authorrobocoder <anthon.pang@gmail.com>2010-08-09 14:25:15 +0400
committerrobocoder <anthon.pang@gmail.com>2010-08-09 14:25:15 +0400
commit207e069a8e911234bafc3d457f5cd6107214835a (patch)
tree2bd8f6010be3810d85ab7385def53c0d9c2fcad9 /plugins/Login
parent0da8fa6a7f4f77412eb0f8cda966914416fad977 (diff)
fixes #1419 - hash token_auth in the login cookie; I'm deferring implementation of the Miller/Jaspan recommendations for the time being (at least until we've looked at #906 OAuth and have a better sense of what needs to be refactored)
git-svn-id: http://dev.piwik.org/svn/trunk@2904 59fd770c-687e-43c8-a1e3-f5a4ff64c105
Diffstat (limited to 'plugins/Login')
-rw-r--r--plugins/Login/Auth.php51
-rw-r--r--plugins/Login/Login.php3
2 files changed, 41 insertions, 13 deletions
diff --git a/plugins/Login/Auth.php b/plugins/Login/Auth.php
index 2917727414..7567404b92 100644
--- a/plugins/Login/Auth.php
+++ b/plugins/Login/Auth.php
@@ -30,26 +30,50 @@ class Piwik_Login_Auth implements Piwik_Auth
$rootPassword = Zend_Registry::get('config')->superuser->password;
$rootToken = Piwik_UsersManager_API::getInstance()->getTokenAuth($rootLogin, $rootPassword);
- if(($this->login == $rootLogin || is_null($this->login))
- && $this->token_auth == $rootToken)
+ if(is_null($this->login))
{
- return new Piwik_Auth_Result(Piwik_Auth_Result::SUCCESS_SUPERUSER_AUTH_CODE, $rootLogin, $rootToken );
- }
+ if($this->token_auth == $rootToken)
+ {
+ return new Piwik_Auth_Result(Piwik_Auth_Result::SUCCESS_SUPERUSER_AUTH_CODE, $rootLogin, $this->token_auth );
+ }
- $login = Piwik_FetchOne(
- 'SELECT login
+ $login = Piwik_FetchOne(
+ 'SELECT login
FROM '.Piwik_Common::prefixTable('user').'
WHERE token_auth = ?',
array($this->token_auth)
- );
- if($login !== false)
- {
- if(is_null($this->login)
- || $this->login == $login)
+ );
+ if(!$login !== false)
{
return new Piwik_Auth_Result(Piwik_Auth_Result::SUCCESS, $login, $this->token_auth );
}
}
+ else if(!empty($this->login))
+ {
+ if($this->login == $rootLogin
+ && ($this->getHashTokenAuth($rootLogin, $rootToken) == $this->token_auth)
+ || $rootToken == $this->token_auth)
+ {
+ $this->setTokenAuth($rootToken);
+ return new Piwik_Auth_Result(Piwik_Auth_Result::SUCCESS_SUPERUSER_AUTH_CODE, $rootLogin, $this->token_auth );
+ }
+
+ $login = $this->login;
+ $userToken = Piwik_FetchOne(
+ 'SELECT token_auth
+ FROM '.Piwik_Common::prefixTable('user').'
+ WHERE login = ?',
+ array($login)
+ );
+ if($userToken !== false
+ && ($this->getHashTokenAuth($login, $userToken) == $this->token_auth)
+ || $userToken == $this->token_auth)
+ {
+ $this->setTokenAuth($userToken);
+ return new Piwik_Auth_Result(Piwik_Auth_Result::SUCCESS, $login, $userToken );
+ }
+ }
+
return new Piwik_Auth_Result( Piwik_Auth_Result::FAILURE, $this->login, $this->token_auth );
}
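Review bot: The null-login branch's test `if(!$login !== false)` is inverted: `!` binds tighter than `!==`, so it parses as `(!$login) !== false` and is true exactly when the SELECT returned no row, returning `SUCCESS` with `$login === false` for an unknown token while rejecting a token that does match a user; it should read `if($login !== false)`. The explicit-login path has a related precedence slip: in `$userToken !== false && (...) || $userToken == $this->token_auth` the `||` arm is still evaluated when no user row was found, and under PHP's loose `==` a `false` fetch result compares equal to an empty or null token_auth, so an unknown login with an empty token would authenticate; group it as `if($userToken !== false && ($this->getHashTokenAuth($login, $userToken) == $this->token_auth || $userToken == $this->token_auth))`. The same `&&`/`||` shape on the superuser check means any non-empty login paired with the raw root token now yields superuser, a widening of the old `$this->login == $rootLogin` requirement that is worth confirming is intended. Throughout, `===` is safer than `==` for these md5 hex strings, since two hashes of the form `0e<digits>` compare equal under `==`. The enclosing authenticate() begins above this hunk.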
@@ -62,4 +86,9 @@ class Piwik_Login_Auth implements Piwik_Auth
{
$this->token_auth = $token_auth;
}
+
+ public function getHashTokenAuth($login, $token_auth)
+ {
+ return md5($login . $token_auth);
+ }
}
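Review bot: `getHashTokenAuth()` is public and feeds the cookie written in Login.php, but it carries no documentation of what the value is for, and since authenticate() in the hunk above accepts this hash in place of the raw token a reader could mistake it for a hardening step. I would add a docblock along the lines of `/** Derives the value stored in the login cookie from login and token_auth. authenticate() treats this hash as equivalent to the raw token, so it only keeps token_auth itself out of the cookie; it does not make a stolen cookie less useful. */`. A separator between the two inputs, e.g. `md5($login . ':' . $token_auth)`, would also remove any ambiguity in the concatenation, though if token_auth is fixed-length (not visible here) that is presumably only cosmetic.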
diff --git a/plugins/Login/Login.php b/plugins/Login/Login.php
index f49965e639..fac3dadc30 100644
--- a/plugins/Login/Login.php
+++ b/plugins/Login/Login.php
@@ -93,7 +93,6 @@ class Piwik_Login extends Piwik_Plugin
$auth = Zend_Registry::get('auth');
$auth->setLogin($login);
$auth->setTokenAuth($tokenAuth);
-
$authResult = $auth->authenticate();
if(!$authResult->isValid())
{
@@ -108,7 +107,7 @@ class Piwik_Login extends Piwik_Plugin
$authCookiePath = Zend_Registry::get('config')->General->login_cookie_path;
$cookie = new Piwik_Cookie($authCookieName, $authCookieExpiry, $authCookiePath);
$cookie->set('login', $login);
- $cookie->set('token_auth', $authResult->getTokenAuth());
+ $cookie->set('token_auth', $auth->getHashTokenAuth($login, $authResult->getTokenAuth()));
$cookie->save();
Zend_Session::regenerateId();