From cf0163f2214b4136059afedcd25f168a1eb596bb Mon Sep 17 00:00:00 2001 From: Ivan Diaz Date: Tue, 2 Feb 2016 18:41:10 -0300 Subject: [PATCH] [Ivan Diaz] - Some improvements to login/session system --- server/controllers/user.php | 39 ++++++++++++++++++++++++------------- server/models/ERRORS.php | 1 + server/models/Session.php | 16 +++++++++++---- server/models/User.php | 14 +++++++++++++ 4 files changed, 52 insertions(+), 18 deletions(-) diff --git a/server/controllers/user.php b/server/controllers/user.php index 66fdf2f4..13eb400d 100644 --- a/server/controllers/user.php +++ b/server/controllers/user.php 
@@ -5,36 +5,47 @@ $app->group('/user', function () use ($app) { echo "Returns the user with $by = $value as a json"; }); - //TODO: THIS METHOD CAN BE ONLY USED IF IT IS LOGIN AS ADMIN - $app->get('/add/:email/:pass', function ($email, $pass) use ($app) { + $app->post('/create', function () use ($app) { + $email = Controller::request('email'); + $password = Controller::request('password'); + $userInstance = new User(); $userInstance->setProperties(array( 'email' => $email, - 'password' => $pass, + 'password' => User::hashPassword($password), 'admin' => 0 )); - $id = $userInstance->store(); + $userId = $userInstance->store(); + Response::respondSuccess(array( - 'id' => $id + 'userId' => $userId, + 'userEmail' => $email )); }); $app->post('/login', function () use ($app) { + $session = Session::getInstance(); + $email = Controller::request('email'); $password = Controller::request('password'); - if ($userInstance = User::getUser($email, 'email')) { - $pass = $userInstance->password; + if ($session->sessionExists()) { + Response::respondError(ERRORS::SESSION_EXISTS); } - else { + + $userInstance = User::authenticate($email, $password); + + if (!$userInstance) { Response::respondError(ERRORS::INVALID_CREDENTIALS); } - if ($userInstance->password === $password) { - Response::respondSuccess(); - } - else { - Response::respondError(ERRORS::INVALID_CREDENTIALS); - } + $session->createSession($userInstance->id); + + Response::respondSuccess(array( + 'userId' => $userInstance->id, + 'userEmail' => $userInstance->email, + 'userIsAdmin' => $userInstance->admin, + 'token' => $session->getToken() + )); }); }); \ No newline at end of file diff --git a/server/models/ERRORS.php b/server/models/ERRORS.php index 177ef3b8..144914e9 100644 --- a/server/models/ERRORS.php +++ b/server/models/ERRORS.php @@ -1,4 +1,5 @@ store('userid', $userId); + $this->store('userId', $userId); $this->store('token', $this->generateToken()); } 
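Review bot: In the `/login` handler neither `Response::respondError(ERRORS::SESSION_EXISTS)` nor `Response::respondError(ERRORS::INVALID_CREDENTIALS)` is followed by a `return`, so unless `respondError` terminates the request (not visible in this hunk) the closure continues into `$session->createSession($userInstance->id)` with a null `$userInstance` and then emits a second, success response; add `return;` directly after each `respondError` call. The new `/create` endpoint also drops the removed TODO's admin-only restriction without replacing it with a check, so any unauthenticated caller can now create an account; the handler should verify the current session belongs to an admin before `store()` is reached. The `$app->group('/user', ...)` callback that encloses both routes starts before this hunk.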
@@ -30,17 +30,25 @@ class Session { return $this->getStoredData('token'); } + public function sessionExists() { + return !!$this->getToken(); + } + public function checkAuthentication($data) { - return $this->getStoredData('user_id') === $data['user_id'] && + return $this->getStoredData('userId') === $data['userId'] && $this->getStoredData('token') === $data['token']; } + public function isLoggedWithId($userId) { + return ($this->getStoredData('userId') === $userId); + } + private function store($key, $value) { $_SESSION[$key] = $value; } private function getStoredData($key) { - return $_SESSION[$key]; + return $_SESSION[$key] || null; } private function generateToken() { diff --git a/server/models/User.php b/server/models/User.php index d0ed827a..3837c072 100644 --- a/server/models/User.php +++ b/server/models/User.php @@ -3,6 +3,20 @@ class User extends DataStore { const TABLE = 'users'; + public static function hashPassword($password) { + return password_hash($password); + } + + public static function verifyPassword($password, $hash) { + return password_verify($password, $hash); + } + + public static function authenticate($userEmail, $userPassword) { + $user = static::getUser($userEmail, 'email'); + + return ($user && static::verifyPassword($userPassword, $user->password)) ? $user : null; + } + public static function getProps() { return array( 'email',
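Review bot: `return $_SESSION[$key] || null;` in `getStoredData` returns a boolean, because PHP's `||` yields `true`/`false` rather than its operand; `getToken()` will therefore return `true` instead of the token string, `checkAuthentication` and `isLoggedWithId` compare `true` against the caller's values, and the login response carries `'token' => true`. Use `return isset($_SESSION[$key]) ? $_SESSION[$key] : null;`, which also avoids the undefined-index notice for a key that was never stored. Once a real token is returned, the token comparison in `checkAuthentication` should be `hash_equals($this->getStoredData('token'), (string) $data['token'])` (PHP 5.6+) so it does not leak timing information.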
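Review bot: `password_hash($password)` in `hashPassword` omits the required algorithm argument, so on PHP 5.5–7 it emits a warning and returns `null` (PHP 8 throws an `ArgumentCountError`); every account created through this path would store an empty hash and `authenticate` could never succeed. Change it to `return password_hash($password, PASSWORD_DEFAULT);`. `authenticate` is otherwise sound, but a short docblock stating that it returns the `User` row on a match and `null` otherwise would help callers, and calling `password_needs_rehash()` after a successful verify would let stored hashes follow the default algorithm over time.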