Updates credentials page and session vars

Yasen Pramatarov 2025-04-08 10:30:07 +03:00
parent 947a4e39c5
commit eb0a603b8d
2 changed files with 28 additions and 12 deletions


@ -24,7 +24,7 @@ function applySessionMiddleware($config, $app_root) {
} }
// Check if user is logged in // Check if user is logged in
if (!isset($_SESSION['USER_ID'])) { if (!isset($_SESSION['user_id'])) {
if (!$isTest) { if (!$isTest) {
header('Location: ' . $app_root . '?page=login'); header('Location: ' . $app_root . '?page=login');
exit(); exit();
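Review bot: The renamed guard `if (!isset($_SESSION['user_id'])) {` only holds if every writer of the session key — the login handler, which is not part of this commit — switched to the same lowercase spelling; PHP array keys are case-sensitive, so one leftover `USER_ID` write elsewhere would bounce every user to the login page after this deploy. A single shared constant (e.g. `const SESSION_USER_KEY = 'user_id';`) used by both the login handler and this middleware would make the rename mechanically safe. Separately, when `$isTest` is true the function falls through with no `user_id` in the session, so pages that read `$_SESSION['user_id']` unconditionally will see a notice/null in test runs — confirm that is intended. applySessionMiddleware starts before and continues past this hunk.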


@ -14,14 +14,24 @@
* - `password`: Change password * - `password`: Change password
*/ */
// Check if user is logged in
if (!isset($_SESSION['user_id'])) {
header("Location: $app_root?page=login");
exit();
}
$user_id = $_SESSION['user_id'];
// Initialize user object
$userObject = new User($dbWeb);
$action = $_REQUEST['action'] ?? ''; $action = $_REQUEST['action'] ?? '';
$item = $_REQUEST['item'] ?? ''; $item = $_REQUEST['item'] ?? '';
// if a form is submitted // if a form is submitted
if ($_SERVER['REQUEST_METHOD'] == 'POST') { if ($_SERVER['REQUEST_METHOD'] == 'POST') {
// Validate CSRF token // Validate CSRF token
require_once '../app/helpers/security.php'; $security->verifyCsrfToken($_POST['csrf_token'] ?? '');
$security = SecurityHelper::getInstance();
if (!$security->verifyCsrfToken($_POST['csrf_token'] ?? '')) { if (!$security->verifyCsrfToken($_POST['csrf_token'] ?? '')) {
Feedback::flash('ERROR', 'DEFAULT', 'Invalid security token. Please try again.'); Feedback::flash('ERROR', 'DEFAULT', 'Invalid security token. Please try again.');
header("Location: $app_root?page=credentials"); header("Location: $app_root?page=credentials");
@ -34,8 +44,6 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST') {
switch ($item) { switch ($item) {
case '2fa': case '2fa':
require_once '../app/helpers/2fa.php';
switch ($action) { switch ($action) {
case 'setup': case 'setup':
// Validate the setup code // Validate the setup code
@ -47,13 +55,17 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST') {
header("Location: $app_root?page=credentials"); header("Location: $app_root?page=credentials");
exit(); exit();
} else { } else {
Feedback::flash('ERROR', 'DEFAULT', 'Invalid verification code. Please try again.'); // Only show error if code was actually submitted
header("Location: $app_root?page=credentials&action=edit"); if ($code !== '') {
Feedback::flash('ERROR', 'DEFAULT', 'Invalid verification code. Please try again.');
}
header("Location: $app_root?page=credentials&action=setup");
exit(); exit();
} }
break; break;
case 'verify': case 'verify':
// This is a user-initiated verification
$code = $_POST['code'] ?? ''; $code = $_POST['code'] ?? '';
if ($userObject->verifyTwoFactor($user_id, $code)) { if ($userObject->verifyTwoFactor($user_id, $code)) {
$_SESSION['2fa_verified'] = true; $_SESSION['2fa_verified'] = true;
@ -127,12 +139,16 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$has2fa = $userObject->isTwoFactorEnabled($user_id); $has2fa = $userObject->isTwoFactorEnabled($user_id);
switch ($action) { switch ($action) {
case 'edit': case 'setup':
if (!$has2fa) { if (!$has2fa) {
require_once '../app/helpers/2fa.php'; $result = $userObject->enableTwoFactor($user_id);
$secret = $userObject->generateTwoFactorSecret(); if ($result['success']) {
$qrCode = $userObject->generateTwoFactorQR($user_id, $secret); $setupData = $result['data'];
$backupCodes = $userObject->generateBackupCodes(); } else {
Feedback::flash('ERROR', 'DEFAULT', $result['message'] ?? 'Failed to generate 2FA setup data');
header("Location: $app_root?page=credentials");
exit();
}
} }
// Get any new feedback messages // Get any new feedback messages
include '../app/helpers/feedback.php'; include '../app/helpers/feedback.php';
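Review bot: The failed-verification redirect `header("Location: $app_root?page=credentials&action=setup");` in the POST `setup` branch lands back in the GET `case 'setup':` branch, which calls `$userObject->enableTwoFactor($user_id)` again whenever `$has2fa` is false; if that call generates a fresh secret on each invocation (its name and the 'Failed to generate 2FA setup data' message suggest it does), every mistyped code rotates the secret behind the QR the user just scanned, so a retry can never succeed. For the same reason a plain GET to `?page=credentials&action=setup` appears to perform a state-changing operation, and the CSRF check in this file only runs on POST. I would keep the pending setup data in the session until the POST handler verifies a code (and have that handler unset it), as sketched below — or confirm enableTwoFactor is idempotent and document that on the call. The `switch ($action)` block continues past the end of the hunk, and `$code` used by the POST branch is assigned before it.
```php
case 'setup':
    if (!$has2fa) {
        // Reuse the pending secret across retries; the POST 'setup' handler must unset it once verified
        if (!isset($_SESSION['2fa_pending'])) {
            $result = $userObject->enableTwoFactor($user_id);
            if (!$result['success']) {
                Feedback::flash('ERROR', 'DEFAULT', $result['message'] ?? 'Failed to generate 2FA setup data');
                header("Location: $app_root?page=credentials");
                exit();
            }
            $_SESSION['2fa_pending'] = $result['data'];
        }
        $setupData = $_SESSION['2fa_pending'];
    }
    // … unchanged: remaining cases of the switch …
```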