Compare commits
4 Commits
complete_p
...
3250792c9d
| Author | SHA1 | Date | |
|---|---|---|---|
| 3250792c9d | |||
| 16fa0db8ca | |||
| 661b01e1e6 | |||
| a6ad3e4e51 |
@@ -14,6 +14,9 @@
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
require_once(__DIR__ . "/helpers.php");
|
||||
|
||||
class MatrixConnection {
|
||||
|
||||
private $hs;
|
||||
@@ -45,12 +48,8 @@ class MatrixConnection {
|
||||
|
||||
$url = "https://" . $this->hs . "/_matrix/client/r0/rooms/"
|
||||
. urlencode($room_id) . "/send/m.room.message?access_token=" . $this->at;
|
||||
$handle = curl_init($url);
|
||||
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
|
||||
curl_setopt($handle, CURLOPT_CONNECTTIMEOUT, 5);
|
||||
curl_setopt($handle, CURLOPT_TIMEOUT, 60);
|
||||
$handle = getCurlHandle($url);
|
||||
curl_setopt($handle, CURLOPT_POSTFIELDS, json_encode($send_message));
|
||||
curl_setopt($handle, CURLOPT_HTTPHEADER, array("Content-Type: application/json"));
|
||||
|
||||
$response = $this->exec_curl_request($handle);
|
||||
return isset($response["event_id"]);
|
||||
@@ -70,37 +69,51 @@ class MatrixConnection {
|
||||
}
|
||||
|
||||
$url = "https://" . $this->hs . "/_matrix/client/r0/profile/@" . $username . ":" . $this->hs;
|
||||
$handle = curl_init($url);
|
||||
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
|
||||
curl_setopt($handle, CURLOPT_CONNECTTIMEOUT, 5);
|
||||
curl_setopt($handle, CURLOPT_TIMEOUT, 60);
|
||||
curl_setopt($handle, CURLOPT_HTTPHEADER, array("Content-Type: application/json"));
|
||||
$handle = getCurlHandle($url);
|
||||
|
||||
$res = $this->exec_curl_request($handle);
|
||||
return !(isset($res["errcode"]) && $res["errcode"] == "M_UNKNOWN");
|
||||
}
|
||||
|
||||
function getRegisterNonce() {
|
||||
$url = "https://" . $this->hs . "/_matrix/client/r0/admin/register";
|
||||
$handle = getCurlHandle($url);
|
||||
|
||||
try {
|
||||
$response = $this->exec_curl_request($handle);
|
||||
if (is_array($response) && isset($response["nonce"])) {
|
||||
return $response["nonce"];
|
||||
}
|
||||
throw new Exception("INVALID_RESPONSE_FROM_SERVER");
|
||||
} catch (Exception $e) {
|
||||
if (strcmp("AUTHENTICATION_FAILED", $e->getMessage()) == 0) {
|
||||
throw new Exception("WRONG_REGISTRATION_SHARED_SECRET");
|
||||
} else {
|
||||
throw $e;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function register($username, $password, $shared_secret) {
|
||||
if (!$username) {
|
||||
error_log("no username provided");
|
||||
}
|
||||
if (!$password) {
|
||||
error_log("no message to send");
|
||||
error_log("no password provided");
|
||||
}
|
||||
|
||||
$mac = hash_hmac('sha1', $username, $shared_secret);
|
||||
$nonce = $this->getRegisterNonce();
|
||||
//TODO allow registering of admin.
|
||||
$hmac_content = $nonce . "\x00" . $username . "\x00" . $password . "\x00notadmin";
|
||||
$mac = hash_hmac('sha1', $hmac_content, $shared_secret);
|
||||
|
||||
$data = array(
|
||||
"nonce" => $nonce,
|
||||
"username" => $username,
|
||||
"password" => $password,
|
||||
"mac" => $mac,
|
||||
);
|
||||
$url = "https://" . $this->hs . "/_matrix/client/v2_alpha/register";
|
||||
$handle = curl_init($url);
|
||||
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
|
||||
curl_setopt($handle, CURLOPT_CONNECTTIMEOUT, 5);
|
||||
curl_setopt($handle, CURLOPT_TIMEOUT, 60);
|
||||
curl_setopt($handle, CURLOPT_HTTPHEADER, array("Content-Type: application/json"));
|
||||
$url = "https://" . $this->hs . "/_matrix/client/r0/admin/register";
|
||||
$handle = getCurlHandle($url);
|
||||
curl_setopt($handle, CURLOPT_POSTFIELDS, json_encode($data));
|
||||
|
||||
try {
|
||||
@@ -172,7 +185,6 @@ class MatrixMessage {
|
||||
function get_object() {
|
||||
return $this->message;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
?>
|
||||
|
||||
17
README.md
17
README.md
@@ -23,6 +23,15 @@ When using `operationMode=local` you can have the following benefits (some requi
|
||||
- Use the 3PID lookup for other users (only email)
|
||||
- Search for users that you have not seen yet
|
||||
|
||||
## Requirements
|
||||
|
||||
- Working PHP environment with
|
||||
- database connection provider \[one of sqlite, mysql, postgres\]
|
||||
- curl extension to notify admins and register users (in `operationMode=synapse`)
|
||||
- mail capability to interact with the users (Verification, Approval (+ initial password), Notifications)
|
||||
- matrix-synapse-rest-auth when using `operationMode=local`
|
||||
- some PHP capable webserver which makes the folder `public` accessible to the public and propably `internal` for server-internal access
|
||||
|
||||
## How to install
|
||||
|
||||
- Copy `config.sample.php` to `config.php` and configure the bot as you can find there
|
||||
@@ -43,9 +52,11 @@ When using `operationMode=local` you can have the following benefits (some requi
|
||||
|
||||
## Further notes:
|
||||
|
||||
### This bot sends mails
|
||||
To allow the bot to verify the email address of the user and to interact with them e.g. in case of approval this bot needs a running mailserver configuration.
|
||||
This bot relies on php to be properly configured.
|
||||
### Security: Passwords from registration form are stored in clear text
|
||||
Currently the passwords which are typed in while capturing the register request are stored in clear text.
|
||||
The bot needs to access them to trigger a register request with correct credentials.
|
||||
It is currently strongly recommended to set `"getPasswordOnRegistration" => false` in your config!
|
||||
This leads to autocreating passwords which will then be send to the users directly without storing it.
|
||||
|
||||
### Use the ChangePasswortInterceptor (if `operationMode=local`)
|
||||
|
||||
|
||||
6
cron.php
6
cron.php
@@ -19,7 +19,9 @@ require_once(__DIR__ . "/language.php");
|
||||
require_once(__DIR__ . "/mail_templates.php");
|
||||
require_once(__DIR__ . "/database.php");
|
||||
|
||||
$sql = "SELECT id, first_name, last_name, username, email, state, note, verify_token, admin_token FROM registrations "
|
||||
$sql = "SELECT id, first_name, last_name, username, password, email,"
|
||||
. " state, note, verify_token, admin_token "
|
||||
. "FROM registrations "
|
||||
. "WHERE state = " . RegisterState::PendingEmailSend
|
||||
. " OR state = " . RegisterState::PendingAdminSend
|
||||
. " OR state = " . RegisterState::PendingRegistration
|
||||
@@ -87,7 +89,7 @@ foreach ($mx_db->query($sql) as $row) {
|
||||
break;
|
||||
case "local":
|
||||
// register by adding a user to the local database
|
||||
$password = $mx_db->addUser($row["first_name"], $row["last_name"], $row["username"], $row["email"]);
|
||||
$password = $mx_db->addUser($row["first_name"], $row["last_name"], $row["username"], $row["password"], $row["email"]);
|
||||
break;
|
||||
default:
|
||||
throw new Exception("Unknown operationMode");
|
||||
|
||||
17
database.php
17
database.php
@@ -78,7 +78,7 @@ class mxDatabase {
|
||||
first_name TEXT,
|
||||
last_name TEXT,
|
||||
username TEXT,
|
||||
password_hash TEXT DEFAULT '',
|
||||
password TEXT DEFAULT '',
|
||||
note TEXT,
|
||||
email TEXT,
|
||||
verify_token TEXT,
|
||||
@@ -98,7 +98,7 @@ class mxDatabase {
|
||||
)");
|
||||
// make sure the bot is allowed to login
|
||||
if (!$this->userRegistered("register_bot")) {
|
||||
$password = $this->addUser("Register", "Bot", "register_bot", $config["register_email"]);
|
||||
$password = $this->addUser("Register", "Bot", "register_bot", NULL, $config["register_email"]);
|
||||
$config["register_password"] = $password;
|
||||
$myfile = fopen(dirname(__FILE__) . "/config.json", "w");
|
||||
fwrite($myfile, json_encode($config, JSON_PRETTY_PRINT));
|
||||
@@ -184,7 +184,7 @@ class mxDatabase {
|
||||
*
|
||||
* @return ["verify_token"]
|
||||
*/
|
||||
function addRegistration($first_name, $last_name, $username, $note, $email) {
|
||||
function addRegistration($first_name, $last_name, $username, $password, $note, $email) {
|
||||
if ($this->userPendingRegistrations($username)) {
|
||||
throw new Exception("USERNAME_PENDING_REGISTRATION");
|
||||
}
|
||||
@@ -196,8 +196,9 @@ class mxDatabase {
|
||||
$admin_token = bin2hex(random_bytes(16));
|
||||
|
||||
$this->db->exec("INSERT INTO registrations
|
||||
(first_name, last_name, username, note, email, verify_token, admin_token)
|
||||
VALUES ('" . $first_name . "','" . $last_name . "','" . $username . "','" . $note . "','"
|
||||
(first_name, last_name, username, password, note, email, verify_token, admin_token)
|
||||
VALUES ('" . $first_name . "','" . $last_name . "','"
|
||||
. $username . "','" . $password . "','" . $note . "','"
|
||||
. $email . "','" . $verify_token . "','" . $admin_token . "')");
|
||||
|
||||
return [
|
||||
@@ -217,7 +218,7 @@ class mxDatabase {
|
||||
$res = $this->db->query($sql);
|
||||
|
||||
if ($res->fetchColumn() > 0) {
|
||||
$sql = "SELECT first_name, last_name, username, note, email FROM registrations"
|
||||
$sql = "SELECT first_name, last_name, username, password, note, email FROM registrations"
|
||||
. " WHERE admin_token = '" . $admin_token . "'"
|
||||
. " AND state = " . RegisterState::PendingAdminVerify
|
||||
. " LIMIT 1;";
|
||||
@@ -282,14 +283,16 @@ class mxDatabase {
|
||||
* NULL when failed
|
||||
*
|
||||
*/
|
||||
function addUser($first_name, $last_name, $username, $email) {
|
||||
function addUser($first_name, $last_name, $username, $password, $email) {
|
||||
// check if user already exists and abort in that case
|
||||
if ($this->userRegistered($username)) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if ($password == NULL) {
|
||||
// generate a password with 10 characters
|
||||
$password = bin2hex(openssl_random_pseudo_bytes(5));
|
||||
}
|
||||
$password_hash = password_hash($password, PASSWORD_BCRYPT, ["cost" => 12]);
|
||||
|
||||
$sql = "INSERT INTO logins (first_name, last_name, localpart, password_hash, email) VALUES "
|
||||
|
||||
@@ -30,4 +30,13 @@ function stripLocalpart($mxid) {
|
||||
return $localpart;
|
||||
}
|
||||
|
||||
function getCurlHandle($url) {
|
||||
$handle = curl_init($url);
|
||||
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
|
||||
curl_setopt($handle, CURLOPT_CONNECTTIMEOUT, 5);
|
||||
curl_setopt($handle, CURLOPT_TIMEOUT, 60);
|
||||
curl_setopt($handle, CURLOPT_HTTPHEADER, array("Content-Type: application/json"));
|
||||
return $handle;
|
||||
}
|
||||
|
||||
?>
|
||||
@@ -37,6 +37,7 @@ $language = array(
|
||||
"USERNAME_NOT_ALNUM" => "Nutzername ist nicht alphanumerisch",
|
||||
"USERNAME_PENDING_REGISTRATION" => "Dieser Nutzername wurde bereits zur Registrierung vorgemerkt. Versuche es später noch einmal oder wähle einen anderen Nutzernamen",
|
||||
"USERNAME_REGISTERED" => "Dieser Nutzername wurde bereits registriert. Bitte wähle einen anderen Nutzernamen",
|
||||
"PASSWORD_NOT_PROVIDED" => "Ein oder beide Passwörter wurden nicht gesetzt",
|
||||
"PASSWORD_NOT_MATCH" => "Passwörter stimmen nicht überein",
|
||||
"NOTE_LENGTH_EXEEDED" => "Notiz ist länger als die erlaubten 50 Zeichen",
|
||||
"PLACEHOLDER_NOTE_ABOUT_YOURSELF" => "Notiz zu dir (max. 50 Zeichen)",
|
||||
|
||||
@@ -37,6 +37,7 @@ $language = array(
|
||||
"USERNAME_NOT_ALNUM" => "Username is not alphanumeric",
|
||||
"USERNAME_PENDING_REGISTRATION" => "This username is locked for registration. Try again later or try again with a different username",
|
||||
"USERNAME_REGISTERED" => "This username is already registered. Please try again with another username",
|
||||
"PASSWORD_NOT_PROVIDED" => "One or both passwords are not provided",
|
||||
"PASSWORD_NOT_MATCH" => "passwords do not match",
|
||||
"NOTE_LENGTH_EXEEDED" => "Note consists of more than 50 characters",
|
||||
"PLACEHOLDER_NOTE_ABOUT_YOURSELF" => "Note about yourself (max. 50 characters)",
|
||||
|
||||
@@ -79,7 +79,7 @@ Deine Registrierungsanfrage wurde durch die Administratoren bestätigt.
|
||||
|
||||
Zum Anmelden kannst du folgende Zugangsdaten verwenden:
|
||||
Nutzername: $username
|
||||
Passwort: $password
|
||||
Passwort: " . (empty($password) ? "wie selbst gesetzt": $password) . "
|
||||
|
||||
Hinweis: Das Passwort kannst du aktuell über die App selbst ändern. Auch wenn das Passwort nirgends
|
||||
im Klartext gespeichert wird, kann jemand Zugriff auf diese Mail erlangen und so den Zugriff bekommen.
|
||||
|
||||
@@ -78,7 +78,7 @@ Your registration request got verified by the admin team.
|
||||
|
||||
To log in you can use the following credentials::
|
||||
Username: $username
|
||||
Password: $password
|
||||
Passwort: " . (empty($password) ? "as self-set": $password) . "
|
||||
|
||||
Important: Please change your password as soon as possible after your first login.
|
||||
The password is not stored in clear text on the server but people could get access to this mail
|
||||
|
||||
@@ -20,7 +20,7 @@ if (!isset($_SERVER['HTTPS'])) {
|
||||
}
|
||||
|
||||
require_once(__DIR__ . "/../language.php");
|
||||
if (!file_exists("../config.php")) {
|
||||
if (!file_exists(__DIR__ . "/../config.php")) {
|
||||
print($language["NO_CONFIGURATION"]);
|
||||
exit();
|
||||
}
|
||||
@@ -57,8 +57,10 @@ if ($_SERVER["REQUEST_METHOD"] == "POST") {
|
||||
if (ctype_alnum($_POST['username']) != true) {
|
||||
throw new Exception("USERNAME_NOT_ALNUM");
|
||||
}
|
||||
if (isset($config["getPasswordOnRegistration"]) && $config["getPasswordOnRegistration"] &&
|
||||
$_POST["password"] != $_POST["password_confirm"]) {
|
||||
if ($storePassword && (!isset($_POST["password"]) || !isset($_POST["password_confirm"]))) {
|
||||
throw new Exception("PASSWORD_NOT_PROVIDED");
|
||||
}
|
||||
if ($storePassword && $_POST["password"] != $_POST["password_confirm"]) {
|
||||
throw new Exception("PASSWORD_NOT_MATCH");
|
||||
}
|
||||
if (isset($_POST["note"]) && strlen($_POST["note"]) > 50) {
|
||||
@@ -82,6 +84,7 @@ if ($_SERVER["REQUEST_METHOD"] == "POST") {
|
||||
}
|
||||
|
||||
$username = filter_var($_POST["username"], FILTER_SANITIZE_STRING);
|
||||
$password = "";
|
||||
if ($storePassword && isset($_POST["password"])) {
|
||||
$password = filter_var($_POST["password"], FILTER_SANITIZE_STRING);
|
||||
}
|
||||
@@ -89,7 +92,7 @@ if ($_SERVER["REQUEST_METHOD"] == "POST") {
|
||||
$email = filter_var($_POST["email"], FILTER_VALIDATE_EMAIL);
|
||||
|
||||
require_once(__DIR__ . "/../database.php");
|
||||
$res = $mx_db->addRegistration($first_name, $last_name, $username, $note, $email);
|
||||
$res = $mx_db->addRegistration($first_name, $last_name, $username, $password, $note, $email);
|
||||
|
||||
if (!isset($res["verify_token"])) {
|
||||
error_log("sth. went wrong. registration did not throw but admin_token not set");
|
||||
|
||||
@@ -51,18 +51,21 @@ try {
|
||||
$email = $user["email"];
|
||||
$admin_token = $user["admin_token"];
|
||||
|
||||
// we have 2 cases: first and last name or just the username
|
||||
$call_name = strlen($first_name . $last_name) > 0 ? $first_name . " " . $last_name : $username;
|
||||
|
||||
require_once(__DIR__ . "/../MatrixConnection.php");
|
||||
$adminUrl = $config["webroot"] . "/verify_admin.php?t=" . $admin_token;
|
||||
$mxConn = new MatrixConnection($config["homeserver"], $config["access_token"]);
|
||||
$mxMsg = new MatrixMessage();
|
||||
$mxMsg->set_body(strtr($language["MSG_USER_WANTS_REGISTER"], [
|
||||
"@name" => (strlen($first_name . $last_name) > 0 ? $first_name . " " . $last_name : $username),
|
||||
"@name" => $call_name,
|
||||
"@note" => $note,
|
||||
"@adminUrl" => $adminUrl
|
||||
]));
|
||||
if (isset($language["MSG_USER_WANTS_REGISTER_FORMATTED"])) {
|
||||
$mxMsg->set_formatted_body(strtr($language["MSG_USER_WANTS_REGISTER_FORMATTED"], [
|
||||
"@name" => (strlen($first_name . $last_name) > 0 ? $first_name . " " . $last_name : $username),
|
||||
"@name" => $call_name,
|
||||
"@note" => $note,
|
||||
"@adminUrl" => $adminUrl
|
||||
]));
|
||||
@@ -76,7 +79,7 @@ try {
|
||||
$mx_db->setRegistrationStateVerify(
|
||||
($response ? RegisterState::PendingAdminVerify : RegisterState::PendingAdminSend), $token);
|
||||
|
||||
send_mail_pending_approval($config["homeserver"], $first_name . " " . $last_name, $email);
|
||||
send_mail_pending_approval($config["homeserver"], $call_name, $email);
|
||||
|
||||
print("<title>" . $language["VERIFICATION_SUCEEDED"] . "</title>");
|
||||
print("</head><body>");
|
||||
|
||||
@@ -60,6 +60,9 @@ try {
|
||||
$first_name = $user["first_name"];
|
||||
$last_name = $user["last_name"];
|
||||
$username = $user["username"];
|
||||
// we have 2 cases: first and last name or just the username
|
||||
$call_name = strlen($first_name . $last_name) > 0 ? $first_name . " " . $last_name : $username;
|
||||
|
||||
$note = $user["note"];
|
||||
$email = $user["email"];
|
||||
|
||||
@@ -71,11 +74,17 @@ try {
|
||||
$mxConn = new MatrixConnection($config["homeserver"], $config["access_token"]);
|
||||
|
||||
$password = NULL;
|
||||
$use_db_password = (isset($config["getPasswordOnRegistration"]) && $config["getPasswordOnRegistration"]);
|
||||
if ($use_db_password && isset($user["password"]) && strlen($user["password"]) > 0) {
|
||||
$password = $user["password"];
|
||||
} else {
|
||||
$use_db_password = false;
|
||||
// generate a password with 10 characters
|
||||
$password = bin2hex(openssl_random_pseudo_bytes(5));
|
||||
}
|
||||
switch ($config["operationMode"]) {
|
||||
case "synapse":
|
||||
// register with registration_shared_secret
|
||||
// generate a password with 10 characters
|
||||
$password = bin2hex(openssl_random_pseudo_bytes(5));
|
||||
$res = $mxConn->register($username, $password, $config["registration_shared_secret"]);
|
||||
if (!$res) {
|
||||
// something went wrong while registering
|
||||
@@ -84,7 +93,7 @@ try {
|
||||
break;
|
||||
case "local":
|
||||
// register by adding a user to the local database
|
||||
$password = $mx_db->addUser($first_name, $last_name, $username, $email);
|
||||
$password = $mx_db->addUser($first_name, $last_name, $username, $password, $email);
|
||||
break;
|
||||
default:
|
||||
throw new Exception("Unknown operationMode");
|
||||
@@ -92,7 +101,13 @@ try {
|
||||
if ($password != NULL) {
|
||||
// send registration_success
|
||||
$res = send_mail_registration_success(
|
||||
$config["homeserver"], $first_name . " " . $last_name, $email, $username, $password, $config["howToURL"]
|
||||
$config["homeserver"],
|
||||
$call_name,
|
||||
$email,
|
||||
$username,
|
||||
// only send password when auto-created
|
||||
($use_db_password ? NULL : $password),
|
||||
$config["howToURL"]
|
||||
);
|
||||
if ($res) {
|
||||
$mx_db->setRegistrationStateAdmin(RegisterState::AllDone, $token);
|
||||
@@ -100,11 +115,11 @@ try {
|
||||
$mx_db->setRegistrationStateAdmin(RegisterState::PendingSendRegistrationMail, $token);
|
||||
}
|
||||
} else {
|
||||
send_mail_registration_allowed_but_failed($config["homeserver"], $first_name . " " . $last_name, $email);
|
||||
send_mail_registration_allowed_but_failed($config["homeserver"], $call_name, $email);
|
||||
$mxMsg = new MatrixMessage();
|
||||
$mxMsg->set_type("m.text");
|
||||
$mxMsg->set_body(strtr($language["REGISTRATION_FAILED_FOR"], [
|
||||
"@name" => strlen($first_name . $last_name) > 0 ? $first_name . " " . $last_name : $username,
|
||||
"@name" => $call_name,
|
||||
]));
|
||||
$mxConn->send($config["register_room"], $mxMsg);
|
||||
throw new Exception("REGISTRATION_FAILED");
|
||||
@@ -117,7 +132,7 @@ try {
|
||||
} elseif ($action == RegisterState::RegistrationDeclined) {
|
||||
$mx_db->setRegistrationStateAdmin(RegisterState::RegistrationDeclined, $token);
|
||||
send_mail_registration_decline(
|
||||
$config["homeserver"], strlen($first_name . $last_name) > 0 ? $first_name . " " . $last_name : $username, $email, $decline_reason
|
||||
$config["homeserver"], $call_name, $email, $decline_reason
|
||||
);
|
||||
print("<title>" . $language["ADMIN_VERIFY_SITE_TITLE"] . "</title>");
|
||||
print("</head><body>");
|
||||
|
||||
Reference in New Issue
Block a user