joachim/FileRise
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

New fetchWithCsrf with fallback for session change. start.sh session directory added.

Browse Source
This commit is contained in:
Ryan
2025-04-23 09:53:21 -04:00
committed by GitHub
parent 89f124250c
commit 06b3f28df0
11 changed files with 492 additions and 296 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
CHANGELOG.md
View File

@@ -1,6 +1,6 @@
# Changelog # Changelog
## Changes 4/23/2025 ## Changes 4/23/2025 1.2.4
**AuthModel** **AuthModel**
@@ -16,8 +16,19 @@
- Repopulates `$_SESSION['authenticated']`, `username`, `isAdmin`, `folderOnly`, `readOnly`, `disableUpload` from payload - Repopulates `$_SESSION['authenticated']`, `username`, `isAdmin`, `folderOnly`, `readOnly`, `disableUpload` from payload
- Regenerates session ID and CSRF token, then immediately returns JSON and exits - Regenerates session ID and CSRF token, then immediately returns JSON and exits
- **Updated** `userController.php` - **Updated** `userController.php`
- Fixed totp isAdmin when session is missing but `remember_me_token` cookie present - Fixed totp isAdmin when session is missing but `remember_me_token` cookie present
- **loadCsrfToken()**
- Now reads `X-CSRF-Token` response header first, falls back to JSON `csrf_token` if header absent
- Updates `window.csrfToken`, `window.SHARE_URL`, and `<meta>` tags with the new values
- **fetchWithCsrf(url, options)**
- Sends `credentials: 'include'` and current `X-CSRF-Token` on every request
- Handles “soft-failure” JSON (`{ csrf_expired: true, csrf_token }`): updates token and retries once without a 403 in DevTools
- On HTTP 403 fallback: reads new token from header or `/api/auth/token.php`, updates token, and retries once
- **start.sh**
- Session directory setup
## Changes 4/22/2025 v1.2.3 ## Changes 4/22/2025 v1.2.3

1
custom-php.ini
View File

@@ -41,6 +41,7 @@ upload_tmp_dir=/tmp
session.gc_maxlifetime=1440 session.gc_maxlifetime=1440
session.gc_probability=1 session.gc_probability=1
session.gc_divisor=100 session.gc_divisor=100
session.save_path = "/var/www/sessions"
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Error Handling / Logging ; Error Handling / Logging

73
public/js/auth.js
View File

@@ -44,6 +44,55 @@ function showToast(msgKey) {
} }
window.showToast = showToast; window.showToast = showToast;
const originalFetch = window.fetch;
/*
* @param {string} url
* @param {object} options
* @returns {Promise<Response>}
*/
export async function fetchWithCsrf(url, options = {}) {
options = { credentials: 'include', headers: {}, ...options };
options.headers['X-CSRF-Token'] = window.csrfToken;
// 1) First attempt using the original fetch
let res = await originalFetch(url, options);
// 2) Softfailure JSON check (200 + {csrf_expired})
if (res.ok && res.headers.get('content-type')?.includes('application/json')) {
const clone = res.clone();
const data = await clone.json();
if (data.csrf_expired) {
const newToken = data.csrf_token;
window.csrfToken = newToken;
document.querySelector('meta[name="csrf-token"]').content = newToken;
options.headers['X-CSRF-Token'] = newToken;
return originalFetch(url, options);
}
}
// 3) HTTP 403 fallback
if (res.status === 403) {
let newToken = res.headers.get('X-CSRF-Token');
if (!newToken) {
const tokRes = await originalFetch('/api/auth/token.php', { credentials: 'include' });
if (tokRes.ok) {
const body = await tokRes.json();
newToken = body.csrf_token;
}
}
if (newToken) {
window.csrfToken = newToken;
document.querySelector('meta[name="csrf-token"]').content = newToken;
options.headers['X-CSRF-Token'] = newToken;
res = await originalFetch(url, options);
}
}
return res;
}
// wrap the TOTP modal opener to disable other login buttons only for Basic/OIDC flows // wrap the TOTP modal opener to disable other login buttons only for Basic/OIDC flows
function openTOTPLoginModal() { function openTOTPLoginModal() {
originalOpenTOTPLoginModal(); originalOpenTOTPLoginModal();
@@ -236,6 +285,10 @@ function checkAuthentication(showLoginToast = true) {
if (typeof data.totp_enabled !== "undefined") { if (typeof data.totp_enabled !== "undefined") {
localStorage.setItem("userTOTPEnabled", data.totp_enabled ? "true" : "false"); localStorage.setItem("userTOTPEnabled", data.totp_enabled ? "true" : "false");
} }
if (data.csrf_token) {
window.csrfToken = data.csrf_token;
document.querySelector('meta[name="csrf-token"]').content = data.csrf_token;
}
updateAuthenticatedUI(data); updateAuthenticatedUI(data);
return data; return data;
} else { } else {
@@ -277,11 +330,11 @@ async function submitLogin(data) {
try { try {
const perm = await sendRequest("/api/getUserPermissions.php", "GET"); const perm = await sendRequest("/api/getUserPermissions.php", "GET");
if (perm && typeof perm === "object") { if (perm && typeof perm === "object") {
localStorage.setItem("folderOnly", perm.folderOnly ? "true" : "false"); localStorage.setItem("folderOnly", perm.folderOnly ? "true" : "false");
localStorage.setItem("readOnly", perm.readOnly ? "true" : "false"); localStorage.setItem("readOnly", perm.readOnly ? "true" : "false");
localStorage.setItem("disableUpload",perm.disableUpload? "true" : "false"); localStorage.setItem("disableUpload", perm.disableUpload ? "true" : "false");
} }
} catch {} } catch { }
return window.location.reload(); return window.location.reload();
} }
@@ -406,10 +459,10 @@ function initAuth() {
} }
let url = "/api/addUser.php"; let url = "/api/addUser.php";
if (window.setupMode) url += "?setup=1"; if (window.setupMode) url += "?setup=1";
fetch(url, { fetchWithCsrf(url, {
method: "POST", method: "POST",
credentials: "include", credentials: "include",
headers: { "Content-Type": "application/json", "X-CSRF-Token": window.csrfToken }, headers: { "Content-Type": "application/json" },
body: JSON.stringify({ username: newUsername, password: newPassword, isAdmin }) body: JSON.stringify({ username: newUsername, password: newPassword, isAdmin })
}) })
.then(response => response.json()) .then(response => response.json())
@@ -439,10 +492,10 @@ function initAuth() {
} }
const confirmed = await showCustomConfirmModal("Are you sure you want to delete user " + usernameToRemove + "?"); const confirmed = await showCustomConfirmModal("Are you sure you want to delete user " + usernameToRemove + "?");
if (!confirmed) return; if (!confirmed) return;
fetch("/api/removeUser.php", { fetchWithCsrf("/api/removeUser.php", {
method: "POST", method: "POST",
credentials: "include", credentials: "include",
headers: { "Content-Type": "application/json", "X-CSRF-Token": window.csrfToken }, headers: { "Content-Type": "application/json" },
body: JSON.stringify({ username: usernameToRemove }) body: JSON.stringify({ username: usernameToRemove })
}) })
.then(response => response.json()) .then(response => response.json())
@@ -478,10 +531,10 @@ function initAuth() {
return; return;
} }
const data = { oldPassword, newPassword, confirmPassword }; const data = { oldPassword, newPassword, confirmPassword };
fetch("/api/changePassword.php", { fetchWithCsrf("/api/changePassword.php", {
method: "POST", method: "POST",
credentials: "include", credentials: "include",
headers: { "Content-Type": "application/json", "X-CSRF-Token": window.csrfToken }, headers: { "Content-Type": "application/json" },
body: JSON.stringify(data) body: JSON.stringify(data)
}) })
.then(response => response.json()) .then(response => response.json())

2
public/js/authModals.js
View File

@@ -3,7 +3,7 @@ import { sendRequest } from './networkUtils.js';
import { t, applyTranslations, setLocale } from './i18n.js'; import { t, applyTranslations, setLocale } from './i18n.js';
import { loadAdminConfigFunc } from './auth.js'; import { loadAdminConfigFunc } from './auth.js';
const version = "v1.2.3"; // Update this version string as needed const version = "v1.2.4"; // Update this version string as needed
const adminTitle = `${t("admin_panel")} <small style="font-size: 12px; color: gray;">${version}</small>`; const adminTitle = `${t("admin_panel")} <small style="font-size: 12px; color: gray;">${version}</small>`;
let lastLoginData = null; let lastLoginData = null;

74
public/js/folderManager.js
View File

@@ -4,6 +4,8 @@ import { loadFileList } from './fileListView.js';
import { showToast, escapeHTML, attachEnterKeyListener } from './domUtils.js'; import { showToast, escapeHTML, attachEnterKeyListener } from './domUtils.js';
import { t } from './i18n.js'; import { t } from './i18n.js';
import { openFolderShareModal } from './folderShareModal.js'; import { openFolderShareModal } from './folderShareModal.js';
import { fetchWithCsrf } from './auth.js';
import { loadCsrfToken } from './main.js';
/* ---------------------- /* ----------------------
Helper Functions (Data/State) Helper Functions (Data/State)
@@ -627,45 +629,53 @@ document.getElementById("cancelCreateFolder").addEventListener("click", function
document.getElementById("newFolderName").value = ""; document.getElementById("newFolderName").value = "";
}); });
attachEnterKeyListener("createFolderModal", "submitCreateFolder"); attachEnterKeyListener("createFolderModal", "submitCreateFolder");
document.getElementById("submitCreateFolder").addEventListener("click", function () { document.getElementById("submitCreateFolder").addEventListener("click", async () => {
const folderInput = document.getElementById("newFolderName").value.trim(); const folderInput = document.getElementById("newFolderName").value.trim();
if (!folderInput) { if (!folderInput) return showToast("Please enter a folder name.");
showToast("Please enter a folder name.");
return; const selectedFolder = window.currentFolder || "root";
const parent = selectedFolder === "root" ? "" : selectedFolder;
// 1) Guarantee fresh CSRF
try {
await loadCsrfToken();
} catch {
return showToast("Could not refresh CSRF token. Please reload.");
} }
let selectedFolder = window.currentFolder || "root";
let fullFolderName = folderInput; // 2) Call with fetchWithCsrf
if (selectedFolder && selectedFolder !== "root") { fetchWithCsrf("/api/folder/createFolder.php", {
fullFolderName = selectedFolder + "/" + folderInput;
}
const csrfToken = document.querySelector('meta[name="csrf-token"]').getAttribute('content');
fetch("/api/folder/createFolder.php", {
method: "POST", method: "POST",
headers: { headers: { "Content-Type": "application/json" },
"Content-Type": "application/json", body: JSON.stringify({ folderName: folderInput, parent })
"X-CSRF-Token": csrfToken
},
body: JSON.stringify({
folderName: folderInput,
parent: selectedFolder === "root" ? "" : selectedFolder
})
}) })
.then(response => response.json()) .then(async res => {
.then(data => { if (!res.ok) {
if (data.success) { // pull out a JSON error, or fallback to status text
showToast("Folder created successfully!"); let err;
window.currentFolder = fullFolderName; try {
localStorage.setItem("lastOpenedFolder", fullFolderName); const j = await res.json();
loadFolderList(fullFolderName); err = j.error || j.message || res.statusText;
} else { } catch {
showToast("Error: " + (data.error || "Could not create folder")); err = res.statusText;
}
throw new Error(err);
} }
return res.json();
})
.then(data => {
showToast("Folder created!");
const full = parent ? `${parent}/${folderInput}` : folderInput;
window.currentFolder = full;
localStorage.setItem("lastOpenedFolder", full);
loadFolderList(full);
})
.catch(e => {
showToast("Error creating folder: " + e.message);
})
.finally(() => {
document.getElementById("createFolderModal").style.display = "none"; document.getElementById("createFolderModal").style.display = "none";
document.getElementById("newFolderName").value = ""; document.getElementById("newFolderName").value = "";
})
.catch(error => {
console.error("Error creating folder:", error);
document.getElementById("createFolderModal").style.display = "none";
}); });
}); });

64
public/js/main.js
View File

@@ -1,8 +1,10 @@
import { sendRequest } from './networkUtils.js'; import { sendRequest } from './networkUtils.js';
import { toggleVisibility, toggleAllCheckboxes, updateFileActionButtons, showToast } from './domUtils.js'; import { toggleVisibility, toggleAllCheckboxes, updateFileActionButtons, showToast } from './domUtils.js';
import { loadFolderTree } from './folderManager.js';
import { initUpload } from './upload.js'; import { initUpload } from './upload.js';
import { initAuth, checkAuthentication, loadAdminConfigFunc } from './auth.js'; import { initAuth, fetchWithCsrf, checkAuthentication, loadAdminConfigFunc } from './auth.js';
const _originalFetch = window.fetch;
window.fetch = fetchWithCsrf;
import { loadFolderTree } from './folderManager.js';
import { setupTrashRestoreDelete } from './trashRestoreDelete.js'; import { setupTrashRestoreDelete } from './trashRestoreDelete.js';
import { initDragAndDrop, loadSidebarOrder, loadHeaderOrder } from './dragAndDrop.js'; import { initDragAndDrop, loadSidebarOrder, loadHeaderOrder } from './dragAndDrop.js';
import { initTagSearch, openTagModal, filterFilesByTag } from './fileTags.js'; import { initTagSearch, openTagModal, filterFilesByTag } from './fileTags.js';
@@ -13,35 +15,53 @@ import { editFile, saveFile } from './fileEditor.js';
import { t, applyTranslations, setLocale } from './i18n.js'; import { t, applyTranslations, setLocale } from './i18n.js';
// Remove the retry logic version and just use loadCsrfToken directly: // Remove the retry logic version and just use loadCsrfToken directly:
function loadCsrfToken() { /**
return fetch('/api/auth/token.php', { credentials: 'include' }) * Fetches the current CSRF token (and share URL), updates window globals
* and <meta> tags, and returns the data.
*
* @returns {Promise<{csrf_token: string, share_url: string}>}
*/
export function loadCsrfToken() {
return fetch('/api/auth/token.php', {
method: 'GET',
credentials: 'include'
})
.then(response => { .then(response => {
if (!response.ok) { if (!response.ok) {
throw new Error("Token fetch failed with status: " + response.status); throw new Error(`Token fetch failed with status: ${response.status}`);
} }
return response.json(); // Prefer header if set, otherwise fall back to body
const headerToken = response.headers.get('X-CSRF-Token');
return response.json()
.then(body => ({
csrf_token: headerToken || body.csrf_token,
share_url: body.share_url
}));
}) })
.then(data => { .then(({ csrf_token, share_url }) => {
window.csrfToken = data.csrf_token; // Update globals
window.SHARE_URL = data.share_url; window.csrfToken = csrf_token;
window.SHARE_URL = share_url;
let metaCSRF = document.querySelector('meta[name="csrf-token"]'); // Sync <meta name="csrf-token">
if (!metaCSRF) { let meta = document.querySelector('meta[name="csrf-token"]');
metaCSRF = document.createElement('meta'); if (!meta) {
metaCSRF.name = 'csrf-token'; meta = document.createElement('meta');
document.head.appendChild(metaCSRF); meta.name = 'csrf-token';
document.head.appendChild(meta);
} }
metaCSRF.setAttribute('content', data.csrf_token); meta.content = csrf_token;
let metaShare = document.querySelector('meta[name="share-url"]'); // Sync <meta name="share-url">
if (!metaShare) { let shareMeta = document.querySelector('meta[name="share-url"]');
metaShare = document.createElement('meta'); if (!shareMeta) {
metaShare.name = 'share-url'; shareMeta = document.createElement('meta');
document.head.appendChild(metaShare); shareMeta.name = 'share-url';
document.head.appendChild(shareMeta);
} }
metaShare.setAttribute('content', data.share_url); shareMeta.content = share_url;
return data; return { csrf_token, share_url };
}); });
} }

70
public/js/upload.js
View File

@@ -412,7 +412,12 @@ function initResumableUpload() {
forceChunkSize: true, forceChunkSize: true,
testChunks: false, testChunks: false,
throttleProgressCallbacks: 1, throttleProgressCallbacks: 1,
headers: { "X-CSRF-Token": window.csrfToken } withCredentials: true,
headers: { 'X-CSRF-Token': window.csrfToken },
query: {
folder: window.currentFolder || "root",
upload_token: window.csrfToken // still as a fallback
}
}); });
const fileInput = document.getElementById("file"); const fileInput = document.getElementById("file");
@@ -496,26 +501,40 @@ function initResumableUpload() {
}); });
resumableInstance.on("fileSuccess", function(file, message) { resumableInstance.on("fileSuccess", function(file, message) {
const li = document.querySelector(`li.upload-progress-item[data-upload-index="${file.uniqueIdentifier}"]`); // Try to parse JSON response
let data;
try {
data = JSON.parse(message);
} catch (e) {
data = null;
}
// 1) Softfail CSRF? then update token & retry this file
if (data && data.csrf_expired) {
// Update global and Resumable headers
window.csrfToken = data.csrf_token;
resumableInstance.opts.headers['X-CSRF-Token'] = data.csrf_token;
resumableInstance.opts.query.upload_token = data.csrf_token;
// Retry this chunk/file
file.retry();
return;
}
// 2) Otherwise treat as real success:
const li = document.querySelector(
`li.upload-progress-item[data-upload-index="${file.uniqueIdentifier}"]`
);
if (li && li.progressBar) { if (li && li.progressBar) {
li.progressBar.style.width = "100%"; li.progressBar.style.width = "100%";
li.progressBar.innerText = "Done"; li.progressBar.innerText = "Done";
// Hide pause/resume and remove buttons for successful files. // remove action buttons
const pauseResumeBtn = li.querySelector(".pause-resume-btn"); const pauseResumeBtn = li.querySelector(".pause-resume-btn");
if (pauseResumeBtn) { if (pauseResumeBtn) pauseResumeBtn.style.display = "none";
pauseResumeBtn.style.display = "none";
}
const removeBtn = li.querySelector(".remove-file-btn"); const removeBtn = li.querySelector(".remove-file-btn");
if (removeBtn) { if (removeBtn) removeBtn.style.display = "none";
removeBtn.style.display = "none"; setTimeout(() => li.remove(), 5000);
}
// Schedule removal of the file entry after 5 seconds.
setTimeout(() => {
li.remove();
window.selectedFiles = window.selectedFiles.filter(f => f.uniqueIdentifier !== file.uniqueIdentifier);
updateFileInfoCount();
}, 5000);
} }
loadFileList(window.currentFolder); loadFileList(window.currentFolder);
}); });
@@ -618,8 +637,25 @@ function submitFiles(allFiles) {
} catch (e) { } catch (e) {
jsonResponse = null; jsonResponse = null;
} }
// ─── Soft-fail CSRF: retry this upload ───────────────────────
if (jsonResponse && jsonResponse.csrf_expired) {
console.warn("CSRF expired during upload, retrying chunk", file.uploadIndex);
// 1) update global token + header
window.csrfToken = jsonResponse.csrf_token;
xhr.open("POST", "/api/upload/upload.php", true);
xhr.withCredentials = true;
xhr.setRequestHeader("X-CSRF-Token", window.csrfToken);
// 2) re-send the same formData
xhr.send(formData);
return; // skip the "finishedCount++" and error/success logic for now
}
// ─── Normal success/error handling ────────────────────────────
const li = progressElements[file.uploadIndex]; const li = progressElements[file.uploadIndex];
if (xhr.status >= 200 && xhr.status < 300 && (!jsonResponse || !jsonResponse.error)) { if (xhr.status >= 200 && xhr.status < 300 && (!jsonResponse || !jsonResponse.error)) {
// real success
if (li) { if (li) {
li.progressBar.style.width = "100%"; li.progressBar.style.width = "100%";
li.progressBar.innerText = "Done"; li.progressBar.innerText = "Done";
@@ -627,11 +663,14 @@ function submitFiles(allFiles) {
} }
uploadResults[file.uploadIndex] = true; uploadResults[file.uploadIndex] = true;
} else { } else {
// real failure
if (li) { if (li) {
li.progressBar.innerText = "Error"; li.progressBar.innerText = "Error";
} }
allSucceeded = false; allSucceeded = false;
} }
// ─── Only now count this chunk as finished ───────────────────
finishedCount++; finishedCount++;
if (finishedCount === allFiles.length) { if (finishedCount === allFiles.length) {
refreshFileList(allFiles, uploadResults, progressElements); refreshFileList(allFiles, uploadResults, progressElements);
@@ -665,6 +704,7 @@ function submitFiles(allFiles) {
}); });
xhr.open("POST", "/api/upload/upload.php", true); xhr.open("POST", "/api/upload/upload.php", true);
xhr.withCredentials = true;
xhr.setRequestHeader("X-CSRF-Token", window.csrfToken); xhr.setRequestHeader("X-CSRF-Token", window.csrfToken);
xhr.send(formData); xhr.send(formData);
}); });

18
src/controllers/authController.php
View File

@@ -346,7 +346,9 @@ class AuthController
if (empty($_SESSION['authenticated']) && !empty($_COOKIE['remember_me_token'])) { if (empty($_SESSION['authenticated']) && !empty($_COOKIE['remember_me_token'])) {
$payload = AuthModel::validateRememberToken($_COOKIE['remember_me_token']); $payload = AuthModel::validateRememberToken($_COOKIE['remember_me_token']);
if ($payload) { if ($payload) {
$old = $_SESSION['csrf_token'] ?? bin2hex(random_bytes(32));
session_regenerate_id(true); session_regenerate_id(true);
$_SESSION['csrf_token'] = $old;
$_SESSION['authenticated'] = true; $_SESSION['authenticated'] = true;
$_SESSION['username'] = $payload['username']; $_SESSION['username'] = $payload['username'];
$_SESSION['isAdmin'] = !empty($payload['isAdmin']); $_SESSION['isAdmin'] = !empty($payload['isAdmin']);
@@ -354,7 +356,7 @@ class AuthController
$_SESSION['readOnly'] = $payload['readOnly'] ?? false; $_SESSION['readOnly'] = $payload['readOnly'] ?? false;
$_SESSION['disableUpload'] = $payload['disableUpload'] ?? false; $_SESSION['disableUpload'] = $payload['disableUpload'] ?? false;
// regenerate CSRF if you use one // regenerate CSRF if you use one
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
// TOTP enabled? (same logic as below) // TOTP enabled? (same logic as below)
$usersFile = USERS_DIR . USERS_FILE; $usersFile = USERS_DIR . USERS_FILE;
@@ -371,6 +373,7 @@ class AuthController
echo json_encode([ echo json_encode([
'authenticated' => true, 'authenticated' => true,
'csrf_token' => $_SESSION['csrf_token'],
'isAdmin' => $_SESSION['isAdmin'], 'isAdmin' => $_SESSION['isAdmin'],
'totp_enabled' => $totp, 'totp_enabled' => $totp,
'username' => $_SESSION['username'], 'username' => $_SESSION['username'],
@@ -446,10 +449,19 @@ class AuthController
*/ */
public function getToken(): void public function getToken(): void
{ {
// 1) Ensure session and CSRF token exist
if (empty($_SESSION['csrf_token'])) {
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}
// 2) Emit headers
header('Content-Type: application/json'); header('Content-Type: application/json');
header('X-CSRF-Token: ' . $_SESSION['csrf_token']);
// 3) Return JSON payload
echo json_encode([ echo json_encode([
"csrf_token" => $_SESSION['csrf_token'], 'csrf_token' => $_SESSION['csrf_token'],
"share_url" => SHARE_URL 'share_url' => SHARE_URL
]); ]);
exit; exit;
} }

50
src/controllers/uploadController.php
View File

@@ -73,33 +73,55 @@ class UploadController {
public function handleUpload(): void { public function handleUpload(): void {
header('Content-Type: application/json'); header('Content-Type: application/json');
// CSRF Protection. //
// 1) CSRF pull from header or POST fields
//
$headersArr = array_change_key_case(getallheaders(), CASE_LOWER); $headersArr = array_change_key_case(getallheaders(), CASE_LOWER);
$receivedToken = $headersArr['x-csrf-token'] ?? ''; $received = '';
if (!isset($_SESSION['csrf_token']) || trim($receivedToken) !== $_SESSION['csrf_token']) { if (!empty($headersArr['x-csrf-token'])) {
http_response_code(403); $received = trim($headersArr['x-csrf-token']);
echo json_encode(["error" => "Invalid CSRF token"]); } elseif (!empty($_POST['csrf_token'])) {
$received = trim($_POST['csrf_token']);
} elseif (!empty($_POST['upload_token'])) {
$received = trim($_POST['upload_token']);
}
// 1a) If it doesnt match, soft-fail: send new token and let client retry
if (!isset($_SESSION['csrf_token']) || $received !== $_SESSION['csrf_token']) {
// regenerate
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
// tell client “please retry with this new token”
http_response_code(200);
echo json_encode([
'csrf_expired' => true,
'csrf_token' => $_SESSION['csrf_token']
]);
exit; exit;
} }
// Ensure user is authenticated.
if (!isset($_SESSION['authenticated']) || $_SESSION['authenticated'] !== true) { //
// 2) Auth checks
//
if (empty($_SESSION['authenticated']) || $_SESSION['authenticated'] !== true) {
http_response_code(401); http_response_code(401);
echo json_encode(["error" => "Unauthorized"]); echo json_encode(["error" => "Unauthorized"]);
exit; exit;
} }
// Check user permissions. $userPerms = loadUserPermissions($_SESSION['username']);
$username = $_SESSION['username'] ?? ''; if (!empty($userPerms['disableUpload'])) {
$userPermissions = loadUserPermissions($username);
if ($username && !empty($userPermissions['disableUpload'])) {
http_response_code(403); http_response_code(403);
echo json_encode(["error" => "Upload disabled for this user."]); echo json_encode(["error" => "Upload disabled for this user."]);
exit; exit;
} }
// Delegate to the model. //
// 3) Delegate the actual file handling
//
$result = UploadModel::handleUpload($_POST, $_FILES); $result = UploadModel::handleUpload($_POST, $_FILES);
// For chunked uploads, output JSON (e.g., "chunk uploaded" status). //
// 4) Respond
//
if (isset($result['error'])) { if (isset($result['error'])) {
http_response_code(400); http_response_code(400);
echo json_encode($result); echo json_encode($result);
@@ -110,7 +132,7 @@ class UploadController {
exit; exit;
} }
// Otherwise, for full upload success, set a flash message and redirect. // fullupload redirect
$_SESSION['upload_message'] = "File uploaded successfully."; $_SESSION['upload_message'] = "File uploaded successfully.";
exit; exit;
} }

331
src/controllers/userController.php
View File

@@ -87,63 +87,83 @@ class UserController
public function addUser() public function addUser()
{ {
// 1) Ensure JSON output and session
header('Content-Type: application/json'); header('Content-Type: application/json');
$usersFile = USERS_DIR . USERS_FILE; // 1a) Initialize CSRF token if missing
if (empty($_SESSION['csrf_token'])) {
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}
// Determine if we're in setup mode. // 2) Determine setup mode (first-ever admin creation)
// Setup mode means the "setup" query parameter is passed $usersFile = USERS_DIR . USERS_FILE;
// and users.txt is missing, empty, or contains only whitespace. $isSetup = (isset($_GET['setup']) && $_GET['setup'] === '1');
$isSetup = (isset($_GET['setup']) && $_GET['setup'] === '1'); $setupMode = false;
if ($isSetup && (!file_exists($usersFile) || filesize($usersFile) == 0 || trim(file_get_contents($usersFile)) === '')) { if (
// Allow initial admin creation without session or CSRF checks. $isSetup && (! file_exists($usersFile)
|| filesize($usersFile) === 0
|| trim(file_get_contents($usersFile)) === ''
)
) {
$setupMode = true; $setupMode = true;
} else { } else {
$setupMode = false; // 3) In non-setup, enforce CSRF + auth checks
// In non-setup mode, perform CSRF token and authentication checks. $headersArr = array_change_key_case(getallheaders(), CASE_LOWER);
$headersArr = array_change_key_case(getallheaders(), CASE_LOWER); $receivedToken = trim($headersArr['x-csrf-token'] ?? '');
$receivedToken = isset($headersArr['x-csrf-token']) ? trim($headersArr['x-csrf-token']) : '';
if (!isset($_SESSION['csrf_token']) || $receivedToken !== $_SESSION['csrf_token']) { // 3a) Soft-fail CSRF: on mismatch, regenerate and return new token
http_response_code(403); if ($receivedToken !== $_SESSION['csrf_token']) {
echo json_encode(["error" => "Invalid CSRF token"]); $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
header('X-CSRF-Token: ' . $_SESSION['csrf_token']);
echo json_encode([
'csrf_expired' => true,
'csrf_token' => $_SESSION['csrf_token']
]);
exit; exit;
} }
// 3b) Must be logged in as admin
if ( if (
!isset($_SESSION['authenticated']) || $_SESSION['authenticated'] !== true || empty($_SESSION['authenticated'])
!isset($_SESSION['isAdmin']) || $_SESSION['isAdmin'] !== true || $_SESSION['authenticated'] !== true
|| empty($_SESSION['isAdmin'])
|| $_SESSION['isAdmin'] !== true
) { ) {
echo json_encode(["error" => "Unauthorized"]); echo json_encode(["error" => "Unauthorized"]);
exit; exit;
} }
} }
// Get the JSON input data. // 4) Parse input
$data = json_decode(file_get_contents("php://input"), true); $data = json_decode(file_get_contents('php://input'), true) ?: [];
$newUsername = trim($data["username"] ?? ""); $newUsername = trim($data['username'] ?? '');
$newPassword = trim($data["password"] ?? ""); $newPassword = trim($data['password'] ?? '');
// In setup mode, force the new user to be an admin. // 5) Determine admin flag
if ($setupMode) { if ($setupMode) {
$isAdmin = "1"; $isAdmin = '1';
} else { } else {
$isAdmin = !empty($data["isAdmin"]) ? "1" : "0"; $isAdmin = !empty($data['isAdmin']) ? '1' : '0';
} }
// Validate that a username and password are provided. // 6) Validate fields
if (!$newUsername || !$newPassword) { if ($newUsername === '' || $newPassword === '') {
echo json_encode(["error" => "Username and password required"]); echo json_encode(["error" => "Username and password required"]);
exit; exit;
} }
// Validate username format.
if (!preg_match(REGEX_USER, $newUsername)) { if (!preg_match(REGEX_USER, $newUsername)) {
echo json_encode(["error" => "Invalid username. Only letters, numbers, underscores, dashes, and spaces are allowed."]); echo json_encode([
"error" => "Invalid username. Only letters, numbers, underscores, dashes, and spaces are allowed."
]);
exit; exit;
} }
// Delegate the business logic to the model. // 7) Delegate to model
$result = userModel::addUser($newUsername, $newPassword, $isAdmin, $setupMode); $result = userModel::addUser($newUsername, $newPassword, $isAdmin, $setupMode);
// 8) Return model result
echo json_encode($result); echo json_encode($result);
exit;
} }
/** /**
@@ -847,148 +867,151 @@ class UserController
* ) * )
*/ */
public function verifyTOTP() public function verifyTOTP()
{ {
header('Content-Type: application/json'); header('Content-Type: application/json');
header("Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self';"); header("Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self';");
// Ratelimit // Ratelimit
if (!isset($_SESSION['totp_failures'])) { if (!isset($_SESSION['totp_failures'])) {
$_SESSION['totp_failures'] = 0; $_SESSION['totp_failures'] = 0;
} }
if ($_SESSION['totp_failures'] >= 5) { if ($_SESSION['totp_failures'] >= 5) {
http_response_code(429); http_response_code(429);
echo json_encode(['status' => 'error', 'message' => 'Too many TOTP attempts. Please try again later.']); echo json_encode(['status' => 'error', 'message' => 'Too many TOTP attempts. Please try again later.']);
exit; exit;
} }
// Must be authenticated OR pending login // Must be authenticated OR pending login
if (!((!empty($_SESSION['authenticated'])) || isset($_SESSION['pending_login_user']))) { if (!((!empty($_SESSION['authenticated'])) || isset($_SESSION['pending_login_user']))) {
http_response_code(403); http_response_code(403);
echo json_encode(['status' => 'error', 'message' => 'Not authenticated']); echo json_encode(['status' => 'error', 'message' => 'Not authenticated']);
exit; exit;
} }
// CSRF check // CSRF check
$headersArr = array_change_key_case(getallheaders(), CASE_LOWER); $headersArr = array_change_key_case(getallheaders(), CASE_LOWER);
$csrfHeader = $headersArr['x-csrf-token'] ?? ''; $csrfHeader = $headersArr['x-csrf-token'] ?? '';
if (empty($_SESSION['csrf_token']) || $csrfHeader !== $_SESSION['csrf_token']) { if (empty($_SESSION['csrf_token']) || $csrfHeader !== $_SESSION['csrf_token']) {
http_response_code(403); http_response_code(403);
echo json_encode(['status' => 'error', 'message' => 'Invalid CSRF token']); echo json_encode(['status' => 'error', 'message' => 'Invalid CSRF token']);
exit; exit;
} }
// Parse and validate input // Parse and validate input
$inputData = json_decode(file_get_contents("php://input"), true); $inputData = json_decode(file_get_contents("php://input"), true);
$code = trim($inputData['totp_code'] ?? ''); $code = trim($inputData['totp_code'] ?? '');
if (!preg_match('/^\d{6}$/', $code)) { if (!preg_match('/^\d{6}$/', $code)) {
http_response_code(400); http_response_code(400);
echo json_encode(['status' => 'error', 'message' => 'A valid 6-digit TOTP code is required']); echo json_encode(['status' => 'error', 'message' => 'A valid 6-digit TOTP code is required']);
exit; exit;
} }
// TFA helper // TFA helper
$tfa = new \RobThree\Auth\TwoFactorAuth( $tfa = new \RobThree\Auth\TwoFactorAuth(
new \RobThree\Auth\Providers\Qr\GoogleChartsQrCodeProvider(), new \RobThree\Auth\Providers\Qr\GoogleChartsQrCodeProvider(),
'FileRise', 6, 30, \RobThree\Auth\Algorithm::Sha1 'FileRise',
); 6,
30,
\RobThree\Auth\Algorithm::Sha1
);
// Pendinglogin flow (first password step passed) // Pendinglogin flow (first password step passed)
if (isset($_SESSION['pending_login_user'])) { if (isset($_SESSION['pending_login_user'])) {
$username = $_SESSION['pending_login_user']; $username = $_SESSION['pending_login_user'];
$pendingSecret = $_SESSION['pending_login_secret'] ?? null; $pendingSecret = $_SESSION['pending_login_secret'] ?? null;
$rememberMe = $_SESSION['pending_login_remember_me'] ?? false; $rememberMe = $_SESSION['pending_login_remember_me'] ?? false;
if (!$pendingSecret || !$tfa->verifyCode($pendingSecret, $code)) { if (!$pendingSecret || !$tfa->verifyCode($pendingSecret, $code)) {
$_SESSION['totp_failures']++; $_SESSION['totp_failures']++;
http_response_code(400); http_response_code(400);
echo json_encode(['status' => 'error', 'message' => 'Invalid TOTP code']); echo json_encode(['status' => 'error', 'message' => 'Invalid TOTP code']);
exit; exit;
} }
// === Issue “remember me” token if requested === // === Issue “remember me” token if requested ===
if ($rememberMe) { if ($rememberMe) {
$tokFile = USERS_DIR . 'persistent_tokens.json'; $tokFile = USERS_DIR . 'persistent_tokens.json';
$token = bin2hex(random_bytes(32)); $token = bin2hex(random_bytes(32));
$expiry = time() + 30 * 24 * 60 * 60; $expiry = time() + 30 * 24 * 60 * 60;
$all = []; $all = [];
if (file_exists($tokFile)) { if (file_exists($tokFile)) {
$dec = decryptData(file_get_contents($tokFile), $GLOBALS['encryptionKey']); $dec = decryptData(file_get_contents($tokFile), $GLOBALS['encryptionKey']);
$all = json_decode($dec, true) ?: []; $all = json_decode($dec, true) ?: [];
} }
$isAdmin = ((int)userModel::getUserRole($username) === 1); $isAdmin = ((int)userModel::getUserRole($username) === 1);
$all[$token] = [ $all[$token] = [
'username' => $username, 'username' => $username,
'expiry' => $expiry, 'expiry' => $expiry,
'isAdmin' => $isAdmin 'isAdmin' => $isAdmin
]; ];
file_put_contents( file_put_contents(
$tokFile, $tokFile,
encryptData(json_encode($all, JSON_PRETTY_PRINT), $GLOBALS['encryptionKey']), encryptData(json_encode($all, JSON_PRETTY_PRINT), $GLOBALS['encryptionKey']),
LOCK_EX LOCK_EX
); );
$secure = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off'); $secure = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
// Persistent cookie // Persistent cookie
setcookie('remember_me_token', $token, $expiry, '/', '', $secure, true); setcookie('remember_me_token', $token, $expiry, '/', '', $secure, true);
// Reissue PHP session cookie // Reissue PHP session cookie
setcookie( setcookie(
session_name(), session_name(),
session_id(), session_id(),
$expiry, $expiry,
'/', '/',
'', '',
$secure, $secure,
true true
); );
} }
// Finalize login // Finalize login
session_regenerate_id(true); session_regenerate_id(true);
$_SESSION['authenticated'] = true; $_SESSION['authenticated'] = true;
$_SESSION['username'] = $username; $_SESSION['username'] = $username;
$_SESSION['isAdmin'] = $isAdmin; $_SESSION['isAdmin'] = $isAdmin;
$_SESSION['folderOnly'] = loadUserPermissions($username); $_SESSION['folderOnly'] = loadUserPermissions($username);
// Clean up // Clean up
unset( unset(
$_SESSION['pending_login_user'], $_SESSION['pending_login_user'],
$_SESSION['pending_login_secret'], $_SESSION['pending_login_secret'],
$_SESSION['pending_login_remember_me'], $_SESSION['pending_login_remember_me'],
$_SESSION['totp_failures'] $_SESSION['totp_failures']
); );
echo json_encode(['status' => 'ok', 'message' => 'Login successful']); echo json_encode(['status' => 'ok', 'message' => 'Login successful']);
exit; exit;
} }
// Setup/verification flow (not pending) // Setup/verification flow (not pending)
$username = $_SESSION['username'] ?? ''; $username = $_SESSION['username'] ?? '';
if (!$username) { if (!$username) {
http_response_code(400); http_response_code(400);
echo json_encode(['status' => 'error', 'message' => 'Username not found in session']); echo json_encode(['status' => 'error', 'message' => 'Username not found in session']);
exit; exit;
} }
$totpSecret = userModel::getTOTPSecret($username); $totpSecret = userModel::getTOTPSecret($username);
if (!$totpSecret) { if (!$totpSecret) {
http_response_code(500); http_response_code(500);
echo json_encode(['status' => 'error', 'message' => 'TOTP secret not found. Please set up TOTP again.']); echo json_encode(['status' => 'error', 'message' => 'TOTP secret not found. Please set up TOTP again.']);
exit; exit;
} }
if (!$tfa->verifyCode($totpSecret, $code)) { if (!$tfa->verifyCode($totpSecret, $code)) {
$_SESSION['totp_failures']++; $_SESSION['totp_failures']++;
http_response_code(400); http_response_code(400);
echo json_encode(['status' => 'error', 'message' => 'Invalid TOTP code']); echo json_encode(['status' => 'error', 'message' => 'Invalid TOTP code']);
exit; exit;
} }
// Successful setup/verification // Successful setup/verification
unset($_SESSION['totp_failures']); unset($_SESSION['totp_failures']);
echo json_encode(['status' => 'ok', 'message' => 'TOTP successfully verified']); echo json_encode(['status' => 'ok', 'message' => 'TOTP successfully verified']);
} }
} }

4
start.sh
View File

@@ -25,6 +25,10 @@ mkdir -p /var/www/metadata/log
chown www-data:www-data /var/www/metadata/log chown www-data:www-data /var/www/metadata/log
chmod 775 /var/www/metadata/log chmod 775 /var/www/metadata/log
mkdir -p /var/www/sessions
chown www-data:www-data /var/www/sessions
chmod 700 /var/www/sessions
# 2.2) Prepare other dynamic dirs # 2.2) Prepare other dynamic dirs
for d in uploads users metadata; do for d in uploads users metadata; do
tgt="/var/www/${d}" tgt="/var/www/${d}"