From: Moritz Bunkus Date: Mon, 26 Nov 2012 17:41:50 +0000 (+0100) Subject: Automatische Authentifizierung bestehender Sessions über Session-ID + API-Token X-Git-Tag: release-3.0.0beta3~9 X-Git-Url: http://wagnertech.de/git?a=commitdiff_plain;h=6c21fd13caa00ecee7acac38ac6395948dad20a7;p=kivitendo-erp.git Automatische Authentifizierung bestehender Sessions über Session-ID + API-Token Wird für CRM-Menü benötigt. --- diff --git a/SL/Auth.pm b/SL/Auth.pm index 0a87ca00e..e4d487b78 100644 --- a/SL/Auth.pm +++ b/SL/Auth.pm @@ -592,7 +592,17 @@ sub restore_session { $cookie = $sth->fetchrow_hashref; $sth->finish; - if (!$cookie || $cookie->{is_expired} || ($cookie->{ip_address} ne $ENV{REMOTE_ADDR})) { + # The session ID provided is valid in the following cases: + # 1. session ID exists in the database + # 2. hasn't expired yet + # 3. if form field '{AUTH}api_token' is given: form field must equal database column 'auth.session.api_token' for the session ID + # 4. if form field '{AUTH}api_token' is NOT given then: the requestee's IP address must match the stored IP address + $self->{api_token} = $cookie->{api_token} if $cookie; + my $api_token_cookie = $self->get_api_token_cookie; + my $cookie_is_bad = !$cookie || $cookie->{is_expired}; + $cookie_is_bad ||= $api_token_cookie && ($api_token_cookie ne $cookie->{api_token}) if $api_token_cookie; + $cookie_is_bad ||= $cookie->{ip_address} ne $ENV{REMOTE_ADDR} if !$api_token_cookie; + if ($cookie_is_bad) { $self->destroy_session(); $main::lxdebug->leave_sub(); return $cookie ? SESSION_EXPIRED : SESSION_NONE; @@ -791,6 +801,11 @@ sub save_session { do_query($::form, $dbh, qq|INSERT INTO auth.session (id, ip_address, mtime) VALUES (?, ?, now())|, $session_id, $ENV{REMOTE_ADDR}); } + if ($self->{column_information}->has('api_token', 'session')) { + my ($stored_api_token) = $dbh->selectrow_array(qq|SELECT api_token FROM auth.session WHERE id = ?|, undef, $session_id); + do_query($::form, $dbh, qq|UPDATE auth.session SET api_token = ? WHERE id = ?|, $self->_create_session_id, $session_id) unless $stored_api_token; + } + my @values_to_save = grep { $_->{fetched} } values %{ $self->{SESSION} }; if (@values_to_save) { @@ -927,15 +942,25 @@ sub set_cookie_environment_variable { } sub get_session_cookie_name { - my $self = shift; + my ($self, %params) = @_; - return $self->{cookie_name} || 'lx_office_erp_session_id'; + $params{type} ||= 'id'; + my $name = $self->{cookie_name} || 'lx_office_erp_session_id'; + $name .= '_api_token' if $params{type} eq 'api_token'; + + return $name; } sub get_session_id { return $session_id; } +sub get_api_token_cookie { + my ($self) = @_; + + $::request->{cgi}->cookie($self->get_session_cookie_name(type => 'api_token')); +} + sub session_tables_present { $main::lxdebug->enter_sub(); diff --git a/SL/Auth/ColumnInformation.pm b/SL/Auth/ColumnInformation.pm index e053561b4..64b600dd1 100644 --- a/SL/Auth/ColumnInformation.pm +++ b/SL/Auth/ColumnInformation.pm @@ -23,17 +23,21 @@ sub _fetch { return $self if $self->{info}; - my $query = < 0) - AND NOT a.attisdropped - ORDER BY a.attnum + $self->{info} = {}; + + foreach my $table (qw(session session_content)) { + my $query = < 0) + AND NOT a.attisdropped + ORDER BY a.attnum SQL - $self->{info} = { selectall_as_map($::form, $self->{auth}->dbconnect, $query, 'attname', [ qw(format_type adsrc attnotnull) ]) }; + $self->{info}->{$table} = { selectall_as_map($::form, $self->{auth}->dbconnect, $query, 'attname', [ qw(format_type adsrc attnotnull) ]) }; + } return $self; } @@ -44,8 +48,8 @@ sub info { } sub has { - my ($self, $column) = @_; - return $self->info->{$column}; + my ($self, $column, $table) = @_; + return $self->info->{$table || 'session_content'}->{$column}; } 1; diff --git a/SL/Controller/LoginScreen.pm b/SL/Controller/LoginScreen.pm index 89f21ccfa..81ad8dd5c 100644 --- a/SL/Controller/LoginScreen.pm +++ b/SL/Controller/LoginScreen.pm @@ -34,8 +34,9 @@ sub action_logout { sub action_login { my ($self) = @_; - %::myconfig = $::form->{'{AUTH}login'} ? $::auth->read_user(login => $::form->{'{AUTH}login'}) : (); - %::myconfig = SL::Dispatcher::AuthHandler::User->new->handle(countrycode => $::myconfig{countrycode}); + my $login = $::form->{'{AUTH}login'} || $::auth->get_session_value('login'); + %::myconfig = $login ? $::auth->read_user(login => $login) : (); + SL::Dispatcher::AuthHandler::User->new->handle(countrycode => $::myconfig{countrycode}); $::form->{login} = $::myconfig{login}; $::locale = Locale->new($::myconfig{countrycode}) if $::myconfig{countrycode}; my $user = User->new(login => $::myconfig{login}); diff --git a/SL/Dispatcher/AuthHandler/Admin.pm b/SL/Dispatcher/AuthHandler/Admin.pm index cc13b5d08..a7b649cf2 100644 --- a/SL/Dispatcher/AuthHandler/Admin.pm +++ b/SL/Dispatcher/AuthHandler/Admin.pm @@ -8,6 +8,7 @@ use SL::Layout::Dispatcher; sub handle { %::myconfig = (); + return 1 if $::auth->get_api_token_cookie; return 1 if $::form->{'{AUTH}admin_password'} && ($::auth->authenticate_root($::form->{'{AUTH}admin_password'}) == $::auth->OK()); return 1 if !$::form->{'{AUTH}admin_password'} && ($::auth->authenticate_root($::auth->get_session_value('admin_password')) == $::auth->OK()); diff --git a/SL/Dispatcher/AuthHandler/User.pm b/SL/Dispatcher/AuthHandler/User.pm index e1c080e1f..e126d872f 100644 --- a/SL/Dispatcher/AuthHandler/User.pm +++ b/SL/Dispatcher/AuthHandler/User.pm @@ -18,7 +18,8 @@ sub handle { $::locale = Locale->new($::myconfig{countrycode}); $::request->{layout} = SL::Layout::Dispatcher->new(style => $::myconfig{menustyle}); - my $ok = $::form->{'{AUTH}login'} && (SL::Auth::OK() == $::auth->authenticate($::myconfig{login}, $::form->{'{AUTH}password'})); + my $ok = $::auth->get_api_token_cookie ? 1 : 0; + $ok ||= $::form->{'{AUTH}login'} && (SL::Auth::OK() == $::auth->authenticate($::myconfig{login}, $::form->{'{AUTH}password'})); $ok ||= !$::form->{'{AUTH}login'} && (SL::Auth::OK() == $::auth->authenticate($::myconfig{login}, undef)); return $self->_error(%param) if !$ok; diff --git a/sql/Pg-upgrade2-auth/add_api_token.sql b/sql/Pg-upgrade2-auth/add_api_token.sql new file mode 100644 index 000000000..82375f6dc --- /dev/null +++ b/sql/Pg-upgrade2-auth/add_api_token.sql @@ -0,0 +1,5 @@ +-- @tag: add_api_token +-- @description: Feld 'api_token' in 'session' ergänzen +-- @depends: +-- @charset: utf-8 +ALTER TABLE auth.session ADD COLUMN api_token text;