@@ -2,7 +2,11 @@
|
||||
include "../utils/security.php";
|
||||
secure_session_start();
|
||||
require_same_origin_request();
|
||||
require_csrf_token();
|
||||
header('Content-Type: application/json');
|
||||
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
|
||||
json_response(['success' => false, 'message' => 'Invalid request method.'], 405);
|
||||
}
|
||||
|
||||
// Check if the user is logged in
|
||||
require_logged_in();
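Review bot: `require_same_origin_request()` and `require_csrf_token()` run before `header('Content-Type: application/json');` in this hunk, so their 403 rejection bodies are only JSON-typed if `json_response()` sets the header itself, and that helper is not visible on this page. Moving `header('Content-Type: application/json');` above the two guards costs nothing and keeps every error response typed the same way regardless of what the helper does. The same ordering appears in the other endpoints touched by this commit.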
|
||||
|
||||
@@ -2,7 +2,11 @@
|
||||
include "../utils/security.php";
|
||||
secure_session_start();
|
||||
require_same_origin_request();
|
||||
require_csrf_token();
|
||||
header('Content-Type: application/json');
|
||||
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
|
||||
json_response(['success' => false, 'message' => 'Invalid request method.'], 405);
|
||||
}
|
||||
|
||||
// Check if the user is logged in
|
||||
require_logged_in();
|
||||
|
||||
@@ -6,6 +6,7 @@ header('Content-Type: application/json');
|
||||
include "../utils/security.php";
|
||||
secure_session_start();
|
||||
require_same_origin_request();
|
||||
require_csrf_token();
|
||||
|
||||
require_once 'WebAuthn.php';
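Review bot: No request-method guard is visible in this hunk, and `require_csrf_token()` returns early for GET/HEAD/OPTIONS, so if the WebAuthn handler below accepts state-changing input on a GET request the new CSRF check never runs. Sibling endpoints in this commit reject non-POST requests with `json_response(['success' => false, 'message' => 'Invalid request method.'], 405);` right after the guards; add the same guard here unless the rest of this file, which is outside the hunk, already enforces the method.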
|
||||
|
||||
|
||||
@@ -2,7 +2,11 @@
|
||||
include "../utils/security.php";
|
||||
secure_session_start();
|
||||
require_same_origin_request();
|
||||
require_csrf_token();
|
||||
header('Content-Type: application/json');
|
||||
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
|
||||
json_response(['success' => false, 'message' => 'Invalid request method.'], 405);
|
||||
}
|
||||
|
||||
// Check if the user is logged in
|
||||
require_logged_in();
|
||||
|
||||
@@ -2,6 +2,7 @@
|
||||
include "../utils/security.php";
|
||||
secure_session_start();
|
||||
require_same_origin_request();
|
||||
require_csrf_token();
|
||||
header('Content-Type: application/json');
|
||||
|
||||
// Check if the user is logged in
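Review bot: This hunk adds a CSRF check but shows no request-method guard, and `require_csrf_token()` returns early for GET/HEAD/OPTIONS, so a state-changing GET would bypass it; the sibling endpoints in this commit add `if ($_SERVER['REQUEST_METHOD'] !== 'POST') { json_response(['success' => false, 'message' => 'Invalid request method.'], 405); }` immediately after the guards. The comment `// Check if the user is logged in` has no check visible under it — the call (presumably `require_logged_in();`) lies past the end of the hunk, so confirm it is there.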
|
||||
|
||||
@@ -2,7 +2,11 @@
|
||||
include "../utils/security.php";
|
||||
secure_session_start();
|
||||
require_same_origin_request();
|
||||
require_csrf_token();
|
||||
header('Content-Type: application/json');
|
||||
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
|
||||
json_response(['success' => false, 'message' => 'Invalid request method.'], 405);
|
||||
}
|
||||
$send_to=$_SESSION["end_url"];
|
||||
|
||||
include "../../config/config.php";
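Review bot: `$send_to=$_SESSION["end_url"];` reads the key unconditionally, so a session that never set `end_url` raises an undefined-array-key warning, and with `display_errors` enabled that text is emitted ahead of the JSON body. Read it defensively, `$send_to = $_SESSION['end_url'] ?? '';` (use whatever default the redirect logic below expects), and consider calling `require_logged_in()` before relying on session state, since nothing in this hunk checks authentication. The same line appears in several sibling endpoints in this commit; the code after the include is outside the hunk.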
|
||||
|
||||
@@ -3,6 +3,7 @@ header('Content-Type: application/json');
|
||||
include "../utils/security.php";
|
||||
secure_session_start();
|
||||
require_same_origin_request();
|
||||
require_csrf_token();
|
||||
require_once 'WebAuthn.php';
|
||||
include "../../config/config.php";
|
||||
$conn = new mysqli($DB_SERVERNAME, $DB_USERNAME, $DB_PASSWORD,$DB_DATABASE);
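Review bot: No request-method guard is visible before `new mysqli(...)`, and `require_csrf_token()` returns early for GET/HEAD/OPTIONS, so a GET request reaches the database code below with no CSRF protection if the handler mutates state; add the POST guard used by sibling endpoints ahead of the connection. Independently, consider `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);` before the constructor so a failed connection surfaces as an exception rather than a warning plus an unusable `$conn` (PHP 8.1+ defaults to this, earlier versions do not). The rest of the handler is outside the hunk.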
|
||||
|
||||
@@ -2,7 +2,11 @@
|
||||
include "../utils/security.php";
|
||||
secure_session_start();
|
||||
require_same_origin_request();
|
||||
require_csrf_token();
|
||||
header('Content-Type: application/json');
|
||||
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
|
||||
json_response(['success' => false, 'message' => 'Invalid request method.'], 405);
|
||||
}
|
||||
$send_to=$_SESSION["end_url"];
|
||||
|
||||
include "../../config/config.php";
|
||||
|
||||
@@ -2,7 +2,12 @@
|
||||
include "../utils/security.php";
|
||||
secure_session_start();
|
||||
require_same_origin_request();
|
||||
require_csrf_token();
|
||||
header('Content-Type: application/json');
|
||||
if ($_SERVER['REQUEST_METHOD'] !== 'POST' && $_SERVER['REQUEST_METHOD'] !== 'DELETE') {
|
||||
echo json_encode(['success' => false, 'message' => 'Invalid request method.']);
|
||||
exit;
|
||||
}
|
||||
$send_to=$_SESSION["end_url"];
|
||||
require_logged_in();
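Review bot: The rejection branch uses `echo json_encode(...); exit;` and so answers a disallowed method with HTTP 200, whereas sibling endpoints in this commit use `json_response(['success' => false, 'message' => 'Invalid request method.'], 405);` — align this one for consistent status codes. For DELETE requests `$_POST` is empty, so only the `X-CSRF-Token` header path in `require_csrf_token()` can satisfy the check; the client must send that header on deletes. `$send_to=$_SESSION["end_url"];` is also read before `require_logged_in()` and without `??`, so an unauthenticated caller with an empty session triggers a warning before being rejected — swap the two lines or use `$send_to = $_SESSION['end_url'] ?? '';`.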
|
||||
|
||||
|
||||
@@ -2,7 +2,11 @@
|
||||
include "../utils/security.php";
|
||||
secure_session_start();
|
||||
require_same_origin_request();
|
||||
require_csrf_token();
|
||||
header('Content-Type: application/json');
|
||||
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
|
||||
json_response(['success' => false, 'message' => 'Invalid request method.'], 405);
|
||||
}
|
||||
$send_to=$_SESSION["end_url"];
|
||||
|
||||
include "../../config/config.php";
|
||||
|
||||
@@ -1,4 +1,8 @@
|
||||
<?php
|
||||
include "../utils/security.php";
|
||||
secure_session_start();
|
||||
require_same_origin_request();
|
||||
require_csrf_token();
|
||||
// Check if the POST request contains 'token' and 'password'
|
||||
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
|
||||
if (!isset($_POST['token']) || !isset($_POST['password']) || !isset($_POST['confirm_password'])) {
|
||||
@@ -67,4 +71,3 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
|
||||
echo json_encode(['status' => 'error', 'message' => 'Invalid request method.']);
|
||||
}
|
||||
?>
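Review bot: `require_csrf_token()` rejects with a `['success' => false, 'message' => 'Invalid CSRF token.']` body, but this file's own errors use the `['status' => 'error', 'message' => ...]` shape, so the reset-form client now receives two different JSON shapes depending on which check fails; confirm the front-end handles both, or run a local check that returns this file's shape. `header('Content-Type: application/json')` is not visible between `<?php` and the guards here, unlike the other endpoints in the commit. The second hunk still ends the file with `?>`; dropping the closing tag removes any chance of trailing whitespace being sent ahead of the JSON. The POST-handling body between the two hunks is outside view.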
|
||||
|
||||
|
||||
@@ -2,7 +2,12 @@
|
||||
include "../utils/security.php";
|
||||
secure_session_start();
|
||||
require_same_origin_request();
|
||||
require_csrf_token();
|
||||
header('Content-Type: application/json');
|
||||
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
|
||||
echo json_encode(['success' => false, 'message' => 'Invalid request method.']);
|
||||
exit;
|
||||
}
|
||||
include "../../config/config.php";
|
||||
include "../utils/get_location.php";
|
||||
$username=$_SESSION["username"] ?? "";
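Review bot: `$username=$_SESSION["username"] ?? "";` takes the username from the session with no `require_logged_in()` visible, so if this handler is meant for authenticated users an empty-session request passes both new guards and continues with `$username === ""`; add `require_logged_in();` after the method guard unless the code below deliberately serves anonymous callers. The method rejection also uses `echo json_encode(...); exit;` (HTTP 200) where sibling endpoints use `json_response(..., 405)`. The remainder of the handler is outside the hunk.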
|
||||
|
||||
@@ -2,6 +2,10 @@
|
||||
include "../utils/security.php";
|
||||
secure_session_start();
|
||||
require_same_origin_request();
|
||||
require_csrf_token();
|
||||
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
|
||||
json_response(['success' => false, 'message' => 'Invalid request method.'], 405);
|
||||
}
|
||||
$_SESSION["needs_auth"]=true;
|
||||
$_SESSION["logged_in"]=false;
|
||||
$username = strtolower((string) ($_POST["username"] ?? ""));
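Review bot: The login handler resets `needs_auth`/`logged_in` here, but the success path (outside the hunk) should also rotate both the session id and the CSRF token — `session_regenerate_id(true); unset($_SESSION['csrf_token']);` — so a token learned from a pre-authentication session is not carried into the authenticated one; `csrf_token()` mints a fresh value on the next page render, which assumes the client reloads after login. Separately, `strtolower()` is byte-wise; if usernames may contain non-ASCII characters, `mb_strtolower()` is the correct normalisation, though any change must match how stored usernames were lowercased. No `header('Content-Type: application/json')` is visible in this hunk, unlike the sibling endpoints.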
|
||||
|
||||
@@ -3,6 +3,7 @@ header('Content-Type: application/json');
|
||||
include "../utils/security.php";
|
||||
secure_session_start();
|
||||
require_same_origin_request();
|
||||
require_csrf_token();
|
||||
//check for permisisons
|
||||
if (!isset($_SESSION["logged_in"]) || $_SESSION["logged_in"] !== true || !is_admin_session() ) {
|
||||
echo(json_encode(['success' => false, 'message'=>'not authenticated']));
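Review bot: The admin gate re-implements the logged-in test inline (`!isset($_SESSION["logged_in"]) || $_SESSION["logged_in"] !== true`), while this commit adds `require_logged_in()` to security.php that additionally checks `$_SESSION['id']`; call `require_logged_in();` first and reduce this condition to `if (!is_admin_session()) { ... }` so every endpoint shares one definition of "logged in". The rejection `echo(json_encode([...]))` must be followed by `exit;` — that line is past the end of the hunk, so confirm it is there; otherwise the admin logic below still runs.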
|
||||
|
||||
@@ -3,6 +3,7 @@
|
||||
include "../utils/security.php";
|
||||
secure_session_start();
|
||||
require_same_origin_request();
|
||||
require_csrf_token();
|
||||
header('Content-Type: application/json');
|
||||
|
||||
include "../../config/config.php";
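Review bot: No request-method guard is visible after the new `require_csrf_token();` call, and that helper returns early for GET/HEAD/OPTIONS, so if the handler below performs a state change on GET the CSRF check is bypassed. Sibling endpoints in this commit add `if ($_SERVER['REQUEST_METHOD'] !== 'POST') { json_response(['success' => false, 'message' => 'Invalid request method.'], 405); }` immediately after the guards; add it here unless the rest of this file, which is outside the hunk, already enforces the method.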
|
||||
|
||||
@@ -53,6 +53,32 @@ function require_same_origin_request(): void
|
||||
}
|
||||
}
|
||||
|
||||
function csrf_token(): string
|
||||
{
|
||||
if (empty($_SESSION['csrf_token']) || !is_string($_SESSION['csrf_token'])) {
|
||||
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
|
||||
}
|
||||
|
||||
return $_SESSION['csrf_token'];
|
||||
}
|
||||
|
||||
function print_csrf_script(): void
|
||||
{
|
||||
echo '<script>window.csrfToken = ' . json_encode(csrf_token()) . ';</script>';
|
||||
}
|
||||
|
||||
function require_csrf_token(): void
|
||||
{
|
||||
if (!in_array($_SERVER['REQUEST_METHOD'] ?? 'GET', ['POST', 'PUT', 'PATCH', 'DELETE'], true)) {
|
||||
return;
|
||||
}
|
||||
|
||||
$token = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? $_POST['csrf_token'] ?? '';
|
||||
if (empty($_SESSION['csrf_token']) || !is_string($token) || !hash_equals($_SESSION['csrf_token'], $token)) {
|
||||
json_response(['success' => false, 'message' => 'Invalid CSRF token.'], 403);
|
||||
}
|
||||
}
|
||||
|
||||
function require_logged_in(): void
|
||||
{
|
||||
if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] !== true || empty($_SESSION['id'])) {
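Review bot: `require_csrf_token()` only enforces anything if `json_response()` terminates the script — the function is declared `: void` and nothing after the call stops execution, so a `json_response()` that merely prints would let the endpoint continue; that helper is not in this hunk, so either confirm it exits or make the check self-sufficient as below. In the same function `$_SESSION['csrf_token']` is tested only with `empty()`, so a non-string session value makes `hash_equals()` throw a `TypeError` on PHP 8 instead of returning 403, and the token is minted once per session and never rotated, so it should be cleared wherever the session is regenerated at login. `print_csrf_script()` is safe as written because the token is hex-only; adding `JSON_HEX_TAG | JSON_HEX_AMP` would keep it safe if the token format ever changes. `require_logged_in()` continues past the end of the hunk.

```php
function require_csrf_token(): void
{
    // … unchanged: early return for GET/HEAD/OPTIONS …
    $stored = $_SESSION['csrf_token'] ?? null;
    $token = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? $_POST['csrf_token'] ?? '';
    if (!is_string($stored) || $stored === '' || !is_string($token) || !hash_equals($stored, $token)) {
        json_response(['success' => false, 'message' => 'Invalid CSRF token.'], 403);
        exit; // do not depend on json_response() terminating the request
    }
}
```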
|
||||
|
||||