ivo/ponzi
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactoring routing and comments.

Browse Source
This commit is contained in:
Taylor Otwell
2011-10-15 14:04:11 -05:00
parent a44ca9d53b
commit a6eaa06981
20 changed files with 368 additions and 265 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
laravel/security/auth.php
View File

@@ -43,7 +43,7 @@ class Auth {
* Get the current user of the application.
*
* This method will call the "user" closure in the authentication configuration file.
* If the user is not authenticated, null will be returned.
* If the user is not authenticated, null will be returned by the methd.
*
* If no user exists in the session, the method will check for a "remember me"
* cookie and attempt to login the user based on the value of that cookie.
@@ -75,6 +75,10 @@ class Auth {
/**
* Attempt to login a user based on a long-lived "remember me" cookie.
*
* We should be able to trust the cookie is valid, since all cookies
* set by Laravel include a fingerprint hash. So, the cookie should
* be safe to use within this method.
*
* @param string $cookie
* @return mixed
*/
@@ -82,14 +86,7 @@ class Auth {
{
$cookie = explode('|', Crypter::decrypt($cookie));
// If there are not at least two elements in the array, the decrypted value
// is not valid and we wil just bail out of the method since the cookie may
// have been tampered with and should not be considered trustworthy.
if (count($cookie) < 2) return;
list($id, $username, $config) = array($cookie[0], $cookie[1], Config::get('auth'));
if ( ! is_null($user = call_user_func($config['user'], $id)) and $user->{$config['username']} === $username)
if ( ! is_null($user = call_user_func(Config::get('auth.user'), $cookie[0])))
{
static::login($user);
@@ -100,14 +97,12 @@ class Auth {
/**
* Attempt to log a user into the application.
*
* If the given credentials are valid, the user will be logged into
* the application and their user ID will be stored in the session
* via the "login" method.
* If the credentials are valid, the user will be logged into the application
* and their user ID will be stored in the session via the "login" method.
*
* The user may also be "remembered". When this option is set, the user
* will be automatically logged into the application for one year via
* an encrypted cookie containing their ID. Of course, if the user logs
* out of the application, they will no longer be remembered.
* The user may also be "remembered", which will keep the user logged into the
* application for one year or until they logout. The user is rememberd via
* an encrypted cookie.
*
* @param string $username
* @param string $password
@@ -139,7 +134,7 @@ class Auth {
{
static::$user = $user;
if ($remember) static::remember($user->id, $user->{Config::get('auth.username')});
if ($remember) static::remember($user->id);
Session::put(Auth::user_key, $user->id);
}
@@ -148,17 +143,16 @@ class Auth {
* Set a cookie so that users are "remembered" and don't need to login.
*
* @param string $id
* @param string $username
* @return void
*/
protected static function remember($id, $username)
protected static function remember($id)
{
$cookie = Crypter::encrypt($id.'|'.$username.'|'.Str::random(40));
$cookie = Crypter::encrypt($id.'|'.Str::random(40));
// This method assumes the "remember me" cookie should have the
// same configuration as the session cookie. Since this cookie,
// like the session cookie, should be kept very secure, it's
// probably safe to assume the settings are the same.
// This method assumes the "remember me" cookie should have the same
// configuration as the session cookie. Since this cookie, like the
// session cookie, should be kept very secure, it's probably safe
// to assume the settings are the same.
$config = Config::get('session');
Cookie::forever(Auth::remember_key, $cookie, $config['path'], $config['domain'], $config['secure']);
@@ -167,9 +161,9 @@ class Auth {
/**
* Log the current user out of the application.
*
* The "logout" closure in the authenciation configuration file
* will be called. All authentication cookies will be deleted
* and the user ID will be removed from the session.
* The "logout" closure in the authenciation configuration file will be
* called. All authentication cookies will be deleted and the user ID
* will be removed from the session.
*
* @return void
*/

15
laravel/security/crypter.php
View File

@@ -1,6 +1,6 @@
<?php namespace Laravel\Security; use Laravel\Config;
if (trim(Config::get('application.key')) === '')
if (trim(Config::$items['application']['key']) === '')
{
throw new \Exception('The encryption class may not be used without an application key.');
}
@@ -24,9 +24,8 @@ class Crypter {
/**
* Encrypt a string using Mcrypt.
*
* The string will be encrypted using the cipher and mode specified
* when the crypter instance was created, and the final result will
* be base64 encoded.
* The string will be encrypted using the cipher and mode specified when the
* crypter instance was created, and the final result will be base64 encoded.
*
* <code>
* // Encrypt a string using the Mcrypt PHP extension
@@ -55,7 +54,9 @@ class Crypter {
$iv = mcrypt_create_iv(static::iv_size(), $randomizer);
return base64_encode($iv.mcrypt_encrypt(static::$cipher, Config::get('application.key'), $value, static::$mode, $iv));
$key = Config::$items['application']['key'];
return base64_encode($iv.mcrypt_encrypt(static::$cipher, $key, $value, static::$mode, $iv));
}
/**
@@ -85,7 +86,9 @@ class Crypter {
$value = substr($value, static::iv_size());
return rtrim(mcrypt_decrypt(static::$cipher, Config::get('application.key'), $value, static::$mode, $iv), "\0");
$key = Config::$items['application']['key'];
return rtrim(mcrypt_decrypt(static::$cipher, $key, $value, static::$mode, $iv), "\0");
}
/**

17
laravel/security/hasher.php
View File

@@ -5,10 +5,11 @@ class Hasher {
/**
* Hash a password using the Bcrypt hashing scheme.
*
* Bcrypt provides a future-proof hashing algorithm by allowing the number
* of "rounds" to be increased, thus increasing the time is takes to generate
* the hashed value. The longer is takes to generate the hash, the more
* impractical a rainbow table attack against the hashes becomes.
* Bcrypt provides a future-proof hashing algorithm by allowing the
* number of "rounds" to be increased, thus increasing the time it
* takes to generate the hashed value. The longer it takes takes
* to generate the hash, the more impractical a rainbow table
* attack against the hashes becomes.
*
* <code>
* // Create a Bcrypt hash of a value
@@ -42,14 +43,14 @@ class Hasher {
/**
* Get a salt for use during Bcrypt hashing.
*
* Bcrypt expects salts to be 22 alpha-numeric characters including
* dots and forward slashes. OpenSSL will be used if available and
* the Str::random method will be used if it isn't.
*
* @return string
*/
protected static function salt()
{
// If OpenSSL is installed, we will use it to gather random bytes for generating
// the salt value. Otherwise, we will use the Str::random method. Bcrypt expects
// the salt to be a 22 character alpha-numeric string. The salt may also contain
// dots, plus signs, and forward slashes.
if (function_exists('openssl_random_pseudo_bytes'))
{
return substr(strtr(base64_encode(openssl_random_pseudo_bytes(16)), '+', '.'), 0 , 22);