5 use wcf\data\user\User
;
6 use wcf\system\exception\IllegalLinkException
;
7 use wcf\system\session\SessionHandler
;
11 * Automatically authenticates the user for the current request via an access-token.
12 * A missing token is ignored; an invalid token causes an IllegalLinkException to be thrown.
14 * @author Tim Duesterhus
15 * @copyright 2001-2020 WoltLab GmbH
16 * @license GNU Lesser General Public License <http://opensource.org/licenses/lgpl-license.php>
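abstract class AbstractAuthedPage extends AbstractPage
{
    /**
     * Reads the request parameters and then authenticates the request if an
     * access token was supplied.
     *
     * @throws IllegalLinkException if an access token is present but invalid
     */
    public function readParameters()
    {
        parent::readParameters();

        // check security token
        $this->checkAccessToken();
    }

    /**
     * Validates the access-token and performs the login.
     *
     * The token is read from the `at` request parameter and must have the form
     * `<userID>-<token>`, where the user ID is 1 to 10 digits and the token is
     * 40 lowercase hexadecimal characters. A request without `at` is left alone.
     *
     * The token is a bearer credential carried in the request. PHP builds
     * $_REQUEST from GET and POST (and cookies, depending on `request_order`),
     * so a token sent in the query string can end up in access logs, browser
     * history and Referer headers.
     *
     * @throws IllegalLinkException if the parameter is malformed, the token does
     *                              not match the stored one, or the user may not log in
     */
    protected function checkAccessToken()
    {
        if (!isset($_REQUEST['at'])) {
            // a missing token is ignored
            return;
        }

        $accessToken = $_REQUEST['at'];

        // `at[]=...` arrives as an array. preg_match() only accepts a string subject
        // (TypeError on PHP 8), so a non-string is treated like any other malformed token.
        if (
            !\is_string($accessToken)
            || !\preg_match('~^(?P<userID>\d{1,10})-(?P<token>[a-f0-9]{40})$~', $accessToken, $matches)
        ) {
            throw new IllegalLinkException();
        }

        $userID = $matches['userID'];
        $token = $matches['token'];

        $sessionUser = WCF::getUser();
        if ($sessionUser->userID) {
            // $userID is a digit string taken from the regex match, hence the loose comparison.
            // The stored token must be non-empty before it reaches hash_equals(),
            // matching the check done for guests below.
            if (
                $userID == $sessionUser->userID
                && $sessionUser->accessToken
                && \hash_equals($sessionUser->accessToken, $token)
            ) {
                // everything is fine, but we are already logged in
                return;
            }

            // the token belongs to another user or does not match
            throw new IllegalLinkException();
        }

        $user = new User($userID);

        // hash_equals() compares in constant time, so response timing does not
        // reveal how much of a guessed token was correct.
        // NOTE(review): the ban check follows the "user is not banned" comment below;
        // confirm the property name against the User class.
        if (
            $user->userID
            && $user->accessToken
            && \hash_equals($user->accessToken, $token)
            && !$user->banned
        ) {
            // token is valid and user is not banned -> change user
            // NOTE(review): the second argument presumably limits the login to this
            // request; confirm against SessionHandler::changeUser().
            SessionHandler::getInstance()->changeUser($user, true);

            return;
        }

        // unknown user, empty or wrong token, or banned user
        throw new IllegalLinkException();
    }
}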