This commit is contained in:
@@ -0,0 +1,48 @@
|
||||
<?php
|
||||
include "../utils/security.php";
|
||||
secure_session_start();
|
||||
header('Content-Type: application/json');
|
||||
|
||||
require_logged_in();
|
||||
|
||||
include "../../config/config.php";
|
||||
$conn = new mysqli($DB_SERVERNAME, $DB_USERNAME, $DB_PASSWORD, $DB_DATABASE);
|
||||
|
||||
$user_id = $_SESSION['id'];
|
||||
$method = $_SERVER['REQUEST_METHOD'];
|
||||
|
||||
if ($method === 'GET') {
|
||||
$sql = "SELECT id, domain, confirmed_at FROM confirmed_domains WHERE user_id = ? ORDER BY confirmed_at DESC";
|
||||
$stmt = mysqli_prepare($conn, $sql);
|
||||
mysqli_stmt_bind_param($stmt, 'i', $user_id);
|
||||
mysqli_stmt_execute($stmt);
|
||||
$result = mysqli_stmt_get_result($stmt);
|
||||
$domains = [];
|
||||
while ($row = mysqli_fetch_assoc($result)) {
|
||||
$domains[] = $row;
|
||||
}
|
||||
mysqli_stmt_close($stmt);
|
||||
echo json_encode(['success' => true, 'domains' => $domains]);
|
||||
|
||||
} elseif ($method === 'POST') {
|
||||
require_csrf_token();
|
||||
$input = json_decode(file_get_contents('php://input'), true);
|
||||
$domain_id = (int)($input['id'] ?? 0);
|
||||
|
||||
if ($domain_id <= 0) {
|
||||
echo json_encode(['success' => false, 'message' => 'Invalid domain ID.']);
|
||||
exit;
|
||||
}
|
||||
|
||||
$sql = "DELETE FROM confirmed_domains WHERE id = ? AND user_id = ?";
|
||||
$stmt = mysqli_prepare($conn, $sql);
|
||||
mysqli_stmt_bind_param($stmt, 'ii', $domain_id, $user_id);
|
||||
mysqli_stmt_execute($stmt);
|
||||
mysqli_stmt_close($stmt);
|
||||
|
||||
echo json_encode(['success' => true, 'message' => 'Domain removed.']);
|
||||
|
||||
} else {
|
||||
echo json_encode(['success' => false, 'message' => 'Invalid request method.'], 405);
|
||||
}
|
||||
?>
|
||||
@@ -3,6 +3,27 @@ include "../utils/security.php";
|
||||
secure_session_start();
|
||||
header('Content-Type: application/json');
|
||||
|
||||
$_SESSION["external_domain_confirmed"] = true;
|
||||
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
|
||||
echo json_encode(['success' => false, 'message' => 'Invalid request method.']);
|
||||
exit;
|
||||
}
|
||||
|
||||
$input = json_decode(file_get_contents('php://input'), true);
|
||||
$domain = $input['domain'] ?? '';
|
||||
|
||||
if ($domain === '' || !isset($_SESSION['id'])) {
|
||||
echo json_encode(['success' => false, 'message' => 'Missing domain or not logged in.']);
|
||||
exit;
|
||||
}
|
||||
|
||||
include "../../config/config.php";
|
||||
$conn = new mysqli($DB_SERVERNAME, $DB_USERNAME, $DB_PASSWORD, $DB_DATABASE);
|
||||
|
||||
$user_id = $_SESSION['id'];
|
||||
$sql = "INSERT IGNORE INTO confirmed_domains (user_id, domain) VALUES (?, ?)";
|
||||
$stmt = mysqli_prepare($conn, $sql);
|
||||
mysqli_stmt_bind_param($stmt, 'is', $user_id, $domain);
|
||||
mysqli_stmt_execute($stmt);
|
||||
mysqli_stmt_close($stmt);
|
||||
|
||||
echo json_encode(['success' => true]);
|
||||
@@ -57,12 +57,26 @@ else if ($_SESSION["needs_auth"]===false && $_SESSION["mfa_authenticated"]==1 &&
|
||||
mysqli_stmt_close($stmt);
|
||||
if(!empty($send_to)){
|
||||
$external_domain = is_external_domain($send_to);
|
||||
if ($external_domain !== null && !isset($_SESSION["external_domain_confirmed"])){
|
||||
$data=[
|
||||
'message' => 'external_redirect_warning',
|
||||
'domain' => $external_domain,
|
||||
'redirect' => append_auth_token_to_redirect($send_to, $auth_token)
|
||||
];
|
||||
if ($external_domain !== null){
|
||||
$sql="SELECT id FROM confirmed_domains WHERE user_id = ? AND domain = ?";
|
||||
$stmt = mysqli_prepare($conn, $sql);
|
||||
mysqli_stmt_bind_param($stmt, 'is', $user_id, $external_domain);
|
||||
mysqli_stmt_execute($stmt);
|
||||
mysqli_stmt_store_result($stmt);
|
||||
$domain_confirmed = mysqli_stmt_num_rows($stmt) > 0;
|
||||
mysqli_stmt_close($stmt);
|
||||
if (!$domain_confirmed){
|
||||
$data=[
|
||||
'message' => 'external_redirect_warning',
|
||||
'domain' => $external_domain,
|
||||
'redirect' => append_auth_token_to_redirect($send_to, $auth_token)
|
||||
];
|
||||
}else{
|
||||
$data=[
|
||||
'message' => 'done',
|
||||
'redirect' => append_auth_token_to_redirect($send_to, $auth_token)
|
||||
];
|
||||
}
|
||||
}else{
|
||||
$data=[
|
||||
'message' => 'done',
|
||||
|
||||
@@ -11,7 +11,6 @@ $conn = new mysqli($DB_SERVERNAME, $DB_USERNAME, $DB_PASSWORD, $DB_DATABASE);
|
||||
check_rate_limit($conn, 'set_username', 30, 60);
|
||||
$_SESSION["needs_auth"]=true;
|
||||
$_SESSION["logged_in"]=false;
|
||||
unset($_SESSION["external_domain_confirmed"]);
|
||||
$username = strtolower((string) ($_POST["username"] ?? ""));
|
||||
$_SESSION["username"]=preg_replace("/[^a-z0-9_]/","",$username);
|
||||
session_regenerate_id(true);
|
||||
|
||||
Reference in New Issue
Block a user