Merge pull request #1284 from lightbluetom/general-approach-for-pdo-basic-auth

A more secure and generalized approach for PDO Basic Auth Backend

Author: DeepDiver1975

lib/DAV/Auth/Backend/PDOBasicAuth.php

@@ -0,0 +1,114 @@
+<?php
+
+namespace Sabre\DAV\Auth\Backend;
+
+/**
+ * This is an authentication backend that uses a database to manage passwords.
+ *
+ * @copyright Copyright (C) fruux GmbH (https://fruux.com/)
+ * @license http://sabre.io/license/ Modified BSD License
+ */
+class PDOBasicAuth extends AbstractBasic
+{
+    /**
+     * Reference to PDO connection.
+     *
+     * @var PDO
+     */
+    protected $pdo;
+
+    /**
+     * PDO table name we'll be using.
+     *
+     * @var string
+     */
+    protected $tableName;
+
+    /**
+     * PDO digest column name we'll be using
+     * (i.e. digest, password, password_hash).
+     *
+     * @var string
+     */
+    protected $digestColumn;
+
+    /**
+     * PDO uuid(unique user identifier) column name we'll be using
+     * (i.e. username, email).
+     *
+     * @var string
+     */
+    protected $uuidColumn;
+
+    /**
+     * Digest prefix:
+     * if the backend you are using for is prefixing
+     * your password hashes set this option to your prefix to
+     * cut it off before verfiying.
+     *
+     * @var string
+     */
+    protected $digestPrefix;
+
+    /**
+     * Creates the backend object.
+     *
+     * If the filename argument is passed in, it will parse out the specified file fist.
+     */
+    public function __construct(\PDO $pdo, array $options = [])
+    {
+        $this->pdo = $pdo;
+        if (isset($options['tableName'])) {
+            $this->tableName = $options['tableName'];
+        } else {
+            $this->tableName = 'users';
+        }
+        if (isset($options['digestColumn'])) {
+            $this->digestColumn = $options['digestColumn'];
+        } else {
+            $this->digestColumn = 'digest';
+        }
+        if (isset($options['uuidColumn'])) {
+            $this->uuidColumn = $options['uuidColumn'];
+        } else {
+            $this->uuidColumn = 'username';
+        }
+        if (isset($options['digestPrefix'])) {
+            $this->digestPrefix = $options['digestPrefix'];
+        }
+    }
+
+    /**
+     * Validates a username and password.
+     *
+     * This method should return true or false depending on if login
+     * succeeded.
+     *
+     * @param string $username
+     * @param string $password
+     *
+     * @return bool
+     */
+    public function validateUserPass($username, $password)
+    {
+        $stmt = $this->pdo->prepare('SELECT '.$this->digestColumn.' FROM '.$this->tableName.' WHERE '.$this->uuidColumn.' = ?');
+        $stmt->execute([$username]);
+        $result = $stmt->fetchAll();
+
+        if (!count($result)) {
+            return false;
+        } else {
+            $digest = $result[0][$this->digestColumn];
+
+            if (isset($this->digestPrefix)) {
+                $digest = substr($digest, strlen($this->digestPrefix));
+            }
+
+            if (password_verify($password, $digest)) {
+                return true;
+            }
+
+            return false;
+        }
+    }
+}

tests/Sabre/DAV/Auth/Backend/AbstractPDOBasicAuthTest.php

@@ -0,0 +1,160 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Sabre\DAV\Auth\Backend;
+
+use Sabre\HTTP;
+
+abstract class AbstractPDOBasicAuthTest extends \PHPUnit\Framework\TestCase
+{
+    use \Sabre\DAV\DbTestHelperTrait;
+
+    public function setup(): void
+    {
+        $this->dropTables('users');
+        $this->createSchema('users');
+
+        // The supplied hash is a salted bcrypt hash of the plaintext : 'password'
+        $this->getPDO()->query(
+            "INSERT INTO users (username,digesta1) VALUES ('user','\$2b\$12\$IwetRH4oj6.AWFGGVy8fpet7Pgp1TafspB6iq1/fiLDxfsGZfi2jS')"
+        );
+        $this->getPDO()->query(
+            "INSERT INTO users (username,digesta1) VALUES ('prefix_user','bcrypt\$\$2b\$12\$IwetRH4oj6.AWFGGVy8fpet7Pgp1TafspB6iq1/fiLDxfsGZfi2jS')"
+        );
+    }
+
+    public function testConstruct()
+    {
+        $pdo = $this->getPDO();
+        $backend = new PDOBasicAuth($pdo);
+        $this->assertTrue($backend instanceof PDOBasicAuth);
+    }
+
+    public function testCheckNoHeaders()
+    {
+        $request = new HTTP\Request('GET', '/');
+        $response = new HTTP\Response();
+
+        $options = [
+            'tableName' => 'users',
+            'digestColumn' => 'digesta1',
+            'uuidColumn' => 'username',
+        ];
+        $pdo = $this->getPDO();
+        $backend = new PDOBasicAuth($pdo, $options);
+
+        $this->assertFalse(
+            $backend->check($request, $response)[0]
+        );
+    }
+
+    public function testCheckUnknownUser()
+    {
+        $request = HTTP\Sapi::createFromServerArray([
+            'REQUEST_METHOD' => 'GET',
+            'REQUEST_URI' => '/',
+            'PHP_AUTH_USER' => 'unkown_user',
+            'PHP_AUTH_PW' => 'wrongpassword',
+        ]);
+        $response = new HTTP\Response();
+
+        $options = [
+            'tableName' => 'users',
+            'digestColumn' => 'digesta1',
+            'uuidColumn' => 'username',
+        ];
+        $pdo = $this->getPDO();
+        $backend = new PDOBasicAuth($pdo, $options);
+
+        $this->assertFalse(
+            $backend->check($request, $response)[0]
+        );
+    }
+
+    public function testCheckAuthenticationFailure()
+    {
+        $request = HTTP\Sapi::createFromServerArray([
+            'REQUEST_METHOD' => 'GET',
+            'REQUEST_URI' => '/',
+            'PHP_AUTH_USER' => 'user',
+            'PHP_AUTH_PW' => 'wrongpassword',
+        ]);
+        $response = new HTTP\Response();
+
+        $options = [
+            'tableName' => 'users',
+            'digestColumn' => 'digesta1',
+            'uuidColumn' => 'username',
+        ];
+        $pdo = $this->getPDO();
+        $backend = new PDOBasicAuth($pdo, $options);
+
+        $this->assertFalse(
+            $backend->check($request, $response)[0]
+        );
+    }
+
+    public function testCheckSuccess()
+    {
+        $request = HTTP\Sapi::createFromServerArray([
+            'REQUEST_METHOD' => 'GET',
+            'REQUEST_URI' => '/',
+            'PHP_AUTH_USER' => 'user',
+            'PHP_AUTH_PW' => 'password',
+        ]);
+        $response = new HTTP\Response();
+
+        $options = [
+            'tableName' => 'users',
+            'digestColumn' => 'digesta1',
+            'uuidColumn' => 'username',
+        ];
+        $pdo = $this->getPDO();
+        $backend = new PDOBasicAuth($pdo, $options);
+        $this->assertEquals(
+            [true, 'principals/user'],
+            $backend->check($request, $response)
+        );
+    }
+
+    public function testPrefixSuccess()
+    {
+        $request = HTTP\Sapi::createFromServerArray([
+            'REQUEST_METHOD' => 'GET',
+            'REQUEST_URI' => '/',
+            'PHP_AUTH_USER' => 'prefix_user',
+            'PHP_AUTH_PW' => 'password',
+        ]);
+        $response = new HTTP\Response();
+
+        $options = [
+            'tableName' => 'users',
+            'digestColumn' => 'digesta1',
+            'uuidColumn' => 'username',
+            'digestPrefix' => 'bcrypt$',
+        ];
+        $pdo = $this->getPDO();
+        $backend = new PDOBasicAuth($pdo, $options);
+        $this->assertEquals(
+            [true, 'principals/prefix_user'],
+            $backend->check($request, $response)
+        );
+    }
+
+    public function testRequireAuth()
+    {
+        $request = new HTTP\Request('GET', '/');
+        $response = new HTTP\Response();
+
+        $pdo = $this->getPDO();
+        $backend = new PDOBasicAuth($pdo);
+        $backend->setRealm('writing unittests on a saturday night');
+        $backend->challenge($request, $response);
+
+        $this->assertEquals(
+            'Basic realm="writing unittests on a saturday night", charset="UTF-8"',
+            $response->getHeader('WWW-Authenticate')
+        );
+    }
+}

tests/Sabre/DAV/Auth/Backend/PDOBasicAuthSqliteTest.php

@@ -0,0 +1,10 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Sabre\DAV\Auth\Backend;
+
+class PDOBasicAuthSqliteTest extends AbstractPDOBasicAuthTest
+{
+    public $driver = 'sqlite';
+}