comparison mod_auth_phpbb3/mod_auth_phpbb3.lua @ 665:684cc57a49c1

mod_auth_phpbb3: Optionally allow using PHPBB3 session ID as password ( sql = { sessionid_as_password = true, ... } ).
author Waqas Hussain <waqas20@gmail.com>
date Wed, 16 May 2012 17:34:47 +0500
parents f19f723571d9
children 881ec9919144
comparison
equal deleted inserted replaced
664:2f11d2473afd 665:684cc57a49c1
82 local function get_password(username) 82 local function get_password(username)
83 local stmt, err = getsql("SELECT `user_password` FROM `phpbb_users` WHERE `username_clean`=?", username); 83 local stmt, err = getsql("SELECT `user_password` FROM `phpbb_users` WHERE `username_clean`=?", username);
84 if stmt then 84 if stmt then
85 for row in stmt:rows(true) do 85 for row in stmt:rows(true) do
86 return row.user_password; 86 return row.user_password;
87 end
88 end
89 end
90 local function check_sessionids(username, session_id)
91 -- TODO add session expiration and auto-login check
92 local stmt, err = getsql("SELECT phpbb_sessions.session_id FROM phpbb_sessions INNER JOIN phpbb_users ON phpbb_users.user_id = phpbb_sessions.session_user_id WHERE phpbb_users.username_clean =?", username);
93 if stmt then
94 for row in stmt:rows(true) do
95 -- if row.session_id == session_id then return true; end
96
97 -- workaround for possible LuaDBI bug
98 -- The session_id returned by the sql statement has an additional zero at the end. But that is not in the database.
99 if row.session_id == session_id or row.session_id == session_id.."0" then return true; end
87 end 100 end
88 end 101 end
89 end 102 end
90 103
91 104
237 local prepped = nodeprep(authentication); 250 local prepped = nodeprep(authentication);
238 local normalized = jid_unescape(prepped); 251 local normalized = jid_unescape(prepped);
239 return normalized and provider.test_password(normalized, password) and prepped; 252 return normalized and provider.test_password(normalized, password) and prepped;
240 end 253 end
241 local username = test(authentication) or test(jid_escape(authentication)); 254 local username = test(authentication) or test(jid_escape(authentication));
255 if not username and params.sessionid_as_password then
256 local function test(authentication)
257 local prepped = nodeprep(authentication);
258 local normalized = jid_unescape(prepped);
259 return normalized and check_sessionids(normalized, password) and prepped;
260 end
261 username = test(authentication) or test(jid_escape(authentication));
262 end
242 if username then 263 if username then
243 self.username = username; 264 self.username = username;
244 return "success"; 265 return "success";
245 end 266 end
246 return "failure", "not-authorized", "Unable to authorize you with the authentication credentials you've sent."; 267 return "failure", "not-authorized", "Unable to authorize you with the authentication credentials you've sent.";