The Clan CMS Project - PHPBB3 Forum Bridge
<?php
// clanCMS to phpBB3 bridge by FuntimeError of dfbrigade.org
/**
* @ignore
*/
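if (!defined('IN_PHPBB'))
{
    // Refuse direct web access, as every phpBB include does. The original
    // bridge had this exit commented out, which left the file reachable by URL.
    exit;
}
/**
* INSTALL: Replace MYDBNAME with the real name of the ClanCMS database, and
* MYCRYPTKEY with the encryption key the main site uses for its session cookie.
* The cookie can only be decoded when this key matches the one configured in
* ClanCMS (presumably in its own config — confirm there), and leaving the
* placeholder in place means the bridge silently never sees a session.
*/
define('CLANCMSDB', 'MYDBNAME');
define('clancmsEncryptionKey', 'MYCRYPTKEY');
// Name of the ClanCMS session cookie read by the *_clancms() hooks below.
define('sessionCookieName', 'clancms_session');
// true: cookie is Rijndael/mcrypt-encrypted; false: xor-obfuscated (if clancms_cookie_encrypted).
define('clancms_mcrypt', true);
define('clancms_cookie_encrypted', true);
// used in 0.6.0. MCRYPT_MODE_CBC only exists while the mcrypt extension is
// loaded (it left PHP core in 7.2); its value is the literal string 'cbc',
// so fall back to that rather than failing on an undefined constant.
define('clancms_mcrypt_mode', defined('MCRYPT_MODE_CBC') ? MCRYPT_MODE_CBC : 'cbc');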
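/**
* phpBB validate_session hook for the ClanCMS bridge.
*
* If the visitor is anonymous on the forum but the ClanCMS session cookie
* points at a live ClanCMS session whose user also has a phpBB account, the
* phpBB session is invalidated (return false) so phpBB re-creates it and
* autologin_clancms() can log the user in. In every other case the current
* phpBB session is kept.
*
* @param array $userrow phpBB's current user row; only username_clean is read
* @return bool false to invalidate the phpBB session, true to keep it
*/
function validate_session_clancms($userrow)
{
    global $db;
    // Only the anonymous forum user can need bridging; do no cookie/DB work otherwise.
    if (!isset($userrow['username_clean']) || $userrow['username_clean'] != 'anonymous')
    {
        return true;
    }
    if (!isset($_COOKIE[sessionCookieName]))
    {
        return true;
    }
    $decoded = decode($_COOKIE[sessionCookieName], md5(clancmsEncryptionKey));
    // NOTE(security): unserialize() of cookie-derived data. decode() verifies no
    // MAC, so only the encryption key stands between a client and a crafted
    // serialized payload (PHP object injection). On PHP >= 7.0 pass
    // array('allowed_classes' => false) as the second argument.
    // The @ keeps a stale/garbage cookie from surfacing an E_NOTICE through
    // phpBB's error handler; it degrades to "no session" instead.
    $sess_info = ($decoded !== FALSE) ? @unserialize($decoded) : false;
    if (!is_array($sess_info) || empty($sess_info['session_id']))
    {
        return true;
    }
    // ip_address is also carried in the cookie but is not checked by this bridge.
    $sql = "SELECT user_data
        FROM " . CLANCMSDB . ".ClanCMS_sessions
        WHERE session_id = '" . $db->sql_escape(utf8_clean_string($sess_info['session_id'])) . "'";
    $result = $db->sql_query($sql);
    $sess_row = $db->sql_fetchrow($result);
    $db->sql_freeresult($result);
    if (!$sess_row)
    {
        return true;
    }
    $user_info = @unserialize($sess_row['user_data']);
    if (!is_array($user_info) || !isset($user_info['username']) || !strlen($user_info['username']))
    {
        return true;
    }
    // Invalidate only when the ClanCMS user actually has a phpBB account:
    // autologin_clancms() returns an empty array otherwise, so tearing down the
    // anonymous session would achieve nothing. (The original fetched this row
    // and then returned false regardless of the result.)
    $sql = 'SELECT user_id FROM ' . USERS_TABLE . " WHERE username_clean = '" . $db->sql_escape(utf8_clean_string($user_info['username'])) . "'";
    $result = $db->sql_query($sql);
    $forum_user = $db->sql_fetchrow($result);
    $db->sql_freeresult($result);
    return ($forum_user) ? false : true;
}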
/**
* Login function
*/
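/**
* Login function (phpBB auth plugin entry point).
*
* Order of checks:
*   1. reject an empty password or username;
*   2. look the name up in phpBB's USERS_TABLE; when absent, fall back to the
*      ClanCMS users table and, on success, return
*      LOGIN_SUCCESS_CREATE_PROFILE so phpBB creates the forum account;
*   3. otherwise verify against the phpBB hash, with phpBB's standard
*      login-attempt counting and confirm-image handling.
*
* @param string &$username login name as typed (by reference: phpBB's plugin signature)
* @param string &$password plaintext password
* @return array status / error_msg / user_row, as phpBB expects from an auth plugin
*/
function login_clancms(&$username, &$password)
{
    // $user is needed for $user->ip in the profile-creation path; the original
    // omitted it from the global list, so user_ip was always empty.
    global $db, $config, $user;
    // do not allow empty password
    if (!$password)
    {
        return array(
            'status' => LOGIN_ERROR_PASSWORD,
            'error_msg' => 'NO_PASSWORD_SUPPLIED',
            'user_row' => array('user_id' => ANONYMOUS),
        );
    }
    if (!$username)
    {
        return array(
            'status' => LOGIN_ERROR_USERNAME,
            'error_msg' => 'LOGIN_ERROR_USERNAME',
            'user_row' => array('user_id' => ANONYMOUS),
        );
    }
    $sql = 'SELECT user_id, username, user_password, user_passchg, user_pass_convert, user_email, user_type, user_login_attempts
        FROM ' . USERS_TABLE . "
        WHERE username_clean = '" . $db->sql_escape(utf8_clean_string($username)) . "'";
    $result = $db->sql_query($sql);
    $row = $db->sql_fetchrow($result);
    $db->sql_freeresult($result);
    // Not in the forum database: authenticate against the main site instead.
    if (!$row)
    {
        return _login_clancms_main_site($username, $password);
    }
    // Too many failed attempts: require the confirm image. This is phpBB's stock
    // rule; the original bridge hard-coded $show_captcha = false, which disabled
    // brute-force throttling for every forum account.
    $show_captcha = ($config['max_login_attempts'] && $row['user_login_attempts'] >= $config['max_login_attempts']) ? true : false;
    if ($show_captcha)
    {
        // Visual Confirmation handling
        if (!class_exists('phpbb_captcha_factory'))
        {
            global $phpbb_root_path, $phpEx;
            include ($phpbb_root_path . 'includes/captcha/captcha_factory.' . $phpEx);
        }
        $captcha =& phpbb_captcha_factory::get_instance($config['captcha_plugin']);
        $captcha->init(CONFIRM_LOGIN);
        $vc_response = $captcha->validate($row);
        if ($vc_response)
        {
            return array(
                'status' => LOGIN_ERROR_ATTEMPTS,
                'error_msg' => 'LOGIN_ERROR_ATTEMPTS',
                'user_row' => $row,
            );
        }
        else
        {
            $captcha->reset();
        }
    }
    if (phpbb_check_hash($password, $row['user_password']))
    {
        // Successful, reset login attempts (the user passed all stages).
        // $row already holds every column the original re-queried here.
        if ($row['user_login_attempts'] != 0)
        {
            $sql = 'UPDATE ' . USERS_TABLE . '
                SET user_login_attempts = 0
                WHERE user_id = ' . (int) $row['user_id'];
            $db->sql_query($sql);
        }
        // User inactive...
        if ($row['user_type'] == USER_INACTIVE || $row['user_type'] == USER_IGNORE)
        {
            return array(
                'status' => LOGIN_ERROR_ACTIVE,
                'error_msg' => 'ACTIVE_ERROR',
                'user_row' => $row,
            );
        }
        return array(
            'status' => LOGIN_SUCCESS,
            'error_msg' => false,
            'user_row' => $row,
        );
    }
    // Password incorrect - increase login attempts
    $sql = 'UPDATE ' . USERS_TABLE . '
        SET user_login_attempts = user_login_attempts + 1
        WHERE user_id = ' . (int) $row['user_id'] . '
        AND user_login_attempts < ' . LOGIN_ATTEMPTS_MAX;
    $db->sql_query($sql);
    // Give status about wrong password...
    return array(
        'status' => ($show_captcha) ? LOGIN_ERROR_ATTEMPTS : LOGIN_ERROR_PASSWORD,
        'error_msg' => ($show_captcha) ? 'LOGIN_ERROR_ATTEMPTS' : 'LOGIN_ERROR_PASSWORD',
        'user_row' => $row,
    );
}

/**
* Authenticate a name unknown to phpBB against the ClanCMS users table.
*
* ClanCMS stores sha1(user_salt . sha1(password)); that scheme is kept for
* compatibility with existing site accounts (phpBB re-hashes the password with
* phpbb_hash() when it creates the forum profile). Unknown user and wrong
* password deliberately return the same LOGIN_ERROR_USERNAME result, as the
* original did.
*
* @param string $username login name as typed
* @param string $password plaintext password
* @return array phpBB auth result array (LOGIN_SUCCESS_CREATE_PROFILE on success)
*/
function _login_clancms_main_site($username, $password)
{
    global $db, $config, $user;
    $not_found = array(
        'status' => LOGIN_ERROR_USERNAME,
        'error_msg' => 'LOGIN_ERROR_USERNAME',
        'user_row' => array('user_id' => ANONYMOUS),
    );
    $sql = "SELECT * FROM " . CLANCMSDB . ".ClanCMS_users WHERE user_name = '" . $db->sql_escape(utf8_clean_string($username)) . "'";
    $result = $db->sql_query($sql);
    $cms_row = $db->sql_fetchrow($result);
    $db->sql_freeresult($result);
    // The original read $row['user_salt'] off a false row when the user was unknown.
    if (!$cms_row || !isset($cms_row['user_salt'], $cms_row['user_password']))
    {
        return $not_found;
    }
    // Compare in PHP instead of in the WHERE clause so the stored hash is checked
    // with a constant-time comparison where hash_equals() exists (PHP >= 5.6).
    // Lower-casing mirrors a case-insensitive DB collation for the hex digest.
    $expected = sha1($cms_row['user_salt'] . sha1($password));
    $stored = strtolower((string) $cms_row['user_password']);
    $matches = function_exists('hash_equals') ? hash_equals($stored, $expected) : ($stored === $expected);
    if (!$matches)
    {
        return $not_found;
    }
    // retrieve default group id
    $sql = 'SELECT group_id
        FROM ' . GROUPS_TABLE . "
        WHERE group_name = '" . $db->sql_escape('REGISTERED') . "'
        AND group_type = " . GROUP_SPECIAL;
    $result = $db->sql_query($sql);
    $group_row = $db->sql_fetchrow($result);
    $db->sql_freeresult($result);
    if (!$group_row)
    {
        trigger_error('NO_GROUP');
    }
    // generate user account data. The e-mail comes from the ClanCMS row; the
    // original fetched a second (non-existent) row for it and always got ''.
    $clancms_user_row = array(
        'username' => $username,
        'user_password' => phpbb_hash($password),
        'user_email' => (!empty($cms_row['user_email'])) ? utf8_htmlspecialchars(htmlspecialchars_decode($cms_row['user_email'])) : '',
        'group_id' => (int) $group_row['group_id'],
        'user_type' => USER_NORMAL,
        'user_ip' => $user->ip,
        'user_new' => ($config['new_member_post_limit']) ? 1 : 0,
    );
    // this is the user's first login so create an empty profile
    return array(
        'status' => LOGIN_SUCCESS_CREATE_PROFILE,
        'error_msg' => false,
        'user_row' => $clancms_user_row,
    );
}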
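/**
* phpBB autologin hook: log the forum user in from an existing ClanCMS session.
*
* Reads the ClanCMS session cookie, decodes and unserializes it, looks the
* session_id up in ClanCMS_sessions and, when that session carries a
* username, returns the matching phpBB user row. phpBB expects an empty
* array whenever there is nothing to log in.
*
* @return array phpBB user row, or array() when no usable session is found
*/
function autologin_clancms()
{
    global $db;
    if (!isset($_COOKIE[sessionCookieName]))
    {
        return array();
    }
    $decoded = decode($_COOKIE[sessionCookieName], md5(clancmsEncryptionKey));
    // NOTE(security): unserialize() of cookie-derived data. decode() verifies no
    // MAC, so only the encryption key stands between a client and a crafted
    // serialized payload (PHP object injection). On PHP >= 7.0 pass
    // array('allowed_classes' => false) as the second argument.
    // The @ lets a stale/garbage cookie degrade to "no session" instead of an
    // E_NOTICE through phpBB's error handler.
    $sess_info = ($decoded !== FALSE) ? @unserialize($decoded) : false;
    if (!is_array($sess_info) || empty($sess_info['session_id']))
    {
        return array();
    }
    // ip_address is also carried in the cookie but is not checked by this bridge.
    $sql = "SELECT user_data
        FROM " . CLANCMSDB . ".ClanCMS_sessions
        WHERE session_id = '" . $db->sql_escape(utf8_clean_string($sess_info['session_id'])) . "'";
    $result = $db->sql_query($sql);
    $sess_row = $db->sql_fetchrow($result);
    $db->sql_freeresult($result);
    if (!$sess_row)
    {
        return array();
    }
    $user_info = @unserialize($sess_row['user_data']);
    if (!is_array($user_info) || !isset($user_info['username']) || !strlen($user_info['username']))
    {
        return array();
    }
    $sql = 'SELECT * FROM ' . USERS_TABLE . " WHERE username_clean = '" . $db->sql_escape(utf8_clean_string($user_info['username'])) . "'";
    $result = $db->sql_query($sql);
    $forum_user = $db->sql_fetchrow($result);
    $db->sql_freeresult($result);
    // No forum account, or an inactive/ignored one: never auto-login those
    // (the original returned sql_fetchrow()'s false here instead of the empty
    // array phpBB wants, and auto-logged-in inactive accounts).
    if (!$forum_user || $forum_user['user_type'] == USER_INACTIVE || $forum_user['user_type'] == USER_IGNORE)
    {
        return array();
    }
    return $forum_user;
}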
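/**
* phpBB logout hook: delete the ClanCMS session row referenced by the
* session cookie, so the main-site session does not outlive the forum one.
*
* @param array $userrow    phpBB user row (unused, required by the hook signature)
* @param bool  $newsession whether phpBB creates a new session (unused)
* @return void
*/
function logout_clancms($userrow, $newsession)
{
    global $db;
    if (!isset($_COOKIE[sessionCookieName]))
    {
        return;
    }
    $decoded = decode($_COOKIE[sessionCookieName], md5(clancmsEncryptionKey));
    // NOTE(security): unserialize() of cookie-derived, unauthenticated data; on
    // PHP >= 7.0 pass array('allowed_classes' => false). The @ turns a garbage
    // cookie into "nothing to delete" rather than an E_NOTICE.
    $sess_info = ($decoded !== FALSE) ? @unserialize($decoded) : false;
    if (!is_array($sess_info) || empty($sess_info['session_id']))
    {
        return;
    }
    $sql = "DELETE FROM " . CLANCMSDB . ".ClanCMS_sessions WHERE session_id = '" . $db->sql_escape(utf8_clean_string($sess_info['session_id'])) . "'";
    // A DELETE yields no result rows; the original's fetchrow/freeresult on it were no-ops.
    $db->sql_query($sql);
}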
/**
* Decode a ClanCMS cookie value: base64, then mcrypt or xor, to plaintext.
*
* Returns FALSE when the value contains a character outside the base64
* alphabet, or when the mcrypt path fails; the xor path has no failure
* signal. Neither path verifies a MAC, so a tampered ciphertext is not
* detected here and callers must treat the result as untrusted input.
*
* @param string $string raw cookie value
* @param string $key    symmetric key (callers pass md5(clancmsEncryptionKey))
* @return string|false plaintext, or FALSE
*/
function decode($string, $key = '')
{
    if (preg_match('/[^a-zA-Z0-9\/\+=]/', $string))
    {
        return FALSE;
    }
    $raw = base64_decode($string);
    if (!clancms_mcrypt)
    {
        // Legacy xor obfuscation, or a cookie stored in the clear.
        return clancms_cookie_encrypted ? _xor_decode($raw, $key) : $raw;
    }
    $plain = mcrypt_decode($raw, $key);
    return $plain ? $plain : FALSE;
}
/**
* Reverse the legacy xor encoding: merge with the key hash, then collapse each
* byte pair (a, b) of the result into a ^ b. A trailing unpaired byte is
* xor-ed against the empty string and so yields nothing.
*
* @param string $string xor-encoded bytes
* @param string $key    key (hashed with sha1 by _xor_merge)
* @return string decoded bytes, half the length of the input
*/
function _xor_decode($string, $key)
{
    $merged = _xor_merge($string, $key);
    $len = strlen($merged);
    $out = '';
    for ($pos = 0; $pos < $len; $pos += 2)
    {
        $out .= (substr($merged, $pos, 1) ^ substr($merged, $pos + 1, 1));
    }
    return $out;
}
/**
* Xor each byte of $string with the corresponding byte of sha1($key),
* cycling through the 40-character hex digest. This is not encryption: the
* digest is public knowledge once the key is, and the same call undoes it.
*
* @param string $string bytes to mask
* @param string $key    key whose sha1 hex digest is used as the mask
* @return string masked bytes, same length as $string
*/
function _xor_merge($string, $key)
{
    $mask = sha1($key);
    $mask_len = strlen($mask);
    $len = strlen($string);
    $out = '';
    for ($i = 0; $i < $len; $i++)
    {
        $out .= $string[$i] ^ $mask[$i % $mask_len];
    }
    return $out;
}
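/**
* Decrypt a ClanCMS cookie body: strip the key-derived "noise", split off the
* IV that prefixes the ciphertext, then Rijndael-256 decrypt in
* clancms_mcrypt_mode and strip zero padding.
*
* No MAC is checked, so a modified ciphertext decrypts to garbage (or, under
* CBC, to attacker-chosen bytes in the first block) without being detected.
*
* @param string $data base64-decoded cookie bytes
* @param string $key  decryption key
* @return string|false plaintext, or FALSE when mcrypt is unavailable or the input is too short
*/
function mcrypt_decode($data, $key)
{
    // mcrypt left PHP core in 7.2; fail soft (no session) instead of fataling.
    if (!function_exists('mcrypt_decrypt') || !function_exists('mcrypt_get_iv_size'))
    {
        return FALSE;
    }
    $data = _remove_cipher_noise($data, $key);
    $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, clancms_mcrypt_mode);
    // Need an IV plus at least one byte of ciphertext; the original accepted
    // an IV-only input and handed mcrypt an empty string.
    if ($iv_size >= strlen($data))
    {
        return FALSE;
    }
    $iv = substr($data, 0, $iv_size);
    $body = substr($data, $iv_size);
    return rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $body, clancms_mcrypt_mode, $iv), "\0");
}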
/**
* Undo the byte-wise "noise" the encoder added: subtract, modulo 256, the
* bytes of sha1($key) cycled over the data. Like the xor mask this is
* obfuscation only; it adds no security beyond the key.
*
* @param string $data noisy bytes
* @param string $key  key whose sha1 hex digest was added
* @return string cleaned bytes, same length as $data
*/
function _remove_cipher_noise($data, $key)
{
    $digest = sha1($key);
    $digest_len = strlen($digest);
    $len = strlen($data);
    $out = '';
    for ($i = 0; $i < $len; $i++)
    {
        // (a - b + 256) % 256 is the original's "if negative, add 256" in one step.
        $out .= chr((ord($data[$i]) - ord($digest[$i % $digest_len]) + 256) % 256);
    }
    return $out;
}
?>