[ Index ]

PHP Cross Reference of YOURLS

title

Body

[close]

/includes/ -> functions-auth.php (summary)

Function related to authentication functions and nonces

File Size: 875 lines (31 kb)
Included or required:0 times
Referenced: 0 times
Includes or requires: 1 file
 includes/auth.php

Defines 39 functions

  yourls_maybe_require_auth()
  yourls_is_valid_user()
  yourls_check_username_password()
  yourls_check_password_hash()
  yourls_hash_passwords_now()
  yourls_phpass_hash()
  yourls_phpass_check()
  yourls_has_cleartext_passwords()
  yourls_has_md5_passwords()
  yourls_has_md5_password()
  yourls_has_phpass_password()
  yourls_check_auth_cookie()
  yourls_check_signature_timestamp()
  yourls_default_hash_algo()
  yourls_allowed_hash_algos()
  yourls_check_signature()
  yourls_auth_signature()
  yourls_auth_signature_length()
  yourls_check_timestamp()
  yourls_store_cookie()
  yourls_setcookie()
  yourls_cookie_attributes()
  yourls_cookie_name_prefix()
  yourls_set_user()
  yourls_get_cookie_life()
  yourls_get_nonce_life()
  yourls_cookie_name()
  yourls_cookie_value()
  yourls_tick()
  yourls_get_cookie_key()
  yourls_salt()
  yourls_hmac_algo()
  yourls_create_nonce()
  yourls_nonce_field()
  yourls_nonce_url()
  yourls_verify_nonce()
  yourls_is_user_from_env()
  yourls_maybe_hash_passwords()
  yourls_skip_password_hashing()

Functions
Functions that are not part of a class:

yourls_maybe_require_auth()   X-Ref
Show login form if required

return: void

yourls_is_valid_user()   X-Ref
Check for valid user via login form or stored cookie. Returns true or an error message

return: bool|string|mixed true if valid user, error message otherwise. Can also call yourls_die() or redirect to login page. Oh my.

yourls_check_username_password()   X-Ref
Check auth against list of login=>pwd. Sets user if applicable, returns bool

return: bool  true if login/pwd pair is valid (and sets user if applicable), false otherwise

yourls_check_password_hash($user, $submitted_password )   X-Ref
Check a submitted password sent in plain text against stored password which can be a salted hash

return: bool
param: string $user
param: string $submitted_password

yourls_hash_passwords_now( $config_file )   X-Ref
Overwrite plaintext passwords in config file with hashed versions.

since: 1.7
return: true|string  if overwrite was successful, an error message otherwise
param: string $config_file Full path to file

yourls_phpass_hash(string $password )   X-Ref
Create a password hash

since: 1.7
return: string hashed password
param: string $password password to hash

yourls_phpass_check( $password, $hash )   X-Ref
Verify that a password matches a hash

since: 1.7
return: bool true if the hash matches the password, false otherwise
param: string $password clear (eg submitted in a form) password
param: string $hash hash

yourls_has_cleartext_passwords()   X-Ref
Check to see if any passwords are stored as cleartext.

since: 1.7
return: bool true if any passwords are cleartext

yourls_has_md5_passwords()   X-Ref
Check to see if any password is stored as md5.

since: 1.10.5
return: bool true if any passwords are md5

yourls_has_md5_password(string $user )   X-Ref
Check if a user has a md5 hashed password

Check if a user password is 'md5:[38 chars]'.
TODO: deprecate this when/if we have proper user management with password hashes stored in the DB

since: 1.7
return: bool true if password hashed, false otherwise
param: string $user user login

yourls_has_phpass_password( $user )   X-Ref
Check if a user's password is hashed with password_hash

Check if a user password is 'phpass:[lots of chars]'.
(For historical reason we're using 'phpass' as an identifier.)
TODO: deprecate this when/if we have proper user management with password hashes stored in the DB
In such case, check password_needs_rehash()

since: 1.7
return: bool true if password hashed with password_hash, otherwise false
param: string $user user login

yourls_check_auth_cookie()   X-Ref
Check auth against encrypted COOKIE data. Sets user if applicable, returns bool

return: bool true if authenticated, false otherwise

yourls_check_signature_timestamp()   X-Ref
Check auth against signature and timestamp. Sets user if applicable, returns bool

Original usage :
http://sho.rt/yourls-api.php?timestamp=<timestamp>&signature=<md5 hash>&action=...
Since 1.7.7 we allow a `hash` parameter and an arbitrary hashed signature, hashed
with the `hash` function. Examples :
http://sho.rt/yourls-api.php?timestamp=<timestamp>&signature=<sha512 hash>&hash=sha512&action=...
Since 1.10.5, the hash must be one of: sha256, sha384, or sha512, unless explicitly allowed by a plugin via the
`allowed_hash_algos` filter.

since: 1.4.1
return: bool False if signature or timestamp missing or invalid, true if valid

yourls_default_hash_algo()   X-Ref
Helper function: return default hash algorithm for signature hashing, which is sha256 unless filtered

since: 1.10.5
return: string default hash algorithm for signature hashing

yourls_allowed_hash_algos()   X-Ref
Helper function: return list of allowed hash algorithms for signature hashing, which by default are sha256, sha384, and sha512 unless filtered

since: 1.10.5
return: array list of allowed hash algorithms for signature hashing

yourls_check_signature()   X-Ref
Check auth against signature. Sets user if applicable, returns bool

since: 1.4.1
return: bool False if signature missing or invalid, true if valid

yourls_auth_signature(false|string $username = false )   X-Ref
Generate secret signature hash

return: string                 Signature
param: false|string $username Username to generate signature for, or false to use current user

yourls_auth_signature_length()   X-Ref
Return length of auth signature, which is 32 chars by default unless filtered

return: int

yourls_check_timestamp( $time )   X-Ref
Check if timestamp is not too old

return: bool      True if timestamp is valid
param: int $time  Timestamp to check

yourls_store_cookie(string $user = '' )   X-Ref
Store new cookie. No $user will delete the cookie.

return: void
param: string $user  User login, or empty string to delete cookie

yourls_setcookie($name, $value, $expire, $path, $domain, $secure, $httponly)   X-Ref
Replacement for PHP's setcookie(), with support for SameSite cookie attribute

since: 1.7.7
return: bool                setcookie() result : false if output sent before, true otherwise. This does not indicate whether the user accepted the cookie.
param: string  $name       cookie name
param: string  $value      cookie value
param: int     $expire     time the cookie expires as a Unix timestamp (number of seconds since the epoch)
param: string  $path       path on the server in which the cookie will be available on
param: string  $domain     (sub)domain that the cookie is available to
param: bool    $secure     if cookie should only be transmitted over a secure HTTPS connection
param: bool    $httponly   if cookie will be made accessible only through the HTTP protocol

yourls_cookie_attributes()   X-Ref
Get auth cookie attributes after filters

Single source of truth used both when storing the cookie and when deriving the
cookie name prefix in yourls_cookie_name_prefix(). This guarantees the prefix
matches the attributes actually sent: otherwise the browser silently rejects
the Set-Cookie and breaks login.

since: 1.10.5
return: array  Associative array with keys 'path', 'domain', 'secure', 'httponly'

yourls_cookie_name_prefix()   X-Ref
Get the cookie name prefix matching the current cookie attributes

Picks the strongest RFC 6265bis prefix the attributes allow, since both prefixes
are mutually exclusive (a cookie has one name):
__Host-   : requires Secure + Path=/ + no Domain attribute (host-only cookie).
On HTTPS, retires the #1673 cross-subdomain concern at the browser
level: the cookie cannot leak to nor be set by sibling subdomains.
__Secure- : requires Secure only. Used when a Domain attribute is set, or when
the cookie path is not '/'. Blocks Set-Cookie from insecure channels.
''        : on HTTP installs, no prefix is possible: the browser would reject
any prefixed cookie that lacks the Secure attribute.

since: 1.10.5
return: string  '__Host-', '__Secure-' or '' depending on cookie attributes

yourls_set_user( $user )   X-Ref
Set user name

return: void
param: string $user  Username

yourls_get_cookie_life()   X-Ref
Get YOURLS_COOKIE_LIFE value (ie the life span of an auth cookie in seconds)

Use this function instead of directly using the constant. This way, its value can be modified by plugins
on a per case basis. Defaults to 7 days when YOURLS_COOKIE_LIFE is not defined.

since: 1.7.7
return: integer     cookie life span, in seconds

yourls_get_nonce_life()   X-Ref
Get YOURLS_NONCE_LIFE value (ie life span of a nonce in seconds)

Use this function instead of directly using the constant. This way, its value can be modified by plugins
on a per case basis. Defaults to 12 hours when YOURLS_NONCE_LIFE is not defined.

since: 1.7.7
return: integer     nonce life span, in seconds

yourls_cookie_name()   X-Ref
Get YOURLS cookie name

The base name is unique per install (salt of the site URL) to prevent collision between eg sho.rt
and very.sho.rt - see #1673.
On HTTPS, the name is additionally prefixed with __Host- or __Secure- to enable browser-side
hardening against cookie injection over insecure channels and, for __Host-, cross-subdomain reads or writes.
See #2785

TODO: when multi user is implemented, the whole cookie stuff should be reworked to allow storing multiple users

since: 1.7.1
return: string  unique cookie name for a given YOURLS site

yourls_cookie_value( $user )   X-Ref
Get auth cookie value

since: 1.7.7
return: string          cookie value
param: string $user     user name

yourls_tick()   X-Ref
Return a time-dependent string for nonce creation

Actually, this returns a float: ceil rounds up a value but is of type float, see https://www.php.net/ceil

return: float

yourls_get_cookie_key()   X-Ref
Get the cookie key (secret used for hashing), as maybe defined in config, filtered

This is the secret key used by yourls_salt() to hash cookies and nonces.

since: 1.10.5
return: string Cookie key

yourls_salt(string $string )   X-Ref
Return hashed string

This function is badly named, it's not a salt or a salted string : it's a cryptographic hash.

since: 1.4.1
return: string          hashed string
param: string $string   string to salt

yourls_hmac_algo()   X-Ref
Return an available hash_hmac() algorithm

since: 1.8.3
return: string  hash_hmac() algorithm

yourls_create_nonce($action, $user = false )   X-Ref
Create a time limited, action limited and user limited token

return: string             Nonce token
param: string $action      Action to create nonce for
param: false|string $user  Optional user string, false for current user

yourls_nonce_field($action, $name = 'nonce', $user = false, $echo = true )   X-Ref
Echoes or returns a nonce field for inclusion into a form

return: string             Nonce field
param: string $action      Action to create nonce for
param: string $name        Optional name of nonce field -- defaults to 'nonce'
param: false|string $user  Optional user string, false if unspecified
param: bool $echo          True to echo, false to return nonce field

yourls_nonce_url($action, $url = false, $name = 'nonce', $user = false )   X-Ref
Add a nonce to a URL. If URL omitted, adds nonce to current URL

return: string             URL with nonce added
param: string $action      Action to create nonce for
param: string $url         Optional URL to add nonce to -- defaults to current URL
param: string $name        Optional name of nonce field -- defaults to 'nonce'
param: false|string $user  Optional user string, false if unspecified

yourls_verify_nonce($action, $nonce = false, $user = false, $return = '' )   X-Ref
Check validity of a nonce (ie time span, user and action match).

Returns true if valid, dies otherwise (yourls_die() or die($return) if defined).
If $nonce is false or unspecified, it will use $_REQUEST['nonce']

return: bool|void           True if valid, dies otherwise
param: string $action
param: false|string $nonce  Optional, string: nonce value, or false to use $_REQUEST['nonce']
param: false|string $user   Optional, string user, false for current user
param: string $return       Optional, string: message to die with if nonce is invalid

yourls_is_user_from_env()   X-Ref
Check if user credentials comes from environment variables

since: 1.8.2
return: bool  true if credentials are defined as environment variables

yourls_maybe_hash_passwords()   X-Ref
Check if we should hash passwords in the config file

By default, passwords are hashed. They are not if
- there is no password in clear text in the config file (ie everything is already hashed)
- the user defined constant YOURLS_NO_HASH_PASSWORD is true, see https://yourls.org/docs/guide/essentials/credentials#i-don-t-want-to-encrypt-my-password
- YOURLS_USER and YOURLS_PASSWORD are provided by the environment, not the config file

since: 1.8.2
return: bool

yourls_skip_password_hashing()   X-Ref
Check if user setting for skipping password hashing is set

since: 1.8.2
return: bool



Generated: Sat Jul 11 05:10:54 2026 Cross-referenced by PHPXref 0.7.1