fixing some seucirty issues

public/index.html

@@ -471,6 +471,7 @@ async function checkAuth() {
       document.getElementById('settingsUser').textContent = res.user.username + ' (' + res.user.user_token.substring(0, 12) + '...)';
       document.getElementById('appLogin').style.display = 'none';
       document.getElementById('appMain').style.display = '';
+      fetchCsrf();
       initApp();
       return true;
     }
@@ -547,11 +548,24 @@ function loadPage(name) {
 }
 
 // --- API Helpers ---
+let csrfToken = '';
+
+async function fetchCsrf() {
+  try {
+    const res = await api('/auth/csrf', { method: 'GET', noCsrf: true });
+    csrfToken = res.csrf_token || '';
+  } catch {}
+}
+
 async function api(path, opts = {}) {
-  const res = await fetch(API + path, {
-    headers: { 'Accept': 'application/json', ...(opts.body ? { 'Content-Type': 'application/json' } : {}) },
-    ...opts,
-  });
+  const headers = { 'Accept': 'application/json' };
+  if (opts.body) {
+    headers['Content-Type'] = 'application/json';
+  }
+  if (opts.method && opts.method !== 'GET' && !opts.noCsrf && csrfToken) {
+    headers['X-CSRF-TOKEN'] = csrfToken;
+  }
+  const res = await fetch(API + path, { headers, ...opts });
   const data = await res.json();
   if (!res.ok) {
     const err = new Error(data.error || 'Request failed');
@@ -963,7 +977,11 @@ async function loadSettings() {
 
   try {
     const res = await api('/config/telegram');
-    document.getElementById('telegramBotToken').value = res.bot_token || '';
+    if (res.bot_token) {
+      document.getElementById('telegramBotToken').value = res.bot_token;
+    } else {
+      document.getElementById('telegramBotToken').placeholder = res.bot_token_masked || 'Enter bot token';
+    }
     document.getElementById('telegramChatId').value = res.chat_id || '';
   } catch (e) { console.error('load telegram error', e); }
 

public/oauth.php

@@ -5,47 +5,47 @@ require_once __DIR__ . '/../vendor/autoload.php';
 use Jakach\Logging\Storage\Database;
 use Jakach\Logging\Storage\Repository;
 
-$logFile = '/tmp/oauth_debug.log';
-file_put_contents($logFile, date('c') . " oauth.php called\n", FILE_APPEND);
-file_put_contents($logFile, "GET: " . json_encode($_GET) . "\n", FILE_APPEND);
+function isSafeRedirect(string $url): bool
+{
+    if ($url === '' || $url === '/') return true;
+    $host = parse_url($url, PHP_URL_HOST);
+    if ($host === null || $host === '') return true;
+    return str_ends_with($host, '.jakach.ch') || $host === 'jakach.ch';
+}
 
 session_set_cookie_params([
     'lifetime' => 86400 * 7,
     'path' => '/',
     'httponly' => true,
+    'secure' => true,
     'samesite' => 'Lax',
 ]);
 session_start();
 
 $authToken = $_GET['auth'] ?? '';
-$errorRedirect = $_GET['redirect'] ?? '/';
-
-file_put_contents($logFile, "authToken: $authToken\n", FILE_APPEND);
+$errorRedirect = isSafeRedirect($_GET['redirect'] ?? '') ? $_GET['redirect'] : '/';
 
 if (!$authToken) {
     $_SESSION['auth_error'] = 'Missing authentication token.';
-    file_put_contents($logFile, "ERROR: missing auth token\n", FILE_APPEND);
     header('Location: ' . $errorRedirect);
     exit;
 }
 
 $checkUrl = 'https://auth.jakach.ch/api/auth/check_auth_key.php?auth_token=' . urlencode($authToken);
-file_put_contents($logFile, "checkUrl: $checkUrl\n", FILE_APPEND);
 
 $ch = curl_init();
 curl_setopt($ch, CURLOPT_URL, $checkUrl);
 curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
 curl_setopt($ch, CURLOPT_TIMEOUT, 15);
+curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
+curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
 $response = curl_exec($ch);
 $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
 $curlError = curl_error($ch);
 curl_close($ch);
 
-file_put_contents($logFile, "httpCode: $httpCode response: " . substr($response, 0, 500) . " curlError: $curlError\n", FILE_APPEND);
-
 if ($httpCode !== 200 || !$response) {
     $_SESSION['auth_error'] = "Auth server unreachable ($httpCode)";
-    file_put_contents($logFile, "ERROR: bad response $httpCode\n", FILE_APPEND);
     header('Location: ' . $errorRedirect);
     exit;
 }
@@ -54,30 +54,27 @@ $data = json_decode($response, true);
 
 if (!isset($data['status']) || $data['status'] !== 'success') {
     $_SESSION['auth_error'] = 'Authentication failed: ' . ($data['msg'] ?? 'Unknown error');
-    file_put_contents($logFile, "ERROR: auth failed: " . json_encode($data) . "\n", FILE_APPEND);
     header('Location: ' . $errorRedirect);
     exit;
 }
 
 $userToken = $data['user_token'] ?? '';
-file_put_contents($logFile, "Auth success, user_token: $userToken\n", FILE_APPEND);
 
 $db = new Database();
 $repo = new Repository($db);
 
 $allowedTokens = $repo->getAllowedUserTokens();
-file_put_contents($logFile, "allowedTokens: " . json_encode($allowedTokens) . "\n", FILE_APPEND);
 
 if (empty($allowedTokens)) {
-    file_put_contents($logFile, "First user, adding to allowed tokens\n", FILE_APPEND);
     $repo->setAllowedUserTokens([$userToken]);
 } elseif (!in_array($userToken, $allowedTokens, true)) {
     $_SESSION['auth_error'] = 'Your Jakach account is not authorized to access this system. Contact an administrator.';
-    file_put_contents($logFile, "ERROR: user not allowed\n", FILE_APPEND);
     header('Location: ' . $errorRedirect);
     exit;
 }
 
+session_regenerate_id(true);
+
 $_SESSION['loggedin'] = true;
 $_SESSION['username'] = $data['username'] ?? 'unknown';
 $_SESSION['id'] = $data['id'] ?? '';
@@ -86,8 +83,6 @@ $_SESSION['telegram_id'] = $data['telegram_id'] ?? '';
 $_SESSION['user_token'] = $userToken;
 unset($_SESSION['auth_error']);
 
-file_put_contents($logFile, "Session set, redirecting to: $errorRedirect\n", FILE_APPEND);
-
-$redirect = $_GET['redirect'] ?? '/';
+$redirect = isSafeRedirect($_GET['redirect'] ?? '') ? $_GET['redirect'] : '/';
 header('Location: ' . $redirect);
 exit;