From f038581c3474f6cbe5c33cfe857b166b97430a7c Mon Sep 17 00:00:00 2001
From: janis steiner
Date: Thu, 7 May 2026 22:37:44 +0200
Subject: [PATCH] adding redirect warnings to external systems

---
 .../api/login/confirm_external_redirect.php | 8 +++
 app-code/api/login/redirect.php | 17 +++++--
 app-code/api/login/set_username.php | 1 +
 app-code/api/utils/security.php | 19 +++++++
 app-code/login/index.php | 51 ++++++++++++++++---
 5 files changed, 86 insertions(+), 10 deletions(-)
 create mode 100644 app-code/api/login/confirm_external_redirect.php

diff --git a/app-code/api/login/confirm_external_redirect.php b/app-code/api/login/confirm_external_redirect.php
new file mode 100644
index 0000000..d8a0d82
--- /dev/null
+++ b/app-code/api/login/confirm_external_redirect.php
@@ -0,0 +1,8 @@
+ true]);
\ No newline at end of file
diff --git a/app-code/api/login/redirect.php b/app-code/api/login/redirect.php
index 1e8e9ae..d5aa451 100644
--- a/app-code/api/login/redirect.php
+++ b/app-code/api/login/redirect.php
@@ -56,10 +56,19 @@ else if ($_SESSION["needs_auth"]===false && $_SESSION["mfa_authenticated"]==1 &&
 mysqli_stmt_execute($stmt);
 mysqli_stmt_close($stmt);
 if(!empty($send_to)){
- $data=[
- 'message' => 'done',
- 'redirect' => append_auth_token_to_redirect($send_to, $auth_token)
- ];
+ $external_domain = is_external_domain($send_to);
+ if ($external_domain !== null && !isset($_SESSION["external_domain_confirmed"])){
+ $data=[
+ 'message' => 'external_redirect_warning',
+ 'domain' => $external_domain,
+ 'redirect' => append_auth_token_to_redirect($send_to, $auth_token)
+ ];
+ }else{
+ $data=[
+ 'message' => 'done',
+ 'redirect' => append_auth_token_to_redirect($send_to, $auth_token)
+ ];
+ }
 }else{
 $data=[
 'message' => 'done',
diff --git a/app-code/api/login/set_username.php b/app-code/api/login/set_username.php
index ab03182..0da5c52 100644
--- a/app-code/api/login/set_username.php
+++ b/app-code/api/login/set_username.php
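Review bot: The gate `!isset($_SESSION["external_domain_confirmed"])` in redirect.php is a session-wide boolean that is not tied to the host the user was warned about, so once any external domain has been confirmed, a later `$send_to` pointing at a different host is redirected to without a warning until set_username.php clears the flag. The warning branch also already returns `append_auth_token_to_redirect($send_to, $auth_token)`, so the token-bearing URL is handed to the client before the user has confirmed anything; the confirmation endpoint (presumably confirm_external_redirect.php, whose body is not legible in this patch) then only gates the UI. Consider having the confirm step record the domain it was shown and comparing against it here, `$confirmed = $_SESSION["external_domain_confirmed"] ?? null;` / `if ($external_domain !== null && $confirmed !== $external_domain){`, and omitting `'redirect'` from the warning payload so the URL with the token is only issued on the confirmed call. The inner `else` arm duplicates the outer `'done'` payload and could simply fall through to it. The enclosing `else if` branch starts before this hunk.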
@@ -11,6 +11,7 @@ $conn = new mysqli($DB_SERVERNAME, $DB_USERNAME, $DB_PASSWORD, $DB_DATABASE);
 check_rate_limit($conn, 'set_username', 30, 60);
 $_SESSION["needs_auth"]=true;
 $_SESSION["logged_in"]=false;
+unset($_SESSION["external_domain_confirmed"]);
 $username = strtolower((string) ($_POST["username"] ?? ""));
 $_SESSION["username"]=preg_replace("/[^a-z0-9_]/","",$username);
 session_regenerate_id(true);
diff --git a/app-code/api/utils/security.php b/app-code/api/utils/security.php
index 56737b8..cc365a2 100644
--- a/app-code/api/utils/security.php
+++ b/app-code/api/utils/security.php
@@ -295,4 +295,23 @@ function append_auth_token_to_redirect(string $redirect, string $auth_token): st
 return $redirect . $separator . 'auth=' . rawurlencode($auth_token);
 }
 
+function is_external_domain(string $url): ?string
+{
+ if (!str_starts_with($url, 'http://') && !str_starts_with($url, 'https://')) {
+ return null;
+ }
+
+ $host = parse_url($url, PHP_URL_HOST);
+ if ($host === null || $host === '') {
+ return null;
+ }
+
+ $host = strtolower($host);
+ if ($host === 'auth.jakach.ch' || str_ends_with($host, '.jakach.ch')) {
+ return null;
+ }
+
+ return $host;
+}
+
 ?>
diff --git a/app-code/login/index.php b/app-code/login/index.php
index 4dffda2..68408be 100644
--- a/app-code/login/index.php
+++ b/app-code/login/index.php
@@ -12,15 +12,39 @@
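Review bot: `is_external_domain` fails open: it returns null — which redirect.php treats as "no warning needed" — for any URL that does not begin with lowercase `http://` or `https://`, so `HTTPS://other.example/` or a protocol-relative `//other.example/` is redirected to without the new warning. `parse_url` also returns `false` rather than null for a badly malformed URL, which the `$host === null` check lets through to `strtolower` (a TypeError under strict_types, an empty string otherwise). Deciding on the parsed host alone with an `is_string` guard closes both gaps; the allow-list comparison below can stay as it is, though the hard-coded `auth.jakach.ch` would be easier to keep in sync as a constant next to the other redirect helpers in this file.
```php
function is_external_domain(string $url): ?string
{
    // Decide on the parsed host rather than a scheme prefix: parse_url handles
    // upper-case schemes and protocol-relative URLs, and returns false (not null)
    // on malformed input.
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return null;
    }

    $host = strtolower($host);
    // … unchanged: allow-list check for auth.jakach.ch / *.jakach.ch and return $host …
}
```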
-
+
Loading...
-

Redirecting...

+

Redirecting...

+
+ +