[ Index ]

PHP Cross Reference of YOURLS

title

Body

[close]

/includes/ -> functions-auth.php (summary)

Function related to authentication functions and nonces

File Size: 747 lines (25 kb)
Included or required:0 times
Referenced: 0 times
Includes or requires: 1 file
 includes/auth.php

Defines 32 functions

  yourls_maybe_require_auth()
  yourls_is_valid_user()
  yourls_check_username_password()
  yourls_check_password_hash()
  yourls_hash_passwords_now()
  yourls_phpass_hash()
  yourls_phpass_check()
  yourls_has_cleartext_passwords()
  yourls_has_md5_password()
  yourls_has_phpass_password()
  yourls_check_auth_cookie()
  yourls_check_signature_timestamp()
  yourls_check_signature()
  yourls_auth_signature()
  yourls_check_timestamp()
  yourls_store_cookie()
  yourls_setcookie()
  yourls_set_user()
  yourls_get_cookie_life()
  yourls_get_nonce_life()
  yourls_cookie_name()
  yourls_cookie_value()
  yourls_tick()
  yourls_salt()
  yourls_hmac_algo()
  yourls_create_nonce()
  yourls_nonce_field()
  yourls_nonce_url()
  yourls_verify_nonce()
  yourls_is_user_from_env()
  yourls_maybe_hash_passwords()
  yourls_skip_password_hashing()

Functions
Functions that are not part of a class:

yourls_maybe_require_auth()   X-Ref
Show login form if required

return: void

yourls_is_valid_user()   X-Ref
Check for valid user via login form or stored cookie. Returns true or an error message

return: bool|string|mixed true if valid user, error message otherwise. Can also call yourls_die() or redirect to login page. Oh my.

yourls_check_username_password()   X-Ref
Check auth against list of login=>pwd. Sets user if applicable, returns bool

return: bool  true if login/pwd pair is valid (and sets user if applicable), false otherwise

yourls_check_password_hash($user, $submitted_password )   X-Ref
Check a submitted password sent in plain text against stored password which can be a salted hash

return: bool
param: string $user
param: string $submitted_password

yourls_hash_passwords_now( $config_file )   X-Ref
Overwrite plaintext passwords in config file with hashed versions.

since: 1.7
return: true|string  if overwrite was successful, an error message otherwise
param: string $config_file Full path to file

yourls_phpass_hash( $password )   X-Ref
Create a password hash

since: 1.7
return: string hashed password
param: string $password password to hash

yourls_phpass_check( $password, $hash )   X-Ref
Verify that a password matches a hash

since: 1.7
return: bool true if the hash matches the password, false otherwise
param: string $password clear (eg submitted in a form) password
param: string $hash hash

yourls_has_cleartext_passwords()   X-Ref
Check to see if any passwords are stored as cleartext.

since: 1.7
return: bool true if any passwords are cleartext

yourls_has_md5_password( $user )   X-Ref
Check if a user has a md5 hashed password

Check if a user password is 'md5:[38 chars]'.
TODO: deprecate this when/if we have proper user management with password hashes stored in the DB

since: 1.7
return: bool true if password hashed, false otherwise
param: string $user user login

yourls_has_phpass_password( $user )   X-Ref
Check if a user's password is hashed with password_hash

Check if a user password is 'phpass:[lots of chars]'.
(For historical reason we're using 'phpass' as an identifier.)
TODO: deprecate this when/if we have proper user management with password hashes stored in the DB

since: 1.7
return: bool true if password hashed with password_hash, otherwise false
param: string $user user login

yourls_check_auth_cookie()   X-Ref
Check auth against encrypted COOKIE data. Sets user if applicable, returns bool

return: bool true if authenticated, false otherwise

yourls_check_signature_timestamp()   X-Ref
Check auth against signature and timestamp. Sets user if applicable, returns bool

Original usage :
http://sho.rt/yourls-api.php?timestamp=<timestamp>&signature=<md5 hash>&action=...
Since 1.7.7 we allow a `hash` parameter and an arbitrary hashed signature, hashed
with the `hash` function. Examples :
http://sho.rt/yourls-api.php?timestamp=<timestamp>&signature=<sha512 hash>&hash=sha512&action=...
http://sho.rt/yourls-api.php?timestamp=<timestamp>&signature=<crc32 hash>&hash=crc32&action=...

since: 1.4.1
return: bool False if signature or timestamp missing or invalid, true if valid

yourls_check_signature()   X-Ref
Check auth against signature. Sets user if applicable, returns bool

since: 1.4.1
return: bool False if signature missing or invalid, true if valid

yourls_auth_signature( $username = false )   X-Ref
Generate secret signature hash

return: string                 Signature
param: false|string $username  Username to generate signature for, or false to use current user

yourls_check_timestamp( $time )   X-Ref
Check if timestamp is not too old

return: bool      True if timestamp is valid
param: int $time  Timestamp to check

yourls_store_cookie( $user = '' )   X-Ref
Store new cookie. No $user will delete the cookie.

return: void
param: string $user  User login, or empty string to delete cookie

yourls_setcookie($name, $value, $expire, $path, $domain, $secure, $httponly)   X-Ref
Replacement for PHP's setcookie(), with support for SameSite cookie attribute

since: 1.7.7
return: bool                setcookie() result : false if output sent before, true otherwise. This does not indicate whether the user accepted the cookie.
param: string  $name       cookie name
param: string  $value      cookie value
param: int     $expire     time the cookie expires as a Unix timestamp (number of seconds since the epoch)
param: string  $path       path on the server in which the cookie will be available on
param: string  $domain     (sub)domain that the cookie is available to
param: bool    $secure     if cookie should only be transmitted over a secure HTTPS connection
param: bool    $httponly   if cookie will be made accessible only through the HTTP protocol

yourls_set_user( $user )   X-Ref
Set user name

return: void
param: string $user  Username

yourls_get_cookie_life()   X-Ref
Get YOURLS_COOKIE_LIFE value (ie the life span of an auth cookie in seconds)

Use this function instead of directly using the constant. This way, its value can be modified by plugins
on a per case basis

since: 1.7.7
return: integer     cookie life span, in seconds

yourls_get_nonce_life()   X-Ref
Get YOURLS_NONCE_LIFE value (ie life span of a nonce in seconds)

Use this function instead of directly using the constant. This way, its value can be modified by plugins
on a per case basis

since: 1.7.7
return: integer     nonce life span, in seconds

yourls_cookie_name()   X-Ref
Get YOURLS cookie name

The name is unique for each install, to prevent mismatch between sho.rt and very.sho.rt -- see #1673

TODO: when multi user is implemented, the whole cookie stuff should be reworked to allow storing multiple users

since: 1.7.1
return: string  unique cookie name for a given YOURLS site

yourls_cookie_value( $user )   X-Ref
Get auth cookie value

since: 1.7.7
return: string          cookie value
param: string $user     user name

yourls_tick()   X-Ref
Return a time-dependent string for nonce creation

Actually, this returns a float: ceil rounds up a value but is of type float, see https://www.php.net/ceil

return: float

yourls_salt( $string )   X-Ref
Return hashed string

This function is badly named, it's not a salt or a salted string : it's a cryptographic hash.

since: 1.4.1
return: string          hashed string
param: string $string   string to salt

yourls_hmac_algo()   X-Ref
Return an available hash_hmac() algorithm

since: 1.8.3
return: string  hash_hmac() algorithm

yourls_create_nonce($action, $user = false )   X-Ref
Create a time limited, action limited and user limited token

return: string             Nonce token
param: string $action      Action to create nonce for
param: false|string $user  Optional user string, false for current user

yourls_nonce_field($action, $name = 'nonce', $user = false, $echo = true )   X-Ref
Echoes or returns a nonce field for inclusion into a form

return: string             Nonce field
param: string $action      Action to create nonce for
param: string $name        Optional name of nonce field -- defaults to 'nonce'
param: false|string $user  Optional user string, false if unspecified
param: bool $echo          True to echo, false to return nonce field

yourls_nonce_url($action, $url = false, $name = 'nonce', $user = false )   X-Ref
Add a nonce to a URL. If URL omitted, adds nonce to current URL

return: string             URL with nonce added
param: string $action      Action to create nonce for
param: string $url         Optional URL to add nonce to -- defaults to current URL
param: string $name        Optional name of nonce field -- defaults to 'nonce'
param: false|string $user  Optional user string, false if unspecified

yourls_verify_nonce($action, $nonce = false, $user = false, $return = '' )   X-Ref
Check validity of a nonce (ie time span, user and action match).

Returns true if valid, dies otherwise (yourls_die() or die($return) if defined).
If $nonce is false or unspecified, it will use $_REQUEST['nonce']

return: bool|void           True if valid, dies otherwise
param: string $action
param: false|string $nonce  Optional, string: nonce value, or false to use $_REQUEST['nonce']
param: false|string $user   Optional, string user, false for current user
param: string $return       Optional, string: message to die with if nonce is invalid

yourls_is_user_from_env()   X-Ref
Check if YOURLS_USER comes from environment variables

since: 1.8.2
return: bool  true if YOURLS_USER and YOURLS_PASSWORD are defined as environment variables

yourls_maybe_hash_passwords()   X-Ref
Check if we should hash passwords in the config file

By default, passwords are hashed. They are not if
- there is no password in clear text in the config file (ie everything is already hashed)
- the user defined constant YOURLS_NO_HASH_PASSWORD is true, see https://docs.yourls.org/guide/essentials/credentials.html#i-don-t-want-to-encrypt-my-password
- YOURLS_USER and YOURLS_PASSWORD are provided by the environment, not the config file

since: 1.8.2
return: bool

yourls_skip_password_hashing()   X-Ref
Check if user setting for skipping password hashing is set

since: 1.8.2
return: bool



Generated: Wed Sep 28 05:10:02 2022 Cross-referenced by PHPXref 0.7.1