Add missing permissions for TOTP login
This commit is contained in:
Ryan
@@ -867,126 +867,123 @@ class UserController
|
|||||||
* )
|
* )
|
||||||
*/
|
*/
|
||||||
|
|
||||||
public function verifyTOTP()
|
public function verifyTOTP()
|
||||||
{
|
{
|
||||||
header('Content-Type: application/json');
|
header('Content-Type: application/json');
|
||||||
header("Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self';");
|
header("Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self';");
|
||||||
|
|
||||||
// Rate‑limit
|
// Rate-limit
|
||||||
if (!isset($_SESSION['totp_failures'])) {
|
if (!isset($_SESSION['totp_failures'])) {
|
||||||
$_SESSION['totp_failures'] = 0;
|
$_SESSION['totp_failures'] = 0;
|
||||||
}
|
}
|
||||||
if ($_SESSION['totp_failures'] >= 5) {
|
if ($_SESSION['totp_failures'] >= 5) {
|
||||||
http_response_code(429);
|
http_response_code(429);
|
||||||
echo json_encode(['status' => 'error', 'message' => 'Too many TOTP attempts. Please try again later.']);
|
echo json_encode(['status' => 'error', 'message' => 'Too many TOTP attempts. Please try again later.']);
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Must be authenticated OR pending login
|
// Must be authenticated OR pending login
|
||||||
if (!((!empty($_SESSION['authenticated'])) || isset($_SESSION['pending_login_user']))) {
|
if (empty($_SESSION['authenticated']) && !isset($_SESSION['pending_login_user'])) {
|
||||||
http_response_code(403);
|
http_response_code(403);
|
||||||
echo json_encode(['status' => 'error', 'message' => 'Not authenticated']);
|
echo json_encode(['status' => 'error', 'message' => 'Not authenticated']);
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
// CSRF check
|
// CSRF check
|
||||||
$headersArr = array_change_key_case(getallheaders(), CASE_LOWER);
|
$headersArr = array_change_key_case(getallheaders(), CASE_LOWER);
|
||||||
$csrfHeader = $headersArr['x-csrf-token'] ?? '';
|
$csrfHeader = $headersArr['x-csrf-token'] ?? '';
|
||||||
if (empty($_SESSION['csrf_token']) || $csrfHeader !== $_SESSION['csrf_token']) {
|
if (empty($_SESSION['csrf_token']) || $csrfHeader !== $_SESSION['csrf_token']) {
|
||||||
http_response_code(403);
|
http_response_code(403);
|
||||||
echo json_encode(['status' => 'error', 'message' => 'Invalid CSRF token']);
|
echo json_encode(['status' => 'error', 'message' => 'Invalid CSRF token']);
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Parse and validate input
|
// Parse & validate input
|
||||||
$inputData = json_decode(file_get_contents("php://input"), true);
|
$inputData = json_decode(file_get_contents("php://input"), true);
|
||||||
$code = trim($inputData['totp_code'] ?? '');
|
$code = trim($inputData['totp_code'] ?? '');
|
||||||
if (!preg_match('/^\d{6}$/', $code)) {
|
if (!preg_match('/^\d{6}$/', $code)) {
|
||||||
http_response_code(400);
|
http_response_code(400);
|
||||||
echo json_encode(['status' => 'error', 'message' => 'A valid 6-digit TOTP code is required']);
|
echo json_encode(['status' => 'error', 'message' => 'A valid 6-digit TOTP code is required']);
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
// TFA helper
|
// TFA helper
|
||||||
$tfa = new \RobThree\Auth\TwoFactorAuth(
|
$tfa = new \RobThree\Auth\TwoFactorAuth(
|
||||||
new \RobThree\Auth\Providers\Qr\GoogleChartsQrCodeProvider(),
|
new \RobThree\Auth\Providers\Qr\GoogleChartsQrCodeProvider(),
|
||||||
'FileRise',
|
'FileRise', 6, 30, \RobThree\Auth\Algorithm::Sha1
|
||||||
6,
|
);
|
||||||
30,
|
|
||||||
\RobThree\Auth\Algorithm::Sha1
|
|
||||||
);
|
|
||||||
|
|
||||||
// Pending‑login flow (first password step passed)
|
// === Pending-login flow (we just came from auth and need to finish login) ===
|
||||||
if (isset($_SESSION['pending_login_user'])) {
|
if (isset($_SESSION['pending_login_user'])) {
|
||||||
$username = $_SESSION['pending_login_user'];
|
$username = $_SESSION['pending_login_user'];
|
||||||
$pendingSecret = $_SESSION['pending_login_secret'] ?? null;
|
$pendingSecret = $_SESSION['pending_login_secret'] ?? null;
|
||||||
$rememberMe = $_SESSION['pending_login_remember_me'] ?? false;
|
$rememberMe = $_SESSION['pending_login_remember_me'] ?? false;
|
||||||
|
|
||||||
if (!$pendingSecret || !$tfa->verifyCode($pendingSecret, $code)) {
|
if (!$pendingSecret || !$tfa->verifyCode($pendingSecret, $code)) {
|
||||||
$_SESSION['totp_failures']++;
|
$_SESSION['totp_failures']++;
|
||||||
http_response_code(400);
|
http_response_code(400);
|
||||||
echo json_encode(['status' => 'error', 'message' => 'Invalid TOTP code']);
|
echo json_encode(['status' => 'error', 'message' => 'Invalid TOTP code']);
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
// === Issue “remember me” token if requested ===
|
// Issue “remember me” token if requested
|
||||||
if ($rememberMe) {
|
if ($rememberMe) {
|
||||||
$tokFile = USERS_DIR . 'persistent_tokens.json';
|
$tokFile = USERS_DIR . 'persistent_tokens.json';
|
||||||
$token = bin2hex(random_bytes(32));
|
$token = bin2hex(random_bytes(32));
|
||||||
$expiry = time() + 30 * 24 * 60 * 60;
|
$expiry = time() + 30 * 24 * 60 * 60;
|
||||||
$all = [];
|
$all = [];
|
||||||
|
if (file_exists($tokFile)) {
|
||||||
|
$dec = decryptData(file_get_contents($tokFile), $GLOBALS['encryptionKey']);
|
||||||
|
$all = json_decode($dec, true) ?: [];
|
||||||
|
}
|
||||||
|
$all[$token] = [
|
||||||
|
'username' => $username,
|
||||||
|
'expiry' => $expiry,
|
||||||
|
'isAdmin' => ((int)userModel::getUserRole($username) === 1),
|
||||||
|
'folderOnly' => loadUserPermissions($username)['folderOnly'] ?? false,
|
||||||
|
'readOnly' => loadUserPermissions($username)['readOnly'] ?? false,
|
||||||
|
'disableUpload'=> loadUserPermissions($username)['disableUpload']?? false
|
||||||
|
];
|
||||||
|
file_put_contents(
|
||||||
|
$tokFile,
|
||||||
|
encryptData(json_encode($all, JSON_PRETTY_PRINT), $GLOBALS['encryptionKey']),
|
||||||
|
LOCK_EX
|
||||||
|
);
|
||||||
|
$secure = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
|
||||||
|
setcookie('remember_me_token', $token, $expiry, '/', '', $secure, true);
|
||||||
|
setcookie(session_name(), session_id(), $expiry, '/', '', $secure, true);
|
||||||
|
}
|
||||||
|
|
||||||
if (file_exists($tokFile)) {
|
// === Finalize login into session exactly as finalizeLogin() would ===
|
||||||
$dec = decryptData(file_get_contents($tokFile), $GLOBALS['encryptionKey']);
|
session_regenerate_id(true);
|
||||||
$all = json_decode($dec, true) ?: [];
|
$_SESSION['authenticated'] = true;
|
||||||
}
|
$_SESSION['username'] = $username;
|
||||||
$isAdmin = ((int)userModel::getUserRole($username) === 1);
|
$_SESSION['isAdmin'] = ((int)userModel::getUserRole($username) === 1);
|
||||||
$all[$token] = [
|
$perms = loadUserPermissions($username);
|
||||||
'username' => $username,
|
$_SESSION['folderOnly'] = $perms['folderOnly'] ?? false;
|
||||||
'expiry' => $expiry,
|
$_SESSION['readOnly'] = $perms['readOnly'] ?? false;
|
||||||
'isAdmin' => $isAdmin
|
$_SESSION['disableUpload'] = $perms['disableUpload'] ?? false;
|
||||||
];
|
|
||||||
file_put_contents(
|
|
||||||
$tokFile,
|
|
||||||
encryptData(json_encode($all, JSON_PRETTY_PRINT), $GLOBALS['encryptionKey']),
|
|
||||||
LOCK_EX
|
|
||||||
);
|
|
||||||
|
|
||||||
$secure = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
|
// Clean up pending markers
|
||||||
|
unset(
|
||||||
|
$_SESSION['pending_login_user'],
|
||||||
|
$_SESSION['pending_login_secret'],
|
||||||
|
$_SESSION['pending_login_remember_me'],
|
||||||
|
$_SESSION['totp_failures']
|
||||||
|
);
|
||||||
|
|
||||||
// Persistent cookie
|
// Send back full login payload
|
||||||
setcookie('remember_me_token', $token, $expiry, '/', '', $secure, true);
|
echo json_encode([
|
||||||
|
'status' => 'ok',
|
||||||
// Re‑issue PHP session cookie
|
'success' => 'Login successful',
|
||||||
setcookie(
|
'isAdmin' => $_SESSION['isAdmin'],
|
||||||
session_name(),
|
'folderOnly' => $_SESSION['folderOnly'],
|
||||||
session_id(),
|
'readOnly' => $_SESSION['readOnly'],
|
||||||
$expiry,
|
'disableUpload' => $_SESSION['disableUpload'],
|
||||||
'/',
|
'username' => $_SESSION['username']
|
||||||
'',
|
]);
|
||||||
$secure,
|
exit;
|
||||||
true
|
}
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
// Finalize login
|
|
||||||
session_regenerate_id(true);
|
|
||||||
$_SESSION['authenticated'] = true;
|
|
||||||
$_SESSION['username'] = $username;
|
|
||||||
$_SESSION['isAdmin'] = $isAdmin;
|
|
||||||
$_SESSION['folderOnly'] = loadUserPermissions($username);
|
|
||||||
|
|
||||||
// Clean up
|
|
||||||
unset(
|
|
||||||
$_SESSION['pending_login_user'],
|
|
||||||
$_SESSION['pending_login_secret'],
|
|
||||||
$_SESSION['pending_login_remember_me'],
|
|
||||||
$_SESSION['totp_failures']
|
|
||||||
);
|
|
||||||
|
|
||||||
echo json_encode(['status' => 'ok', 'message' => 'Login successful']);
|
|
||||||
exit;
|
|
||||||
}
|
|
||||||
|
|
||||||
// Setup/verification flow (not pending)
|
// Setup/verification flow (not pending)
|
||||||
$username = $_SESSION['username'] ?? '';
|
$username = $_SESSION['username'] ?? '';
|
||||||
|
|||||||
Reference in New Issue
Block a user