Jakach/jakach-login
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

adding ratelimiting with reddis db
Deploy / deploy (push) Failing after 3s
Details

Browse Source
This commit is contained in:
janis steiner
2026-05-06 09:27:02 +02:00
parent d82a08f77b
commit 5deb0e1056
16 changed files with 312 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app-code/api/account/update_2fa.php
+20 -5
View File
@@ -39,13 +39,28 @@ if(!isset($data->enable_2fa) || !is_bool($data->enable_2fa)){
exit();
}
if($data->enable_2fa==true){
//create 2fa secret key
$twofa_secret=generateBase32Secret();
$twofa_pin = trim((string)($data->twofa_pin ?? ""));
if ($twofa_pin === "") {
$twofa_secret=generateBase32Secret();
$_SESSION["pending_2fa_secret"]=$twofa_secret;
echo json_encode(['success' => true, 'pending' => true, 'message' => 'Scan this QR code, then enter the current 2FA code to confirm enrollment.', 'token' => $twofa_secret]);
exit();
}
check_rate_limit($conn, 'setup_2fa', 5, 10 * 60, (string)$id);
$twofa_secret = $_SESSION["pending_2fa_secret"] ?? "";
if ($twofa_secret === "" || !hash_equals(generateTOTP($twofa_secret), $twofa_pin)) {
echo json_encode(['success' => false, 'message' => 'Invalid 2FA code.']);
exit();
}
$sql="UPDATE users SET 2fa = ?, auth_method_enabled_2fa = 1, auth_method_required_2fa = 1 WHERE id = ?";
if ($update_stmt = $conn->prepare($sql)) {
$update_stmt->bind_param("si", $twofa_secret, $id);
if ($update_stmt->execute()) {
echo json_encode(['success' => true, 'message' => '2FA enabled. Your 2fa secret is: '.$twofa_secret.'', 'token' => $twofa_secret]);
unset($_SESSION["pending_2fa_secret"]);
clear_rate_limit($conn, 'setup_2fa', (string)$id);
echo json_encode(['success' => true, 'message' => '2FA enabled.']);
} else {
echo json_encode(['success' => false, 'message' => 'Failed to enable 2fa.']);
}
@@ -56,8 +71,8 @@ if($data->enable_2fa==true){
}
if($data->enable_2fa==false){
//create 2fa secret key
$sql="UPDATE users SET auth_method_enabled_2fa = 0, auth_method_required_2fa = 0 WHERE id = ?";
unset($_SESSION["pending_2fa_secret"]);
$sql="UPDATE users SET 2fa = '', auth_method_enabled_2fa = 0, auth_method_required_2fa = 0 WHERE id = ?";
if ($update_stmt = $conn->prepare($sql)) {
$update_stmt->bind_param("i",$id);
if ($update_stmt->execute()) {
app-code/api/account/update_passkey.php
+30 -8
View File
@@ -30,15 +30,19 @@ try {
// read get argument and post body
$fn = filter_input(INPUT_GET, 'fn');
if (!in_array($fn, ['getCreateArgs', 'processCreate'], true)) {
throw new Exception('Invalid passkey operation.');
}
$requireResidentKey = !!filter_input(INPUT_GET, 'requireResidentKey');
$userVerification = filter_input(INPUT_GET, 'userVerification', FILTER_SANITIZE_SPECIAL_CHARS);
$userId = filter_input(INPUT_GET, 'userId', FILTER_SANITIZE_SPECIAL_CHARS);
$userName = filter_input(INPUT_GET, 'userName', FILTER_SANITIZE_SPECIAL_CHARS);
$userDisplayName = filter_input(INPUT_GET, 'userDisplayName', FILTER_SANITIZE_SPECIAL_CHARS);
$userVerification = 'preferred';
$userName = preg_replace('/[^0-9a-z_]/i', '', $_SESSION["username"] ?? "");
if ($userName === "") {
throw new Exception('Missing account session.');
}
$userId = bin2hex($userName);
$userDisplayName = $userName;
$userId = preg_replace('/[^0-9a-f]/i', '', $userId);
$userName = preg_replace('/[^0-9a-z]/i', '', $_SESSION["username"]);
$userDisplayName = preg_replace('/[^0-9a-z öüäéèàÖÜÄÉÈÀÂÊÎÔÛâêîôû]/i', '', $userDisplayName);
$post = trim(file_get_contents('php://input'));
@@ -96,6 +100,7 @@ try {
// Handle different functions
if ($fn === 'getCreateArgs') {
check_rate_limit($conn, 'passkey_register_args', 10, 60 * 60, $userName);
$createArgs = $WebAuthn->getCreateArgs(\hex2bin($userId), $userName, $userDisplayName, 60*4, $requireResidentKey, $userVerification, $crossPlatformAttachment);
header('Content-Type: application/json');
@@ -103,6 +108,7 @@ try {
// save challange to session. you have to deliver it to processGet later.
$_SESSION['challenge'] = $WebAuthn->getChallenge();
$_SESSION['passkey_register_username'] = $userName;
} else if ($fn === 'getGetArgs') {
$ids = [];
@@ -137,6 +143,15 @@ try {
// save challange to session. you have to deliver it to processGet later.
$_SESSION['challenge'] = $WebAuthn->getChallenge();
} else if ($fn === 'processCreate') {
check_rate_limit($conn, 'passkey_register_process', 5, 60 * 60, $userName);
if (empty($_SESSION['challenge']) || ($_SESSION['passkey_register_username'] ?? '') !== $userName) {
throw new Exception('Invalid passkey session.');
}
foreach (['clientDataJSON', 'attestationObject'] as $requiredField) {
if (!is_object($post) || empty($post->{$requiredField})) {
throw new Exception('Invalid passkey response.');
}
}
// Process create
$challenge = $_SESSION['challenge'];
$clientDataJSON = base64_decode($post->clientDataJSON);
@@ -151,8 +166,15 @@ try {
$data->userDisplayName = $userDisplayName;
// Store registration data in the database
$credentialId = $data->credentialId;
$credentialPublicKey = $data->credentialPublicKey;
$signatureCounter = (int)$data->signatureCounter;
$stmt = $conn->prepare("UPDATE users set credential_id = ?, public_key = ?, counter = ?, auth_method_enabled_passkey = 1, auth_method_required_passkey = 1 WHERE username = ?");
$stmt->execute([ $data->credentialId, $data->credentialPublicKey, $data->signatureCounter,$userName]);
$stmt->bind_param("ssis", $credentialId, $credentialPublicKey, $signatureCounter, $userName);
$stmt->execute();
$stmt->close();
unset($_SESSION['challenge'], $_SESSION['passkey_register_username']);
clear_rate_limit($conn, 'passkey_register_process', $userName);
$msg = 'registration success.';
$return = new stdClass();
@@ -165,7 +187,7 @@ try {
} catch (Throwable $ex) {
$return = new stdClass();
$return->success = false;
$return->msg = $ex->getMessage();
$return->msg = 'Passkey registration failed.';
header('Content-Type: application/json');
print(json_encode($return));