Gets the client IP from a central place
parent
b4b5a7ac8f
commit
0f6dda44b8
|
|
@ -90,33 +90,38 @@ class User {
|
|||
* @return bool True if login is successful, false otherwise.
|
||||
*/
|
||||
public function login($username, $password) {
|
||||
// get client IP address
|
||||
$ipAddress = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
|
||||
try {
|
||||
// Get user's IP address
|
||||
require_once __DIR__ . '/../helpers/logs.php';
|
||||
$ipAddress = getUserIP();
|
||||
|
||||
// Record attempt
|
||||
$this->rateLimiter->attempt($username, $ipAddress);
|
||||
// Record attempt
|
||||
$this->rateLimiter->attempt($username, $ipAddress);
|
||||
|
||||
// Check rate limiting first
|
||||
if (!$this->rateLimiter->isAllowed($username, $ipAddress)) {
|
||||
$remainingTime = $this->rateLimiter->getDecayMinutes();
|
||||
throw new Exception("Too many login attempts. Please try again in {$remainingTime} minutes.");
|
||||
// Check rate limiting first
|
||||
if (!$this->rateLimiter->isAllowed($username, $ipAddress)) {
|
||||
$remainingTime = $this->rateLimiter->getDecayMinutes();
|
||||
throw new Exception("Too many login attempts. Please try again in {$remainingTime} minutes.");
|
||||
}
|
||||
|
||||
// Then check credentials
|
||||
$query = $this->db->prepare("SELECT * FROM users WHERE username = :username");
|
||||
$query->bindParam(':username', $username);
|
||||
$query->execute();
|
||||
|
||||
$user = $query->fetch(PDO::FETCH_ASSOC);
|
||||
if ($user && password_verify($password, $user['password'])) {
|
||||
$_SESSION['user_id'] = $user['id'];
|
||||
$_SESSION['username'] = $user['username'];
|
||||
return true;
|
||||
}
|
||||
|
||||
// Get remaining attempts AFTER this failed attempt
|
||||
$remainingAttempts = $this->rateLimiter->getRemainingAttempts($username, $ipAddress);
|
||||
throw new Exception("Invalid credentials. {$remainingAttempts} attempts remaining.");
|
||||
} catch (Exception $e) {
|
||||
return $e->getMessage();
|
||||
}
|
||||
|
||||
// Then check credentials
|
||||
$query = $this->db->prepare("SELECT * FROM users WHERE username = :username");
|
||||
$query->bindParam(':username', $username);
|
||||
$query->execute();
|
||||
|
||||
$user = $query->fetch(PDO::FETCH_ASSOC);
|
||||
if ($user && password_verify($password, $user['password'])) {
|
||||
$_SESSION['user_id'] = $user['id'];
|
||||
$_SESSION['username'] = $user['username'];
|
||||
return true;
|
||||
}
|
||||
|
||||
// Get remaining attempts AFTER this failed attempt
|
||||
$remainingAttempts = $this->rateLimiter->getRemainingAttempts($username, $ipAddress);
|
||||
throw new Exception("Invalid credentials. {$remainingAttempts} attempts remaining.");
|
||||
}
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
<?php
|
||||
|
||||
require_once __DIR__ . '/../helpers/security.php';
|
||||
require_once __DIR__ . '/../helpers/logs.php';
|
||||
|
||||
function applyCsrfMiddleware() {
|
||||
$security = SecurityHelper::getInstance();
|
||||
|
|
@ -23,9 +24,10 @@ function applyCsrfMiddleware() {
|
|||
$token = $_POST['csrf_token'] ?? '';
|
||||
if (!$security->verifyCsrfToken($token)) {
|
||||
// Log CSRF attempt
|
||||
$ipAddress = getUserIP();
|
||||
$logMessage = sprintf(
|
||||
"CSRF attempt detected - IP: %s, Page: %s, User: %s",
|
||||
$_SERVER['REMOTE_ADDR'],
|
||||
$ipAddress,
|
||||
$_GET['page'] ?? 'unknown',
|
||||
$_SESSION['username'] ?? 'anonymous'
|
||||
);
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
<?php
|
||||
|
||||
require_once __DIR__ . '/../classes/ratelimiter.php';
|
||||
require_once __DIR__ . '/../helpers/logs.php';
|
||||
|
||||
/**
|
||||
* Rate limit middleware for page requests
|
||||
|
|
@ -14,7 +15,7 @@ function checkRateLimit($database, $endpoint, $userId = null) {
|
|||
global $app_root;
|
||||
$isTest = defined('PHPUNIT_RUNNING');
|
||||
$rateLimiter = new RateLimiter($database);
|
||||
$ipAddress = $_SERVER['REMOTE_ADDR'];
|
||||
$ipAddress = getUserIP();
|
||||
|
||||
// Check if request is allowed
|
||||
if (!$rateLimiter->isPageRequestAllowed($ipAddress, $endpoint, $userId)) {
|
||||
|
|
|
|||
Loading…
Reference in New Issue