From 37b29231e47a0c4458dc1c15d98588f16f07e1e2 Mon Sep 17 00:00:00 2001
From: Marius Cramer <m.cramer@pixcept.de>
Date: Thu, 06 Aug 2015 03:18:44 -0400
Subject: [PATCH] - don't set password via remoting if field is empty

---
 install/apps/metronome_libs/mod_auth_external/db_auth.php |   58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 58 insertions(+), 0 deletions(-)

diff --git a/install/apps/metronome_libs/mod_auth_external/db_auth.php b/install/apps/metronome_libs/mod_auth_external/db_auth.php
new file mode 100644
index 0000000..3df135b
--- /dev/null
+++ b/install/apps/metronome_libs/mod_auth_external/db_auth.php
@@ -0,0 +1,58 @@
+<?php
+ini_set('display_errors', false);
+require_once('db_conf.inc.php');
+
+try{
+    // Connect database
+    $db = new mysqli($db_host, $db_user, $db_pass, $db_name);
+    result_false(mysqli_connect_errno());
+
+    // Get arguments
+    $arg_email = '';
+    $arg_password = '';
+
+    result_false(count($argv) != 4);
+    $arg_email = $argv[1].'@'.$argv[2];
+    $arg_password = $argv[3];
+
+    // check for existing user
+    $dbmail = $db->real_escape_string($arg_email);
+    $result = $db->query("SELECT jid, password FROM xmpp_user WHERE jid LIKE ? AND active='y' AND server_id=?", $dbmail, $isp_server_id);
+    result_false($result->num_rows != 1);
+
+    $user = $result->fetch_object();
+
+    // check for domain autologin api key
+    $domain_key = 'f47kmm5Yh5hJzSws2KTS';
+
+    checkAuth($argv[1], $argv[2], $arg_password, $user->password, $domain_key);
+}catch(Exception $ex){
+    echo 0;
+    exit();
+}
+
+function result_false($cond = true){
+    if(!$cond) return;
+    echo 0;
+    exit();
+}
+function result_true(){
+    echo 1;
+    exit();
+}
+function checkAuth($user, $domain, $pw_arg, $pw_db, $domain_key){
+    if(crypt($pw_arg, $pw_db) == $pw_db)
+        result_true();
+
+    if($domain_key){
+        $datetime = new DateTime();
+        $datetime->setTimezone(new DateTimeZone("UTC"));
+        for($t = $datetime->getTimestamp(); $t >= $datetime->getTimestamp()-30; $t--){
+            $pw_api = md5($domain.'@'.$domain_key.'@'.$user.'@'.$t);
+            if($pw_api == $pw_arg)
+                result_true();
+        }
+    }
+    result_false();
+}
+?>
\ No newline at end of file
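Review bot: The autologin secret is hard-coded at `$domain_key = 'f47kmm5Yh5hJzSws2KTS';`, so every installation that ships this file shares one key. Because `checkAuth()` accepts `md5($domain.'@'.$domain_key.'@'.$user.'@'.$t)` in place of any user's password, that secret is effectively public. The key should be a per-install random value loaded from `db_conf.inc.php`, with the branch skipped when it is unset, and the token would be better as `hash_hmac('sha256', $domain.'@'.$user.'@'.$t, $domain_key)`, which needs a matching change wherever the token is issued. Both checks compare with `==`, which is not constant-time and lets PHP treat numeric-looking strings as numbers; `hash_equals($pw_db, crypt($pw_arg, $pw_db))` and `hash_equals($pw_api, $pw_arg)` avoid both where PHP 5.6 or later is available. Separately, `mysqli::query()` does not bind `?` placeholders, so the `SELECT` needs `prepare()`/`bind_param()`, and `jid = ?` rather than `LIKE` so that wildcard characters in the supplied name are not interpreted.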

--
Gitblit v1.9.1