Change the user's password

Switches:

-password_hash_algorithm (optional, defaults to "salted-sha1")

Parameters:

user_id (required)

new_password (required)

Testcases:

ad_change_check_password, get_calitems

Check if the provided password is correct. OpenACS never stores password, but uses salted hashes for identification. Different algorithm can be used. When the stored hash is from another hash algorithm, which is preferred, this function updates the password hash automatically, but only, when the password is correct.

Parameters:

user_id (required)

password_from_form (required)

Returns:

Returns 1 if the password is correct for the given user ID.

Testcases:

auth_password_change, auth_password_implementations, ad_change_check_password

Looks up a property for a session. If -cache is true, will use the cached value if available. If -cache_only is true, will never incur a database hit (i.e., will only return a value if cached). If the property is secure, we must be on a validated session over HTTPS or the default is returned.

Switches:

-cache (optional, defaults to "t")

-cache_only (optional, defaults to "f")

-default (optional)

-session_id (optional)

controls which session is used

Parameters:

module (required)

typically the name of the package to which the property belongs (serves as a namespace)

name (required)

name of the property

Returns:

value of the property or default

See Also:

• ad_set_client_property

Testcases:

client_properties

Return for the specified subsite (or the current registry subsite) the external authority interface objs. Per default, all defined external registries are returned, but a subsite might restrict this.

Switches:

-subsite_id (optional)

Testcases:

webtest_example

Returns a URL to the login page of the closest subsite, or the main site, if there's no current connection.

Switches:

-authority_id (optional)

-username (optional)

-return (optional, boolean)

-external_registry (optional)

Options:

-return

If set, will export the current form, so when the registration is complete, the user will be returned to the current location. All variables in ns_getform (both posts and gets) will be maintained.

Authors:

Lars Pind <lars@collaboraid.biz>

Gustaf Neumann

Testcases:

login_logout_urls

Returns a URL to the logout page of the closest subsite, or the main site, if there's no current connection.

Switches:

-return (optional, boolean)

-return_url (optional)

Options:

-return

If set, will export the current form, so when the logout is complete the user will be returned to the current location. All variables in ns_getform (both posts and gets) will be maintained.

Author:

Lars Pind <lars@collaboraid.biz>

Testcases:

login_logout_urls

Retrieves a signed cookie. Validates a cookie against its cryptographic signature and ensures that the cookie has not expired. Throws an exception if cookie does not exists or validation fails (maybe due to expiration).

Switches:

-include_set_cookies (optional, defaults to "t")

-secret (optional)

Parameters:

name (required)

Returns:

cookie value

See Also:

• ad_get_cookie
• ad_set_signed_cookie
• ad_get_signed_cookie_with_expr

Testcases:

test_set_cookie_procs

Retrieves a signed cookie. Validates a cookie against its cryptographic signature and ensures that the cookie has not expired. Throws an exception when cookie does not exist or validation fails.

Switches:

-include_set_cookies (optional, defaults to "t")

-secret (optional)

Parameters:

name (required)

Returns:

Two-element list containing cookie data and expiration time

See Also:

• ad_get_cookie
• ad_get_signed_cookie
• ad_set_signed_cookie

Testcases:

sync_http_get_document

Redirects user to [subsite]/register/index to require the user to register. When registration is complete, the user will be returned to the current location. All variables in ns_getform (both posts and gets) will be maintained.

It's up to the caller to issue an ad_script_abort, if that's what you want.

See Also:

• ad_get_login_url

Testcases:

No testcase defined.

A preauth filter that will halt service of any page if the user is unregistered, except the site index page and stuff underneath [subsite]/register. Use permissions on the site node map to control access.

Parameters:

conn (required)

args (required)

why (required)

Testcases:

No testcase defined.

Sets a client (session-level) property. If -persistent is true, the new value will be written through to the database (it will survive a server restart, bit it will be slower). If -secure is true, the property will not be retrievable except via a validated, secure (HTTPS) connection.

Switches:

-clob (optional, defaults to "f")

tells us to use a large object to store the value

-secure (optional, defaults to "f")

-persistent (optional, defaults to "t")

-session_id (optional)

controls which session is used

Parameters:

module (required)

typically the name of the package to which the property belongs (serves as a namespace)

name (required)

name of the property

value (required)

value if the property

See Also:

• ad_get_client_property

Testcases:

client_properties

Sets a signed cookie. Negative token_ids are reserved for secrets external to the signed cookie mechanism. If a token_id is specified, a secret must be specified.

Switches:

-replace (optional, defaults to "f")

-secure (optional, defaults to "f")

-expire (optional, defaults to "f")

-discard (optional, defaults to "f")

-scriptable (optional, defaults to "f")

allow access to the cookie from JavaScript

-max_age (optional)

specifies the maximum age of the cookies in seconds (consistent with RFC 2109). max_age inf specifies cookies that never expire. (see ad_set_cookie). The default is session cookies.

-signature_max_age (optional)

-domain (optional)

-path (optional, defaults to "/")

-secret (optional)

allows the caller to specify a known secret external to the random secret management mechanism.

-token_id (optional)

allows the caller to specify a token_id.

-samesite (optional, defaults to "lax")

Parameters:

name (required)

value (required)

the value for the cookie. This is automatically url-encoded.

Author:

Richard Li <richardl@arsdigita.com>

Created:

18 October 2000

See Also:

• ad_set_cookie
• ad_get_signed_cookie
• ad_get_signed_cookie_with_expr

Testcases:

test_set_cookie_procs

Returns a digital signature of the value. Negative token_ids are reserved for secrets external to the ACS digital signature mechanism. If a token_id is specified, a secret must also be specified.

Switches:

-secret (optional)

allows the caller to specify a known secret external to the random secret management mechanism.

-token_id (optional)

allows the caller to specify a token_id which is then ignored so don't use it.

-max_age (optional)

specifies the length of time the signature is valid in seconds. The default is forever.

-binding (optional, defaults to "0")

allows the caller to bind a signature to a user/session. A value of 0 (default) means no additional binding. When the value is "-1" only the user who created the signature can obtain the value again. When the value is "-2" only the user with the same csrf token can obtain the value again. The permissible values might be extended in the future.

Parameters:

value (required)

the value to be signed.

Testcases:

auth_password_recover, sync_http_get_document

Logs the user in, forever (via the user_login cookie) if -forever is true. This procedure assumes that the user identity has been validated.

Switches:

-account_status (optional, defaults to "ok")

-cookie_domain (optional)

-external_registry (optional)

-forever (optional, boolean)

Parameters:

user_id (required)

Testcases:

logout_from_everywhere

Logs the user out.

Switches:

-cookie_domain (optional)

Testcases:

fs_create_folder

Verifies a digital signature. Returns 1 for success, and 0 for failed validation. Validation can fail due to tampering or expiration of signature.

Switches:

-secret (optional)

specifies an external secret to use instead of the one provided by the ACS signature mechanism.

Parameters:

value (required)

signature (required)

Testcases:

No testcase defined.

Verifies a digital signature. Returns either the expiration time or 0 if the validation fails.

Switches:

-secret (optional)

specifies an external secret to use instead of the one provided by the ACS signature mechanism.

Parameters:

value (required)

signature (required)

Testcases:

sync_http_get_document

Change the user's auth_token, which invalidates all existing login cookies, i.e. forces user logout at the server.

Parameters:

user_id (required)

Testcases:

logout_from_everywhere

Randomly returns a token_id from the token cache

Testcases:

secret_tokens_get

Returns the token corresponding to the token_id. This first checks the thread-persistent Tcl cache, then checks the server size-limited cache before finally hitting the db in the worst case if the secret_token value is not in either cache. The procedure also updates the caches. Cache eviction is handled by the ns_cache API for the size-limited cache and is handled by AOLserver (via thread termination) for the thread-persistent Tcl cache.

Parameters:

token_id (required)

Testcases:

secret_tokens_get

Get the user's auth token for verifying login cookies.

Parameters:

user_id (required)

Testcases:

No testcase defined.

If the login was issued from an external_registry, use this as well for refreshing.

Returns:

registry object or the empty string when not applicable

Testcases:

No testcase defined.

If a login cookie exists, it is checked for expiration (depending on LoginTimeout) and the account status is validated. In every case, the session info including [ad_conn] and the session cookie is updated accordingly. Modified ad_conn variables: untrusted_user_id, session_id, auth_level, account_status, and user_id.

Testcases:

No testcase defined.

Generates a random token.

Testcases:

No testcase defined.

Return 1 if login pages and other pages taking user password should be restricted to a secure (HTTPS) connection and 0 otherwise. Based on acs-kernel parameter with same name.

Author:

Peter Marklund

Testcases:

No testcase defined.

Return a list of dicts containing type, driver, location and port of all configured drivers

See Also:

• util_driver_info

Testcases:

No testcase defined.

Parameters:

plain_name (required)

Returns:

the supplied cookie name, but potentially prefixed according to the NaviServer CookieNamespace parameter, to make it unique for this particular domain.

Testcases:

No testcase defined.

Set the CSP rule on the current connection for a static resource depending on the MIME type.

Switches:

-mime_type (required)

MIME type of the resource to be delivered

Testcases:

No testcase defined.

Generate a nonce token and return it. The nonce token can be used in content security policies (CSP2) for "script" and "style" elements. Desired Properties: generate a single unique value per request which is hard for a hacker to predict, it should only contain base64 characters (so hex is fine). For details, see https://www.w3.org/TR/CSP/

Switches:

-tokenname (optional, defaults to "__csp_nonce")

Returns:

nonce token

Author:

Gustaf Neumann

Testcases:

No testcase defined.

This is the CSP generator. Collect the specified directives and build from these directives the full CSP specification for the current page.

Author:

Gustaf Neumann

See Also:

• security::csp::require

Testcases:

No testcase defined.

Add a single value directive to the CSP rule-set. The directives are picked up, when the page is rendered, by the CSP generator.

Switches:

-force (optional, boolean)

Parameters:

directive (required)

name of the directive (such as e.g. style-src)

value (required)

allowed source for this page (such as e.g. unsafe-inline)

Author:

Gustaf Neumann

See Also:

• security::csp::render

Testcases:

No testcase defined.

Create a security token to protect against CSRF (Cross-Site Request Forgery). The token is set (and cached) in a global per-thread variable and can be included in forms e.g. via the following command.

        <if @::__csrf_token@ defined>
            <input type="hidden" name="__csrf_token" value="@::__csrf_token;literal@">
        </if>

The token is automatically cleared together with other global variables at the end of the processing of every request.

The optional argument user_id is currently ignored, but it is there, since there are algorithms published to calculate the CSRF token based on a user_id. So far, i found no evidence that these should be used, but the argument is there as a reminder, such the interface does not have to be used, when we switch to such an algorithm.

Switches:

-tokenname (optional, defaults to "__csrf_token")

-user_id (optional)

Returns:

CSRF token

Author:

Gustaf Neumann

Testcases:

No testcase defined.

Validate a CSRF token and call security::csrf::fail the request if invalid.

Switches:

-tokenname (optional, defaults to "__csrf_token")

-allowempty (optional, defaults to "false")

Returns:

nothing

Testcases:

create_workflow_with_instance

Return the secure driver if available

Author:

Gustaf Neumann

Testcases:

No testcase defined.

Convenience function for retrieving user password from client property

Parameters:

password (required)

See Also:

• security::set_client_property_password

Testcases:

No testcase defined.

Parameters:

url (required)

Returns:

secure or insecure qualified url

Testcases:

No testcase defined.

Returns a URL pointing to the subsite, on which the register/unregister should be performed. If there is no current connection, the main site url is returned. TODO: util_current_location and security::get_register_subsite can be probably cached, when using the following parameters in the cache key: - host header field - [ns_conn location] - ... also [security::get_register_subsite] could/should be cached

Author:

Gustaf Neumann

Testcases:

No testcase defined.

Return the current location in secure (https) mode.

Author:

Peter Marklund

Testcases:

get_insecure_location

Return 1 if server is configured to support HTTPS and 0 otherwise.

Author:

Peter Marklund

Testcases:

No testcase defined.

This function returns the configured locations and the current location and the vhost locations, potentially in HTTP or in HTTPs variants. When the package parameter "SuppressHttpPort" of acs-tcl parameter is true, then an alternate location without a port is included. This proc also assumes hostnames from host_node_map table are accurate and legit. The term location refers to protocol://domain:port for website.

Returns:

insecure location and secure location followed possibly by alternate location(s) as a list.

Testcases:

ad_dom_sanitize_html

Compute a compact single-token signed value based on the parameterSecret.

Switches:

-max_age (optional)

Parameters:

value (required)

See Also:

• security::parameter::validated

Testcases:

No testcase defined.

Validate the single-token signed value and return its content value. Raise an exception, when the signature is broken.

Parameters:

input (required)

See Also:

• security::parameter::signed

Testcases:

No testcase defined.

Redirect to the given URL and enter insecure (HTTP) mode.

Parameters:

url (required)

Author:

Peter Marklund

Testcases:

No testcase defined.

Redirect to the given URL and enter secure (HTTPS) mode. Does nothing if the server is not configured for HTTPS support.

Switches:

-script_abort (optional, boolean, defaults to "true")

Parameters:

url (required)

Author:

Peter Marklund

Testcases:

No testcase defined.

Redirect back to the current page in secure mode (HTTPS) if we are not already in secure mode. Does nothing if the server is not configured for HTTPS support.

Author:

Peter Marklund

Testcases:

No testcase defined.

Checks that a file is a safe tmpfile, that is, it belongs to the configured tmpdir. When the file exists, we also enforce additional criteria: - file must belong to the current system user - file must be readable and writable by the current system user

Switches:

-must_exist (optional, boolean)

make sure the file exists

Parameters:

tmpfile (required)

absolute path to a possibly existing tmpfile

Returns:

boolean

Testcases:

safe_tmpfile_p

Returns true if the connection [ad_conn] is secure (HTTPS), or false otherwise.

Testcases:

No testcase defined.

Check, if the content of host is a "secure" value, which means, it is either white-listed or belongs to a non-public IP address, such it cannot harm in redirect operations.

Parameters:

host (required)

Returns:

boolean value

Testcases:

No testcase defined.

Convenience function for remembering user password as client property rather than passing it as query parameter.

Parameters:

password (required)

See Also:

• security::get_client_property_password

Testcases:

No testcase defined.

Returns:

validated host header field or empty

Author:

Gustaf Neumann Protect against faked or invalid host header fields. Host header attacks can lead to web-cache poisoning and password reset attacks (for more details, see e.g. http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html) or to unintended redirects to different sites. The validated host header most be syntactically correct, and it must be either configured/white-listed or it must be from a non-routable IP address. White-listed hosts are taken from the alternate host names specified in the "ns/module/DRIVER/servers" section, or via the configuration variable "hostname" (e.g., "openacs.org www.openacs.org") which is added the the "/server" section during startup.

Testcases:

No testcase defined.