
added documentation

1 parent af3456c commit 180b0388e35b483fd3e3a64d634a297ab4ea1b41 @chregu committed Feb 22, 2011
Showing with 40 additions and 16 deletions.
  1. +40 −16 web/index.php
56 web/index.php
@@ -2,6 +2,10 @@
ob_start(); //i'm too lazy to check when is sent what ;)
//set session cookie to be read only via http and not by JavaScript
ini_set("session.cookie_httponly", 1);
+
+include_once("../lib/GoogleAuthenticator.php");
+include_once("Users.php");
+
?>
<!DOCTYPE HTML>
<html>
@@ -10,64 +14,83 @@
</head>
<body>
<?php
-include_once("../lib/GoogleAuthenticator.php");
-include_once("Users.php");
+//set this to false, if you don't want the token prefilled
$debug = true;
$users = new Users();
+//check if the user has a session, if not, show the login screen
if ($username = $users->hasSession()) {
+ //load the user data from the json storage.
$user = $users->loadUser($username);
+ //if he clicked logout, destroy the session and redirect to the startscreen.
if (isset($_GET['logout'])) {
session_destroy();
header("Location: ./");
}
+ // check if the user is logged in.
if ($user->isLoggedIn()) {
include("../tmpl/loggedin.php");
+ //show the QR code if whished so
if (isset($_GET['showqr'])) {
$secret = $user->getSecret();
include("../tmpl/show-qr.php");
}
- } else if ($user->isOTP() && isset($_POST['otp'])) {
+ }
+ //if the user is in the OTP phase and submit the OTP.
+ else if ($user->isOTP() && isset($_POST['otp'])) {
$g = new GoogleAuthenticator();
+ // check if the submitted token is the right one and log in
if ($g->checkCode($user->getSecret(),$_POST['otp'])) {
+ // do log-in the user
$user->doLogin();
+ //if the user clicked the "remember the token" checkbox, set the cookie
if (isset($_POST['remember']) && $_POST['remember']) {
$user->setOTPCookie();
}
include("../tmpl/loggedin.php");
- } else {
+ }
+ //if the OTP is wrong, destroy the session and tell the user to try again
+ else {
session_destroy();
include("../tmpl/login-error.php");
}
- } else {
+ }
+ // if the user is neither logged in nor in the OTP phase, show the login form
+ else {
session_destroy();
include("../tmpl/login.php");
}
-
-
-
die();
-} else if (isset($_POST['username'])) {
+}
+//if the username is set in _POST, then we assume the user filled in the login form.
+else if (isset($_POST['username'])) {
+ // check if we can load the user (ie. the user exists in our db)
$user = $users->loadUser($_POST['username']);
-
if ($user) {
+ //try to authenticate the password and start the session if it's correct.
if ($user->auth($_POST['password'])) {
$user->startSession();
+ //check if the user has a valid OTP cookie, so we don't have to
+ // ask for the current token and can directly log in
if ($user->hasValidOTPCookie()) {
include("../tmpl/loggedin.php");
$user->doLogin();
-
- } else if (!$user->getSecret()) {
+ }
+ // try to get the users' secret from the db,
+ // if he doesn't have one, generate one, store it and show it.
+ else if (!$user->getSecret()) {
include("../tmpl/loggedin.php");
$secret = $user->generateSecret();
$users->storeData($user);
$user->doLogin();
include("../tmpl/show-qr.php");
-
- } else {
+ }
+ // if the user neither has a valid OTP cookie nor it's the first login
+ // ask for the OTP
+ else {
$user->doOTP();
include("../tmpl/ask-for-otp.php");
}
@@ -76,12 +99,13 @@
die();
}
}
- session_destroy();
+ // if we're here, something went wrong, destroy the session and show a login error
+ session_destroy();
include("../tmpl/login-error.php");
die();
}
-
+// if neither a session nor tried to submit the login credentials -> login screen
include("../tmpl/login.php");
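Review bot: The logout branch in the second hunk, `if (isset($_GET['logout'])) { session_destroy(); header("Location: ./"); }`, issues the redirect but never stops the script, so the comment added above it ("destroy the session and redirect to the startscreen") promises more than the code does: execution falls through to `$user->isLoggedIn()`, and because `session_destroy()` does not clear the already-populated `$_SESSION` of the current request, that check presumably still passes and the logged-in template is rendered into the body of the redirect response. Change the two lines to `header("Location: ./"); exit;` and clear `$_SESSION` before calling `session_destroy()` so nothing later in the request can act on stale session data. The new comment on `$debug = true;` also documents that the committed default prefills the OTP token; the safer default is `false` with prefilling as an explicit opt-in, or the comment should state that this must be off anywhere but local testing.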
