1 <?php
2
3 namespace wcf\page;
4
5 use wcf\data\user\User;
6 use wcf\system\exception\IllegalLinkException;
7 use wcf\system\session\SessionHandler;
8 use wcf\system\WCF;
9
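/**
 * Automatically authenticates the user for the current request via an access token.
 *
 * The token is read from the `at` request parameter as `<userID>-<token>`, where the
 * token part is exactly 40 lowercase hex characters. A missing parameter is ignored
 * (the request continues with whatever session state already exists); a malformed
 * parameter, an unknown user, a non-matching token or a banned user results in an
 * IllegalLinkException.
 *
 * Security notes for callers:
 *  - The access token is a long-lived bearer credential. Because it travels in the
 *    request (usually the query string) it is exposed to anything that sees the URL:
 *    server/proxy logs, Referer headers, browser history. Only hand out token links
 *    where that exposure is acceptable.
 *  - Token comparison uses hash_equals() so it does not leak via timing.
 *  - A token for a *different* user than the one already logged in never switches
 *    the session; it rejects the request instead.
 *
 * @author Tim Duesterhus
 * @copyright 2001-2020 WoltLab GmbH
 * @license GNU Lesser General Public License <http://opensource.org/licenses/lgpl-license.php>
 */
abstract class AbstractAuthedPage extends AbstractPage
{
    /**
     * @inheritDoc
     */
    public function readParameters()
    {
        parent::readParameters();

        // Authenticate via the access token (if one was supplied) right after the
        // parent has read its parameters, so the rest of the page sees the final user.
        $this->checkAccessToken();
    }

    /**
     * Validates the `at` access token and, if the request is not yet authenticated,
     * performs the login for the user it designates.
     *
     * Behaviour:
     *  - no `at` parameter: nothing happens;
     *  - already logged in: the token must be the current user's own token,
     *    otherwise the request is rejected (the session is never switched);
     *  - not logged in: the user must exist, must have a stored token, the token
     *    must match and the user must not be banned; the session is then switched
     *    to that user.
     *
     * @throws IllegalLinkException if the token is malformed or does not validate
     */
    protected function checkAccessToken()
    {
        if (!isset($_REQUEST['at'])) {
            // A missing token is not an error; the page simply keeps the existing
            // (possibly anonymous) session.
            return;
        }

        // NOTE(review): $_REQUEST also accepts the parameter from a POST body (and from
        // cookies, depending on request_order). Kept as-is to preserve behaviour; use
        // $_GET here if token links are meant to be accepted from the query string only.
        $rawToken = $_REQUEST['at'];

        // Strict format check. The is_string() guard rejects `at[]=...` (an array would
        // otherwise reach preg_match()). `\z` instead of `$` so a trailing newline is
        // rejected rather than silently matched in front of it.
        if (
            !\is_string($rawToken)
            || !\preg_match('~^(?P<userID>\d{1,10})-(?P<token>[a-f0-9]{40})\z~', $rawToken, $matches)
        ) {
            throw new IllegalLinkException();
        }

        // Cast so the ID comparison below is strict; leading zeros in the string
        // form ("007") collapse to the same integer the database would match.
        $userID = (int) $matches['userID'];
        $token = $matches['token'];

        $currentUser = WCF::getUser();
        if ($currentUser->userID) {
            if (!$this->isValidAccessTokenFor($currentUser, $userID, $token)) {
                // Token does not belong to the user already in the session.
                throw new IllegalLinkException();
            }

            // Token is valid for the current session user: nothing more to do.
            return;
        }

        $user = new User($userID);
        if (!$this->isValidAccessTokenFor($user, $userID, $token) || $user->banned) {
            // Unknown user, wrong token, or banned user: treat all alike so the
            // response does not distinguish between them.
            throw new IllegalLinkException();
        }

        // Token is valid and the user is not banned -> switch the session to this user.
        SessionHandler::getInstance()->changeUser($user, true);
    }

    /**
     * Returns whether `$token` is the valid access token of `$user`.
     *
     * The user must exist, its ID must equal the ID carried in the token string
     * (strict integer comparison), and it must have a non-empty stored token; the
     * stored token is then compared with hash_equals() so the comparison time does
     * not depend on where the strings first differ. Requiring a stored token also
     * avoids calling hash_equals() with a null/empty known string for accounts that
     * have no token at all.
     *
     * @param   object  $user     user object exposing `userID` and `accessToken`
     * @param   int     $userID   user ID parsed from the `at` parameter
     * @param   string  $token    40-hex-char token parsed from the `at` parameter
     * @return  bool
     */
    private function isValidAccessTokenFor($user, $userID, $token)
    {
        return $user->userID
            && (int) $user->userID === $userID
            && $user->accessToken
            && \hash_equals($user->accessToken, $token);
    }
}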