This commit is contained in:
@@ -17,6 +17,7 @@ if (!isset($_SESSION["logged_in"]) || $_SESSION["logged_in"] !== true) {
|
||||
<!-- Bootstrap CSS -->
|
||||
<?php
|
||||
include "../assets/components.php";
|
||||
print_csrf_script();
|
||||
?>
|
||||
<script src="https://cdn.rawgit.com/davidshimjs/qrcodejs/gh-pages/qrcode.min.js"></script>
|
||||
<link href="https://fonts.googleapis.com/icon?family=Material+Icons" rel="stylesheet"> <!-- Google Material Icons -->
|
||||
@@ -259,7 +260,8 @@ if (!isset($_SESSION["logged_in"]) || $_SESSION["logged_in"] !== true) {
|
||||
fetch('/api/account/update_user_data.php', {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'Content-Type': 'application/json'
|
||||
'Content-Type': 'application/json',
|
||||
'X-CSRF-Token': window.csrfToken
|
||||
},
|
||||
body: JSON.stringify(updatedUser)
|
||||
})
|
||||
@@ -306,7 +308,8 @@ if (!isset($_SESSION["logged_in"]) || $_SESSION["logged_in"] !== true) {
|
||||
fetch('/api/account/update_pw.php', {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'Content-Type': 'application/json'
|
||||
'Content-Type': 'application/json',
|
||||
'X-CSRF-Token': window.csrfToken
|
||||
},
|
||||
body: JSON.stringify(passwordData)
|
||||
})
|
||||
@@ -346,6 +349,7 @@ if (!isset($_SESSION["logged_in"]) || $_SESSION["logged_in"] !== true) {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'Content-Type': 'application/json',
|
||||
'X-CSRF-Token': window.csrfToken,
|
||||
},
|
||||
body: JSON.stringify({
|
||||
enable_2fa: isEnabled, // Send the new state of 2FA
|
||||
@@ -384,6 +388,7 @@ if (!isset($_SESSION["logged_in"]) || $_SESSION["logged_in"] !== true) {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'Content-Type': 'application/json',
|
||||
'X-CSRF-Token': window.csrfToken,
|
||||
},
|
||||
body: JSON.stringify({
|
||||
enable_message: isEnabled, // Send the new state of 2FA
|
||||
@@ -476,6 +481,9 @@ function generate2FAQRCode(issuer, accountName, secret) {
|
||||
rep = await window.fetch('/api/account/update_passkey.php?fn=processCreate' + getGetParams(), {
|
||||
//rep = await window.fetch('/test/server.php?fn=processCreate' + getGetParams(), {
|
||||
method : 'POST',
|
||||
headers : {
|
||||
'X-CSRF-Token': window.csrfToken
|
||||
},
|
||||
body : JSON.stringify(authenticatorAttestationResponse),
|
||||
cache : 'no-cache'
|
||||
});
|
||||
@@ -620,7 +628,12 @@ function generate2FAQRCode(issuer, accountName, secret) {
|
||||
}
|
||||
}
|
||||
function delete_all_logmein(){
|
||||
fetch("/api/login/delete_keepmeloggedin.php");
|
||||
fetch("/api/login/delete_keepmeloggedin.php", {
|
||||
method: "POST",
|
||||
headers: {
|
||||
"X-CSRF-Token": window.csrfToken
|
||||
}
|
||||
});
|
||||
}
|
||||
</script>
|
||||
|
||||
|
||||
@@ -1,3 +1,11 @@
|
||||
<?php
|
||||
include "../api/utils/security.php";
|
||||
secure_session_start();
|
||||
if (!isset($_SESSION["logged_in"]) || $_SESSION["logged_in"] !== true || !is_admin_session()) {
|
||||
header("LOCATION:/?send_to=/account/");
|
||||
exit();
|
||||
}
|
||||
?>
|
||||
<!DOCTYPE html>
|
||||
<html lang="en" data-bs-theme="dark">
|
||||
<head>
|
||||
@@ -6,6 +14,7 @@
|
||||
<title>User Management</title>
|
||||
<?php
|
||||
include "../assets/components.php";
|
||||
print_csrf_script();
|
||||
?>
|
||||
</head>
|
||||
<body>
|
||||
@@ -58,7 +67,12 @@
|
||||
if (!confirm('Are you sure you want to delete this user?')) return;
|
||||
|
||||
try {
|
||||
const response = await fetch(`/api/manage/delete_user.php?id=${userId}`, { method: 'DELETE' });
|
||||
const response = await fetch(`/api/manage/delete_user.php?id=${userId}`, {
|
||||
method: 'DELETE',
|
||||
headers: {
|
||||
'X-CSRF-Token': window.csrfToken
|
||||
}
|
||||
});
|
||||
const data = await response.json();
|
||||
|
||||
if (data.success) {
|
||||
|
||||
@@ -2,7 +2,11 @@
|
||||
include "../utils/security.php";
|
||||
secure_session_start();
|
||||
require_same_origin_request();
|
||||
require_csrf_token();
|
||||
header('Content-Type: application/json');
|
||||
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
|
||||
json_response(['success' => false, 'message' => 'Invalid request method.'], 405);
|
||||
}
|
||||
|
||||
// Check if the user is logged in
|
||||
require_logged_in();
|
||||
|
||||
@@ -2,7 +2,11 @@
|
||||
include "../utils/security.php";
|
||||
secure_session_start();
|
||||
require_same_origin_request();
|
||||
require_csrf_token();
|
||||
header('Content-Type: application/json');
|
||||
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
|
||||
json_response(['success' => false, 'message' => 'Invalid request method.'], 405);
|
||||
}
|
||||
|
||||
// Check if the user is logged in
|
||||
require_logged_in();
|
||||
|
||||
@@ -6,6 +6,7 @@ header('Content-Type: application/json');
|
||||
include "../utils/security.php";
|
||||
secure_session_start();
|
||||
require_same_origin_request();
|
||||
require_csrf_token();
|
||||
|
||||
require_once 'WebAuthn.php';
|
||||
|
||||
|
||||
@@ -2,7 +2,11 @@
|
||||
include "../utils/security.php";
|
||||
secure_session_start();
|
||||
require_same_origin_request();
|
||||
require_csrf_token();
|
||||
header('Content-Type: application/json');
|
||||
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
|
||||
json_response(['success' => false, 'message' => 'Invalid request method.'], 405);
|
||||
}
|
||||
|
||||
// Check if the user is logged in
|
||||
require_logged_in();
|
||||
|
||||
@@ -2,6 +2,7 @@
|
||||
include "../utils/security.php";
|
||||
secure_session_start();
|
||||
require_same_origin_request();
|
||||
require_csrf_token();
|
||||
header('Content-Type: application/json');
|
||||
|
||||
// Check if the user is logged in
|
||||
|
||||
@@ -2,7 +2,11 @@
|
||||
include "../utils/security.php";
|
||||
secure_session_start();
|
||||
require_same_origin_request();
|
||||
require_csrf_token();
|
||||
header('Content-Type: application/json');
|
||||
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
|
||||
json_response(['success' => false, 'message' => 'Invalid request method.'], 405);
|
||||
}
|
||||
$send_to=$_SESSION["end_url"];
|
||||
|
||||
include "../../config/config.php";
|
||||
|
||||
@@ -3,6 +3,7 @@ header('Content-Type: application/json');
|
||||
include "../utils/security.php";
|
||||
secure_session_start();
|
||||
require_same_origin_request();
|
||||
require_csrf_token();
|
||||
require_once 'WebAuthn.php';
|
||||
include "../../config/config.php";
|
||||
$conn = new mysqli($DB_SERVERNAME, $DB_USERNAME, $DB_PASSWORD,$DB_DATABASE);
|
||||
|
||||
@@ -2,7 +2,11 @@
|
||||
include "../utils/security.php";
|
||||
secure_session_start();
|
||||
require_same_origin_request();
|
||||
require_csrf_token();
|
||||
header('Content-Type: application/json');
|
||||
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
|
||||
json_response(['success' => false, 'message' => 'Invalid request method.'], 405);
|
||||
}
|
||||
$send_to=$_SESSION["end_url"];
|
||||
|
||||
include "../../config/config.php";
|
||||
|
||||
@@ -2,7 +2,12 @@
|
||||
include "../utils/security.php";
|
||||
secure_session_start();
|
||||
require_same_origin_request();
|
||||
require_csrf_token();
|
||||
header('Content-Type: application/json');
|
||||
if ($_SERVER['REQUEST_METHOD'] !== 'POST' && $_SERVER['REQUEST_METHOD'] !== 'DELETE') {
|
||||
echo json_encode(['success' => false, 'message' => 'Invalid request method.']);
|
||||
exit;
|
||||
}
|
||||
$send_to=$_SESSION["end_url"];
|
||||
require_logged_in();
|
||||
|
||||
|
||||
@@ -2,7 +2,11 @@
|
||||
include "../utils/security.php";
|
||||
secure_session_start();
|
||||
require_same_origin_request();
|
||||
require_csrf_token();
|
||||
header('Content-Type: application/json');
|
||||
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
|
||||
json_response(['success' => false, 'message' => 'Invalid request method.'], 405);
|
||||
}
|
||||
$send_to=$_SESSION["end_url"];
|
||||
|
||||
include "../../config/config.php";
|
||||
|
||||
@@ -1,4 +1,8 @@
|
||||
<?php
|
||||
include "../utils/security.php";
|
||||
secure_session_start();
|
||||
require_same_origin_request();
|
||||
require_csrf_token();
|
||||
// Check if the POST request contains 'token' and 'password'
|
||||
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
|
||||
if (!isset($_POST['token']) || !isset($_POST['password']) || !isset($_POST['confirm_password'])) {
|
||||
@@ -67,4 +71,3 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
|
||||
echo json_encode(['status' => 'error', 'message' => 'Invalid request method.']);
|
||||
}
|
||||
?>
|
||||
|
||||
|
||||
@@ -2,7 +2,12 @@
|
||||
include "../utils/security.php";
|
||||
secure_session_start();
|
||||
require_same_origin_request();
|
||||
require_csrf_token();
|
||||
header('Content-Type: application/json');
|
||||
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
|
||||
echo json_encode(['success' => false, 'message' => 'Invalid request method.']);
|
||||
exit;
|
||||
}
|
||||
include "../../config/config.php";
|
||||
include "../utils/get_location.php";
|
||||
$username=$_SESSION["username"] ?? "";
|
||||
|
||||
@@ -2,6 +2,10 @@
|
||||
include "../utils/security.php";
|
||||
secure_session_start();
|
||||
require_same_origin_request();
|
||||
require_csrf_token();
|
||||
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
|
||||
json_response(['success' => false, 'message' => 'Invalid request method.'], 405);
|
||||
}
|
||||
$_SESSION["needs_auth"]=true;
|
||||
$_SESSION["logged_in"]=false;
|
||||
$username = strtolower((string) ($_POST["username"] ?? ""));
|
||||
|
||||
@@ -3,6 +3,7 @@ header('Content-Type: application/json');
|
||||
include "../utils/security.php";
|
||||
secure_session_start();
|
||||
require_same_origin_request();
|
||||
require_csrf_token();
|
||||
//check for permisisons
|
||||
if (!isset($_SESSION["logged_in"]) || $_SESSION["logged_in"] !== true || !is_admin_session() ) {
|
||||
echo(json_encode(['success' => false, 'message'=>'not authenticated']));
|
||||
|
||||
@@ -3,6 +3,7 @@
|
||||
include "../utils/security.php";
|
||||
secure_session_start();
|
||||
require_same_origin_request();
|
||||
require_csrf_token();
|
||||
header('Content-Type: application/json');
|
||||
|
||||
include "../../config/config.php";
|
||||
|
||||
@@ -53,6 +53,32 @@ function require_same_origin_request(): void
|
||||
}
|
||||
}
|
||||
|
||||
function csrf_token(): string
|
||||
{
|
||||
if (empty($_SESSION['csrf_token']) || !is_string($_SESSION['csrf_token'])) {
|
||||
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
|
||||
}
|
||||
|
||||
return $_SESSION['csrf_token'];
|
||||
}
|
||||
|
||||
function print_csrf_script(): void
|
||||
{
|
||||
echo '<script>window.csrfToken = ' . json_encode(csrf_token()) . ';</script>';
|
||||
}
|
||||
|
||||
function require_csrf_token(): void
|
||||
{
|
||||
if (!in_array($_SERVER['REQUEST_METHOD'] ?? 'GET', ['POST', 'PUT', 'PATCH', 'DELETE'], true)) {
|
||||
return;
|
||||
}
|
||||
|
||||
$token = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? $_POST['csrf_token'] ?? '';
|
||||
if (empty($_SESSION['csrf_token']) || !is_string($token) || !hash_equals($_SESSION['csrf_token'], $token)) {
|
||||
json_response(['success' => false, 'message' => 'Invalid CSRF token.'], 403);
|
||||
}
|
||||
}
|
||||
|
||||
function require_logged_in(): void
|
||||
{
|
||||
if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] !== true || empty($_SESSION['id'])) {
|
||||
|
||||
@@ -25,6 +25,7 @@ if(logmein()==="success"){
|
||||
<title>Jakach Login</title>
|
||||
<?php
|
||||
include "assets/components.php";
|
||||
print_csrf_script();
|
||||
?>
|
||||
</head>
|
||||
<body>
|
||||
@@ -103,6 +104,7 @@ if(logmein()==="success"){
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'Content-Type': 'application/x-www-form-urlencoded', // Form-like data
|
||||
'X-CSRF-Token': window.csrfToken,
|
||||
},
|
||||
body: new URLSearchParams({
|
||||
username: username, // Send username as form data
|
||||
|
||||
@@ -10,6 +10,7 @@ secure_session_start();
|
||||
<title>Jakach Login</title>
|
||||
<?php
|
||||
include "../assets/components.php";
|
||||
print_csrf_script();
|
||||
?>
|
||||
</head>
|
||||
<body>
|
||||
@@ -43,6 +44,7 @@ secure_session_start();
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'Content-Type': 'application/x-www-form-urlencoded', // Form-like data
|
||||
'X-CSRF-Token': window.csrfToken,
|
||||
},
|
||||
body: new URLSearchParams({
|
||||
keepmeloggedin: keepmeloggedin, // Send password as form data
|
||||
|
||||
@@ -10,6 +10,7 @@ secure_session_start();
|
||||
<title>Jakach Login</title>
|
||||
<?php
|
||||
include "../assets/components.php";
|
||||
print_csrf_script();
|
||||
?>
|
||||
</head>
|
||||
<body>
|
||||
@@ -78,6 +79,7 @@ secure_session_start();
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'Content-Type': 'application/x-www-form-urlencoded', // Form-like data
|
||||
'X-CSRF-Token': window.csrfToken,
|
||||
},
|
||||
body: new URLSearchParams({
|
||||
twofa_pin: password, // Send password as form data
|
||||
|
||||
@@ -10,6 +10,7 @@ secure_session_start();
|
||||
<title>Jakach Login</title>
|
||||
<?php
|
||||
include "../assets/components.php";
|
||||
print_csrf_script();
|
||||
?>
|
||||
</head>
|
||||
<body>
|
||||
@@ -106,6 +107,9 @@ async function checkRegistration() {
|
||||
// send to server
|
||||
rep = await window.fetch('/api/login/check_passkey.php?fn=processGet' + getGetParams(), {
|
||||
method:'POST',
|
||||
headers: {
|
||||
'X-CSRF-Token': window.csrfToken
|
||||
},
|
||||
body: JSON.stringify(authenticatorAttestationResponse),
|
||||
cache:'no-cache'
|
||||
});
|
||||
|
||||
@@ -10,6 +10,7 @@ secure_session_start();
|
||||
<title>Jakach Login</title>
|
||||
<?php
|
||||
include "../assets/components.php";
|
||||
print_csrf_script();
|
||||
?>
|
||||
</head>
|
||||
<body>
|
||||
@@ -81,7 +82,12 @@ secure_session_start();
|
||||
<script>
|
||||
//pw reset:
|
||||
function reset_pw(){
|
||||
fetch("/api/login/send_reset_link.php");
|
||||
fetch("/api/login/send_reset_link.php", {
|
||||
method: "POST",
|
||||
headers: {
|
||||
"X-CSRF-Token": window.csrfToken
|
||||
}
|
||||
});
|
||||
var resetModal = new bootstrap.Modal(document.getElementById('resetModal'));
|
||||
resetModal.show();
|
||||
}
|
||||
@@ -108,6 +114,7 @@ secure_session_start();
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'Content-Type': 'application/x-www-form-urlencoded', // Form-like data
|
||||
'X-CSRF-Token': window.csrfToken,
|
||||
},
|
||||
body: new URLSearchParams({
|
||||
password: password, // Send password as form data
|
||||
|
||||
@@ -1,3 +1,7 @@
|
||||
<?php
|
||||
include "../api/utils/security.php";
|
||||
secure_session_start();
|
||||
?>
|
||||
<!DOCTYPE html>
|
||||
<html lang="en" data-bs-theme="dark">
|
||||
|
||||
@@ -7,6 +11,7 @@
|
||||
<title>Password Reset</title>
|
||||
<?php
|
||||
include "../assets/components.php";
|
||||
print_csrf_script();
|
||||
?>
|
||||
|
||||
</head>
|
||||
@@ -57,6 +62,9 @@
|
||||
try {
|
||||
const response = await fetch('/api/login/reset_pw.php', {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'X-CSRF-Token': window.csrfToken
|
||||
},
|
||||
body: formData
|
||||
});
|
||||
|
||||
@@ -79,4 +87,3 @@
|
||||
</body>
|
||||
|
||||
</html>
|
||||
|
||||
|
||||
@@ -11,6 +11,7 @@ secure_session_start();
|
||||
<title>Jakach Login</title>
|
||||
<?php
|
||||
include "../assets/components.php";
|
||||
print_csrf_script();
|
||||
?>
|
||||
</head>
|
||||
<body>
|
||||
@@ -124,6 +125,7 @@ secure_session_start();
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'Content-Type': 'application/json', // JSON format
|
||||
'X-CSRF-Token': window.csrfToken,
|
||||
},
|
||||
body: JSON.stringify(formData), // Convert form data to JSON string
|
||||
});
|
||||
|
||||
Reference in New Issue
Block a user