From 0f6dda44b88db1bc75b12f918247ad7915c87061 Mon Sep 17 00:00:00 2001
From: Yasen Pramatarov
Date: Sun, 23 Feb 2025 17:58:26 +0200
Subject: [PATCH] Gets the client IP from a central place
---
 app/classes/user.php | 53 ++++++++++++++------------
 app/includes/csrf_middleware.php | 4 +-
 app/includes/rate_limit_middleware.php | 3 +-
 3 files changed, 34 insertions(+), 26 deletions(-)
diff --git a/app/classes/user.php b/app/classes/user.php
index da7eaf4..f0a9628 100644
--- a/app/classes/user.php
+++ b/app/classes/user.php
@@ -90,33 +90,38 @@ class User {
 * @return bool True if login is successful, false otherwise.
 */
 public function login($username, $password) {
- // get client IP address
- $ipAddress = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
+ try {
+ // Get user's IP address
+ require_once __DIR__ . '/../helpers/logs.php';
+ $ipAddress = getUserIP();
- // Record attempt
- $this->rateLimiter->attempt($username, $ipAddress);
+ // Record attempt
+ $this->rateLimiter->attempt($username, $ipAddress);
- // Check rate limiting first
- if (!$this->rateLimiter->isAllowed($username, $ipAddress)) {
- $remainingTime = $this->rateLimiter->getDecayMinutes();
- throw new Exception("Too many login attempts. Please try again in {$remainingTime} minutes.");
+ // Check rate limiting first
+ if (!$this->rateLimiter->isAllowed($username, $ipAddress)) {
+ $remainingTime = $this->rateLimiter->getDecayMinutes();
+ throw new Exception("Too many login attempts. Please try again in {$remainingTime} minutes.");
+ }
+
+ // Then check credentials
+ $query = $this->db->prepare("SELECT * FROM users WHERE username = :username");
+ $query->bindParam(':username', $username);
+ $query->execute();
+
+ $user = $query->fetch(PDO::FETCH_ASSOC);
+ if ($user && password_verify($password, $user['password'])) {
+ $_SESSION['user_id'] = $user['id'];
+ $_SESSION['username'] = $user['username'];
+ return true;
+ }
+
+ // Get remaining attempts AFTER this failed attempt
+ $remainingAttempts = $this->rateLimiter->getRemainingAttempts($username, $ipAddress);
+ throw new Exception("Invalid credentials. 
{$remainingAttempts} attempts remaining.");
+ } catch (Exception $e) {
+ return $e->getMessage();
 }
-
- // Then check credentials
- $query = $this->db->prepare("SELECT * FROM users WHERE username = :username");
- $query->bindParam(':username', $username);
- $query->execute();
-
- $user = $query->fetch(PDO::FETCH_ASSOC);
- if ($user && password_verify($password, $user['password'])) {
- $_SESSION['user_id'] = $user['id'];
- $_SESSION['username'] = $user['username'];
- return true;
- }
-
- // Get remaining attempts AFTER this failed attempt
- $remainingAttempts = $this->rateLimiter->getRemainingAttempts($username, $ipAddress);
- throw new Exception("Invalid credentials. {$remainingAttempts} attempts remaining.");
 }
diff --git a/app/includes/csrf_middleware.php b/app/includes/csrf_middleware.php
index c703ae6..bf5317e 100644
--- a/app/includes/csrf_middleware.php
+++ b/app/includes/csrf_middleware.php
@@ -1,6 +1,7 @@ verifyCsrfToken($token)) { // Log CSRF attempt
+ $ipAddress = getUserIP();
 $logMessage = sprintf(
 "CSRF attempt detected - IP: %s, Page: %s, User: %s",
- $_SERVER['REMOTE_ADDR'],
+ $ipAddress,
 $_GET['page'] ?? 'unknown',
 $_SESSION['username'] ?? 'anonymous'
 );
diff --git a/app/includes/rate_limit_middleware.php b/app/includes/rate_limit_middleware.php
index 46441b9..48c48bc 100644
--- a/app/includes/rate_limit_middleware.php
+++ b/app/includes/rate_limit_middleware.php
@@ -1,6 +1,7 @@ isPageRequestAllowed($ipAddress, $endpoint, $userId)) {
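Review bot: The new `} catch (Exception $e) { return $e->getMessage(); }` at the end of login() makes every failure return a non-empty string, which is truthy, while the docblock still says `@return bool`; a caller that tests `if ($user->login($username, $password))` would treat a wrong password or a rate-limited attempt as a successful login, so the `isAllowed()` guard a few lines up no longer protects such callers. Because `PDOException` extends `Exception`, a database failure would likewise be handed back verbatim as the login result, leaking driver error text to whatever renders it. Remove the `try`/`catch` so the two exceptions propagate as they did before the change and add `@throws Exception` to the docblock, or return `false` and pass the message back through a separate channel; either way the return type must stay boolean. `getUserIP()` from helpers/logs.php is not visible here, and it also feeds `isAllowed()` and the log line in csrf_middleware.php and rate_limit_middleware.php in this commit — if it derives the address from client-supplied forwarding headers, those values should be accepted only from a configured trusted proxy, otherwise `REMOTE_ADDR` remains the safer source for rate limiting and logging.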