diff --git a/api/functions.php b/api/functions.php
index b0e6d09..1f41d85 100644
--- a/api/functions.php
+++ b/api/functions.php
@@ -55,24 +55,22 @@ function authenticate(): bool {
 global $VARS;
 // HTTP basic auth
 if (!empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_PW'])) {
- $user = User::byUsername($_SERVER['PHP_AUTH_USER']);
- if (!$user->checkPassword($_SERVER['PHP_AUTH_PW'])) {
- return false;
- }
- return true;
- }
- // Form auth
- if (empty($VARS['username']) || empty($VARS['password'])) {
- return false;
- } else {
+ $username = $_SERVER['PHP_AUTH_USER'];
+ $password = $_SERVER['PHP_AUTH_PW'];
+ } else if (!empty($VARS['username']) && !empty($VARS['password'])) {
 $username = $VARS['username'];
 $password = $VARS['password'];
- $user = User::byUsername($username);
- if ($user->exists() !== true || Login::auth($username, $password) !== Login::LOGIN_OK) {
- return false;
- }
+ } else {
+ return false;
+ }
+ $user = User::byUsername($username);
+ if (!$user->exists()) {
+ return false;
+ }
+ if ($user->checkPassword($password, true)) {
+ return true;
 }
- return true;
+ return false;
 }
 
 /**
diff --git a/lib/User.lib.php b/lib/User.lib.php
index 763acc5..adaeb28 100644
--- a/lib/User.lib.php
+++ b/lib/User.lib.php
@@ -88,10 +88,11 @@ class User {
 /**
 * Check the given plaintext password against the stored hash.
 * @param string $password
+ * @param bool $apppass Set to true to enforce app passwords when 2fa is on.
 * @return bool
 */
- function checkPassword(string $password): bool {
- $resp = AccountHubApi::get("auth", ['username' => $this->username, 'password' => $password]);
+ function checkPassword(string $password, bool $apppass = false): bool {
+ $resp = AccountHubApi::get("auth", ['username' => $this->username, 'password' => $password, 'apppass' => ($apppass ? "1" : "0")]);
 if ($resp['status'] == "OK") {
 return true;
 } else {
@@ -99,6 +100,7 @@ class User {
 }
 }
 
+ function check2fa(string $code): bool {
 if (!$this->has2fa) {
 return true;
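Review bot: Both credential branches still gate on `!empty()`, which treats the string `"0"` as absent, so a username or password that is literally `0` is rejected before `checkPassword` is ever reached; `} else if (isset($VARS['username'], $VARS['password']) && $VARS['username'] !== '' && $VARS['password'] !== '') {` (and the same shape for the `$_SERVER` pair) keeps the presence check without that hole. The form path no longer goes through `Login::auth()`; if that helper did more than verify the password (account state, lockout), those checks are dropped here and should be confirmed against its implementation. The early `return false` on `!$user->exists()` also returns before the remote `checkPassword` call, so unknown and known usernames may be distinguishable by response time if `exists()` is cheaper than the auth call — worth a comment, or routing both failures through the same path. The `authenticate()` signature sits above this hunk, so the function starts outside it.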
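Review bot: The new `$apppass` parameter defaults to `false`, so every existing `checkPassword($pw)` caller keeps skipping the app-password enforcement this commit adds for the API path; the remaining call sites (or the default) should be audited, and the docblock should say why the flag matters, e.g. `@param bool $apppass Sent to AccountHub as 'apppass'; when true the service enforces app passwords for 2FA-enabled accounts, so pass true on every externally reachable login path.` The method declaration still carries no visibility keyword; `public function checkPassword(string $password, bool $apppass = false): bool {` is the PER-CS form. The `$resp['status'] == "OK"` comparison on the following context line should be `===`, and a response with no `status` key currently reaches the `else` branch only after an undefined-index notice — fail-closed, but worth a one-line comment stating that. The method body continues past the end of this hunk.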