This commit is contained in:
@@ -0,0 +1,8 @@
|
||||
<?php
|
||||
include "../utils/security.php";
|
||||
secure_session_start();
|
||||
header('Content-Type: application/json');
|
||||
|
||||
$_SESSION["external_domain_confirmed"] = true;
|
||||
|
||||
echo json_encode(['success' => true]);
|
||||
@@ -56,10 +56,19 @@ else if ($_SESSION["needs_auth"]===false && $_SESSION["mfa_authenticated"]==1 &&
|
||||
mysqli_stmt_execute($stmt);
|
||||
mysqli_stmt_close($stmt);
|
||||
if(!empty($send_to)){
|
||||
$data=[
|
||||
'message' => 'done',
|
||||
'redirect' => append_auth_token_to_redirect($send_to, $auth_token)
|
||||
];
|
||||
$external_domain = is_external_domain($send_to);
|
||||
if ($external_domain !== null && !isset($_SESSION["external_domain_confirmed"])){
|
||||
$data=[
|
||||
'message' => 'external_redirect_warning',
|
||||
'domain' => $external_domain,
|
||||
'redirect' => append_auth_token_to_redirect($send_to, $auth_token)
|
||||
];
|
||||
}else{
|
||||
$data=[
|
||||
'message' => 'done',
|
||||
'redirect' => append_auth_token_to_redirect($send_to, $auth_token)
|
||||
];
|
||||
}
|
||||
}else{
|
||||
$data=[
|
||||
'message' => 'done',
|
||||
|
||||
@@ -11,6 +11,7 @@ $conn = new mysqli($DB_SERVERNAME, $DB_USERNAME, $DB_PASSWORD, $DB_DATABASE);
|
||||
check_rate_limit($conn, 'set_username', 30, 60);
|
||||
$_SESSION["needs_auth"]=true;
|
||||
$_SESSION["logged_in"]=false;
|
||||
unset($_SESSION["external_domain_confirmed"]);
|
||||
$username = strtolower((string) ($_POST["username"] ?? ""));
|
||||
$_SESSION["username"]=preg_replace("/[^a-z0-9_]/","",$username);
|
||||
session_regenerate_id(true);
|
||||
|
||||
@@ -295,4 +295,23 @@ function append_auth_token_to_redirect(string $redirect, string $auth_token): st
|
||||
return $redirect . $separator . 'auth=' . rawurlencode($auth_token);
|
||||
}
|
||||
|
||||
function is_external_domain(string $url): ?string
|
||||
{
|
||||
if (!str_starts_with($url, 'http://') && !str_starts_with($url, 'https://')) {
|
||||
return null;
|
||||
}
|
||||
|
||||
$host = parse_url($url, PHP_URL_HOST);
|
||||
if ($host === null || $host === '') {
|
||||
return null;
|
||||
}
|
||||
|
||||
$host = strtolower($host);
|
||||
if ($host === 'auth.jakach.ch' || str_ends_with($host, '.jakach.ch')) {
|
||||
return null;
|
||||
}
|
||||
|
||||
return $host;
|
||||
}
|
||||
|
||||
?>
|
||||
|
||||
@@ -12,15 +12,39 @@
|
||||
<body>
|
||||
<div class="d-flex flex-column justify-content-center align-items-center" style="height: 100vh;">
|
||||
<!-- Spinner -->
|
||||
<div class="spinner-border text-primary mb-3" role="status">
|
||||
<div class="spinner-border text-primary mb-3" role="status" id="loadingSpinner">
|
||||
<span class="visually-hidden">Loading...</span>
|
||||
</div>
|
||||
<!-- Redirecting Text -->
|
||||
<p class="text-center fs-4">Redirecting...</p>
|
||||
<p class="text-center fs-4" id="statusText">Redirecting...</p>
|
||||
</div>
|
||||
|
||||
<div class="modal fade" id="externalWarningModal" data-bs-backdrop="static" data-bs-keyboard="false" tabindex="-1" aria-labelledby="externalWarningModalLabel" aria-hidden="true">
|
||||
<div class="modal-dialog modal-dialog-centered">
|
||||
<div class="modal-content">
|
||||
<div class="modal-header">
|
||||
<h5 class="modal-title" id="externalWarningModalLabel">⚠️ External Login Warning</h5>
|
||||
</div>
|
||||
<div class="modal-body">
|
||||
<p>You are being logged in into <strong id="externalDomainDisplay"></strong></p>
|
||||
<p>This service is <strong>not operated by Jakach</strong>. The service will have access to:</p>
|
||||
<ul>
|
||||
<li>Email username</li>
|
||||
<li>Telegram ID</li>
|
||||
<li>User ID & User Token</li>
|
||||
</ul>
|
||||
<p class="mb-0 text-muted">Do you want to continue?</p>
|
||||
</div>
|
||||
<div class="modal-footer">
|
||||
<a href="/account/" class="btn btn-secondary">Cancel</a>
|
||||
<button type="button" class="btn btn-primary" id="confirmExternalRedirect">Continue</button>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<script>
|
||||
const redirect_api="/api/login/redirect.php";
|
||||
|
||||
let pendingRedirectUrl = null;
|
||||
|
||||
async function redirect() {
|
||||
try {
|
||||
@@ -39,15 +63,30 @@
|
||||
|
||||
// Check if the redirect URL exists
|
||||
if (redirectUrl) {
|
||||
// Redirect the user to the URL
|
||||
window.location.href = redirectUrl;
|
||||
if (data.message === 'external_redirect_warning') {
|
||||
pendingRedirectUrl = redirectUrl;
|
||||
document.getElementById('externalDomainDisplay').textContent = data.domain;
|
||||
document.getElementById('loadingSpinner').style.display = 'none';
|
||||
document.getElementById('statusText').textContent = 'Login warning';
|
||||
var warningModal = new bootstrap.Modal(document.getElementById('externalWarningModal'));
|
||||
warningModal.show();
|
||||
} else {
|
||||
// Redirect the user to the URL
|
||||
window.location.href = redirectUrl;
|
||||
}
|
||||
}
|
||||
} catch (error) {
|
||||
// Handle errors (e.g., network issues or API errors)
|
||||
console.error("Error fetching data:", error);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
document.getElementById('confirmExternalRedirect').addEventListener('click', function() {
|
||||
fetch('/api/login/confirm_external_redirect.php', { method: 'POST' }).then(() => {
|
||||
window.location.href = pendingRedirectUrl;
|
||||
});
|
||||
});
|
||||
|
||||
// Call the function on page load
|
||||
redirect();
|
||||
</script>
|
||||
|
||||
Reference in New Issue
Block a user