phangoapp/simplephango
1
0
Fork 0
Code Issues Pull requests Projects Releases 1 Packages Wiki Activity

Fixes in controllers and login

Browse source
This commit is contained in:
Antonio de la Rosa 2025-11-25 01:35:44 +01:00
parent 9f21c3a87e
commit 7ac0f6c850
4 changed files with 197 additions and 31 deletions
Download patch file Download diff file Expand all files Collapse all files

2
libraries/Routes.php
View file

@ -21,6 +21,8 @@ class Config {
static public $on_other=false;
static public $on_proxy=false;
}
/*Examples

114
modules/admin/controllers/app.php
View file

@ -36,6 +36,10 @@ class AppController extends TplController{
$c_user=$this->db->select_count('useradmin', '', []);
$error=1;
$error_form=['username_error' => ''];
if(!$c_user) {
header('Location: '.Url::make_url('admin', 'app', ['signup']));
@ -45,40 +49,110 @@ class AppController extends TplController{
if($_SERVER['REQUEST_METHOD']=='POST') {
$username=trim($_POST['username']);
$password=trim($_POST['password']);
//Check csrf token first.
$error=1;
if(PhangoApp\PhaRouter\Config::$on_proxy) {
$error_form=['username_error' => ''];
$ip=$_SERVER['HTTP_CLIENT_IP'] ?? $_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR'] ?? '';
if($username=='') {
}
else {
$error_form['username_error']=_('Username empty');
$ip=$_SERVER['REMOTE_ADDR'] ?? '';
}
$arr_user=$this->db->select_a_row('useradmin', [], 'WHERE username=?', [$username]);
if($ip!='') {
if($arr_user) {
$arr_tries=$this->db->select_a_row('login_tries', [], 'WHERE ip=?', [$ip]);
if(password_verify($password, $arr_user['password'])) {
$now=date("Y-m-d H:i:s");
$error=0;
if($arr_tries) {
$_SESSION['admin_login']=1;
$timestamp_5_min=strtotime($now)-300;
$timestamp_last_login=strtotime($arr_tries['date']);
if($timestamp_5_min>$timestamp_last_login) {
$this->db->delete('login_tries', 'WHERE ip=?', [$ip]);
$arr_tries=false;
}
}
$num_tries=$arr_tries['num_tries'] ?? 0;
if($num_tries<5) {
$username=trim($_POST['username']);
$password=trim($_POST['password']);
if($username=='') {
$error_form['username_error']=_('Username empty');
}
$arr_user=$this->db->select_a_row('useradmin', [], 'WHERE username=?', [$username]);
if($arr_user) {
if(password_verify($password, $arr_user['password'])) {
$error=0;
$_SESSION['admin_login']=1;
if($arr_user['double_auth']) {
$_SESSION['double_auth']=1;
$this->db->update('useradmin', ['auth_token' => PhangoApp\PhaUtils\Utils::get_token(25)], 'where id=?', [$arr_user['id']]);
}
}
else {
$error_form['username_error']=_('Wrong user or password');
}
}
else {
$error_form['username_error']=_('Wrong user or password');
}
if($error) {
if(!$arr_tries) {
$this->db->insert('login_tries', ['num_tries' => 0, 'ip' => $ip]);
}
else {
$this->db->update('login_tries', ['num_tries' => $arr_tries['num_tries']+1, 'date' => date("Y-m-d H:i:s")], 'WHERE ip=?', [$ip]);
}
}
}
else {
$error_form['username_error']=_('Wrong user or password');
$error_form['username_error']=_('Sorry, you need wait 5 minutes for retry login.');
}
}
else {
$error_form['username_error']=_('Wrong user or password');
$error_form['username_error']=_('Unknown error');
}
@ -179,6 +253,20 @@ class AppController extends TplController{
break;
case 'double_auth':
echo $this->tpl->load_template('check_auth', ['title' => 'Double auth']);
break;
case 'logout':
unset($_SESSION['admin_login']);
header('Location: '.PhangoApp\PhaRouter\Url::make_url('admin'));
break;
}
}

13
modules/admin/libraries/tplcontroller.php
View file

@ -12,9 +12,11 @@ class TplController extends PhangoApp\PhaRouter\Controller {
session_start();
$table=new WPDO\WTable('useradmin', ['username', 'password', 'email', 'num_attempts']);
$useradmin=new WPDO\WTable('useradmin', ['id', 'username', 'password', 'email', 'double_auth', 'auth_token']);
$this->db=new WPDO\WPDO(['useradmin' => $table]);
$login_tries=new WPDO\WTable('login_tries', ['ip', 'num_tries', 'date']);
$this->db=new WPDO\WPDO(['useradmin' => $useradmin, 'login_tries' => $login_tries]);
$this->tpl=new Templates(['theme/admin/templates', 'modules/admin/templates']);
@ -24,6 +26,13 @@ class TplController extends PhangoApp\PhaRouter\Controller {
if(isset($_SESSION['admin_login'])) {
if(isset($_SESSION['double_auth'])) {
//header('Location: '.PhangoApp\PhaRouter\Url::make_url('admin', 'app', ['check_auth']));
die;
}
return true;
}

67
modules/admin/templates/check_auth.php Normal file
View file

@ -0,0 +1,67 @@
<?=$this->layout('login_tpl', ['title' => $title])?>
<?=$this->start('content')?>
<form method="post" name="auth_submit" id="auth_submit">
<p><label for="auth_code"></label><input type="text" name="auth_code" id="auth_code_form" placeholder="<?=_('Code')?>"/></p>
<p class="error" id="username_error"></p>
<?=PhangoApp\PhaUtils\Utils::set_csrf_key($name_token='csrf_token', $length_token=80)?>
<p>
<input type="submit" id="button_submit" class="button" value="<?=_('Send auth code')?>" />
</p>
</form>
<?=$this->end('content')?>
<?=$this->start('footer_js')?>
<script language="Javascript">
$(document).ready( function () {
$("#auth_submit").submit( function () {
$('.error').html('');
$('#loader-wrapper').show();
$.ajax({
url: "<?=$this->make_url('admin', 'app', ['login'])?>",
method: "POST",
dataType: "json",
data: {'auth_code': $('#auth_code_form').val()},
success: function (data) {
if(data.error==0)
{
console.log('Success');
$('#loader-wrapper').hide();
location.href="<?=$this->make_url('admin')?>";
}
else
{
$('#loader-wrapper').hide();
$('#csrf_token').attr('value', data.csrf_token);
$('#username_error').html(data.error_form.username_error);
}
},
error: function (data) {
$('#loader-wrapper').hide();
alert('Error');
console.log(data);
}
});
return false;
});
});
</script>
<?=$this->end('footer_js')?>