Commit graph

297 commits

Author SHA1 Message Date
VirtualTam
704637bfeb Add test coverage for LoginManager methods
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2018-06-02 16:46:26 +02:00
VirtualTam
ebf6151738 SessionManager: remove unused UID token
There already are dedicated tokens for:
- CSRF protection
- user stay-signed-in feature, via cookie

This token was most likely intended as a randomly generated,
server-side, secret key to be used when generating hashes.

See http://sebsauvage.net/wiki/doku.php?id=php:session [FR]

Relevant section:

  Une clé secrète unique aléatoire est générée côté serveur (et jamais
  envoyée). Elle peut servir pour signer les formulaires (HMAC) ou
  générer des token de formulaires (protection contre XSRF).
  Voir $_SESSION['uid'].

Translation:

  A unique, server-side secret key is randomly generated (and never
  transmitted). It can be used to sign forms (HMAC) or generate form
  tokens (protection against XSRF).
  See $_SESSION['uid']

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2018-06-02 16:46:06 +02:00
VirtualTam
c689e10863 Refactor LoginManager stay-signed-in token management
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2018-06-02 16:46:06 +02:00
VirtualTam
51f0128cdb Refactor session and cookie timeout control
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2018-06-02 16:46:06 +02:00
VirtualTam
fab87c2696 Move LoginManager and SessionManager to the Security namespace
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2018-06-02 16:46:06 +02:00
VirtualTam
68dcaccfa4 LoginManager: remove unused parameter
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2018-06-02 16:46:06 +02:00
VirtualTam
89ccc83ba4 Login: update PageBuilder and default/vintage templates
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2018-06-02 16:46:06 +02:00
VirtualTam
8474208474 Pass the client IP ID to LoginManager
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2018-06-02 16:46:06 +02:00
VirtualTam
c7721487b2 Delegate session operations to SessionManager
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2018-06-02 16:45:54 +02:00
VirtualTam
1b28c66cc7 Document LoginManager properties
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2018-05-29 22:53:54 +02:00
VirtualTam
63ea23c2a6 Refactor user credential validation at login time
Changed:
- move login/password verification to LoginManager
- code cleanup

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2018-05-29 22:53:54 +02:00
VirtualTam
49f1832316 Refactor PHP session handling during login/logout
Changed:
- move $_SESSION handling to SessionManager
- code cleanup

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2018-05-29 22:53:54 +02:00
VirtualTam
db45a36a53 Refactor SessionManager::$INACTIVITY_TIMEOUT
Changed:
- move INACTIVITY_TIMEOUT to SessionManager
- inject a dependency to a SessionManager instance in:
  - fillSessionInfo()
  - setup_login_state()
  - check_auth()
- cleanup related code and comments

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2018-05-29 22:53:54 +02:00
VirtualTam
88110550b8 Refactor client session hijacking protection
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2018-05-29 22:53:54 +02:00
ArthurHoaro
a1b727efb7 Support redirection in cURL download callback 2018-05-01 16:44:51 +02:00
Buster One
7ca124079e German language created (#1114)
* Added german language selection

* German language file created

* typo

* extra space removed and typo corrected

* lines 1314 through 1408 removed as suggested
2018-04-15 14:53:09 +02:00
ArthurHoaro
9b2bd66fb6
Merge pull request #1093 from ArthurHoaro/feature/theme-translation
Load theme translations files automatically
2018-03-26 20:26:10 +02:00
ArthurHoaro
68c6afc56f Load theme translations files automatically
Fixes #1077

Take a look at the docs update to see how it works
2018-03-26 19:20:25 +02:00
ArthurHoaro
4294bc7b98
Merge pull request #1096 from ArthurHoaro/feature/download-params
Make max download size and timeout configurable
2018-03-13 18:02:49 +01:00
ArthurHoaro
4ff3ed1c47 Make max download size and timeout configurable
Fixes #1061
2018-03-07 23:03:21 +01:00
ArthurHoaro
d2d4f993e1 PSR: use elseif instead of else if
See https://www.php-fig.org/psr/psr-2/\#51-if-elseif-else
2018-02-28 22:34:40 +01:00
ArthurHoaro
bc4a0a672c
Merge pull request #1092 from ArthurHoaro/fix/scuttle-doctype-case
Ignore the case while checking DOCTYPE during the file import
2018-02-24 13:29:11 +01:00
ArthurHoaro
980efd6cf8 Use a specific page title in all pages
Also fixed a few French translation issues

Fixes #954 #955
2018-02-24 12:48:49 +01:00
ArthurHoaro
3ff1ce47bc Ignore the case while checking DOCTYPE during the file import
Fixes #1091
2018-02-23 20:34:06 +01:00
VirtualTam
44acf70681 Refactor login / ban authentication steps
Relates to https://github.com/shaarli/Shaarli/issues/324

Added:
- Add the `LoginManager` class to manage logins and bans

Changed:
- Refactor IP ban management
- Simplify logic
- Avoid using globals, inject dependencies

Fixed:
- Use `ban_duration` instead of `ban_after` when setting a new ban

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2018-02-05 18:12:09 +01:00
ArthurHoaro
bc3ce7ec2a
Merge pull request #1038 from ArthurHoaro/feature/public-only-filter
Add a filter to only display public links
2018-02-02 19:22:37 +01:00
ArthurHoaro
28df9fa4f7 INTL_IDNA_VARIANT_2003 is deprecated
See https://wiki.php.net/rfc/deprecate-and-remove-intl_idna_variant_2003
2018-02-02 19:15:47 +01:00
ArthurHoaro
b7c412d4d0 Use LC_COLLATE instead of LC_MESSAGES if php-intl is not installed
As stated in the docs:

> LC_MESSAGES for system responses (available if PHP was compiled with libintl)

Fixes #1067
2018-01-31 12:39:17 +01:00
ArthurHoaro
cb4ddbe4e7 Fix warnings when upgrading from legacy SebSauvage version
Fixes #1040
2018-01-25 19:55:31 +01:00
ArthurHoaro
d2f6d909e5 Public/private filter: use two separate buttons
#1038
2018-01-24 18:46:31 +01:00
ArthurHoaro
d449f79a0d
Merge pull request #977 from ArthurHoaro/feature/dl-filter
Extract the title/charset during page download, and check content type
2018-01-23 18:41:38 +01:00
ArthurHoaro
9d4736a3e9 Add a filter to only display public links
When the key filter is clicked once, it only displays private link. When it is clicked on again, it becomes red and only public links are displayed. Another click and all links are displayed. The current visibility status is shown in the search banner

Fixes #1030
2017-12-16 14:32:56 +01:00
ArthurHoaro
101b935de4
Merge pull request #1025 from ArthurHoaro/hotfix/proxy-443
Force HTTPS if the original port is 443 behind a reverse proxy
2017-12-03 12:46:43 +01:00
ArthurHoaro
8e9fc6f6e6 Force HTTPS if the original port is 443 behind a reverse proxy
Fixes #1022
2017-12-02 15:24:35 +01:00
ArthurHoaro
877491b4ad
Merge pull request #1020 from ArthurHoaro/feature/curl-chunk
Increase buffer size for cURL download
2017-11-26 11:34:44 +01:00
VirtualTam
d9514becc4
Merge pull request #1016 from virtualtam/refactor/session
Improve SessionManager constructor and tests
2017-11-24 23:53:15 +01:00
ArthurHoaro
270da70532 Return true after update ReorderDatastore to complete it 2017-11-11 16:51:10 +01:00
ArthurHoaro
91c807d275 Increase buffer size for cURL download
1kB chunk size has caused me a lot of trouble with Travis which wasn't completing the download
2017-11-11 16:49:57 +01:00
VirtualTam
dd883aaf09 Improve SessionManager constructor and tests
Relates to https://github.com/shaarli/Shaarli/pull/1005

Changed:
- pass a copy of the ConfigManager instance instead of a reference
- move FakeConfigManager to a dedicated file
- update tests

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2017-11-08 20:26:03 +01:00
ArthurHoaro
fd08b50a80 Don't URL encode description links if parameter 'redirector.encode_url' is set to false 2017-11-07 20:23:58 +01:00
ArthurHoaro
d65342e304 Extract the title/charset during page download, and check content type
Use CURLOPT_WRITEFUNCTION to check the response code and content type (only allow HTML).
Also extract the title and charset during downloading chunk of data, and stop it when everything has been extracted.

Closes #579
2017-10-28 14:35:49 +02:00
ArthurHoaro
0926d26390
Merge pull request #962 from ArthurHoaro/feature/perfs2
Performances: reorder links when they're written instead of read
2017-10-28 12:44:44 +02:00
VirtualTam
fd7d84616d Move session ID check to SessionManager
Relates to https://github.com/shaarli/Shaarli/issues/324

Changed:
- `is_session_id_valid()` -> `SessionManager::checkId()`
- update tests

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2017-10-22 19:54:44 +02:00
VirtualTam
ebd650c06c Refactor session token management
Relates to https://github.com/shaarli/Shaarli/issues/324

Added:
- `SessionManager` class to group session-related features
- unit tests

Changed:
- `getToken()` -> `SessionManager->generateToken()`
- `tokenOk()` -> `SessionManager->checkToken()`
- inject a `$token` parameter to `PageBuilder`'s constructor

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2017-10-22 19:19:46 +02:00
ArthurHoaro
6a65bc5798 Translations : Working demo example of translation extension 2017-10-22 13:16:56 +02:00
ArthurHoaro
f39580c6fd Add language selection in the configure page of the default theme 2017-10-22 13:16:53 +02:00
ArthurHoaro
12266213d0 Shaarli's translation
* translation system and unit tests
 * Translations everywhere

Dont use translation merge

It is not available with PHP builtin gettext, so it would have lead to inconsistency.
2017-10-22 12:55:03 +02:00
ArthurHoaro
66e74d50d3 Don't write History for link import
With large imports it has a large impact on performances and isn't really useful.

Instead, write an IMPORT event, which let client using the history service resync its DB.

-> 15k link import done in 6 seconds.

Fixes #985
2017-10-07 16:40:16 +02:00
VirtualTam
c8d96b4729 Merge pull request #979 from ArthurHoaro/feature/assets-cache-version
Add a version hash for asset loading to prevent browser's cache issue
2017-10-06 14:32:07 +02:00
Mark Gerarts
722caa2090 Allow setting of a default note title, see #963 2017-10-01 14:19:57 +02:00