From 27a4dca7c602e3dd9923d0262c68d21c8465616a Mon Sep 17 00:00:00 2001 From: Yasen Pramatarov Date: Thu, 30 Jan 2025 18:48:46 +0200 Subject: [PATCH] Adds CSRF checks to login/logout pages --- app/pages/login.php | 23 +++++++++++++++++++++++ app/templates/form-login.php | 26 +++++++++++++++++--------- public_html/index.php | 21 +++++++++++++++++---- 3 files changed, 57 insertions(+), 13 deletions(-) diff --git a/app/pages/login.php b/app/pages/login.php index 6349261..84c2987 100644 --- a/app/pages/login.php +++ b/app/pages/login.php @@ -27,6 +27,29 @@ try { if ( $_SERVER['REQUEST_METHOD'] == 'POST' ) { try { + // Validate form data + $security = SecurityHelper::getInstance(); + $formData = $security->sanitizeArray($_POST, ['username', 'password', 'remember_me', 'csrf_token']); + + $validationRules = [ + 'username' => [ + 'type' => 'string', + 'required' => true, + 'min' => 3, + 'max' => 20 + ], + 'password' => [ + 'type' => 'string', + 'required' => true, + 'min' => 2 + ] + ]; + + $errors = $security->validateFormData($formData, $validationRules); + if (!empty($errors)) { + throw new Exception("Invalid input: " . implode(", ", $errors)); + } + $username = $_POST['username']; $password = $_POST['password']; diff --git a/app/templates/form-login.php b/app/templates/form-login.php index c9d9be8..a8e998e 100644 --- a/app/templates/form-login.php +++ b/app/templates/form-login.php @@ -4,15 +4,23 @@
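Review bot: The sanitized and validated copy `$formData` is never used — the two context lines right after the added block still read `$_POST['username']` and `$_POST['password']`, so the values handed to authentication are not the ones `validateFormData` checked. Use `$username = $formData['username'];` for the username; for the password, keep the raw `$_POST['password']` unless `sanitizeArray` (not shown here) is known to leave it byte-for-byte intact, since trimming or HTML-escaping a password before `password_verify` would lock out users whose passwords contain those characters — a comment recording that choice would help, e.g. `// password taken raw on purpose: sanitizing it would break password_verify`. The new `'max' => 20` rule on username rejects the login outright, so any existing account with a longer username would be locked out if the registration path permits one; worth confirming against the users table before merging. The enclosing try/catch starts in this hunk and continues past it.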

Welcome to JILO!
Please enter login credentials:

- -
- -
- -
 
+ +
+ +
+
+ +
+
+ +
diff --git a/public_html/index.php b/public_html/index.php index 4f3418c..f7985ac 100644 --- a/public_html/index.php +++ b/public_html/index.php @@ -18,6 +18,17 @@ ob_start(); // sanitize all input vars that may end up in URLs or forms require '../app/includes/sanitize.php'; +session_name('jilo'); +session_start(); + +// Initialize security middleware +require_once '../app/includes/csrf_middleware.php'; +require_once '../app/helpers/securityhelper.php'; +$security = SecurityHelper::getInstance(); + +// Verify CSRF token for POST requests +verifyCsrfToken(); + // Initialize message system require_once '../app/classes/messages.php'; $messages = []; @@ -87,9 +98,6 @@ if ($config_file) { $app_root = $config['folder']; -session_name('jilo'); -session_start(); - // check if logged in unset($currentUser); if (isset($_COOKIE['username'])) { @@ -151,14 +159,19 @@ $userObject = new User($dbWeb); // logout is a special case, as we can't use session vars for notices if ($page == 'logout') { + // get user info before destroying session + $user_id = $userObject->getUserId($currentUser)[0]['id']; // clean up session session_unset(); session_destroy(); + + // start new session for the login page + session_start(); + setcookie('username', "", time() - 100, $config['folder'], $config['domain'], isset($_SERVER['HTTPS']), true); // Log successful logout - $user_id = $userObject->getUserId($currentUser)[0]['id']; $logObject->insertLog($user_id, "Logout: User \"$currentUser\" logged out. IP: $user_IP", 'user'); // Set success message
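Review bot: `session_start()` now runs at the top of the front controller with whatever cookie flags php.ini happens to set, and the token that `verifyCsrfToken()` checks presumably lives in that session, so the session cookie's attributes are worth pinning in code rather than left to ini settings. Calling `session_set_cookie_params(['httponly' => true, 'secure' => isset($_SERVER['HTTPS']), 'samesite' => 'Lax']);` just before `session_start()` matches the flags the logout branch already passes to `setcookie()` for the `username` cookie and gives SameSite as a second layer behind the token check. The comment `// Verify CSRF token for POST requests` should also say what happens on a missing or mismatched token (403, redirect?), since `verifyCsrfToken()` is defined in csrf_middleware.php, outside this diff.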
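Review bot: After `session_destroy()` the added `session_start()` reopens a session under the same ID, because the browser's session cookie is still sent and `session_destroy()` does not clear it; the post-logout session used for the success message (and any CSRF token issued for the login form) therefore shares its identifier with the session that was just destroyed. Add `session_regenerate_id(true);` immediately after the new `session_start();` so logout yields a fresh identifier. Separately, the commit subject mentions CSRF checks for logout, but the `if ($page == 'logout')` branch does not check the request method and the middleware comment says tokens are verified only for POST, so if logout is reachable via a GET link (e.g. `?page=logout`) it remains triggerable cross-site — either require POST here or extend `verifyCsrfToken()` to cover it. The `if ($page == 'logout')` block continues past the end of the hunk.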