From faa17850e1f28caa4fd3f252b06a7b556eaa653b Mon Sep 17 00:00:00 2001
From: Di Elshin
Date: Wed, 6 May 2020 20:39:03 +0300
Subject: [PATCH 1/5] Send API token via header

Sending an API token via the GET-parameter is not always safe. Need a way to do this safely, for example, through the header. SR: https://developers.webasyst.ru/forum/35999/ispolzovanie-api-s-bezopasnoy-peredachey-tokena/#comment116939
---
 wa-system/api/waAPIController.class.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/wa-system/api/waAPIController.class.php b/wa-system/api/waAPIController.class.php
index 27f20c59c..3ff50d29b 100755
--- a/wa-system/api/waAPIController.class.php
+++ b/wa-system/api/waAPIController.class.php
@@ -142,6 +142,10 @@ protected function execute($app, $method_name)
 protected function checkToken()
 {
 $token = waRequest::request('access_token');
+ if (!$token) {
+ $token = waRequest::server('Authorization');
+ $token = preg_replace('~^(Bearer\s)~ui', '', $token);
+ }
 if ($token) {
 $tokens_model = new waApiTokensModel();
 $data = $tokens_model->getById($token);

From 1a2d01169b3b992dc96c79304ddd1121b3f81b84 Mon Sep 17 00:00:00 2001
From: Dmitry Elshin
Date: Tue, 14 Dec 2021 14:56:21 +0300
Subject: [PATCH 2/5] Calling a custom function to validate the password hash (wa_password_verify)

---
 wa-system/auth/waAuth.class.php | 2 +-
 wa-system/contact/waContact.class.php | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/wa-system/auth/waAuth.class.php b/wa-system/auth/waAuth.class.php
index 02ad97335..b363c63a1 100644
--- a/wa-system/auth/waAuth.class.php
+++ b/wa-system/auth/waAuth.class.php
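Review bot: The added fallback strips a leading `Bearer ` but never verifies the scheme, so an Authorization header carrying `Basic …` or any other value reaches `getById()` verbatim as a candidate token, and `\s` consumes only one whitespace character. Parse rather than strip, e.g. `if (preg_match('~^Bearer\s+(\S+)$~i', (string) $header, $m)) { $token = $m[1]; }`, leaving `$token` empty for anything else. Because the header is consulted only when `access_token` is absent, the query-string path the commit message calls unsafe stays the primary one; consider logging a deprecation or allowing it to be disabled. Whether `waRequest::server('Authorization')` maps to `HTTP_AUTHORIZATION` — which Apache CGI/FastCGI setups drop unless explicitly forwarded — is not visible here and should be confirmed. checkToken() continues past the end of the hunk.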
@@ -699,7 +699,7 @@ protected function isOnetimePasswordMode()
 protected function _authByPassword($contact, $password)
 {
 $contact_password = isset($contact['password']) && is_scalar($contact['password']) ? $contact['password'] : '';
- return strlen($contact_password) > 0 && waContact::getPasswordHash($password) === $contact_password;
+ return strlen($contact_password) > 0 && waContact::verifyPasswordHash($password, $contact_password);
 }
 
 /**
diff --git a/wa-system/contact/waContact.class.php b/wa-system/contact/waContact.class.php
index 6cad6a2cc..a5eaa23f9 100644
--- a/wa-system/contact/waContact.class.php
+++ b/wa-system/contact/waContact.class.php
@@ -1324,6 +1324,25 @@ public static function getPasswordHash($password)
 }
 }
 
+ /**
+ * Verifies the password hash.
+ *
+ * By default, strict comparison is used. If configuration file wa-config/SystemConfig.class.php
+ * contains information about user-defined function wa_password_verify(), then that function is used for hash verification.
+ *
+ * @param string$password
+ * @param string $hash
+ * @return bool
+ */
+ public static function verifyPasswordHash($password, $hash)
+ {
+ if (function_exists('wa_password_verify')) {
+ return (bool) wa_password_verify($password, $hash);
+ } else {
+ return waContact::getPasswordHash($password) === $hash;
+ }
+ }
+
 /**
 * @param int $len
 * @param bool $extended - use extended alphabet or only letters and digits

From 1ef7b4dc93c804b7e301a0ceb9577854ee86b6a0 Mon Sep 17 00:00:00 2001
From: Di Elshin
Date: Thu, 17 Mar 2022 16:57:31 +0300
Subject: [PATCH 3/5] Update waVerificationChannelEmail.class.php

---
 .../verification/classes/waVerificationChannelEmail.class.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/wa-system/verification/classes/waVerificationChannelEmail.class.php b/wa-system/verification/classes/waVerificationChannelEmail.class.php
index e1d5544f1..f09f1a4c3 100644
--- a/wa-system/verification/classes/waVerificationChannelEmail.class.php
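Review bot: In the added `verifyPasswordHash()`, the default branch compares with `===`, which is not constant-time, and the hook branch turns any truthy return from `wa_password_verify()` — an error string, a non-empty array — into a successful verification. Tighten the two returns to `return wa_password_verify($password, $hash) === true;` and `return hash_equals((string) $hash, (string) waContact::getPasswordHash($password));` so the hook must answer with a strict boolean and the fallback does not leak timing. The docblock has a typo (`@param string$password` → `@param string $password`) and should state the hook's contract: it receives the raw input and the stored hash, must return `true` only on a match, and is applied to every secret routed through this method, not only contact passwords. No rehash-on-login is visible here; how new hashes get written when a site installs a `password_hash()`-based hook cannot be seen in this hunk and should be confirmed.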
+++ b/wa-system/verification/classes/waVerificationChannelEmail.class.php
@@ -866,7 +866,7 @@ protected function isSecretEquals($input_secret, $asset_secret, $asset_name)
 if ($asset_name === waVerificationChannelAssetsModel::NAME_PASSWORD_RECOVERY_HASH || $asset_name === waVerificationChannelAssetsModel::NAME_SIGNUP_CONFIRM_HASH) {
 return $input_secret === $asset_secret;
 } else {
- return waContact::getPasswordHash($input_secret) === $asset_secret;
+ return waContact::verifyPasswordHash($input_secret, $asset_secret);
 }
 }

From cf440512316fd38ffd5db612234a506a946259f1 Mon Sep 17 00:00:00 2001
From: Di Elshin
Date: Thu, 17 Mar 2022 16:58:41 +0300
Subject: [PATCH 4/5] Update waVerificationChannelSMS.class.php

---
 .../verification/classes/waVerificationChannelSMS.class.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/wa-system/verification/classes/waVerificationChannelSMS.class.php b/wa-system/verification/classes/waVerificationChannelSMS.class.php
index 7e381220d..39d6aadb3 100644
--- a/wa-system/verification/classes/waVerificationChannelSMS.class.php
+++ b/wa-system/verification/classes/waVerificationChannelSMS.class.php
@@ -185,7 +185,7 @@ protected function isAddressEquals($address1, $address2)
 protected function isSecretEquals($input_secret, $asset_secret, $asset_name)
 {
- return waContact::getPasswordHash($input_secret) === $asset_secret;
+ return waContact::verifyPasswordHash($input_secret, $asset_secret);
 }

From 9999ce95efac0c199f8a1ee8b31fd99f9db641a0 Mon Sep 17 00:00:00 2001
From: Di Elshin
Date: Thu, 17 Mar 2022 17:36:57 +0300
Subject: [PATCH 5/5] Update waVerificationChannelSMS.class.php

---
 .../verification/classes/waVerificationChannelSMS.class.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/wa-system/verification/classes/waVerificationChannelSMS.class.php b/wa-system/verification/classes/waVerificationChannelSMS.class.php
index 39d6aadb3..e82331db4 100644
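Review bot: The replacement line routes email verification secrets through the site-defined `wa_password_verify()` hook, yet those assets are not contact passwords: unless the code that stores them was changed in step (it is outside this diff), they are still produced by `getPasswordHash()`, so a hook written to verify `password_hash()` output would reject every confirmation code. Either keep `getPasswordHash()` for channel secrets or document on the hook that it must accept both hash formats; which is intended cannot be seen here. The recovery/signup branch two lines above still compares an input secret with plain `===`; `return hash_equals((string) $asset_secret, (string) $input_secret);` would make that comparison constant-time as well. The signature of isSecretEquals() lies before the start of the hunk.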
--- a/wa-system/verification/classes/waVerificationChannelSMS.class.php
+++ b/wa-system/verification/classes/waVerificationChannelSMS.class.php
@@ -185,7 +185,7 @@ protected function isAddressEquals($address1, $address2)
 protected function isSecretEquals($input_secret, $asset_secret, $asset_name)
 {
- return waContact::verifyPasswordHash($input_secret, $asset_secret);
+ return waContact::verifyPasswordHash($input_secret, $asset_secret);
 }