Fixed #295 -- Ajustar mecanismo de autenticação padrão

README.md

@@ -1,5 +1,28 @@
-# Virtual Health Library's Services Platform
+Virtual Health Library's Services Platform
+==========================================
 
 The VHL's Services Platform aims to provide functionality and custom services to the users and applications members of the Virtual Health Library.
 
 Based on a distributed computing concept, the VHL's Services Platform consists on a server side module and a client side module that interoperate through the web services technology.
+
+Generate encryption keys
+------------------------
+
+Generate the `PRIVATE_KEY`:
+
+```
+$ php -r 'echo base64_encode(random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES)) . PHP_EOL; ?>'
+```
+
+Generate the `INDEX_KEY`:
+
+```
+$ php -r 'echo base64_encode(random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES)) . PHP_EOL; ?>'
+```
+
+Copy the keys and add/change the following settings in the system configuration files (`client/config.php` and `server/config.php`):
+
+```
+define('PRIVATE_KEY',''); // add PRIVATE_KEY here
+define('INDEX_KEY','');   // add INDEX_KEY here
+```

client/business/authentication.php

@@ -57,7 +57,7 @@
 
             $result = Authentication::loginUser($userID,$userPass);
 
-            if (($result["status"] !== false) && ($result !== false)){
+            if ( $result !== false && is_array($result) && array_key_exists('status', $result) && $result["status"] !== false ){
                 $_SESSION["sysUID"] = $result["sysUID"];
                 $_SESSION["userTK"] = $result["userTK"];
                 $_SESSION["userID"] = $result["userID"];

client/business/widgets.php

@@ -57,7 +57,7 @@
 //$resources = OER::get_resources($oer_query);
 
 // My Searches widget
-$obj = new MySearches($_SESSION["userTK"]);
-$retParams = $obj->getParams();
-$searches = $obj->getSearchList($retParams['userID'], $params);
+// $obj = new MySearches($_SESSION["userTK"]);
+// $retParams = $obj->getParams();
+// $searches = $obj->getSearchList($retParams['userID'], $params);
 ?>

client/classes/Authentication.php

@@ -26,8 +26,8 @@ public static function loginUser($userID,$userPass,$socialMedia=array()){
 
         if(!empty($userID) && !empty($userPass)){
             /* encrypt login params using a public key */
-            $cUserID = Crypt::encrypt(trim($userID));
-            $cUserPass = Crypt::encrypt(trim($userPass));
+            $cUserID = Security::encrypt(trim($userID));
+            $cUserPass = Security::encrypt(trim($userPass));
 
             try{
                 $objSoapClient = new SoapClient(null,
@@ -52,7 +52,7 @@ public static function loginUser($userID,$userPass,$socialMedia=array()){
     public static function createNewPassword($userID){
         $retValue = false;
 
-        $cUserID = Crypt::encrypt(trim($userID));
+        $cUserID = Security::encrypt(trim($userID));
 
         if(!empty($cUserID)){
             try{

client/classes/Tools.php

@@ -150,12 +150,13 @@ function build(){
 class Token {
 
     public static function makeUserTK($userID,$userPass,$userSource){
-        return Crypt::encrypt($userID.CRYPT_SEPARATOR.$userPass.CRYPT_SEPARATOR.$userSource, CRYPT_PUBKEY);
+        $token = Security::encrypt($userID.CRYPT_SEPARATOR.$userPass.CRYPT_SEPARATOR.$userSource);
+        return $token;
     }
 
     public static function unmakeUserTK($userTK, $force=null){
         $retValue = false;
-        $tmp1 = explode(CRYPT_SEPARATOR,Crypt::decrypt($userTK, CRYPT_PUBKEY));
+        $tmp1 = explode(CRYPT_SEPARATOR, Security::decrypt($userTK));
         $valid_email = filter_var($tmp1[0], FILTER_VALIDATE_EMAIL);
 
         if($force === true){
@@ -429,4 +430,28 @@ public static function get_highlights() {
 
 }
 
+class Security {
+
+    public static function encrypt($data)
+    {
+        $key        = base64_decode(PRIVATE_KEY);
+        $nonce      = base64_decode(INDEX_KEY);
+        $ciphertext = sodium_crypto_secretbox($data, $nonce, $key);
+        $encoded    = base64_encode($nonce . $ciphertext);
+
+        return $encoded;
+    }
+
+    public static function decrypt($data)
+    {
+        $key        = base64_decode(PRIVATE_KEY);
+        $decoded    = base64_decode($data);
+        $nonce      = mb_substr($decoded, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES, '8bit');
+        $ciphertext = mb_substr($decoded, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES, null, '8bit');
+        $decoded    = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
+
+        return mb_convert_encoding($decoded, 'UTF-8', 'ISO-8859-1');
+    }
+}
+
 ?>

client/config.php.template

@@ -72,6 +72,8 @@ define("REGEXP_EMAIL","/^[a-z_][a-z0-9_\.]+@[a-z0-9]+(\.[a-z0-9_]+)+$/i");
 /* MCRYPT */
 define('CRYPT_PUBKEY','biremepublicckey'); /* public */
 define('CRYPT_SEPARATOR','');
+define('PRIVATE_KEY','');
+define('INDEX_KEY','');
 
 /* TRIGRAMAS */
 define('DEFAULT_TRIGRAMAS_MODE','LILACS.orgiahx'); /* LILACS.orgiahx|SciELO.orgiahx */

client/includes/queryStringParser.php

@@ -13,11 +13,10 @@
  * Edit this file in UTF-8 - Test String "áéíóú"
  */
 $queryString = strpos($_SERVER['REQUEST_URI'],'controller');
-$queryString = substr($_SERVER['REQUEST_URI'],$queryString
-    ,strlen($_SERVER['REQUEST_URI']));
+$queryString = substr($_SERVER['REQUEST_URI'],$queryString,strlen($_SERVER['REQUEST_URI']));
 $queryString = explode("/",$queryString);
 
-for ($i=0 ; $i<count($queryString) ; $i++){
+for ($i=0; $i<count($queryString); $i++){
     if ($i === 0){
         $_REQUEST["action"]=$queryString[$i+1];
     }else{

client/templates/default/authentication.tpl.php

@@ -49,7 +49,11 @@
                             <span class="helper-text red-text error-text"><?php echo $trans->getTrans($_REQUEST["action"],'INTERNAL_SERVER_ERROR'); ?></span>
                         <?php endif; ?>
                         <?php if ($response['values']['status'] === false) : ?>
-                            <span class="helper-text red-text error-text"><?php echo $trans->getTrans($_REQUEST["action"],'INVALID_LOGIN'); ?></span>
+                            <?php if (array_key_exists('error', $response['values']) && 'nopass' == $response['values']['error']) : ?>
+                                <span class="helper-text red-text error-text"><?php echo $trans->getTrans($_REQUEST["action"],'NO_PASS'); ?></span>
+                            <?php else : ?>
+                                <span class="helper-text red-text error-text"><?php echo $trans->getTrans($_REQUEST["action"],'INVALID_LOGIN'); ?></span>
+                            <?php endif; ?>
                         <?php endif; ?>
                         <?php if ($response['values']['birLDAP'] === false) : ?>
                             <span class="helper-text red-text error-text"><?php echo $trans->getTrans($_REQUEST["action"],'BIREME_LOGIN_LDAP'); ?></span>

client/templates/default/header.tpl.php

@@ -69,7 +69,7 @@
 
         // Password page link
         $password_page = "";
-        if ( empty($_SESSION["source"]) || 'ldap' == $_SESSION["source"] ) {
+        if ( empty($_SESSION["source"]) || ('default' == $_SESSION["source"] || 'ldap' == $_SESSION["source"]) ) {
             $password_page = SERVICES_PLATFORM_DOMAIN . "/pub/changePassword.php?userTK=" . urlencode($_SESSION["userTK"]) . "&c=" . $b64HttpHost;
         }
 

client/templates/default/more.tpl.php

@@ -31,7 +31,7 @@
 		<a href="#email"><span class="white-text email"><?php echo $_SESSION["userID"]; ?></span></a>
 	</div></li>
 	<li><a href="<?php echo SERVICES_PLATFORM_DOMAIN; ?>/pub/userData.php?userTK=<?php echo urlencode($_SESSION["userTK"]); ?>&c=<?php echo $b64HttpHost; ?>"><?php echo $trans->getTrans('menu','MY_DATA'); ?></a></li>
-	<?php if ( empty($_SESSION["source"]) || 'ldap' == $_SESSION["source"] ) : ?>
+	<?php if ( empty($_SESSION["source"]) || ('default' == $_SESSION["source"] || 'ldap' == $_SESSION["source"]) ) : ?>
 	<li><a href="<?php echo SERVICES_PLATFORM_DOMAIN; ?>/pub/changePassword.php?userTK=<?php echo urlencode($_SESSION["userTK"]); ?>&c=<?php echo $b64HttpHost; ?>"><?php echo $trans->getTrans('menu','CHANGE_PASSWORD'); ?></a></li>
 	<?php endif; ?>
 	<li><a href="<?php echo RELATIVE_PATH; ?>/controller/tutorial/control/business"><?php echo $trans->getTrans('menu','TUTORIALS'); ?></a></li>

client/templates/default/nav.tpl.php

@@ -13,7 +13,7 @@
 		<a href='#' id="usuario" class='customize dropdown-trigger' data-target='perfil'><i class="material-icons">face</i> <?php echo $_SESSION["userFirstName"]; ?></a>
 		<ul id='perfil' class='dropdown-content' style="min-width: 200px !important;">
 			<li><a href="<?php echo SERVICES_PLATFORM_DOMAIN; ?>/pub/userData.php?userTK=<?php echo urlencode($_SESSION["userTK"]); ?>&c=<?php echo $b64HttpHost; ?>"><?php echo $trans->getTrans('menu','MY_DATA'); ?></a></li>
-			<?php if ( empty($_SESSION["source"]) || 'ldap' == $_SESSION["source"] ) : ?>
+			<?php if ( empty($_SESSION["source"]) || ('default' == $_SESSION["source"] || 'ldap' == $_SESSION["source"]) ) : ?>
 			<li><a href="<?php echo SERVICES_PLATFORM_DOMAIN; ?>/pub/changePassword.php?userTK=<?php echo urlencode($_SESSION["userTK"]); ?>&c=<?php echo $b64HttpHost; ?>"><?php echo $trans->getTrans('menu','CHANGE_PASSWORD'); ?></a></li>
 			<?php endif; ?>
 			<li><a href="<?php echo RELATIVE_PATH; ?>/controller/tutorial/control/business"><?php echo $trans->getTrans('menu','TUTORIALS'); ?></a></li>

client/templates/myvhl/header.tpl.php

@@ -66,7 +66,7 @@
 
         // Password page link
         $password_page = "";
-        if ( empty($_SESSION["source"]) || 'ldap' == $_SESSION["source"] ) {
+        if ( empty($_SESSION["source"]) || ( 'default' == $_SESSION["source"] || 'ldap' == $_SESSION["source"] ) ) {
             $password_page = SERVICES_PLATFORM_DOMAIN . "/pub/changePassword.php?userTK=" . urlencode($_SESSION["userTK"]) . "&c=" . $b64HttpHost;
         }
 

client/templates/myvhl/sidebar.tpl.php

@@ -127,7 +127,7 @@
                     </a>
                     <ul class="dropdown-menu dropdown-usermenu pull-right" style="width: 100%;">
                       <li><a href="<?=SERVICES_PLATFORM_DOMAIN?>/pub/userData.php?userTK=<?=urlencode($_SESSION["userTK"])?>&c=<?=$b64HttpHost?>"><?=$trans->getTrans('menu','MY_DATA')?></a></li>
-                      <?php if ( empty($_SESSION["source"]) || 'ldap' == $_SESSION["source"] ) : ?>
+                      <?php if ( empty($_SESSION["source"]) || ( 'default' == $_SESSION["source"] || 'ldap' == $_SESSION["source"] ) ) : ?>
                       <li><a href="<?=SERVICES_PLATFORM_DOMAIN?>/pub/changePassword.php?userTK=<?=urlencode($_SESSION["userTK"])?>&c=<?=$b64HttpHost?>"><?=$trans->getTrans('menu','CHANGE_PASSWORD')?></a></li>
                       <?php endif; ?>
                       <?php if ( 'menu' == $_REQUEST["action"] ) : ?>

client/translations/en/Translations.php

@@ -50,6 +50,7 @@ public function translations(){
         self::$trans["authentication"]["PASSWORD"] = 'Password';
         self::$trans["authentication"]["PRESS_HERE"] = 'click here';
         self::$trans["authentication"]["INVALID_LOGIN"] = 'password/user not valid';
+        self::$trans["authentication"]["NO_PASS"] = '<b>access denied</b><br />please generate a new password for your account';
         self::$trans["authentication"]["INVALID_LOGIN_MAIL"] = '
 <div>Authentication Failure</div>
 <ol>

client/translations/es/Translations.php

@@ -50,6 +50,7 @@ public function translations(){
         self::$trans["authentication"]["PASSWORD"] = 'Contraseña';
         self::$trans["authentication"]["PRESS_HERE"] = 'clic aquí';
         self::$trans["authentication"]["INVALID_LOGIN"] = 'usuário o contraseña inválidos';
+        self::$trans["authentication"]["NO_PASS"] = '<b>acceso denegado</b><br />por favor genere una nueva contraseña para su cuenta';
         self::$trans["authentication"]["INVALID_LOGIN_MAIL"] = '
 <div>Error en la autenticación</div>
 <ol>

client/translations/pt/Translations.php

@@ -52,6 +52,7 @@ public function translations(){
         self::$trans["authentication"]["PASSWORD"] = 'Senha';
         self::$trans["authentication"]["PRESS_HERE"] = 'clique aqui';
         self::$trans["authentication"]["INVALID_LOGIN"] = 'usuário ou senha inválidos';
+        self::$trans["authentication"]["NO_PASS"] = '<b>acesso negado</b><br />favor gerar uma nova senha para a sua conta';
         self::$trans["authentication"]["INVALID_LOGIN_MAIL"] = '
 <div>Falha de autenticação</div>
 <ol>

client/view.php

@@ -1,5 +1,6 @@
 <?php
 // VIEW controller
+
 session_start();
 
 if ( $_REQUEST["action"] == 'authentication' or $_REQUEST["action"] == 'requestauth' ) {

index.php

@@ -0,0 +1 @@
+<?php header("Location: /client/controller/authentication"); ?>

server/classes/AccountsDBClass.php

@@ -31,13 +31,13 @@ class AccountsDBClass{
     private $_user = BIR_ACCOUNTS_DB_USERNAME;
     private $_password = BIR_ACCOUNTS_DB_PASSWORD;
     private $_db = BIR_ACCOUNTS_DB_DBNAME;
+    private $_port = BIR_ACCOUNTS_DB_PORT;
 
     /**
      * Create the connection with the database.
      */
     public function AccountsDBClass(){
-        $this->_conn = mysqli_connect($this->_host, $this->_user
-            , $this->_password);
+        $this->_conn = mysqli_connect($this->_host, $this->_user, $this->_password, $this->_db, $this->_port);
         if(!$this->_conn){
             throw new AccountsDBClassException('Err:connect:'.mysqli_error($this->_conn));
         }

server/classes/DBClass.php

@@ -31,13 +31,13 @@ class DBClass{
     private $_user = DB_USERNAME;
     private $_password = DB_PASSWORD;
     private $_db = DB_DBNAME;
+    private $_port = DB_PORT;
 
     /**
      * Create the connection with the database.
      */
-    public function DBClass(){
-        $this->_conn = mysqli_connect($this->_host, $this->_user
-            , $this->_password);
+    public function __construct(){
+        $this->_conn = mysqli_connect($this->_host, $this->_user, $this->_password, $this->_db, $this->_port);
         if(!$this->_conn){
             throw new DBClassException('Err:connect:'.mysqli_error($this->_conn));
         }

server/classes/Tools.php

@@ -158,7 +158,8 @@ class Token {
      * @return string
      */
     public static function makeUserTK($userID,$userPass,$userSource){
-        return Crypt::encrypt($userID.CRYPT_SEPARATOR.$userPass.CRYPT_SEPARATOR.$userSource, CRYPT_PUBKEY);
+        $token = Security::encrypt($userID.CRYPT_SEPARATOR.$userPass.CRYPT_SEPARATOR.$userSource);
+        return $token;
     }
 
     /**
@@ -169,7 +170,7 @@ public static function makeUserTK($userID,$userPass,$userSource){
      */
     public static function unmakeUserTK($userTK, $force=null){
         $retValue = false;
-        $tmp1 = explode(CRYPT_SEPARATOR,Crypt::decrypt($userTK, CRYPT_PUBKEY));
+        $tmp1 = explode(CRYPT_SEPARATOR, Security::decrypt($userTK));
         $valid_email = filter_var($tmp1[0], FILTER_VALIDATE_EMAIL);
 
         if($force === true){
@@ -415,6 +416,30 @@ public static function avatar_upload($userID, $file){
 
 }
 
+class Security {
+
+    public static function encrypt($data)
+    {
+        $key        = base64_decode(PRIVATE_KEY);
+        $nonce      = base64_decode(INDEX_KEY);
+        $ciphertext = sodium_crypto_secretbox($data, $nonce, $key);
+        $encoded    = base64_encode($nonce . $ciphertext);
+
+        return $encoded;
+    }
+
+    public static function decrypt($data)
+    {
+        $key        = base64_decode(PRIVATE_KEY);
+        $decoded    = base64_decode($data);
+        $nonce      = mb_substr($decoded, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES, '8bit');
+        $ciphertext = mb_substr($decoded, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES, null, '8bit');
+        $decoded    = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
+
+        return mb_convert_encoding($decoded, 'UTF-8', 'ISO-8859-1');
+    }
+}
+
 /** 
  * Logging class:
  * - contains lfile, lwrite and lclose public methods