From cae9fc70fe05515c42dbdda911a0c640182358e7 Mon Sep 17 00:00:00 2001
From: ljacqu <ljacqu@users.noreply.github.com>
Date: Sat, 13 Feb 2016 10:56:15 +0100
Subject: [PATCH] #518 Create injection-safe website integration and demo form

---
 samples/website_integration/form.php        | 52 ++++++++++++++++
 samples/website_integration/integration.php | 67 +++++++++++++++++++++
 2 files changed, 119 insertions(+)
 create mode 100644 samples/website_integration/form.php
 create mode 100644 samples/website_integration/integration.php

diff --git a/samples/website_integration/form.php b/samples/website_integration/form.php
new file mode 100644
index 00000000..120d4287
--- /dev/null
+++ b/samples/website_integration/form.php
@@ -0,0 +1,52 @@
+<!--
+  This is a demo page for AuthMe website integration.
+  See integration.php for the PHP code you need.
+-->
+<!DOCTYPE html>
+<html lang="en">
+ <head>
+   <title>AuthMe Integration Sample</title>
+   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+ </head>
+ <body>
+<?php
+error_reporting(E_ALL);
+
+$user = get_from_post_or_empty('username');
+$pass = get_from_post_or_empty('password');
+
+$was_successful = false;
+if ($user && $pass) {
+	require_once('integration.php');
+	if (authme_check_password($user, $pass)) {
+		printf('<h1>Hello, %s!</h1>', htmlspecialchars($user));
+		echo 'Successful login. Nice to have you back!'
+			. '<br /><a href="form.php">Back to form</a>';
+		$was_successful = true;
+	} else {
+		echo '<h1>Error</h1> Invalid username or password.';
+	}
+}
+
+if (!$was_successful) {
+	echo '<h1>Login sample</h1>
+This is a demo form for AuthMe website integration. Enter your AuthMe login details
+into the following form to test it.
+<form method="post">
+ <table>
+   <tr><td>Name</td><td><input type="text" value="' . htmlspecialchars($user) . '" name="username" /></td></tr>
+   <tr><td>Pass</td><td><input type="password" value="' . htmlspecialchars($pass) . '" name="password" /></td></tr>
+   <tr><td colspan="2"><input type="submit" value=" Log in " />
+ </table>
+</form>';
+}
+
+function get_from_post_or_empty($index_name) {
+	return trim(
+		filter_input(INPUT_POST, $index_name, FILTER_UNSAFE_RAW, FILTER_REQUIRE_SCALAR | FILTER_FLAG_STRIP_LOW)
+		    ?: '');
+}
+?>
+
+ </body>
+</html>
diff --git a/samples/website_integration/integration.php b/samples/website_integration/integration.php
new file mode 100644
index 00000000..56d51d36
--- /dev/null
+++ b/samples/website_integration/integration.php
@@ -0,0 +1,67 @@
+<?php
+/*****************************************************************************
+ * AuthMe website integration logic                                          *
+ * --------------------------------                                          *
+ * Check with authme_check_password() whether the received username and      *
+ * password match the AuthMe MySQL database. Don't forget to adjust the      *
+ * database info in authme_get_hash().                                       *
+ *                                                                           *
+ * Source: https://github.com/AuthMe-Team/AuthMeReloaded/                    *
+ *****************************************************************************/
+
+/**
+ * Entry point function to check supplied credentials against the AuthMe database.
+ *
+ * @param string $username the username
+ * @param string $password the password
+ * @return bool true iff the data is correct, false otherwise
+ */
+function authme_check_password($username, $password) {
+    if (is_scalar($username) && is_scalar($password)) {
+        $hash = authme_get_hash($username);
+        if ($hash) {
+            return authme_check_hash($password, $hash);
+        }
+    }
+    return false;
+}
+
+/**
+ * Retrieves the hash associated with the given user from the database.
+ *
+ * @param string $username the username whose hash should be retrieved
+ * @return string|null the hash, or null if unavailable (e.g. username doesn't exist)
+ */
+function authme_get_hash($username) {
+    // Add here your database host, username, password and database name
+	$mysqli = new mysqli('HOST', 'USER', 'PWD', 'DB');
+	$authme_table = 'authme';
+
+	if (mysqli_connect_error()) {
+	    printf('Could not connect to AuthMe database. Errno: %d, error: "%s"',
+	        mysqli_connect_errno(), mysqli_connect_error());
+	} else {
+        $stmt = $mysqli->prepare("SELECT password FROM $authme_table WHERE username = ?");
+        $stmt->bind_param('s', $username);
+        $stmt->execute();
+        $stmt->bind_result($password);
+        if ($stmt->fetch()) {
+            return $password;
+        }
+	}
+    return null;
+}
+
+/**
+ * Checks the given clear-text password against the hash.
+ *
+ * @param string $password the clear-text password to check
+ * @param string $hash the hash to check the password against
+ * @return bool true iff the password matches the hash, false otherwise
+ */
+function authme_check_hash($password, $hash) {
+    // $SHA$salt$hash, where hash := sha256(sha256(password) . salt)
+    $parts = explode('$', $hash);
+    return count($parts) === 4
+        && $parts[3] === hash('sha256', hash('sha256', $password) . $parts[2]);
+}