Create an insecure bank application
This commit is contained in:
43
webroot/lib/Controller/LoginController.php
Normal file
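--- a/webroot/lib/Controller/LoginController.php
+++ b/webroot/lib/Controller/LoginController.php
@@ -0,0 +1,43 @@
+<?php
+declare(strict_types=1);
+
+namespace Controller;
+
+use Model\Session;
+use Model\User;
+use View\LoginRedirection;
+use View\LoginPage;
+use View\Sendable;
+
+class LoginController extends RestrictedPageController
+{
+public function __construct()
+{
+parent::__construct('/login.php');
+}
+
+protected function runLogic(): Sendable
+{
+$loginPage = new LoginPage($this->context);
+if ($loginPage->formWasSent) {
+$loginPage->fieldUsername = trim($loginPage->fieldUsername);
+
+// find user
+$user = User::byName($loginPage->fieldUsername);
+
+// check password
+// (use a dummy hash if no user was found, to make timing attacks harder)
+$pwHash = $user?->pwHash ?? '$argon2id$v=19$m=65536,t=4,p=1$WmxPVmd5aGdkandaNWZTcA$6hcqXkBJIGgWkcGLdqZeHhkV83JKtn5Ke7jXRS31X2s';
+
+$pwValid = password_verify($loginPage->fieldPassword, $pwHash);
+
+if ($pwValid && !empty($user)) {
+$this->context->session = Session::create($user);
+return new LoginRedirection($this->context);
+} else {
+$loginPage->errorLoginDataInvalid = true;
+}
+}
+return $loginPage;
+}
+}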
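Review bot: `!empty($user)` in the success check of runLogic is a truthiness test where an identity test is meant; `if ($pwValid && $user !== null) {` states the intent and avoids `empty()`'s falsy-value semantics. The comment above `$pwHash` should also record its precondition: the dummy-hash trick only evens out timing if the fallback uses the same Argon2id algorithm and cost (`m=65536,t=4,p=1`) as the hashes stored for real users, e.g. `// NOTE: keep this dummy's algorithm/cost in sync with the parameters used when hashing real passwords, otherwise the missing-user path stays distinguishable by timing`. Nothing in this hunk throttles or records repeated failed attempts, and whether Session::create regenerates the session id cannot be seen here; a one-line comment at `Session::create($user)` naming where lockout and session-id regeneration are handled (or that they are deliberately absent in this teaching app) would save the next reader from guessing.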