adding password strength meter and session ui

2026-05-07 23:51:33 +02:00
parent 69a6da90c5
commit d7632748ab
8 changed files with 256 additions and 1 deletions
@@ -0,0 +1,25 @@
+<?php
+include "../utils/security.php";
+secure_session_start();
+header('Content-Type: application/json');
+
+require_logged_in();
+
+include "../../config/config.php";
+$conn = new mysqli($DB_SERVERNAME, $DB_USERNAME, $DB_PASSWORD, $DB_DATABASE);
+
+$user_id = $_SESSION['id'];
+
+$sql = "SELECT id, action, ip, user_agent, details, created_at FROM activity_log WHERE user_id = ? ORDER BY created_at DESC LIMIT 50";
+$stmt = mysqli_prepare($conn, $sql);
+mysqli_stmt_bind_param($stmt, 'i', $user_id);
+mysqli_stmt_execute($stmt);
+$result = mysqli_stmt_get_result($stmt);
+$entries = [];
+while ($row = mysqli_fetch_assoc($result)) {
+    $entries[] = $row;
+}
+mysqli_stmt_close($stmt);
+
+echo json_encode(['success' => true, 'entries' => $entries]);
+?>
@@ -0,0 +1,48 @@
+<?php
+include "../utils/security.php";
+secure_session_start();
+header('Content-Type: application/json');
+
+require_logged_in();
+
+include "../../config/config.php";
+$conn = new mysqli($DB_SERVERNAME, $DB_USERNAME, $DB_PASSWORD, $DB_DATABASE);
+
+$user_id = $_SESSION['id'];
+$method = $_SERVER['REQUEST_METHOD'];
+
+if ($method === 'GET') {
+    $sql = "SELECT id, agent, auth_token FROM keepmeloggedin WHERE user_id = ? ORDER BY id DESC";
+    $stmt = mysqli_prepare($conn, $sql);
+    mysqli_stmt_bind_param($stmt, 'i', $user_id);
+    mysqli_stmt_execute($stmt);
+    $result = mysqli_stmt_get_result($stmt);
+    $sessions = [];
+    while ($row = mysqli_fetch_assoc($result)) {
+        $sessions[] = [
+            'id' => $row['id'],
+            'user_agent' => $row['agent'],
+            'auth_token' => substr($row['auth_token'], 0, 16) . '...'
+        ];
+    }
+    mysqli_stmt_close($stmt);
+    echo json_encode(['success' => true, 'sessions' => $sessions]);
+
+} elseif ($method === 'POST') {
+    require_csrf_token();
+    $input = json_decode(file_get_contents('php://input'), true);
+
+    $sql = "DELETE FROM keepmeloggedin WHERE user_id = ?";
+    $stmt = mysqli_prepare($conn, $sql);
+    mysqli_stmt_bind_param($stmt, 'i', $user_id);
+    mysqli_stmt_execute($stmt);
+    mysqli_stmt_close($stmt);
+
+    delete_cookie("auth_token");
+    log_activity($conn, $user_id, 'sessions_revoked', 'All remembered sessions deleted');
+
+    echo json_encode(['success' => true, 'message' => 'All sessions revoked.']);
+} else {
+    echo json_encode(['success' => false, 'message' => 'Invalid request method.'], 405);
+}
+?>
@@ -60,6 +60,7 @@ if($data->enable_2fa==true){
            if ($update_stmt->execute()) {
 		unset($_SESSION["pending_2fa_secret"]);
 		clear_rate_limit($conn, 'setup_2fa', (string)$id);
+		log_activity($conn, $id, '2fa_enabled', '');
                echo json_encode(['success' => true, 'message' => '2FA enabled.']);
            } else {
                echo json_encode(['success' => false, 'message' => 'Failed to enable 2fa.']);
@@ -76,6 +77,7 @@ if($data->enable_2fa==false){
 	if ($update_stmt = $conn->prepare($sql)) {
            $update_stmt->bind_param("i",$id);
            if ($update_stmt->execute()) {
+		log_activity($conn, $id, '2fa_disabled', '');
                echo json_encode(['success' => true, 'message' => '2FA disabled.']);
            } else {
                echo json_encode(['success' => false, 'message' => 'Failed to disable 2fa.']);
@@ -69,6 +69,7 @@ if (isset($data->old_password) && isset($data->new_password)) {
                if ($update_stmt = $conn->prepare($update_sql)) {
                    $update_stmt->bind_param("ssi", $hashed_password, $new_pepper, $user_id);
                    if ($update_stmt->execute()) {
+                        log_activity($conn, $user_id, 'password_change', '');
                        echo json_encode(['success' => true, 'message' => 'Password updated successfully.']);
                    } else {
                        echo json_encode(['success' => false, 'message' => 'Failed to update password.']);