From 7ae7df0a110b978a2ddfe0a423569995a3902878 Mon Sep 17 00:00:00 2001 From: janis steiner Date: Wed, 6 May 2026 08:51:51 +0200 Subject: [PATCH] fixing some security issues and harderning service --- app-code/account/index.php | 4 +- app-code/api/account/get_user_data.php | 7 +- app-code/api/account/update_2fa.php | 17 ++- app-code/api/account/update_message.php | 17 ++- app-code/api/account/update_passkey.php | 5 +- app-code/api/account/update_pw.php | 14 +- app-code/api/account/update_user_data.php | 21 +-- app-code/api/auth/check_auth_key.php | 7 +- app-code/api/login/check_mfa.php | 9 +- app-code/api/login/check_passkey.php | 6 +- app-code/api/login/check_pw.php | 9 +- app-code/api/login/delete_keepmeloggedin.php | 5 +- app-code/api/login/keepmeloggedin.php | 16 ++- app-code/api/login/redirect.php | 14 +- app-code/api/login/send_reset_link.php | 23 +++- app-code/api/login/set_username.php | 8 +- app-code/api/manage/delete_user.php | 6 +- app-code/api/manage/fetch_users.php | 5 +- app-code/api/register/register_user.php | 30 ++++- app-code/api/utils/check_keepmeloggedin.php | 8 +- app-code/api/utils/security.php | 128 +++++++++++++++++++ app-code/index.php | 32 ++--- app-code/login/account_selector.php | 10 +- app-code/login/keepmeloggedin.php | 6 +- app-code/login/logout.php | 5 +- app-code/login/mfa.php | 6 +- app-code/login/passkey.php | 6 +- app-code/login/pw.php | 6 +- app-code/plugins/auth.php | 11 +- app-code/register/index.php | 11 +- 30 files changed, 328 insertions(+), 124 deletions(-) create mode 100644 app-code/api/utils/security.php diff --git a/app-code/account/index.php b/app-code/account/index.php index cef2d9d..228669d 100644 --- a/app-code/account/index.php +++ b/app-code/account/index.php @@ -1,5 +1,6 @@ - diff --git a/app-code/api/account/get_user_data.php b/app-code/api/account/get_user_data.php index bc4d6e9..b5d0a1e 100644 --- a/app-code/api/account/get_user_data.php +++ b/app-code/api/account/get_user_data.php 
@@ -1,13 +1,14 @@ 'error', 'message' => 'not logged in' ]; - echo json_encode($user_data); + echo json_encode($data); exit(); } diff --git a/app-code/api/account/update_2fa.php b/app-code/api/account/update_2fa.php index a3b337e..288e85e 100644 --- a/app-code/api/account/update_2fa.php +++ b/app-code/api/account/update_2fa.php @@ -1,15 +1,11 @@ false, - 'message' => 'Not logged in' - ]); - exit(); -} +require_logged_in(); // Include database configuration include "../../config/config.php"; @@ -34,6 +30,10 @@ $username = $_SESSION["username"]; // Get the raw POST data (JSON) $data = json_decode(file_get_contents("php://input")); +if(!isset($data->enable_2fa) || !is_bool($data->enable_2fa)){ + echo json_encode(['success' => false, 'message' => 'Missing required fields.']); + exit(); +} if($data->enable_2fa==true){ //create 2fa secret key $twofa_secret=generateBase32Secret(); @@ -68,4 +68,3 @@ if($data->enable_2fa==false){ } ?> - diff --git a/app-code/api/account/update_message.php b/app-code/api/account/update_message.php index 31e2f0a..5f881a4 100644 --- a/app-code/api/account/update_message.php +++ b/app-code/api/account/update_message.php @@ -1,15 +1,11 @@ false, - 'message' => 'Not logged in' - ]); - exit(); -} +require_logged_in(); // Include database configuration include "../../config/config.php"; @@ -32,6 +28,10 @@ $username = $_SESSION["username"]; // Get the raw POST data (JSON) $data = json_decode(file_get_contents("php://input")); +if(!isset($data->enable_message) || !is_bool($data->enable_message)){ + echo json_encode(['success' => false, 'message' => 'Missing required fields.']); + exit(); +} if($data->enable_message==true){ $sql="UPDATE users SET login_message=1 WHERE id = ?"; if ($update_stmt = $conn->prepare($sql)) { @@ -64,4 +64,3 @@ if($data->enable_message==false){ } ?> - diff --git a/app-code/api/account/update_passkey.php b/app-code/api/account/update_passkey.php index bc3c6f0..cfdd109 100644 --- a/app-code/api/account/update_passkey.php 
+++ b/app-code/api/account/update_passkey.php @@ -3,6 +3,9 @@ header('Content-Type: application/json'); +include "../utils/security.php"; +secure_session_start(); +require_same_origin_request(); require_once 'WebAuthn.php'; @@ -15,7 +18,6 @@ if ($conn->connect_error) { } try { - session_start(); if (!isset($_SESSION["logged_in"]) || $_SESSION["logged_in"] !== true) { echo json_encode([ 'success' => false, @@ -168,4 +170,3 @@ try { print(json_encode($return)); } ?> - diff --git a/app-code/api/account/update_pw.php b/app-code/api/account/update_pw.php index 1733244..c3e14f9 100644 --- a/app-code/api/account/update_pw.php +++ b/app-code/api/account/update_pw.php @@ -1,15 +1,11 @@ false, - 'message' => 'Not logged in' - ]); - exit(); -} +require_logged_in(); // Include database configuration include "../../config/config.php"; @@ -36,7 +32,6 @@ $data = json_decode(file_get_contents("php://input")); // Check if the required fields are present if (isset($data->old_password) && isset($data->new_password)) { // Get the user ID (this should be taken from the session or JWT token) - session_start(); $user_id = $_SESSION['id']; // Assuming user_id is stored in session // Sanitize inputs @@ -95,4 +90,3 @@ if (isset($data->old_password) && isset($data->new_password)) { echo json_encode(['success' => false, 'message' => 'Missing required fields.']); } ?> - diff --git a/app-code/api/account/update_user_data.php b/app-code/api/account/update_user_data.php index aa26a6a..bcb782e 100644 --- a/app-code/api/account/update_user_data.php +++ b/app-code/api/account/update_user_data.php @@ -1,15 +1,11 @@ false, - 'message' => 'Not logged in' - ]); - exit(); -} +require_logged_in(); // Include database configuration include "../../config/config.php"; 
@@ -47,7 +43,14 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') { // Sanitize and validate the input $name = preg_replace("/[^a-zA-Z0-9_]/", "", $data['name']); // Allow only letters, numbers, and underscores - $email = filter_var($data['email'], FILTER_SANITIZE_EMAIL); // Sanitize email + $email = trim((string) $data['email']); + if ($email !== "" && !filter_var($email, FILTER_VALIDATE_EMAIL)) { + echo json_encode([ + 'success' => false, + 'message' => 'Invalid email address' + ]); + exit(); + } $telegram_id = htmlspecialchars($data['telegram_id'], ENT_QUOTES, 'UTF-8'); // Escape special characters //check if username is allready taken diff --git a/app-code/api/auth/check_auth_key.php b/app-code/api/auth/check_auth_key.php index de0d29f..1543958 100644 --- a/app-code/api/auth/check_auth_key.php +++ b/app-code/api/auth/check_auth_key.php @@ -2,14 +2,14 @@ header('Content-Type: application/json'); include "../../config/config.php"; $conn = new mysqli($DB_SERVERNAME, $DB_USERNAME, $DB_PASSWORD, $DB_DATABASE); +$now=time(); $sql="DELETE FROM auth_tokens WHERE valid_until < ?;"; $stmt = mysqli_prepare($conn, $sql); mysqli_stmt_bind_param($stmt, 'i',$now); mysqli_stmt_execute($stmt); mysqli_stmt_close($stmt); -$auth_key=$_GET["auth_token"]; -$now=time(); +$auth_key=$_GET["auth_token"] ?? ""; $sql="SELECT user_id FROM auth_tokens WHERE auth_token = ? AND valid_until > ?;"; $stmt = mysqli_prepare($conn, $sql); mysqli_stmt_bind_param($stmt, 'si', $auth_key,$now); @@ -54,8 +54,7 @@ if(mysqli_stmt_num_rows($stmt) == 1){ }else{ $data=[ 'status' => 'failure', - 'msg'=>'invalid auth key', - 'auth_key'=>$auth_key + 'msg'=>'invalid auth key' ]; echo(json_encode($data)); } diff --git a/app-code/api/login/check_mfa.php b/app-code/api/login/check_mfa.php index 3911fac..11d9c22 100644 --- a/app-code/api/login/check_mfa.php +++ b/app-code/api/login/check_mfa.php @@ -1,5 +1,7 @@ 'success' ]; 
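Review bot: `$email = trim((string) $data['email']);` reads the key unconditionally, so a JSON body without `email` raises an undefined-index warning before the validation runs; register_user.php in this same commit uses `$data['email'] ?? ""`, and this line should match it: `$email = trim((string) ($data['email'] ?? ""));`. The `$name` line just above still strips disallowed characters silently instead of rejecting the input, and unlike register_user.php it does not lowercase, so whether `Admin` and `admin` end up as distinct accounts depends on the column collation — worth a comment either way.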
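Review bot: The SELECT in the first check_auth_key.php hunk still matches the raw `$auth_key` against `auth_tokens.auth_token`, so issued tokens sit in the database in plaintext, while this same commit stores remember-me tokens as `remember_token_hash()` output; looking up `hash('sha256', $auth_key)` here, and storing the hash at issuance, would give both token tables the same protection against a database read. Moving `$now=time();` above the DELETE also repairs the cleanup query, which previously bound an undefined `$now`; a one-line comment `// $now is shared by the expiry cleanup and the lookup below` would keep a later edit from reordering it again. Whether a token is invalidated after a successful lookup is outside this hunk; if it is not single-use, the intended policy deserves a comment at the top of the file.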
diff --git a/app-code/api/login/check_passkey.php b/app-code/api/login/check_passkey.php index 1f286f5..f2f2c8b 100644 --- a/app-code/api/login/check_passkey.php +++ b/app-code/api/login/check_passkey.php @@ -1,5 +1,8 @@ connect_error) { } try { - session_start(); - // read get argument and post body $fn = filter_input(INPUT_GET, 'fn'); $requireResidentKey = !!filter_input(INPUT_GET, 'requireResidentKey'); @@ -144,6 +145,7 @@ try { $_SESSION["mfa_authenticated"]=1; $_SESSION["pw_authenticated"]=1; $_SESSION["passkey_authenticated"]=1; + session_regenerate_id(true); $return = new stdClass(); $return->success = true; diff --git a/app-code/api/login/check_pw.php b/app-code/api/login/check_pw.php index 45fe688..721cd2c 100644 --- a/app-code/api/login/check_pw.php +++ b/app-code/api/login/check_pw.php @@ -1,5 +1,7 @@ 'success' ]; diff --git a/app-code/api/login/delete_keepmeloggedin.php b/app-code/api/login/delete_keepmeloggedin.php index 800a08d..6c142bc 100644 --- a/app-code/api/login/delete_keepmeloggedin.php +++ b/app-code/api/login/delete_keepmeloggedin.php @@ -1,7 +1,10 @@ 'failure', 'message' => 'Not fully authenticated'], 401); + } $_SESSION["keepmeloggedin_asked"]=true; $user_id=$_SESSION["id"]; //create a login token $login_token=bin2hex(random_bytes(128)); - $agent=$_SERVER['HTTP_USER_AGENT']; + $login_token_hash=remember_token_hash($login_token); + $agent=$_SERVER['HTTP_USER_AGENT'] ?? ""; $sql="INSERT INTO keepmeloggedin (auth_token,user_id,agent) VALUES (?,?,?);"; $stmt = mysqli_prepare($conn, $sql); - mysqli_stmt_bind_param($stmt, 'sis', $login_token,$user_id,$agent); + mysqli_stmt_bind_param($stmt, 'sis', $login_token_hash,$user_id,$agent); mysqli_stmt_execute($stmt); mysqli_stmt_close($stmt); - setcookie("auth_token", $login_token, time() + (30 * 24 * 60 * 60), "/", "", true, true); + set_secure_cookie("auth_token", $login_token, time() + (30 * 24 * 60 * 60)); $data = [ 'status' => 'success' ]; 
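Review bot: The INSERT in the remember-me issuance hunk (its file header is not visible in this rendering; the diffstat lists keepmeloggedin.php) writes only `auth_token`, `user_id` and `agent`, so the server-side record has no expiry and the 30-day limit exists only in the cookie, which the client controls; a captured token hash stays valid until the row is removed by hand. Store the same `time() + (30 * 24 * 60 * 60)` in a `valid_until` column and compare it in check_keepmeloggedin.php, unless the table already expires rows by a default not visible here. Hashing with `remember_token_hash()` before the INSERT while the cookie carries the raw value is the right split and deserves a comment on the `$login_token_hash` line: `// only the SHA-256 of the token is stored; the cookie holds the raw value`.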
diff --git a/app-code/api/login/redirect.php b/app-code/api/login/redirect.php index 8795fe4..8ce7311 100644 --- a/app-code/api/login/redirect.php +++ b/app-code/api/login/redirect.php @@ -1,11 +1,12 @@ 'done', - 'redirect' => $send_to."?auth=$auth_token" + 'redirect' => append_auth_token_to_redirect($send_to, $auth_token) ]; }else{ $data=[ @@ -65,7 +66,8 @@ else if ($_SESSION["needs_auth"]===false && $_SESSION["mfa_authenticated"]==1 && ]; } //update last login - $ip=trim(explode(",",$_SERVER["HTTP_X_FORWARDED_FOR"])[0]); + $forwarded_for = $_SERVER["HTTP_X_FORWARDED_FOR"] ?? $_SERVER["REMOTE_ADDR"] ?? ""; + $ip=trim(explode(",",$forwarded_for)[0]); $date=date('Y-m-d H:i:s'); $last_login_msg=$date." from ".$ip; $sql="UPDATE users SET last_login = ? WHERE id = ?"; @@ -75,7 +77,7 @@ else if ($_SESSION["needs_auth"]===false && $_SESSION["mfa_authenticated"]==1 && mysqli_stmt_close($stmt); //send login message if($_SESSION["login_message"] && $_SESSION["logged_in"]!==true){ - $device = $_SERVER['HTTP_USER_AGENT']; + $device = $_SERVER['HTTP_USER_AGENT'] ?? ""; $location=get_location_from_ip($ip); $message = "⚠️ *Login Warning*\n\n" . "We noticed a login attempt with your account.\n\n" diff --git a/app-code/api/login/send_reset_link.php b/app-code/api/login/send_reset_link.php index 2f86735..746627d 100644 --- a/app-code/api/login/send_reset_link.php +++ b/app-code/api/login/send_reset_link.php @@ -1,9 +1,15 @@ false, 'message' => 'Missing username.']); + exit; +} $sql="SELECT id, email, telegram_id FROM users WHERE username = ?;"; $conn = new mysqli($DB_SERVERNAME, $DB_USERNAME, $DB_PASSWORD, $DB_DATABASE); $mail=""; 
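Review bot: `$forwarded_for = $_SERVER["HTTP_X_FORWARDED_FOR"] ?? $_SERVER["REMOTE_ADDR"] ?? "";` trusts the client-supplied header whenever it is present, and the first comma-separated element is exactly the one a client can set freely, so the value written to `last_login`, passed to `get_location_from_ip()` and included in the login warning is attacker-chosen unless the proxy overwrites the header. Prefer `REMOTE_ADDR` unless the proxy is known to rewrite `X-Forwarded-For`, and in any case validate the result before use: `if (filter_var($ip, FILTER_VALIDATE_IP) === false) { $ip = $_SERVER["REMOTE_ADDR"] ?? ""; }`. The same line is introduced in send_reset_link.php in this commit and needs the same treatment.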
@@ -15,11 +21,17 @@ mysqli_stmt_execute($stmt); mysqli_stmt_store_result($stmt); mysqli_stmt_bind_result($stmt,$id, $mail,$telegram_id); mysqli_stmt_fetch($stmt); +$user_found = mysqli_stmt_num_rows($stmt) === 1; mysqli_stmt_close($stmt); +if (!$user_found) { + echo json_encode(['success' => true, 'message' => 'If the account has reset methods configured, a reset link has been sent.']); + exit; +} //send telegram message -$device = $_SERVER['HTTP_USER_AGENT']; +$device = $_SERVER['HTTP_USER_AGENT'] ?? ""; //$ip=$_SERVER["REMOTE_ADDR"]; -$ip=trim(explode(",",$_SERVER["HTTP_X_FORWARDED_FOR"])[0]); +$forwarded_for = $_SERVER["HTTP_X_FORWARDED_FOR"] ?? $_SERVER["REMOTE_ADDR"] ?? ""; +$ip=trim(explode(",",$forwarded_for)[0]); $location=get_location_from_ip($ip); $date=date('Y-m-d H:i:s'); $token=bin2hex(random_bytes(128)); @@ -628,11 +640,12 @@ if(!empty($mail)){ //insert the token into our db -$valid_until=time()+(8600/2); +$valid_until=time()+(12 * 60 * 60); $sql="INSERT INTO reset_tokens (auth_token, user_id,valid_until) VALUES (?,?,?);"; $stmt = mysqli_prepare($conn, $sql); mysqli_stmt_bind_param($stmt, 'sii', $token,$id,$valid_until); mysqli_stmt_execute($stmt); mysqli_stmt_close($stmt); +echo json_encode(['success' => true, 'message' => 'If the account has reset methods configured, a reset link has been sent.']); ?> diff --git a/app-code/api/login/set_username.php b/app-code/api/login/set_username.php index 8db9a80..c3dcffa 100644 --- a/app-code/api/login/set_username.php +++ b/app-code/api/login/set_username.php @@ -1,6 +1,10 @@ diff --git a/app-code/api/manage/delete_user.php b/app-code/api/manage/delete_user.php index d918349..907aa84 100644 --- a/app-code/api/manage/delete_user.php +++ b/app-code/api/manage/delete_user.php @@ -1,8 +1,10 @@ false, 'message'=>'not authenticated'])); exit(); } diff --git a/app-code/api/manage/fetch_users.php b/app-code/api/manage/fetch_users.php index 75beec0..9376904 100644 --- a/app-code/api/manage/fetch_users.php 
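Review bot: `$valid_until=time()+(12 * 60 * 60);` lengthens the reset-token lifetime from the previous ~72 minutes (`8600/2`) to 12 hours, which is the opposite of hardening for a link that grants account takeover; if the old constant was merely odd, `60 * 60` keeps a one-hour window. The token is also inserted into `reset_tokens` in plaintext, while this commit hashes remember-me tokens with `remember_token_hash()` before storage — applying the same hash here and on lookup would protect reset links against a database read. In the second hunk the unknown-user path answers immediately while the known-user path first runs the email/Telegram sending that sits between the second and third hunks, so response time still distinguishes existing accounts; if that is acceptable, a comment saying so would stop the next reader from treating the generic message as complete enumeration protection.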
+++ b/app-code/api/manage/fetch_users.php @@ -1,8 +1,9 @@ false, 'message'=>'not authenticated'])); exit(); } diff --git a/app-code/api/register/register_user.php b/app-code/api/register/register_user.php index 5334e98..b6d073c 100644 --- a/app-code/api/register/register_user.php +++ b/app-code/api/register/register_user.php @@ -1,5 +1,8 @@ false, 'message' => 'Invalid input. Username and password are required.' @@ -30,10 +33,11 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') { exit; } - $username = trim($data['username']); - $email = trim($data['email']); - $password = trim($data['password']); - $telegram_id = trim($data['telegram']); + $username = strtolower(trim((string) $data['username'])); + $username = preg_replace("/[^a-z0-9_]/", "", $username); + $email = trim((string) ($data['email'] ?? "")); + $password = (string) $data['password']; + $telegram_id = trim((string) ($data['telegram'] ?? "")); // Check for empty fields if (empty($username) || empty($password)) { @@ -44,6 +48,22 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') { exit; } + if (strlen($password) < 12) { + echo json_encode([ + 'success' => false, + 'message' => 'Password must be at least 12 characters.' + ]); + exit; + } + + if ($email !== "" && !filter_var($email, FILTER_VALIDATE_EMAIL)) { + echo json_encode([ + 'success' => false, + 'message' => 'Invalid email address.' + ]); + exit; + } + // Check if the username already exists $sql = "SELECT id FROM users WHERE username = ?"; $stmt = mysqli_prepare($conn, $sql); diff --git a/app-code/api/utils/check_keepmeloggedin.php b/app-code/api/utils/check_keepmeloggedin.php index 8e60d54..1347b27 100644 --- a/app-code/api/utils/check_keepmeloggedin.php +++ b/app-code/api/utils/check_keepmeloggedin.php 
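Review bot: `$username = preg_replace("/[^a-z0-9_]/", "", $username);` silently rewrites the chosen name (`jöhn` registers as `jhn`, `Jane.Doe` as `janedoe`) instead of rejecting it, so the user is never told which name was actually created; reject instead, after the lowercase step, with `if (!preg_match('/^[a-z0-9_]+$/', $username)) { echo json_encode(['success' => false, 'message' => 'Username may contain only a-z, 0-9 and _.']); exit; }`. The new `strlen($password) < 12` check counts bytes, which is fine as a minimum, but there is no upper bound; if `password_hash()` with bcrypt is used further down (outside the hunk), input beyond 72 bytes is truncated silently, so a generous cap plus a comment about that limit is worth adding. `(string) $data['password']` also turns a JSON array into the literal `"Array"`; an `is_string()` check on the three fields before casting would close that.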
@@ -5,17 +5,22 @@ $conn = new mysqli($DB_SERVERNAME, $DB_USERNAME, $DB_PASSWORD, $DB_DATABASE); if (isset($_COOKIE['auth_token'])) { $auth_token=$_COOKIE['auth_token']; + $auth_token_hash=remember_token_hash($auth_token); $sql="SELECT user_id,agent FROM keepmeloggedin WHERE auth_token = ?"; $user_id=0; $agent=""; $stmt = mysqli_prepare($conn, $sql); - mysqli_stmt_bind_param($stmt, 's',$auth_token); + mysqli_stmt_bind_param($stmt, 's',$auth_token_hash); mysqli_stmt_execute($stmt); mysqli_stmt_store_result($stmt); if(mysqli_stmt_num_rows($stmt) == 1){ mysqli_stmt_bind_result($stmt, $user_id,$agent); mysqli_stmt_fetch($stmt); mysqli_stmt_close($stmt); + if (!hash_equals($agent, $_SERVER['HTTP_USER_AGENT'] ?? "")) { + delete_cookie("auth_token"); + return $ret; + } //load user data $sql="SELECT auth_method_required_pw, auth_method_required_2fa, auth_method_required_passkey, username, user_token,last_login, login_message,telegram_id, permissions FROM users WHERE id = ?"; @@ -52,6 +57,7 @@ $_SESSION["keepmeloggedin_asked"]=true; $_SESSION["logged_in"]=true; $_SESSION["needs_auth"]=false; + session_regenerate_id(true); $ret="success"; } mysqli_stmt_close($stmt); diff --git a/app-code/api/utils/security.php b/app-code/api/utils/security.php new file mode 100644 index 0000000..d98a5ad --- /dev/null +++ b/app-code/api/utils/security.php 
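Review bot: On a User-Agent mismatch the new branch removes the cookie but leaves the `keepmeloggedin` row in place, so the token remains usable with the originally recorded agent string; a rejected token is more likely stolen than benign, so delete the row before `return $ret;` with `$del = mysqli_prepare($conn, "DELETE FROM keepmeloggedin WHERE auth_token = ?"); mysqli_stmt_bind_param($del, 's', $auth_token_hash); mysqli_stmt_execute($del);`. Exact agent matching with `hash_equals` will also log every user out on a routine browser update; it is a weak signal rather than a control, and a comment stating it is best-effort would set expectations. `remember_token_hash()` comes from security.php, so this file now depends on that include being loaded first; the enclosing scope begins outside the hunk.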
@@ -0,0 +1,128 @@
+ 0,
+ 'path' => '/',
+ 'domain' => '',
+ 'secure' => $is_https,
+ 'httponly' => true,
+ 'samesite' => 'Lax',
+ ]);
+
+ session_start();
+}
+
+function json_response(array $data, int $status_code = 200): void
+{
+ http_response_code($status_code);
+ header('Content-Type: application/json');
+ echo json_encode($data);
+ exit;
+}
+
+function require_same_origin_request(): void
+{
+ if (!in_array($_SERVER['REQUEST_METHOD'] ?? 'GET', ['POST', 'PUT', 'PATCH', 'DELETE'], true)) {
+ return;
+ }
+
+ $host = $_SERVER['HTTP_HOST'] ?? '';
+ $source = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
+
+ if ($source === '') {
+ return;
+ }
+
+ $source_host = parse_url($source, PHP_URL_HOST);
+ $source_port = parse_url($source, PHP_URL_PORT);
+ if ($source_host && $source_port) {
+ $source_host .= ':' . $source_port;
+ }
+
+ if (!$source_host || !hash_equals(strtolower($host), strtolower($source_host))) {
+ json_response(['success' => false, 'message' => 'Invalid request origin.'], 403);
+ }
+}
+
+function require_logged_in(): void
+{
+ if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] !== true || empty($_SESSION['id'])) {
+ json_response(['success' => false, 'message' => 'Not logged in'], 401);
+ }
+}
+
+function is_admin_session(): bool
+{
+ return !empty($_SESSION['permissions'])
+ && is_string($_SESSION['permissions'])
+ && isset($_SESSION['permissions'][0])
+ && $_SESSION['permissions'][0] === '1';
+}
+
+function remember_token_hash(string $token): string
+{
+ return hash('sha256', $token);
+}
+
+function set_secure_cookie(string $name, string $value, int $expires): void
+{
+ $is_https = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
+ || (isset($_SERVER['SERVER_PORT']) && (int) $_SERVER['SERVER_PORT'] === 443);
+
+ setcookie($name, $value, [
+ 'expires' => $expires,
+ 'path' => '/',
+ 'secure' => $is_https,
+ 'httponly' => true,
+ 'samesite' => 'Lax',
+ ]);
+}
+
+function delete_cookie(string $name): void
+{
+ 
set_secure_cookie($name, '', time() - 3600); +} + +function normalize_redirect_target(?string $target): string +{ + $target = trim((string) $target); + if ($target === '') { + return '/account/'; + } + + if (preg_match('/[\r\n]/', $target)) { + return '/account/'; + } + + if (str_starts_with($target, '/') && !str_starts_with($target, '//')) { + return $target; + } + + $parts = parse_url($target); + if (!$parts || empty($parts['scheme']) || empty($parts['host'])) { + return '/account/'; + } + + if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) { + return '/account/'; + } + + return $target; +} + +function append_auth_token_to_redirect(string $redirect, string $auth_token): string +{ + $separator = str_contains($redirect, '?') ? '&' : '?'; + return $redirect . $separator . 'auth=' . rawurlencode($auth_token); +} + +?> diff --git a/app-code/index.php b/app-code/index.php index 522c3cd..d2f3118 100644 --- a/app-code/index.php +++ b/app-code/index.php @@ -1,3 +1,20 @@ + @@ -8,20 +25,6 @@ Jakach Login @@ -135,4 +138,3 @@ ?> - diff --git a/app-code/login/account_selector.php b/app-code/login/account_selector.php index e4442d0..4866155 100644 --- a/app-code/login/account_selector.php +++ b/app-code/login/account_selector.php @@ -1,3 +1,7 @@ + @@ -6,7 +10,6 @@ Jakach Login @@ -22,8 +25,8 @@
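Review bot: `normalize_redirect_target` accepts `/\evil.example` as a local path, because the guard only rejects a second `/` while browsers treat a leading `/\` the same as `//`; tighten it to `if (str_starts_with($target, '/') && !preg_match('#^/[/\\\\]#', $target)) {`. The `$is_https` detection in `secure_session_start` and `set_secure_cookie` reads `$_SERVER['HTTPS']`/`SERVER_PORT`, which are unset behind a TLS-terminating proxy (the rest of the diff reads `HTTP_X_FORWARDED_FOR`, so one is likely in use), in which case the session and remember-me cookies are sent without the `secure` flag; a config constant that forces it on is safer than sniffing. `require_same_origin_request` returns early when neither Origin nor Referer is present, so a state-changing request stripped of both headers passes the check — if that fail-open is intended, say so in a comment, otherwise reject when `$source === ''`. Finally, `append_auth_token_to_redirect` attaches the auth token to any http/https target `normalize_redirect_target` lets through, so unless the caller validates `$send_to` against registered service hosts, a crafted `send_to` link delivers the victim's token to a third-party host.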
- Continue as - ">Use another account + Continue as + ">Use another account
@@ -43,4 +46,3 @@ document.addEventListener("keydown", function(event) { - diff --git a/app-code/login/keepmeloggedin.php b/app-code/login/keepmeloggedin.php index 3d8bbbd..a74e4b1 100644 --- a/app-code/login/keepmeloggedin.php +++ b/app-code/login/keepmeloggedin.php @@ -1,3 +1,7 @@ + @@ -6,7 +10,6 @@ Jakach Login @@ -66,4 +69,3 @@ - diff --git a/app-code/login/logout.php b/app-code/login/logout.php index a3efd04..d606bd7 100644 --- a/app-code/login/logout.php +++ b/app-code/login/logout.php @@ -1,7 +1,8 @@ diff --git a/app-code/login/mfa.php b/app-code/login/mfa.php index f23b3b8..9773f35 100644 --- a/app-code/login/mfa.php +++ b/app-code/login/mfa.php @@ -1,3 +1,7 @@ + @@ -6,7 +10,6 @@ Jakach Login @@ -112,4 +115,3 @@ - diff --git a/app-code/login/passkey.php b/app-code/login/passkey.php index d49c7ad..2d25e6a 100644 --- a/app-code/login/passkey.php +++ b/app-code/login/passkey.php @@ -1,3 +1,7 @@ + @@ -6,7 +10,6 @@ Jakach Login @@ -256,4 +259,3 @@ async function checkRegistration() { - diff --git a/app-code/login/pw.php b/app-code/login/pw.php index 6ba6f83..0e63bd5 100644 --- a/app-code/login/pw.php +++ b/app-code/login/pw.php @@ -1,3 +1,7 @@ + @@ -6,7 +10,6 @@ Jakach Login @@ -142,4 +145,3 @@ - diff --git a/app-code/plugins/auth.php b/app-code/plugins/auth.php index d550bae..a082e7d 100644 --- a/app-code/plugins/auth.php +++ b/app-code/plugins/auth.php 
@@ -2,10 +2,16 @@ /* This file can be installed in any service. If done so a user can authenticate with Jakach Auth. Jakach Auth will redirect the user here where their token gets validated, and then they can be logged in to your service. */ -$auth_token = $_GET["auth"]; +$auth_token = $_GET["auth"] ?? ""; +header('Content-Type: application/json'); + +if ($auth_token === '') { + echo json_encode(['status' => 'failure', 'msg' => 'Missing auth token']); + exit; +} // Check the auth token against Jakach login API -$check_url = "https://auth.jakach.ch/api/auth/check_auth_key.php?auth_token=" . $auth_token; +$check_url = "https://auth.jakach.ch/api/auth/check_auth_key.php?auth_token=" . rawurlencode($auth_token); // Initialize cURL $ch = curl_init(); @@ -47,4 +53,3 @@ if (isset($data['status'])) { echo json_encode(['status' => 'failure', 'msg' => 'Invalid response from authentication server']); } ?> - diff --git a/app-code/register/index.php b/app-code/register/index.php index dd47f39..2ad6960 100644 --- a/app-code/register/index.php +++ b/app-code/register/index.php @@ -1,5 +1,6 @@ @@ -134,12 +135,8 @@ session_start(); showModalMessage('Success', 'Registration successful!'); // Redirect to a different page if needed after closing the modal setTimeout(() => { - + const endUrl = ; + window.location.href = '/?send_to=' + encodeURIComponent(endUrl); }, 2000); } else { showModalMessage('Error', result.message || 'Registration failed!');
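Review bot: `$auth_token` still arrives in the query string (`$_GET["auth"]`) and is forwarded the same way to `check_auth_key.php`, so it is written to access logs at both ends and leaks through `Referer` from whatever the landing page loads next; `rawurlencode()` fixes the URL construction, not that exposure, so the check should consume the token (single-use, short TTL) and the page should send `Referrer-Policy: no-referrer` until the session is established. The cURL setup is outside the hunk; confirm that peer and host verification are left enabled, since `$check_url` is the trust anchor for every login through this plugin. Nothing in the visible response ties a token to the service that requested it, so if one token is accepted by any integrating service, the header comment at the top of the file should say so.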