summaryrefslogtreecommitdiffstats
path: root/Bugzilla/Auth/Login/Cookie.pm
blob: 29e2310a0a0a73137579dce74de691eb68ca405f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# This Source Code Form is "Incompatible With Secondary Licenses", as
# defined by the Mozilla Public License, v. 2.0.

package Bugzilla::Auth::Login::Cookie;

use 5.10.1;
use strict;

use base qw(Bugzilla::Auth::Login);
use fields qw(_login_token);

use Bugzilla::Constants;
use Bugzilla::Util;
use Bugzilla::Error;

use List::Util qw(first);

use constant requires_persistence  => 0;
use constant requires_verification => 0;
use constant can_login => 0;

sub is_automatic { return $_[0]->login_token ? 0 : 1; }

# Note that Cookie never consults the Verifier, it always assumes
# it has a valid DB account or it fails.
sub get_login_info {
    my ($self) = @_;
    my $cgi = Bugzilla->cgi;
    my $dbh = Bugzilla->dbh;
    my ($user_id, $login_cookie);

    if (!Bugzilla->request_cache->{auth_no_automatic_login}) {
        $login_cookie = $cgi->cookie("Bugzilla_logincookie");
        $user_id      = $cgi->cookie("Bugzilla_login");

        # If cookies cannot be found, this could mean that they haven't
        # been made available yet. In this case, look at Bugzilla_cookie_list.
        unless ($login_cookie) {
            my $cookie = first {$_->name eq 'Bugzilla_logincookie'}
                                @{$cgi->{'Bugzilla_cookie_list'}};
            $login_cookie = $cookie->value if $cookie;
        }
        unless ($user_id) {
            my $cookie = first {$_->name eq 'Bugzilla_login'}
                                @{$cgi->{'Bugzilla_cookie_list'}};
            $user_id = $cookie->value if $cookie;
        }
    }

    # If no cookies were provided, we also look for a login token
    # passed in the parameters of a webservice
    my $token = $self->login_token;
    if ($token && (!$login_cookie || !$user_id)) {
        ($user_id, $login_cookie) = ($token->{'user_id'}, $token->{'login_token'});
    }

    my $ip_addr = remote_ip();

    if ($login_cookie && $user_id) {
        # Anything goes for these params - they're just strings which
        # we're going to verify against the db
        trick_taint($ip_addr);
        trick_taint($login_cookie);
        detaint_natural($user_id);

        my $db_cookie =
          $dbh->selectrow_array('SELECT cookie
                                   FROM logincookies
                                  WHERE cookie = ?
                                        AND userid = ?
                                        AND (ipaddr = ? OR ipaddr IS NULL)',
                                 undef, ($login_cookie, $user_id, $ip_addr));

        # If the cookie or token is valid, return a valid username.
        # If they were not valid and we are using a webservice, then
        # throw an error notifying the client.
        if (defined $db_cookie && $login_cookie eq $db_cookie) {
            # If we logged in successfully, then update the lastused 
            # time on the login cookie
            $dbh->do("UPDATE logincookies SET lastused = NOW() 
                       WHERE cookie = ?", undef, $login_cookie);
            return { user_id => $user_id };
        }
        elsif (i_am_webservice()) {
            ThrowUserError('invalid_cookies_or_token');
        }
    }

    # Either the cookie or token is invalid and we are not authenticating
    # via a webservice, or we did not receive a cookie or token. We don't
    # want to ever return AUTH_LOGINFAILED, because we don't want Bugzilla to
    # actually throw an error when it gets a bad cookie or token. It should just
    # look like there was no cookie or token to begin with.
    return { failure => AUTH_NODATA };
}

sub login_token {
    my ($self) = @_;
    my $input      = Bugzilla->input_params;
    my $usage_mode = Bugzilla->usage_mode;

    return $self->{'_login_token'} if exists $self->{'_login_token'};

    if (!i_am_webservice()) {
        return $self->{'_login_token'} = undef;
    }

    # Check if a token was passed in via requests for WebServices
    my $token = trim(delete $input->{'Bugzilla_token'});
    return $self->{'_login_token'} = undef if !$token;

    my ($user_id, $login_token) = split('-', $token, 2);
    if (!detaint_natural($user_id) || !$login_token) {
        return $self->{'_login_token'} = undef;
    }

    return $self->{'_login_token'} = {
        user_id     => $user_id,
        login_token => $login_token
    };
}

1;