From 496af3af58430afcbb3cbf7c8c6bc699e062e912 Mon Sep 17 00:00:00 2001
From: cash <cash.costello@gmail.com>
Date: Sat, 17 Dec 2011 21:35:27 -0500
Subject: added support for temporary storage of nonces

---
 classes/OpenID_ElggStore.php | 65 +++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 58 insertions(+), 7 deletions(-)

(limited to 'classes')

diff --git a/classes/OpenID_ElggStore.php b/classes/OpenID_ElggStore.php
index 5f6c63e42..35f4797a1 100644
--- a/classes/OpenID_ElggStore.php
+++ b/classes/OpenID_ElggStore.php
@@ -150,7 +150,7 @@ class OpenID_ElggStore extends Auth_OpenID_OpenIDStore {
 	/**
 	 * Can we use this nonce?
 	 *
-	 * Checks time skew and replay
+	 * Checks for time skew and replay attacks
 	 *
 	 * @param type $server_url The identity server endpoint
 	 * @param type $timestamp  The timestamp from the nonce
@@ -164,8 +164,49 @@ class OpenID_ElggStore extends Auth_OpenID_OpenIDStore {
 			return false;
 		}
 
-		// @todo
-		// we should check if nonce has been used before to guard against replays
+		if (!$this->addNonce($server_url, $timestamp, $salt)) {
+			return false;
+		}
+
+		return true;
+	}
+
+	/**
+	 * Store the nonce to prevent replay attacks
+	 *
+	 * @param string $server_url
+	 * @param string $timestamp
+	 * @param string $salt
+	 * @return bool
+	 */
+	protected function addNonce($server_url, $timestamp, $salt) {
+		global $Auth_OpenID_SKEW;
+
+		$identifier = md5($server_url . $timestamp . $salt);
+
+		// was the nonce already used
+		$count = elgg_get_entities_from_metadata(array(
+			'type' => 'object',
+			'subtype' => 'openid_client::nonce',
+			'metadata_name' => 'identifier',
+			'metadata_value' => $identifier,
+			'count' => true,
+		));
+		if ($count) {
+			return false;
+		}
+
+		// add it
+		$object = new ElggObject();
+		$object->subtype = 'openid_client::nonce';
+		$object->owner_guid = 0;
+		$object->container_guid = 0;
+		$object->access_id = ACCESS_PUBLIC;
+		$object->server_url = $server_url;
+		$object->expires = $timestamp + $Auth_OpenID_SKEW;
+		$object->identifier = $identifier;
+		$object->save();
+
 		return true;
 	}
 
@@ -175,12 +216,22 @@ class OpenID_ElggStore extends Auth_OpenID_OpenIDStore {
 	 * @return int
 	 */
 	public function cleanupNonces() {
-		global $Auth_OpenID_SKEW;
-		$cutoff = time() - $Auth_OpenID_SKEW;
+		$options = array(
+			'type' => 'object',
+			'subtype' => 'openid_client::nonce',
+			'metadata_name_value_pairs' => array(
+				array('name' => 'expires', 'value' => time(), 'operand' => '<')
+			),
+			'limit' => 0,
+		);
+		$nonces = elgg_get_entities_from_metadata($options);
+		$total = count($nonces);
 
-		// @todo
+		foreach ($nonces as $nonce) {
+			$nonce->delete();
+		}
 
-		return 0;
+		return $total;
 	}
 
 	/**
-- 
cgit v1.2.3