lib/Authentication.php


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87

<?php

/**
 * This file is part of RSS-Bridge, a PHP project capable of generating RSS and
 * Atom feeds for websites that don't have one.
 *
 * For the full license information, please view the UNLICENSE file distributed
 * with this source code.
 *
 * @package Core
 * @license http://unlicense.org/ UNLICENSE
 * @link    https://github.com/rss-bridge/rss-bridge
 */

/**
 * Authentication module for RSS-Bridge.
 *
 * This class implements an authentication module for RSS-Bridge, utilizing the
 * HTTP authentication capabilities of PHP.
 *
 * _Notice_: Authentication via HTTP does not prevent users from accessing files
 * on your server. If your server supports `.htaccess`, you should globally restrict
 * access to files instead.
 *
 * @link https://php.net/manual/en/features.http-auth.php HTTP authentication with PHP
 * @link https://httpd.apache.org/docs/2.4/howto/htaccess.html Apache HTTP Server
 * Tutorial: .htaccess files
 *
 * @todo Configuration parameters should be stored internally instead of accessing
 * the configuration class directly.
 * @todo Add functions to detect if a user is authenticated or not. This can be
 * utilized for limiting access to authorized users only.
 */
class Authentication
{
    /**
     * Throw an exception when trying to create a new instance of this class.
     * Use {@see Authentication::showPromptIfNeeded()} instead!
     *
     * @throws \LogicException if called.
     */
    public function __construct()
    {
        throw new \LogicException('Use ' . __CLASS__ . '::showPromptIfNeeded()!');
    }

    /**
     * Requests the user for login credentials if necessary.
     *
     * Responds to an authentication request or returns the `WWW-Authenticate`
     * header if authentication is enabled in the configuration of RSS-Bridge
     * (`[authentication] enable = true`).
     *
     * @return void
     */
    public static function showPromptIfNeeded()
    {
        if (Configuration::getConfig('authentication', 'enable') === true) {
            if (!Authentication::verifyPrompt()) {
                header('WWW-Authenticate: Basic realm="RSS-Bridge"', true, 401);
                die('Please authenticate in order to access this instance !');
            }
        }
    }

    /**
     * Verifies if an authentication request was received and compares the
     * provided username and password to the configuration of RSS-Bridge
     * (`[authentication] username` and `[authentication] password`).
     *
     * @return bool True if authentication succeeded.
     */
    public static function verifyPrompt()
    {
        if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) {
            if (
                Configuration::getConfig('authentication', 'username') === $_SERVER['PHP_AUTH_USER']
                && Configuration::getConfig('authentication', 'password') === $_SERVER['PHP_AUTH_PW']
            ) {
                return true;
            } else {
                error_log('[RSS-Bridge] Failed authentication attempt from ' . $_SERVER['REMOTE_ADDR']);
            }
        }
        return false;
    }
}