web/app/lib/App/Core/User.php

<?php

namespace App\Core;

use \Exception;
use \PDO;

/**
 * Represents the current user session
 */
class User 
{
    private const    SESSION_KEY = 'UserClass';
    private Session  $session;
    private Database $database;

    // always initialized
    public bool    $logged_in;

    // initialized only if logged in 
    public string  $username;
    public string  $password;
    public int     $power_level;

    public function __construct(Session $session, Database $database)
    {
        $this->session  = $session;
        $this->database = $database;

        $user = $this->session->get(self::SESSION_KEY);

        // check if user session has been set
        if (!$user)
        {
            $this->logged_in = FALSE;
            return;
        }

        // check if username and password match
        if (!$this->authenticate($user['username'], $user['password']))
        {
            $this->logged_in = FALSE;
            $this->logout();
            $this->session->flash('Kontodetaljer er blitt endret, vennligst logg inn igjen', 'warning');
            return;
        }

        // all is good, we should be logged in now! (hopefully)
        $this->logged_in   = TRUE;
        $this->username    = $user['username'];
        $this->password    = $user['password'];
        $this->power_level = $this->getPowerLevel();
    }

    /**
     * Get current user power level
     */
    private function getPowerLevel(): int
    {
        if (!$this->logged_in)
        {
            throw new Exception("Can't get power level without being logged in!");
        }
        $sth = $this->database->conn->prepare(
            'SELECT Nivå FROM brukertabell WHERE Navn = ? AND Passord = ?'
        );
        $sth->execute([$this->username, $this->password]);
        $row = $sth->fetch(PDO::FETCH_ASSOC);
        return $row['Nivå'];
    }

    /**
     * Set session if username and password match
     */
    public function login(string $username, string $password): bool
    {
        if ($this->authenticate($username, $password))
        {
            $this->session->set(self::SESSION_KEY, [
                'username' => $username,
                'password' => $password
            ]);
            return TRUE;
        }
        return FALSE;
    }

    /**
     * Check if username and password match database
     */
    private function authenticate(string $username, string $password): bool
    {
        $sth = $this->database->conn->prepare(
            'SELECT * FROM brukertabell WHERE Navn = ? AND Passord = ?'
        );
        $sth->execute([$username, $password]);
        if ($sth->rowCount())
        {
            return TRUE;
        }
        return FALSE;
    }

    public function logout(): void
    {
        $this->session->remove(self::SESSION_KEY);
    }
}
Big fat commit 2022-01-23 21:56:36 +00:00			`<?php`

Big fat commit. Now with namespaces! 2022-03-02 06:15:12 +00:00			`namespace App\Core;`

			`use \Exception;`
			`use \PDO;`

			`/**`
			`* Represents the current user session`
			`*/`
Works for now... 2022-01-25 16:50:32 +00:00			`class User`
Big fat commit 2022-01-23 21:56:36 +00:00			`{`
Commit 2022-02-28 03:14:53 +00:00			`private const SESSION_KEY = 'UserClass';`
Commit 2022-02-23 15:45:12 +00:00			`private Session $session;`
Commit 2022-02-02 11:47:06 +00:00			`private Database $database;`
Big fat commit 2022-01-23 21:56:36 +00:00
Commit 2022-03-03 04:11:14 +00:00			`// always initialized`
Housekeeping 2022-04-14 20:59:42 +00:00			`public bool $logged_in;`
Fix some vulns in User.php 2022-02-27 08:05:48 +00:00
Commit 2022-03-03 04:11:14 +00:00			`// initialized only if logged in`
Fix some vulns in User.php 2022-02-27 08:05:48 +00:00			`public string $username;`
Commit 2022-02-23 15:45:12 +00:00			`public string $password;`
Housekeeping 2022-04-14 20:59:42 +00:00			`public int $power_level;`
Big fat commit 2022-01-23 21:56:36 +00:00
Commit 2022-02-02 11:47:06 +00:00			`public function __construct(Session $session, Database $database)`
Big fat commit 2022-01-23 21:56:36 +00:00			`{`
Commit 2022-02-23 15:45:12 +00:00			`$this->session = $session;`
Commit 2022-02-02 11:47:06 +00:00			`$this->database = $database;`
Big fat commit 2022-01-23 21:56:36 +00:00
Commit 2022-02-28 03:14:53 +00:00			`$user = $this->session->get(self::SESSION_KEY);`
Fix some vulns in User.php 2022-02-27 08:05:48 +00:00
Commit 2022-03-03 04:11:14 +00:00			`// check if user session has been set`
Fix some vulns in User.php 2022-02-27 08:05:48 +00:00			`if (!$user)`
Commit 2022-02-23 15:45:12 +00:00			`{`
Housekeeping 2022-04-14 20:59:42 +00:00			`$this->logged_in = FALSE;`
Fix some vulns in User.php 2022-02-27 08:05:48 +00:00			`return;`
Commit 2022-02-23 15:45:12 +00:00			`}`
Works for now... 2022-01-25 16:50:32 +00:00
Commit 2022-03-03 04:11:14 +00:00			`// check if username and password match`
Fix some vulns in User.php 2022-02-27 08:05:48 +00:00			`if (!$this->authenticate($user['username'], $user['password']))`
Commit 2022-01-26 19:28:00 +00:00			`{`
Housekeeping 2022-04-14 20:59:42 +00:00			`$this->logged_in = FALSE;`
Commit 2022-01-26 19:28:00 +00:00			`$this->logout();`
Fix some vulns in User.php 2022-02-27 08:05:48 +00:00			`$this->session->flash('Kontodetaljer er blitt endret, vennligst logg inn igjen', 'warning');`
			`return;`
Works for now... 2022-01-25 16:50:32 +00:00			`}`
Commit 2022-02-02 11:47:06 +00:00
Commit 2022-03-03 04:11:14 +00:00			`// all is good, we should be logged in now! (hopefully)`
Housekeeping 2022-04-14 20:59:42 +00:00			`$this->logged_in = TRUE;`
			`$this->username = $user['username'];`
			`$this->password = $user['password'];`
			`$this->power_level = $this->getPowerLevel();`
Commit 2022-02-28 03:14:53 +00:00			`}`
Commit 2022-02-02 11:47:06 +00:00
Commit 2022-03-03 04:11:14 +00:00			`/**`
			`* Get current user power level`
			`*/`
Commit 2022-02-28 03:14:53 +00:00			`private function getPowerLevel(): int`
			`{`
Housekeeping 2022-04-14 20:59:42 +00:00			`if (!$this->logged_in)`
Commit 2022-02-28 03:14:53 +00:00			`{`
			`throw new Exception("Can't get power level without being logged in!");`
			`}`
Fix some vulns in User.php 2022-02-27 08:05:48 +00:00			`$sth = $this->database->conn->prepare(`
Commit 2022-02-28 03:14:53 +00:00			`'SELECT Nivå FROM brukertabell WHERE Navn = ? AND Passord = ?'`
Fix some vulns in User.php 2022-02-27 08:05:48 +00:00			`);`
			`$sth->execute([$this->username, $this->password]);`
			`$row = $sth->fetch(PDO::FETCH_ASSOC);`
Commit 2022-02-28 03:14:53 +00:00			`return $row['Nivå'];`
Commit 2022-02-23 15:45:12 +00:00			`}`
Works for now... 2022-01-25 16:50:32 +00:00
Commit 2022-03-03 04:11:14 +00:00			`/**`
			`* Set session if username and password match`
			`*/`
Big fat commit 2022-01-23 21:56:36 +00:00			`public function login(string $username, string $password): bool`
			`{`
Works for now... 2022-01-25 16:50:32 +00:00			`if ($this->authenticate($username, $password))`
Big fat commit 2022-01-23 21:56:36 +00:00			`{`
Commit 2022-02-28 03:14:53 +00:00			`$this->session->set(self::SESSION_KEY, [`
Commit 2022-02-23 15:45:12 +00:00			`'username' => $username,`
			`'password' => $password`
			`]);`
Works for now... 2022-01-25 16:50:32 +00:00			`return TRUE;`
			`}`
			`return FALSE;`
			`}`

Commit 2022-03-03 04:11:14 +00:00			`/**`
			`* Check if username and password match database`
			`*/`
Works for now... 2022-01-25 16:50:32 +00:00			`private function authenticate(string $username, string $password): bool`
			`{`
Commit 2022-02-23 15:45:12 +00:00			`$sth = $this->database->conn->prepare(`
			`'SELECT * FROM brukertabell WHERE Navn = ? AND Passord = ?'`
			`);`
Commit 2022-02-02 11:47:06 +00:00			`$sth->execute([$username, $password]);`
			`if ($sth->rowCount())`
Works for now... 2022-01-25 16:50:32 +00:00			`{`
Big fat commit 2022-01-23 21:56:36 +00:00			`return TRUE;`
			`}`
			`return FALSE;`
			`}`
Works for now... 2022-01-25 16:50:32 +00:00
			`public function logout(): void`
			`{`
Commit 2022-02-28 03:14:53 +00:00			`$this->session->remove(self::SESSION_KEY);`
Works for now... 2022-01-25 16:50:32 +00:00			`}`
Big fat commit 2022-01-23 21:56:36 +00:00			`}`