Add 30day persistent token remember me for login

2025-03-22 07:12:20 -04:00
parent 833eaa3194
commit 2092512f43
6 changed files with 71 additions and 8 deletions
--- a/addUser.php
+++ b/addUser.php
@@ -6,9 +6,9 @@ $usersFile = USERS_DIR . USERS_FILE;

 // Determine if we are in setup mode:
 // - Query parameter setup=1 is passed
-// - And users.txt is either missing or empty
+// - And users.txt is either missing or empty (zero bytes or trimmed content is empty)
 $isSetup = (isset($_GET['setup']) && $_GET['setup'] === '1');
-if ($isSetup && (!file_exists($usersFile) || trim(file_get_contents($usersFile)) === '')) {
+if ($isSetup && (!file_exists($usersFile) || filesize($usersFile) == 0 || trim(file_get_contents($usersFile)) === '')) {
    // Allow initial admin creation without session checks.
    $setupMode = true;
 } else {
--- a/auth.js
+++ b/auth.js
@@ -78,9 +78,14 @@ function initAuth() {
  if (authForm) {
    authForm.addEventListener("submit", function (event) {
      event.preventDefault();
+      // Get the "Remember me" checkbox value.
+      const rememberMe = document.getElementById("rememberMeCheckbox") 
+        ? document.getElementById("rememberMeCheckbox").checked 
+        : false;
      const formData = {
        username: document.getElementById("loginUsername").value.trim(),
-        password: document.getElementById("loginPassword").value.trim()
+        password: document.getElementById("loginPassword").value.trim(),
+        remember_me: rememberMe
      };
      sendRequest("auth.php", "POST", formData, { "X-CSRF-Token": window.csrfToken })
        .then(data => {
--- a/auth.php
+++ b/auth.php
@@ -10,6 +10,9 @@ $lockoutTime = 30 * 60; // 30 minutes in seconds
 $attemptsFile = USERS_DIR . 'failed_logins.json'; // JSON file for tracking failed login attempts
 $failedLogFile = USERS_DIR . 'failed_login.log';   // Plain text log for fail2ban

+// Persistent tokens file for "Remember me"
+$persistentTokensFile = USERS_DIR . 'persistent_tokens.json';
+
 // Load failed attempts data from file.
 function loadFailedAttempts($file) {
    if (file_exists($file)) {
@@ -46,11 +49,9 @@ if (isset($failedAttempts[$ip])) {
 function authenticate($username, $password)
 {
    global $usersFile;
-
    if (!file_exists($usersFile)) {
        return false;
    }
-
    $lines = file($usersFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    foreach ($lines as $line) {
        list($storedUser, $storedPass, $storedRole) = explode(':', trim($line), 3);
@@ -65,6 +66,7 @@ function authenticate($username, $password)
 $data = json_decode(file_get_contents("php://input"), true);
 $username = trim($data["username"] ?? "");
 $password = trim($data["password"] ?? "");
+$rememberMe = isset($data["remember_me"]) && $data["remember_me"] === true;

 // Validate input: ensure both fields are provided.
 if (!$username || !$password) {
@@ -72,7 +74,7 @@ if (!$username || !$password) {
    exit;
 }

-// Validate username format: allow only letters, numbers, underscores, dashes, and spaces.
+// Validate username format.
 if (!preg_match('/^[A-Za-z0-9_\- ]+$/', $username)) {
    echo json_encode(["error" => "Invalid username format. Only letters, numbers, underscores, dashes, and spaces are allowed."]);
    exit;
@@ -92,6 +94,29 @@ if ($userRole !== false) {
    $_SESSION["username"] = $username;
    $_SESSION["isAdmin"] = ($userRole === "1"); // "1" indicates admin

+    // If "Remember me" is checked, generate a persistent login token.
+    if ($rememberMe) {
+        // Generate a secure random token.
+        $token = bin2hex(random_bytes(32));
+        $expiry = time() + (30 * 24 * 60 * 60); // 30 days
+        // Load existing persistent tokens.
+        $persistentTokens = [];
+        if (file_exists($persistentTokensFile)) {
+            $persistentTokens = json_decode(file_get_contents($persistentTokensFile), true);
+            if (!is_array($persistentTokens)) {
+                $persistentTokens = [];
+            }
+        }
+        // Save token along with username and expiry.
+        $persistentTokens[$token] = [
+            "username" => $username,
+            "expiry" => $expiry
+        ];
+        file_put_contents($persistentTokensFile, json_encode($persistentTokens, JSON_PRETTY_PRINT));
+        // Set the cookie. (Assuming $secure is defined in config.php.)
+        setcookie('remember_me_token', $token, $expiry, '/', '', $secure, true);
+    }
+    
    echo json_encode(["success" => "Login successful", "isAdmin" => $_SESSION["isAdmin"]]);
 } else {
    // On failed login, update failed attempts.
--- a/config.php
+++ b/config.php
@@ -27,6 +27,29 @@ if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
 }

+// Auto-login via persistent token if session is not active.
+if (!isset($_SESSION["authenticated"]) && isset($_COOKIE['remember_me_token'])) {
+    $persistentTokensFile = USERS_DIR . 'persistent_tokens.json';
+    if (file_exists($persistentTokensFile)) {
+        $persistentTokens = json_decode(file_get_contents($persistentTokensFile), true);
+        if (is_array($persistentTokens) && isset($persistentTokens[$_COOKIE['remember_me_token']])) {
+            $tokenData = $persistentTokens[$_COOKIE['remember_me_token']];
+            if ($tokenData['expiry'] >= time()) {
+                // Token is valid; auto-authenticate the user.
+                $_SESSION["authenticated"] = true;
+                $_SESSION["username"] = $tokenData["username"];
+                // Optionally, set admin status if stored in token data:
+                // $_SESSION["isAdmin"] = $tokenData["isAdmin"];
+            } else {
+                // Token expired; remove it and clear the cookie.
+                unset($persistentTokens[$_COOKIE['remember_me_token']]);
+                file_put_contents($persistentTokensFile, json_encode($persistentTokens, JSON_PRETTY_PRINT));
+                setcookie('remember_me_token', '', time() - 3600, '/', '', $secure, true);
+            }
+        }
+    }
+}
+
 // Define BASE_URL (this should point to where index.html is, e.g. your uploads directory)
 define('BASE_URL', 'http://yourwebsite/uploads/');

--- a/index.html
+++ b/index.html
@@ -143,6 +143,10 @@
            <input type="password" class="form-control" id="loginPassword" name="password" required />
          </div>
          <button type="submit" class="btn btn-primary btn-block btn-login">Login</button>
+          <div class="form-group remember-me-container">
+            <input type="checkbox" id="rememberMeCheckbox" name="remember_me" />
+            <label for="rememberMeCheckbox">Remember me</label>
+          </div>
        </form>
      </div>
    </div>
--- a/styles.css
+++ b/styles.css
@@ -13,6 +13,7 @@ body {
 body {
  letter-spacing: 0.2px;
 }
+
 .custom-dash {
  display: inline-block;
  transform: scaleX(1.5);
@@ -53,7 +54,8 @@ body {
 /************************************************************/
 /* FLEXBOX HEADER: LOGO, TITLE, BUTTONS FIXED               */
 /************************************************************/
-#uploadCard, #folderManagementCard {
+#uploadCard,
+#folderManagementCard {
  min-height: 342px;
 }

@@ -333,6 +335,10 @@ body.dark-mode .material-icons.gallery-icon {
 /* ===========================================================
   FORMS & LOGIN
   =========================================================== */
+.remember-me-container {
+  margin-top: 20px !important;
+}
+
 #loginForm {
  margin: 0 auto;
  max-width: 400px;
@@ -1709,7 +1715,7 @@ body.dark-mode .folder-help-summary {
 body.dark-mode .folder-help-icon {
  color: #f6a72c;
  font-size: 20px;
-  
+
 }

 body.dark-mode #searchIcon {