Keine Passwörter mehr in Sessions speichern.

[kivitendo-erp.git] / SL / Auth.pm

diff --git a/SL/Auth.pm b/SL/Auth.pm
index 7df576b1fc5e467eb4e09eb272647ac8bd9263a4..6652aed4b0113cc58527ba2476ec5dde8c7911f1 100644 (file)
--- a/SL/Auth.pm
+++ b/SL/Auth.pm
@@ -23,6 +23,9 @@ use SL::DBUtils;
 
 use strict;
 
+use constant SESSION_KEY_ROOT_AUTH => 'session_auth_status_root';
+use constant SESSION_KEY_USER_AUTH => 'session_auth_status_user';
+
 sub new {
   $main::lxdebug->enter_sub();
 
@@ -146,14 +149,27 @@ sub authenticate_root {
 
   my ($self, $password) = @_;
 
-  $password             = SL::Auth::Password->hash_if_unhashed(login => 'root', password => $password);
+  my $session_root_auth = $self->get_session_value(SESSION_KEY_ROOT_AUTH);
+  if (defined $session_root_auth && $session_root_auth == OK) {
+    $::lxdebug->leave_sub;
+    return OK;
+  }
+
+  if (!defined $password) {
+    $::lxdebug->leave_sub;
+    return ERR_PASSWORD;
+  }
+
+  $password             = SL::Auth::Password->hash(login => 'root', password => $password);
   my $admin_password    = SL::Auth::Password->hash_if_unhashed(login => 'root', password => $self->{admin_password}->());
 
-  $main::lxdebug->leave_sub();
+  my $result = $password eq $admin_password ? OK : ERR_PASSWORD;
+  $self->set_session_value(SESSION_KEY_ROOT_AUTH ,=> $result);
+
+  sleep 5 if $result != OK;
 
-  return OK if $password eq $admin_password;
-  sleep 5;
-  return ERR_PASSWORD;
+  $::lxdebug->leave_sub;
+  return $result;
 }
 
 sub authenticate {
@@ -161,31 +177,24 @@ sub authenticate {
 
   my ($self, $login, $password) = @_;
 
-  $main::lxdebug->leave_sub();
-
-  my $result = $login ? $self->{authenticator}->authenticate($login, $password) : ERR_USER;
-  return OK if $result eq OK;
-  sleep 5;
-  return $result;
-}
-
-sub store_credentials_in_session {
-  my ($self, %params) = @_;
+  my $session_auth = $self->get_session_value(SESSION_KEY_USER_AUTH);
+  if (defined $session_auth && $session_auth == OK) {
+    $::lxdebug->leave_sub;
+    return OK;
+  }
 
-  if (!$self->{authenticator}->requires_cleartext_password) {
-    $params{password} = SL::Auth::Password->hash_if_unhashed(login             => $params{login},
-                                                             password          => $params{password},
-                                                             look_up_algorithm => 1,
-                                                             auth              => $self);
+  if (!defined $password) {
+    $::lxdebug->leave_sub;
+    return ERR_PASSWORD;
   }
 
-  $self->set_session_value(login => $params{login}, password => $params{password});
-}
+  my $result = $login ? $self->{authenticator}->authenticate($login, $password) : ERR_USER;
+  $self->set_session_value(SESSION_KEY_USER_AUTH ,=> $result, login => $login);
 
-sub store_root_credentials_in_session {
-  my ($self, $rpw) = @_;
+  sleep 5 if $result != OK;
 
-  $self->set_session_value(rpw => SL::Auth::Password->hash_if_unhashed(login => 'root', password => $rpw));
+  $::lxdebug->leave_sub;
+  return $result;
 }
 
 sub get_stored_password {
@@ -404,11 +413,6 @@ sub change_password {
 
   my $result = $self->{authenticator}->change_password($login, $new_password);
 
-  $self->store_credentials_in_session(login             => $login,
-                                      password          => $new_password,
-                                      look_up_algorithm => 1,
-                                      auth              => $self);
-
   $main::lxdebug->leave_sub();
 
   return $result;