10.4/_abstract_user_authentication_8php_source.html

<?php


/*

 * This file is part of the TYPO3 CMS project.

 *

 * It is free software; you can redistribute it and/or modify it under

 * the terms of the GNU General Public License, either version 2

 * of the License, or any later version.

 *

 * For the full copyright and license information, please read the

 * LICENSE.txt file that was distributed with this source code.

 *

 * The TYPO3 project - inspiring people to share!

 */


namespace ‪TYPO3\CMS\Core\Authentication;


use Psr\Log\LoggerAwareInterface;

use Psr\Log\LoggerAwareTrait;

use Symfony\Component\HttpFoundation\Cookie;

use ‪TYPO3\CMS\Core\Core\Environment;

use ‪TYPO3\CMS\Core\Crypto\Random;

use ‪TYPO3\CMS\Core\Database\Connection;

use ‪TYPO3\CMS\Core\Database\ConnectionPool;

use ‪TYPO3\CMS\Core\Database\Query\Restriction\DefaultRestrictionContainer;

use ‪TYPO3\CMS\Core\Database\Query\Restriction\DeletedRestriction;

use ‪TYPO3\CMS\Core\Database\Query\Restriction\EndTimeRestriction;

use ‪TYPO3\CMS\Core\Database\Query\Restriction\HiddenRestriction;

use ‪TYPO3\CMS\Core\Database\Query\Restriction\QueryRestrictionContainerInterface;

use ‪TYPO3\CMS\Core\Database\Query\Restriction\RootLevelRestriction;

use ‪TYPO3\CMS\Core\Database\Query\Restriction\StartTimeRestriction;

use ‪TYPO3\CMS\Core\Exception;

use ‪TYPO3\CMS\Core\Http\CookieHeaderTrait;

use ‪TYPO3\CMS\Core\Session\Backend\Exception\SessionNotFoundException;

use ‪TYPO3\CMS\Core\Session\Backend\HashableSessionBackendInterface;

use ‪TYPO3\CMS\Core\Session\Backend\SessionBackendInterface;

use ‪TYPO3\CMS\Core\Session\SessionManager;

use ‪TYPO3\CMS\Core\SysLog\Action\Login as SystemLogLoginAction;

use ‪TYPO3\CMS\Core\SysLog\Error as SystemLogErrorClassification;

use ‪TYPO3\CMS\Core\SysLog\Type as SystemLogType;

use ‪TYPO3\CMS\Core\Utility\GeneralUtility;


abstract class ‪AbstractUserAuthentication implements LoggerAwareInterface

{

    use LoggerAwareTrait;

    use ‪CookieHeaderTrait;


    public ‪$name = '';


    public ‪$user_table = '';


    public ‪$usergroup_table = '';


    public ‪$username_column = '';


    public ‪$userident_column = '';


    public ‪$userid_column = '';


    public ‪$usergroup_column = '';


    public ‪$lastLogin_column = '';


    public ‪$enablecolumns = [

        'rootLevel' => '',

        // Boolean: If TRUE, 'AND pid=0' will be a part of the query...

        'disabled' => '',

        'starttime' => '',

        'endtime' => '',

        'deleted' => '',

    ];


    public ‪$showHiddenRecords = false;


    public ‪$formfield_uname = '';


    public ‪$formfield_uident = '';


    public ‪$formfield_status = '';


    public ‪$sessionTimeout = 0;


    public ‪$auth_timeout_field = '';


    public ‪$lifetime = 0;


    public ‪$gc_time = 86400;


    public ‪$gc_probability = 1;


    public ‪$writeStdLog = false;


    public ‪$writeAttemptLog = false;


    public ‪$sendNoCacheHeaders = true;


    public ‪$hash_length = 32;


    public ‪$warningEmail = '';


    public ‪$warningPeriod = 3600;


    public ‪$warningMax = 3;


    public ‪$checkPid = true;


    public ‪$checkPid_value = 0;


    public ‪$id;


    public ‪$loginFailure = false;


    public ‪$loginSessionStarted = false;


    public ‪$user;


    public ‪$newSessionID = false;


    public ‪$forceSetCookie = false;


    public ‪$dontSetCookie = false;


    protected ‪$cookieWasSetOnCurrentRequest = false;


    public ‪$loginType = '';


    public ‪$svConfig = [];


    public ‪$uc;


    protected ‪$ipLocker;


    protected ‪$sessionBackend;


    protected ‪$sessionData = [];


    public function ‪__construct()

    {

        $this->svConfig = ‪$GLOBALS['TYPO3_CONF_VARS']['SVCONF']['auth'] ?? [];

        // If there is a custom session timeout, use this instead of the 1d default gc time.

        if ($this->sessionTimeout > 0) {

            $this->gc_time = ‪$this->sessionTimeout;

        }

        // Backend or frontend login - used for auth services

        if (empty($this->loginType)) {

            throw new ‪Exception('No loginType defined, must be set explicitly by subclass', 1476045345);

        }


        $this->ipLocker = GeneralUtility::makeInstance(

            IpLocker::class,

            ‪$GLOBALS['TYPO3_CONF_VARS'][$this->loginType]['lockIP'],

            ‪$GLOBALS['TYPO3_CONF_VARS'][$this->loginType]['lockIPv6']

        );

    }


    public function ‪start()

    {

        $this->logger->debug('## Beginning of auth logging.');

        $this->newSessionID = false;

        // Make certain that NO user is set initially

        $this->user = null;

        // sessionID is set to ses_id if cookie is present. Otherwise a new session will start

        $this->id = $this->‪getCookie($this->name);


        // If new session or client tries to fix session...

        if (!$this->‪isExistingSessionRecord($this->id)) {

            $this->id = $this->‪createSessionId();

            $this->newSessionID = true;

        }


        // Set all possible headers that could ensure that the script is not cached on the client-side

        $this->‪sendHttpHeaders();

        // Load user session, check to see if anyone has submitted login-information and if so authenticate

        // the user with the session. $this->user[uid] may be used to write log...

        $this->‪checkAuthentication();

        // Set cookie if generally enabled or if the current session is a non-session cookie (FE permalogin)

        if (!$this->dontSetCookie || $this->‪isRefreshTimeBasedCookie()) {

            $this->‪setSessionCookie();

        }

        // Hook for alternative ways of filling the $this->user array (is used by the "timtaw" extension)

        foreach (‪$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['postUserLookUp'] ?? [] as $funcName) {

            $_params = [

                'pObj' => $this,

            ];

            GeneralUtility::callUserFunction($funcName, $_params, $this);

        }

        // If we're lucky we'll get to clean up old sessions

        if (random_int(0, mt_getrandmax()) % 100 <= $this->gc_probability) {

            $this->‪gc();

        }

    }


    protected function ‪sendHttpHeaders()

    {

        // skip sending the "no-cache" headers if it's a CLI request or the no-cache headers should not be sent.

        if (!$this->sendNoCacheHeaders || ‪Environment::isCli()) {

            return;

        }

        $httpHeaders = $this->‪getHttpHeaders();

        foreach ($httpHeaders as $httpHeaderName => $value) {

            header($httpHeaderName . ': ' . $value);

        }

    }


    protected function ‪getHttpHeaders(): array

    {

        $headers = [

            'Expires' => 0,

            'Last-Modified' => gmdate('D, d M Y H:i:s') . ' GMT'

        ];

        $cacheControlHeader = 'no-cache, must-revalidate';

        $pragmaHeader = 'no-cache';

        // Prevent error message in IE when using a https connection

        // see https://forge.typo3.org/issues/24125

        if (strpos(GeneralUtility::getIndpEnv('HTTP_USER_AGENT'), 'MSIE') !== false

            && GeneralUtility::getIndpEnv('TYPO3_SSL')) {

            // Some IEs can not handle no-cache

            // see http://support.microsoft.com/kb/323308/en-us

            $cacheControlHeader = 'must-revalidate';

            // IE needs "Pragma: private" if SSL connection

            $pragmaHeader = 'private';

        }

        $headers['Cache-Control'] = $cacheControlHeader;

        $headers['Pragma'] = $pragmaHeader;

        return $headers;

    }


    protected function ‪setSessionCookie()

    {

        $isSetSessionCookie = $this->‪isSetSessionCookie();

        $isRefreshTimeBasedCookie = $this->‪isRefreshTimeBasedCookie();

        if ($isSetSessionCookie || $isRefreshTimeBasedCookie) {

            $settings = ‪$GLOBALS['TYPO3_CONF_VARS']['SYS'];

            // Get the domain to be used for the cookie (if any):

            $cookieDomain = $this->‪getCookieDomain();

            // If no cookie domain is set, use the base path:

            $cookiePath = $cookieDomain ? '/' : GeneralUtility::getIndpEnv('TYPO3_SITE_PATH');

            // If the cookie lifetime is set, use it:

            $cookieExpire = $isRefreshTimeBasedCookie ? ‪$GLOBALS['EXEC_TIME'] + $this->lifetime : 0;

            // Use the secure option when the current request is served by a secure connection:

            $cookieSecure = (bool)$settings['cookieSecure'] && GeneralUtility::getIndpEnv('TYPO3_SSL');

            // Valid options are "strict", "lax" or "none", whereas "none" only works in HTTPS requests (default & fallback is "strict")

            $cookieSameSite = $this->sanitizeSameSiteCookieValue(

                strtolower(‪$GLOBALS['TYPO3_CONF_VARS'][$this->loginType]['cookieSameSite'] ?? Cookie::SAMESITE_STRICT)

            );

            // SameSite "none" needs the secure option (only allowed on HTTPS)

            if ($cookieSameSite === Cookie::SAMESITE_NONE) {

                $cookieSecure = true;

            }

            // Do not set cookie if cookieSecure is set to "1" (force HTTPS) and no secure channel is used:

            if ((int)$settings['cookieSecure'] !== 1 || GeneralUtility::getIndpEnv('TYPO3_SSL')) {

                $cookie = new Cookie(

                    $this->name,

                    $this->id,

                    $cookieExpire,

                    $cookiePath,

                    $cookieDomain,

                    $cookieSecure,

                    true,

                    false,

                    $cookieSameSite

                );

                header('Set-Cookie: ' . $cookie->__toString(), false);

                $this->cookieWasSetOnCurrentRequest = true;

            } else {

                throw new ‪Exception('Cookie was not set since HTTPS was forced in $TYPO3_CONF_VARS[SYS][cookieSecure].', 1254325546);

            }

            $this->logger->debug(

                ($isRefreshTimeBasedCookie ? 'Updated Cookie: ' : 'Set Cookie: ')

                . sha1($this->id) . ($cookieDomain ? ', ' . $cookieDomain : '')

            );

        }

    }


    protected function ‪getCookieDomain()

    {

        $result = '';

        $cookieDomain = ‪$GLOBALS['TYPO3_CONF_VARS']['SYS']['cookieDomain'];

        // If a specific cookie domain is defined for a given TYPO3_MODE,

        // use that domain

        if (!empty(‪$GLOBALS['TYPO3_CONF_VARS'][$this->loginType]['cookieDomain'])) {

            $cookieDomain = ‪$GLOBALS['TYPO3_CONF_VARS'][‪$this->loginType]['cookieDomain'];

        }

        if ($cookieDomain) {

            if ($cookieDomain[0] === '/') {

                $match = [];

                $matchCnt = @preg_match($cookieDomain, GeneralUtility::getIndpEnv('TYPO3_HOST_ONLY'), $match);

                if ($matchCnt === false) {

                    $this->logger->critical('The regular expression for the cookie domain (' . $cookieDomain . ') contains errors. The session is not shared across sub-domains.');

                } elseif ($matchCnt) {

                    $result = $match[0];

                }

            } else {

                $result = $cookieDomain;

            }

        }

        return $result;

    }


    protected function ‪getCookie($cookieName)

    {

        return isset($_COOKIE[$cookieName]) ? stripslashes($_COOKIE[$cookieName]) : '';

    }


    public function ‪isSetSessionCookie()

    {

        return ($this->newSessionID || $this->forceSetCookie) && $this->lifetime == 0;

    }


    public function ‪isRefreshTimeBasedCookie()

    {

        return $this->lifetime > 0;

    }


    public function ‪checkAuthentication()

    {

        // No user for now - will be searched by service below

        $tempuserArr = [];

        $tempuser = false;

        // User is not authenticated by default

        $authenticated = false;

        // User want to login with passed login data (name/password)

        $activeLogin = false;

        // Indicates if an active authentication failed (not auto login)

        $this->loginFailure = false;

        $this->logger->debug('Login type: ' . $this->loginType);

        // The info array provide additional information for auth services

        $authInfo = $this->‪getAuthInfoArray();

        // Get Login/Logout data submitted by a form or params

        $loginData = $this->‪getLoginFormData();

        $this->logger->debug('Login data', $this->‪removeSensitiveLoginDataForLoggingInfo($loginData));

        // Active logout (eg. with "logout" button)

        if ($loginData['status'] === ‪LoginType::LOGOUT) {

            if ($this->writeStdLog) {

                // $type,$action,$error,$details_nr,$details,$data,$tablename,$recuid,$recpid

                $this->‪writelog(SystemLogType::LOGIN, SystemLogLoginAction::LOGOUT, SystemLogErrorClassification::MESSAGE, 2, 'User %s logged out', [$this->user['username']], '', 0, 0);

            }

            $this->logger->info('User logged out. Id: ' . sha1($this->id));

            $this->‪logoff();

        }

        // Determine whether we need to skip session update.

        // This is used mainly for checking session timeout in advance without refreshing the current session's timeout.

        $skipSessionUpdate = (bool)GeneralUtility::_GP('skipSessionUpdate');

        $haveSession = false;

        $anonymousSession = false;

        if (!$this->newSessionID) {

            // Read user session

            $authInfo['userSession'] = $this->‪fetchUserSession($skipSessionUpdate);

            $haveSession = is_array($authInfo['userSession']);

            if ($haveSession && !empty($authInfo['userSession']['ses_anonymous'])) {

                $anonymousSession = true;

            }

        }


        // Active login (eg. with login form).

        if (!$haveSession && $loginData['status'] === ‪LoginType::LOGIN) {

            $activeLogin = true;

            $this->logger->debug('Active login (eg. with login form)');

            // check referrer for submitted login values

            if ($this->formfield_status && $loginData['uident'] && $loginData['uname']) {

                // Delete old user session if any

                $this->‪logoff();

            }

            // Refuse login for _CLI users, if not processing a CLI request type

            // (although we shouldn't be here in case of a CLI request type)

            if (stripos($loginData['uname'], '_CLI_') === 0 && !‪Environment::isCli()) {

                throw new \RuntimeException('TYPO3 Fatal Error: You have tried to login using a CLI user. Access prohibited!', 1270853931);

            }

        }


        // Cause elevation of privilege, make sure regenerateSessionId is called later on

        if ($anonymousSession && $loginData['status'] === ‪LoginType::LOGIN) {

            $activeLogin = true;

        }


        if ($haveSession) {

            $this->logger->debug('User session found', [

                $this->userid_column => $authInfo['userSession'][$this->userid_column] ?? null,

                $this->username_column => $authInfo['userSession'][$this->username_column] ?? null,

            ]);

        } else {

            $this->logger->debug('No user session found');

        }

        if (is_array($this->svConfig['setup'] ?? false)) {

            $this->logger->debug('SV setup', $this->svConfig['setup']);

        }


        // Fetch user if ...

        if (

            $activeLogin || !empty($this->svConfig['setup'][$this->loginType . '_alwaysFetchUser'])

            || !$haveSession && !empty($this->svConfig['setup'][$this->loginType . '_fetchUserIfNoSession'])

        ) {

            // Use 'auth' service to find the user

            // First found user will be used

            $subType = 'getUser' . ‪$this->loginType;

            foreach ($this->‪getAuthServices($subType, $loginData, $authInfo) as $serviceObj) {

                if ($row = $serviceObj->getUser()) {

                    $tempuserArr[] = $row;

                    $this->logger->debug('User found', [

                        $this->userid_column => $row[$this->userid_column],

                        $this->username_column => $row[$this->username_column],

                    ]);

                    // User found, just stop to search for more if not configured to go on

                    if (empty($this->svConfig['setup'][$this->loginType . '_fetchAllUsers'])) {

                        break;

                    }

                }

            }


            if (!empty($this->svConfig['setup'][$this->loginType . '_alwaysFetchUser'])) {

                $this->logger->debug($this->loginType . '_alwaysFetchUser option is enabled');

            }

            if (empty($tempuserArr)) {

                $this->logger->debug('No user found by services');

            } else {

                $this->logger->debug(count($tempuserArr) . ' user records found by services');

            }

        }


        // If no new user was set we use the already found user session

        if (empty($tempuserArr) && $haveSession && !$anonymousSession) {

            $tempuserArr[] = $authInfo['userSession'];

            $tempuser = $authInfo['userSession'];

            // User is authenticated because we found a user session

            $authenticated = true;

            $this->logger->debug('User session used', [

                $this->userid_column => $authInfo['userSession'][$this->userid_column],

                $this->username_column => $authInfo['userSession'][$this->username_column],

            ]);

        }

        // Re-auth user when 'auth'-service option is set

        if (!empty($this->svConfig['setup'][$this->loginType . '_alwaysAuthUser'])) {

            $authenticated = false;

            $this->logger->debug('alwaysAuthUser option is enabled');

        }

        // Authenticate the user if needed

        if (!empty($tempuserArr) && !$authenticated) {

            foreach ($tempuserArr as $tempuser) {

                // Use 'auth' service to authenticate the user

                // If one service returns FALSE then authentication failed

                // a service might return 100 which means there's no reason to stop but the user can't be authenticated by that service

                $this->logger->debug('Auth user', $this->‪removeSensitiveLoginDataForLoggingInfo($tempuser, true));

                $subType = 'authUser' . ‪$this->loginType;


                foreach ($this->‪getAuthServices($subType, $loginData, $authInfo) as $serviceObj) {

                    if (($ret = $serviceObj->authUser($tempuser)) > 0) {

                        // If the service returns >=200 then no more checking is needed - useful for IP checking without password

                        if ((int)$ret >= 200) {

                            $authenticated = true;

                            break;

                        }

                        if ((int)$ret >= 100) {

                        } else {

                            $authenticated = true;

                        }

                    } else {

                        $authenticated = false;

                        break;

                    }

                }


                if ($authenticated) {

                    // Leave foreach() because a user is authenticated

                    break;

                }

            }

            // mimic user authentication to mitigate observable timing discrepancies

        // @link https://cwe.mitre.org/data/definitions/208.html

        } elseif ($activeLogin) {

            $subType = 'authUser' . ‪$this->loginType;

            foreach ($this->‪getAuthServices($subType, $loginData, $authInfo) as $serviceObj) {

                if ($serviceObj instanceof MimicServiceInterface && $serviceObj->mimicAuthUser() === false) {

                    break;

                }

            }

        }


        // If user is authenticated a valid user is in $tempuser

        if ($authenticated) {

            // Reset failure flag

            $this->loginFailure = false;

            // Insert session record if needed:

            if (!$haveSession || $anonymousSession || $tempuser['ses_id'] != $this->id && $tempuser['uid'] != $authInfo['userSession']['ses_userid']) {

                ‪$sessionData = $this->‪createUserSession($tempuser);


                // Preserve session data on login

                if ($anonymousSession) {

                    ‪$sessionData = $this->‪getSessionBackend()->‪update(

                        $this->id,

                        ['ses_data' => $authInfo['userSession']['ses_data']]

                    );

                }


                $this->user = array_merge(

                    $tempuser,

                    ‪$sessionData

                );

                // The login session is started.

                $this->loginSessionStarted = true;

                if (is_array($this->user)) {

                    $this->logger->debug('User session finally read', [

                        $this->userid_column => $this->user[$this->userid_column],

                        $this->username_column => $this->user[$this->username_column],

                    ]);

                }

            } elseif ($haveSession) {

                // Validate the session ID and promote it

                // This check can be removed in TYPO3 v11

                if ($this->‪getSessionBackend() instanceof HashableSessionBackendInterface && !empty($authInfo['userSession']['ses_id'] ?? '')) {

                    // The session is stored in plaintext, promote it

                    if ($authInfo['userSession']['ses_id'] === $this->id) {

                        $authInfo['userSession'] = $this->‪getSessionBackend()->‪update(

                            $this->id,

                            ['ses_data' => $authInfo['userSession']['ses_data']]

                        );

                    }

                }

                // if we come here the current session is for sure not anonymous as this is a pre-condition for $authenticated = true

                $this->user = $authInfo['userSession'];

            }


            if ($activeLogin && !$this->newSessionID) {

                $this->‪regenerateSessionId();

            }


            // User logged in - write that to the log!

            if ($this->writeStdLog && $activeLogin) {

                $this->‪writelog(SystemLogType::LOGIN, SystemLogLoginAction::LOGIN, SystemLogErrorClassification::MESSAGE, 1, 'User %s logged in from ###IP###', [$tempuser[$this->username_column]], '', '', '');

            }

            if ($activeLogin) {

                $this->logger->info('User ' . $tempuser[$this->username_column] . ' logged in from ' . GeneralUtility::getIndpEnv('REMOTE_ADDR'));

            }

            if (!$activeLogin) {

                $this->logger->debug('User ' . $tempuser[$this->username_column] . ' authenticated from ' . GeneralUtility::getIndpEnv('REMOTE_ADDR'));

            }

        } else {

            // User was not authenticated, so we should reuse the existing anonymous session

            if ($anonymousSession) {

                $this->user = $authInfo['userSession'];

            }


            // Mark the current login attempt as failed

            if ($activeLogin || !empty($tempuserArr)) {

                $this->loginFailure = true;

                if (empty($tempuserArr) && $activeLogin) {

                    $logData = [

                        'loginData' => $this->‪removeSensitiveLoginDataForLoggingInfo($loginData)

                    ];

                    $this->logger->debug('Login failed', $logData);

                }

                if (!empty($tempuserArr)) {

                    $logData = [

                        $this->userid_column => $tempuser[‪$this->userid_column],

                        $this->username_column => $tempuser[‪$this->username_column],

                    ];

                    $this->logger->debug('Login failed', $logData);

                }

            }

        }


        // If there were a login failure, check to see if a warning email should be sent:

        if ($this->loginFailure && $activeLogin) {

            $this->logger->debug(

                'Call checkLogFailures',

                [

                    'warningEmail' => $this->warningEmail,

                    'warningPeriod' => $this->warningPeriod,

                    'warningMax' => $this->warningMax

                ]

            );


            // Hook to implement login failure tracking methods

            $_params = [];

            $sleep = true;

            foreach (‪$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['postLoginFailureProcessing'] ?? [] as $_funcRef) {

                GeneralUtility::callUserFunction($_funcRef, $_params, $this);

                $sleep = false;

            }


            if ($sleep) {

                // No hooks were triggered - default login failure behavior is to sleep 5 seconds

                sleep(5);

            }


            $this->‪checkLogFailures($this->warningEmail, $this->warningPeriod, $this->warningMax);

        }

    }


    public function ‪createSessionId()

    {

        return GeneralUtility::makeInstance(Random::class)->generateRandomHexString($this->hash_length);

    }


    protected function ‪getAuthServices(string $subType, array $loginData, array $authInfo): \Traversable

    {

        $serviceChain = [];

        while (is_object($serviceObj = GeneralUtility::makeInstanceService('auth', $subType, $serviceChain))) {

            $serviceChain[] = $serviceObj->getServiceKey();

            $serviceObj->initAuth($subType, $loginData, $authInfo, $this);

            yield $serviceObj;

        }

        if (!empty($serviceChain)) {

            $this->logger->debug($subType . ' auth services called: ' . implode(', ', $serviceChain));

        }

    }


    protected function ‪regenerateSessionId(array $existingSessionRecord = [], bool $anonymous = false)

    {

        if (empty($existingSessionRecord)) {

            $existingSessionRecord = $this->‪getSessionBackend()->‪get($this->id);

        }


        // Update session record with new ID

        $oldSessionId = ‪$this->id;

        $this->id = $this->‪createSessionId();

        $updatedSession = $this->‪getSessionBackend()->‪set($this->id, $existingSessionRecord);

        $this->sessionData = unserialize($updatedSession['ses_data']);

        // Merge new session data into user/session array

        $this->user = array_merge($this->user ?? [], $updatedSession);

        $this->‪getSessionBackend()->‪remove($oldSessionId);

        $this->newSessionID = true;

    }


    /*************************

     *

     * User Sessions

     *

     *************************/


    public function ‪createUserSession($tempuser)

    {

        $this->logger->debug('Create session ses_id = ' . sha1($this->id));

        // Delete any session entry first

        $this->‪getSessionBackend()->‪remove($this->id);

        // Re-create session entry

        $sessionRecord = $this->‪getNewSessionRecord($tempuser);

        $sessionRecord = $this->‪getSessionBackend()->‪set($this->id, $sessionRecord);

        // Updating lastLogin_column carrying information about last login.

        $this->‪updateLoginTimestamp($tempuser[$this->userid_column]);

        return $sessionRecord;

    }


    protected function ‪updateLoginTimestamp(int $userId)

    {

        if ($this->lastLogin_column) {

            $connection = GeneralUtility::makeInstance(ConnectionPool::class)->getConnectionForTable($this->user_table);

            $connection->update(

                $this->user_table,

                [$this->lastLogin_column => ‪$GLOBALS['EXEC_TIME']],

                [$this->userid_column => $userId]

            );

        }

    }


    public function ‪getNewSessionRecord($tempuser)

    {

        $sessionIpLock = $this->ipLocker->getSessionIpLock((string)GeneralUtility::getIndpEnv('REMOTE_ADDR'), empty($tempuser['disableIPlock']));


        return [

            'ses_id' => ‪$this->id,

            'ses_iplock' => $sessionIpLock,

            'ses_userid' => $tempuser[‪$this->userid_column] ?? 0,

            'ses_tstamp' => ‪$GLOBALS['EXEC_TIME'],

            'ses_data' => '',

        ];

    }


    public function ‪fetchUserSession($skipSessionUpdate = false)

    {

        $this->logger->debug('Fetch session ses_id = ' . sha1($this->id));

        try {

            $sessionRecord = $this->‪getSessionBackend()->‪get($this->id);

        } catch (SessionNotFoundException $e) {

            return false;

        }


        $this->sessionData = unserialize($sessionRecord['ses_data']);

        // Session is anonymous so no need to fetch user

        if (!empty($sessionRecord['ses_anonymous'])) {

            return $sessionRecord;

        }


        // Fetch the user from the DB

        $userRecord = $this->‪getRawUserByUid((int)$sessionRecord['ses_userid']);

        if ($userRecord) {

            $userRecord = array_merge($sessionRecord, $userRecord);

            // A user was found

            $userRecord['ses_tstamp'] = (int)$userRecord['ses_tstamp'];

            $userRecord['is_online'] = (int)$userRecord['ses_tstamp'];


            if (!empty($this->auth_timeout_field)) {

                // Get timeout-time from usertable

                $timeout = (int)$userRecord[$this->auth_timeout_field];

            } else {

                $timeout = ‪$this->sessionTimeout;

            }

            // If timeout > 0 (TRUE) and current time has not exceeded the latest sessions-time plus the timeout in seconds then accept user

            // Use a gracetime-value to avoid updating a session-record too often

            if ($timeout > 0 && ‪$GLOBALS['EXEC_TIME'] < $userRecord['ses_tstamp'] + $timeout) {

                $sessionUpdateGracePeriod = 61;

                if (!$skipSessionUpdate && ‪$GLOBALS['EXEC_TIME'] > ($userRecord['ses_tstamp'] + $sessionUpdateGracePeriod)) {

                    // Update the session timestamp by writing a dummy update. (Backend will update the timestamp)

                    $updatesSession = $this->‪getSessionBackend()->‪update($this->id, []);

                    $userRecord = array_merge($userRecord, $updatesSession);

                }

            } else {

                // Delete any user set...

                $this->‪logoff();

                $userRecord = false;

            }

        }

        return $userRecord;

    }


    public function ‪enforceNewSessionId()

    {

        $this->‪regenerateSessionId();

        $this->‪setSessionCookie();

    }


    public function ‪logoff()

    {

        $this->logger->debug('logoff: ses_id = ' . sha1($this->id));


        $_params = [];

        foreach (‪$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['logoff_pre_processing'] ?? [] as $_funcRef) {

            if ($_funcRef) {

                GeneralUtility::callUserFunction($_funcRef, $_params, $this);

            }

        }

        $this->‪performLogoff();


        foreach (‪$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['logoff_post_processing'] ?? [] as $_funcRef) {

            if ($_funcRef) {

                GeneralUtility::callUserFunction($_funcRef, $_params, $this);

            }

        }

    }


    protected function ‪performLogoff()

    {

        if ($this->id) {

            $this->‪getSessionBackend()->‪remove($this->id);

        }

        $this->sessionData = [];

        $this->user = null;

        if ($this->‪isCookieSet()) {

            $this->‪removeCookie($this->name);

        }

    }


    public function ‪removeCookie($cookieName)

    {

        $cookieDomain = $this->‪getCookieDomain();

        // If no cookie domain is set, use the base path

        $cookiePath = $cookieDomain ? '/' : GeneralUtility::getIndpEnv('TYPO3_SITE_PATH');

        setcookie($cookieName, '', -1, $cookiePath, $cookieDomain);

    }


    public function ‪isExistingSessionRecord(‪$id)

    {

        if (empty(‪$id)) {

            return false;

        }

        try {

            $sessionRecord = $this->‪getSessionBackend()->‪get(‪$id);

            if (empty($sessionRecord)) {

                return false;

            }

            // If the session does not match the current IP lock, it should be treated as invalid

            // and a new session should be created.

            return $this->ipLocker->validateRemoteAddressAgainstSessionIpLock((string)GeneralUtility::getIndpEnv('REMOTE_ADDR'), $sessionRecord['ses_iplock']);

        } catch (‪SessionNotFoundException $e) {

            return false;

        }

    }


    public function ‪isCookieSet()

    {

        return $this->cookieWasSetOnCurrentRequest || $this->‪getCookie($this->name);

    }


    /*************************

     *

     * SQL Functions

     *

     *************************/

    protected function ‪userConstraints(): QueryRestrictionContainerInterface

    {

        $restrictionContainer = GeneralUtility::makeInstance(DefaultRestrictionContainer::class);


        if (empty($this->enablecolumns['disabled'])) {

            $restrictionContainer->removeByType(HiddenRestriction::class);

        }


        if (empty($this->enablecolumns['deleted'])) {

            $restrictionContainer->removeByType(DeletedRestriction::class);

        }


        if (empty($this->enablecolumns['starttime'])) {

            $restrictionContainer->removeByType(StartTimeRestriction::class);

        }


        if (empty($this->enablecolumns['endtime'])) {

            $restrictionContainer->removeByType(EndTimeRestriction::class);

        }


        if (!empty($this->enablecolumns['rootLevel'])) {

            $restrictionContainer->add(GeneralUtility::makeInstance(RootLevelRestriction::class, [$this->user_table]));

        }


        return $restrictionContainer;

    }


    /*************************

     *

     * Session and Configuration Handling

     *

     *************************/

    public function ‪writeUC($variable = '')

    {

        if (is_array($this->user) && $this->user[$this->userid_column]) {

            if (!is_array($variable)) {

                $variable = ‪$this->uc;

            }

            $this->logger->debug('writeUC: ' . $this->userid_column . '=' . (int)$this->user[$this->userid_column]);

            GeneralUtility::makeInstance(ConnectionPool::class)->getConnectionForTable($this->user_table)->update(

                $this->user_table,

                ['uc' => serialize($variable)],

                [$this->userid_column => (int)$this->user[$this->userid_column]],

                ['uc' => ‪Connection::PARAM_LOB]

            );

        }

    }


    public function ‪unpack_uc($theUC = '')

    {

        if (!$theUC && isset($this->user['uc'])) {

            $theUC = unserialize($this->user['uc'], ['allowed_classes' => false]);

        }

        if (is_array($theUC)) {

            $this->uc = $theUC;

        }

    }


    public function ‪pushModuleData($module, $data, $noSave = 0)

    {

        $sessionHash = GeneralUtility::hmac(

            $this->id,

            'core-session-hash'

        );

        $this->uc['moduleData'][$module] = $data;

        $this->uc['moduleSessionID'][$module] = $sessionHash;

        if (!$noSave) {

            $this->‪writeUC();

        }

    }


    public function ‪getModuleData($module, $type = '')

    {

        $sessionHash = GeneralUtility::hmac(

            $this->id,

            'core-session-hash'

        );

        ‪$sessionData = $this->uc['moduleData'][$module] ?? null;

        $moduleSessionIdHash = $this->uc['moduleSessionID'][$module] ?? null;

        if ($type !== 'ses'

            || ‪$sessionData !== null && $moduleSessionIdHash === $sessionHash

            // @todo Fallback for non-hashed values in `moduleSessionID`, remove for TYPO3 v11.5 LTS

            || ‪$sessionData !== null && $moduleSessionIdHash === $this->id

        ) {

            return ‪$sessionData;

        }

        return null;

    }


    public function ‪getSessionData($key)

    {

        return $this->sessionData[$key] ?? null;

    }


    public function ‪setSessionData($key, $data)

    {

        if (empty($key)) {

            throw new \InvalidArgumentException('Argument key must not be empty', 1484311516);

        }

        $this->sessionData[$key] = $data;

    }


    public function ‪setAndSaveSessionData($key, $data)

    {

        $this->sessionData[$key] = $data;

        $this->user['ses_data'] = serialize($this->sessionData);

        $this->logger->debug('setAndSaveSessionData: ses_id = ' . sha1($this->id));

        $updatedSession = $this->‪getSessionBackend()->‪update(

            $this->id,

            ['ses_data' => $this->user['ses_data']]

        );

        $this->user = array_merge($this->user ?? [], $updatedSession);

    }


    /*************************

     *

     * Misc

     *

     *************************/

    public function ‪getLoginFormData()

    {

        $loginData = [

            'status' => GeneralUtility::_GP($this->formfield_status),

            'uname'  => GeneralUtility::_POST($this->formfield_uname),

            'uident' => GeneralUtility::_POST($this->formfield_uident)

        ];

        // Only process the login data if a login is requested

        if ($loginData['status'] === ‪LoginType::LOGIN) {

            $loginData = $this->‪processLoginData($loginData);

        }

        return $loginData;

    }


    public function ‪processLoginData($loginData, $passwordTransmissionStrategy = '')

    {

        $loginSecurityLevel = trim(‪$GLOBALS['TYPO3_CONF_VARS'][$this->loginType]['loginSecurityLevel']) ?: 'normal';

        $passwordTransmissionStrategy = $passwordTransmissionStrategy ?: $loginSecurityLevel;

        $this->logger->debug('Login data before processing', $this->‪removeSensitiveLoginDataForLoggingInfo($loginData));

        $subType = 'processLoginData' . ‪$this->loginType;

        $authInfo = $this->‪getAuthInfoArray();

        $isLoginDataProcessed = false;

        $processedLoginData = $loginData;

        foreach ($this->‪getAuthServices($subType, $loginData, $authInfo) as $serviceObject) {

            $serviceResult = $serviceObject->processLoginData($processedLoginData, $passwordTransmissionStrategy);

            if (!empty($serviceResult)) {

                $isLoginDataProcessed = true;

                // If the service returns >=200 then no more processing is needed

                if ((int)$serviceResult >= 200) {

                    break;

                }

            }

        }

        if ($isLoginDataProcessed) {

            $loginData = $processedLoginData;

            $this->logger->debug('Processed login data', $this->‪removeSensitiveLoginDataForLoggingInfo($processedLoginData));

        }

        return $loginData;

    }


    protected function ‪removeSensitiveLoginDataForLoggingInfo($data, bool $isUserRecord = false)

    {

        if ($isUserRecord && is_array($data)) {

            $fieldNames = ['uid', 'pid', 'tstamp', 'crdate', 'cruser_id', 'deleted', 'disabled', 'starttime', 'endtime', 'username', 'admin', 'usergroup', 'db_mountpoints', 'file_mountpoints', 'file_permissions', 'workspace_perms', 'lastlogin', 'workspace_id', 'category_perms'];

            $data = array_intersect_key($data, array_combine($fieldNames, $fieldNames));

        }

        if (isset($data['uident'])) {

            $data['uident'] = '********';

        }

        if (isset($data['uident_text'])) {

            $data['uident_text'] = '********';

        }

        if (isset($data['password'])) {

            $data['password'] = '********';

        }

        return $data;

    }


    public function ‪getAuthInfoArray()

    {

        $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)->getQueryBuilderForTable($this->user_table);

        $expressionBuilder = $queryBuilder->expr();

        $authInfo = [];

        $authInfo['loginType'] = ‪$this->loginType;

        $authInfo['refInfo'] = parse_url(GeneralUtility::getIndpEnv('HTTP_REFERER'));

        $authInfo['HTTP_HOST'] = GeneralUtility::getIndpEnv('HTTP_HOST');

        $authInfo['REMOTE_ADDR'] = GeneralUtility::getIndpEnv('REMOTE_ADDR');

        $authInfo['REMOTE_HOST'] = GeneralUtility::getIndpEnv('REMOTE_HOST');

        $authInfo['showHiddenRecords'] = ‪$this->showHiddenRecords;

        // Can be overridden in localconf by SVCONF:

        $authInfo['db_user']['table'] = ‪$this->user_table;

        $authInfo['db_user']['userid_column'] = ‪$this->userid_column;

        $authInfo['db_user']['username_column'] = ‪$this->username_column;

        $authInfo['db_user']['userident_column'] = ‪$this->userident_column;

        $authInfo['db_user']['usergroup_column'] = ‪$this->usergroup_column;

        $authInfo['db_user']['enable_clause'] = $this->‪userConstraints()->‪buildExpression(

            [$this->user_table => $this->user_table],

            $expressionBuilder

        );

        if ($this->checkPid && $this->checkPid_value !== null) {

            $authInfo['db_user']['checkPidList'] = ‪$this->checkPid_value;

            $authInfo['db_user']['check_pid_clause'] = $expressionBuilder->in(

                'pid',

                ‪GeneralUtility::intExplode(',', (string)$this->checkPid_value)

            );

        } else {

            $authInfo['db_user']['checkPidList'] = '';

            $authInfo['db_user']['check_pid_clause'] = '';

        }

        $authInfo['db_groups']['table'] = ‪$this->usergroup_table;

        return $authInfo;

    }


    public function ‪gc()

    {

        $this->‪getSessionBackend()->‪collectGarbage($this->gc_time);

    }


    public function ‪writelog($type, $action, $error, $details_nr, $details, $data, $tablename, $recuid, $recpid)

    {

    }


    public function ‪checkLogFailures($email, $secondsBack, $maxFailures)

    {

    }


    public function ‪setBeUserByUid($uid)

    {

        $this->user = $this->‪getRawUserByUid($uid);

    }


    public function ‪setBeUserByName(‪$name)

    {

        $this->user = $this->‪getRawUserByName(‪$name);

    }


    public function ‪getRawUserByUid($uid)

    {

        $query = GeneralUtility::makeInstance(ConnectionPool::class)->getQueryBuilderForTable($this->user_table);

        $query->setRestrictions($this->‪userConstraints());

        $query->select('*')

            ->from($this->user_table)

            ->where($query->expr()->eq('uid', $query->createNamedParameter($uid, \PDO::PARAM_INT)));


        return $query->execute()->fetch();

    }


    public function ‪getRawUserByName(‪$name)

    {

        $query = GeneralUtility::makeInstance(ConnectionPool::class)->getQueryBuilderForTable($this->user_table);

        $query->setRestrictions($this->‪userConstraints());

        $query->select('*')

            ->from($this->user_table)

            ->where($query->expr()->eq('username', $query->createNamedParameter(‪$name, \PDO::PARAM_STR)));


        return $query->execute()->fetch();

    }


    public function ‪getSessionId(): string

    {

        return ‪$this->id;

    }


    public function ‪getLoginType(): string

    {

        return ‪$this->loginType;

    }


    protected function ‪getSessionBackend()

    {

        if (!isset($this->sessionBackend)) {

            $this->sessionBackend = GeneralUtility::makeInstance(SessionManager::class)->getSessionBackend($this->loginType);

        }

        return ‪$this->sessionBackend;

    }

}