[pmwiki-users] "Authentication" via dynamic DNS and/or IP address

[Oliver Betz]

Hello All,

especially for a small, known group of users, it would IMO be
convenient to get authenticated by IP address (ranges) and/or dynamic
DNS.

I tried to implement such a check (regardless my rudimentary PHP
knowledge) but I'm not sure whether it's the right way, so I ask for
comments.

To avoid a bunch of DNS queries with each page request, I start the
check only if the session hasn't been established. Is it a good idea
to check AuthList directly, or is there a cleaner way?

To make the authentication info useable with AuthUser, I add the 
group '@DNS' to the auth list (should be configurable in a later
version).

The allowed host names and IP addresses (or masks as in the existing
blocklist) are taken from a wiki page defined by $DNScheckPage.

Here my crude hack, just to show the idea:

- snip -

if(!isset($AuthList['@DNS'])){
  $ip = preg_quote($_SERVER['REMOTE_ADDR']);
  $ip = preg_replace('/\\d+$/', '($0\\b|\\*)', $ip);

  $page = ReadPage($DNScheckPage, READPAGE_CURRENT);
  $list = preg_split("/[\\s,;]+/", $page['text'], -1,
PREG_SPLIT_NO_EMPTY);

  $hostips = '';
  foreach($list as $host) {
    if(preg_match("/\\d+\\.\\d+\\.\\d+\\.[\\d+*]/",$host)){
      $hostips .= " " . $host;
    }
    else {
      $hostips .= " " . gethostbyname($host);
    }
  }

  SessionAuth($pagename, array('authlist' => array("@DNS" =>
preg_match("/\\b$ip/", $hostips))));

}
- snip -

Any comments about security issues, potential improvements?

Worth to be published in /Cookbook?

Oliver
-- 
Oliver Betz, Muenchen (oliverbetz.de)