* fix: Fixed http-auth not honouring http_auth_guest
* Always fall back to http_auth_guest.
Make sure $username is set, otherwise, we won't try to authenticate.
* reverted elseif to default to http-auth-guest
* Update authenticate.inc.php
simplify logic
* fix: Two-Factor Auth
Moved library to a class to take advantage of namespacing and auto loading.
Update the two factor code to use the AuthenticationException for error messages.
Fix remember me to work with 2fa.
* missing change
* fix: minimize session open time
page/graphs speedup part 2
Write close the session as soon as we no longer need to write to it. Prevents the session from blocking other requests.
Do not run through full authentication functions if the session is already authenticated.
Removes password from the session as well as some items to prevent session fixation from #4608.
WARNING: This will cause issues for ad/ldap users who do not have a bind user configured!
* Do no erase username when using cookie auth.
Properly close the session in ajax_setresolution.php
* write close the session as soon as possible in ajax_setresolution.php
* Remove session regeneration. It is not compatible with the current code and would require more changes.
* Totally refactor authentication. Extract code to functions for re-use and improved readability
* Use exceptions for authentication and error logging
Tested: mysql, ad_auth with and without bind user
* fix a couple scrutinizer issues
* fix reauthenticate in radius
* Fix redirect on login for instances
On instances where base_url has been set for use behind a reverse proxy, logins are incorrectly redirected.
This happens because REQUEST_URI is set by the proxy:
1. librenms has base_url set to http://site.com/nms/
2. Browser requests http://site.com/nms/
3. nginx reverse proxies /nms/ to librenms at http://somehost:1234/
4. librenms sees REQUEST_URI as "/"
5. librenms logs the user in, but sends "Location: /" to the browser. This redirects to the wrong location.
To resolve, concatenate REQUEST_URI (which is relative) to base_url. As base_url is slash-terminated, crop the trailing slash. This should have no effect on users with default settings and will correctly redirect instances behind reverse proxies.
* I agree to the conditions of the Contributor Agreement contained in doc/General/Contributing.md.
* Adding comment explaining redirect logic on login
* Use rtrim instead of substr
* feature: bind user for active_directory auth
Optional, allows the use of "remember me", API, and alerting.
* missing global (but still may not be working)
* always return a value from reauthenticate()
* Make sure the ldapbind credentials are correct on reauth.
Do not send output if they are incorrect (use d_echo) this breaks ajax calls, etc.
Add scripts/auth_test.php, to make it easier to debug authentication.
* Refine auth_test.php a bit more
A few small cleanups in other places of the auth
* Add auth_test.php to docs
Some more improvements in the auth_test.php output.
* Update Authentication.md
* Updated to remove passwords from sessions
* Remove users sessions when user deleted
* Updated when cookies are set
* Updated setcookies to always contain a value
* Added destroy_cookies() to remove users cookies on failed login
* Removed debug line
* Fixed graph issues
* Implement an autoloader
When cleaning up classes for psr2, things got a bit unwieldy, so I implemented a class autoloader.
I created a PSR-0 compliant LibreNMS directory and moved all classes there that made sense.
Implemented LibreNMS\ClassLoader which supports adding manual class mappings
This reduces the file includes needed and only loads classes when needed.
* Add teh autoloader to graph.php
* Add a small bit of docs
Fix incomplete class in includes/discovery/functions.inc.php
Tested against Google-Authenticator app on Android 4.4.4
Made `verify_hotp` more efficient.
Added autofocus on twofactor input
Added GUI Unlock and Remove for TwoFactor credentials in /edituser/
Allow additional tries after elapsed time from last try exceeds configured parameter `$config['twofactor_lock']`.
If `$config['twofactor_lock']` is not defined or is set to `0`, administrators have to unlock accounts that exceed 3 failures via GUI.
Added Documentation
Moved TwoFactor form to logon.inc.php
Disabled autocomplete on twofactor input field
Updated Docs to include link to Google-Authenticator's install-guides
Moved authentication logic from authenticate.inc.php to twofactor.lib.php
typo in docblock for `twofactor_auth()`
Fixed scrutinizer bugs
To please scrutinizer
