| [ Index ] |
PHP Cross Reference of YOURLS |
[Source view] [Print] [Project Stats]
Function related to authentication functions and nonces
| File Size: | 875 lines (31 kb) |
| Included or required: | 0 times |
| Referenced: | 0 times |
| Includes or requires: | 1 file includes/auth.php |
| yourls_maybe_require_auth() X-Ref |
| Show login form if required return: void |
| yourls_is_valid_user() X-Ref |
| Check for valid user via login form or stored cookie. Returns true or an error message return: bool|string|mixed true if valid user, error message otherwise. Can also call yourls_die() or redirect to login page. Oh my. |
| yourls_check_username_password() X-Ref |
| Check auth against list of login=>pwd. Sets user if applicable, returns bool return: bool true if login/pwd pair is valid (and sets user if applicable), false otherwise |
| yourls_check_password_hash($user, $submitted_password ) X-Ref |
| Check a submitted password sent in plain text against stored password which can be a salted hash return: bool param: string $user param: string $submitted_password |
| yourls_hash_passwords_now( $config_file ) X-Ref |
| Overwrite plaintext passwords in config file with hashed versions. since: 1.7 return: true|string if overwrite was successful, an error message otherwise param: string $config_file Full path to file |
| yourls_phpass_hash(string $password ) X-Ref |
| Create a password hash since: 1.7 return: string hashed password param: string $password password to hash |
| yourls_phpass_check( $password, $hash ) X-Ref |
| Verify that a password matches a hash since: 1.7 return: bool true if the hash matches the password, false otherwise param: string $password clear (eg submitted in a form) password param: string $hash hash |
| yourls_has_cleartext_passwords() X-Ref |
| Check to see if any passwords are stored as cleartext. since: 1.7 return: bool true if any passwords are cleartext |
| yourls_has_md5_passwords() X-Ref |
| Check to see if any password is stored as md5. since: 1.10.5 return: bool true if any passwords are md5 |
| yourls_has_md5_password(string $user ) X-Ref |
| Check if a user has a md5 hashed password Check if a user password is 'md5:[38 chars]'. TODO: deprecate this when/if we have proper user management with password hashes stored in the DB since: 1.7 return: bool true if password hashed, false otherwise param: string $user user login |
| yourls_has_phpass_password( $user ) X-Ref |
| Check if a user's password is hashed with password_hash Check if a user password is 'phpass:[lots of chars]'. (For historical reason we're using 'phpass' as an identifier.) TODO: deprecate this when/if we have proper user management with password hashes stored in the DB In such case, check password_needs_rehash() since: 1.7 return: bool true if password hashed with password_hash, otherwise false param: string $user user login |
| yourls_check_auth_cookie() X-Ref |
| Check auth against encrypted COOKIE data. Sets user if applicable, returns bool return: bool true if authenticated, false otherwise |
| yourls_check_signature_timestamp() X-Ref |
| Check auth against signature and timestamp. Sets user if applicable, returns bool Original usage : http://sho.rt/yourls-api.php?timestamp=<timestamp>&signature=<md5 hash>&action=... Since 1.7.7 we allow a `hash` parameter and an arbitrary hashed signature, hashed with the `hash` function. Examples : http://sho.rt/yourls-api.php?timestamp=<timestamp>&signature=<sha512 hash>&hash=sha512&action=... Since 1.10.5, the hash must be one of: sha256, sha384, or sha512, unless explicitly allowed by a plugin via the `allowed_hash_algos` filter. since: 1.4.1 return: bool False if signature or timestamp missing or invalid, true if valid |
| yourls_default_hash_algo() X-Ref |
| Helper function: return default hash algorithm for signature hashing, which is sha256 unless filtered since: 1.10.5 return: string default hash algorithm for signature hashing |
| yourls_allowed_hash_algos() X-Ref |
| Helper function: return list of allowed hash algorithms for signature hashing, which by default are sha256, sha384, and sha512 unless filtered since: 1.10.5 return: array list of allowed hash algorithms for signature hashing |
| yourls_check_signature() X-Ref |
| Check auth against signature. Sets user if applicable, returns bool since: 1.4.1 return: bool False if signature missing or invalid, true if valid |
| yourls_auth_signature(false|string $username = false ) X-Ref |
| Generate secret signature hash return: string Signature param: false|string $username Username to generate signature for, or false to use current user |
| yourls_auth_signature_length() X-Ref |
| Return length of auth signature, which is 32 chars by default unless filtered return: int |
| yourls_check_timestamp( $time ) X-Ref |
| Check if timestamp is not too old return: bool True if timestamp is valid param: int $time Timestamp to check |
| yourls_store_cookie(string $user = '' ) X-Ref |
| Store new cookie. No $user will delete the cookie. return: void param: string $user User login, or empty string to delete cookie |
| yourls_setcookie($name, $value, $expire, $path, $domain, $secure, $httponly) X-Ref |
| Replacement for PHP's setcookie(), with support for SameSite cookie attribute since: 1.7.7 return: bool setcookie() result : false if output sent before, true otherwise. This does not indicate whether the user accepted the cookie. param: string $name cookie name param: string $value cookie value param: int $expire time the cookie expires as a Unix timestamp (number of seconds since the epoch) param: string $path path on the server in which the cookie will be available on param: string $domain (sub)domain that the cookie is available to param: bool $secure if cookie should only be transmitted over a secure HTTPS connection param: bool $httponly if cookie will be made accessible only through the HTTP protocol |
| yourls_cookie_attributes() X-Ref |
| Get auth cookie attributes after filters Single source of truth used both when storing the cookie and when deriving the cookie name prefix in yourls_cookie_name_prefix(). This guarantees the prefix matches the attributes actually sent: otherwise the browser silently rejects the Set-Cookie and breaks login. since: 1.10.5 return: array Associative array with keys 'path', 'domain', 'secure', 'httponly' |
| yourls_cookie_name_prefix() X-Ref |
| Get the cookie name prefix matching the current cookie attributes Picks the strongest RFC 6265bis prefix the attributes allow, since both prefixes are mutually exclusive (a cookie has one name): __Host- : requires Secure + Path=/ + no Domain attribute (host-only cookie). On HTTPS, retires the #1673 cross-subdomain concern at the browser level: the cookie cannot leak to nor be set by sibling subdomains. __Secure- : requires Secure only. Used when a Domain attribute is set, or when the cookie path is not '/'. Blocks Set-Cookie from insecure channels. '' : on HTTP installs, no prefix is possible: the browser would reject any prefixed cookie that lacks the Secure attribute. since: 1.10.5 return: string '__Host-', '__Secure-' or '' depending on cookie attributes |
| yourls_set_user( $user ) X-Ref |
| Set user name return: void param: string $user Username |
| yourls_get_cookie_life() X-Ref |
| Get YOURLS_COOKIE_LIFE value (ie the life span of an auth cookie in seconds) Use this function instead of directly using the constant. This way, its value can be modified by plugins on a per case basis. Defaults to 7 days when YOURLS_COOKIE_LIFE is not defined. since: 1.7.7 return: integer cookie life span, in seconds |
| yourls_get_nonce_life() X-Ref |
| Get YOURLS_NONCE_LIFE value (ie life span of a nonce in seconds) Use this function instead of directly using the constant. This way, its value can be modified by plugins on a per case basis. Defaults to 12 hours when YOURLS_NONCE_LIFE is not defined. since: 1.7.7 return: integer nonce life span, in seconds |
| yourls_cookie_name() X-Ref |
| Get YOURLS cookie name The base name is unique per install (salt of the site URL) to prevent collision between eg sho.rt and very.sho.rt - see #1673. On HTTPS, the name is additionally prefixed with __Host- or __Secure- to enable browser-side hardening against cookie injection over insecure channels and, for __Host-, cross-subdomain reads or writes. See #2785 TODO: when multi user is implemented, the whole cookie stuff should be reworked to allow storing multiple users since: 1.7.1 return: string unique cookie name for a given YOURLS site |
| yourls_cookie_value( $user ) X-Ref |
| Get auth cookie value since: 1.7.7 return: string cookie value param: string $user user name |
| yourls_tick() X-Ref |
| Return a time-dependent string for nonce creation Actually, this returns a float: ceil rounds up a value but is of type float, see https://www.php.net/ceil return: float |
| yourls_get_cookie_key() X-Ref |
| Get the cookie key (secret used for hashing), as maybe defined in config, filtered This is the secret key used by yourls_salt() to hash cookies and nonces. since: 1.10.5 return: string Cookie key |
| yourls_salt(string $string ) X-Ref |
| Return hashed string This function is badly named, it's not a salt or a salted string : it's a cryptographic hash. since: 1.4.1 return: string hashed string param: string $string string to salt |
| yourls_hmac_algo() X-Ref |
| Return an available hash_hmac() algorithm since: 1.8.3 return: string hash_hmac() algorithm |
| yourls_create_nonce($action, $user = false ) X-Ref |
| Create a time limited, action limited and user limited token return: string Nonce token param: string $action Action to create nonce for param: false|string $user Optional user string, false for current user |
| yourls_nonce_field($action, $name = 'nonce', $user = false, $echo = true ) X-Ref |
| Echoes or returns a nonce field for inclusion into a form return: string Nonce field param: string $action Action to create nonce for param: string $name Optional name of nonce field -- defaults to 'nonce' param: false|string $user Optional user string, false if unspecified param: bool $echo True to echo, false to return nonce field |
| yourls_nonce_url($action, $url = false, $name = 'nonce', $user = false ) X-Ref |
| Add a nonce to a URL. If URL omitted, adds nonce to current URL return: string URL with nonce added param: string $action Action to create nonce for param: string $url Optional URL to add nonce to -- defaults to current URL param: string $name Optional name of nonce field -- defaults to 'nonce' param: false|string $user Optional user string, false if unspecified |
| yourls_verify_nonce($action, $nonce = false, $user = false, $return = '' ) X-Ref |
| Check validity of a nonce (ie time span, user and action match). Returns true if valid, dies otherwise (yourls_die() or die($return) if defined). If $nonce is false or unspecified, it will use $_REQUEST['nonce'] return: bool|void True if valid, dies otherwise param: string $action param: false|string $nonce Optional, string: nonce value, or false to use $_REQUEST['nonce'] param: false|string $user Optional, string user, false for current user param: string $return Optional, string: message to die with if nonce is invalid |
| yourls_is_user_from_env() X-Ref |
| Check if user credentials comes from environment variables since: 1.8.2 return: bool true if credentials are defined as environment variables |
| yourls_maybe_hash_passwords() X-Ref |
| Check if we should hash passwords in the config file By default, passwords are hashed. They are not if - there is no password in clear text in the config file (ie everything is already hashed) - the user defined constant YOURLS_NO_HASH_PASSWORD is true, see https://yourls.org/docs/guide/essentials/credentials#i-don-t-want-to-encrypt-my-password - YOURLS_USER and YOURLS_PASSWORD are provided by the environment, not the config file since: 1.8.2 return: bool |
| yourls_skip_password_hashing() X-Ref |
| Check if user setting for skipping password hashing is set since: 1.8.2 return: bool |
| Generated: Sat Jul 11 05:10:54 2026 | Cross-referenced by PHPXref 0.7.1 |