Replaced account password verification through "sudo doveadm" with password_verify() call
This commit is contained in:
parent
50f16788f9
commit
1269a40f3f
|
@ -1,5 +1,6 @@
|
||||||
<?php
|
<?php
|
||||||
namespace App;
|
namespace App;
|
||||||
|
use App\User;
|
||||||
|
|
||||||
class DovecotPw
|
class DovecotPw
|
||||||
{
|
{
|
||||||
|
@ -27,32 +28,4 @@ class DovecotPw
|
||||||
return $lines[0];
|
return $lines[0];
|
||||||
}
|
}
|
||||||
|
|
||||||
public static function Validate($user, $password)
|
|
||||||
{
|
|
||||||
$fp = [];
|
|
||||||
$m = static::$method;
|
|
||||||
$r = static::$rounds;
|
|
||||||
$proc = proc_open( "'sudo' '/usr/bin/doveadm' 'auth' 'test' '-x' 'service=imap' '{$user}'",
|
|
||||||
[0 => ["pipe","r"], 1 => ["pipe", "w"], 2 => ["pipe", "w"]],
|
|
||||||
$fp);
|
|
||||||
|
|
||||||
// write password
|
|
||||||
fwrite($fp[0],$password . "\n");
|
|
||||||
|
|
||||||
// retrieve hash
|
|
||||||
$s = fread($fp[1],512);
|
|
||||||
|
|
||||||
// and only return the parts before the first line end
|
|
||||||
$lines = preg_split("/\r\n|\n|\r/", $s);
|
|
||||||
if(preg_match('/(.*)auth succeeded$/',$lines[0]))
|
|
||||||
{
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
}
|
|
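Review bot: The added `use App\User;` in the first hunk imports a class from the namespace this file already declares (`namespace App;`), so the import is redundant, and nothing in the visible part of `DovecotPw` references `User` after `Validate` is removed. If the remainder of the class does not use it either, drop the line; if it does, the class can be referenced as `User` without any import since it lives in the same namespace. The rest of the `DovecotPw` class body lies outside these hunks, so I cannot confirm the usage from here.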
@ -57,13 +57,6 @@ class AccountPwController extends Controller
|
||||||
'newpass' => ['required', 'string',],
|
'newpass' => ['required', 'string',],
|
||||||
]);
|
]);
|
||||||
|
|
||||||
// now validate if proper password credentials were sent
|
|
||||||
$validCredentials = DovecotPw::Validate($validatedData['username'],$validatedData['pass']);
|
|
||||||
if(!$validCredentials)
|
|
||||||
{
|
|
||||||
throw new ErrorException("Username/Password do not match");
|
|
||||||
}
|
|
||||||
|
|
||||||
// split account into user and domain
|
// split account into user and domain
|
||||||
$dparts = explode('@',$validatedData['username'],2);
|
$dparts = explode('@',$validatedData['username'],2);
|
||||||
$username = $dparts[0];
|
$username = $dparts[0];
|
||||||
|
@ -71,9 +64,17 @@ class AccountPwController extends Controller
|
||||||
|
|
||||||
// retrieve proper account
|
// retrieve proper account
|
||||||
$account = Account::where('username',$username)->where('domain', $domain)->firstOr(function(){
|
$account = Account::where('username',$username)->where('domain', $domain)->firstOr(function(){
|
||||||
throw new ErrorException('Account not found');
|
throw new ErrorException("Username not recognized");
|
||||||
});
|
});
|
||||||
|
|
||||||
|
// now validate if proper password credentials were sent
|
||||||
|
$hash = preg_replace("/^\{.*?\}/","",$account->password);
|
||||||
|
$validCredentials = password_verify($validatedData['pass'],$hash);
|
||||||
|
if(!$validCredentials)
|
||||||
|
{
|
||||||
|
throw new ErrorException("Username/Password combination not recognized");
|
||||||
|
}
|
||||||
|
|
||||||
// Check if password meets policy and set if so
|
// Check if password meets policy and set if so
|
||||||
|
|
||||||
if(Entropy::Calculate($validatedData['newpass']) < static::MinimumEntropy) {
|
if(Entropy::Calculate($validatedData['newpass']) < static::MinimumEntropy) {
|
||||||
|
|
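Review bot: The two failure paths in this hunk now disclose whether the username exists: the `firstOr` callback throws `"Username not recognized"` while a wrong password throws `"Username/Password combination not recognized"`, whereas before this commit the credential check ran ahead of the account lookup so both outcomes produced one message. Throw the same message from both places, e.g. `throw new ErrorException("Username/Password combination not recognized");` in the `firstOr` callback, so an unauthenticated caller cannot enumerate accounts through this endpoint. Separately, `preg_replace("/^\{.*?\}/","",$account->password)` discards the Dovecot scheme prefix without inspecting it; `password_verify()` only understands crypt-format hashes, so an account whose stored hash uses any other scheme fails with the same "combination not recognized" error as a wrong password, which will be hard to diagnose. Capture the prefix with `preg_match('/^\{([^}]+)\}/', $account->password, $m)` and treat a scheme that is not crypt-based as an internal configuration error (logged server-side) rather than as bad credentials. The enclosing controller method starts and ends outside this hunk.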