
author྅༻ Ǭɀħ ༄༆ཉ <ozh@ozh.org>2020-04-12 19:52:35 +0300
committerGitHub <noreply@github.com>2020-04-12 19:52:35 +0300
commit7c0a750b1ad49c7ae60f3a37c068ec5dd7dcde3f (patch)
tree034336dc0a0246e75fe58375295de6018ad3af76 /tests
parent476ea070a79fe2528087d4fd38d153f5b24f8b72 (diff)
Accept timestamped signature with arbitrary hash (#2644)
* Allow arbitrary hashed signatures * Force timestamps to int * Improve comment * Test new feature and add more tests
Diffstat (limited to 'tests')
-rw-r--r--tests/tests/auth/login_cookie.php78
-rw-r--r--tests/tests/auth/nonces.php78
-rw-r--r--tests/tests/auth/signatures.php59
3 files changed, 211 insertions, 4 deletions
diff --git a/tests/tests/auth/login_cookie.php b/tests/tests/auth/login_cookie.php
new file mode 100644
index 00000000..e26463ef
--- /dev/null
+++ b/tests/tests/auth/login_cookie.php
@@ -0,0 +1,78 @@
+<?php
+/**
+ * Login tests - via Cookies
+ *
+ * @group auth
+ * @group login
+ * @group cookies
+ * @since 0.1
+ */
+class Auth_Login_Cookie_Tests extends PHPUnit_Framework_TestCase {
+
+ protected $cookie;
+ protected $request;
+
+ protected function setUp() {
+ $this->cookie = $_COOKIE;
+ $this->request = $_REQUEST;
+ }
+
+ protected function tearDown() {
+ $_COOKIE = $this->cookie;
+ $_REQUEST = $this->request;
+ }
+
+ public static function setUpBeforeClass() {
+ yourls_add_filter( 'is_API', 'yourls_return_false' );
+ }
+
+ public static function tearDownAfterClass() {
+ yourls_remove_filter( 'is_API', 'yourls_return_false' );
+ }
+
+ /**
+ * Check for valid cookie name
+ */
+ public function test_cookie_name() {
+ $this->assertTrue( is_string(yourls_cookie_name()) );
+ }
+
+ /**
+ * Check for valid cookie value
+ */
+ public function test_cookie_value() {
+ $this->assertTrue( is_string(yourls_cookie_value(rand_str())) );
+ }
+
+ /**
+ * Check for valid cookie life
+ */
+ public function test_cookie_life() {
+ $this->assertTrue( is_int(yourls_get_cookie_life()) );
+ }
+
+ /**
+ * Test login with valid cookie
+ */
+ public function test_login_valid_cookie() {
+ global $yourls_user_passwords;
+ $random_user = array_rand($yourls_user_passwords);
+ $_COOKIE[yourls_cookie_name()] = yourls_cookie_value( $random_user );
+ unset($_REQUEST);
+
+ $this->assertTrue(yourls_check_auth_cookie());
+ $this->assertTrue(yourls_is_valid_user());
+ }
+
+ /**
+ * Test login with invalid cookie
+ */
+ public function test_login_invalid_cookie() {
+ $_COOKIE[yourls_cookie_name()] = yourls_cookie_value( rand_str() );
+ unset($_REQUEST);
+
+ $this->assertFalse(yourls_check_auth_cookie());
+ $this->assertNotTrue(yourls_is_valid_user());
+ }
+
+}
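Review bot: `test_login_invalid_cookie` only exercises a cookie built for an unknown user; nothing in this file shows that a cookie for a real user whose value has been altered is rejected, which is the tampering case a signed login cookie exists to catch. Add a case alongside the valid-cookie test, e.g. `$_COOKIE[yourls_cookie_name()] = yourls_cookie_value($random_user) . 'x';` followed by `$this->assertFalse(yourls_check_auth_cookie());` and `$this->assertNotTrue(yourls_is_valid_user());`, which also catches a loose or prefix comparison in the checker. The valid cookie is built from the user name alone, so any secret presumably enters inside `yourls_cookie_value()` (not in this diff); worth confirming the value is keyed on a site secret and compared with `hash_equals()` rather than being a hash of the user name only.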
diff --git a/tests/tests/auth/nonces.php b/tests/tests/auth/nonces.php
new file mode 100644
index 00000000..96456d4a
--- /dev/null
+++ b/tests/tests/auth/nonces.php
@@ -0,0 +1,78 @@
+<?php
+/**
+ * Nonce tests
+ *
+ * @group auth
+ * @group nonces
+ * @since 0.1
+ */
+class Auth_Nonce_Tests extends PHPUnit_Framework_TestCase {
+
+ protected function tearDown() {
+ yourls_remove_all_actions('pre_yourls_die');
+ }
+
+ /**
+ * Check for valid nonce life
+ */
+ public function test_nonce_life() {
+ $this->assertTrue( is_int(yourls_get_cookie_life()) );
+ }
+
+ /**
+ * Check for valid tick
+ */
+ public function test_tick() {
+ $this->assertTrue( is_float(yourls_tick()) );
+ }
+
+ /**
+ * Check nonce creation
+ */
+ public function test_create_nonce() {
+ $this->assertTrue( is_string(yourls_create_nonce(rand_str(), rand_str())) );
+ }
+
+ /**
+ * Check nonce field creation
+ */
+ public function test_create_nonce_field() {
+ $field = yourls_nonce_field( rand_str(), rand_str(), rand_str(), false );
+ $this->assertTrue( is_string($field) );
+ }
+
+ /**
+ * Check nonce URL creation
+ */
+ public function test_create_nonce_url() {
+ $url = yourls_nonce_url( rand_str(), rand_str(), rand_str(), rand_str() );
+ $this->assertTrue( is_string($url) );
+ // $this->assertIsString($url);
+ }
+
+ /**
+ * Test valid nonce
+ */
+ public function test_valid_nonce() {
+ $action = rand_str();
+ $user = rand_str();
+
+ // what nonce should be
+ $valid = yourls_create_nonce( $action, $user );
+
+ $this->assertTrue(yourls_verify_nonce($action, $valid, $user));
+ }
+
+ /**
+ * Test invalid nonce
+ * @expectedException Exception
+ */
+ public function test_invalid_nonce() {
+ // intercept yourls_die() before it actually dies
+ yourls_add_action( 'pre_yourls_die', function() { throw new Exception( 'I have died' ); } );
+
+ // This should trigger yourls_die()
+ $this->assertTrue(yourls_verify_nonce(rand_str(), rand_str(), rand_str()));
+ }
+
+}
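Review bot: `test_invalid_nonce` verifies a nonce whose action, value and user are all random, so it does not demonstrate that a nonce issued for one action or user is refused for another, which is the property the CSRF nonces rely on. Add cases that reuse a real nonce, e.g. `$valid = yourls_create_nonce($action, $user);` then `yourls_verify_nonce(rand_str(), $valid, $user)` and `yourls_verify_nonce($action, $valid, rand_str())`, each expected to reach the `pre_yourls_die` hook (one per test method, since the first throw ends the method). `@expectedException Exception` is satisfied by any exception, so an unrelated error in `yourls_verify_nonce()` would also pass; adding `@expectedExceptionMessage I have died` ties the pass to the hook actually firing. `test_nonce_life` calls `yourls_get_cookie_life()` despite its name; if the codebase exposes a nonce-life accessor (`YOURLS_NONCE_LIFE` is used elsewhere in this diff), the test presumably meant to call that instead.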
diff --git a/tests/tests/auth/signatures.php b/tests/tests/auth/signatures.php
index 94dae481..caa8b595 100644
--- a/tests/tests/auth/signatures.php
+++ b/tests/tests/auth/signatures.php
@@ -9,7 +9,7 @@
class Auth_Sig_Tests extends PHPUnit_Framework_TestCase {
protected $backup_request;
-
+
protected function setUp() {
$this->backup_request = $_REQUEST;
}
@@ -17,7 +17,7 @@ class Auth_Sig_Tests extends PHPUnit_Framework_TestCase {
protected function tearDown() {
$_REQUEST = $this->backup_request;
}
-
+
/**
* Check that empty signature isn't valid
*
@@ -59,7 +59,58 @@ class Auth_Sig_Tests extends PHPUnit_Framework_TestCase {
$_REQUEST['timestamp'] = rand_str();
$this->assertFalse( yourls_check_signature_timestamp() );
}
-
+
+ /**
+ * Check that valid md5 timestamped sig is valid
+ *
+ * @since 0.1
+ */
+ public function test_signature_timestamp_md5() {
+ $timestamp = time();
+ $_REQUEST['timestamp'] = $timestamp;
+
+ global $yourls_user_passwords;
+ $random_user = array_rand($yourls_user_passwords);
+ $signature = yourls_auth_signature($random_user);
+
+ $md5 = md5( $timestamp . $signature );
+ $_REQUEST['signature'] = $md5;
+ $this->assertTrue( yourls_check_signature_timestamp() );
+
+ $md5 = md5( $signature . $timestamp );
+ $_REQUEST['signature'] = $md5;
+ $this->assertTrue( yourls_check_signature_timestamp() );
+ }
+
+ /**
+ * Check that valid hashed timestamped sig is valid
+ *
+ * @since 0.1
+ */
+ public function test_signature_timestamp_hash() {
+ $timestamp = time();
+ $_REQUEST['timestamp'] = $timestamp;
+
+ global $yourls_user_passwords;
+ $random_user = array_rand($yourls_user_passwords);
+ $signature = yourls_auth_signature($random_user);
+
+ $algos = hash_algos();
+ $random_algo = $algos[array_rand($algos)];
+ $_REQUEST['hash'] = $random_algo;
+
+ $hash = hash($random_algo, $timestamp . $signature );
+ $_REQUEST['signature'] = $hash;
+ $this->assertTrue( yourls_check_signature_timestamp() );
+
+ $hash = hash($random_algo, $signature . $timestamp );
+ $_REQUEST['signature'] = $hash;
+ $this->assertTrue( yourls_check_signature_timestamp() );
+
+ $_REQUEST['hash'] = rand_str();
+ $this->assertFalse( yourls_check_signature_timestamp() );
+ }
+
/**
* Provide valid and invalid timestamps as compared to current time and nonce life
*/
@@ -69,7 +120,7 @@ class Auth_Sig_Tests extends PHPUnit_Framework_TestCase {
$little_in_the_past = $now - ( YOURLS_NONCE_LIFE / 2 );
$far_in_the_future = $now + ( YOURLS_NONCE_LIFE * 2 );
$far_in_the_past = $now - ( YOURLS_NONCE_LIFE * 2 );
-
+
return array(
array( 0, false ),
array( $now, true ),