Matches only valid email from allowed domains. Validates credentials and
* password if exists in current session or generates ones for session time
* on empty password treated as one-time password request.
*
* @param string $username The username
* @param string $password The password
* @return bool Authentication success or failure.
*/
public function user_login($username, $password) {
global $CFG, $DB;
$email = validate_email($username)
? $username // Email as username or signup on first login.
: $this->get_user_field($username, 'email'); // Standard login, existing user.
if (empty($email) || email_is_not_allowed($email)) {
return false;
}
// OTP already generated and base credentials matches.
if (isset($_SESSION[self::COMPONENT_NAME]) &&
$_SESSION[self::COMPONENT_NAME]['credentials'] === static::get_credentials($username)) {
if (empty($password)) {
return (bool) $this->redirect($username, 'otpsent', notification::NOTIFY_INFO);
} else if (password_verify($password, $_SESSION[self::COMPONENT_NAME]['password'])) {
return true;
}
}
// OTP request - do not proceed on preventaccountcreation when user not exits.
if (!isset($_SESSION[self::COMPONENT_NAME]) && empty($password) && (
empty($CFG->authpreventaccountcreation) || $this->get_user_field($username, 'id'))) {
if (!$this->min_request_period_fulfilled($email)) {
$this->redirect($username, 'otpperiod', notification::NOTIFY_WARNING);
} else if ($this->gen_otp($username, $email)) {
\auth_emailotp\event\otp_generated::create(array(
'other' => array('email' => $email),
))->trigger();
$this->redirect($username, 'otpsent', notification::NOTIFY_SUCCESS);
} else {
$this->redirect($username, 'otpsent', notification::NOTIFY_ERROR);
}
}
// OTP exits but validation failed - reset if revoke threshold is set.
if (isset($_SESSION[self::COMPONENT_NAME])) {
$_SESSION[self::COMPONENT_NAME]['login_failed_count']++;
if (!empty($this->config->revokethreshold) &&
$_SESSION[self::COMPONENT_NAME]['login_failed_count'] >= $this->config->revokethreshold) {
unset($_SESSION[self::COMPONENT_NAME]);
\core\notification::add(get_string('otprevoked', self::COMPONENT_NAME),
notification::NOTIFY_WARNING
);
\auth_emailotp\event\otp_revoked::create(array(
'other' => array('email' => $email),
))->trigger();
}
}
return false;
}
public function is_synchronised_with_external() {
return false;
}
public function is_internal() {
return false;
}
public function can_be_manually_set() {
return true;
}
public function user_authenticated_hook(&$user, $username, $password) {
// Destroy credentials - is already used.
if (isset($_SESSION[self::COMPONENT_NAME])) {
unset($_SESSION[self::COMPONENT_NAME]);
}
}
/**
* get_userinfo
*
* Signup and user creation on first login takes place only in case of
* using email address as username.
*
* @param string $username
* @return array
*/
public function get_userinfo($username) {
$this->get_custom_user_profile_fields();
$fields = array('email' => $username);
if ($this->config->fieldsmapping_pattern &&
$this->config->fieldsmapping_mapping) {
$fields += array_filter(
(new \auth_emailotp\fields_mapper(
$this->config->fieldsmapping_pattern,
strtolower($username)
))->map(array_map(function($mapping) {
return trim($mapping);
}, explode(PHP_EOL, $this->config->fieldsmapping_mapping))),
function($key) {
return in_array($key, $this->userfields) ||
in_array($key, $this->customfields);
},
ARRAY_FILTER_USE_KEY
);
}
return $fields;
}
/**
* get_credentials
*
* @param string $username
* @return void
*/
protected static function get_credentials($username) {
return array(
'username' => $username,
'user_agent' => $_SERVER['HTTP_USER_AGENT'],
'ip' => getremoteaddr(),
);
}
/**
* gen_otp
*
* @param string $username
* @param string $email
* @return bool
*/
protected function gen_otp(string $username, string $email) {
global $CFG;
$newpassword = generate_password();
$_SESSION[self::COMPONENT_NAME] = array(
'credentials' => static::get_credentials($username),
'password' => password_hash($newpassword, PASSWORD_DEFAULT),
'login_failed_count' => 0,
);
$user = (object)array(
'id' => -1, // Fake due email_to_user() requirements.
'auth' => $this->authtype,
'username' => $username,
'email' => $email,
'password' => $newpassword,
);
return email_to_user($user, core_user::get_support_user(),
format_string(get_site()->fullname).': '.
get_string('otpgeneratedsubj', self::COMPONENT_NAME, $user),
get_string('otpgeneratedtext', self::COMPONENT_NAME, $user)
);
}
/**
* redirect
*
* @param string $username
* @param string $msg
* @return void
*/
protected function redirect(string $username, string $msg, string $level) {
global $CFG;
redirect(get_login_url().'?username='.urlencode($username),
get_string($msg.$level, self::COMPONENT_NAME), null, $level);
}
/**
* min_request_period_fulfilled
*
* @param string $email
* @return bool
*/
protected function min_request_period_fulfilled(string $email) {
// Min request period security disabled.
if (empty($this->config->minrequestperiod)) {
return true;
}
// Log reader required - silently return failure on absence.
$readers = get_log_manager()->get_readers('\core\log\sql_reader');
$reader = reset($readers);
return $reader && $reader->get_events_select_count(
'component = ? AND action = ? AND timecreated >= ? AND other = ?',
array(
self::COMPONENT_NAME,
'generated',
time() - $this->config->minrequestperiod,
json_encode(['email' => $email]),
)
) === 0;
}
/**
* get_user_field
*
* @see moodle_database::get_field()
* @param string $username
* @param string $field
* @return mixed
*/
protected function get_user_field(string $username, string $field) {
global $CFG, $DB;
return $DB->get_field('user', $field, array(
'username' => $username,
'mnethostid' => $CFG->mnet_localhost_id,
'auth' => $this->authtype,
'deleted' => 0,
));
}
}
Reference in New Issue View Git Blame Copy Permalink