UserLogin_8php_source.html

 <?php

 /**
  * PHP User Login Class
  *
  * Handles username and password validation, challenge questions, etc.
  *
  * Written: 10/2019
  *
  */

 class UserLogin {

   //the CU to use
   private $cu = NULL;

   //a string holding the cookie prefix
   private $cookie_prefix = '';

   //user is new
   public $new_user = false;

   //array to hold all of the errors
   public $errors = NULL;

   /*
     * Class Constructor
     *
   * user                    - User object
   * cuadmin         - CuAdmin object
     * cookie_prefix     - str - unique cookie prefix
     */
     function __construct(User $user, CuAdmin $cuAdmin, $cookie_prefix = 'usr'){

     if (!$user instanceof User) {
       throw new InvalidArgumentException(static::class . ': User object required.');
     }
     if (!$cuAdmin instanceof CuAdmin) {
         throw new InvalidArgumentException(static::class . ': CuAdmin object required.');
     }

     $this->user = $user;
     $this->cuAdmin = $cuAdmin;
   }

   /*
   * IsAccountLocked
   *
   * Check to see if the member's account is locked
   *
   * @return bool
   */
   public function IsAccountLocked() {
     if (!$this->user->isUserLoaded) {
       throw new Exception(static::class . ': User is unvalidated.');
     }
     switch (true) {
       // Challenge questions need setup
       case (boolval($this->cuAdmin->admininfo['flagset3'] & CuAdmin::CU3_MFA_AUTHCODE) == 0 && ($this->user->data['freset'] === User::MEM_FORCE_RESET || $this->user->mfaquest['mfacount'] < $this->cuAdmin->admininfo['min_chlng_qst'])):
         $this->new_user = true;
         $forceUpdate = true;
       break;
       // Password
       case $this->user->data['fchange'] === 'Y':
         $forceUpdate = true;
       break;
       // Member Reset Password
       case (boolval($this->cuAdmin->admininfo['flagset'] & CuAdmin::CU_MEMRESET)):
         $forceUpdate = true;
       break;
       // Force Reset Password
       case $this->user->data['userflags'] & User::MEM_FORCE_RESET:
         $forceUpdate = true;
       break;
       // Phone numbers
       case (boolval($this->cuAdmin->admininfo['flagset3'] & CuAdmin::CU3_MFA_AUTHCODE > 0
       ) && ($this->user->data['freset'] === 2)):
         $forceUpdate = true;
       break;
       // User alias
       case $this->cuAdmin->admininfo['flagset2'] & CuAdmin::CU2_ALIAS_REQ && !preg_match("/\D/",$this->user->user_name):
         $forceUpdate = true;
       break;
       default:
         $forceUpdate = false;
     }
     return $this->user->data['failedremain'] <= 0 || ($forceUpdate && $this->user->data['fremain'] <= 0);

   }

   /*
   * IsValidDeviceCookie
   *
   * Check to see if the member's device cookie is valid
   * $cu         - Credit Union Code
   * @return bool
   */
   public function IsValidDeviceCookie($cu) {
     $cookiename = Return2FactorName($cu, Get2FactorKeyString(), $this->user->user_name);
     $mfaMode = intval($this->cuAdmin->admininfo['flagset3'] & CuAdmin::CU3_MFA_AUTHCODE);

     // Check if user has confidence word or not
     $mfaDate = $this->user->mfaquest['mfadate'];

     if ($this->user->data['confidence'] != '') {
       $cookiecontent = hash_hmac('sha384', GetDeviceCookieContentString(),trim($this->user->data['passwd']) . trim(strtolower($this->user->data['email'])) . trim(strtolower($this->user->data['confidence'])) . $mfaMode . $mfaDate);
     } else {
       $cookiecontent = hash_hmac('sha384', GetDeviceCookieContentString(),trim($this->user->data['passwd']) . trim(strtolower($this->user->data['email'])) . $mfaMode . $mfaDate);
     }

     if (!empty($_COOKIE[$cookiename]) && $cookiecontent == $_COOKIE[$cookiename] && $this->user->data['freset'] != User::MEM_FORCE_RESET) {
       $return_val = true;
     } else {
       $return_val = false;
     }
     return $return_val;
   }

   /*
   * IsValidMammothDeviceCookie
   *
   * Check to see if the member's old Mammoth device cookie is valid
   * $cu         - Credit Union Code
   * @return bool
   */
   public function IsValidMammothDeviceCookie($cu, $hbenv) {
     $return_val = false;    // assume not valid
     // check if allowed
     if (($this->cuAdmin->admininfo['flagset3'] & CuAdmin::CU3_ALLOW_COOKIE_MIGRATION) > 0 &&
     $this->user->data['freset'] != User::MEM_FORCE_RESET) {
       // get the possible account numbers

       $username = $this->user->data['user_name'];
       $sql = "SELECT DISTINCT ua.accountnumber
               FROM {$cu}user u
               INNER JOIN {$cu}useraccounts ua on ua.user_id = u.user_id
               WHERE u.user_name = '{$username}'";

       $rs = db_query($sql, $hbenv["dbh"]);

       $row = 0;
       while ($aRow = db_fetch_array($rs, $row++)) {
         $thisAccount = $aRow["accountnumber"];
         $mammothCookieName = Return2FactorName($cu, $hbenv['2factorkey'], trim($thisAccount));

         if (isset($_COOKIE[$mammothCookieName])) {
           // check the contents
           $mammothCookieContent = sha1(trim($this->user->data['passwd']) . trim($this->user->data['email']) . trim($this->user->data['confidence']));

           $return_val = $mammothCookieContent == $_COOKIE[$mammothCookieName];

           if ($return_val) {
             // update the cookie for odyssey
             $this->UpdateMammothDeviceCookie($cu, $hbenv, $mammothCookieName);
           }
           // exit the loop
           break;
         }
       }
     }
     return $return_val;
   }

   /*
     * UpdateMammothDeviceCookie
     *
   *
     */
   private function UpdateMammothDeviceCookie($cu, $hbenv, $mammothCookieName){
     // we need to set up some variables the new device cookie will need
     $hbenv["cu"] = $cu;
     $hbenv['confidence'] = trim($this->user->data['confidence']);
     $hbenv["Cn"] = $this->user->data['user_name'];
     $hbenv["Fset3"] = $this->cuAdmin->admininfo['flagset3'];
     $hbenv["savepass"] = $this->user->data["passwd"];
     $hbenv["savemail"] = $this->user->data["email"];

     // remove the old one first in case the cookie names are the same
     $inThePast = time() - 3600 * 24;
     HCU_setcookie_env($hbenv['SYSENV'], $mammothCookieName, "", $inThePast);

     // replace the old device cookie with a new one
     $this->SetLoginDeviceCookie($hbenv);
   }

   /*
  * Function: SetLoginDeviceCookie
  * Purpose:  To manage the 2Factor Device cookie -- At this time it is Browser
  * based
  *
  * @param array hbenv -- The current HB_ENV value
  * @return false
  */
 function SetLoginDeviceCookie($hbenv) {

   $now = time();

   if (sizeof($_COOKIE) > 6
     && !preg_match("/^199.184.207/",$_SERVER['REMOTE_ADDR'])
     && !preg_match("/^192.168/",$_SERVER['REMOTE_ADDR'])) {

     $emsg = "{$_SERVER['REMOTE_ADDR']} {$hbenv['cu']}:{$hbenv['Cn']} " . date('Y-m-d H:i:s') .   " " . sizeof($_COOKIE) .  " Cookies";
     $hbenv['SYSENV']['logger']->warning($emsg);
   }

   // ** Make sure the COOKIES ARE KEPT TO MINIMUM FOR the browser, these add to
   // * size of packet being sent back to server from client

   if (sizeof($_COOKIE) > 23) {
     reset ($_COOKIE);
     $persists = ($now - 3600);
     foreach ($_COOKIE as $cookiename => $cookiecontent) {
       if (!preg_match("/^(Tx_mURI|Ticket|webconnect)/",$cookiename)) {
         HCU_setcookie_env($hbenv['SYSENV'], $cookiename, "", $persists);
       }
     }
   }

   $cookiename = Return2FactorName($hbenv["cu"], Get2FactorKeyString(), $this->user->user_name);
   $mfaMode = intval($this->cuAdmin->admininfo['flagset3'] & CuAdmin::CU3_MFA_AUTHCODE);

   // Check if user has confidence word or not
   $mfaDate = $this->user->mfaquest['mfadate'];

   if ($this->user->data['confidence'] != '') {
     $cookiecontent = hash_hmac('sha384', GetDeviceCookieContentString(),trim($this->user->data['passwd']) . trim(strtolower($this->user->data['email'])) . trim(strtolower($this->user->data['confidence'])) . $mfaMode . $mfaDate);
   } else {
     $cookiecontent = hash_hmac('sha384', GetDeviceCookieContentString(),trim($this->user->data['passwd']) . trim(strtolower($this->user->data['email'])) . $mfaMode . $mfaDate);
   }

   $persists = $now + $hbenv['SYSENV']['ticket']['persists'];

   HCU_setcookie_env($hbenv['SYSENV'], $cookiename, $cookiecontent, $persists);
 }

   /**
    * CreateSessionTicket
    *
    */
   public function CreateSessionTicket($hbenv, $mc, $cu) {
     $hbenv['cu'] = $cu;
     $hbenv['platform'] = $hbenv['platform'];
     $hbenv['Uid'] = $this->user->data['user_id'];
     $hbenv['Cn'] = $this->user->data['user_name'];
     $hbenv['Ce'] = time() + $hbenv['SYSENV']['ticket']['expires'];
     $hbenv['Clw'] = $this->cuAdmin->admininfo['livewait'];
     $hbenv['Clu'] = (empty($this->user->data['lastupdate']) ? $mc->msg("Unknown") : urlencode(trim($this->user->data['lastupdate'])));
     $hbenv['lastupdate'] = (empty($this->user->data['lastupdate']) ? "Unknown" : urlencode(trim($this->user->data['lastupdate'])));
     $hbenv['Fplog'] = (empty($this->user->data['llog']) ? $mc->msg("None") : urlencode(trim($this->user->data['llog'])));
     $hbenv['Fflog'] = (empty($this->user->data['flog']) ? $mc->msg("None") : urlencode(trim($this->user->data['flog'])));
     $hbenv['Ffchg'] = (is_null($this->user->data['fchange']) ? 'N' : $this->user->data['fchange']);
     $hbenv['Ffremain'] = (is_null($this->user->data['fremain']) || $this->user->data['fremain'] == 0 ? $this->cuAdmin->admininfo['grace'] : $this->user->data['fremain']);
     $hbenv['Fmsg_tx'] = $this->user->data['msg_tx'];
     $hbenv['Fset'] = $this->cuAdmin->admininfo['flagset'];
     $hbenv['Fset2'] = $this->cuAdmin->admininfo['flagset2'];
     $hbenv['Fset3'] = $this->cuAdmin->admininfo['flagset3'];
     $hbenv['Fhdays'] = $this->cuAdmin->admininfo['fhdays'];
     $hbenv['Ml'] = $this->user->data['email'];
     $hbenv['Ffreset'] = $this->user->data['freset'];

     // * Add this for use later possibly in 2Factor cookie
     $hbenv['savepass'] = $this->user->data['passwd'];
     $hbenv['savemail'] = $this->user->data['email'];

     // Set the sid at this point.  It is not updated from this point.
     $hbenv["sid"] = strval(time());
     // SET THE MEMBER COOKIE
     $now = time();

     $baseCookie = BuildBaseSessionTicket($hbenv);
     $mycookie = "Ctime=$now&Cn={$this->user->data['user_name']}&Uid={$this->user->data['user_id']}&Ml=" . urlencode($this->user->data['email']) . "&Ca=";

     // ** Check for testmenu param -- If set to 1, then I want to add it to cookie
     // if (intval(HCU_array_key_value('testmenu', $hbenv['HCUPOST'])) == 1) {
     //   $mycookie .= "&testmenu=1";
     // }
     // ** SET THE COOKIE
     SetTicket($hbenv, $baseCookie, $mycookie);
   }

   /*
     * ValidateUser
     *
     * Verify the username and password against the database
     * and log the user in if successful.
     *
     * Arguments:
   * password        - str - The user's password (only passing raw currently)
     * remember_me   - bool - Whether to remember this user or not (not using yet)
   *
     */
     function ValidateUser($password = '', $remember_me = false) {
         if (empty($password)) {
       throw new InvalidArgumentException(static::class . ': Invalid password.');
     }
     // if (!password_verify($password, $this->user->data['passwd'])) {
     //   throw new InvalidArgumentException(static::class . ': Invalid password.');
     // }
     return password_verify($password, $this->user->data['passwd']);
   }

   /*
    * IsMFAMode
    *
    * @return bool
    *
    */
   function IsMFAMode() {
         return boolval($this->cuAdmin->admininfo['flagset3'] & CuAdmin::CU3_MFA_AUTHCODE);
   }


 }

CuAdmin
Definition: CuAdmin.php:7

UserLogin
Definition: UserLogin.php:12

UserLogin\CreateSessionTicket
CreateSessionTicket($hbenv, $mc, $cu)
Definition: UserLogin.php:240

User
Definition: User.php:7