v1.2 initial commit

This commit is contained in:
2026-05-10 21:40:25 +02:00
commit 1a5dfda288
995 changed files with 242075 additions and 0 deletions

84
pub/login/php/auth.php Normal file
View File

@@ -0,0 +1,84 @@
<?php
session_start();
include_once $_SERVER['DOCUMENT_ROOT'] . '/login/php/authFunctions.php';
if (checkLoginAttempts() > 3) {
header('Location: /login/');
exit;
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
$username = trim($_POST['username'] ?? '');
$password = $_POST['password'] ?? '';
if (empty($username) || empty($password)) {
die("Username and password are required.");
}
if ($username !== 'superuser' && !filter_var($username, FILTER_VALIDATE_EMAIL)) {
die("Invalid email address.");
}
$stmt = $GLOBALS['conn']->prepare("SELECT * FROM vc_users WHERE user_email = ? LIMIT 1");
$stmt->bind_param('s', $username);
$stmt->execute();
$result = $stmt->get_result();
$user = $result->fetch_assoc();
if (!$user) {
setcookie('login_error', 'Invalid username or password', time() + 3600, '/');
addLoginAttempts();
header('Location: /login/');
exit;
}
if (!password_verify($password, $user['user_password'])) {
setcookie('login_error', 'Invalid username or password', time() + 3600, '/');
addLoginAttempts();
header('Location: /login/');
exit;
}
switch ($user['user_status']) {
case 'banned':
setcookie('login_error', 'Account is banned.', time() + 3600, '/');
header('Location: /login/');
exit;
case 'inactive':
setcookie('login_error', 'Account is inactive.', time() + 3600, '/');
header('Location: /login/');
exit;
case 'pending':
setcookie('login_error', 'Account is pending approval.', time() + 3600, '/');
header('Location: /login/');
exit;
case 'active':
// continue
break;
default:
setcookie('login_error', 'something went wrong, contact support', time() + 3600, '/');
header('Location: /login/');
exit;
}
setTimeZoneCookie();
# check if mfa2 is enabled
if ($user['user_two_factor_enabled'] == 1) {
# go to the mfa login
session_regenerate_id(true); # create session to store some data
$_SESSION['mfa'] = ['user_uuid' => $user['user_uuid'], 'user_secret' => $user['user_two_factor_secret']];
header('Location: /login/');
exit;
} else {
# No mfa2 is setup
loginUser($user['user_uuid']);
header('Location: /');
exit;
}
}

View File

@@ -0,0 +1,118 @@
<?php
include_once $_SERVER['DOCUMENT_ROOT'] . '/bin/php/db_connect.php';
function checkLoginAttempts()
{
$stmt = $GLOBALS['conn']->prepare("SELECT address
FROM ip_login_attempts
WHERE address LIKE ?
AND timestamp > (UNIX_TIMESTAMP() - 600)
");
$stmt->bind_param('s', $_SERVER['REMOTE_ADDR']);
$stmt->execute();
$stmt->store_result();
return $stmt->num_rows;
}
function addLoginAttempts()
{
$ip = $_SERVER["REMOTE_ADDR"];
$stmt = $GLOBALS['conn']->prepare("INSERT INTO ip_login_attempts (address, timestamp) VALUES (?, UNIX_TIMESTAMP())");
$stmt->bind_param('s', $ip);
$stmt->execute();
$stmt->close();
}
function setTimeZoneCookie()
{
?>
<script>
document.cookie = "user_timezone=" + Intl.DateTimeFormat().resolvedOptions().timeZone + "; path=/";
</script>
<?php
}
function getUserTimezone()
{
$default_timezone = 'America/New_York';
if (isset($_COOKIE['user_timezone']) && in_array($_COOKIE['user_timezone'], DateTimeZone::listIdentifiers())) {
$timezone = $_COOKIE['user_timezone'];
} else {
$timezone = $default_timezone;
}
return $timezone;
}
function setSessionParams()
{
if (isset($_SESSION['user']['user_uuid'])) {
$user_uuid = $_SESSION['user']['user_uuid'];
$stmt = $GLOBALS['conn']->prepare("SELECT * FROM vc_users INNER JOIN vc_user_groups ON vc_users.user_group_uuid = vc_user_groups.user_group_uuid WHERE user_uuid = ? LIMIT 1");
$stmt->bind_param('s', $user_uuid);
$stmt->execute();
$result = $stmt->get_result();
$user = $result->fetch_assoc();
$_SESSION['user'] = ['user_uuid' => $user['user_uuid'],
'user_email' => $user['user_email'],
'user_first_name' => $user['user_first_name'],
'user_full_name' => $user['user_full_name'],
'user_group_uuid' => $user['user_group_uuid'],
'user_group_weight' => $user['user_group_weight'],
'user_group_type' => $user['user_group_type'],
'user_pref_language' => $user['user_pref_language'],
'user_two_factor_enabled' => $user['user_two_factor_enabled'],
'user_profile_picture' => $user['user_profile_picture'],
'user_profile_picture_thumbnail' => $user['user_profile_picture_thumbnail'],
'user_timezone' => getUserTimezone(),
];
$stmt = $GLOBALS['conn']->prepare("SELECT vc_user_group_permissions_portal.permission_value, vc_permissions.permission_name
FROM vc_user_group_permissions_portal
INNER JOIN vc_permissions ON vc_user_group_permissions_portal.permission_uuid = vc_permissions.permission_uuid
WHERE user_group_uuid = ?");
$stmt->bind_param('s', $user['user_group_uuid']);
$_SESSION['permission'] = array();
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
$_SESSION['permission'][$row['permission_name']] = $row['permission_value'];
}
}
}
function loginUser($user_uuid)
{
$update = $GLOBALS['conn']->prepare("UPDATE vc_users SET user_last_login_timestamp = ? WHERE user_uuid = ?");
$update->bind_param('is', time(), $user_uuid);
$update->execute();
session_regenerate_id(true);
$_SESSION['user'] = ['user_uuid' => $user_uuid];
setSessionParams();
}
# link the verification code input and check if its an valid code.
function linkVerificationPosts()
{
$codeParts = [];
$allSet = true;
for ($i = 1; $i <= 6; $i++) {
$key = 'verification-' . $i;
if (isset($_POST[$key]) && $_POST[$key] !== '') {
$codeParts[] = $_POST[$key];
} else {
$allSet = false;
break;
}
}
if ($allSet) {
return implode('', $codeParts);
} else {
return false;
}
}

View File

@@ -0,0 +1,87 @@
<?php
use bin\php\Classes\mailBuilder;
if (!isset($_POST['user_email'])) {
header('Location: /');
exit;
}
include_once $_SERVER['DOCUMENT_ROOT'] . '/login/php/authFunctions.php';
include_once $_SERVER['DOCUMENT_ROOT'] . '/bin/php/Classes/mailBuilder.php';
$loginAttempts = checkLoginAttempts();
if ($loginAttempts > 5) {
header('location: /login/forgotPassword.php?result=blocked');
exit;
}
$user_email = $_POST['user_email'];
$sql = "SELECT * FROM vc_users WHERE user_email = ?";
$stmt = $GLOBALS['conn']->prepare($sql);
$stmt->bind_param("s", $user_email);
if (!$stmt->execute()) {
header('location: /login/forgotPassword.php?result=failed');
exit;
}
$result = $stmt->get_result();
$user_data = $result->fetch_assoc();
if ($result->num_rows == 0) {
header('location: /login/forgotPassword.php?result=success');
exit;
}
if ($user_data['user_status'] != 'active') {
header('location: /login/forgotPassword.php?result=success');
exit;
}
$user_uuid = $user_data["user_uuid"];
$user_password_reset_token = bin2hex(random_bytes(32));
$user_password_reset_expires = time() + 86400;
$sql = "UPDATE vc_users SET user_password_reset_token = ?, user_password_reset_expires = ? WHERE user_uuid = ?";
$stmt = $GLOBALS['conn']->prepare($sql);
$stmt->bind_param("sss",
$user_password_reset_token,
$user_password_reset_expires,
$user_uuid
);
# Sending an email to the user
$host = $_SERVER['HTTP_HOST'];
$verifyLink = "https://{$host}/login/resetPassword.php?token={$user_password_reset_token}";
$mail = new mailBuilder();
$mail->subject = "Hello " . $user_data['user_full_name'] . ", Heres Your Password Reset Link";
$mail->addAddress($user_data['user_email'], $user_data['user_first_name']);
$mail->mailText = '
Hello ' . $user_data['user_first_name'] . ',<br><br>
We received a request to reset the password for your account. You can reset your password by clicking the link below.<br>
This link is valid for 24 hours from the time of this request:<br>
<a href="' . $verifyLink . '" class="btn btn-primary">Reset Password</a><br><br>
Or copy and paste the following link into your browser: <br>' . $verifyLink . '<br><br>
If you did not request a password reset, you can safely ignore this message. No changes will be made to your account.<br><br>
Best regards,<br><br>
The Sentri gnome behind the code
';
if ($stmt->execute()) {
$mail->sendMail();
addLoginAttempts(); # add login attempt to prevent spamming from the forgot password link
header('location: /login/forgotPassword.php?result=success');
} else {
header('location: /login/forgotPassword.php?result=failed');
}
exit;

45
pub/login/php/mfaAuth.php Normal file
View File

@@ -0,0 +1,45 @@
<?php
session_start();
# includes
require $_SERVER['DOCUMENT_ROOT'] . '/../vendor/autoload.php';
include_once $_SERVER['DOCUMENT_ROOT'] . '/login/php/authFunctions.php';
use RobThree\Auth\Providers\Qr\EndroidQrCodeWithLogoProvider;
use RobThree\Auth\TwoFactorAuth;
if (!isset($_POST['verification-1']) && !isset($_SESSION['mfa']['user_secret']) && !isset($_SESSION['mfa']['user_uuid'])) {
unset($_SESSION['mfa']);
addLoginAttempts();
header('Location: /');
exit;
}
if (checkLoginAttempts() > 3) {
header('Location: /login/');
exit;
}
$tfa = new TwoFactorAuth(new EndroidQrCodeWithLogoProvider());
$secret = $_SESSION['mfa']['user_secret'];
$postedCode = linkVerificationPosts();
if ($postedCode) {
$result = $tfa->verifyCode($secret, $postedCode);
if ($result) {
loginUser($_SESSION['mfa']['user_uuid']);
unset($_SESSION['mfa']);
} else {
addLoginAttempts();
setcookie('login_error', 'Invalid verification code', time() + 3600, '/');
}
} else {
unset($_SESSION['mfa']);
}
header('Location: /');
exit;

View File

@@ -0,0 +1,69 @@
<?php
if ($_POST['password-1'] != $_POST['password-2']) {
header('location: /login/resetPassword.php?result=failed');
exit;
}
include_once $_SERVER['DOCUMENT_ROOT'] . '/login/php/authFunctions.php';
$user_password = password_hash($_POST['password-1'], PASSWORD_BCRYPT, ["cost" => 12]);
if (isset($_POST['user_uuid'])) {
session_start();
if (!isset($_SESSION['user']['user_uuid'])) {
header('location: /login/resetPassword.php?result=failed');
exit;
}
$user_uuid = $_SESSION['user']['user_uuid'];
$sql = "UPDATE vc_users SET user_password = ?,
user_password_reset_token = NULL,
user_password_reset_expires = NULL
WHERE user_uuid = ?";
$userSql = "SELECT COUNT(*) FROM vc_users WHERE user_uuid = ?";
$whereValue = $user_uuid;
} elseif (isset($_POST['user_password_reset_token'])) {
$user_password_reset_token = $_POST['user_password_reset_token'];
$sql = "UPDATE vc_users SET user_password = ?,
user_password_reset_token = NULL,
user_password_reset_expires = NULL,
user_verified_email = 1,
user_status = 'active'
WHERE user_password_reset_token = ? AND user_status IN ('active', 'pending')";
$userSql = "SELECT COUNT(*) FROM vc_users WHERE user_password_reset_token = ?";
$whereValue = $user_password_reset_token;
}
function checkUserExists($whereValue, $conn, $sql)
{
$stmt = $conn->prepare($sql);
$stmt->bind_param("s", $whereValue);
$stmt->execute();
$stmt->bind_result($count);
$stmt->fetch();
$stmt->close();
return $count > 0;
}
if (!checkUserExists($whereValue, $GLOBALS['conn'], $userSql)) {
header('location: /');
exit;
}
$stmt = $GLOBALS['conn']->prepare($sql);
$stmt->bind_param("ss",
$user_password,
$whereValue
);
if ($stmt->execute()) {
header('location: /login/resetPassword.php?result=success');
exit;
} else {
header('location: /login/resetPassword.php?result=failed');
exit;
}