diff --git a/libraries/Routes.php b/libraries/Routes.php index 43a7000..8d8bffa 100644 --- a/libraries/Routes.php +++ b/libraries/Routes.php @@ -21,6 +21,8 @@ class Config { static public $on_other=false; + static public $on_proxy=false; + } /*Examples diff --git a/modules/admin/controllers/app.php b/modules/admin/controllers/app.php index b5a4593..7218511 100644 --- a/modules/admin/controllers/app.php +++ b/modules/admin/controllers/app.php @@ -36,6 +36,10 @@ class AppController extends TplController{ $c_user=$this->db->select_count('useradmin', '', []); + $error=1; + + $error_form=['username_error' => '']; + if(!$c_user) { header('Location: '.Url::make_url('admin', 'app', ['signup'])); 
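Review bot: `$on_proxy` is added to Config with no comment on what it switches on, and since the branch it enables in app.php decides whether client-supplied headers are trusted for the login throttle, the flag needs a warning next to it. I would add above the property: `// When true the client address is read from HTTP_CLIENT_IP / X-Forwarded-For instead of REMOTE_ADDR. Enable only behind a reverse proxy that overwrites those headers; otherwise any client can choose its own "IP".` The Config class header is outside the hunk.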
@@ -45,41 +49,111 @@ class AppController extends TplController{ if($_SERVER['REQUEST_METHOD']=='POST') { - $username=trim($_POST['username']); - $password=trim($_POST['password']); + //Check csrf token first. - $error=1; - - $error_form=['username_error' => '']; - - if($username=='') { - - $error_form['username_error']=_('Username empty'); - - } - - $arr_user=$this->db->select_a_row('useradmin', [], 'WHERE username=?', [$username]); - - if($arr_user) { - - if(password_verify($password, $arr_user['password'])) { + if(PhangoApp\PhaRouter\Config::$on_proxy) { - $error=0; - - $_SESSION['admin_login']=1; - - } - else { - - $error_form['username_error']=_('Wrong user or password'); - - } + $ip=$_SERVER['HTTP_CLIENT_IP'] ?? $_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR'] ?? ''; } else { - - $error_form['username_error']=_('Wrong user or password'); + + $ip=$_SERVER['REMOTE_ADDR'] ?? ''; + + } + if($ip!='') { + + $arr_tries=$this->db->select_a_row('login_tries', [], 'WHERE ip=?', [$ip]); + + $now=date("Y-m-d H:i:s"); + + if($arr_tries) { + + $timestamp_5_min=strtotime($now)-300; + $timestamp_last_login=strtotime($arr_tries['date']); + + if($timestamp_5_min>$timestamp_last_login) { + + $this->db->delete('login_tries', 'WHERE ip=?', [$ip]); + $arr_tries=false; + + } + + } + + $num_tries=$arr_tries['num_tries'] ?? 
0; + + if($num_tries<5) { + + $username=trim($_POST['username']); + $password=trim($_POST['password']); + + if($username=='') { + + $error_form['username_error']=_('Username empty'); + + } + + $arr_user=$this->db->select_a_row('useradmin', [], 'WHERE username=?', [$username]); + + if($arr_user) { + + if(password_verify($password, $arr_user['password'])) { + + $error=0; + + $_SESSION['admin_login']=1; + + if($arr_user['double_auth']) { + + $_SESSION['double_auth']=1; + + $this->db->update('useradmin', ['auth_token' => PhangoApp\PhaUtils\Utils::get_token(25)], 'where id=?', [$arr_user['id']]); + + } + + } + else { + + $error_form['username_error']=_('Wrong user or password'); + + } + + } + else { + + $error_form['username_error']=_('Wrong user or password'); + + } + + if($error) { + + if(!$arr_tries) { + + $this->db->insert('login_tries', ['num_tries' => 0, 'ip' => $ip]); + + } + else { + + $this->db->update('login_tries', ['num_tries' => $arr_tries['num_tries']+1, 'date' => date("Y-m-d H:i:s")], 'WHERE ip=?', [$ip]); + + } + + } + + } + else { + + $error_form['username_error']=_('Sorry, you need wait 5 minutes for retry login.'); + + } + + } + else { + + $error_form['username_error']=_('Unknown error'); + } echo $this->json(['error' => $error, 'error_form' => $error_form, 'message' => '']); @@ -178,6 +252,20 @@ class AppController extends TplController{ } break; + + case 'double_auth': + + echo $this->tpl->load_template('check_auth', ['title' => 'Double auth']); + + break; + + case 'logout': + + unset($_SESSION['admin_login']); + + header('Location: '.PhangoApp\PhaRouter\Url::make_url('admin')); + + break; } diff --git a/modules/admin/libraries/tplcontroller.php b/modules/admin/libraries/tplcontroller.php index 500b5e6..a86a9e1 100644 --- a/modules/admin/libraries/tplcontroller.php +++ b/modules/admin/libraries/tplcontroller.php 
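Review bot: In the `$on_proxy` branch the throttle key is taken straight from `HTTP_CLIENT_IP` or `HTTP_X_FORWARDED_FOR`, both of which the client controls, so an attacker can send a different header value on every POST and get a fresh `login_tries` row each time, defeating the 5-attempt limit entirely (and `HTTP_CLIENT_IP` is never set by a proxy at all). Even behind a trusted proxy X-Forwarded-For is a comma-separated list to which the proxy appends, so only the right-most entry is trustworthy, and only if exactly one proxy layer is in front of the app — I have hedged the rewrite below on that assumption. Separately, the comment `//Check csrf token first.` is followed by no token check, and the successful path sets `$_SESSION['admin_login']=1` without `session_regenerate_id(true);`, leaving the login open to session fixation. The enclosing POST handler and its surrounding method start outside the hunk.
```php
if(PhangoApp\PhaRouter\Config::$on_proxy) {

    // Only the right-most X-Forwarded-For hop was appended by our own proxy
    // (assumes a single trusted proxy layer); everything else is client input.
    $forwarded=array_map('trim', explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'] ?? ''));
    $candidate=end($forwarded);
    $ip=filter_var($candidate, FILTER_VALIDATE_IP) ? $candidate : ($_SERVER['REMOTE_ADDR'] ?? '');

}
else {

    $ip=$_SERVER['REMOTE_ADDR'] ?? '';

}
// … unchanged: login_tries lookup, 5-minute window and attempt counting …
```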
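Review bot: The new `logout` case only unsets `$_SESSION['admin_login']`; `$_SESSION['double_auth']`, set on login when `double_auth` is enabled, survives the logout, and the session id is kept, so the next login on the same cookie reuses a half-authenticated session. I would clear both and rotate the id: `unset($_SESSION['admin_login'], $_SESSION['double_auth']);` followed by `session_regenerate_id(true);` before the redirect. The enclosing switch starts and ends outside the hunk.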
@@ -12,9 +12,11 @@ class TplController extends PhangoApp\PhaRouter\Controller { session_start(); - $table=new WPDO\WTable('useradmin', ['username', 'password', 'email', 'num_attempts']); + $useradmin=new WPDO\WTable('useradmin', ['id', 'username', 'password', 'email', 'double_auth', 'auth_token']); - $this->db=new WPDO\WPDO(['useradmin' => $table]); + $login_tries=new WPDO\WTable('login_tries', ['ip', 'num_tries', 'date']); + + $this->db=new WPDO\WPDO(['useradmin' => $useradmin, 'login_tries' => $login_tries]); $this->tpl=new Templates(['theme/admin/templates', 'modules/admin/templates']); @@ -24,6 +26,13 @@ class TplController extends PhangoApp\PhaRouter\Controller { if(isset($_SESSION['admin_login'])) { + if(isset($_SESSION['double_auth'])) { + + //header('Location: '.PhangoApp\PhaRouter\Url::make_url('admin', 'app', ['check_auth'])); + die; + + } + return true; } diff --git a/modules/admin/templates/check_auth.php b/modules/admin/templates/check_auth.php new file mode 100644 index 0000000..f5269a3 --- /dev/null +++ b/modules/admin/templates/check_auth.php @@ -0,0 +1,67 @@ +=$this->layout('login_tpl', ['title' => $title])?> +=$this->start('content')?> +
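Review bot: In the second hunk the `double_auth` gate ends in a bare `die;` with the redirect commented out, so an admin who has passed the first factor gets a blank page instead of the second-factor form, and the commented-out target `['check_auth']` does not match the `'double_auth'` action added to app.php in this same commit. I would restore it as `header('Location: '.PhangoApp\PhaRouter\Url::make_url('admin', 'app', ['double_auth']));` followed by `die;`, which presumably also requires exempting the `double_auth` and `logout` actions from this check to avoid a redirect loop — the surrounding method is outside the hunk so I cannot confirm where that exemption belongs.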
+=$this->end('content')?> +=$this->start('footer_js')?> + +=$this->end('footer_js')?>