joachim/FileRise
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Refactor fixes and adjustments

Browse Source
This commit is contained in:
Ryan
2025-04-16 17:15:59 -04:00
committed by GitHub
parent 4ec4ba832f
commit 75d3bf5a9b
15 changed files with 93 additions and 77 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
CHANGELOG.md
View File

@@ -18,6 +18,15 @@
This refactor improves maintainability, testability, and documentation clarity across all API endpoints.
### Refactor fixes and adjustments
- Added fallback checks for disableFormLogin / disableBasicAuth / disableOIDCLogin when coming in either at the top level or under loginOptions.
- Updated auth.js to read and store the nested loginOptions booleans correctly in localStorage, then show/hide the BasicAuth and OIDC buttons as configured.
- Changed the logout controller to header("Location: /index.html?logout=1") so after /api/auth/logout.php it lands on the root index.html, not under /api/auth/.
- Switched your share modal code to use a leading slash ("/api/file/share.php") so it generates absolute URLs instead of relative /share.php.
- In the sharedfolder gallery, adjusted the clientside image path to point at /uploads/... instead of /api/folder/uploads/...
- Updated both AdminModel defaults and the AuthController to use the exact full path
---
## Changes 4/15/2025

4
config/config.php
View File

@@ -165,8 +165,8 @@ define('BASE_URL', 'http://yourwebsite/uploads/');
if (strpos(BASE_URL, 'yourwebsite') !== false) {
$defaultShareUrl = isset($_SERVER['HTTP_HOST'])
? "http://" . $_SERVER['HTTP_HOST'] . "/share.php"
: "http://localhost/public/api/file/share.php";
: "http://localhost/api/file/share.php";
} else {
$defaultShareUrl = rtrim(BASE_URL, '/') . "api/file/share.php";
$defaultShareUrl = rtrim(BASE_URL, '/') . "/api/file/share.php";
}
define('SHARE_URL', getenv('SHARE_URL') ? getenv('SHARE_URL') : $defaultShareUrl);

4
public/index.html
View File

@@ -15,7 +15,7 @@
<link rel="icon" type="image/png" href="/assets/logo.png">
<link rel="icon" type="image/svg+xml" href="/assets/logo.svg">
<meta name="csrf-token" content="">
<meta name="share-url" content="">
<meta name="share-url" content="/api/file/share.php">
<!-- Google Fonts and Material Icons -->
<link href="https://fonts.googleapis.com/css2?family=Roboto:wght@400;500&display=swap" rel="stylesheet" />
<link href="https://fonts.googleapis.com/icon?family=Material+Icons" rel="stylesheet" />
@@ -200,7 +200,7 @@
</div>
<!-- Basic HTTP Login Option -->
<div class="text-center mt-3">
<a href="/public/api/auth/login_basic.php" class="btn btn-secondary" data-i18n-key="basic_http_login">Use Basic HTTP
<a href="/api/auth/login_basic.php" class="btn btn-secondary" data-i18n-key="basic_http_login">Use Basic HTTP
Login</a>
</div>
</div>

8
public/js/auth.js
View File

@@ -25,7 +25,7 @@ const currentOIDCConfig = {
providerUrl: "https://your-oidc-provider.com",
clientId: "YOUR_CLIENT_ID",
clientSecret: "YOUR_CLIENT_SECRET",
redirectUri: "https://yourdomain.com/auth.php?oidc=callback",
redirectUri: "https://yourdomain.com/api/auth/auth.php?oidc=callback",
globalOtpauthUrl: ""
};
window.currentOIDCConfig = currentOIDCConfig;
@@ -51,7 +51,7 @@ function openTOTPLoginModal() {
const isFormLogin = Boolean(window.__lastLoginData);
if (!isFormLogin) {
// disable BasicAuth link
const basicLink = document.querySelector("a[href='api/auth/login_basic.php']");
const basicLink = document.querySelector("a[href='/api/auth/login_basic.php']");
if (basicLink) {
basicLink.style.pointerEvents = 'none';
basicLink.style.opacity = '0.5';
@@ -80,7 +80,7 @@ function updateLoginOptionsUI({ disableFormLogin, disableBasicAuth, disableOIDCL
const authForm = document.getElementById("authForm");
if (authForm) authForm.style.display = disableFormLogin ? "none" : "block";
const basicAuthLink = document.querySelector("a[href='api/auth/login_basic.php']");
const basicAuthLink = document.querySelector("a[href='/api/auth/login_basic.php']");
if (basicAuthLink) basicAuthLink.style.display = disableBasicAuth ? "none" : "inline-block";
const oidcLoginBtn = document.getElementById("oidcLoginBtn");
if (oidcLoginBtn) oidcLoginBtn.style.display = disableOIDCLogin ? "none" : "inline-block";
@@ -480,7 +480,7 @@ document.addEventListener("DOMContentLoaded", function () {
const oidcLoginBtn = document.getElementById("oidcLoginBtn");
if (oidcLoginBtn) {
oidcLoginBtn.addEventListener("click", () => {
window.location.href = "api/auth/auth.php?oidc=initiate";
window.location.href = "/api/auth/auth.php?oidc=initiate";
});
}

4
public/js/authModals.js
View File

@@ -97,7 +97,7 @@ export function openTOTPLoginModal() {
.then(json => {
if (json.status === "ok") {
// recovery succeeded → finalize login
window.location.href = "index.html";
window.location.href = "/index.html";
} else {
showToast(json.message || t("recovery_code_verification_failed"));
}
@@ -125,7 +125,7 @@ export function openTOTPLoginModal() {
.then(res => res.json())
.then(json => {
if (json.status === "ok") {
window.location.href = "index.html";
window.location.href = "/index.html";
} else {
showToast(json.message || t("totp_verification_failed"));
this.value = "";

2
public/js/fileActions.js
View File

@@ -111,7 +111,7 @@ export function confirmSingleDownload() {
// Build the URL for download.php using GET parameters.
const folder = window.currentFolder || "root";
const downloadURL = "api/file/download.php?folder=" + encodeURIComponent(folder) +
const downloadURL = "/api/file/download.php?folder=" + encodeURIComponent(folder) +
"&file=" + encodeURIComponent(window.singleFileToDownload);
fetch(downloadURL, {

2
public/js/fileListView.js
View File

@@ -197,7 +197,7 @@ export function loadFileList(folderParam) {
.then(response => {
if (response.status === 401) {
showToast("Session expired. Please log in again.");
window.location.href = "logout.php";
window.location.href = "/api/auth/logout.php";
throw new Error("Unauthorized");
}
return response.json();

4
public/js/filePreview.js
View File

@@ -65,9 +65,7 @@ export function openShareModal(file, folder) {
.then(response => response.json())
.then(data => {
if (data.token) {
let shareEndpoint = document.querySelector('meta[name="share-url"]')
? document.querySelector('meta[name="share-url"]').getAttribute('content')
: (window.SHARE_URL || "api/file/share.php");
const shareEndpoint = `${window.location.origin}/api/file/share.php`;
const shareUrl = `${shareEndpoint}?token=${encodeURIComponent(data.token)}`;
const displayDiv = document.getElementById("shareLinkDisplay");
const inputField = document.getElementById("shareLinkInput");

2
public/js/folderManager.js
View File

@@ -364,7 +364,7 @@ export async function loadFolderTree(selectedFolder) {
if (response.status === 401) {
console.error("Unauthorized: Please log in to view folders.");
showToast("Session expired. Please log in again.");
window.location.href = "logout.php";
window.location.href = "/api/auth/logout.php";
return;
}
let folderData = await response.json();

2
public/js/upload.js
View File

@@ -405,7 +405,7 @@ const useResumable = true; // Enable resumable for file picker uploads
let resumableInstance;
function initResumableUpload() {
resumableInstance = new Resumable({
target: "api/upload/upload.php",
target: "/api/upload/upload.php",
query: { folder: window.currentFolder || "root", upload_token: window.csrfToken },
chunkSize: 1.5 * 1024 * 1024, // 1.5 MB chunks
simultaneousUploads: 3,

105
src/controllers/authController.php
View File

@@ -4,12 +4,14 @@
require_once __DIR__ . '/../../config/config.php';
require_once PROJECT_ROOT . '/src/models/AuthModel.php';
require_once PROJECT_ROOT . '/vendor/autoload.php';
require_once PROJECT_ROOT . '/src/models/AdminModel.php';
use RobThree\Auth\Algorithm;
use RobThree\Auth\Providers\Qr\GoogleChartsQrCodeProvider;
use Jumbojett\OpenIDConnectClient;
class AuthController {
class AuthController
{
/**
* @OA\Post(
@@ -56,7 +58,8 @@ class AuthController {
*
* @return void Redirects on success or outputs JSON error.
*/
public function auth(): void {
public function auth(): void
{
// Global exception handler.
set_exception_handler(function ($e) {
error_log("Unhandled exception: " . $e->getMessage());
@@ -64,7 +67,7 @@ class AuthController {
echo json_encode(["error" => "Internal Server Error"]);
exit();
});
header('Content-Type: application/json');
// If OIDC parameters are present, initiate OIDC flow.
@@ -73,20 +76,15 @@ class AuthController {
$oidcAction = 'callback';
}
if ($oidcAction) {
// Load admin configuration for OIDC.
$adminConfigFile = USERS_DIR . 'adminConfig.json';
if (file_exists($adminConfigFile)) {
$enc = file_get_contents($adminConfigFile);
$dec = decryptData($enc, $encryptionKey);
$cfg = ($dec !== false) ? json_decode($dec, true) : [];
} else {
$cfg = [];
}
$oidc_provider_url = $cfg['oidc']['providerUrl'] ?? 'https://your-oidc-provider.com';
$oidc_client_id = $cfg['oidc']['clientId'] ?? 'YOUR_CLIENT_ID';
$oidc_client_secret = $cfg['oidc']['clientSecret'] ?? 'YOUR_CLIENT_SECRET';
$oidc_redirect_uri = $cfg['oidc']['redirectUri'] ?? 'https://yourdomain.com/api/auth/auth.php?oidc=callback';
// new: delegate to AdminModel
$cfg = AdminModel::getConfig();
// Optional: log to confirm you loaded the right values
error_log("Loaded OIDC config: " . print_r($cfg['oidc'], true));
$oidc_provider_url = $cfg['oidc']['providerUrl'];
$oidc_client_id = $cfg['oidc']['clientId'];
$oidc_client_secret = $cfg['oidc']['clientSecret'];
$oidc_redirect_uri = $cfg['oidc']['redirectUri'];
$oidc = new OpenIDConnectClient($oidc_provider_url, $oidc_client_id, $oidc_client_secret);
$oidc->setRedirectURL($oidc_redirect_uri);
@@ -94,7 +92,7 @@ class AuthController {
try {
$oidc->authenticate();
$username = $oidc->requestUserInfo('preferred_username');
// Check for TOTP secret.
$totp_secret = null;
$usersFile = USERS_DIR . USERS_FILE;
@@ -110,17 +108,17 @@ class AuthController {
if ($totp_secret) {
$_SESSION['pending_login_user'] = $username;
$_SESSION['pending_login_secret'] = $totp_secret;
header("Location: index.html?totp_required=1");
header("Location: /index.html?totp_required=1");
exit();
}
// Finalize login (no TOTP)
session_regenerate_id(true);
$_SESSION["authenticated"] = true;
$_SESSION["username"] = $username;
$_SESSION["isAdmin"] = (AuthModel::getUserRole($username) === "1");
$_SESSION["folderOnly"] = loadUserPermissions($username);
header("Location: index.html");
header("Location: /index.html");
exit();
} catch (Exception $e) {
error_log("OIDC authentication error: " . $e->getMessage());
@@ -141,32 +139,32 @@ class AuthController {
}
}
}
// Fallback: Form-based Authentication.
$data = json_decode(file_get_contents("php://input"), true);
$username = trim($data["username"] ?? "");
$password = trim($data["password"] ?? "");
$rememberMe = isset($data["remember_me"]) && $data["remember_me"] === true;
if (!$username || !$password) {
http_response_code(400);
echo json_encode(["error" => "Username and password are required"]);
exit();
}
if (!preg_match(REGEX_USER, $username)) {
http_response_code(400);
echo json_encode(["error" => "Invalid username format. Only letters, numbers, underscores, dashes, and spaces are allowed."]);
exit();
}
$ip = $_SERVER['REMOTE_ADDR'];
$currentTime = time();
$attemptsFile = USERS_DIR . 'failed_logins.json';
$failedAttempts = AuthModel::loadFailedAttempts($attemptsFile);
$maxAttempts = 5;
$lockoutTime = 30 * 60; // 30 minutes
if (isset($failedAttempts[$ip])) {
$attemptData = $failedAttempts[$ip];
if ($attemptData['count'] >= $maxAttempts && ($currentTime - $attemptData['last_attempt']) < $lockoutTime) {
@@ -175,7 +173,7 @@ class AuthController {
exit();
}
}
$user = AuthModel::authenticate($username, $password);
if ($user !== false) {
// Handle TOTP if required.
@@ -203,19 +201,19 @@ class AuthController {
}
}
}
// Clear failed attempts.
if (isset($failedAttempts[$ip])) {
unset($failedAttempts[$ip]);
AuthModel::saveFailedAttempts($attemptsFile, $failedAttempts);
}
session_regenerate_id(true);
$_SESSION["authenticated"] = true;
$_SESSION["username"] = $username;
$_SESSION["isAdmin"] = ($user['role'] === "1");
$_SESSION["folderOnly"] = loadUserPermissions($username);
// Handle "remember me"
if ($rememberMe) {
$persistentTokensFile = USERS_DIR . 'persistent_tokens.json';
@@ -240,7 +238,7 @@ class AuthController {
$secure = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
setcookie('remember_me_token', $tokenPersistent, $expiry, '/', '', $secure, true);
}
echo json_encode([
"status" => "ok",
"success" => "Login successful",
@@ -298,7 +296,8 @@ class AuthController {
*
* @return void Outputs a JSON response with authentication details.
*/
public function checkAuth(): void {
public function checkAuth(): void
{
header('Content-Type: application/json');
$usersFile = USERS_DIR . USERS_FILE;
@@ -328,7 +327,7 @@ class AuthController {
}
}
}
// Determine admin status using AuthModel::getUserRole()
$userRole = AuthModel::getUserRole($username);
$isAdmin = ((int)$userRole === 1);
@@ -344,7 +343,7 @@ class AuthController {
exit;
}
/**
/**
* @OA\Get(
* path="/api/auth/token.php",
* summary="Retrieve CSRF token and share URL",
@@ -366,7 +365,8 @@ class AuthController {
*
* @return void Outputs the JSON response.
*/
public function getToken(): void {
public function getToken(): void
{
header('Content-Type: application/json');
echo json_encode([
"csrf_token" => $_SESSION['csrf_token'],
@@ -400,7 +400,8 @@ class AuthController {
*
* @return void Redirects on success or sends a 401 header.
*/
public function loginBasic(): void {
public function loginBasic(): void
{
// Set header for plain-text or JSON as needed.
header('Content-Type: application/json');
@@ -432,7 +433,7 @@ class AuthController {
// If TOTP is required, store pending values and redirect to prompt for TOTP.
$_SESSION['pending_login_user'] = $username;
$_SESSION['pending_login_secret'] = $secret;
header("Location: index.html?totp_required=1");
header("Location: /index.html?totp_required=1");
exit;
}
// Finalize login.
@@ -442,7 +443,7 @@ class AuthController {
$_SESSION["isAdmin"] = (AuthModel::getUserRole($username) === "1");
$_SESSION["folderOnly"] = AuthModel::loadFolderPermission($username);
header("Location: index.html");
header("Location: /index.html");
exit;
}
// Invalid credentials; prompt again.
@@ -473,16 +474,17 @@ class AuthController {
*
* @return void Redirects to index.html with a logout flag.
*/
public function logout(): void {
public function logout(): void
{
// Retrieve headers and check CSRF token.
$headersArr = array_change_key_case(getallheaders(), CASE_LOWER);
$receivedToken = isset($headersArr['x-csrf-token']) ? trim($headersArr['x-csrf-token']) : '';
// Log mismatch but do not prevent logout.
if (isset($_SESSION['csrf_token']) && $receivedToken !== $_SESSION['csrf_token']) {
error_log("CSRF token mismatch on logout. Proceeding with logout.");
}
// Remove the "remember_me_token" from persistent tokens.
if (isset($_COOKIE['remember_me_token'])) {
$token = $_COOKIE['remember_me_token'];
@@ -501,24 +503,29 @@ class AuthController {
$secure = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
setcookie('remember_me_token', '', time() - 3600, '/', '', $secure, true);
}
// Clear session data.
$_SESSION = [];
// Clear the session cookie.
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
setcookie(
session_name(),
'',
time() - 42000,
$params["path"],
$params["domain"],
$params["secure"],
$params["httponly"]
);
}
// Destroy the session.
session_destroy();
// Redirect the user to the login page (or index) with a logout flag.
header("Location: index.html?logout=1");
header("Location: /index.html?logout=1");
exit;
}
}
}

2
src/controllers/fileController.php
View File

@@ -935,7 +935,7 @@ class FileController {
</head>
<body>
<h2>This file is protected by a password.</h2>
<form method="get" action="api/file/share.php">
<form method="get" action="/api/file/share.php">
<input type="hidden" name="token" value="<?php echo htmlspecialchars($token, ENT_QUOTES, 'UTF-8'); ?>">
<label for="pass">Password:</label>
<input type="password" name="pass" id="pass" required>

18
src/controllers/folderController.php
View File

@@ -437,7 +437,7 @@ class FolderController {
<div class="container">
<h2>Folder Protected</h2>
<p>This folder is protected by a password. Please enter the password to view its contents.</p>
<form method="get" action="api/folder/shareFolder.php">
<form method="get" action="/api/folder/shareFolder.php">
<input type="hidden" name="token" value="<?php echo htmlspecialchars($token, ENT_QUOTES, 'UTF-8'); ?>">
<label for="pass">Password:</label>
<input type="password" name="pass" id="pass" required>
@@ -534,7 +534,7 @@ class FolderController {
foreach ($files as $file):
$filePath = $data['realFolderPath'] . DIRECTORY_SEPARATOR . $file;
$fileSize = file_exists($filePath) ? formatBytes(filesize($filePath)) : "Unknown";
$downloadLink = "api/folder/downloadSharedFile.php?token=" . urlencode($token) . "&file=" . urlencode($file);
$downloadLink = "/api/folder/downloadSharedFile.php?token=" . urlencode($token) . "&file=" . urlencode($file);
?>
<tr>
<td>
@@ -557,7 +557,7 @@ class FolderController {
<!-- Pagination Controls -->
<div class="pagination">
<?php if ($currentPage > 1): ?>
<a href="api/folder/shareFolder.php?token=<?php echo urlencode($token); ?>&page=<?php echo $currentPage - 1; ?><?php echo !empty($providedPass) ? "&pass=" . urlencode($providedPass) : ""; ?>">Prev</a>
<a href="/api/folder/shareFolder.php?token=<?php echo urlencode($token); ?>&page=<?php echo $currentPage - 1; ?><?php echo !empty($providedPass) ? "&pass=" . urlencode($providedPass) : ""; ?>">Prev</a>
<?php else: ?>
<span>Prev</span>
<?php endif; ?>
@@ -569,12 +569,12 @@ class FolderController {
<?php if ($i == $currentPage): ?>
<span class="current"><?php echo $i; ?></span>
<?php else: ?>
<a href="api/folder/shareFolder.php?token=<?php echo urlencode($token); ?>&page=<?php echo $i; ?><?php echo !empty($providedPass) ? "&pass=" . urlencode($providedPass) : ""; ?>"><?php echo $i; ?></a>
<a href="/api/folder/shareFolder.php?token=<?php echo urlencode($token); ?>&page=<?php echo $i; ?><?php echo !empty($providedPass) ? "&pass=" . urlencode($providedPass) : ""; ?>"><?php echo $i; ?></a>
<?php endif; ?>
<?php endfor; ?>
<?php if ($currentPage < $totalPages): ?>
<a href="api/folder/shareFolder.php?token=<?php echo urlencode($token); ?>&page=<?php echo $currentPage + 1; ?><?php echo !empty($providedPass) ? "&pass=" . urlencode($providedPass) : ""; ?>">Next</a>
<a href="/api/folder/shareFolder.php?token=<?php echo urlencode($token); ?>&page=<?php echo $currentPage + 1; ?><?php echo !empty($providedPass) ? "&pass=" . urlencode($providedPass) : ""; ?>">Next</a>
<?php else: ?>
<span>Next</span>
<?php endif; ?>
@@ -584,7 +584,7 @@ class FolderController {
<?php if (isset($data['record']['allowUpload']) && $data['record']['allowUpload'] == 1): ?>
<div class="upload-container">
<h3>Upload File (50mb max size)</h3>
<form action="api/folder/uploadToSharedFolder.php" method="post" enctype="multipart/form-data">
<form action="/api/folder/uploadToSharedFolder.php" method="post" enctype="multipart/form-data">
<!-- Pass the share token so the upload endpoint can verify -->
<input type="hidden" name="token" value="<?php echo htmlspecialchars($token, ENT_QUOTES, 'UTF-8'); ?>">
<input type="file" name="fileToUpload" required>
@@ -613,7 +613,9 @@ class FolderController {
var galleryContainer = document.getElementById("galleryViewContainer");
var html = '<div class="shared-gallery-container">';
filesData.forEach(function(file) {
var fileUrl = "uploads/<?php echo htmlspecialchars($folderName, ENT_QUOTES, 'UTF-8'); ?>/" + encodeURIComponent(file);
var fileUrl = window.location.origin
+ "/uploads/<?php echo rawurlencode($folderName); ?>/"
+ encodeURIComponent(file);
var ext = file.split('.').pop().toLowerCase();
var thumbnail = "";
if (['jpg','jpeg','png','gif','bmp','webp','svg','ico'].indexOf(ext) >= 0) {
@@ -900,7 +902,7 @@ class FolderController {
$_SESSION['upload_message'] = "File uploaded successfully.";
// Redirect back to the shared folder view.
$redirectUrl = "api/folder/shareFolder.php?token=" . urlencode($token);
$redirectUrl = "/api/folder/shareFolder.php?token=" . urlencode($token);
header("Location: " . $redirectUrl);
exit;
}

2
src/models/AdminModel.php
View File

@@ -104,7 +104,7 @@ class AdminModel
'providerUrl' => 'https://your-oidc-provider.com',
'clientId' => 'YOUR_CLIENT_ID',
'clientSecret' => 'YOUR_CLIENT_SECRET',
'redirectUri' => 'https://yourdomain.com/auth.php?oidc=callback'
'redirectUri' => 'https://yourdomain.com/api/auth/auth.php?oidc=callback'
],
'loginOptions' => [
'disableFormLogin' => false,

2
src/models/FolderModel.php
View File

@@ -403,7 +403,7 @@ class FolderModel {
$baseUrl = $protocol . "://" . $host;
}
// The share URL points to the shared folder page.
$link = $baseUrl . "api/folder/shareFolder.php?token=" . urlencode($token);
$link = $baseUrl . "/api/folder/shareFolder.php?token=" . urlencode($token);
return ["token" => $token, "expires" => $expires, "link" => $link];
}