/* Callback from httpLogin to verify credentials using the password defined in the database. */ static bool verifyUser(HttpStream *stream, cchar *username, cchar *password) { HttpAuth *auth; HttpUser *user; HttpRx *rx; EdiRec *urec; rx = stream->rx; auth = rx->route->auth; if ((urec = readRecWhere("user", "username", "==", username)) == 0) { httpLog(stream->trace, "auth.login.error", "error", "msg: 'Cannot verify user', username: '******'", username); return 0; } if (!mprCheckPassword(password, getField(urec, "password"))) { httpLog(stream->trace, "auth.login.error", "error", "msg: 'Password failed to authenticate', username: '******'", username); mprSleep(500); return 0; } /* Cache the user and define the user roles. Thereafter, the app can use "httpCanUser" to test if the user has the required abilities (defined by their roles) to perform a given request or operation. */ if ((user = httpLookupUser(auth, username)) == 0) { user = httpAddUser(auth, username, 0, ediGetFieldValue(urec, "roles")); } /* Define this as the authenticated and authorized user for this session */ httpSetStreamUser(stream, user); httpLog(stream->trace, "auth.login.authenticated", "context", "msg: 'User authenticated', username: '******'", username); return 1; }
static void retractPackage() { EdiRec *rec; cchar *password, *name; name = param("name"); password = param("password"); if (!name || !*name || !password || !*password) { sendResult(feedback("error", "Missing name or password parameters")); return; } if ((rec = readRecWhere("pak", "name", "==", name)) == 0) { sendResult(feedback("error", "Cannot find package")); return; } else if (!mprCheckPassword(password, getField(rec, "password"))) { sendResult(feedback("error", "Invalid password")); return; } sendResult(removeRec("pak", rec->id)); }
/* Verify the user password for the "config" store based on the users defined via configuration directives. Password may be NULL only if using auto-login. */ static bool configVerifyUser(HttpConn *conn, cchar *username, cchar *password) { HttpRx *rx; HttpAuth *auth; bool success; char *requiredPassword; rx = conn->rx; auth = rx->route->auth; if (!conn->user && (conn->user = mprLookupKey(auth->userCache, username)) == 0) { httpTrace(conn, "auth.login.error", "error", "msg: 'Unknown user', username:'******'", username); return 0; } if (password) { if (auth->realm == 0 || *auth->realm == '\0') { mprLog("error http auth", 0, "No AuthRealm defined"); } requiredPassword = (rx->passwordDigest) ? rx->passwordDigest : conn->user->password; if (sncmp(requiredPassword, "BF", 2) == 0 && slen(requiredPassword) > 4 && isdigit(requiredPassword[2]) && requiredPassword[3] == ':') { /* Blowifsh */ success = mprCheckPassword(sfmt("%s:%s:%s", username, auth->realm, password), conn->user->password); } else { if (!conn->encoded) { password = mprGetMD5(sfmt("%s:%s:%s", username, auth->realm, password)); conn->encoded = 1; } success = smatch(password, requiredPassword); } if (success) { httpTrace(conn, "auth.login.authenticated", "context", "msg:'User authenticated', username:'******'", username); } else { httpTrace(conn, "auth.login.error", "error", "msg:'Password failed to authenticate', username:'******'", username); } return success; } return 1; }
/* Can call this without being authenticated */ static void publishPackage() { HttpConn *conn; EdiRec *rec; cchar *email, *password, *name, *endpoint; bool checkPassword; name = param("name"); endpoint = param("endpoint"); password = param("password"); email = param("email"); conn = getConn(); if (!name || !*name || !endpoint || !*endpoint) { sendResult(feedback("error", "Missing name or endpoint parameters")); return; } if (!email || !*email) { sendResult(feedback("error", "Missing email parameter")); return; } if (canUser("edit", 0) && smatch(conn->username, name)) { checkPassword = 0; httpTrace(conn, "auth.login.authenticated", "context", "msg=\"Authenticated for package\", pak=%s", name); } else { if (!password || !*password) { sendResult(feedback("error", "Missing password parameter")); return; } checkPassword = 1; } if ((rec = readRecWhere("pak", "name", "==", name)) != 0) { if (checkPassword && !mprCheckPassword(password, getField(rec, "password"))) { sendResult(feedback("error", "Package already exists but invalid password")); return; } setFields(rec, params()); } else { #if FUTURE cchar *uri, *response, *err; uri = strim(endpoint, ".git", MPR_TRIM_END); uri = sjoin(uri, "/raw/master/package.json", NULL); status = httpRequest("GET", uri, NULL, &response, &err); if (status != 200) { feedback("warn", "Could not verify endpoint"); } else { if (!response || mprParseJson(response) == 0) { feedback("warn", "Could not verify endpoint package.json"); } } #endif if ((rec = createRec("pak", params())) == 0) { sendResult(feedback("error", "Cannot create package record")); return; } } setField(rec, "password", mprMakePassword(password, PASSWORD_SALT, PASSWORD_ROUNDS)); if (!(updateRec(rec))) { sendResult(feedback("error", "Cannot save package details")); return; } sendRec(rec); }