From f8715d54a8d67f8b1b2f429191526f780ab0e045 Mon Sep 17 00:00:00 2001
From: Jocelyn Fiat
Date: Fri, 27 Oct 2017 12:26:21 +0200
Subject: [PATCH] Improved credential validation.
- added `CMS_USER_API.user_with_credential (...): detachable CMS_USER` that check if credential is valid, and return associated user.
- replaced use of `is_valid_credential` by new function `user_with_credential` .
- revisited the session auth, to allow other credential validations (other than ROC CMS auth).
- added CMS_USER_API.credential_validations to allow authenticating with system other than ROC CMS.
Added new permission to allow by-passing the default ROC-CMS user login/register management:
- new permission to edit its own account.
- new permission to edit its own password.
- new permission to view users details (mostly for user managers).
---
library/model/src/user/cms_temp_user.e | 14 ++-
modules/auth/cms_authentication_api.e | 6 +-
modules/auth/cms_authentication_module.e | 100 ++++++++++--------
.../basic_auth/filter/cms_basic_auth_filter.e | 3 +-
.../filter/cms_basic_webapi_auth_filter.e | 3 +-
.../session_auth/cms_session_auth_module.e | 43 ++------
src/modules/core/cms_core_module.e | 2 +-
src/modules/core/cms_user_api.e | 44 ++++++--
.../cms_user_credential_core_validation.e | 60 +++++++++++
.../core/cms_user_credential_validation.e | 28 +++++
.../core/handler/user/cms_user_handler.e | 4 +-
.../handler/user/cms_user_view_response.e | 2 +-
.../persistence/user/cms_user_storage_i.e | 22 +++-
.../persistence/user/cms_user_storage_null.e | 5 +-
.../persistence/user/cms_user_storage_sql_i.e | 54 ++++------
15 files changed, 256 insertions(+), 134 deletions(-)
create mode 100644 src/modules/core/cms_user_credential_core_validation.e
create mode 100644 src/modules/core/cms_user_credential_validation.e
diff --git a/library/model/src/user/cms_temp_user.e b/library/model/src/user/cms_temp_user.e
index 21926a2..c4e82b2 100644
--- a/library/model/src/user/cms_temp_user.e
+++ b/library/model/src/user/cms_temp_user.e @@ -23,12 +23,18 @@ feature -- Access feature -- Element change - set_personal_information (a_personal_information: like personal_information) - -- Assign `personal_information' with `a_personal_information'. + set_personal_information (a_personal_information: detachable READABLE_STRING_GENERAL) + -- Assign `personal_information` with `a_personal_information`. do - personal_information := a_personal_information + if a_personal_information = Void then + personal_information := Void + else + personal_information := a_personal_information.as_string_32 + end ensure - personal_information_assigned: personal_information = a_personal_information + personal_information_assigned: a_personal_information /= Void + implies (attached personal_information as inf and then + a_personal_information.same_string (inf)) end set_salt (a_salt: like salt) diff --git a/modules/auth/cms_authentication_api.e b/modules/auth/cms_authentication_api.e index c617d18..ffdd696 100644 --- a/modules/auth/cms_authentication_api.e +++ b/modules/auth/cms_authentication_api.e @@ -15,7 +15,7 @@ create {CMS_AUTHENTICATION_MODULE} feature -- Token Generation - register_user (u: CMS_TEMP_USER; a_email: READABLE_STRING_8; a_personal_information: READABLE_STRING_8) + register_user (u: CMS_TEMP_USER; a_email: READABLE_STRING_8; a_personal_information: READABLE_STRING_GENERAL) local l_user_api: CMS_USER_API l_url_activate: STRING @@ -24,7 +24,11 @@ feature -- Token Generation es: CMS_AUTHENTICATION_EMAIL_SERVICE do l_user_api := cms_api.user_api + + -- New temp user + u.set_personal_information (a_personal_information) l_user_api.new_temp_user (u) + -- Create activation token l_token := new_token l_user_api.new_activation (l_token, u.id) diff --git a/modules/auth/cms_authentication_module.e b/modules/auth/cms_authentication_module.e index f26b602..d9d49fd 100644 --- a/modules/auth/cms_authentication_module.e +++ b/modules/auth/cms_authentication_module.e 
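Review bot: The new postcondition of `set_personal_information` only constrains the attached case, so a caller passing Void gets no contractual guarantee that `personal_information` is cleared, although the body does clear it. Add the other half: `personal_information_reset: a_personal_information = Void implies personal_information = Void`. The feature is complete within the hunk; `set_salt` that follows it is cut off.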
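Review bot: `register_user` now writes `a_personal_information` onto `u` but leaves `a_email` to the caller, so two parameters describing the same temp user follow different ownership rules; the register handler in `cms_authentication_module.e` still calls `u.set_personal_information` itself, so the value is assigned twice. Either set both fields here (`u.set_email (a_email)` next to the new `set_personal_information` call) or state in the header that `u` must arrive fully populated and `a_personal_information` is only used for the message. The body of `register_user` continues past the hunk.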
@@ -79,8 +79,10 @@ feature -- Access Result.force ("account activate") Result.force ("account reject") Result.force ("account reactivate") + Result.force ("edit own account") Result.force ("change own username") - Result.force ("view user") + Result.force ("change own password") + Result.force ("view users") end auth_api: detachable CMS_AUTHENTICATION_API @@ -303,9 +305,11 @@ feature -- Handler lnk.set_weight (1) r.add_to_primary_tabs (lnk) - create lnk.make ("Edit", "account/edit") - lnk.set_weight (2) - r.add_to_primary_tabs (lnk) + if r.has_permission ("edit own account") then + create lnk.make ("Edit", "account/edit") + lnk.set_weight (2) + r.add_to_primary_tabs (lnk) + end end a_auth_api.cms_api.hooks.invoke_form_alter (f, Void, r) 
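Review bot: The permission `"view user"` is renamed to `"view users"` here, but nothing in the commit migrates stored role grants, so any role that held the old name silently loses access to the pages guarded by `cms_user_handler.e` and `cms_user_view_response.e` after deploy. Either keep the old name as an alias for a release or add an upgrade step that rewrites it; the same applies to the new `"edit own account"` and `"change own password"` entries, which no existing role has, so account editing is switched off for everyone until an administrator grants them. A comment above the list, `-- Renamed from "view user"; existing role grants need migrating`, would at least record the break.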
@@ -327,51 +331,59 @@ feature -- Handler lnk: CMS_LOCAL_LINK l_form: CMS_FORM do - create {GENERIC_VIEW_CMS_RESPONSE} r.make (req, res, a_auth_api.cms_api) - create b.make_empty - l_user := r.user - create l_form.make (r.location, edit_account_form_id) - if attached smarty_template_block (Current, "account_edit", a_auth_api.cms_api) as l_tpl_block then - l_tpl_block.set_weight (-10) - r.add_block (l_tpl_block, "content") - else - debug ("cms") - r.add_warning_message ("Error with block [resources_page]") + if a_auth_api.cms_api.has_permission ("edit own account") then + create {GENERIC_VIEW_CMS_RESPONSE} r.make (req, res, a_auth_api.cms_api) + create b.make_empty + l_user := r.user + create l_form.make (r.location, edit_account_form_id) + if attached smarty_template_block (Current, "account_edit", a_auth_api.cms_api) as l_tpl_block then + l_tpl_block.set_weight (-10) + r.add_block (l_tpl_block, "content") + else + debug ("cms") + r.add_warning_message ("Error with block [resources_page]") + end + -- Build CMS form... end - -- Build CMS form... 
- end - create lnk.make ("View", "account/") - lnk.set_weight (1) - r.add_to_primary_tabs (lnk) + create lnk.make ("View", "account/") + lnk.set_weight (1) + r.add_to_primary_tabs (lnk) - create lnk.make ("Edit", "account/edit") - lnk.set_weight (2) - r.add_to_primary_tabs (lnk) + create lnk.make ("Edit", "account/edit") + lnk.set_weight (2) + r.add_to_primary_tabs (lnk) - if - r.has_permission ("change own username") and then - attached new_change_username_form (r) as f - then - f.append_to_html (r.wsf_theme, b) - end - if attached new_change_profile_name_form (r) as f then - f.append_to_html (r.wsf_theme, b) - end - if attached new_change_password_form (r) as f then - f.append_to_html (r.wsf_theme, b) - end - if attached new_change_email_form (r) as f then - f.append_to_html (r.wsf_theme, b) - end + if + r.has_permission ("change own username") and then + attached new_change_username_form (r) as f + then + f.append_to_html (r.wsf_theme, b) + end + if attached new_change_profile_name_form (r) as f then + f.append_to_html (r.wsf_theme, b) + end - l_form.append_to_html (r.wsf_theme, b) + if + r.has_permission ("change own password") and then + attached new_change_password_form (r) as f + then + f.append_to_html (r.wsf_theme, b) + end + if attached new_change_email_form (r) as f then + f.append_to_html (r.wsf_theme, b) + end - r.set_main_content (b) + l_form.append_to_html (r.wsf_theme, b) - if l_user = Void then - r.set_redirection ("account") + r.set_main_content (b) + + if l_user = Void then + r.set_redirection ("account") + end + r.execute + else + a_auth_api.cms_api.response_api.send_access_denied ("Can not edit your acocunt", req, res) end - r.execute end handle_login (a_auth_api: CMS_AUTHENTICATION_API; req: WSF_REQUEST; res: WSF_RESPONSE) 
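Review bot: The access-denied message `"Can not edit your acocunt"` is user-facing and misspelled; `"Cannot edit your account"`. On the gating itself, only the username and password forms sit behind a dedicated permission, while `new_change_email_form` is shown to anyone holding `"edit own account"`; since the e-mail is also a login identifier accepted by `user_with_credential` and presumably the recovery channel, it is at least as sensitive as the password and deserves the same treatment (a `"change own email"` permission, or re-entering the current password in that form — I cannot see the form's implementation from here). The handler's signature and local declarations start before the hunk.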
@@ -486,14 +498,12 @@ feature -- Handler --| reCaptcha is not setup, so no verification l_captcha_passed := True end - if not l_exist then + if l_captcha_passed and then not l_exist then -- New temp user create u.make (l_name) u.set_email (l_email) u.set_password (l_password) u.set_personal_information (l_personal_information) - l_user_api.new_temp_user (u) - a_auth_api.register_user (u, l_email, l_personal_information) else r.set_value (l_name, "name") diff --git a/modules/basic_auth/filter/cms_basic_auth_filter.e b/modules/basic_auth/filter/cms_basic_auth_filter.e index 1c5094e..27fdea1 100644 --- a/modules/basic_auth/filter/cms_basic_auth_filter.e +++ b/modules/basic_auth/filter/cms_basic_auth_filter.e @@ -35,8 +35,7 @@ feature -- Basic operations attached l_auth.password as l_auth_password then if - api.user_api.is_valid_credential (l_auth_login, l_auth_password) and then - attached api.user_api.user_by_name (l_auth_login) as l_user + attached api.user_api.user_with_credential (l_auth_login, l_auth_password) as l_user then if api.user_has_permission (l_user, {CMS_BASIC_AUTH_MODULE}.perm_use_basic_auth) then debug ("refactor_fixme") diff --git a/modules/basic_auth/filter/cms_basic_webapi_auth_filter.e b/modules/basic_auth/filter/cms_basic_webapi_auth_filter.e index 3c13d91..737edce 100644 --- a/modules/basic_auth/filter/cms_basic_webapi_auth_filter.e +++ b/modules/basic_auth/filter/cms_basic_webapi_auth_filter.e @@ -26,8 +26,7 @@ feature -- Basic operations attached l_auth.password as l_auth_password then if - api.user_api.is_valid_credential (l_auth_login, l_auth_password) and then - attached api.user_api.user_by_name (l_auth_login) as l_user + attached api.user_api.user_with_credential (l_auth_login, l_auth_password) as l_user then if api.user_has_permission (l_user, {CMS_BASIC_AUTH_MODULE}.perm_use_basic_auth) then api.set_user (l_user) 
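Review bot: After folding the captcha result into the condition, the `else` branch serves two different failures, a failed captcha and an already-existing name, and only restores the name field, so a user who merely failed the captcha is likely shown the "exists" outcome (the message itself is outside the hunk). Split them, e.g. `elseif not l_captcha_passed then` with its own message, so the two cases stay distinguishable and the response does not hint whether a name is taken. `u.set_personal_information (l_personal_information)` here is also now redundant with the same call inside `register_user`; keep one. The registration handler starts and ends outside the hunk.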
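Review bot: `user_with_credential` can now return a `CMS_TEMP_USER`: the core validator in `cms_user_credential_core_validation.e` falls back to `temp_user_with_credential`, and the session login in `cms_session_auth_module.e` explicitly rejects that case, but this filter does not, so an account that is not yet activated can authenticate over HTTP Basic and reach `api.set_user` as long as the permission check below passes. Mirror the session module: `attached api.user_api.user_with_credential (l_auth_login, l_auth_password) as l_user and then not attached {CMS_TEMP_USER} l_user`. The surrounding `if` and the filter body continue outside the hunk.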
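Review bot: Same gap as in `cms_basic_auth_filter.e`: `user_with_credential` may return a not-yet-activated `CMS_TEMP_USER` (the core validator falls back to `temp_user_with_credential`), and here the result goes straight to `api.set_user (l_user)` with only the `perm_use_basic_auth` check in between. Add `and then not attached {CMS_TEMP_USER} l_user` to the condition, or give `CMS_USER_API` a variant that excludes pending accounts so every caller does not have to remember this. The filter body continues outside the hunk.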
diff --git a/modules/session_auth/cms_session_auth_module.e b/modules/session_auth/cms_session_auth_module.e
index c33ba1c..2997e56 100644
--- a/modules/session_auth/cms_session_auth_module.e
+++ b/modules/session_auth/cms_session_auth_module.e
@@ -197,38 +197,17 @@ feature {NONE} -- Implementation: routes then l_username_or_email := p_username.value l_password := p_password.value - l_user := api.user_api.user_by_name (l_username_or_email) - if l_user = Void then - l_user := api.user_api.user_by_email (l_username_or_email) - end - if l_user = Void then - l_tmp_user := api.user_api.temp_user_by_name (l_username_or_email) - if l_tmp_user = Void then - l_tmp_user := api.user_api.temp_user_by_email (l_username_or_email) - end - if - l_tmp_user /= Void and then - api.user_api.is_valid_temp_user_credential (l_tmp_user.name, l_password) - then + l_user := api.user_api.user_with_credential (l_username_or_email, l_password) + if l_user /= Void then + if attached {CMS_TEMP_USER} l_user as l_temp_user then create {GENERIC_VIEW_CMS_RESPONSE} r.make (req, res, api) if attached smarty_template_login_block (req, Current, "login", api) as l_tpl_block then l_tpl_block.set_value (l_username_or_email, "username") - l_tpl_block.set_value ("Error: Inactive account (or not yet validated)!", "error") + l_tpl_block.set_value ("Error: the account is inactive, or not yet validated!", "error") r.add_block (l_tpl_block, "content") end else - create {GENERIC_VIEW_CMS_RESPONSE} r.make (req, res, api) - if attached smarty_template_login_block (req, Current, "login", api) as l_tpl_block then - l_tpl_block.set_value (l_username_or_email, "username") - l_tpl_block.set_value ("Wrong username or password ", "error") - r.add_block (l_tpl_block, "content") - end - end - else - l_username := l_user.name - if api.user_api.is_valid_credential (l_username, l_password) then a_session_api.process_user_login (l_user, req, res) - create {GENERIC_VIEW_CMS_RESPONSE} r.make (req, res, api) if attached {WSF_STRING} req.item ("destination") as p_destination and then 
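Review bot: With the lookups collapsed into `user_with_credential`, the locals `l_username` and `l_tmp_user` that the removed lines used appear to have no remaining readers in this routine (their declarations are above the hunk); the compiler will flag them, so drop them. The inactive-account message is only reached after the password has been verified, which is the right order, but a line `-- Credentials are valid; refuse login until the account is activated` above the `attached {CMS_TEMP_USER}` branch would make that explicit. The success branch then redirects to the request-supplied `destination` (handled just past the hunk); I cannot see from here whether that value is restricted to a local path, so confirm it is not an open redirect. The routine starts and ends outside the hunk.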
@@ -239,13 +218,13 @@ feature {NONE} -- Implementation: routes else r.set_redirection ("") end - else - create {GENERIC_VIEW_CMS_RESPONSE} r.make (req, res, api) - if attached smarty_template_login_block (req, Current, "login", api) as l_tpl_block then - l_tpl_block.set_value (l_username_or_email, "username") - l_tpl_block.set_value ("Wrong username or password ", "error") - r.add_block (l_tpl_block, "content") - end + end + else + create {GENERIC_VIEW_CMS_RESPONSE} r.make (req, res, api) + if attached smarty_template_login_block (req, Current, "login", api) as l_tpl_block then + l_tpl_block.set_value (l_username_or_email, "username") + l_tpl_block.set_value ("Wrong username or password ", "error") + r.add_block (l_tpl_block, "content") end end r.execute diff --git a/src/modules/core/cms_core_module.e b/src/modules/core/cms_core_module.e index 5cfe067..24ec7bf 100644 --- a/src/modules/core/cms_core_module.e +++ b/src/modules/core/cms_core_module.e @@ -131,6 +131,7 @@ feature -- Security Result.force ("admin path_alias") Result.force ("edit path_alias") Result.force ("use access_token") + Result.force ("view users") end feature {CMS_EXECUTION} -- Administration @@ -180,7 +181,6 @@ feature -- Hook end end - note copyright: "2011-2017, Jocelyn Fiat, Javier Velilla, Eiffel Software and others" license: "Eiffel Forum License v2 (see http://www.eiffel.com/licensing/forum.txt)" diff --git a/src/modules/core/cms_user_api.e b/src/modules/core/cms_user_api.e index 990354d..7d2dbe8 100644 --- a/src/modules/core/cms_user_api.e +++ b/src/modules/core/cms_user_api.e @@ -29,6 +29,8 @@ feature {NONE} -- Initialization Precursor {CMS_MODULE_API} Precursor {CMS_USER_PROFILE_API} user_storage := storage + create credential_validations.make_caseless (1) + register_credential_validation (create {CMS_USER_CREDENTIAL_CORE_VALIDATION}.make (cms_api, user_storage)) end feature -- Storage 
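Review bot: `"view users"` is now declared in this core permission list and again in the `cms_authentication_module.e` list in the same commit, so the permission is registered from two modules. If both are intentional, a comment on one of them, `-- Also declared by CMS_AUTHENTICATION_MODULE`, would stop the next reader from removing either; otherwise keep only the declaration in the module that owns `cms_user_handler.e`, which is the core.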
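Review bot: `credential_validations` is a hash table that `user_with_credential` walks with `across`, so with more than one registered validator the order in which they are consulted is whatever the table yields and the first non-Void answer wins; I believe ISE's HASH_TABLE keeps insertion order when nothing has been removed, but the code relies on that silently. If the core validator is meant to be asked first (or last, to let an external system take precedence), make the ordering explicit, e.g. keep an `ARRAYED_LIST` of validators next to the table, and say so in the header comment. The creation procedure's signature is above the hunk.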
@@ -233,12 +235,35 @@ feature -- Change User error_handler.append (user_storage.error_handler) end +feature -- Credential validation + + register_credential_validation (a_validation: CMS_USER_CREDENTIAL_VALIDATION) + do + credential_validations.force (a_validation, a_validation.id) + end + + credential_validations: STRING_TABLE [CMS_USER_CREDENTIAL_VALIDATION] + -- Credential validation items, used by `user_validating_credential`. + feature -- Status report - is_valid_credential (a_auth_login, a_auth_password: READABLE_STRING_GENERAL): BOOLEAN - -- Is the credentials `a_auth_login' and `a_auth_password' valid? + user_with_credential (a_user_identifier, a_password: READABLE_STRING_GENERAL): detachable CMS_USER + -- User validating the credential `a_user_identifier` and `a_password`, if any. + -- note: can be used to check if credentials are valid. do - Result := user_storage.is_valid_credential (a_auth_login, a_auth_password) + across + credential_validations as ic + until + Result /= Void + loop + Result := ic.item.user_with_credential (a_user_identifier, a_password) + end + end + + is_valid_credential (a_user_identifier: READABLE_STRING_GENERAL; a_password: READABLE_STRING_GENERAL): BOOLEAN + -- Is the credentials `a_user_identifier' and `a_password' valid? + do + Result := user_with_credential (a_user_identifier, a_password) /= Void end user_has_permission (a_user: detachable CMS_USER; a_permission: detachable READABLE_STRING_GENERAL): BOOLEAN 
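Review bot: The header comment for `credential_validations` refers to `user_validating_credential`, which does not exist; it should read `user_with_credential`. Two things the header of `user_with_credential` should also state: the result may be a `CMS_TEMP_USER` (the core validator falls back to pending accounts), so callers that only want active accounts must check, and consequently `is_valid_credential` now answers True for a not-yet-activated account where the previous storage-backed version did not. `register_credential_validation` uses `force`, so a second registration with id `"core"` silently replaces the built-in validator; guard it with a precondition `not_registered: not credential_validations.has (a_validation.id)` or at least log the replacement.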
@@ -501,10 +526,17 @@ feature -- User status feature -- Access - Temp User - is_valid_temp_user_credential (a_auth_login, a_auth_password: READABLE_STRING_GENERAL): BOOLEAN - -- Is the credentials `a_auth_login' and `a_auth_password' valid? + temp_user_with_credential (a_user_identifier, a_password: READABLE_STRING_GENERAL): detachable CMS_USER + -- Temporary user validating the credential `a_user_identifier` and `a_password`, if any. + -- note: can be used to check if credentials are valid. do - Result := user_storage.is_valid_temp_user_credential (a_auth_login, a_auth_password) + Result := user_storage.temp_user_with_credential (a_user_identifier, a_password) + end + + is_valid_temp_user_credential (a_user_name: READABLE_STRING_GENERAL; a_password: READABLE_STRING_GENERAL): BOOLEAN + -- Is the credentials `a_user_name' and `a_password' valid? + do + Result := temp_user_with_credential (a_user_name, a_password) /= Void end temp_users_count: INTEGER diff --git a/src/modules/core/cms_user_credential_core_validation.e b/src/modules/core/cms_user_credential_core_validation.e new file mode 100644 index 0000000..a1e1594 --- /dev/null +++ b/src/modules/core/cms_user_credential_core_validation.e 
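Review bot: `temp_user_with_credential` is typed `detachable CMS_USER` here although the storage feature it delegates to returns `detachable CMS_TEMP_USER`; returning the precise type lets callers use the temp-user fields without a downcast. Change the signature to `temp_user_with_credential (...): detachable CMS_TEMP_USER` — the covariant result still conforms for callers typed against `CMS_USER`. Both features are complete within the hunk.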
@@ -0,0 +1,60 @@
+note
+ description: "Summary description for {CMS_USER_CREDENTIAL_CORE_VALIDATION}."
+ author: ""
+ date: "$Date$"
+ revision: "$Revision$"
+
+class
+ CMS_USER_CREDENTIAL_CORE_VALIDATION
+
+inherit
+ CMS_USER_CREDENTIAL_VALIDATION
+
+create
+ make
+
+feature {NONE} -- Creation
+
+ make (a_api: CMS_API; a_storage: CMS_USER_STORAGE_I)
+ do
+ user_storage := a_storage
+ cms_api := a_api
+ end
+
+ cms_api: CMS_API
+
+feature -- Access
+
+ id: STRING = "core"
+
+ user_storage: CMS_USER_STORAGE_I
+
+feature -- Status report
+
+ user_with_credential (a_user_identifier: READABLE_STRING_GENERAL; a_password: READABLE_STRING_GENERAL): detachable CMS_USER
+ -- User validating credentials `a_user_identifier` and `a_password`, if any.
+ do
+ -- Check by username, by email
+ -- and also check temp user...
+ Result := user_storage.user_with_credential (a_user_identifier, a_password)
+ if Result = Void and then a_user_identifier.has ('@') then
+ -- Try with email
+ if attached user_storage.user_by_email (a_user_identifier) as u then
+ Result := user_storage.user_with_credential (u.name, a_password)
+ end
+ end
+ if Result = Void then
+ Result := user_storage.temp_user_with_credential (a_user_identifier, a_password)
+ if Result = Void and then a_user_identifier.has ('@') then
+ -- Try with email
+ if attached user_storage.temp_user_by_email (a_user_identifier) as u then
+ Result := user_storage.temp_user_with_credential (u.name, a_password)
+ end
+ end
+ end
+ end
+
+note
+ copyright: "2011-2017, Jocelyn Fiat, Javier Velilla, Eiffel Software and others"
+ license: "Eiffel Forum License v2 (see http://www.eiffel.com/licensing/forum.txt)"
+end
diff --git a/src/modules/core/cms_user_credential_validation.e b/src/modules/core/cms_user_credential_validation.e
new file mode 100644
index 0000000..7c72bd9
--- /dev/null
+++ b/src/modules/core/cms_user_credential_validation.e
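Review bot: The class note is still the editor template, `description: "Summary description for {...}"` with an empty `author`; replace it with the actual contract, something like `description: "Credential validation against the ROC CMS user storage: username or e-mail, active users first, then pending (temp) accounts."`. That last clause matters because `user_with_credential` returns whatever `temp_user_with_credential` finds, and callers such as the basic-auth filters treat any non-Void result as a logged-in user, so the feature's header comment should carry the same warning. The e-mail fallback does two lookups (`user_by_email`, then `user_with_credential (u.name, ...)`), which is fine but deserves a one-line comment saying the name is resolved from the e-mail rather than matched directly.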
@@ -0,0 +1,28 @@
+note
+ description: "[
+ User credential validation.
+ This provides a simple way to add new source for credentials or users management.
+ ]"
+ date: "$Date$"
+ revision: "$Revision$"
+
+deferred class
+ CMS_USER_CREDENTIAL_VALIDATION
+
+feature -- Access
+
+ id: STRING
+ deferred
+ end
+
+feature -- Status report
+
+ user_with_credential (a_user_identifier: READABLE_STRING_GENERAL; a_password: READABLE_STRING_GENERAL): detachable CMS_USER
+ -- User validating credential `a_user_identifier` and `a_password`, if any.
+ deferred
+ end
+
+note
+ copyright: "2011-2017, Jocelyn Fiat, Javier Velilla, Eiffel Software and others"
+ license: "Eiffel Forum License v2 (see http://www.eiffel.com/licensing/forum.txt)"
+end
diff --git a/src/modules/core/handler/user/cms_user_handler.e b/src/modules/core/handler/user/cms_user_handler.e
index 49e64d9..1cb4752 100644
--- a/src/modules/core/handler/user/cms_user_handler.e
+++ b/src/modules/core/handler/user/cms_user_handler.e
@@ -83,9 +83,9 @@ feature -- HTTP Methods local l_user: detachable CMS_USER do - if api.has_permission ("view user") then - -- Display existing node + if api.has_permission ("view users") then l_user := user_path_parameter (req) + -- Display existing node if l_user /= Void then
diff --git a/src/modules/core/handler/user/cms_user_view_response.e b/src/modules/core/handler/user/cms_user_view_response.e
index bb97275..5ac304c 100644
--- a/src/modules/core/handler/user/cms_user_view_response.e
+++ b/src/modules/core/handler/user/cms_user_view_response.e
@@ -52,7 +52,7 @@ feature -- Process attached associated_user as l_user then if - api.has_permission ("view user") + api.has_permission ("view users") or l_user.same_as (user) -- Same user then f := new_view_form (l_user, request.request_uri, "view-user")
diff --git a/src/modules/core/persistence/user/cms_user_storage_i.e b/src/modules/core/persistence/user/cms_user_storage_i.e
index c13b5bd..9901517 100644
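Review bot: The deferred `user_with_credential` gives implementers no contract: its header should say that Void means the credential is rejected and that callers should not be able to tell an unknown identifier from a wrong password, that the result may be a pending `CMS_TEMP_USER`, and that `id` must be unique among registered validators because `CMS_USER_API` keys its table on it and replaces on collision. A `require` on the deferred feature, `identifier_not_empty: not a_user_identifier.is_empty` and `password_not_empty: not a_password.is_empty`, would also stop implementers from being probed with empty credentials. The class is complete within the hunk.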
--- a/src/modules/core/persistence/user/cms_user_storage_i.e +++ b/src/modules/core/persistence/user/cms_user_storage_i.e @@ -70,11 +70,18 @@ feature -- Access password: Result /= Void implies (Result.hashed_password /= Void and Result.password = Void) end - is_valid_credential (a_u, a_p: READABLE_STRING_GENERAL): BOOLEAN - -- Does account with username `a_username' and password `a_password' exist? + user_with_credential (a_user_name, a_password: READABLE_STRING_GENERAL): detachable CMS_USER + -- User validating the credential `a_user_name` and `a_password`, if any. + -- note: can be used to check if credentials are valid. deferred end + is_valid_credential (a_username, a_password: READABLE_STRING_GENERAL): BOOLEAN + -- Does account with username `a_username' and password `a_password' exist? + do + Result := user_with_credential (a_username, a_password) /= Void + end + users_count: INTEGER -- Number of users deferred @@ -212,11 +219,18 @@ feature -- Change: User password recovery feature -- Access: Temp Users - is_valid_temp_user_credential (a_u, a_p: READABLE_STRING_GENERAL): BOOLEAN - -- Does temp account with username `a_username' and password `a_password' exist? + temp_user_with_credential (a_user_identifier, a_password: READABLE_STRING_GENERAL): detachable CMS_TEMP_USER + -- Temp user validating the credential `a_user_identifier` and `a_password`, if any. + -- note: can be used to check if credentials are valid. deferred end + is_valid_temp_user_credential (a_username, a_password: READABLE_STRING_GENERAL): BOOLEAN + -- Does temp account with username `a_username' and password `a_password' exist? + do + Result := temp_user_with_credential (a_username, a_password) /= Void + end + temp_users_count: INTEGER -- Number of pending users --! to be accepted or rejected diff --git a/src/modules/core/persistence/user/cms_user_storage_null.e b/src/modules/core/persistence/user/cms_user_storage_null.e index 0ff2f52..3945b13 100644 
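Review bot: The parameter naming of the two new deferred features disagrees: `user_with_credential` takes `a_user_name` while `temp_user_with_credential` takes `a_user_identifier`, yet the SQL implementation resolves both by name only (`user_by_name` / `temp_user_by_name`) and e-mail handling lives in `CMS_USER_CREDENTIAL_CORE_VALIDATION`. Name both `a_user_name` and say so in the header, `-- `a_user_name` is matched by username only; e-mail resolution is the caller's job`, so a future storage does not start accepting e-mails here and create two paths with different rules. The deferred features and their `is_valid_*` wrappers are complete within their hunks.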
--- a/src/modules/core/persistence/user/cms_user_storage_null.e +++ b/src/modules/core/persistence/user/cms_user_storage_null.e @@ -41,7 +41,7 @@ feature -- Access: user do end - is_valid_credential (l_auth_login, l_auth_password: READABLE_STRING_GENERAL): BOOLEAN + user_with_credential (a_user_name, a_password: READABLE_STRING_GENERAL): detachable CMS_USER do end @@ -147,7 +147,8 @@ feature -- Change: User password recovery feature -- Access: Users - is_valid_temp_user_credential (l_auth_login, l_auth_password: READABLE_STRING_GENERAL): BOOLEAN + temp_user_with_credential (a_user_name, a_password: READABLE_STRING_GENERAL): detachable CMS_TEMP_USER + -- do end diff --git a/src/modules/core/persistence/user/cms_user_storage_sql_i.e b/src/modules/core/persistence/user/cms_user_storage_sql_i.e index 330b5f0..ec69c66 100644 --- a/src/modules/core/persistence/user/cms_user_storage_sql_i.e +++ b/src/modules/core/persistence/user/cms_user_storage_sql_i.e 
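Review bot: `temp_user_with_credential` in the null storage carries a dangling `--` header comment; either fill it in, `-- Always Void: the null storage holds no users.`, or drop the line, and give `user_with_credential` above it the same one-liner for symmetry. Both stubs are complete within their hunks.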
@@ -149,23 +149,17 @@ feature -- Access: user sql_finalize_query (select_user_by_password_token) end - is_valid_credential (a_auth_login, a_auth_password: READABLE_STRING_GENERAL): BOOLEAN - local - l_security: SECURITY_PROVIDER + user_with_credential (a_user_name, a_password: READABLE_STRING_GENERAL): detachable CMS_USER do - if attached user_salt (a_auth_login) as l_hash then - if attached user_by_name (a_auth_login) as l_user then - create l_security - if - attached l_user.hashed_password as l_hashed_password and then - l_security.password_hash (a_auth_password, l_hash).is_case_insensitive_equal (l_hashed_password) - then - Result := True - else - write_information_log (generator + ".is_valid_credential User: wrong username or password" ) - end - else - write_information_log (generator + ".is_valid_credential User:" + a_auth_login + "does not exist" ) + if + attached user_by_name (a_user_name) as l_user and then + attached user_salt (a_user_name) as l_hash + then + if + attached l_user.hashed_password as l_hashed_password and then + (create {SECURITY_PROVIDER}).password_hash (a_password, l_hash).is_case_insensitive_equal (l_hashed_password) + then + Result := l_user end end end 
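Review bot: The rewrite drops both `write_information_log` calls, so a wrong password or unknown username no longer leaves any trace at this layer, and nothing else in the commit adds logging in the callers; brute-force and credential-stuffing attempts become invisible to operators. Keep one `write_information_log (generator + ".user_with_credential: authentication failed for " + a_user_name)` on the failure path (the name only, never the password). The hash comparison via `is_case_insensitive_equal` is also an early-exit string compare whose timing depends on how many leading characters match; a fixed-time comparison, if `SECURITY_PROVIDER` offers one, would be the safer primitive, though with salted hashes the practical exposure is low. The feature is complete within the hunk.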
@@ -1064,23 +1058,19 @@ feature {NONE} -- User Password Recovery feature -- Acess: Temp users - is_valid_temp_user_credential (a_auth_login, a_auth_password: READABLE_STRING_GENERAL): BOOLEAN - local - l_security: SECURITY_PROVIDER + temp_user_with_credential (a_user_name, a_password: READABLE_STRING_GENERAL): detachable CMS_TEMP_USER + -- Temp user validating the credential `a_user_name` and `a_password`, if any. + -- note: can be used to check if credentials are valid. do - if attached temp_user_salt (a_auth_login) as l_hash then - if attached temp_user_by_name (a_auth_login) as l_user then - create l_security - if - attached l_user.hashed_password as l_hashed_password and then - l_security.password_hash (a_auth_password, l_hash).is_case_insensitive_equal (l_hashed_password) - then - Result := True - else - write_information_log (generator + ".is_valid_temp_user_credential User: wrong username or password" ) - end - else - write_information_log (generator + ".is_valid_temp_user_credential User:" + a_auth_login + "does not exist" ) + if + attached temp_user_by_name (a_user_name) as l_user and then + attached temp_user_salt (a_user_name) as l_hash + then + if + attached l_user.hashed_password as l_hashed_password and then + (create {SECURITY_PROVIDER}).password_hash (a_password, l_hash).is_case_insensitive_equal (l_hashed_password) + then + Result := l_user end end end
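Review bot: As with `user_with_credential` above, the failure logging is gone, so failed attempts against pending accounts leave no trace; restore one `write_information_log` on the Void path, logging the name only. The two features are now textually identical apart from the `temp_` lookups, which invites a private helper such as `is_password_matching (a_user: CMS_USER; a_salt, a_password: READABLE_STRING_GENERAL): BOOLEAN` wrapping the `SECURITY_PROVIDER` call, so a future fix to the comparison lands in one place. The feature is complete within the hunk, which is the last one shown.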