
mod_auth_phpbb3/mod_auth_phpbb3.lua @ 665:684cc57a49c1

mod_auth_phpbb3: Optionally allow using PHPBB3 session ID as password ( sql = { sessionid_as_password = true, ... } ).
author Waqas Hussain <waqas20@gmail.com>
date Wed, 16 May 2012 17:34:47 +0500
parent 626:f19f723571d9
child 814:881ec9919144
--- a/mod_auth_phpbb3/mod_auth_phpbb3.lua	Sun May 06 23:27:28 2012 +0200
+++ b/mod_auth_phpbb3/mod_auth_phpbb3.lua	Wed May 16 17:34:47 2012 +0500
@@ -87,6 +87,19 @@
 		end
 	end
 end
+local function check_sessionids(username, session_id)
+	-- TODO add session expiration and auto-login check
+	local stmt, err = getsql("SELECT phpbb_sessions.session_id FROM phpbb_sessions INNER JOIN phpbb_users ON phpbb_users.user_id = phpbb_sessions.session_user_id WHERE phpbb_users.username_clean =?", username);
+	if stmt then
+		for row in stmt:rows(true) do
+			-- if row.session_id == session_id then return true; end
+
+			-- workaround for possible LuaDBI bug
+			-- The session_id returned by the sql statement has an additional zero at the end. But that is not in the database.
+			if row.session_id == session_id or row.session_id == session_id.."0" then return true; end
+		end
+	end
+end
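Review bot: The comparison on the `row.session_id == session_id.."0"` line makes the check weaker than intended: it also accepts a supplied value that is the stored session id with its trailing "0" removed, because the code cannot tell a LuaDBI-padded value from a genuine one ending in "0". Rather than tolerating both shapes in Lua, the equality could be delegated to the database so the driver's string handling is never part of the credential check, e.g. `... WHERE phpbb_users.username_clean = ? AND phpbb_sessions.session_id = ?` with `session_id` passed as a second bound parameter and any returned row meaning success — assuming `getsql` forwards extra arguments as bind values, which this hunk does not show. If the padding behaviour must stay, the workaround comment should state that the accepted forms are exactly the stored value and the stored value plus one trailing "0" so a reader sees the relaxation. `err` from `getsql` is captured but never used, so a failing query silently becomes "no match"; the failure should at least be reported before returning.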
 
 
 local itoa64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
@@ -239,6 +252,14 @@
 			return normalized and provider.test_password(normalized, password) and prepped;
 		end
 		local username = test(authentication) or test(jid_escape(authentication));
+		if not username and params.sessionid_as_password then
+			local function test(authentication)
+				local prepped = nodeprep(authentication);
+				local normalized = jid_unescape(prepped);
+				return normalized and check_sessionids(normalized, password) and prepped;
+			end
+			username = test(authentication) or test(jid_escape(authentication));
+		end
 		if username then
 			self.username = username;
 			return "success";
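Review bot: The inner `local function test(authentication)` redeclares the name already used for the password-based helper two lines above, which is legal but easy to misread; a distinct name such as `test_session` makes the second code path visible. Because both paths fall through to the same `return "success";`, the caller cannot distinguish a login that proved knowledge of the password from one that presented a forum session id, which matters for auditing since the session id is a bearer token with its own lifetime; a one-line comment such as `-- authenticated via phpBB session id, not password` before the assignment, or a log line at that point, would preserve that information. The enclosing function begins and ends outside this hunk.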