@@ -17,6 +17,7 @@ if (!isset($_SESSION["logged_in"]) || $_SESSION["logged_in"] !== true) {
|
|||||||
<!-- Bootstrap CSS -->
|
<!-- Bootstrap CSS -->
|
||||||
<?php
|
<?php
|
||||||
include "../assets/components.php";
|
include "../assets/components.php";
|
||||||
|
print_csrf_script();
|
||||||
?>
|
?>
|
||||||
<script src="https://cdn.rawgit.com/davidshimjs/qrcodejs/gh-pages/qrcode.min.js"></script>
|
<script src="https://cdn.rawgit.com/davidshimjs/qrcodejs/gh-pages/qrcode.min.js"></script>
|
||||||
<link href="https://fonts.googleapis.com/icon?family=Material+Icons" rel="stylesheet"> <!-- Google Material Icons -->
|
<link href="https://fonts.googleapis.com/icon?family=Material+Icons" rel="stylesheet"> <!-- Google Material Icons -->
|
||||||
@@ -259,7 +260,8 @@ if (!isset($_SESSION["logged_in"]) || $_SESSION["logged_in"] !== true) {
|
|||||||
fetch('/api/account/update_user_data.php', {
|
fetch('/api/account/update_user_data.php', {
|
||||||
method: 'POST',
|
method: 'POST',
|
||||||
headers: {
|
headers: {
|
||||||
'Content-Type': 'application/json'
|
'Content-Type': 'application/json',
|
||||||
|
'X-CSRF-Token': window.csrfToken
|
||||||
},
|
},
|
||||||
body: JSON.stringify(updatedUser)
|
body: JSON.stringify(updatedUser)
|
||||||
})
|
})
|
||||||
@@ -306,7 +308,8 @@ if (!isset($_SESSION["logged_in"]) || $_SESSION["logged_in"] !== true) {
|
|||||||
fetch('/api/account/update_pw.php', {
|
fetch('/api/account/update_pw.php', {
|
||||||
method: 'POST',
|
method: 'POST',
|
||||||
headers: {
|
headers: {
|
||||||
'Content-Type': 'application/json'
|
'Content-Type': 'application/json',
|
||||||
|
'X-CSRF-Token': window.csrfToken
|
||||||
},
|
},
|
||||||
body: JSON.stringify(passwordData)
|
body: JSON.stringify(passwordData)
|
||||||
})
|
})
|
||||||
@@ -346,6 +349,7 @@ if (!isset($_SESSION["logged_in"]) || $_SESSION["logged_in"] !== true) {
|
|||||||
method: 'POST',
|
method: 'POST',
|
||||||
headers: {
|
headers: {
|
||||||
'Content-Type': 'application/json',
|
'Content-Type': 'application/json',
|
||||||
|
'X-CSRF-Token': window.csrfToken,
|
||||||
},
|
},
|
||||||
body: JSON.stringify({
|
body: JSON.stringify({
|
||||||
enable_2fa: isEnabled, // Send the new state of 2FA
|
enable_2fa: isEnabled, // Send the new state of 2FA
|
||||||
@@ -384,6 +388,7 @@ if (!isset($_SESSION["logged_in"]) || $_SESSION["logged_in"] !== true) {
|
|||||||
method: 'POST',
|
method: 'POST',
|
||||||
headers: {
|
headers: {
|
||||||
'Content-Type': 'application/json',
|
'Content-Type': 'application/json',
|
||||||
|
'X-CSRF-Token': window.csrfToken,
|
||||||
},
|
},
|
||||||
body: JSON.stringify({
|
body: JSON.stringify({
|
||||||
enable_message: isEnabled, // Send the new state of 2FA
|
enable_message: isEnabled, // Send the new state of 2FA
|
||||||
@@ -476,6 +481,9 @@ function generate2FAQRCode(issuer, accountName, secret) {
|
|||||||
rep = await window.fetch('/api/account/update_passkey.php?fn=processCreate' + getGetParams(), {
|
rep = await window.fetch('/api/account/update_passkey.php?fn=processCreate' + getGetParams(), {
|
||||||
//rep = await window.fetch('/test/server.php?fn=processCreate' + getGetParams(), {
|
//rep = await window.fetch('/test/server.php?fn=processCreate' + getGetParams(), {
|
||||||
method : 'POST',
|
method : 'POST',
|
||||||
|
headers : {
|
||||||
|
'X-CSRF-Token': window.csrfToken
|
||||||
|
},
|
||||||
body : JSON.stringify(authenticatorAttestationResponse),
|
body : JSON.stringify(authenticatorAttestationResponse),
|
||||||
cache : 'no-cache'
|
cache : 'no-cache'
|
||||||
});
|
});
|
||||||
@@ -620,7 +628,12 @@ function generate2FAQRCode(issuer, accountName, secret) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
function delete_all_logmein(){
|
function delete_all_logmein(){
|
||||||
fetch("/api/login/delete_keepmeloggedin.php");
|
fetch("/api/login/delete_keepmeloggedin.php", {
|
||||||
|
method: "POST",
|
||||||
|
headers: {
|
||||||
|
"X-CSRF-Token": window.csrfToken
|
||||||
|
}
|
||||||
|
});
|
||||||
}
|
}
|
||||||
</script>
|
</script>
|
||||||
|
|
||||||
|
|||||||
@@ -1,3 +1,11 @@
|
|||||||
|
<?php
|
||||||
|
include "../api/utils/security.php";
|
||||||
|
secure_session_start();
|
||||||
|
if (!isset($_SESSION["logged_in"]) || $_SESSION["logged_in"] !== true || !is_admin_session()) {
|
||||||
|
header("LOCATION:/?send_to=/account/");
|
||||||
|
exit();
|
||||||
|
}
|
||||||
|
?>
|
||||||
<!DOCTYPE html>
|
<!DOCTYPE html>
|
||||||
<html lang="en" data-bs-theme="dark">
|
<html lang="en" data-bs-theme="dark">
|
||||||
<head>
|
<head>
|
||||||
@@ -6,6 +14,7 @@
|
|||||||
<title>User Management</title>
|
<title>User Management</title>
|
||||||
<?php
|
<?php
|
||||||
include "../assets/components.php";
|
include "../assets/components.php";
|
||||||
|
print_csrf_script();
|
||||||
?>
|
?>
|
||||||
</head>
|
</head>
|
||||||
<body>
|
<body>
|
||||||
@@ -58,7 +67,12 @@
|
|||||||
if (!confirm('Are you sure you want to delete this user?')) return;
|
if (!confirm('Are you sure you want to delete this user?')) return;
|
||||||
|
|
||||||
try {
|
try {
|
||||||
const response = await fetch(`/api/manage/delete_user.php?id=${userId}`, { method: 'DELETE' });
|
const response = await fetch(`/api/manage/delete_user.php?id=${userId}`, {
|
||||||
|
method: 'DELETE',
|
||||||
|
headers: {
|
||||||
|
'X-CSRF-Token': window.csrfToken
|
||||||
|
}
|
||||||
|
});
|
||||||
const data = await response.json();
|
const data = await response.json();
|
||||||
|
|
||||||
if (data.success) {
|
if (data.success) {
|
||||||
|
|||||||
@@ -2,7 +2,11 @@
|
|||||||
include "../utils/security.php";
|
include "../utils/security.php";
|
||||||
secure_session_start();
|
secure_session_start();
|
||||||
require_same_origin_request();
|
require_same_origin_request();
|
||||||
|
require_csrf_token();
|
||||||
header('Content-Type: application/json');
|
header('Content-Type: application/json');
|
||||||
|
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
|
||||||
|
json_response(['success' => false, 'message' => 'Invalid request method.'], 405);
|
||||||
|
}
|
||||||
|
|
||||||
// Check if the user is logged in
|
// Check if the user is logged in
|
||||||
require_logged_in();
|
require_logged_in();
|
||||||
|
|||||||
@@ -2,7 +2,11 @@
|
|||||||
include "../utils/security.php";
|
include "../utils/security.php";
|
||||||
secure_session_start();
|
secure_session_start();
|
||||||
require_same_origin_request();
|
require_same_origin_request();
|
||||||
|
require_csrf_token();
|
||||||
header('Content-Type: application/json');
|
header('Content-Type: application/json');
|
||||||
|
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
|
||||||
|
json_response(['success' => false, 'message' => 'Invalid request method.'], 405);
|
||||||
|
}
|
||||||
|
|
||||||
// Check if the user is logged in
|
// Check if the user is logged in
|
||||||
require_logged_in();
|
require_logged_in();
|
||||||
|
|||||||
@@ -6,6 +6,7 @@ header('Content-Type: application/json');
|
|||||||
include "../utils/security.php";
|
include "../utils/security.php";
|
||||||
secure_session_start();
|
secure_session_start();
|
||||||
require_same_origin_request();
|
require_same_origin_request();
|
||||||
|
require_csrf_token();
|
||||||
|
|
||||||
require_once 'WebAuthn.php';
|
require_once 'WebAuthn.php';
|
||||||
|
|
||||||
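Review bot: `require_csrf_token()` returns without checking anything for GET/HEAD, and this handler is dispatched on a `fn` query parameter (the account page calls `update_passkey.php?fn=processCreate` with POST), so whether the new check applies depends on the method each `fn` branch accepts; that dispatch is outside the hunk. If any branch that writes to the database is reachable via GET, give it the explicit gate the other handlers in this commit received: `if ($_SERVER['REQUEST_METHOD'] !== 'POST') { json_response(['success' => false, 'message' => 'Invalid request method.'], 405); }`. The same question applies to the `check_passkey.php` hunk that adds `require_csrf_token();` before `require_once 'WebAuthn.php';` and `$conn = new mysqli(...)`. A challenge-creating step that legitimately answers GET needs nothing extra, since forging a read-only request gains nothing.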
|
|||||||
@@ -2,7 +2,11 @@
|
|||||||
include "../utils/security.php";
|
include "../utils/security.php";
|
||||||
secure_session_start();
|
secure_session_start();
|
||||||
require_same_origin_request();
|
require_same_origin_request();
|
||||||
|
require_csrf_token();
|
||||||
header('Content-Type: application/json');
|
header('Content-Type: application/json');
|
||||||
|
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
|
||||||
|
json_response(['success' => false, 'message' => 'Invalid request method.'], 405);
|
||||||
|
}
|
||||||
|
|
||||||
// Check if the user is logged in
|
// Check if the user is logged in
|
||||||
require_logged_in();
|
require_logged_in();
|
||||||
|
|||||||
@@ -2,6 +2,7 @@
|
|||||||
include "../utils/security.php";
|
include "../utils/security.php";
|
||||||
secure_session_start();
|
secure_session_start();
|
||||||
require_same_origin_request();
|
require_same_origin_request();
|
||||||
|
require_csrf_token();
|
||||||
header('Content-Type: application/json');
|
header('Content-Type: application/json');
|
||||||
|
|
||||||
// Check if the user is logged in
|
// Check if the user is logged in
|
||||||
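Review bot: `require_csrf_token()` is the only new line here and it is a no-op for GET/HEAD, so this handler is protected only if the code outside the hunk refuses non-POST requests; the sibling handlers in this commit add an explicit method gate and this one does not. The same gap applies to the `@@ -3,6 +3,7 @@` hunk that goes on to `include "../../config/config.php"` and to the admin hunk that checks `is_admin_session()`. Unless the rest of each file is known to be read-only on GET, add the three lines used elsewhere in the commit directly after `require_csrf_token();`: `if ($_SERVER['REQUEST_METHOD'] !== 'POST') {` / `json_response(['success' => false, 'message' => 'Invalid request method.'], 405);` / `}`.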
|
|||||||
@@ -2,7 +2,11 @@
|
|||||||
include "../utils/security.php";
|
include "../utils/security.php";
|
||||||
secure_session_start();
|
secure_session_start();
|
||||||
require_same_origin_request();
|
require_same_origin_request();
|
||||||
|
require_csrf_token();
|
||||||
header('Content-Type: application/json');
|
header('Content-Type: application/json');
|
||||||
|
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
|
||||||
|
json_response(['success' => false, 'message' => 'Invalid request method.'], 405);
|
||||||
|
}
|
||||||
$send_to=$_SESSION["end_url"];
|
$send_to=$_SESSION["end_url"];
|
||||||
|
|
||||||
include "../../config/config.php";
|
include "../../config/config.php";
|
||||||
|
|||||||
@@ -3,6 +3,7 @@ header('Content-Type: application/json');
|
|||||||
include "../utils/security.php";
|
include "../utils/security.php";
|
||||||
secure_session_start();
|
secure_session_start();
|
||||||
require_same_origin_request();
|
require_same_origin_request();
|
||||||
|
require_csrf_token();
|
||||||
require_once 'WebAuthn.php';
|
require_once 'WebAuthn.php';
|
||||||
include "../../config/config.php";
|
include "../../config/config.php";
|
||||||
$conn = new mysqli($DB_SERVERNAME, $DB_USERNAME, $DB_PASSWORD,$DB_DATABASE);
|
$conn = new mysqli($DB_SERVERNAME, $DB_USERNAME, $DB_PASSWORD,$DB_DATABASE);
|
||||||
|
|||||||
@@ -2,7 +2,11 @@
|
|||||||
include "../utils/security.php";
|
include "../utils/security.php";
|
||||||
secure_session_start();
|
secure_session_start();
|
||||||
require_same_origin_request();
|
require_same_origin_request();
|
||||||
|
require_csrf_token();
|
||||||
header('Content-Type: application/json');
|
header('Content-Type: application/json');
|
||||||
|
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
|
||||||
|
json_response(['success' => false, 'message' => 'Invalid request method.'], 405);
|
||||||
|
}
|
||||||
$send_to=$_SESSION["end_url"];
|
$send_to=$_SESSION["end_url"];
|
||||||
|
|
||||||
include "../../config/config.php";
|
include "../../config/config.php";
|
||||||
|
|||||||
@@ -2,7 +2,12 @@
|
|||||||
include "../utils/security.php";
|
include "../utils/security.php";
|
||||||
secure_session_start();
|
secure_session_start();
|
||||||
require_same_origin_request();
|
require_same_origin_request();
|
||||||
|
require_csrf_token();
|
||||||
header('Content-Type: application/json');
|
header('Content-Type: application/json');
|
||||||
|
if ($_SERVER['REQUEST_METHOD'] !== 'POST' && $_SERVER['REQUEST_METHOD'] !== 'DELETE') {
|
||||||
|
echo json_encode(['success' => false, 'message' => 'Invalid request method.']);
|
||||||
|
exit;
|
||||||
|
}
|
||||||
$send_to=$_SESSION["end_url"];
|
$send_to=$_SESSION["end_url"];
|
||||||
require_logged_in();
|
require_logged_in();
|
||||||
|
|
||||||
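Review bot: The new method gate answers a bad method with `echo json_encode(...); exit;`, which leaves the HTTP status at 200, while the parallel hunks in this commit use `json_response(['success' => false, 'message' => 'Invalid request method.'], 405);`; the same 200-on-error form appears in the `@@ -2,7 +2,12 @@` hunk that includes `../utils/get_location.php`. Replacing the three lines with that single `json_response(...)` call keeps clients from treating a rejected request as a success. Because this endpoint also accepts DELETE, `$_POST` is empty on that path and the token can only arrive in the `X-CSRF-Token` header, which the user-management page's fetch does send. `require_logged_in()` runs after the gate, which is the right order.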
|
|||||||
@@ -2,7 +2,11 @@
|
|||||||
include "../utils/security.php";
|
include "../utils/security.php";
|
||||||
secure_session_start();
|
secure_session_start();
|
||||||
require_same_origin_request();
|
require_same_origin_request();
|
||||||
|
require_csrf_token();
|
||||||
header('Content-Type: application/json');
|
header('Content-Type: application/json');
|
||||||
|
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
|
||||||
|
json_response(['success' => false, 'message' => 'Invalid request method.'], 405);
|
||||||
|
}
|
||||||
$send_to=$_SESSION["end_url"];
|
$send_to=$_SESSION["end_url"];
|
||||||
|
|
||||||
include "../../config/config.php";
|
include "../../config/config.php";
|
||||||
|
|||||||
@@ -1,4 +1,8 @@
|
|||||||
<?php
|
<?php
|
||||||
|
include "../utils/security.php";
|
||||||
|
secure_session_start();
|
||||||
|
require_same_origin_request();
|
||||||
|
require_csrf_token();
|
||||||
// Check if the POST request contains 'token' and 'password'
|
// Check if the POST request contains 'token' and 'password'
|
||||||
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
|
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
|
||||||
if (!isset($_POST['token']) || !isset($_POST['password']) || !isset($_POST['confirm_password'])) {
|
if (!isset($_POST['token']) || !isset($_POST['password']) || !isset($_POST['confirm_password'])) {
|
||||||
@@ -67,4 +71,3 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
|
|||||||
echo json_encode(['status' => 'error', 'message' => 'Invalid request method.']);
|
echo json_encode(['status' => 'error', 'message' => 'Invalid request method.']);
|
||||||
}
|
}
|
||||||
?>
|
?>
|
||||||
|
|
||||||
|
|||||||
@@ -2,7 +2,12 @@
|
|||||||
include "../utils/security.php";
|
include "../utils/security.php";
|
||||||
secure_session_start();
|
secure_session_start();
|
||||||
require_same_origin_request();
|
require_same_origin_request();
|
||||||
|
require_csrf_token();
|
||||||
header('Content-Type: application/json');
|
header('Content-Type: application/json');
|
||||||
|
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
|
||||||
|
echo json_encode(['success' => false, 'message' => 'Invalid request method.']);
|
||||||
|
exit;
|
||||||
|
}
|
||||||
include "../../config/config.php";
|
include "../../config/config.php";
|
||||||
include "../utils/get_location.php";
|
include "../utils/get_location.php";
|
||||||
$username=$_SESSION["username"] ?? "";
|
$username=$_SESSION["username"] ?? "";
|
||||||
|
|||||||
@@ -2,6 +2,10 @@
|
|||||||
include "../utils/security.php";
|
include "../utils/security.php";
|
||||||
secure_session_start();
|
secure_session_start();
|
||||||
require_same_origin_request();
|
require_same_origin_request();
|
||||||
|
require_csrf_token();
|
||||||
|
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
|
||||||
|
json_response(['success' => false, 'message' => 'Invalid request method.'], 405);
|
||||||
|
}
|
||||||
$_SESSION["needs_auth"]=true;
|
$_SESSION["needs_auth"]=true;
|
||||||
$_SESSION["logged_in"]=false;
|
$_SESSION["logged_in"]=false;
|
||||||
$username = strtolower((string) ($_POST["username"] ?? ""));
|
$username = strtolower((string) ($_POST["username"] ?? ""));
|
||||||
|
|||||||
@@ -3,6 +3,7 @@ header('Content-Type: application/json');
|
|||||||
include "../utils/security.php";
|
include "../utils/security.php";
|
||||||
secure_session_start();
|
secure_session_start();
|
||||||
require_same_origin_request();
|
require_same_origin_request();
|
||||||
|
require_csrf_token();
|
||||||
//check for permisisons
|
//check for permisisons
|
||||||
if (!isset($_SESSION["logged_in"]) || $_SESSION["logged_in"] !== true || !is_admin_session() ) {
|
if (!isset($_SESSION["logged_in"]) || $_SESSION["logged_in"] !== true || !is_admin_session() ) {
|
||||||
echo(json_encode(['success' => false, 'message'=>'not authenticated']));
|
echo(json_encode(['success' => false, 'message'=>'not authenticated']));
|
||||||
|
|||||||
@@ -3,6 +3,7 @@
|
|||||||
include "../utils/security.php";
|
include "../utils/security.php";
|
||||||
secure_session_start();
|
secure_session_start();
|
||||||
require_same_origin_request();
|
require_same_origin_request();
|
||||||
|
require_csrf_token();
|
||||||
header('Content-Type: application/json');
|
header('Content-Type: application/json');
|
||||||
|
|
||||||
include "../../config/config.php";
|
include "../../config/config.php";
|
||||||
|
|||||||
@@ -53,6 +53,32 @@ function require_same_origin_request(): void
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function csrf_token(): string
|
||||||
|
{
|
||||||
|
if (empty($_SESSION['csrf_token']) || !is_string($_SESSION['csrf_token'])) {
|
||||||
|
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
|
||||||
|
}
|
||||||
|
|
||||||
|
return $_SESSION['csrf_token'];
|
||||||
|
}
|
||||||
|
|
||||||
|
function print_csrf_script(): void
|
||||||
|
{
|
||||||
|
echo '<script>window.csrfToken = ' . json_encode(csrf_token()) . ';</script>';
|
||||||
|
}
|
||||||
|
|
||||||
|
function require_csrf_token(): void
|
||||||
|
{
|
||||||
|
if (!in_array($_SERVER['REQUEST_METHOD'] ?? 'GET', ['POST', 'PUT', 'PATCH', 'DELETE'], true)) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
$token = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? $_POST['csrf_token'] ?? '';
|
||||||
|
if (empty($_SESSION['csrf_token']) || !is_string($token) || !hash_equals($_SESSION['csrf_token'], $token)) {
|
||||||
|
json_response(['success' => false, 'message' => 'Invalid CSRF token.'], 403);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
function require_logged_in(): void
|
function require_logged_in(): void
|
||||||
{
|
{
|
||||||
if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] !== true || empty($_SESSION['id'])) {
|
if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] !== true || empty($_SESSION['id'])) {
|
||||||
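Review bot: `require_csrf_token()` intentionally exempts every method other than POST/PUT/PATCH/DELETE, so its guarantee depends on each caller rejecting GET/HEAD itself, and several handlers in this commit rely on that without saying so; a docblock should state the contract, e.g. `/** Rejects state-changing requests (POST/PUT/PATCH/DELETE) without a valid session token; GET/HEAD are exempt, so callers must refuse those methods themselves. */`. The token is minted once per session in `csrf_token()` and never rotated, so a token issued to a pre-login session survives authentication; regenerate `$_SESSION['csrf_token']` wherever the login state changes (alongside whatever `secure_session_start()` does for the session id) — that code is outside this hunk. In `print_csrf_script()`, pass `JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT` to `json_encode` so the inline script stays safe even if the token source ever stops being `bin2hex` output, and note that the inline `<script>` needs a nonce if a CSP without `'unsafe-inline'` is ever deployed. `require_logged_in()` continues outside the hunk.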
|
|||||||
@@ -25,6 +25,7 @@ if(logmein()==="success"){
|
|||||||
<title>Jakach Login</title>
|
<title>Jakach Login</title>
|
||||||
<?php
|
<?php
|
||||||
include "assets/components.php";
|
include "assets/components.php";
|
||||||
|
print_csrf_script();
|
||||||
?>
|
?>
|
||||||
</head>
|
</head>
|
||||||
<body>
|
<body>
|
||||||
@@ -103,6 +104,7 @@ if(logmein()==="success"){
|
|||||||
method: 'POST',
|
method: 'POST',
|
||||||
headers: {
|
headers: {
|
||||||
'Content-Type': 'application/x-www-form-urlencoded', // Form-like data
|
'Content-Type': 'application/x-www-form-urlencoded', // Form-like data
|
||||||
|
'X-CSRF-Token': window.csrfToken,
|
||||||
},
|
},
|
||||||
body: new URLSearchParams({
|
body: new URLSearchParams({
|
||||||
username: username, // Send username as form data
|
username: username, // Send username as form data
|
||||||
|
|||||||
@@ -10,6 +10,7 @@ secure_session_start();
|
|||||||
<title>Jakach Login</title>
|
<title>Jakach Login</title>
|
||||||
<?php
|
<?php
|
||||||
include "../assets/components.php";
|
include "../assets/components.php";
|
||||||
|
print_csrf_script();
|
||||||
?>
|
?>
|
||||||
</head>
|
</head>
|
||||||
<body>
|
<body>
|
||||||
@@ -43,6 +44,7 @@ secure_session_start();
|
|||||||
method: 'POST',
|
method: 'POST',
|
||||||
headers: {
|
headers: {
|
||||||
'Content-Type': 'application/x-www-form-urlencoded', // Form-like data
|
'Content-Type': 'application/x-www-form-urlencoded', // Form-like data
|
||||||
|
'X-CSRF-Token': window.csrfToken,
|
||||||
},
|
},
|
||||||
body: new URLSearchParams({
|
body: new URLSearchParams({
|
||||||
keepmeloggedin: keepmeloggedin, // Send password as form data
|
keepmeloggedin: keepmeloggedin, // Send password as form data
|
||||||
|
|||||||
@@ -10,6 +10,7 @@ secure_session_start();
|
|||||||
<title>Jakach Login</title>
|
<title>Jakach Login</title>
|
||||||
<?php
|
<?php
|
||||||
include "../assets/components.php";
|
include "../assets/components.php";
|
||||||
|
print_csrf_script();
|
||||||
?>
|
?>
|
||||||
</head>
|
</head>
|
||||||
<body>
|
<body>
|
||||||
@@ -78,6 +79,7 @@ secure_session_start();
|
|||||||
method: 'POST',
|
method: 'POST',
|
||||||
headers: {
|
headers: {
|
||||||
'Content-Type': 'application/x-www-form-urlencoded', // Form-like data
|
'Content-Type': 'application/x-www-form-urlencoded', // Form-like data
|
||||||
|
'X-CSRF-Token': window.csrfToken,
|
||||||
},
|
},
|
||||||
body: new URLSearchParams({
|
body: new URLSearchParams({
|
||||||
twofa_pin: password, // Send password as form data
|
twofa_pin: password, // Send password as form data
|
||||||
|
|||||||
@@ -10,6 +10,7 @@ secure_session_start();
|
|||||||
<title>Jakach Login</title>
|
<title>Jakach Login</title>
|
||||||
<?php
|
<?php
|
||||||
include "../assets/components.php";
|
include "../assets/components.php";
|
||||||
|
print_csrf_script();
|
||||||
?>
|
?>
|
||||||
</head>
|
</head>
|
||||||
<body>
|
<body>
|
||||||
@@ -106,6 +107,9 @@ async function checkRegistration() {
|
|||||||
// send to server
|
// send to server
|
||||||
rep = await window.fetch('/api/login/check_passkey.php?fn=processGet' + getGetParams(), {
|
rep = await window.fetch('/api/login/check_passkey.php?fn=processGet' + getGetParams(), {
|
||||||
method:'POST',
|
method:'POST',
|
||||||
|
headers: {
|
||||||
|
'X-CSRF-Token': window.csrfToken
|
||||||
|
},
|
||||||
body: JSON.stringify(authenticatorAttestationResponse),
|
body: JSON.stringify(authenticatorAttestationResponse),
|
||||||
cache:'no-cache'
|
cache:'no-cache'
|
||||||
});
|
});
|
||||||
|
|||||||
@@ -10,6 +10,7 @@ secure_session_start();
|
|||||||
<title>Jakach Login</title>
|
<title>Jakach Login</title>
|
||||||
<?php
|
<?php
|
||||||
include "../assets/components.php";
|
include "../assets/components.php";
|
||||||
|
print_csrf_script();
|
||||||
?>
|
?>
|
||||||
</head>
|
</head>
|
||||||
<body>
|
<body>
|
||||||
@@ -81,7 +82,12 @@ secure_session_start();
|
|||||||
<script>
|
<script>
|
||||||
//pw reset:
|
//pw reset:
|
||||||
function reset_pw(){
|
function reset_pw(){
|
||||||
fetch("/api/login/send_reset_link.php");
|
fetch("/api/login/send_reset_link.php", {
|
||||||
|
method: "POST",
|
||||||
|
headers: {
|
||||||
|
"X-CSRF-Token": window.csrfToken
|
||||||
|
}
|
||||||
|
});
|
||||||
var resetModal = new bootstrap.Modal(document.getElementById('resetModal'));
|
var resetModal = new bootstrap.Modal(document.getElementById('resetModal'));
|
||||||
resetModal.show();
|
resetModal.show();
|
||||||
}
|
}
|
||||||
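Review bot: `reset_pw()` now sends a POST that the server can refuse with a 403 on a missing or invalid token (or a 405 on the wrong method), but the returned promise is still dropped and the reset modal is shown unconditionally, so a rejected request looks like success to the user. Chain a response check and only show the modal on `response.ok`, logging the status otherwise; the whole function is inside this hunk. The `delete_all_logmein()` change in the account page has the same fire-and-forget shape and would benefit from the same check.
```javascript
function reset_pw(){
    fetch("/api/login/send_reset_link.php", {
        // … unchanged: method and X-CSRF-Token header …
    }).then(function (response) {
        if (!response.ok) {
            console.error("Password reset request was rejected:", response.status);
            return;
        }
        var resetModal = new bootstrap.Modal(document.getElementById('resetModal'));
        resetModal.show();
    });
}
```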
@@ -108,6 +114,7 @@ secure_session_start();
|
|||||||
method: 'POST',
|
method: 'POST',
|
||||||
headers: {
|
headers: {
|
||||||
'Content-Type': 'application/x-www-form-urlencoded', // Form-like data
|
'Content-Type': 'application/x-www-form-urlencoded', // Form-like data
|
||||||
|
'X-CSRF-Token': window.csrfToken,
|
||||||
},
|
},
|
||||||
body: new URLSearchParams({
|
body: new URLSearchParams({
|
||||||
password: password, // Send password as form data
|
password: password, // Send password as form data
|
||||||
|
|||||||
@@ -1,3 +1,7 @@
|
|||||||
|
<?php
|
||||||
|
include "../api/utils/security.php";
|
||||||
|
secure_session_start();
|
||||||
|
?>
|
||||||
<!DOCTYPE html>
|
<!DOCTYPE html>
|
||||||
<html lang="en" data-bs-theme="dark">
|
<html lang="en" data-bs-theme="dark">
|
||||||
|
|
||||||
@@ -7,6 +11,7 @@
|
|||||||
<title>Password Reset</title>
|
<title>Password Reset</title>
|
||||||
<?php
|
<?php
|
||||||
include "../assets/components.php";
|
include "../assets/components.php";
|
||||||
|
print_csrf_script();
|
||||||
?>
|
?>
|
||||||
|
|
||||||
</head>
|
</head>
|
||||||
@@ -57,6 +62,9 @@
|
|||||||
try {
|
try {
|
||||||
const response = await fetch('/api/login/reset_pw.php', {
|
const response = await fetch('/api/login/reset_pw.php', {
|
||||||
method: 'POST',
|
method: 'POST',
|
||||||
|
headers: {
|
||||||
|
'X-CSRF-Token': window.csrfToken
|
||||||
|
},
|
||||||
body: formData
|
body: formData
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -79,4 +87,3 @@
|
|||||||
</body>
|
</body>
|
||||||
|
|
||||||
</html>
|
</html>
|
||||||
|
|
||||||
|
|||||||
@@ -11,6 +11,7 @@ secure_session_start();
|
|||||||
<title>Jakach Login</title>
|
<title>Jakach Login</title>
|
||||||
<?php
|
<?php
|
||||||
include "../assets/components.php";
|
include "../assets/components.php";
|
||||||
|
print_csrf_script();
|
||||||
?>
|
?>
|
||||||
</head>
|
</head>
|
||||||
<body>
|
<body>
|
||||||
@@ -124,6 +125,7 @@ secure_session_start();
|
|||||||
method: 'POST',
|
method: 'POST',
|
||||||
headers: {
|
headers: {
|
||||||
'Content-Type': 'application/json', // JSON format
|
'Content-Type': 'application/json', // JSON format
|
||||||
|
'X-CSRF-Token': window.csrfToken,
|
||||||
},
|
},
|
||||||
body: JSON.stringify(formData), // Convert form data to JSON string
|
body: JSON.stringify(formData), // Convert form data to JSON string
|
||||||
});
|
});
|
||||||
|
|||||||