Home Explore Help
Sign In
fusionpbx
/
fusionpbx-framework
mirror of https://github.com/fusionpbx/fusionpbx-framework.git
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

Authentication: Additional improvements to order execution and invalid creds.

fusionate 2 years ago
parent
15fc30003b
commit
b8cd5d6748
3 changed files with 76 additions and 32 deletions
Split View Show Diff Stats
  1. 8 3
      core/authentication/resources/classes/plugins/database.php
  2. 46 16
      core/authentication/resources/classes/plugins/email.php
  3. 22 13
      core/authentication/resources/classes/plugins/totp.php

+ 8 - 3
core/authentication/resources/classes/plugins/database.php
View File 

@@ -107,7 +107,8 @@ class plugin_database {
 
 					$view->assign("login_logo_height", $settings['theme']['login_logo_height']);
 
 					$view->assign("login_logo_source", $settings['theme']['logo']);
 
 					$view->assign("message_delay", $settings['theme']['message_delay']);
 
-					if (!empty($_SESSION['authentication']['plugin']['database']['authorized']) && $_SESSION['authentication']['plugin']['database']['authorized'] == 1 && !empty($_SESSION['username'])) {
 
+// 					if (!empty($_SESSION['authentication']['plugin']['database']['authorized']) && $_SESSION['authentication']['plugin']['database']['authorized'] == 1 && !empty($_SESSION['username'])) {
 
+					if (!empty($_SESSION['username'])) {
 
 						$view->assign("login_password_description", $text['label-password_description']);
 
 						$view->assign("username", $_SESSION['username']);
 
 						$view->assign("button_cancel", $text['button-cancel']);
 
@@ -191,7 +192,7 @@ class plugin_database {
 
 			$sql .= "and (user_enabled = 'true' or user_enabled is null) ";
 
 			$database = new database;
 
 			$row = $database->select($sql, $parameters, 'row');
 
-			if (is_array($row)) {
 
+			if (!empty($row) && is_array($row) && @sizeof($row) != 0) {
 
 
 				//set the domain details
 
 					$this->domain_uuid = $_SESSION['domain_uuid'];
 
@@ -287,7 +288,11 @@ class plugin_database {
 
 						}
 
 					}
 
 					else {
 
-						unset($_SESSION['username'], $_REQUEST['username'], $_POST['username'], $this->username);
 
+						//clear authentication session
 
+						unset($_SESSION['authentication']);
 
+
 
+						// clear username
 
+						unset($_SESSION['username'], $_REQUEST['username'], $_POST['username']);
 
 					}
 
 
 			}

+ 46 - 16
core/authentication/resources/classes/plugins/email.php
View File 

@@ -56,6 +56,7 @@ class plugin_email {
 
 			$settings['theme']['logo'] = !empty($_SESSION['theme']['logo']['text']) ? $_SESSION['theme']['logo']['text'] : PROJECT_PATH.'/themes/default/images/logo_login.png';
 
 			$settings['theme']['login_logo_width'] = !empty($_SESSION['theme']['login_logo_width']['text']) ? $_SESSION['theme']['login_logo_width']['text'] : 'auto; max-width: 300px';
 
 			$settings['theme']['login_logo_height'] = !empty($_SESSION['theme']['login_logo_height']['text']) ? $_SESSION['theme']['login_logo_height']['text'] : 'auto; max-height: 300px';
 
+			$settings['theme']['message_delay'] = isset($_SESSION['theme']['message_delay']) ? 1000 * (float) $_SESSION['theme']['message_delay'] : 3000;
 
 
 			//set a default template
 
 			$_SESSION['domain']['template']['name'] = 'default';
 
@@ -99,6 +100,7 @@ class plugin_email {
 
 				$view->assign("login_logo_height", $settings['theme']['login_logo_height']);
 
 				$view->assign("login_logo_source", $settings['theme']['logo']);
 
 				$view->assign("button_login", $text['button-login']);
 
+				$view->assign("message_delay", $settings['theme']['message_delay']);
 
 
 				//messages
 
 				$view->assign('messages', message::html(true, '		'));
 
@@ -151,10 +153,13 @@ class plugin_email {
 
 				//user not found
 
 				if (empty($row) || !is_array($row) || @sizeof($row) == 0) {
 
 					//clear submitted usernames
 
-					unset($this->username, $_SESSION['username'], $_POST['username']);
 
+					unset($this->username, $_SESSION['username'], $_REQUEST['username'], $_POST['username']);
 
+
 
+					//clear authentication session
 
+					unset($_SESSION['authentication']);
 
 
 					//build the result array
 
-					$result["plugin"] = "totp";
 
+					$result["plugin"] = "email";
 
 					$result["domain_uuid"] = $_SESSION["domain_uuid"];
 
 					$result["domain_name"] = $_SESSION["domain_name"];
 
 					$result["authorized"] = false;
 
@@ -165,6 +170,12 @@ class plugin_email {
 
 
 				//user email not found
 
 				else if (empty($row["user_email"])) {
 
+					//clear submitted usernames
 
+					unset($this->username, $_SESSION['username'], $_REQUEST['username'], $_POST['username']);
 
+
 
+					//clear authentication session
 
+					unset($_SESSION['authentication']);
 
+
 
 					//build the result array
 
 					$result["plugin"] = "email";
 
 					$result["domain_name"] = $_SESSION["domain_name"];
 
@@ -185,8 +196,8 @@ class plugin_email {
 
 				$_SESSION["user"]["authentication"]["email"]["code"] = generate_password(6, 1);
 
 				$_SESSION["user"]["authentication"]["email"]["epoch"] = time();
 
 
-				////$_SESSION["authentication_address"] = $_SERVER['REMOTE_ADDR'];
 
-				////$_SESSION["authentication_date"] = 'now()';
 
+				//$_SESSION["authentication_address"] = $_SERVER['REMOTE_ADDR'];
 
+				//$_SESSION["authentication_date"] = 'now()';
 
 
 				//set the authentication code
 
 				//$sql = "update v_users \n";
 
@@ -346,6 +357,11 @@ class plugin_email {
 
 				$this->user_email = $row['user_email'];
 
 				$this->contact_uuid = $row['contact_uuid'];
 
 				unset($parameters);
 
+				/*
 
+				echo 'session code = '.$_SESSION["user"]["authentication"]["email"]["code"].'<br>';
 
+				echo 'post code = '.$_POST['authentication_code'].'<br>';
 
+				exit;
 
+				*/
 
 
 				//validate the code
 
 				if (!empty($_SESSION["user"]) && $_SESSION["user"]["authentication"]["email"]["code"] === $_POST['authentication_code']) {
 
@@ -379,18 +395,25 @@ class plugin_email {
 
 					//$_SESSION["contact_uuid"] = $row["contact_uuid"];
 
 				}
 
 				else {
 
-					//destroy session
 
-					session_unset();
 
-					session_destroy();
 
-					//$_SESSION['authentication']['plugin']
 
-					//send http 403
 
-					header('HTTP/1.0 403 Forbidden', true, 403);
 
-
 
-					//redirect to the root of the website
 
-					header("Location: ".PROJECT_PATH."/");
 
-
 
-					//exit the code
 
-					exit();
 
+// 					//destroy session
 
+// 					session_unset();
 
+// 					session_destroy();
 
+// 					//$_SESSION['authentication']['plugin']
 
+// 					//send http 403
 
+// 					header('HTTP/1.0 403 Forbidden', true, 403);
 
+//
 
+// 					//redirect to the root of the website
 
+// 					header("Location: ".PROJECT_PATH."/");
 
+//
 
+// 					//exit the code
 
+// 					exit();
 
+
 
+					//clear submitted usernames
 
+					unset($this->username, $_SESSION['username'], $_REQUEST['username'], $_POST['username']);
 
+
 
+					//clear authentication session
 
+					unset($_SESSION['authentication']);
 
+
 
 				}
 
 
 				/*
 
@@ -422,6 +445,13 @@ class plugin_email {
 
 				$result["domain_uuid"] = $_SESSION["domain_uuid"];
 
 				$result["contact_uuid"] = $_SESSION["contact_uuid"];
 
 				$result["authorized"] = $auth_valid ? true : false;
 
+
 
+				//add the failed login to user logs
 
+				if (!$auth_valid) {
 
+					user_logs::add($result);
 
+				}
 
+
 
+				//retun the array
 
 				return $result;
 
 
 				//$_SESSION['authentication']['plugin']['email']['plugin'] = "email";

+ 22 - 13
core/authentication/resources/classes/plugins/totp.php
View File 

@@ -64,6 +64,7 @@ class plugin_totp {
 
 			}
 
 			if (isset($_POST['username'])) {
 
 				$this->username = $_POST['username'];
 
+				$_SESSION["username"] = $this->username;
 
 			}
 
 
 		//request the username
 
@@ -153,7 +154,7 @@ class plugin_totp {
 
 				$row = $database->select($sql, $parameters, 'row');
 
 				if (empty($row) || !is_array($row) || @sizeof($row) == 0) {
 
 					//clear submitted usernames
 
-					unset($this->username, $_SESSION['username'], $_POST['username']);
 
+					unset($this->username, $_SESSION['username'], $_REQUEST['username'], $_POST['username']);
 
 
 					//build the result array
 
 					$result["plugin"] = "totp";
 
@@ -278,6 +279,7 @@ class plugin_totp {
 
 					$view->assign("totp_description", $text['description-totp']);
 
 					$view->assign("button_next", $text['button-next']);
 
 					$view->assign("favicon", $settings['theme']['favicon']);
 
+					$view->assign("message_delay", $settings['theme']['message_delay']);
 
 
 					//messages
 
 					$view->assign('messages', message::html(true, '		'));
 
@@ -288,6 +290,7 @@ class plugin_totp {
 
 				else {
 
 					//assign values to the template
 
 					$view->assign("button_verify", $text['label-verify']);
 
+					$view->assign("message_delay", $settings['theme']['message_delay']);
 
 
 					//messages
 
 					$view->assign('messages', message::html(true, '		'));
 
@@ -354,18 +357,24 @@ class plugin_totp {
 
 					unset($parameters);
 
 				}
 
 				else {
 
-					//destroy session
 
-					session_unset();
 
-					session_destroy();
 
-
 
-					//send http 403
 
-					header('HTTP/1.0 403 Forbidden', true, 403);
 
-
 
-					//redirect to the root of the website
 
-					header("Location: ".PROJECT_PATH."/");
 
-
 
-					//exit the code
 
-					exit();
 
+// 					//destroy session
 
+// 					session_unset();
 
+// 					session_destroy();
 
+//
 
+// 					//send http 403
 
+// 					header('HTTP/1.0 403 Forbidden', true, 403);
 
+//
 
+// 					//redirect to the root of the website
 
+// 					header("Location: ".PROJECT_PATH."/");
 
+//
 
+// 					//exit the code
 
+// 					exit();
 
+
 
+					//clear authentication session
 
+					unset($_SESSION['authentication']);
 
+
 
+					// clear username
 
+					unset($_SESSION["username"]);
 
 				}
 
 
 				/*