Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

A more secure and generalized approach for PDO Basic Auth Backend #1284

Merged
merged 6 commits into from
Dec 13, 2021
Merged

A more secure and generalized approach for PDO Basic Auth Backend #1284

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
07a4b68
Added PDOBasicAuth Backend
Jul 15, 2020
bc7a8c0
Added Unit Test
tom-nslt Jul 18, 2020
8f1ec2b
Extended tests with uuidColumn
tom-nslt Jul 18, 2020
48d979f
Improved Coverage
tom-nslt Jul 18, 2020
ef009c5
Added More Tests
tom-nslt Jul 20, 2020
590e9dc
Merge branch 'master' into general-approach-for-pdo-basic-auth
lightbluetom Aug 11, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
114 changes: 114 additions & 0 deletions lib/DAV/Auth/Backend/PDOBasicAuth.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,114 @@
<?php

namespace Sabre\DAV\Auth\Backend;

/**
* This is an authentication backend that uses a database to manage passwords.
*
* @copyright Copyright (C) fruux GmbH (https://fruux.com/)
* @license http://sabre.io/license/ Modified BSD License
*/
class PDOBasicAuth extends AbstractBasic
{
/**
* Reference to PDO connection.
*
* @var PDO
*/
protected $pdo;

/**
* PDO table name we'll be using.
*
* @var string
*/
protected $tableName;

/**
* PDO digest column name we'll be using
* (i.e. digest, password, password_hash).
*
* @var string
*/
protected $digestColumn;

/**
* PDO uuid(unique user identifier) column name we'll be using
* (i.e. username, email).
*
* @var string
*/
protected $uuidColumn;

/**
* Digest prefix:
* if the backend you are using for is prefixing
* your password hashes set this option to your prefix to
* cut it off before verfiying.
*
* @var string
*/
protected $digestPrefix;

/**
* Creates the backend object.
*
* If the filename argument is passed in, it will parse out the specified file fist.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This comment does not make sense to me. I will make a comments-only PR to sort it out.

*/
public function __construct(\PDO $pdo, array $options = [])
{
$this->pdo = $pdo;
if (isset($options['tableName'])) {
$this->tableName = $options['tableName'];
} else {
$this->tableName = 'users';
}
if (isset($options['digestColumn'])) {
$this->digestColumn = $options['digestColumn'];
} else {
$this->digestColumn = 'digest';
}
if (isset($options['uuidColumn'])) {
$this->uuidColumn = $options['uuidColumn'];
} else {
$this->uuidColumn = 'username';
}
if (isset($options['digestPrefix'])) {
$this->digestPrefix = $options['digestPrefix'];
}
}

/**
* Validates a username and password.
*
* This method should return true or false depending on if login
* succeeded.
*
* @param string $username
* @param string $password
*
* @return bool
*/
public function validateUserPass($username, $password)
{
$stmt = $this->pdo->prepare('SELECT '.$this->digestColumn.' FROM '.$this->tableName.' WHERE '.$this->uuidColumn.' = ?');
$stmt->execute([$username]);
$result = $stmt->fetchAll();

if (!count($result)) {
return false;
} else {
$digest = $result[0][$this->digestColumn];

if (isset($this->digestPrefix)) {
$digest = substr($digest, strlen($this->digestPrefix));
}

if (password_verify($password, $digest)) {
return true;
}

return false;
}
}
}
160 changes: 160 additions & 0 deletions tests/Sabre/DAV/Auth/Backend/AbstractPDOBasicAuthTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,160 @@
<?php

declare(strict_types=1);

namespace Sabre\DAV\Auth\Backend;

use Sabre\HTTP;

abstract class AbstractPDOBasicAuthTest extends \PHPUnit\Framework\TestCase
{
use \Sabre\DAV\DbTestHelperTrait;

public function setup(): void
{
$this->dropTables('users');
$this->createSchema('users');

// The supplied hash is a salted bcrypt hash of the plaintext : 'password'
$this->getPDO()->query(
"INSERT INTO users (username,digesta1) VALUES ('user','\$2b\$12\$IwetRH4oj6.AWFGGVy8fpet7Pgp1TafspB6iq1/fiLDxfsGZfi2jS')"
);
$this->getPDO()->query(
"INSERT INTO users (username,digesta1) VALUES ('prefix_user','bcrypt\$\$2b\$12\$IwetRH4oj6.AWFGGVy8fpet7Pgp1TafspB6iq1/fiLDxfsGZfi2jS')"
);
}

public function testConstruct()
{
$pdo = $this->getPDO();
$backend = new PDOBasicAuth($pdo);
$this->assertTrue($backend instanceof PDOBasicAuth);
}

public function testCheckNoHeaders()
{
$request = new HTTP\Request('GET', '/');
$response = new HTTP\Response();

$options = [
'tableName' => 'users',
'digestColumn' => 'digesta1',
'uuidColumn' => 'username',
];
$pdo = $this->getPDO();
$backend = new PDOBasicAuth($pdo, $options);

$this->assertFalse(
$backend->check($request, $response)[0]
);
}

public function testCheckUnknownUser()
{
$request = HTTP\Sapi::createFromServerArray([
'REQUEST_METHOD' => 'GET',
'REQUEST_URI' => '/',
'PHP_AUTH_USER' => 'unkown_user',
'PHP_AUTH_PW' => 'wrongpassword',
]);
$response = new HTTP\Response();

$options = [
'tableName' => 'users',
'digestColumn' => 'digesta1',
'uuidColumn' => 'username',
];
$pdo = $this->getPDO();
$backend = new PDOBasicAuth($pdo, $options);

$this->assertFalse(
$backend->check($request, $response)[0]
);
}

public function testCheckAuthenticationFailure()
{
$request = HTTP\Sapi::createFromServerArray([
'REQUEST_METHOD' => 'GET',
'REQUEST_URI' => '/',
'PHP_AUTH_USER' => 'user',
'PHP_AUTH_PW' => 'wrongpassword',
]);
$response = new HTTP\Response();

$options = [
'tableName' => 'users',
'digestColumn' => 'digesta1',
'uuidColumn' => 'username',
];
$pdo = $this->getPDO();
$backend = new PDOBasicAuth($pdo, $options);

$this->assertFalse(
$backend->check($request, $response)[0]
);
}

public function testCheckSuccess()
{
$request = HTTP\Sapi::createFromServerArray([
'REQUEST_METHOD' => 'GET',
'REQUEST_URI' => '/',
'PHP_AUTH_USER' => 'user',
'PHP_AUTH_PW' => 'password',
]);
$response = new HTTP\Response();

$options = [
'tableName' => 'users',
'digestColumn' => 'digesta1',
'uuidColumn' => 'username',
];
$pdo = $this->getPDO();
$backend = new PDOBasicAuth($pdo, $options);
$this->assertEquals(
[true, 'principals/user'],
$backend->check($request, $response)
);
}

public function testPrefixSuccess()
{
$request = HTTP\Sapi::createFromServerArray([
'REQUEST_METHOD' => 'GET',
'REQUEST_URI' => '/',
'PHP_AUTH_USER' => 'prefix_user',
'PHP_AUTH_PW' => 'password',
]);
$response = new HTTP\Response();

$options = [
'tableName' => 'users',
'digestColumn' => 'digesta1',
'uuidColumn' => 'username',
'digestPrefix' => 'bcrypt$',
];
$pdo = $this->getPDO();
$backend = new PDOBasicAuth($pdo, $options);
$this->assertEquals(
[true, 'principals/prefix_user'],
$backend->check($request, $response)
);
}

public function testRequireAuth()
{
$request = new HTTP\Request('GET', '/');
$response = new HTTP\Response();

$pdo = $this->getPDO();
$backend = new PDOBasicAuth($pdo);
$backend->setRealm('writing unittests on a saturday night');
$backend->challenge($request, $response);

$this->assertEquals(
'Basic realm="writing unittests on a saturday night", charset="UTF-8"',
$response->getHeader('WWW-Authenticate')
);
}
}
10 changes: 10 additions & 0 deletions tests/Sabre/DAV/Auth/Backend/PDOBasicAuthSqliteTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
<?php

declare(strict_types=1);

namespace Sabre\DAV\Auth\Backend;

class PDOBasicAuthSqliteTest extends AbstractPDOBasicAuthTest
{
public $driver = 'sqlite';
}