From b4445fc4d81d939fb42c9a4ada5a80228e346956 Mon Sep 17 00:00:00 2001
From: Ryan <ryantl66@gmail.com>
Date: Sun, 6 Apr 2025 01:24:13 -0400
Subject: [PATCH] share new password page, totp setup focus, logout clear
 session cookie

---
 index.html       |  7 +++++
 js/authModals.js | 26 +++++++++++++--
 logout.php       | 21 ++++++++++---
 share.php        | 82 ++++++++++++++++++++++++++++++++++++++----------
 4 files changed, 114 insertions(+), 22 deletions(-)

diff --git a/index.html b/index.html
index d541d4e..4baef0e 100644
--- a/index.html
+++ b/index.html
@@ -5,6 +5,13 @@
   <meta charset="UTF-8" />
   <meta name="viewport" content="width=device-width, initial-scale=1" />
   <title>FileRise</title>
+  <script>
+    const params = new URLSearchParams(window.location.search);
+    if (params.get('logout') === '1') {
+      localStorage.removeItem("username");
+      localStorage.removeItem("userTOTPEnabled");
+    }
+  </script>
   <link rel="icon" type="image/png" href="/assets/logo.png">
   <link rel="icon" type="image/svg+xml" href="/assets/logo.svg">
   <meta name="csrf-token" content="">
diff --git a/js/authModals.js b/js/authModals.js
index 1e80360..8cd7ca0 100644
--- a/js/authModals.js
+++ b/js/authModals.js
@@ -1,4 +1,4 @@
-import { showToast, toggleVisibility } from './domUtils.js';
+import { showToast, toggleVisibility, attachEnterKeyListener } from './domUtils.js';
 import { sendRequest } from './networkUtils.js';
 
 const version = "v1.0.8";
@@ -8,7 +8,7 @@ let lastLoginData = null;
 export function setLastLoginData(data) {
   lastLoginData = data;
   // expose to auth.js so it can tell form-login vs basic/oidc
-  window.__lastLoginData = data;
+  //window.__lastLoginData = data;
 }
 
 export function openTOTPLoginModal() {
@@ -258,12 +258,34 @@ export function openTOTPModal() {
       })
       .catch(() => { showToast("Error verifying TOTP code."); });
     });
+
+    // Focus the input and attach enter key listener
+    const totpConfirmInput = document.getElementById("totpConfirmInput");
+    if (totpConfirmInput) {
+      setTimeout(() => {
+        const totpConfirmInput = document.getElementById("totpConfirmInput");
+        if (totpConfirmInput) totpConfirmInput.focus();
+      }, 100);
+    }
+    attachEnterKeyListener("totpModal", "confirmTOTPBtn");
+
   } else {
     totpModal.style.display = "flex";
     totpModal.style.backgroundColor = overlayBackground;
     const modalContent = totpModal.querySelector(".modal-content");
     modalContent.style.background = isDarkMode ? "#2c2c2c" : "#fff";
     modalContent.style.color = isDarkMode ? "#e0e0e0" : "#000";
+    
+    // Focus the input and attach enter key listener
+    const totpConfirmInput = document.getElementById("totpConfirmInput");
+    if (totpConfirmInput) {
+      totpConfirmInput.value = "";
+      setTimeout(() => {
+        const totpConfirmInput = document.getElementById("totpConfirmInput");
+        if (totpConfirmInput) totpConfirmInput.focus();
+      }, 100);
+    }
+    attachEnterKeyListener("totpModal", "confirmTOTPBtn");
   }
 }
 
diff --git a/logout.php b/logout.php
index 1572888..a8c2d3e 100644
--- a/logout.php
+++ b/logout.php
@@ -5,12 +5,12 @@ require_once 'config.php';
 $headers = array_change_key_case(getallheaders(), CASE_LOWER);
 $receivedToken = isset($headers['x-csrf-token']) ? trim($headers['x-csrf-token']) : '';
 
-// If there's a mismatch, log it but continue with logout.
+// Log CSRF mismatch but proceed with logout.
 if (isset($_SESSION['csrf_token']) && $receivedToken !== $_SESSION['csrf_token']) {
     error_log("CSRF token mismatch on logout. Proceeding with logout.");
 }
 
-// If the remember me token is set, remove it from the persistent tokens file.
+// Remove the remember_me token.
 if (isset($_COOKIE['remember_me_token'])) {
     $token = $_COOKIE['remember_me_token'];
     $persistentTokensFile = USERS_DIR . 'persistent_tokens.json';
@@ -25,13 +25,26 @@ if (isset($_COOKIE['remember_me_token'])) {
         }
     }
     // Clear the cookie.
+    // Ensure $secure is defined; for example:
+    $secure = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
     setcookie('remember_me_token', '', time() - 3600, '/', '', $secure, true);
 }
 
-// Clear session data and destroy the session.
+// Clear session data and remove session cookie.
 $_SESSION = [];
+
+// Clear the session cookie.
+if (ini_get("session.use_cookies")) {
+    $params = session_get_cookie_params();
+    setcookie(session_name(), '', time() - 42000,
+        $params["path"], $params["domain"],
+        $params["secure"], $params["httponly"]
+    );
+}
+
+// Destroy the session.
 session_destroy();
 
-header("Location: index.html");
+header("Location: index.html?logout=1");
 exit;
 ?>
\ No newline at end of file
diff --git a/share.php b/share.php
index 430301d..948cda6 100644
--- a/share.php
+++ b/share.php
@@ -1,10 +1,11 @@
 <?php
 // share.php
+
 require_once 'config.php';
 
-// Get token and password (if provided)
-$token = isset($_GET['token']) ? $_GET['token'] : '';
-$providedPass = isset($_GET['pass']) ? $_GET['pass'] : '';
+// Retrieve and sanitize input
+$token = filter_input(INPUT_GET, 'token', FILTER_SANITIZE_STRING);
+$providedPass = filter_input(INPUT_GET, 'pass', FILTER_SANITIZE_STRING);
 
 if (empty($token)) {
     http_response_code(400);
@@ -12,7 +13,7 @@ if (empty($token)) {
     exit;
 }
 
-// Load share links.
+// Load share links from file
 $shareFile = META_DIR . "share_links.json";
 if (!file_exists($shareFile)) {
     http_response_code(404);
@@ -36,18 +37,54 @@ if (time() > $record['expires']) {
     exit;
 }
 
-// If a password is required and none is provided, show a simple form.
+// If a password is required and none is provided, show a password form.
 if (!empty($record['password']) && empty($providedPass)) {
     ?>
     <!DOCTYPE html>
     <html>
     <head>
+        <meta charset="utf-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1">
         <title>Enter Password</title>
+        <style>
+            body {
+                font-family: Arial, sans-serif;
+                padding: 20px;
+                background-color: #f4f4f4;
+                color: #333;
+            }
+            form {
+                max-width: 400px;
+                margin: 40px auto;
+                background: #fff;
+                padding: 20px;
+                border-radius: 8px;
+                box-shadow: 0 2px 4px rgba(0,0,0,0.1);
+            }
+            input[type="password"] {
+                width: 100%;
+                padding: 10px;
+                margin: 10px 0;
+                border: 1px solid #ccc;
+                border-radius: 4px;
+            }
+            button {
+                padding: 10px 20px;
+                background: #007BFF;
+                border: none;
+                border-radius: 4px;
+                color: #fff;
+                cursor: pointer;
+            }
+            button:hover {
+                background: #0056b3;
+            }
+        </style>
     </head>
-    <body style="font-family: Arial, sans-serif; padding: 20px;">
+    <body>
         <h2>This file is protected by a password.</h2>
         <form method="get" action="share.php">
-            <input type="hidden" name="token" value="<?php echo htmlspecialchars($token); ?>">
+            <input type="hidden" name="token" value="<?php echo htmlspecialchars($token, ENT_QUOTES, 'UTF-8'); ?>">
             <label for="pass">Password:</label>
             <input type="password" name="pass" id="pass" required>
             <button type="submit">Submit</button>
@@ -58,7 +95,7 @@ if (!empty($record['password']) && empty($providedPass)) {
     exit;
 }
 
-// If a password was set, validate it.
+// Validate provided password if set.
 if (!empty($record['password'])) {
     if (!password_verify($providedPass, $record['password'])) {
         http_response_code(403);
@@ -67,7 +104,7 @@ if (!empty($record['password'])) {
     }
 }
 
-// Build file path.
+// Build file path securely.
 $folder = trim($record['folder'], "/\\ ");
 $file = $record['file'];
 $filePath = rtrim(UPLOAD_DIR, '/\\') . DIRECTORY_SEPARATOR;
@@ -76,24 +113,37 @@ if (!empty($folder) && strtolower($folder) !== 'root') {
 }
 $filePath .= $file;
 
-if (!file_exists($filePath)) {
+// Resolve the real path and ensure it's within the allowed directory.
+$realFilePath = realpath($filePath);
+$uploadDirReal = realpath(UPLOAD_DIR);
+if ($realFilePath === false || strpos($realFilePath, $uploadDirReal) !== 0) {
+    http_response_code(404);
+    echo json_encode(["error" => "File not found."]);
+    exit;
+}
+
+if (!file_exists($realFilePath)) {
     http_response_code(404);
     echo json_encode(["error" => "File not found."]);
     exit;
 }
 
 // Serve the file.
-$mimeType = mime_content_type($filePath);
+$mimeType = mime_content_type($realFilePath);
 header("Content-Type: " . $mimeType);
 
-// Determine extension and set disposition accordingly.
-$ext = strtolower(pathinfo($filePath, PATHINFO_EXTENSION));
+// Set Content-Disposition based on file type.
+$ext = strtolower(pathinfo($realFilePath, PATHINFO_EXTENSION));
 if (in_array($ext, ['jpg','jpeg','png','gif','bmp','webp','svg','ico'])) {
-    header('Content-Disposition: inline; filename="' . basename($filePath) . '"');
+    header('Content-Disposition: inline; filename="' . basename($realFilePath) . '"');
 } else {
-    header('Content-Disposition: attachment; filename="' . basename($filePath) . '"');
+    header('Content-Disposition: attachment; filename="' . basename($realFilePath) . '"');
 }
 
-readfile($filePath);
+// Optionally disable caching for sensitive files.
+header("Cache-Control: no-store, no-cache, must-revalidate");
+header("Pragma: no-cache");
+
+readfile($realFilePath);
 exit;
 ?>
\ No newline at end of file