adding passkey to profile.php

2024-04-26 16:12:22 +02:00
parent 30444e57eb
commit c924815e99
6 changed files with 39 additions and 17 deletions
--- a/src/server/cyberhex-code/install/create_admin.php
+++ b/src/server/cyberhex-code/install/create_admin.php
@@ -49,7 +49,7 @@
 								$success=0;
 								die("Connection failed: " . $conn->connect_error);
 							}
-							$stmt = $conn->prepare("INSERT INTO users (email, username, password,perms) VALUES (?, ?, ?, ?)");
+							$stmt = $conn->prepare("INSERT INTO users (email, username, password,perms,allow_pw_login) VALUES (?, ?, ?, ?,1)");
 							$stmt->bind_param("ssss", $email, $username, $hash, $permissions);
 							$email=htmlspecialchars($_POST["email"]);
--- a/src/server/cyberhex-code/install/create_db.php
+++ b/src/server/cyberhex-code/install/create_db.php
@@ -68,6 +68,7 @@
 				telegram_id VARCHAR(255),
 				user_hex_id VARCHAR(255),
 				credential_id VARBINARY(64),
 				allow_pw_login INT,
 				public_key TEXT,
 				counter INT
 			)";
--- a/src/server/cyberhex-code/system/insecure_zone/php/login.php
+++ b/src/server/cyberhex-code/system/insecure_zone/php/login.php
@@ -271,19 +271,27 @@ async function checkRegistration() {
 							// Check if the user exists and verify the password
 							if ($result->num_rows > 0) {
 								$row = $result->fetch_assoc();
-								if (password_verify($password, $row['password'])) {
+								if($row["allow_pw_login"]==1){
-									$_SESSION["username"]=$username;
+									if (password_verify($password, $row['password'])) {
-									$_SESSION["login"]=true;
+										$_SESSION["username"]=$username;
-									$_SESSION["perms"]=$row["perms"];
+										$_SESSION["login"]=true;
-									$_SESSION["email"]=$row["email"];
+										$_SESSION["perms"]=$row["perms"];
-									$_SESSION["telegram_id"]=$row["telegram_id"];
+										$_SESSION["email"]=$row["email"];
-									
+										$_SESSION["telegram_id"]=$row["telegram_id"];
-									echo '<script>window.location.href = "/system/secure_zone/php/index.php";</script>';
+										$_SESSION["allow_pw_login"]=$row["allow_pw_login"];
-									exit();
+										
-								} else {
+										echo '<script>window.location.href = "/system/secure_zone/php/index.php";</script>';
 										exit();
 									} else {
 										echo '<div class="alert alert-danger" role="alert">
 												Incorrect username or password.
 											  </div>';
 									}
 								}
 								else{
 									echo '<div class="alert alert-danger" role="alert">
-											Incorrect username or password.
+										Password login is disabled on your account. Please use your passkey
-										  </div>';
+									  </div>';
 								}
 							} else {
 								echo '<div class="alert alert-danger" role="alert">
--- a/src/server/cyberhex-code/system/secure_zone/php/add_user.php
+++ b/src/server/cyberhex-code/system/secure_zone/php/add_user.php
@@ -156,7 +156,7 @@ include "perms_functions.php";
 										$success=0;
 										die("Connection failed: " . $conn->connect_error);
 									}
-								$stmt = $conn->prepare("INSERT INTO users (email, username, password,perms) VALUES (?, ?, ?, ?)");
+								$stmt = $conn->prepare("INSERT INTO users (email, username, password,perms,allow_pw_login) VALUES (?, ?, ?, ?,1)");
 								$stmt->bind_param("ssss", $email, $username, $hash, $permissions);
 								$email=htmlspecialchars($_POST["email"]);
--- a/src/server/cyberhex-code/system/secure_zone/php/passwd.php
+++ b/src/server/cyberhex-code/system/secure_zone/php/passwd.php
@@ -66,7 +66,6 @@ $email = $_SESSION["email"];
                if (authenticatorAttestationServerResponse.success) {
                    reloadServerPreview();
                    window.alert(authenticatorAttestationServerResponse.msg || 'registration success');
 					window.location.href = "end.php";
                } else {
                    throw new Error(authenticatorAttestationServerResponse.msg);
                }
--- a/src/server/cyberhex-code/system/secure_zone/php/profile.php
+++ b/src/server/cyberhex-code/system/secure_zone/php/profile.php
@@ -21,6 +21,7 @@ if ($_SERVER["REQUEST_METHOD"] == "POST") {
 	$email=htmlspecialchars($_POST["email"]);
 	$username_new=htmlspecialchars($_POST["username"]);
 	$telegram_id=htmlspecialchars($_POST["telegram_id"]);
 	$pw_login=isset($_POST["pw_login"]);
 	// Create connection
 	$conn = new mysqli($DB_SERVERNAME, $DB_USERNAME, $DB_PASSWORD,$DB_DATABASE);
@@ -29,8 +30,8 @@ if ($_SERVER["REQUEST_METHOD"] == "POST") {
 		$success=0;
 		die("Connection failed: " . $conn->connect_error);
 	}
-	$stmt = $conn->prepare("UPDATE users set email = ?, username = ?, telegram_id = ? where username = ?");
+	$stmt = $conn->prepare("UPDATE users set email = ?, username = ?, telegram_id = ?, allow_pw_login = ? where username = ?");
-	$stmt->bind_param("ssss", $email, $username_new,$telegram_id, $username);
+	$stmt->bind_param("sssis", $email, $username_new,$telegram_id, $pw_login, $username);
 	$email=htmlspecialchars($_POST["email"]);
 	$username_new=htmlspecialchars($_POST["username"]);
@@ -42,6 +43,7 @@ if ($_SERVER["REQUEST_METHOD"] == "POST") {
 	$_SESSION["username"]=$username;
 	$_SESSION["email"]=$email;
 	$_SESSION["telegram_id"]=$telegram_id;
 	$_SESSION["allow_pw_login"]=$pw_login;
 }
 ?>
@@ -81,6 +83,18 @@ if ($_SERVER["REQUEST_METHOD"] == "POST") {
 							</label>
 							<input type="text" class="form-control" id="perms" name="perms" value="<?php echo($perms); ?>" readonly>
 						</div>
 						<div class="form-group">
 							<label for="pw_login">Allow password logins. (Please make shure you have a passkey, if you disable this!)</label>
 							<?php
 								if($_SESSION["allow_pw_login"]==1){
 									echo("<input type='checkbox' id='pw_login' name='pw_login' checked>");
 								}else{
 									echo("<input type='checkbox' id='pw_login' name='pw_login'>");
 								}
 							?>
 							<input type="checkbox" id="pw_login" name="pw_login">
 						</div>
 						<br>
 						<button type="submit" class="btn btn-primary btn-block">Update</button>
 					</form>