@@ -0,0 +1,25 @@
|
||||
<?php
|
||||
include "../utils/security.php";
|
||||
secure_session_start();
|
||||
header('Content-Type: application/json');
|
||||
|
||||
require_logged_in();
|
||||
|
||||
include "../../config/config.php";
|
||||
$conn = new mysqli($DB_SERVERNAME, $DB_USERNAME, $DB_PASSWORD, $DB_DATABASE);
|
||||
|
||||
$user_id = $_SESSION['id'];
|
||||
|
||||
$sql = "SELECT id, action, ip, user_agent, details, created_at FROM activity_log WHERE user_id = ? ORDER BY created_at DESC LIMIT 50";
|
||||
$stmt = mysqli_prepare($conn, $sql);
|
||||
mysqli_stmt_bind_param($stmt, 'i', $user_id);
|
||||
mysqli_stmt_execute($stmt);
|
||||
$result = mysqli_stmt_get_result($stmt);
|
||||
$entries = [];
|
||||
while ($row = mysqli_fetch_assoc($result)) {
|
||||
$entries[] = $row;
|
||||
}
|
||||
mysqli_stmt_close($stmt);
|
||||
|
||||
echo json_encode(['success' => true, 'entries' => $entries]);
|
||||
?>
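Review bot: The response at `echo json_encode(['success' => true, 'entries' => $entries]);` can silently come out empty, because `user_agent` and `details` are stored from raw request headers (see log_activity in this commit) and `json_encode` returns false on any invalid UTF-8 byte, which `echo` prints as an empty string. Pass `JSON_INVALID_UTF8_SUBSTITUTE` (or `JSON_THROW_ON_ERROR` inside a try/catch that emits a JSON error) so one malformed header cannot blank the whole log view: `echo json_encode(['success' => true, 'entries' => $entries], JSON_INVALID_UTF8_SUBSTITUTE);`. `mysqli_prepare` is also used unchecked; a false return is rejected by `mysqli_stmt_bind_param` with a TypeError on PHP 8, so test `$stmt === false` and return a JSON error instead. The trailing `?>` should be dropped from this JSON-only file so no stray whitespace after it corrupts the body.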
|
||||
@@ -0,0 +1,48 @@
|
||||
<?php
|
||||
include "../utils/security.php";
|
||||
secure_session_start();
|
||||
header('Content-Type: application/json');
|
||||
|
||||
require_logged_in();
|
||||
|
||||
include "../../config/config.php";
|
||||
$conn = new mysqli($DB_SERVERNAME, $DB_USERNAME, $DB_PASSWORD, $DB_DATABASE);
|
||||
|
||||
$user_id = $_SESSION['id'];
|
||||
$method = $_SERVER['REQUEST_METHOD'];
|
||||
|
||||
if ($method === 'GET') {
|
||||
$sql = "SELECT id, agent, auth_token FROM keepmeloggedin WHERE user_id = ? ORDER BY id DESC";
|
||||
$stmt = mysqli_prepare($conn, $sql);
|
||||
mysqli_stmt_bind_param($stmt, 'i', $user_id);
|
||||
mysqli_stmt_execute($stmt);
|
||||
$result = mysqli_stmt_get_result($stmt);
|
||||
$sessions = [];
|
||||
while ($row = mysqli_fetch_assoc($result)) {
|
||||
$sessions[] = [
|
||||
'id' => $row['id'],
|
||||
'user_agent' => $row['agent'],
|
||||
'auth_token' => substr($row['auth_token'], 0, 16) . '...'
|
||||
];
|
||||
}
|
||||
mysqli_stmt_close($stmt);
|
||||
echo json_encode(['success' => true, 'sessions' => $sessions]);
|
||||
|
||||
} elseif ($method === 'POST') {
|
||||
require_csrf_token();
|
||||
$input = json_decode(file_get_contents('php://input'), true);
|
||||
|
||||
$sql = "DELETE FROM keepmeloggedin WHERE user_id = ?";
|
||||
$stmt = mysqli_prepare($conn, $sql);
|
||||
mysqli_stmt_bind_param($stmt, 'i', $user_id);
|
||||
mysqli_stmt_execute($stmt);
|
||||
mysqli_stmt_close($stmt);
|
||||
|
||||
delete_cookie("auth_token");
|
||||
log_activity($conn, $user_id, 'sessions_revoked', 'All remembered sessions deleted');
|
||||
|
||||
echo json_encode(['success' => true, 'message' => 'All sessions revoked.']);
|
||||
} else {
|
||||
echo json_encode(['success' => false, 'message' => 'Invalid request method.'], 405);
|
||||
}
|
||||
?>
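Review bot: `echo json_encode([...], 405);` in the final else branch passes 405 as the json_encode flags bitmask, not as an HTTP status, so an unsupported method is still answered with 200 (and with whatever flag bits 405 happens to set); replace it with `http_response_code(405);` followed by `echo json_encode(['success' => false, 'message' => 'Invalid request method.']);`. In the GET branch, `substr($row['auth_token'], 0, 16) . '...'` returns part of the stored credential to the browser; if that column holds the raw remember-me token rather than a hash, 16 characters of the secret are exposed per session, so prefer returning only `id` and `agent`, or a non-reversible fingerprint such as a short prefix of `hash('sha256', $row['auth_token'])`. `$input` is decoded from the request body but never read, so the `json_decode` line can be dropped. The trailing `?>` should also go, since whitespace after it would be appended to the JSON body.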
|
||||
@@ -60,6 +60,7 @@ if($data->enable_2fa==true){
|
||||
if ($update_stmt->execute()) {
|
||||
unset($_SESSION["pending_2fa_secret"]);
|
||||
clear_rate_limit($conn, 'setup_2fa', (string)$id);
|
||||
log_activity($conn, $id, '2fa_enabled', '');
|
||||
echo json_encode(['success' => true, 'message' => '2FA enabled.']);
|
||||
} else {
|
||||
echo json_encode(['success' => false, 'message' => 'Failed to enable 2fa.']);
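Review bot: Only the success branch gets a `log_activity` call; the `Failed to enable 2fa.` branch two lines below, and likewise the failure branches in the 2FA-disable and password-change hunks of this commit, record nothing, so a user reviewing their activity log cannot see attempted but failed security-setting changes. Consider a matching call such as `log_activity($conn, $id, '2fa_enable_failed', '');` in each else branch. The enclosing `if($data->enable_2fa==true)` block starts outside the hunk. Note also that `log_activity` declares `int $user_id` while `$id` is cast to string for `clear_rate_limit` just above; without strict_types a numeric-string `$id` is coerced, but a non-numeric value would throw a TypeError, so this relies on `$id` already being validated upstream.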
|
||||
@@ -76,6 +77,7 @@ if($data->enable_2fa==false){
|
||||
if ($update_stmt = $conn->prepare($sql)) {
|
||||
$update_stmt->bind_param("i",$id);
|
||||
if ($update_stmt->execute()) {
|
||||
log_activity($conn, $id, '2fa_disabled', '');
|
||||
echo json_encode(['success' => true, 'message' => '2FA disabled.']);
|
||||
} else {
|
||||
echo json_encode(['success' => false, 'message' => 'Failed to disable 2fa.']);
|
||||
|
||||
@@ -69,6 +69,7 @@ if (isset($data->old_password) && isset($data->new_password)) {
|
||||
if ($update_stmt = $conn->prepare($update_sql)) {
|
||||
$update_stmt->bind_param("ssi", $hashed_password, $new_pepper, $user_id);
|
||||
if ($update_stmt->execute()) {
|
||||
log_activity($conn, $user_id, 'password_change', '');
|
||||
echo json_encode(['success' => true, 'message' => 'Password updated successfully.']);
|
||||
} else {
|
||||
echo json_encode(['success' => false, 'message' => 'Failed to update password.']);
|
||||
|
||||
@@ -135,6 +135,11 @@ else if ($_SESSION["needs_auth"]===false && $_SESSION["mfa_authenticated"]==1 &&
|
||||
curl_close($ch);
|
||||
|
||||
}
|
||||
|
||||
//log activity
|
||||
if($_SESSION["logged_in"]!==true){
|
||||
log_activity($conn, $user_id, 'login', 'Login to ' . ($send_to ?: '/account/'));
|
||||
}
|
||||
|
||||
$_SESSION["logged_in"]=true;
|
||||
echo(json_encode($data));
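Review bot: `if($_SESSION["logged_in"]!==true)` reads the key before it has been assigned on a first login (it is set only on the line after), which under PHP 8 emits an "Undefined array key" warning; with display_errors on, that warning is written into the JSON response body. Use `if (($_SESSION["logged_in"] ?? false) !== true) {` so the first-login case is a silent false. The `details` string embeds `$send_to`, a redirect target that appears to originate from the request; if the activity_log column is shorter than the longest accepted URL the INSERT will truncate or fail depending on sql_mode, so consider bounding it, e.g. `mb_substr($send_to ?: '/account/', 0, 255)`. The enclosing `else if` block starts outside the hunk.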
|
||||
|
||||
@@ -295,6 +295,19 @@ function append_auth_token_to_redirect(string $redirect, string $auth_token): st
|
||||
return $redirect . $separator . 'auth=' . rawurlencode($auth_token);
|
||||
}
|
||||
|
||||
function log_activity(mysqli $conn, int $user_id, string $action, string $details = ''): void
|
||||
{
|
||||
$forwarded_for = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR'] ?? '';
|
||||
$ip = trim(explode(',', $forwarded_for)[0]);
|
||||
$user_agent = $_SERVER['HTTP_USER_AGENT'] ?? '';
|
||||
|
||||
$sql = "INSERT INTO activity_log (user_id, action, ip, user_agent, details) VALUES (?, ?, ?, ?, ?)";
|
||||
$stmt = mysqli_prepare($conn, $sql);
|
||||
mysqli_stmt_bind_param($stmt, 'issss', $user_id, $action, $ip, $user_agent, $details);
|
||||
mysqli_stmt_execute($stmt);
|
||||
mysqli_stmt_close($stmt);
|
||||
}
|
||||
|
||||
function is_external_domain(string $url): ?string
|
||||
{
|
||||
if (!str_starts_with($url, 'http://') && !str_starts_with($url, 'https://')) {
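Review bot: `log_activity` trusts `HTTP_X_FORWARDED_FOR` ahead of `REMOTE_ADDR` unconditionally, and that header is set by the client, so any caller can choose the `ip` value written to activity_log, which defeats the log's purpose for incident review and for a user checking their own history. Start from `$ip = $_SERVER['REMOTE_ADDR'] ?? '';` and only take the first X-Forwarded-For entry when REMOTE_ADDR is a configured trusted proxy, validating the result with `filter_var($ip, FILTER_VALIDATE_IP)` before it is stored. `mysqli_prepare` is also unchecked: a false return is rejected by `mysqli_stmt_bind_param` with a TypeError on PHP 8, which would abort a request after its main action (a session revocation, a password change) has already been committed, so guard with `if ($stmt === false) { error_log('log_activity: prepare failed: ' . mysqli_error($conn)); return; }`. `$user_agent` is stored as sent and the column length is not visible here, so consider bounding it with `mb_substr` as well. `is_external_domain` continues past the end of the hunk.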
|
||||
|
||||