From 2fa388d441069f7c730b6b80ea85043a857fbcef Mon Sep 17 00:00:00 2001
From: jakani24 <janis.st44@gmail.com>
Date: Thu, 6 Jun 2024 16:21:36 +0200
Subject: [PATCH] adding 2fa

---
 .../system/insecure_zone/php/2fa.php          | 78 +++++++++++++++++++
 .../system/insecure_zone/php/login.php        |  9 +++
 2 files changed, 87 insertions(+)
 create mode 100644 src/server/cyberhex-code/system/insecure_zone/php/2fa.php

diff --git a/src/server/cyberhex-code/system/insecure_zone/php/2fa.php b/src/server/cyberhex-code/system/insecure_zone/php/2fa.php
new file mode 100644
index 0000000..bb63fab
--- /dev/null
+++ b/src/server/cyberhex-code/system/insecure_zone/php/2fa.php
@@ -0,0 +1,78 @@
+<?php
+session_start();
+if(isset($_SESSION["login"])){
+	header("LOCATION:/system/secure_zone/php/index.php");
+}
+if(!isset($_SESSION["2fa_auth"])){ //so only someone who has allready confirmed his passwd can get here
+	header("LOCATION:/system/insecure_zone/php/login.php");
+	exit();
+}
+include "../../../api/php/notifications/sendmessage.php"; //to send user notification on login
+?>
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-EVSTQN3/azprG1Anm3QDgpJLIm9Nao0Yz1ztcQTwFspd3yD65VohhpuuCOmLASjC" crossorigin="anonymous">
+    <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/js/bootstrap.bundle.min.js" integrity="sha384-MrcW6ZMFYlzcLA8Nl+NtUVF0sA7MsXsP1UyJoMp4YLEuNSfAP+JcXn/tWtIaxVXM" crossorigin="anonymous"></script>
+	<title>Cyberhex login page</title>
+	<style>
+    .bg-image {
+      background-image: url('/logo.png');
+      background-size: contain;
+      background-repeat: no-repeat;
+      background-position: center;
+      height: 100vh; /* Set height to viewport height */
+    }
+  </style>
+</head>
+<body>
+<div class="container-fluid bg-image">
+	<div class="container mt-5">
+		<div class="row justify-content-center">
+			<div class="col-md-6">
+				<div class="card">
+					<div class="card-header">
+						<h4>Login to Cyberhex using second factor</h4>
+					</div>
+					<div class="card-body">
+						<form action="login.php" method="post">
+							<div class="form-group">
+								<label for="pin">2FA-Pin (sent to you via Telegram):</label>
+								<input type="text" class="form-control" id="pin" name="pin" required>
+							</div>
+						</form>
+						<!-- php code to verify 2fa pin-->
+						<?php
+							// Check if the form is submitted
+							if ($_SERVER["REQUEST_METHOD"] == "POST") {
+								//include db pw
+								include "../../../config.php";
+								
+								// Retrieve user input
+								$pin = htmlspecialchars($_POST["pin"]);
+								if($pin==$_SESSION["pin"])	
+								{
+									$_SESSION["login"]=true;
+									if($_SESSION["send_login_message"]=="1"){
+										$ip = $_SERVER['REMOTE_ADDR'];
+										$username=$row["username"];
+										send_to_user("[LOGIN WARNING]\nHello $username\nSomebody has logged into Cyberhex with your account.\nIf this was you, you can ignore this message. Else please take steps to secure your account!\nIP: $ip\n",$username);
+										echo '<script>window.location.href = "/system/secure_zone/php/index.php";</script>';
+									}
+								}else {
+									echo '<div class="alert alert-danger" role="alert">
+													Incorrect pin.
+												  </div>';
+								}
+							}
+						?>
+						
+					</div>
+				</div>
+			</div>
+		</div>
+	</div>
+</div>
+</body>
+</html>
diff --git a/src/server/cyberhex-code/system/insecure_zone/php/login.php b/src/server/cyberhex-code/system/insecure_zone/php/login.php
index 957f0f1..e20f6dd 100644
--- a/src/server/cyberhex-code/system/insecure_zone/php/login.php
+++ b/src/server/cyberhex-code/system/insecure_zone/php/login.php
@@ -305,6 +305,15 @@ async function checkRegistration() {
 											$_SESSION["allow_pw_login"]=$row["allow_pw_login"];
 											$_SESSION["send_login_message"]=$row["send_login_message"];
 											$_SESSION["use_2fa"]=$row["use_2fa"];
+											if($_SESSION["use_2fa"]=="1"){
+												$_SESSION["login"]=false; //set the login state to false
+												$_SESSION["2fa_auth"]=true;
+												$pin=mt_rand(100000, 999999);
+												$_SESSION["pin"]=$pin;
+												send_to_user("[2FA-Pin]\nHello $username\nHere is your pin to log into cyberhex: $pin. If you did not try to log in please take steps to secure your account!\nIP: $ip\n",$username);
+												//send the user to 2fa auth page
+												echo '<script>window.location.href = "/system/insecure_zone/php/2fa.php";</script>';
+											}
 											
 											if($_SESSION["send_login_message"]=="1"){
 												$ip = $_SERVER['REMOTE_ADDR'];